Verizon: Data Breaches Getting More Sophisticated
(Via Threat Level.)
Methods of stealing data are becoming increasingly sophisticated, but attackers are still gaining initial access to networks through known, preventable vulnerabilities, according to a report released by Verizon Business on Wednesday.
“Attacks are getting more sophisticated and more difficult to prevent,” said Wade Baker, research and intelligence principal for Verizon Business’s RISK Team, in an interview. “The attackers still usually get in the network through some relatively mundane attacks. But once they’re in, they’re getting more and more adept at getting the data they want and getting it effectively and silently. And we seem to be on a plateau in terms of our ability to detect [them].”
For example, while companies have been expanding their use of encryption to protect bank card data in transit and in storage, hackers have begun to use RAM scrapers to grab data during the few seconds it’s unencrypted and transactions are being authorized.
“A paper was published about the theoretical possibility of this about three years ago,” Baker said. “But 2008 was the first time we saw [the attacks] live and active. It is a fairly sophisticated attack to be able to grab data from memory.”
The attacks are detailed in a new report issued by Verizon’s RISK Team, which conducts forensic investigations for companies that experience a breach. The report supplements the company’s 2009 Data Breach Investigations report, released in April. That report also indicated that thieves were conducting “more targeted, cutting-edge, complex” attacks, but provided few details to describe exactly how hackers were getting into systems.
The supplement provides case studies, involving anonymous Verizon clients, that detail some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.
In one case, for example, a simple SQL injection attack opened the door for intruders to breach the entire network of an unidentified consumer banking institution. Once inside, the attackers had unfettered access to the entire network, including the hardware security modules for the bank’s ATM system, from which they were able to grab account numbers and PINs.
HSMs are security devices that sit on bank networks and switches through which card transactions pass on their way from an ATM or retail cash register to the card issuer for authentication. The module is a tamper-resistant device that is supposed to provide a secure environment for encryption and decryption of the PINs to occur. When transaction data hits the HSM, the PIN is decrypted for a fraction of a second, then re-encrypted with a key for the next leg in its journey, which is itself encrypted under a master key that is stored in the module.
But as Threat Level reported previously, thieves have found a way to fool the application programming interface (or API) of the HSM into revealing the encryption key to them.
Academic papers published in the last few years have described theoretical attacks against HSMs, but generally an attacker needed physical access to the device to exploit it. In the Verizon case, however, the hackers were able to remotely attack the HSM because the bank had installed no access controls to protect it from unauthorized personnel, and the HSM was accessible from “hundreds of systems” in the bank’s network, making it vulnerable to attack from anyone. For several months, the attackers siphoned data out of the network via FTP connections to IP addresses in South America.
Baker said most companies are starting to disable command capabilities in HSMs to prevent an attacker from exploiting the API. But Verizon has seen cases where an attacker reverted the software on a secured HSM to its previous vulnerable version — essentially restoring the command capability and making it open to attack again.
SQL injection attacks were one of the most common methods of breaching systems in the Verizon cases. They were used in 19 percent of the cases and accounted for 79 percent of the breached records.
A SQL injection attack is generally conducted through a website to its backend database and is often the first simple step in what becomes a more sophisticated attack once the hacker is in the network. By sending special attack commands through a vulnerable website to the backend database, a hacker can obtain access to the database, change data in it or use it as a jumping-off point to install a sniffer, keystroke logger or backdoor on the network.
Verizon describes the case of one Europe-based processor of pre-paid debit cards that discovered it had been hacked when it conducted a routine review of transaction balances on a Monday morning. The attackers, who entered the system from IP addresses based in Russia, had used SQL commands to increase the balance on multiple card accounts.
The processor discovered the activity because the balances didn’t match the amounts the merchants, who sold the cards, had recorded as deposits into the accounts. The hackers also increased the withdrawal limits on the cards. In a coordinated attack over one weekend, mules around the world withdrew more than 3 million euros from ATMs before the company discovered the problem.
Another card processor was also breached through a SQL injection attack. In this case, the attackers installed “an extensive array” of packet sniffers on the processor’s network to map it out and locate card data. Then they installed keystroke loggers to record administrative passwords to get into the core payment system and installed other sniffers that siphoned millions of transaction records.
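The reconciliation that caught the pre-paid card fraud, and the parameterized lookup that closes the injection path described above, as an added example that is not from the article or from Verizon. It uses an in-memory SQLite database with constructed card, deposit and policy values (the 500-euro limit cap is an assumption).

```python
import sqlite3

# Constructed sample data (not from the Verizon report): the processor's card
# table after tampering, and the selling merchants' own records of deposits.
CARDS = [
    # (card_id, balance_eur, withdrawal_limit_eur)
    ("C1001", 50.00, 200.00),
    ("C1002", 9_500.00, 5_000.00),   # balance and limit inflated by the attacker
    ("C1003", 120.00, 200.00),
]
MERCHANT_DEPOSITS = [
    # (card_id, amount_eur) as recorded by the merchant who sold the card
    ("C1001", 50.00),
    ("C1002", 100.00),
    ("C1003", 70.00),
    ("C1003", 50.00),
]
MAX_LIMIT_EUR = 500.00  # assumed policy cap on per-card withdrawal limits


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE cards(card_id TEXT PRIMARY KEY, balance REAL, withdrawal_limit REAL);"
        "CREATE TABLE merchant_deposits(card_id TEXT, amount REAL);"
    )
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", CARDS)
    conn.executemany("INSERT INTO merchant_deposits VALUES (?, ?)", MERCHANT_DEPOSITS)
    return conn


def reconcile(conn, max_limit=MAX_LIMIT_EUR):
    """One finding per card whose balance differs from merchant deposits or whose limit exceeds policy."""
    findings = []
    rows = conn.execute(
        "SELECT c.card_id, c.balance, c.withdrawal_limit, COALESCE(SUM(d.amount), 0) "
        "FROM cards c LEFT JOIN merchant_deposits d ON d.card_id = c.card_id "
        "GROUP BY c.card_id"
    )
    for card_id, balance, limit, deposited in rows:
        if abs(balance - deposited) > 0.005:
            findings.append((card_id, "balance_mismatch", balance, deposited))
        if limit > max_limit:
            findings.append((card_id, "limit_over_policy", limit, max_limit))
    return findings


def card_balance(conn, card_id):
    # Bind card_id as a parameter so a web-supplied value is only ever data,
    # never SQL text: the fix for the injection path the article describes.
    row = conn.execute("SELECT balance FROM cards WHERE card_id = ?", (card_id,)).fetchone()
    return row[0] if row else None
```

Run `reconcile(build_db())` to list the tampered card; a Monday-morning batch of this kind is what surfaced the weekend fraud in the Verizon case.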
Point-of-sale (POS) systems were another popular target in Verizon’s caseload.
A U.S. restaurant chain was using a point-of-sale system that stored unencrypted card data, in violation of the payment card industry security guidelines. The thieves were able to get into the restaurant chain’s system because a third-party company hired to install the POS system in each restaurant neglected to change the system’s default password. Intruders had been in the system for “years” siphoning card data, Verizon reported.
Verizon wouldn’t identify the restaurant chain or the company that installed its POS system. But Threat Level reported on a case last week that involved seven restaurant chains that are suing the maker of a point-of-sale system and the company that installed the system in their restaurants for the same kinds of vulnerabilities described in Verizon’s report.
The suit claims that the POS systems stored card transaction data in violation of PCI guidelines and that the company that installed the systems at the restaurants failed to change the vendor’s default passwords. The defendants in that suit are Radiant, maker of the Aloha POS system, and Computer World, a Georgia-based company that installed the systems in the restaurants.
Another Verizon case involving POS systems affected a number of unrelated supermarkets across the country that were all breached through an attack originating from a single IP address in South Asia.
The attacker used legitimate credentials to gain access, but rather than having the same default credentials, the systems all used different logins and passwords. Verizon discovered that the supermarkets had all hired the same third-party firm to manage their POS systems. It turned out that an attacker had hacked the firm and stolen its customer list, which identified the unencrypted log-in credentials the firm used to access the POS system at each supermarket.
See also:
- PIN Crackers Nab the Holy Grail of Bank Card Security