the attack against target - how was it done and how has it changed the security landscape

Upload: thomas-burg

Post on 29-May-2015

DESCRIPTION

This talk was given at the PKF (Payment Knowledge Forum) in London on September 30th as part of the 2014 summit. For details about PKF see http://www.thepkf.org; for details about the 2014 summit see http://www.thepkf.org/lon_2014eventinfo.php. It was, once more, a very good event – highly recommended. This presentation has three pieces: (1) how the attack against Target was executed and how it could have been stopped; (2) whether the attack has changed the security landscape and, if so, how; (3) recommendations for going about securing computer systems.

TRANSCRIPT

Page 1: The attack against target - how was it done and how has it changed the security landscape

DISCLAIMER:

This presentation reflects the opinions and recommendations of the authors only and does not in any way represent the views or endorsements of any other parties.

HP NonStop is a trademark of Hewlett-Packard Development Company, L.P. All other trademarks are the property of their respective owners.

copyright (2014) comForte 21 1

Page 2:

To be able to look at this presentation offline and without the speaker's audio, slide notes have been added to some slides and are shown here, on the right.

It is recommended to view the presentation in ‘full screen, single page at a time’ view, giving you the slide (as presented) in the upper left and the slide notes (to be used when viewing the PDF or SlideShare version) on the right side.

Page 3:

Thomas is…

• somewhat of a geek, playing with computers at the age of 13 and now making a living off it

• Learning about computer security since about 2000 –classes, reading, …. Learning every day … CISSP 2007

• active on LinkedIn

• Privately: active on Facebook (but never posting images of people), Writing his own blog

• investing in Bitcoins (!?). In fact, I mined bitcoins at home and it looks like it ramped up my energy bill. Fortunately I only invest small scale, otherwise I’d be VERY worried about losing my bitcoins – more on this later

• I am also the CTO of comForte – more about the company at the end

Page 4:

• Understand how the Target hack (and, probably, the Home Depot attack and several others) was done

• Understand that computer security is, at this point in time, not exactly effective. So we’ll talk about

• Why do the bad guys seem to win? In other words, why is securing computer systems HARD

• Some old principles which are still important

• A new model …

• What comForte can do for you

Page 5:

• OK, I told you about me and about my goals for today – time for you to answer some questions…

• Who in the audience works for ….

• a vendor of computer software (maybe even security software!?)

• a consulting company (small or large, one-man shows allowed)

• Real “customers” or “users” (the ones with the budgets that the sponsors are after):

• Retailers

• Banks

• Other FIs (financial institutions)

• Result of quiz: a somewhat even distribution of all of the folks above

Page 6: (no slide notes)

Page 7:

The URL shown is a rather detailed write-up of the breach – including how the stolen credit card numbers are monetized in the “carder underground”. Highly recommended reading.

The diagram “how the hackers broke in” is also from the article – we will now look at the steps in more detail.

Download URL is http://www.businessweek.com/printer/articles/189573-missed-alarms-and-40-million-stolen-credit-card-numbers-how-target-blew-it

Page 8:

This is the POS acquiring infrastructure at TARGET, showing only the core systems required for the processing of POS transactions.

The system on the right is a HP NonStop system, see http://www.hp.com/go/nonstop for more information about the computing platform. We use the term “NonStop system” in the diagram for brevity.

If these were the only systems, the breach at TARGET could not have happened in the same way.

Note: the speaker got some heat from an HP NonStop guy because he did not like “breach” and “HP NonStop” in the same sentence – especially since the breach did not happen “on” HP NonStop. Point well taken – however, don’t think your NonStop is safe (we’ll get to this bit later).

Page 9:

This diagram adds more systems which are part of the larger TARGET infrastructure: two internal servers process the “back office” data collected at the point-of-sale systems, and an HVAC system (heating, ventilation, air conditioning) is maintained remotely by an external HVAC vendor.

Page 10:

In the first step of the attack, the “bad guys” took over a web site that an employee of the HVAC company was using. By doing so, they obtained his username and password for that – unrelated – web site.

Unfortunately, the employee used the same password for his remote HVAC maintenance access to the TARGET network – and thus the attackers were inside the TARGET network.

Page 11:

They were then able to ‘take over’ an internal server present at every TARGET store, a server with direct connectivity to the store's POS systems (which run Microsoft Windows).

Page 12:

In the next step, they used that internal server to install specifically crafted malware onto the Windows POS systems.

Page 13:

At this point the malware installed on the POS systems was collecting the full card data of each and every POS transaction. It used a well-known technique called “memory scraping” (RAM scraping): the track data read from the card passes “through” the Windows POS system in clear text on its way to the NonStop system that processes the POS data, and the malware simply searched the POS software's memory for it.

The final step is getting the data out of the internal TARGET network. Here the attackers had to be careful not to raise an alarm by opening new connections (an outgoing FTP connection from a store to an unknown host on the Internet would almost certainly have raised alarms immediately).

This final step is called “exfiltration”.

Page 14:

For exfiltration, the attackers were able to take over another internal server, already shown on an earlier slide. That server was not in the “critical network zone” and hence its outgoing data was not monitored as closely as that of each TARGET store.

Page 15:

In the final step, the attackers sent the data from the Windows POS systems to the internal server on the right, where they accumulated it for a while.

They then sent the data to a few servers on the Internet and from there downloaded it to their own systems.
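The exfiltration hop described on the last three pages is exactly the traffic that a destination allowlist, a cleartext-protocol rule and a per-hour volume rule would catch – provided the rules are applied to every zone and not only to the stores. The following is an added example (not code from the talk, not from comForte or any product) that runs such rules over a handful of constructed flow records. The record layout (timestamp,src,dst,dport,bytes_out), the 10.0.0.0/8 internal range, the 203.0.113.x approved external peers and the 50 MB per hour threshold are all assumptions of the example:

```python
"""Catching the exfiltration hop in outbound connection logs.

Added example, not code from the talk or from any product. The flow
records below are constructed; their layout is an assumption modelled on
what a firewall or NetFlow collector exports. 10.20.1.x is taken to be the
back-office zone, 203.0.113.x the approved external peers (acquirer,
update servers).
"""
from collections import defaultdict
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_EXTERNAL = {"203.0.113.10", "203.0.113.11"}
CLEARTEXT_FILE_PORTS = {20, 21}            # FTP data / control
BYTES_PER_HOUR_LIMIT = 50 * 1024 * 1024    # per (src, dst) pair and hour

# Constructed sample: timestamp,src,dst,dport,bytes_out
SAMPLE_FLOWS = """\
2013-12-02T03:05:11,10.20.1.7,203.0.113.10,443,18234
2013-12-02T03:07:40,10.20.1.7,203.0.113.10,443,20101
2013-12-02T03:10:02,10.20.1.7,198.51.100.23,21,73400320
2013-12-02T03:15:59,10.20.1.7,198.51.100.23,21,41943040
2013-12-02T04:02:13,10.20.1.9,203.0.113.11,443,9000
2013-12-02T04:02:14,10.20.1.9,10.20.1.7,445,2048000
2013-12-02T13:30:00,10.20.1.7,198.51.100.24,21,3145728
"""


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_exfiltration(flows):
    """Return a sorted list of unique (rule, src, dst) findings."""
    findings = set()
    per_hour = defaultdict(int)
    for f in flows:
        if is_internal(f["dst"]):
            continue                       # east-west traffic is out of scope here
        if f["dst"] not in ALLOWED_EXTERNAL:
            findings.add(("unapproved-destination", f["src"], f["dst"]))
        if f["dport"] in CLEARTEXT_FILE_PORTS:
            findings.add(("cleartext-file-transfer", f["src"], f["dst"]))
        # aggregate bytes per (src, dst, hour); "2013-12-02T03" is the hour key
        per_hour[(f["src"], f["dst"], f["ts"][:13])] += f["bytes"]
    for (src, dst, _hour), total in per_hour.items():
        if total > BYTES_PER_HOUR_LIMIT:
            findings.add(("volume-threshold", src, dst))
    return sorted(findings)


def analyse_sample():
    return find_exfiltration(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for rule, src, dst in analyse_sample():
        print(f"{rule:25} {src} -> {dst}")
```

The staged transfer to 198.51.100.23 trips all three rules; the smaller transfer to 198.51.100.24 still trips the allowlist and the cleartext rule, which is the point: the allowlist catches the hop regardless of how patiently the data is drip-fed.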

Page 16:

Summary: five steps, each time hopping from one machine to the next. Note the complexity of the attack – this is not a simple attack but one that requires careful advance planning as well as a lot of attention to detail during the ‘execution’ stage.

Page 17:

As companies improve their defenses, attacks need more and more steps to succeed. This is why “defense in depth” is such an important concept – the defender only needs to break a single step of the chain to thwart the whole attack. Here are a few measures, any one of which could have prevented the specific attack carried out successfully against TARGET:

• Preventing distribution and installation of the malware onto the POS systems:

• Better segmentation of the in-store network

• Strong authentication for vendor access

• Actually acting on the alerts raised by the advanced malware detection tool (“FireEye”, see the Businessweek article for details)

• Setting FireEye to “block” rather than “alert”

• Using end-to-end encryption between the card-reading device at the POS and the acquiring system, so that the Windows POS system only ever handles ciphertext

• Detecting and blocking the outbound traffic in which the confidential data was transferred to servers outside of Target's store network

(It should be noted that these measures are by no means a comprehensive security architecture; they are the few pieces of a whole defense-in-depth strategy that would have made the difference.)
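To make the memory-scraping step from Page 13 and the end-to-end encryption countermeasure in the list above concrete, here is an added example; it is not code from the talk, from comForte or from any product. The first half does what a POS RAM scraper does: sweep a memory image for Track 2 data and keep the Luhn-valid hits. The second half models encryption inside the card reader, so that only ciphertext ever reaches POS memory and the same scraper comes up empty. The sample PAN is the standard 4111... test number; the stream cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is a stand-in for the AES-based P2PE schemes used in practice, chosen so the example needs only the Python standard library; the hard-coded keys are assumed to have been provisioned into the reader and the acquirer out of band.

```python
"""POS RAM scraping, and why encrypting in the card reader defeats it.

Added example: not code from the talk, from comForte or from any product.
Assumptions: the sample PAN is the 4111... test number; the stream cipher
(HMAC-SHA256 in counter mode, encrypt-then-MAC) stands in for the AES-based
P2PE schemes used in practice; the keys are taken to have been provisioned
into the reader and the acquirer out of band.
"""
import hashlib
import hmac
import os
import re

# Track 2 as it sits in memory: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\?")


def luhn_ok(number: str) -> bool:
    digits = [int(c) for c in number]
    checksum = sum(digits[-1::-2]) + sum(sum(divmod(2 * d, 10)) for d in digits[-2::-2])
    return checksum % 10 == 0


def scrape_track2(memory: bytes) -> list:
    """What the malware did: sweep a process memory image for Track 2 data,
    keeping only Luhn-valid PANs so the haul is not polluted by junk."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(memory)
            if luhn_ok(m.group(1).decode())]


# --- countermeasure: encrypt in the reader, decrypt only at the acquirer ---

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def reader_encrypt(enc_key: bytes, mac_key: bytes, track: bytes) -> bytes:
    """Runs inside the card reader; the POS software only ever sees the result."""
    nonce = os.urandom(12)
    ciphertext = bytes(a ^ b for a, b in zip(track, _keystream(enc_key, nonce, len(track))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def acquirer_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Runs at the acquiring system; rejects anything modified in transit."""
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# Constructed sample data: one real-looking swipe (Luhn-valid test PAN) and
# one 16-digit number that fails Luhn, which a scraper should discard.
SWIPE = b";4111111111111111=2512101123456789?"
NOISE = b";4111111111111112=2512101000000000?"


def pos_memory_plaintext() -> bytes:
    """POS process memory when the reader hands over clear-text track data."""
    return b"\x00" * 16 + NOISE + b"\xff" * 8 + SWIPE + b"\x00" * 16


def pos_memory_e2ee(enc_key: bytes, mac_key: bytes) -> bytes:
    """POS process memory when the reader encrypts before handing over."""
    return b"\x00" * 16 + reader_encrypt(enc_key, mac_key, SWIPE) + b"\x00" * 16


def demo():
    enc_key, mac_key = b"k" * 32, b"m" * 32          # assumption: provisioned out of band
    plain_hits = scrape_track2(pos_memory_plaintext())
    memory = pos_memory_e2ee(enc_key, mac_key)
    e2ee_hits = scrape_track2(memory)
    recovered = acquirer_decrypt(enc_key, mac_key, memory[16:-16])
    return plain_hits, e2ee_hits, recovered


if __name__ == "__main__":
    hits, e2ee_hits, recovered = demo()
    print("scraper finds in clear-text POS memory :", hits)
    print("scraper finds in E2EE POS memory       :", e2ee_hits)
    print("acquirer recovers                      :", recovered)
```

The Windows POS system is still compromised in the second scenario; it just has nothing worth stealing in memory any more, which is the whole point of pushing encryption down into the reader.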

Page 18:

• Who knows what an APT is

• Who knew all the gory details of this attack

• Who knows what DLP is

• Who knows what Data Centric Security is

Results of quiz:

• Who knows what an APT is (few. APT stands for Advanced Persistent Threat – see presentation http://www.slideshare.net/thomasburg/from-russia-with-love-modern-tools-used-in-cyber-attacks on SlideShare)

• Who knew all the gory details of this attack (about a third of the audience)

• Who knows what DLP is (few. It stands for Data Loss Prevention – in a nutshell this is about avoiding data being leaked via technical means)

• Who knows what Data Centric Security is (very few. This will be talked about later)

Page 19: (no slide notes)

Page 20:

Let’s first look at the security landscape before ca. 2005:

• The defenders had appropriate tools (Antivirus, Firewalls)

• The attackers were mostly harmless and well-meaning

Page 21:

Only five years later – but big changes in the ‘real world’ (!). We’ll talk about CEO perceptions later.

• The attackers are plenty, skilled and motivated

• No real change on the defender side

• The defenders are very often busy with something else, understaffed and underfunded

Page 22:

Only another four years later!

• The attackers are plenty, skilled and motivated – much more so (APT)

• Again, no real change on the defender side

• Still, the defenders are very often busy with something else, understaffed and underfunded

Question from the title “How has the attack on target changed the computer security landscape”. Answer: technically, not at all. Perception: next slide

Page 23:

This discussion on LinkedIn started with a rather insightful blog entry (more on this below) and turned into very interesting reading – I’d recommend looking at the whole thread (which keeps growing, 45 comments as of 29 Sep 2014).

Link to discussion: https://www.linkedin.com/groups/Current-State-PCI-66587.S.5917749052983771136?view=&gid=66587&item=5917749052983771136&type=member&commentID=discussion%3A5917749052983771136%3Agroup%3A66587&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_FOLLOWED#commentID_discussion%3A5917749052983771136%3Agroup%3A66587

The aforementioned blog entry is at http://www.tenable.com/blog/the-current-state-of-pci.

Page 24:

Quoted, with permission from http://www.tenable.com/blog/the-current-state-of-pci .

Highly recommended reading!

Page 25:

Quoted, with permission from http://www.tenable.com/blog/the-current-state-of-pci. Highly recommended reading!

It is paraphrased nicely in the discussion by Mark Faithfull, Interim Technology Leader, Founder & CEO www.textsquirt.com :

(quoted)

The key section of the article by Jeff Mann is this:

The PCI DSS, as a set of security requirements, does not presume that organizations will not be breached, but rather tries to set organizations up for detecting the compromise early, and hopefully minimizing the damage. This is the key message we need to evangelise- to move PCI from being a 'compliance' based project and instead get business leaders thinking more in terms of:

We will get breached- we better get ourselves organised so we can spot it the day it happens

To this end, the PCI framework does provide a lot of helpful guidance for businesses who don't have that security infrastructure in place at the moment. The most telling fact about the recent high profile breaches is the length of time intruders are in the merchant systems before these big breaches are discovered, which to me means the 'business as usual' of living the PCI life is not in place in these organisations.

Page 26:

Quoted (with permission) from a LinkedIn discussion in the “PCI Network - The World's Largest Payment Card Industry Group” group

The discussion started with the following blog entry http://www.tenable.com/blog/the-current-state-of-pci – highly recommended reading

Link to discussion:

https://www.linkedin.com/groups/Current-State-PCI-66587.S.5917749052983771136?view=&gid=66587&item=5917749052983771136&type=member&commentID=discussion%3A5917749052983771136%3Agroup%3A66587&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_FOLLOWED#commentID_discussion%3A5917749052983771136%3Agroup%3A66587

Page 27:

So far we looked at changes in the industry. The speaker believes that while the ATTACK SCENARIOS have radically changed (“improved” from the point of view of the attacker), the DEFENSE SCENARIOS have not. We’ll look at the ‘defense scenarios’ in a second.

The speaker has been thinking about this question for years, maybe decades. He still isn’t sure, but he feels he is closing in (?). So, here is the most important slide of this presentation. Why are the bad guys winning? (drum roll, slide still blank)

(1) There is a HUGE difference between the perception of computer security among the non-computer-security-geeks (about 99.999 % of the general population) and the computer-security-geeks. The problem is that to see the problem you have to be very geeky. There are excellent classes on this by SANS; they will turn you from the 99.999 % into the 0.001 % within a week – I did this 10 years ago and became a convert. The class SEC401: Security Essentials Bootcamp Style is a class I cannot recommend highly enough – it does take a week and it does cost about US$ 5000 – but it is worth every $. See www.sans.org for details.

(2) Anyway: here is how most people perceive computer security (image shows): Most importantly, they don’t care. They have a life and other things to worry about. Also, overall it can’t be that bad – my company has not been hacked yet. I have not been hacked yet. The industry will take care. …

Page 28:

So here is what the “security geeks” are perceiving… Drum roll… Image appears

I spent the last 14 years of my life learning about computer security. I am still learning every day. Why do I think this way?

(1) In most life scenarios, getting “99 % right” is good. In computer security it can be disastrous

(2) There is no silver bullet. Repeat after me: there is no silver bullet. It is hard.

(3) Translation of “it is hard”:

(1) It will be expensive. Ramp up the budget

(2) It is beyond products (although some vendors might tell you so)

(3) It is an arms race. New attacks are coming out every day

(4) Most of us have a life and other things to do than securing their computers…

Back to the bitcoin story: If I had EUR 100,000 k in Bitcoins…. I’d sell them real fast

But let’s say I couldn’t – what would I do? Here’s what:

- Buy a new computer. Most probably not Windows or Mac

- Set up a bitcoin wallet

- Take it off the Internet and never connect it again (!!!)

- Move data only through freshly formatted USB sticks

- Side note: modern bitcoin wallets allow you to do just that

Page 29: (no slide notes)

Page 30:

Let’s take a moment to think about the message so far. Shouldn’t we simply give up hope?

Page 31:

Ignore the issue or…

Hope that it does not happen to you or …

Do something

Nope – there are ways to cope

Page 32:

About 20 years ago, users would connect to “big iron” (mainframe-type computers) using dedicated terminals which had no other functionality than to access the system.

Today, PCs are used to connect to HP NonStop systems and administer them. The big problem with this is that many core security principles are based on “user authentication” – making sure the NonStop knows which user is currently connecting.

Historically, there have been many means of using this information for “authorization” – namely deciding who can do what (and who can NOT do what).

This has worked well over the years – but most attacks, including the one on TARGET, show that attackers are able to “0wn” (hacker lingo for “own”) any PC or midrange server in the organization. An “0wned” PC is effectively remote-controlled by the bad guys – and with that, user authentication from that PC is broken: the NonStop still sees a valid user name and password, but the keystrokes and sessions belong to the attacker. It should not be relied on as strongly as it has been so far.

This knowledge is widespread in the security community – but unfortunately it is not that widespread outside it.

Page 33:

https://en.wikipedia.org/wiki/Tootsie_Roll – supposedly this is “hard on the outside, chewy on the inside”

Image credits: see the Wikipedia link above and/or https://upload.wikimedia.org/wikipedia/commons/thumb/0/02/Tootsie-Roll-WU.jpg/220px-Tootsie-Roll-WU.jpg (Tootsie-Roll-WU, CC BY-SA 3.0, Evan-Amos – own work)

Badly broken!!! (Look at the Target attack…)

Page 34:

See also http://technodrone.blogspot.com/2014/07/m-snickers-and-security-in-cloud.html or http://networkingnerd.net/2014/07/15/security-dessert-models/

Or see http://www.computer.org/csdl/mags/sp/2005/05/j5004.pdf - a white paper from 2005 (sic!)

Image credit: see https://en.wikipedia.org/wiki/File:Snickers_wrapped.jpg

Page 35:

IMHO, "we", the IT geeks and/or the industry have horribly failed in making executives aware of what is at stake. Also, I am *not* aware of a proper translation of "IT risk" and "protective technical measures" into "value from C-level view".

That said, I just came upon a most wonderful white paper from IBM,

Elevating the Discussion on Security Management

The Data Centric Paradigm

downloadable at

https://www.google.fi/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCEQFjAA&url=http%3A%2F%2Fwww.researchgate.net%2Fpublication%2F4257215_Elevating_the_Discussion_on_Security_Management_The_Data_Centric_Paradigm%2Flinks%2F0deec51b8afeb363fe000000&ei=LxQoVPDHIcHkaoL7gKgJ&usg=AFQjCNGAqVHURFbcqxwnCt54C5tWDPDj6w&bvm=bv.76247554,d.d2s (if you find an easier link, let me know at [email protected] )

This is the best on this topic I have read in about a decade. Finally there might be hope for C-levels folks to "get it" ???

Page 36:

Comments on that paper very welcome ...

Page 37:

Quoted, with permission from https://securosis.com/blog/trends-in-data-centric-security-new-series

Page 38:

From the aforementioned white paper…

Page 39: (no slide notes)

Page 40:

We focus on the HP NonStop platform. In fact, we just wrote a book about the platform – you can get it at http://www.comforte.com/ns4dummies

Along with many products for this platform, we have a product for data-centric security (you didn’t think you’d be getting away without a sales pitch, did you?).

It is about enabling existing (“legacy”) applications to replace PANs with tokens on HP NonStop. It is relatively new, but we do have customers in production. Wearing my vendor hat for a moment, I think that we are best equipped within the NonStop market to make this possible for legacy applications. Why is that:

- We have been doing this for a couple of years now

- We have an open architecture, allowing you to use our own tokenization engine (which is blazingly fast!) or any (!) enterprise tokenization engine.

For more information about the product, please go to www.comforte.com/securdata or (recommended even more) look at our YouTube video series at http://youtu.be/-bnxPrdS0-0
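As an added illustration of the tokenization idea (this is not SecurData and not comForte code), the following sketches a vault-based tokenization service: PANs go in, format-preserving tokens come out, and only the settlement component is allowed to turn a token back into a PAN. The design choices, namely keeping the PAN's length and last four digits, making every token fail the Luhn check so it can never pass as a card number, the in-memory vault, and the single "settlement" caller name, are assumptions of this example.

```python
"""Vault-based tokenization for a legacy payment application.

Added example only: not SecurData, not comForte code. Assumptions:
  - the vault lives in process (a real one is a hardened, separately
    administered store, typically HSM-backed);
  - tokens keep the PAN's length and last four digits so legacy field
    validation and "**** 1111" receipts keep working;
  - every token fails the Luhn check, so a token can never be mistaken
    for, or replayed as, a real card number;
  - only the settlement component is authorised to detokenize.
"""
import secrets


def luhn_ok(number: str) -> bool:
    digits = [int(c) for c in number]
    checksum = sum(digits[-1::-2]) + sum(sum(divmod(2 * d, 10)) for d in digits[-2::-2])
    return checksum % 10 == 0


class TokenVault:
    def __init__(self):
        self._token_by_pan = {}
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:          # same PAN -> same token, so joins still work
            return self._token_by_pan[pan]
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # a Luhn-failing token can never equal a PAN (PANs pass Luhn)
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller != "settlement":
            raise PermissionError(f"component '{caller}' may not detokenize")
        return self._pan_by_token[token]


def process_transaction(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the legacy application stores: the PAN is swapped for its token at the edge."""
    token = vault.tokenize(pan)
    return {"pan_token": token, "masked": "**** " + token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    record = process_transaction(vault, "4111111111111111", 1999)
    print(record)
    print(vault.detokenize(record["pan_token"], "settlement"))
```

An application that stores only the token can be dumped, scraped or exfiltrated without yielding a single PAN; the vault becomes the one place that needs PCI-grade protection, which is what "data-centric" means in practice.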

Page 41:

If you think you are secure – think again. You are not. Sorry. Please do not kill the messenger. It is all about getting the perception right – and spending money wisely and seeing this as a process…

We need to move from the Tootsie Roll security model (“hard on the outside, chewy on the inside”) to the Snickers security model (“crunchy on the inside” – data driven!).

comForte:

- HP NonStop for Dummies, just out – get it at http://www.comforte.com/ns4dummies

- Lots of expertise around HP NonStop systems

- Product for data-centric security for HP NonStop (“SecurData”, click on the image). It also helps with PCI compliance. For more information about the product, please go to www.comforte.com/securdata or (recommended even more) look at our YouTube video series at http://youtu.be/-bnxPrdS0-0

- And, of course, http://www.comforte.com
