Jason Atchley : Data Security : The Target Breach: Is There a Silver Lining?
The Target Breach: Is There a Silver Lining?
What to expect as the company reverse-engineers the breach to diagnose how it happened.
Jason Fredrickson, Law Technology News
December 23, 2013, 12:29 PM
It was recently reported, and Target has since confirmed, that retail giant Target Corp. fell victim to a massive data breach involving more than 40 million consumer credit and debit cards, and that the theft had been going on since Nov. 29 (“Black Friday”). The last retail breach of this magnitude was the TJX Companies breach disclosed in 2007.
The very nature of this attack makes it difficult to detect. It targeted point-of-sale terminals, limited-function devices rather than the valuable central servers, and it went after one narrow step in the payment flow, so only a small number of security controls cover that area at all.
Even security teams can overlook how thoroughly computers have infiltrated day-to-day life. Point-of-sale devices are often specialized hardware running specialized software, and because they are not “standard” workstations they typically lack the anti-malware and anti-virus coverage that is de rigueur on ordinary desktops and laptops. At the same time, the data that passes through them (credit card numbers, driver's license information, and so on) makes them an obvious target for large-scale attacks: the payoff easily compensates the criminals for their effort.
There are dozens of ways the attackers could have initially compromised Target's network, but the company should look closely at the obvious one: insider activity. It is likely that an insider opened the door either knowingly (an employee actively helped the attacker) or unwittingly (an employee plugged in a thumb drive without knowing what was on it). It is a good bet that this will turn out to be a classic advanced persistent threat: an attacker actively managing the malware remotely over time until it could be maneuvered into position on point-of-sale terminals across the nation.
The challenge Target faces over the next several days is determining how the initial compromise occurred and how to prevent it in the future. A tiny amount of back-of-the-envelope forensics already narrows the search: the attackers stole track data (the contents of the card's magnetic stripe), which exists in the clear at only a few points in the entire sales process, so we know roughly where the malware inserted itself into the chain.
The attackers likely inserted a “shim” into the card-processing stack that simply logged the magnetic-stripe data as it moved from the card reader, through the terminal's software, and over the network to the payment processor. It is probably something like the Stuxnet worm, but for credit card readers: purpose-built code living inside a specialized device and quietly working on one narrow process.
From there the security team will track the attack backwards in time, looking at network access and system logs to find where it entered the network. That means fairly heavy computer forensics: digging into system logs, file-system records, and other artifacts to establish what happened, where, and when.
The good news for those of us who used payment cards at Target during the breach window is that credit card fraud is credit card fraud: the card issuers, through the Visa and MasterCard chargeback process, will reverse fraudulent transactions if we dispute them, so we need not take the financial hit during the expensive holiday season.
The bad news is that they are not going to do it automatically; we are going to have to ask. That means reviewing our credit card statements carefully and watching for purchases we didn't make. And if your household is like mine, that may mean inadvertently finding out where your spouse shopped for your Christmas present!
Unfortunately, there is not a lot we can do as consumers, other than paying cash, to protect ourselves from attacks like this. Shopping at major, reputable retailers like Target minimizes the risk from hardware-based card “skimmers” and the other ways smaller crooks steal card numbers. But nothing we can do at the checkout will prevent an intrusion like this one, which happened inside the retailer's own systems.
Shopping online, despite the hype, is probably a safer bet. The security model between your web browser and the card processor is strong and well understood; the information sent in an online purchase (card number, expiry date, and the security code printed on the card) is usually not enough to let an attacker produce a working counterfeit card, because the magnetic-stripe track data never leaves the card, so even a stolen number can only be used online; and many issuers offer single-use “temporary” card numbers specifically for online transactions, which are the safest of all. That is the reverse of this breach: the stolen track data is precisely what is needed to encode a counterfeit card.
The end result of this, as with other breaches, is higher costs. Typically the card issuers compensate consumers who identify fraud; they pass those costs on to the merchant in the form of increased fees or penalties; and the merchant raises prices for consumers.
My hope is that the “silver lining” in this cloud will be an increased attention to specialized systems and a more proactive stance on the part of all retailers towards identifying APTs—whether by locking down policies, doing baseline deviation analysis or some other combination of technologies—as well as operating under the assumption that their network is already breached and that perimeter defense isn’t enough.
In the meantime, when Target discovers the source and process of the attack, let's hope it makes that information available to the providers of its point-of-sale equipment, so the industry can address the vulnerability and help protect other merchants and their customers.
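One concrete form of the baseline deviation analysis mentioned above, and of working backwards through network logs as described earlier, is to learn which destinations each point-of-sale lane normally talks to and then flag connections that fall outside that profile. The following is an added illustration, not code from the article or from any retailer. The flow records, lane names, addresses and the internal address ranges are constructed assumptions, and `build_baseline`, `find_deviations` and the other names are this example's own.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Address ranges the retailer treats as internal. An assumption for this
# constructed example; a real deployment would load its own address plan.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Deviation labels.
EXTERNAL = "external"          # lane reached something outside the internal ranges
NEW_DEST = "new-destination"   # internal, but never seen for this lane in the baseline
VOLUME = "volume"              # far more bytes than this lane has ever sent at once


@dataclass(frozen=True)
class Conn:
    ts: str
    host: str
    dst_ip: str
    dst_port: int
    nbytes: int


def parse_log(text: str) -> List[Conn]:
    """Parse constructed flow records of the form '<time> <host> <ip>:<port> <bytes>'."""
    conns = []
    for line in text.strip().splitlines():
        ts, host, dst, nbytes = line.split()
        ip, port = dst.rsplit(":", 1)
        conns.append(Conn(ts, host, ip, int(port), int(nbytes)))
    return conns


@dataclass
class Baseline:
    dests: Dict[str, Set[str]]   # host -> {"ip:port", ...} seen in the learning window
    max_bytes: Dict[str, int]    # host -> largest single flow seen


def build_baseline(conns: List[Conn]) -> Baseline:
    """Record, per lane, every destination used and the largest flow sent."""
    dests: Dict[str, Set[str]] = defaultdict(set)
    max_bytes: Dict[str, int] = defaultdict(int)
    for c in conns:
        dests[c.host].add(f"{c.dst_ip}:{c.dst_port}")
        max_bytes[c.host] = max(max_bytes[c.host], c.nbytes)
    return Baseline(dict(dests), dict(max_bytes))


@dataclass(frozen=True)
class Deviation:
    conn: Conn
    kind: str


def find_deviations(baseline: Baseline, conns: List[Conn],
                    volume_factor: int = 10) -> List[Deviation]:
    """Flag each connection that breaks the learned profile of its source lane.

    A lane absent from the baseline has no known destinations and a byte
    ceiling of zero, so everything it does gets reported."""
    found: List[Deviation] = []
    for c in conns:
        addr = ipaddress.ip_address(c.dst_ip)
        if not any(addr in net for net in INTERNAL_NETS):
            found.append(Deviation(c, EXTERNAL))
        elif f"{c.dst_ip}:{c.dst_port}" not in baseline.dests.get(c.host, set()):
            found.append(Deviation(c, NEW_DEST))
        if c.nbytes > volume_factor * baseline.max_bytes.get(c.host, 0):
            found.append(Deviation(c, VOLUME))
    return found


# Constructed learning window: lanes talk only to the store's payment
# gateway (10.20.1.5:443) and file server (10.20.1.9:445), in small flows.
BASELINE_LOG = """
2013-12-01T09:00:01 pos-lane-07 10.20.1.5:443 1820
2013-12-01T09:00:03 pos-lane-07 10.20.1.9:445 4096
2013-12-01T09:05:12 pos-lane-07 10.20.1.5:443 1790
2013-12-01T09:06:44 pos-lane-12 10.20.1.5:443 1811
2013-12-01T09:07:02 pos-lane-12 10.20.1.9:445 4096
"""

# Constructed later window: one lane pushes 30 MB to an unfamiliar internal
# host over SMB, then reaches an outside FTP server (203.0.113.0/24 is a
# documentation range standing in for "the internet").
OBSERVED_LOG = """
2013-12-02T02:11:40 pos-lane-07 10.20.1.5:443 1810
2013-12-02T02:12:03 pos-lane-07 10.20.3.44:445 31457280
2013-12-02T02:12:10 pos-lane-07 203.0.113.10:21 2048
2013-12-02T02:13:55 pos-lane-12 10.20.1.5:443 1802
"""


def run() -> List[Deviation]:
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return find_deviations(baseline, parse_log(OBSERVED_LOG))


if __name__ == "__main__":
    for d in run():
        c = d.conn
        print(f"{c.ts} {c.host} -> {c.dst_ip}:{c.dst_port} {c.nbytes}B  [{d.kind}]")
```

The point of the design is that a checkout lane has a very small legitimate vocabulary of peers, so a whitelist learned from a quiet period is tight enough to be useful: the staging transfer to an unfamiliar host and the outbound connection to a public address both stand out even though neither would trip a signature-based control, and the same records give the forensics team the timeline to walk backwards from.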
Jason Fredrickson is the senior director of application development at Guidance Software, based in Pasadena, Calif.