
Hannaford extrusion event - threat modeling a retail network

Two weeks ago, after I heard about 4.2 million credit card numbers being stolen at the Hannaford Bros. supermarket chain, I wrote that it looked like an inside job.

I hate to gloat, but I am willing to wager that they never did a practical threat analysis of their point-of-sale system, and here is why.

Boston.com reported last Friday that Hannaford believes it was the victim of a sophisticated attack: malware stealing credit card numbers at POS terminals and transferring the data overseas.

I love the overseas bit - it's so American - yeah - all the bad guys live "overseas". Ooo - "overseas" is exotic and mysterious. Get with it people - there is no "overseas" in the Internet - you can store an FTP server with stolen credit card numbers in Myanmar or in San Diego - it don't make no difference.

You can do this exploit with a ten-line shell script. This is not sophisticated malware that some overseas attacker sneaked onto 300 servers, and I'll argue below that the attack surface was far more probably one centralized server than 300 stores and all their cash registers.


Hannaford sent a letter to Massachusetts Attorney General Martha Coakley and the Office of Consumer Affairs and Business Regulation, in which the Maine-based retailer concluded it was the victim of a "new and sophisticated" technique where the attacker sneaked malware onto servers at all of its nearly 300 grocery stores. A Coakley spokesperson confirmed the Attorney General's Office had received the letter, but that it would not be released to the public.

The cloak of secrecy makes this entire incident even more suspicious in my eyes. Visa doesn't reveal data, the AG doesn't reveal data, and Hannaford can continue to try to baffle us with bullshit instead of dazzling us with brilliance.

Let's try to analyze what is going on here:

The Hannaford story is that a bad guy installed malware on all the store servers and that the malware intercepted data from the POS terminals while the cards were being swiped.

1. How exactly did the malware get onto over 300 store back-office servers?
Did someone drive out to every store and install it? Are these servers accessible from the public Internet? I highly doubt it.

2. How did malware on the back-office server intercept credit card swipes in real time on the POS terminal? The back-office servers usually run Windows 200x and the POS terminals usually run DOS, and client and server talk a proprietary protocol over the store network. It is a fair assumption that the back-office servers do not have Internet access, although they must have connectivity to head office. Since the POS terminals at the cash registers have no external network connectivity and speak proprietary protocols, their exposure to a network attack is low.

Since the back-office servers perform credit card authorization via a payment gateway to the card processor, we need to consider two possible attack scenarios:

A. Each store server accesses a non-Hannaford payment gateway directly. The store servers have outgoing Internet access, which lets malware extrude customer data over FTP.

It is possible that software was installed by a trusted insider on all of the store back-office servers. This would be an employee or outsourced contractor in the IT department. The software would actually be quite simple, not at all as sophisticated as Hannaford would have us believe. It would read the batch file of credit card numbers collected from the POS terminals at the cash registers while they wait for authorization, and aggregate the records on the side. Every so often a cron job would run and FTP the file out.

B. Each store server accesses a central Hannaford-operated payment gateway. The store servers don't have outgoing Internet access. (I don't see how they could if the chain was PCI DSS certified...)

In this case the exploit is a shell script on the gateway that reads the temporary files of credit card numbers that the store servers transmit to the payment authorization gateway.
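As an added example (not from the original post), here is the defender's side of that claim: a script that walks a gateway's spool or temp directories and reports files holding Luhn-valid card numbers in cleartext, the same batch files and temporary files that scenarios A and B assume the insider's script reads. The directory layout, file names and card numbers are constructed for the demo (the PANs are the standard Visa and Mastercard test numbers); point scan_tree at a real spool directory to run it for real.

```python
"""Added example, not code from the original post: find files under a
directory that hold Luhn-valid card numbers (PANs) in cleartext. If this
finds anything in a payment gateway's spool/temp area, the 'ten-line shell
script' attack surface described in the post exists. All sample data below
is constructed for the demo."""
import os
import re
import tempfile

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return masked (first 6, last 4) Luhn-valid PANs found in text, in order."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found


def scan_tree(root: str) -> dict:
    """Map each file under root (relative path) to its masked PANs; files with no hits are omitted."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if pans:
                hits[os.path.relpath(path, root)] = pans
    return hits


def build_demo_spool() -> str:
    """Constructed sample data (assumed layout, not Hannaford's): an authorization
    batch with two test-card PANs, a log line with a Luhn-invalid 16-digit order id,
    and a clean file. Returns the temp directory root."""
    root = tempfile.mkdtemp(prefix="gw-spool-")
    os.makedirs(os.path.join(root, "auth"))
    with open(os.path.join(root, "auth", "batch_0412.tmp"), "w") as fh:
        fh.write("REG07|4111 1111 1111 1111|0512|42.17\n")   # Visa test PAN
        fh.write("REG03|5500-0000-0000-0004|1109|118.40\n")  # Mastercard test PAN
    with open(os.path.join(root, "gateway.log"), "w") as fh:
        fh.write("order 1234567890123456 settled\n")         # 16 digits, fails Luhn
    with open(os.path.join(root, "README"), "w") as fh:
        fh.write("nothing to see here\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_spool()
    for rel_path, pans in scan_tree(demo_root).items():
        print(f"{rel_path}: {len(pans)} PAN(s) in cleartext -> {', '.join(pans)}")
```

The Luhn filter is what keeps this usable on a real server: without it, every 16-digit order number or timestamp run in a log file is a hit. Output is masked so the scan report itself does not become another cleartext copy of the card data.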

A trusted insider in IT drops the script on the payment gateway. The payment gateway probably has public Internet access. If necessary the insider can open up a port for himself, but knowing how poorly maintained most firewalls are, my guess is that the FTP port was open anyhow for maintenance purposes.
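As an added example (not from the original post) of the check that follows from the FTP-port remark: parse the gateway firewall's outbound connection log, flag FTP control connections to any host that is not the card processor, and, going one step beyond the text, test whether those connections recur at a fixed interval, as a cron-driven upload would. The iptables-style log lines, the gateway address 10.20.0.5 and the processor address 203.0.113.10 are constructed for the demo.

```python
"""Added example, not code from the original post: find outbound FTP sessions
from a payment gateway to hosts other than the card processor, and check
whether they recur on a schedule. Log format, addresses and allowlist are
assumptions made for the demo."""
import re
from collections import defaultdict

# Assumed iptables LOG output for new outbound TCP flows from the gateway host.
LOG_RE = re.compile(
    r"^\w{3} +\d+ (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

GATEWAY = "10.20.0.5"                   # assumed payment gateway address
PROCESSOR_ALLOWLIST = {"203.0.113.10"}  # assumed card processor address (TEST-NET-3)
FTP_CONTROL_PORT = 21

# Constructed sample log: one night's outbound flows from the gateway segment.
SAMPLE_LOG = """\
Mar 28 02:00:01 gw kernel: OUT-NEW SRC=10.20.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=41022 DPT=443
Mar 28 02:15:03 gw kernel: OUT-NEW SRC=10.20.0.5 DST=198.51.100.77 LEN=60 PROTO=TCP SPT=41100 DPT=21
Mar 28 02:15:04 gw kernel: OUT-NEW SRC=10.20.0.5 DST=198.51.100.77 LEN=60 PROTO=TCP SPT=41101 DPT=20
Mar 28 02:30:00 gw kernel: OUT-NEW SRC=10.20.0.9 DST=198.51.100.77 LEN=60 PROTO=TCP SPT=50012 DPT=21
Mar 28 03:15:02 gw kernel: OUT-NEW SRC=10.20.0.5 DST=198.51.100.77 LEN=60 PROTO=TCP SPT=41230 DPT=21
Mar 28 03:40:10 gw kernel: OUT-NEW SRC=10.20.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=41300 DPT=21
Mar 28 04:15:05 gw kernel: OUT-NEW SRC=10.20.0.5 DST=198.51.100.77 LEN=60 PROTO=TCP SPT=41410 DPT=21
"""


def ftp_to_unknown_hosts(log_text, src=GATEWAY, allow=PROCESSOR_ALLOWLIST):
    """Return {dst: [seconds-since-midnight, ...]} for FTP control connections
    (port 21) from src to destinations not on the allowlist. Data-channel
    flows (port 20) and other hosts' traffic are ignored."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("src") != src or int(m.group("dpt")) != FTP_CONTROL_PORT:
            continue
        if m.group("dst") in allow:
            continue  # scheduled settlement uploads to the processor are expected
        secs = int(m.group("hh")) * 3600 + int(m.group("mm")) * 60 + int(m.group("ss"))
        sessions[m.group("dst")].append(secs)
    return dict(sessions)


def beacon_interval(seconds, tolerance=60):
    """If three or more connection times are evenly spaced (gaps agree within
    tolerance seconds), return the interval in whole minutes; otherwise None.
    A fixed interval is the signature of a cron job, not of a human operator."""
    if len(seconds) < 3:
        return None
    gaps = [b - a for a, b in zip(seconds, seconds[1:])]
    if max(gaps) - min(gaps) <= tolerance:
        return round(sum(gaps) / len(gaps) / 60)
    return None


def report(log_text):
    """Map each unexpected FTP destination to (session count, interval minutes or None)."""
    return {
        dst: (len(times), beacon_interval(times))
        for dst, times in ftp_to_unknown_hosts(log_text).items()
    }


if __name__ == "__main__":
    for dst, (count, interval) in report(SAMPLE_LOG).items():
        sched = f"every {interval} min" if interval else "irregular"
        print(f"{GATEWAY} -> {dst}:21  {count} FTP session(s), {sched}")
```

The allowlist is the point: FTP to the processor is legitimate batch traffic, so "port 21 is open" tells you nothing on its own. What the threat model asks is whether port 21 is open to everywhere, and whether anything on the gateway is using it on a timer.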

This is not sophisticated malware that some overseas attacker sneaked onto 300 servers. The attack surface could be 300 stores and all their cash registers, but it is far more probable that the attack surface is a single server: a centralized payment authorization gateway that stores temporary files.

About

This page contains a single entry from the blog posted on April 2, 2008 9:34 AM.


This weblog is licensed under a Creative Commons License.