Anatomy of a Data Breach Part 3 – The Wireless Hack

Wireless networks and endpoints offer convenience and connectivity. Unless properly secured, they also offer an attacker a way into the network. This article describes the vulnerabilities and strategies for mitigating them.

In the wake of undiscovered data breaches and their subsequent public exposure, hackers have begun to turn their eye towards breaching wireless networks and taking advantage of their many inherent weaknesses. Furthermore, we are seeing a trend towards stealing cardholder information from retailers such as TJ Maxx and Hannaford Brothers as a quick way to turn a profit.

Wireless networks are a common way of giving employees access anywhere, anytime throughout the corporate campus. However, wireless networks come with several often-ignored dangers:

• Exploitation of WEP and WPA protocols.

• Impersonation and interception of wireless traffic.

• Access points being deployed with little or no security enabled.

Any of these vulnerabilities can eventually lead to the exposure of private information if it is not properly secured and accounted for when implementing a data security policy. An exposure through one of these weaknesses in a wireless environment can also amount to a violation of PCI, HIPAA or SOX. Regulations such as SOX, HIPAA and PCI were ultimately designed to protect specific classes of information whose exposure can have serious ramifications: fines, potential jail time and a host of other unwanted aftereffects.

The Target: Wireless Point-of-Sales (POS)

For example, the protection of cardholder information as covered under PCI-DSS includes a number of guidelines to aid in the development of a policy that (a) protects cardholder information stored on servers and (b) protects cardholder information in transit, in the transactions that flow from front-end point-of-sale terminals to back-end merchant processing servers (the machines that handle and authorize transactions when a credit card is swiped at a store location).

Because the target is often cardholder information, which has a higher raw value on the black market than other information such as a social security number, hackers are developing strategies that involve breaching wireless networks, mainly because a wireless network is much easier to penetrate than cracking the corporate firewall and obtaining access via the external gateway.

This is a stepping stone to harvesting data not only at rest but in motion as well. The methodology goes hand in hand with the “low hanging fruit” theory and is part of an overall emerging trend towards gaining access to cardholder information.

Cracking the Wireless Network

Wireless hacks accounted for around 9% of the security incidents documented in a recent report published by the Verizon Business Risk team. This is likely due to incorrectly configured access points or the use of weak authentication; WPA-PSK can in some cases be vulnerable to offline dictionary attacks if the attacker has enough time to work on the captured traffic. WEP, on the other hand, can be cracked in less than 10 minutes using commercially available tools.

For a wireless hack to succeed without a large investment of time and resources, the access point either has to have a vulnerable encryption protocol enabled, such as WEP or WPA-PSK, or has to have no security enabled at all, which has been seen in the field numerous times.
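One way to catch the conditions described above before an attacker does is to audit a wireless site survey against an authorized access point inventory, flagging open or WEP access points, access points whose security mode has drifted from the inventory, and unknown access points advertising a corporate SSID. The following is an added example, not code from the original post; the survey records, inventory and field names are constructed assumptions.

```python
"""Audit a wireless site survey against an authorized-AP inventory (added example)."""
from dataclasses import dataclass

# Severity of each security mode as discussed in the post: open and WEP are
# unacceptable; PSK modes need review because passphrase strength is not
# visible in a scan; 802.1X/EAP is the preferred mode.
RISK = {"OPEN": "critical", "WEP": "critical", "WPA-PSK": "review",
        "WPA2-PSK": "review", "WPA2-EAP": "ok"}

@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    security: str  # one of the RISK keys
    channel: int

# Constructed survey of what a scanner saw at a field office (sample data).
SURVEY = [
    AccessPoint("00:11:22:33:44:01", "STORE-POS", "WPA2-EAP", 6),
    AccessPoint("00:11:22:33:44:02", "STORE-GUEST", "OPEN", 11),
    AccessPoint("00:11:22:33:44:03", "STORE-POS", "WEP", 1),       # legacy AP never upgraded
    AccessPoint("de:ad:be:ef:00:01", "STORE-POS", "WPA2-PSK", 6),  # not in inventory
]

# Constructed authorized inventory: BSSID -> (expected SSID, expected security mode).
INVENTORY = {
    "00:11:22:33:44:01": ("STORE-POS", "WPA2-EAP"),
    "00:11:22:33:44:02": ("STORE-GUEST", "OPEN"),
    "00:11:22:33:44:03": ("STORE-POS", "WPA2-EAP"),  # inventory says upgraded; scan disagrees
}

def audit(survey, inventory):
    """Return (bssid, finding, severity) tuples for every AP that needs action."""
    known_ssids = {ssid for ssid, _ in inventory.values()}
    findings = []
    for ap in survey:
        if ap.bssid not in inventory:
            # An unknown BSSID advertising a corporate SSID is the rogue/evil-twin pattern.
            severity = "critical" if ap.ssid in known_ssids else "review"
            findings.append((ap.bssid, "unauthorized-ap", severity))
            continue
        _, expected = inventory[ap.bssid]
        if ap.security != expected:  # configuration drift from the approved baseline
            findings.append((ap.bssid, f"config-drift:{expected}->{ap.security}", "critical"))
        severity = RISK.get(ap.security, "critical")  # unknown modes are treated as critical
        if severity != "ok":
            findings.append((ap.bssid, f"encryption:{ap.security}", severity))
    return findings

if __name__ == "__main__":
    for bssid, finding, severity in audit(SURVEY, INVENTORY):
        print(f"{severity:8} {bssid}  {finding}")
```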

As data security issues become the number one problem, hackers will continue to innovate and find additional ways of accessing the information they want. Penetrating a wireless network and planting targeted malware only recently emerged on the scene and is expected to increase, especially since cardholder information is one of the primary targets of interest when it comes to data of value.

Thus, one popular method in use today is the development of targeted malware to intercept transmissions and extract credit card information and other sensitive data directly from these streams.

However, it all starts with penetrating the wireless network and obtaining access to its resources. As we have seen, the weaker link in the chain is often targeted first (stores or regional offices in the field). In some recent breaches malware was physically installed on key servers, and the avenue of attack was a wireless network at a field office.

One theory on how this malware would work is that it uses filters to detect packets carrying specific information (credit card numbers, social security numbers, authorization codes and PINs, all of which are of value). Another theory is that it captures the details in real time through Trojans that interact directly with the application on the POS terminal, capturing the customer’s information as it leaves the POS for the payment authorization gateway.

Once the malware has captured the necessary data it can open a channel to a command and control server and upload the stolen information. The C&C server is often found to be connected to thousands of compromised PCs as well, and it subsequently distributes the stolen data to be stored on consumers’ PCs. The chilling part is that any consumer’s PC can instantly become a drop box for stolen corporate information once it has been compromised by hackers.

As mentioned before, hackers will target wireless networks located at smaller regional offices, as they did with Hannaford and TJ Maxx. This is done on the assumption that security is weaker there than at corporate HQ, and it is part and parcel of such offices being “low hanging fruit”. This is probably true given the limited technical resources and the diversity of smaller locations.

Discovery and Prevention

Determining whether you have been breached is somewhat difficult, as the intruders have likely covered their initial entry by hiding any physical traces (deleting or hiding audit logs, etc.). Therefore, your best approach is to adopt a strategy for detecting and mitigating the effects of a breach, such as:

• Database monitoring: Technologies exist to monitor SQL and Oracle databases for suspicious activity (access from unauthorized users, insertion of scripts, execution of SQL statements, etc.). Monitoring is only part of the equation in detecting a breach in progress, but if hackers subsequently decide to access cardholder information stored in your databases in addition to extracting the data in real time, database monitoring will increase the odds of discovering the unauthorized access.

• Network intrusion detection: Intrusion detection technologies, in addition to other methods, can be used to detect anomalous traffic and behavior that might be associated with an attack.

• Hardening critical assets: You can minimize your exposure and risk by hardening critical assets (in this case the POS terminal); in other words, by removing non-essential functionality such as services, applications and ports that not only add to the complexity but introduce additional risk.

4 Responses to Anatomy of a Data Breach Part 3 – The Wireless Hack

  1. AlexM says:

    I found your site on technorati and read a few of your other posts. Keep up the good work. I just added your RSS feed to my Google News Reader. Looking forward to reading more from you down the road!

  2. Alex says:

    Your blog is interesting!

    Keep up the good work!

  3. Scott says:

    What you fail to mention about WPA is that it has NEVER been cracked when a long/strong passphrase is implemented.

    Other than that, nice analysis!

  4. That’s right, Scott. However, not everyone uses a strong passphrase these days, and the horror is that some don’t even encrypt the wireless environment.
