Bet the report concludes you should give him some money to prevent you from having that money stolen. Either via crooks or HPC you are going to get screwed over.
A new report on point-of-sale malware presents the most detailed examination of the malicious code behind high-profile attacks against US retailers to date. Cyphort Labs’ in-depth look focuses on Target, Home Depot and UPS breaches and involved an analysis of BlackPOS, FrameworkPOS and Backoff malware samples. The researchers …
Wednesday 12th November 2014 13:38 GMT wyatt
Wednesday 12th November 2014 13:50 GMT Yet Another Anonymous coward
Monday 17th November 2014 15:10 GMT Michael Wojcik
is it really that hard to detect things going wrong
In Target's case, their (outsourced) IDS team did detect the breach. They informed management, per procedure, and were ignored.
More-sophisticated malware (such as Backoff) can make detection difficult. As with pretty much anything in security, there's a tradeoff: the attacker can expend more effort to force the defender to expend more effort.[1]
Often, though, the problem is not detection. The problem is bureaucracy, and an aversion to interfering with operations (and so taking a hit on revenue) in order to investigate possible intrusions.
[1] This ought to be obvious, but years of reading comments to security-related stories in the Reg has taught me that much of the readership remains stubbornly ignorant of even the most basic concepts in information security. I suppose that's because there are only dozens or hundreds of well-known, accessible, free sources of information on the subject readily available to them.
Wednesday 12th November 2014 13:40 GMT Anonymous Coward
Wednesday 12th November 2014 17:12 GMT wub
Wednesday 12th November 2014 21:23 GMT Herby
Of course it might be easier if...
They didn't use a version of Windoze as the base of the system. While this isn't in all systems, I suspect that there is an influence in many. Then they connect to the general internet and things go crazy. It seems to me that having a firewall (or similar) that detects connections to wrong places (I suspect a short whitelist would work) might stop things dead in their tracks.
Of course many of the PoS vendors probably didn't think about security to begin with, but I'll leave comments about that to someone else.
For the paranoid: Cash leaves no trail!
Thursday 13th November 2014 00:05 GMT Anonymous Coward
Re: Of course it might be easier if...
The PoS terminals should never be accessing the Internet; they should only be communicating with the back-end systems and nothing more. Why any of these companies thought that third parties should be able to access these systems is beyond me. For Target an HVAC vendor was hacked and their VPN connection was used to access the PoS systems. Why an HVAC vendor even had access to reach that is beyond me. It is nothing more than just being lazy and doing what is easiest to implement.
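The egress allow-list the two posts above argue for (terminals talk to back-end hosts and nothing else), as an added example that is not part of this thread: a check run over constructed firewall flow records that flags any PoS terminal connection not going to an allow-listed back-end host on a permitted port. The subnets, hosts, ports and log format are all constructed for the example.

```python
import ipaddress
import re

# Egress allow-list for the PoS segment: terminals may talk only to the
# back-end payment/back-office hosts on fixed ports. All subnets, hosts
# and ports here are constructed for this example.
ALLOWED = {
    ipaddress.ip_network("10.20.250.0/24"): {443, 8443},  # payment switch / back office
    ipaddress.ip_network("10.20.251.5/32"): {514},         # syslog collector
}

# Constructed firewall connection-log format, one flow per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_line(line):
    """Return the flow's fields as a dict, or None for non-matching lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_allowed(dst, dport):
    """True only if dst is inside an allow-listed network on a permitted port."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and dport in ports for net, ports in ALLOWED.items())

def find_violations(lines):
    """Report (host, dst, dport) for each flow outside the allow-list: an
    external address, or a non-permitted port to an otherwise allowed host."""
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and not is_allowed(rec["dst"], rec["dport"]):
            violations.append((rec["host"], rec["dst"], rec["dport"]))
    return violations

# Constructed sample: two normal back-end flows, then two that should alert.
SAMPLE_LOG = """\
2014-11-12 13:38:01 pos-term-07 src=10.20.1.7 dst=10.20.250.10 dport=443 proto=tcp
2014-11-12 13:38:04 pos-term-07 src=10.20.1.7 dst=10.20.251.5 dport=514 proto=udp
2014-11-12 13:39:12 pos-term-03 src=10.20.1.3 dst=203.0.113.45 dport=80 proto=tcp
2014-11-12 13:40:30 pos-term-07 src=10.20.1.7 dst=10.20.250.10 dport=445 proto=tcp
""".splitlines()
```

Run `find_violations(SAMPLE_LOG)` to get the two offending flows; the second one shows why the port matters as well as the address, since a permitted host on an unexpected port is still a deviation from what a terminal should be doing.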
Thursday 13th November 2014 03:02 GMT Medixstiff
Re: Of course it might be easier if...
Actually quite a few POS systems use Linux based OSes these days.
Simply put, there should be no-one other than an internal IT person touching POS machines, ever.
Worst case scenario, a supplier's staff member should sit next to the IT people and the IT people do the keystrokes, just like we have to do when someone tries a remote session at work here.
VISA and Mastercard should be pushing back on the retailers too, as it affects their brands just as much as the retailers.
This is what happens when it all boils down to nothing but cost; it's not that expensive in the grand scheme of things for a large supermarket to have 1 or 2 IT staff in the building doing the regular bread and butter IT jobs. Maybe instead of paying overblown salaries to managers that bring SFA value to the company, trim the fat up top to help pay for the real value adds in the business.
Tuesday 30th December 2014 23:14 GMT Anonymous Coward
The root cause ...
... of those attacks is clearly the use of highly vulnerable PC and networking technology in business-critical environments. Why, for heaven's sake, do we deploy POS terminals and ATMs that are powered by x86 CPUs running under Windows or Linux? Hackers have easy access to all the hardware and software needed to develop and test related malware, and company networks are just too big and heterogeneous to be kept reasonably secure.
Using some other embedded hardware and software which isn't that easy to get hold of, and insisting on solid end-to-end encryption between the card reader and the authorization system would put an end to those nasty attacks. Adding more people to the payroll won't.
Monday 27th April 2015 11:31 GMT Anonymous Coward
Re: The root cause ...
«Why, for heaven's sake, do we deploy POS terminals and ATMs that are powered by x86 CPUs running under Windows or Linux? Hackers have easy access to all the hardware and software needed to develop and test related malware, and company networks are just too big and heterogeneous to be kept reasonably secure.»
Because it facilitates integration? Because security through obscurity isn't security?
«...and insisting on solid end-to-end encryption between the card reader and the authorization system would put an end to those nasty attacks. Adding more people to the payroll won't.»
Now we're getting somewhere. Good software practices, sane and (at least) reasonable security-minded programming, etc, etc, etc goes a long way, even with Windows. As it's been said: when all that matters is the money, there's only so much anyone can do, regardless of whether they're an IT tech at the site or a developer of the POS software.
But, alas, it's the people in suits and PhDs in PowerPoint that have the final say on technical decisions. Put a monkey at the wheel of a Ferrari and you're still in trouble.