Comments
Target Breach Should Spur POS Security, PCI 3.0 Awareness
Bill Frank,
User Rank: Apprentice
1/22/2014 | 11:25:08 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
According to Brian Krebs (http://krebsonsecurity.com/201...), who seems to have the best information, the cardholder data was scraped from the memory of the POS terminals themselves. Therefore encrypting the data at rest or in motion would not have prevented the attackers from capturing the cardholder data.

Krebs went on to say that the cardholder data was then moved to a compromised server, most likely in the Target data center. So why didn't Target's firewall policies deny this communication between the POS terminals and this server? Also, since this communication happened, can we deduce that Target was not in compliance with PCI DSS requirement #1 - Install and maintain a firewall configuration to protect cardholder data?

The answer is that you can be completely compliant with the PCI DSS firewall requirements and still not block illicit communications. The reason is that PCI DSS does not specify the type of firewall to be used. Therefore you can use a legacy port-based, stateful inspection firewall, which cannot monitor all applications on all ports, all of the time, and be fully compliant. My point is that attackers can easily bypass a stateful inspection firewall. In fact, there are thousands of legitimate applications being used every day that bypass legacy firewalls. If you don't believe me, contact me, and I will prove it to you.

I am not sure if it's OK to provide a link to a more detailed blog post I wrote about this a couple of days ago at www.riskpundit.com. If not, just delete this paragraph.
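The gap the comment above describes, a rule set that is compliant on paper yet lets a POS terminal reach an arbitrary internal host on an allowed port, can be made concrete with a small audit. The following is an added example, not code from the commenter or from any firewall vendor. It replays constructed flow records (all addresses, ports and timestamps are made up; 203.0.113.10 and 198.51.100.20 are documentation addresses) through two policies: a legacy port-based rule set that allows the POS subnet to reach anything internal on tcp/445 and tcp/8443 and anything at all on tcp/443, and a peer allow-list that pins each POS terminal to exactly two destinations, the payment gateway and the store controller. Application identification, which a next-generation firewall would add, is not modelled; the example only shows how much a port-only rule lets through that a destination-scoped rule would not.

```go
package main

// Added example: compare a port-based POS egress policy with a peer allow-list
// over constructed flow records. Not the commenter's code; all data is made up.

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

type Flow struct {
	Proto            string
	Src, Dst         net.IP
	SrcPort, DstPort int
}

// ParseFlow reads one record of the form "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>".
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[3] != "->" {
		return Flow{}, fmt.Errorf("malformed record: %q", line)
	}
	src, sport, err := hostPort(f[2])
	if err != nil {
		return Flow{}, err
	}
	dst, dport, err := hostPort(f[4])
	if err != nil {
		return Flow{}, err
	}
	return Flow{Proto: f[1], Src: src, SrcPort: sport, Dst: dst, DstPort: dport}, nil
}

func hostPort(s string) (net.IP, int, error) {
	h, p, err := net.SplitHostPort(s)
	if err != nil {
		return nil, 0, err
	}
	ip := net.ParseIP(h)
	port, perr := strconv.Atoi(p)
	if ip == nil || perr != nil || port < 0 || port > 65535 {
		return nil, 0, fmt.Errorf("bad endpoint: %q", s)
	}
	return ip, port, nil
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

type Rule interface{ Allows(Flow) bool }

// PortRule is the legacy shape: source subnet, optional destination subnet (nil = anywhere), port.
type PortRule struct {
	Src, Dst *net.IPNet
	Port     int
}

func (r PortRule) Allows(f Flow) bool {
	return f.Proto == "tcp" && r.Src.Contains(f.Src) && (r.Dst == nil || r.Dst.Contains(f.Dst)) && f.DstPort == r.Port
}

// PeerRule pins a source subnet to exactly one host on exactly one port.
type PeerRule struct {
	Src  *net.IPNet
	Peer net.IP
	Port int
}

func (r PeerRule) Allows(f Flow) bool {
	return f.Proto == "tcp" && r.Src.Contains(f.Src) && r.Peer.Equal(f.Dst) && f.DstPort == r.Port
}

var (
	posNet   = cidr("10.20.1.0/24") // POS terminals (constructed)
	storeNet = cidr("10.20.0.0/16") // the whole store network (constructed)

	// Port-based policy: blind to *which* host 443/445 traffic actually reaches.
	PortPolicy = []Rule{
		PortRule{Src: posNet, Dst: storeNet, Port: 445},
		PortRule{Src: posNet, Dst: storeNet, Port: 8443},
		PortRule{Src: posNet, Dst: nil, Port: 443},
	}
	// Peer allow-list: the only two things a POS terminal has any business talking to.
	PeerPolicy = []Rule{
		PeerRule{Src: posNet, Peer: net.ParseIP("203.0.113.10"), Port: 443}, // payment gateway
		PeerRule{Src: posNet, Peer: net.ParseIP("10.20.0.5"), Port: 8443},   // store controller
	}
	// Constructed flow records, as a firewall or flow collector might export them.
	SampleLog = []string{
		"2013-12-01T10:02:11Z tcp 10.20.1.15:51200 -> 10.20.0.5:8443",
		"2013-12-01T10:02:12Z tcp 10.20.1.15:51201 -> 203.0.113.10:443",
		"2013-12-01T10:05:40Z tcp 10.20.1.16:51300 -> 10.20.9.77:445",    // staging box inside the store
		"2013-12-01T10:06:02Z tcp 10.20.1.16:51301 -> 198.51.100.20:443", // unknown external host
		"2013-12-01T10:07:00Z tcp 10.20.1.15:51302 -> 10.20.9.77:6667",   // both policies drop this one
	}
)

func allowedBy(policy []Rule, f Flow) bool {
	for _, r := range policy {
		if r.Allows(f) {
			return true
		}
	}
	return false
}

// Audit returns flows the port-based policy lets through that the peer allow-list would block.
func Audit(records []string) ([]string, error) {
	var flagged []string
	for _, rec := range records {
		f, err := ParseFlow(rec)
		if err != nil {
			return nil, err
		}
		if allowedBy(PortPolicy, f) && !allowedBy(PeerPolicy, f) {
			flagged = append(flagged, fmt.Sprintf("%s -> %s:%d/%s", f.Src, f.Dst, f.DstPort, f.Proto))
		}
	}
	return flagged, nil
}

func main() {
	flagged, err := Audit(SampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted by port rules, rejected by peer allow-list:", flagged)
}
```

Run against the constructed log, the audit reports exactly the two flows a port-only rule set waves through: the SMB connection to an internal host that is not the store controller, and the HTTPS connection to an external host that is not the payment gateway. The same pattern works against real flow exports, with the POS subnet and the two legitimate peers substituted.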
macker490,
User Rank: Ninja
12/28/2013 | 1:20:04 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
thanks
My remarks are not totally original -- I would suggest reading this report
http://arstechnica.com/tech-po...
on Whitfield Diffie's testimony as an expert witness for Newegg in their lawsuit v. TQP

Whitfield explains the realization that network commerce would require security and authentication -- and relates that to his participation in the development of public key cryptography

Managing key trust should be taught in the 7th grade rather than wasting time factoring polynomials.
macker490,
User Rank: Ninja
12/27/2013 | 2:17:38 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Remember, it finally came out that the Heartland breach was an inside job, using USB sticks -- AGAIN.

If you are interested in security, get motherboards with PS/2 connectors for keyboard & mouse -- and NO USB connectors. Ideally the connectors should be inside a locked case.
lancop,
User Rank: Apprentice
12/27/2013 | 1:53:02 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
While the article is a good start on the Target Breach discussion, it is of necessity highly speculative since the investigation is in progress and insider forensic details are not likely to be forthcoming any time soon. But the real meat & potatoes at this point are to be found in the reader comments by folks like Mike Acker, pgregory and inforiskgroup. How transactions are captured, authenticated and settled is at the core of every credit card breach that we find ourselves dissecting, so informed comments by IT security professionals that illuminate the inherent flaws in the current standards or propose new processes that reduce the attack surface of credit card transaction systems are extremely helpful to all of us who play a role in the Information Technology arena. The Internet has become the public & private communications backbone of modern civilization, but financial transaction processing over this global network is rife with potential vulnerabilities that make fraudsters salivate in anticipation of a successful exploit at any point in the overall system. Given the costs & widespread disruption that POS breaches can cause to every party involved, it is critical to educate all IT professionals in security best practices and vulnerability assessment so that we can all be informed evangelists for continuous improvements to IT security standards. Otherwise, we will find civilization increasingly undermined by those dark forces that sneak around in cyberspace hunting for their next prey.
kenchu,
User Rank: Apprentice
12/26/2013 | 11:39:16 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Most companies don't pay attention to IT departments' suggestions until a tragedy like this happens. IT departments should have a more influential role (CIO) in the day-to-day running of a company!!! The company I work for had a similar situation... they never implemented full disk encryption for more than 45 years, until a senior executive's laptop was stolen with patient info.
kenchu,
User Rank: Apprentice
12/26/2013 | 11:36:57 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Great discussion for an IT student who has always been interested in security and hopes to actually branch out in the future. Scary that Target was targeted like this, but I could be wrong in suggesting that an inside man was involved...
pgregory98001,
User Rank: Apprentice
12/26/2013 | 4:02:24 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
One point I didn't see in this article is that just being PCI compliant is nowhere near enough. One of PCI's greatest shortcomings is that it does not require the encryption of card data on internal networks. I am told that the reason for this is that many companies would have to pay too high a price to implement internal encryption. However, we may yet learn that the Target breach (as others) was a result of card numbers being transmitted in the clear through internal networks.
macker490,
User Rank: Ninja
12/26/2013 | 12:27:28 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card, you are NOT authorizing ONE transaction; you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

If the merchant is hacked, the card numbers are then sold on the black market. Hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high-value items that can be resold.

It's a rough way to scam cash, and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems.

The POST will need to be redesigned to accept customer "smart cards".

The customer smart card will need an on-board processor -- with PGP.

When the customer presents the card, it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval, the customer's card will encrypt the invoice together with authorization for payment to the PCI (Payment Card Industry Card Service Center) for processing and forward the cipher text to the POST.

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP-encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval, the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
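The exchange proposed in the comment above, as an added example that is not part of the original post and not the design of any payment network. The card never hands its account number to the terminal; it receives an invoice, signs it together with the account number, and seals the result so that only the processor can open it. The merchant forwards an opaque blob and gets back an approval or a refusal. PGP itself is not used here; the example substitutes the same hybrid construction PGP relies on, a random AES-256-GCM session key wrapped to the processor's RSA key with OAEP, plus an ECDSA signature from the card's own key. Yearly expiry and revocation are modelled as processor-side checks. The processor, card, merchant, amounts and the PAN (4111111111111111, a conventional test number) are all constructed for the example.

```go
package main

// Added example of the "card authorizes the invoice" flow from the comment above.
// Not the poster's code. PGP is replaced by RSA-OAEP + AES-GCM and ECDSA; all
// parties, keys and the sample PAN are constructed here.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Invoice is everything the terminal sends to the card: no account data in it.
type Invoice struct {
	Merchant    string `json:"merchant"`
	AmountCents int64  `json:"amount_cents"`
	Ref         string `json:"ref"` // merchant's invoice number
}

// Authorization is the plaintext the card seals for the processor alone.
type Authorization struct {
	Invoice Invoice `json:"invoice"`
	CardID  string  `json:"card_id"` // processor looks up the card's signing key by this
	Account string  `json:"account"` // never leaves the ciphertext
	Expiry  int64   `json:"expiry"`  // card validity, the post's yearly expiry
	Sig     []byte  `json:"sig"`     // ECDSA over sha256(invoice|card_id|account|expiry)
}

// SealedAuth is what the merchant forwards; opaque to the POST and the merchant.
type SealedAuth struct {
	WrappedKey []byte // AES session key under RSA-OAEP to the processor
	Nonce      []byte
	Ciphertext []byte
}

type Card struct {
	id, account string
	expiry      time.Time
	signKey     *ecdsa.PrivateKey
}

type Processor struct {
	kemKey  *rsa.PrivateKey
	cards   map[string]*ecdsa.PublicKey
	revoked map[string]bool
}

func NewProcessor() (*Processor, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Processor{kemKey: k, cards: map[string]*ecdsa.PublicKey{}, revoked: map[string]bool{}}, nil
}

func (p *Processor) PublicKey() *rsa.PublicKey { return &p.kemKey.PublicKey }

// IssueCard generates the card's signing key and registers only its public half.
func (p *Processor) IssueCard(id, account string, expiry time.Time) (*Card, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	p.cards[id] = &k.PublicKey
	return &Card{id: id, account: account, expiry: expiry, signKey: k}, nil
}

func (p *Processor) Revoke(id string) { p.revoked[id] = true }

func authDigest(a Authorization) []byte {
	inv, _ := json.Marshal(a.Invoice)
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%d", inv, a.CardID, a.Account, a.Expiry)))
	return sum[:]
}

// Authorize: the card signs invoice + account and seals the result to the processor.
func (c *Card) Authorize(inv Invoice, processor *rsa.PublicKey) (SealedAuth, error) {
	a := Authorization{Invoice: inv, CardID: c.id, Account: c.account, Expiry: c.expiry.Unix()}
	sig, err := ecdsa.SignASN1(rand.Reader, c.signKey, authDigest(a))
	if err != nil {
		return SealedAuth{}, err
	}
	a.Sig = sig
	plain, _ := json.Marshal(a)
	session, nonce := make([]byte, 32), make([]byte, 12)
	if _, err := rand.Read(session); err != nil {
		return SealedAuth{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return SealedAuth{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, processor, session, []byte("pos-auth"))
	if err != nil {
		return SealedAuth{}, err
	}
	block, _ := aes.NewCipher(session)
	gcm, _ := cipher.NewGCM(block)
	// The wrapped key is bound in as associated data so it cannot be swapped.
	return SealedAuth{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, wrapped)}, nil
}

// Settle runs at the processor: unwrap, decrypt, then check status, expiry,
// that the merchant's copy of the invoice is the one the card signed, and the signature.
func (p *Processor) Settle(s SealedAuth, merchantCopy Invoice, now time.Time) (string, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), nil, p.kemKey, s.WrappedKey, []byte("pos-auth"))
	if err != nil {
		return "", errors.New("cannot unwrap session key")
	}
	block, _ := aes.NewCipher(session)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, s.Nonce, s.Ciphertext, s.WrappedKey)
	if err != nil {
		return "", errors.New("ciphertext rejected")
	}
	var a Authorization
	if err := json.Unmarshal(plain, &a); err != nil {
		return "", err
	}
	pub, ok := p.cards[a.CardID]
	switch {
	case !ok || p.revoked[a.CardID]:
		return "", errors.New("card unknown or revoked")
	case now.Unix() > a.Expiry:
		return "", errors.New("card expired")
	case a.Invoice != merchantCopy:
		return "", errors.New("merchant's invoice differs from the one the card signed")
	case !ecdsa.VerifyASN1(pub, authDigest(a), a.Sig):
		return "", errors.New("bad card signature")
	}
	return fmt.Sprintf("APPROVED %s %d", a.Invoice.Merchant, a.Invoice.AmountCents), nil
}

func main() {
	p, _ := NewProcessor()
	card, _ := p.IssueCard("card-0001", "4111111111111111", time.Now().Add(365*24*time.Hour)) // test PAN
	inv := Invoice{Merchant: "Store 1234", AmountCents: 4999, Ref: "INV-77"}
	sealed, _ := card.Authorize(inv, p.PublicKey())
	fmt.Println(p.Settle(sealed, inv, time.Now()))
}
```

Two properties of the post's design fall out directly: the merchant's systems only ever hold `Invoice` and `SealedAuth`, neither of which contains the account number, so memory scraping on the terminal yields nothing reusable; and because the card signs the invoice, a merchant who alters the amount after the fact, or a card that has been revoked or has passed its expiry, is refused at settlement.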
macker490,
User Rank: Ninja
12/26/2013 | 12:26:32 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
It is important to recognize that electronic fraud generally exploits our failure to authenticate transactions and transmittals. We have attempted to "port" our manual, "pen and ink" procedures into a digital network environment.

Public key encryption systems were then created to resolve this issue. Sadly, we have settled for the X.509 SSL certificate and allowed the BIG VENDORS to just sweep the issue under the carpet.

We should be teaching the 7th-graders how to verify a PGP key trust model instead of wasting time factoring polynomials.

Hint: if you are going to trust a key, you are expected to verify it yourself -- and sign for it. Yep, you should have your own PGP key if you are going to do any e-commerce, including downloading/installing software, banking -- and -- credit cards.
