More POS malware, just in time for Christmas

Threat researchers are warning of two pieces of point of sales malware that have gone largely undetected during years of retail wrecking and now appear likely to earn VXers a haul over the coming festive break. The Cherry Picker and AbaddonPOS malware, exposed in the last week, are the latest evolution in stealthy and capable …

  1. Anonymous Coward

    Q:

    Is it not possible to design these things in such a way that all the code within them is signed so that without the key, it is essentially impossible to implant software that does not "belong" to the unit.

    I ask not as an expert but as someone who sees shit like this on an almost daily basis and thinks, there *must* be a simple way to mitigate this...

    1. Vic

      Re: Q:

      Is it not possible to design these things in such a way that all the code within them is signed so that without the key, it is essentially impossible to implant software that does not "belong" to the unit.

      Yes.

      The problem is not "is it possible" - yes, of course it is. The snag is the question "was it done?". Sadly, no it was not. Everyone went for cheap and easy, rather than secure and expensive. We can only change that situation by replacing every POS in the field...

      Vic.

  2. Pascal Monett

    What is the attack vector ?

    How can a point-of-sales terminal get infected without the miscreant going behind the counter and faffing about with the equipment for a very visible few minutes ?

    If I brazenly go to the cashier's chair in a supermarket anywhere and get busy with the equipment, I give it all of 20 seconds before some employee is standing next to me asking me wtf I'm doing. If it's in a major store, he'll be accompanied by at least one security guy. And I'll be looking at some embarrassing minutes before the cops are called.

    So this has to be done under the guise of some sort of maintenance, right ? Guy in coveralls from the proper company doing regular maintenance and slipping in a bit more unnoticed. Or possibly one of the employees in cahoots with the scum.

    Is there another way ?

    1. Mark 85

      Re: What is the attack vector ?

      There was the Michael's attack a couple of years ago where they did faff with the POS devices. It just wasn't one store either.

    2. Jim Cosser

      Re: What is the attack vector ?

      This is changing with things like self service in the UK, we have a greater exposure to the user.

      Also these machines don't exist in a network vacuum as such depending on how the network is configured there is exposure here.

      With regards to prevention, it seems like a no brainer candidate for application whitelisting.
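
The signed-code idea raised in the first thread (Vic's "yes, it is possible") and the application whitelisting suggested just above come down to the same mechanism: the terminal holds a vendor public key, the vendor ships a signed allowlist of executable hashes, and nothing outside that list runs. The following is an added illustration of that gate, not code from The Register, from any commenter, or from any POS vendor; it assumes Ed25519 for the signature, uses hypothetical Windows paths, and stands in constructed byte strings for file contents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps an executable path on the terminal to the hex SHA-256 of its contents.
// It is the allowlist: only what the vendor signed may run.
type Manifest map[string]string

// Encode renders the manifest in canonical (sorted) order so signer and verifier
// hash identical bytes regardless of map iteration order.
func (m Manifest) Encode() []byte {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&b, "%s  %s\n", m[p], p)
	}
	return []byte(b.String())
}

// HashBytes returns the hex SHA-256 of a file's contents.
func HashBytes(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignManifest runs once, offline, on the vendor's build machine. The private key
// never ships to the terminal, which is what makes a field-implanted binary
// impossible to authorise.
func SignManifest(m Manifest, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, m.Encode())
}

var (
	ErrBadSignature = errors.New("manifest signature invalid (manifest tampered or wrong key)")
	ErrNotAllowed   = errors.New("executable not listed in manifest")
	ErrHashMismatch = errors.New("executable contents differ from manifest")
)

// AllowExec is the gate the terminal runs before launching any executable. The
// public key is baked into the terminal image; the manifest and signature can be
// updated, but only by whoever holds the private key.
func AllowExec(m Manifest, sig []byte, pub ed25519.PublicKey, path string, contents []byte) error {
	// Verify first: until the signature checks out, the manifest is attacker-controlled data.
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return ErrBadSignature
	}
	want, ok := m[path]
	if !ok {
		return ErrNotAllowed
	}
	if want != HashBytes(contents) {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for file contents; a real terminal reads the files from disk.
	posApp := []byte("vendor POS application")
	scraper := []byte("memory scraper dropped via remote admin")
	patched := []byte("vendor POS application with an extra thread")

	m := Manifest{`C:\POS\pos.exe`: HashBytes(posApp)} // hypothetical path
	sig := SignManifest(m, priv)

	fmt.Println("vendor app:       ", AllowExec(m, sig, pub, `C:\POS\pos.exe`, posApp))
	fmt.Println("dropped binary:   ", AllowExec(m, sig, pub, `C:\Temp\svchost.exe`, scraper))
	fmt.Println("patched app:      ", AllowExec(m, sig, pub, `C:\POS\pos.exe`, patched))

	// An attacker with admin rights edits the allowlist to include their binary; without
	// the private key the stored signature no longer matches and everything is refused.
	tampered := Manifest{`C:\POS\pos.exe`: HashBytes(posApp), `C:\Temp\svchost.exe`: HashBytes(scraper)}
	fmt.Println("tampered manifest:", AllowExec(tampered, sig, pub, `C:\Temp\svchost.exe`, scraper))
}
```

The point of the last case is Vic's: signing only helps if the verifying key is in the terminal and the signing key is not, so a remote administrator (or malware running as one) cannot simply append to the list. Hash allowlisting without a signature, which is what plain application whitelisting amounts to, stops the first two cases but not the fourth.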

    3. This post has been deleted by its author

    4. VinceH

      Re: What is the attack vector ?

      "How can a point-of-sales terminal get infected without the miscreant going behind the counter and faffing about with the equipment for a very visible few minutes ?"

      From the article:

      "The memory-scraping malware runs on Windows platforms including Windows 7 and the hard-to-kill XP, running remote administration services."

      It doesn't make anything clear beyond that (I don't have time to read the linked piece; I'm about to go out - and running late), but that's the starting point; probably no direct physical contact needed.
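
The article line quoted above calls the malware "memory-scraping": it reads the process memory of the POS software looking for magnetic-stripe track data, which sits in cleartext in RAM between the swipe and whatever encrypts it. Defenders hunt for the same thing in a memory dump, with one refinement the regex alone does not give: a Luhn check on the candidate PAN to throw out random digit runs. The scanner below is an added example, not code from the article, from the researchers it cites, or from any commenter; the "dump" is a constructed byte string with industry-standard test card numbers, and the track layouts assumed are the ordinary ISO/IEC 7813 Track 1 and Track 2 formats.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Hit is one card-data record found in a memory buffer. PAN is masked before it
// leaves the scanner so the detector does not itself become a leak.
type Hit struct {
	Track  int
	PAN    string
	Offset int
}

var (
	// Track 2: ;PAN=YYMM SSS discretionary?  (PAN 13-19 digits, expiry, service code)
	track2Re = regexp.MustCompile(`;(\d{13,19})=(\d{4})\d{3}\d*\?`)
	// Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary?
	track1Re = regexp.MustCompile(`%B(\d{13,19})\^[A-Z /.'-]{2,26}\^(\d{4})\d{3}[^?]*\?`)
)

// Luhn reports whether a digit string passes the Luhn check digit; it filters out
// most random digit runs that happen to match the track regexes.
func Luhn(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) > 0 && sum%10 == 0
}

// MaskPAN keeps the first six and last four digits, the usual PCI-style masking.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ScanForTrackData runs both regexes over a raw memory buffer, keeps only
// Luhn-valid PANs, and returns the hits ordered by offset.
func ScanForTrackData(buf []byte) []Hit {
	var hits []Hit
	for track, re := range map[int]*regexp.Regexp{1: track1Re, 2: track2Re} {
		for _, m := range re.FindAllSubmatchIndex(buf, -1) {
			pan := string(buf[m[2]:m[3]]) // capture group 1 is the PAN
			if Luhn(pan) {
				hits = append(hits, Hit{Track: track, PAN: MaskPAN(pan), Offset: m[0]})
			}
		}
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].Offset < hits[j].Offset })
	return hits
}

// SampleDump is a constructed stand-in for a process memory dump: filler bytes,
// one Track 2 record, one Track 1 record, and a Luhn-invalid decoy that a
// regex-only scanner would wrongly report.
var SampleDump = []byte("\x00\x00pos.exe\x00" +
	";4111111111111111=25121011234567890?" +
	"\x00\x00\x00some heap noise\x00" +
	"%B5555555555554444^DOE/JANE^25121010000000?" +
	"\x00\x00;1234567890123456=2512101000?\x00")

func main() {
	for _, h := range ScanForTrackData(SampleDump) {
		fmt.Printf("track %d at offset %d: %s\n", h.Track, h.Offset, h.PAN)
	}
}
```

Run against a real dump (for example, the output of a memory acquisition tool) the same function answers the practical question a responder has after reading an article like this: is card data sitting unencrypted in this process's memory at all? If the answer is yes, a scraper with the same regexes will find it too.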

      1. Anonymous Coward

        Re: What is the attack vector ?

        Well, if these POS systems can be remotely administered by anyone then they really are a POS.

    5. Anonymous Coward

      Re: What is the attack vector ?

      What is the attack vector ?

      More generally, whatever is the weakest link. It could be open media drives on terminals, it could be the corporate network for the store (ie, your choice of phishing, zero days, SQL injection, corruption, fraud, or access via third party systems, you name it). It could be physical interference with the card reader or terminal by the bogus maintenance guy, disaffected employees. And if the hardware spec is sufficiently inadequate, then simply connecting a poisoned USB drive whilst nobody is looking could be sufficient, taking all of five seconds (because nobody thought to remove or physically disable all the USB ports on a vanilla PC chassis).

      A big part of the problem is that many EPOS are a complete POS. So running an outdated OS, or a newer but unpatched OS, or actually written in some bugware like Java. The EPOS software supply chain is very similar to the ERP software supply chain - so more than a few are snowball acquisition outfits, where the original coders and designers have long since left, the IP has been sold several times over, and there's no real knowledge of the software. Nobody dares touch it in case it falls over, and nobody really cares about data security because that's the customer's problem.

      And all of that is before you look at the founders and directors of some of the EPOS companies - a search on the words fraud, conviction, Retail J, Lucas EPOS, Torex, XN Checkout, will pull up sufficient to get the gist of this, but in my view there's more, affecting more companies and systems.

      1. Alien8n

        Re: What is the attack vector ?

        I used to work for Torex (Retail J, LUCAS and XN Checkout were all Torex applications).

        The software was all Java, with either SQL Server, PostgreSQL or Oracle DB at the backend. Front end would be either Debian or Windows XP.

        A bit slow but generally well written, configurable to any language of choice. Certainly no back doors in any of the software.

        The chairman on the other hand was as dodgy as they come. The company was actually taken down from within as the Finance Director took all the financial documents in the back of his car and dropped about a dozen boxes in the lobby of the SFO with the line "I think my boss is breaking the law, here's the evidence". The chairman was also implicated in the $400M write down of iSoft's healthcare software division (guess who iSoft bought? Yup, Torex Healthcare). Part of the reason for the write down was the fact Torex Retail sales had been booked through Torex Healthcare's books. You'd think someone might have queried why the 99p Stores were a client of Torex Healthcare and why $400M of sales revenue suddenly disappeared overnight. It gets even murkier when you realise the Australian company that ended up buying iSoft was run by an ex-director of... Torex Healthcare.

        [subnote: in pure irony at its finest the Finance Director's previous role was as Special Financial Advisor to... Enron.]

        1. Alien8n

          Re: What is the attack vector ?

          Before anyone else gets in, a correction (in my defence it's been 7 years since I worked at Torex). It wasn't the Finance Director who shopped the company, it was the CEO (who as stated was an advisor to Enron when Enron went bust...)

    6. Anonymous Coward

      Re: What is the attack vector ?

      Sadly, it is very possible to slip behind a counter in a busy retailer and be completely unchallenged. Simply wear an ID badge, carry a cardboard box with a "part" in it, and act like you have every right to be there.

      I do break/fix in some large retail establishments in the UK, and quite often, the person who raises the call isn't around when you turn up, some overworked person signs you in and points you in the direction you need to go, and you're left to your own devices. Last time, I'd walked past the line of customers waiting to be served, taken the front off the counter, demounted the PoS customer display, changed the offending cable and started to put everything back before I even got a "hello" out of the shop staff, never mind asking if I'd any right to be doing what I was doing...

      Sometimes, human beings aren't as smart as we like to think - it's like bees, fiercely guarding the hive entrance, but once you're inside, it's assumed you've every right to be there or _someone else_ would have stopped you.

    7. Tom 13

      Re: If I brazenly go to the cashier's chair in a supermarket

      Meh.

      Does your local supermarket have an IT staff on site?

      No, mine doesn't either and that's usually the start of the problem. A friend of mine does POS support work for a fast food franchise owner. Last time I checked their staff of 3.5 at the home office supported about 400 stores located mostly in Pennsylvania but with some down in the Carolinas and Texas. Which means almost all of the administration is done remotely. And that's your vector.

      I think they've finally gotten off the XP stuff for what amounts to their POS server even though it's a bog standard desktop box for the 3-5 terminals run in the store. I'm less sure the terminals are no longer running embedded XP.

      Also remember, since there is no onsite IT staff, the actual IT staff are frequently asking the store manager to be the trained monkey following their over the phone troubleshooting steps. And yeah, some of them are dumber than the managers in El Reg's BOFH articles.

  3. Gene Mosher

    Linux POS, anyone?

    Feeling pretty good about my Linux-based POS software these days.
