Point-of-Sales Vulnerabilities

July 24, 2008

The Target: the wireless point-of-sale (POS)

The wireless POS system consists of one or more networked wireless POS end-points located at check-out stands and the internal on-site transaction server which connects the system to the payment authorization source. The transaction server also interfaces with the inventory control system.

• Transaction initiated at wireless POS checkout stand

• Transaction information sent to wireless access point, to transaction server, to authorization source

• Transaction authorization returns to POS checkout to complete transaction

Note there are vulnerabilities at each point.


From an architectural perspective a POS end-point runs an operating system, either a version of Windows or Linux that is designed to limit functionality – meaning not all OS functions are available to the logged-in user. These devices are physically divided into two different components:

• Card Reader – system that reads the card as it is swiped.

• Transaction Unit – system that sends the card information to an authorization source.

The information read at the POS is sent to an authorization source (e.g., Amex) through the transaction unit. In addition, the transaction information of the purchase (payment, item, quantity, etc.) is sent over the network to a branch server for inventory control and auditing purposes.

Normally the information sent between the retailer and the authorization source will use strong encryption to protect the information; however, network security between the POS and the internal branch servers may or may not be encrypted and really depends on the configuration.

Assuming that the retailer does encrypt the information sent between the POS and the branch server, the real vulnerabilities then exist at the POS end-point, the wireless access point, and the branch server itself.

• Because a POS terminal reads the card information, performs the transaction and receives the authorization code, that information may be stored for short periods in flash, static RAM or on the hard drive (e.g., a few hours until the register is closed). Malware installed directly on the POS could therefore intercept the transaction data as it is sent to the authorization source or to the internal branch server for storage.

• Branch servers are normally used to collect information from multiple POS terminals, so they usually run a database of some form. An attacker wishing to obtain this information would have to compromise the server first and then, most likely, exploit weaknesses in the database's encryption.

Because cardholder information is so often the target, attackers are developing strategies built around breaching wireless networks. A POS can only be reached through direct physical access or over the network, and a wireless network is easier to penetrate than cracking the corporate firewall and entering through the external gateway.

Penetrating a wireless network and planting targeted malware has only recently emerged on the scene and is expected to increase, especially since cardholder information is one of the primary targets when it comes to data of value.

Once the intruder has accessed the wireless network the next challenge would be to compromise the POS or the Branch server. There are a number of ways and vectors in which this can be accomplished in a relatively short period of time:

• Privilege escalation: elevating user privileges is a method attackers use to gain access to other parts of the system that require a higher level of authorization. Vulnerabilities that allow this condition to occur are the culprit behind most escalation attacks.

• Hacking specific Windows services (IIS, SQL, Apache, etc.): gaining access via services by exploiting specific vulnerabilities that allow remote arbitrary code execution.

• Buffer overflow attacks: overflowing an application's buffer creates a condition that in some cases allows arbitrary code to execute and bind a remote shell. When the systems are at all vulnerable and the technique is executed correctly, these methods often work.

One popular method in use today is the development of targeted malware to extract credit card information and other sensitive data directly from the wireless POS, the AP, or the branch server.

Some recent breaches have involved malware physically installed on key servers, where the avenue of attack was a wireless network at a field office.

One theory of how this malware works is that Trojans interacting directly with the application on the POS terminal capture the customer's information in real time as it is sent to the authorization source or the branch server.

Once the malware has captured the necessary data it can open a channel to a command and control (C&C) server and upload the stolen information. The C&C server is often also connected to thousands of compromised PCs, and subsequently distributes the stolen data to be stored on consumers' PCs. The chilling part is that any consumer's PC, once compromised by hackers, can instantly become a drop-box for stolen corporate information.
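The expected data path described at the start of this post (POS terminal to transaction server, transaction server to authorization source) is narrow enough to allow-list, which makes the C&C upload described above stand out as unexpected egress. The following is an added example written for this page, not code from the original post or from any vendor; the subnet, server addresses and flow records are constructed, with documentation-range addresses standing in for the authorization gateway and the external drop host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network layout (assumptions, not values from the post).
POS_SUBNET = ip_network("10.20.30.0/24")        # wireless POS end-points at the check-out stands
TRANSACTION_SERVER = ip_address("10.20.1.10")   # internal on-site transaction / branch server
AUTH_GATEWAY = ip_address("203.0.113.10")       # documentation-range stand-in for the authorization source
INTERNAL_NETS = [ip_network("10.0.0.0/8")]      # everything outside these is reported as external

# Expected path: POS -> transaction server; transaction server -> authorization source.
ALLOWED_DESTINATIONS = {
    "pos": {(TRANSACTION_SERVER, 443)},
    "transaction_server": {(AUTH_GATEWAY, 443)},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def role_of(src: str):
    """Classify the source address; None means the host is not part of the POS system."""
    ip = ip_address(src)
    if ip in POS_SUBNET:
        return "pos"
    if ip == TRANSACTION_SERVER:
        return "transaction_server"
    return None


def check_flow(flow: Flow):
    """Return None when the flow follows the expected path, otherwise a reason to alert."""
    role = role_of(flow.src)
    if role is None:
        return None  # not a POS asset; out of scope for this check
    dst = ip_address(flow.dst)
    if (dst, flow.dport) in ALLOWED_DESTINATIONS[role]:
        return None
    where = "internal" if any(dst in net for net in INTERNAL_NETS) else "external"
    return (f"{role} {flow.src} sent {flow.bytes_out} bytes to unexpected "
            f"{where} host {flow.dst}:{flow.dport}")


def audit(flows):
    """Collect alert reasons for every flow that leaves the allow-listed path."""
    return [reason for reason in map(check_flow, flows) if reason]


# Constructed flow records: two legitimate, two that a compromised POS would produce, one out of scope.
SAMPLE_FLOWS = [
    Flow("10.20.30.5", "10.20.1.10", 443, 1_200),       # POS -> transaction server: expected
    Flow("10.20.1.10", "203.0.113.10", 443, 2_048),     # transaction server -> authorization source: expected
    Flow("10.20.30.7", "198.51.100.7", 8080, 650_000),  # POS -> outside host: looks like a C&C upload
    Flow("10.20.30.7", "10.20.1.10", 3389, 4_096),      # POS -> server on an unexpected port
    Flow("10.50.1.1", "198.51.100.7", 80, 900),         # office PC; not a POS asset, ignored here
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

The check is deliberately positive (what each role is allowed to talk to) rather than negative (known-bad addresses), so a previously unseen drop host is caught as readily as a known one; it depends on the transaction server and POS subnet being fixed, which is true of the architecture described in the post.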

Hiding the evidence

After compromising the POS, the attacker's next step would be to hide the obvious signs that the system has been tampered with; installing a root-kit is one way to hide any traces associated with the attack. Full kernel-mode persistent root-kits are the hardest form to detect.

In this way the attacker eliminates detection by security scanners, anti-virus applications or any other security tool focused on finding vulnerabilities, and the breach can remain hidden for as long as possible before anyone even considers the possibility that a POS has been breached.


Server-Side Polymorphism or Crime-ware as a Service (CaaS)

April 16, 2008

As the threat landscape evolves, hackers constantly change techniques to counteract the detection technologies that vendors develop. I remember a few years ago when polymorphism and metamorphism were used to constantly generate new variants of worms.


Essentially the virus morphed itself into different variations and successfully evaded signature-based technologies. Eventually the anti-virus industry responded by creating emulation technologies to counteract this new breed of virus.


Subsequently, proactive technologies (behavioral, heuristics, etc.) were developed when worms began to self-replicate across networks and exploit 0-day vulnerabilities faster than a signature could be created. However, in today's world malware is run by organized crime and has simply adapted to the technologies that vendors have developed over the years.


We are already familiar with the shift from fame to profit; hackers will do anything to make a buck these days, developing new and innovative ways to slip below the radar. Some of these methods are very innovative indeed, and their authors are certainly thinking outside the box when it comes to crime.


As we begin to map out the evolution there are several common themes when it comes to stealth and camouflage techniques:


  • Custom run-time packers
  • Server-Side polymorphism
  • Virtual machine / sandbox detection

According to PandaLabs, approximately 90% of all malware uses some form of packer, and the trend indicates that packers are becoming more customized by the day, making the analyst's job harder.


Furthermore, we have the emergence of server-side polymorphism, or as the industry describes it “Crime-Ware as a Service (CaaS)”, in which the polymorphic engine does not reside within the virus code itself but remotely on a server.


This methodology has proven quite effective and difficult to counteract with the traditional anti-malware model. The reason server-side polymorphism is so hard to detect is that the transformation function (the routines used to change the signature of the code) is not visible to the virus analyst; therefore the actual algorithms and techniques involved cannot be studied to the degree necessary to create an effective vaccination.


Server-side polymorphism will open the door to all sorts of problems from the increase in targeted attacks to undisclosed data breaches if corporations do not take a holistic approach to end-point security.


Your best bet for stopping server-side polymorphism is the use of host-based intrusion prevention technologies, or HIPS as we call it. So what do we define as HIPS? According to Gartner analyst Neil MacDonald, HIPS comprises several different technologies, from attack-facing network inspection to behavioral containment.

The Hannaford hack: what we can learn from it

April 5, 2008

Most people have by now heard of the recent high-profile data security breach at retail chain Hannaford Bros. According to an article published by SC Magazine (http://www.scmagazineus.com/Hannaford-tells-regulators-how-breach-happened/article/108569/), hackers placed hidden malware on nearly 300 servers to intercept transactions.


This malware was designed to locate and harvest credit card information from consumers who shopped at the stores; the hackers ultimately collected 4.2 million credit card numbers over a period of 3 months.


What a knock-out that was!


The question we have to ask is why their anti-virus / anti-malware solution did not detect the malware for 3 months. That's a great question; most people today live under the assumption that they are well protected from the dangers of the Internet just because their AV solution says it is up to date and they have enabled their firewalls.


It's unfortunate that the traditional signature-based anti-malware model is crumbling under the sheer force of numbers (the rapid pace of new malware created daily). The industry therefore has to take a holistic approach to solving this problem, using many different layers including proactive technologies.


Ideally, if a proactive approach had been taken to continuously monitor critical assets, the situation could potentially have been avoided altogether. In closing, this is a very real example of how even an environment thought to be secure can be breached by hackers with the drive and spirit to commit financial fraud. Let the lesson be learned.

Think You're Protected? Think Again. Study Reveals Hidden Cyber-Crime Breaches

March 28, 2008

Over a five month period, Panda Security conducted several audits with a large state agency in the United States to assess the level of risk pertaining to hidden and undetected infection points. Due to the confidential nature of this customer, we cannot disclose the agency name. The information learned from this case is a great demonstration of how even the “well-protected” networks require more effective tools to fend off the latest generation of malware.

This agency by nature is obligated to enforce rigorous security policies to protect against unauthorized activity, especially when they are responsible for securing a large network of sensitive information. Some of the restrictions the agency enforces on its users include:

 – Users have limited rights to the network

 – Users can’t modify anything within the system directory

 – Users must access the Internet through a secured proxy.

In such a secure environment, it should be extremely difficult for malware to cause any harm to the network. Unfortunately, even with these strict access rules, Panda Security found various dangerous intrusions in the agency’s network caused by malware.  

The following case study covers an audit spanning more than 4,500 PCs with active, up-to-date anti-malware software from a leading vendor. These PCs were analyzed against a set of criteria covering hidden active or latent malware along with their associated vulnerabilities.

For more information please see the attached study: Case Study

Click-Fraud: The lesser known evil

March 25, 2008

I came across this interesting article about a Trojan; not just any Trojan, but one that automates PPC click-fraud and is currently targeting Google and Yahoo (http://www.securitypronews.com/news/securitynews/spn-45-20080312ClickFraudTrojanTargetsGoogleYahoo.html).

What's interesting about click-fraud is how little attention it receives in the media compared to identity theft and the other horrors of the Internet. In fact you are more likely to see news on the latest and greatest zombie bot-net than on click-fraud.

However, many companies who have paid good money for Pay-Per-Click (PPC) advertising are falling victim to false impressions due to the rising click-fraud movement in America.

According to Click Forensics the annual click-fraud rate has grown by 28.3%; that's nearly a quarter of all on-line advertising (http://www.clickforensics.com/Pages/ClickFraudIndex.aspx).

Worst of all, bot-nets are being used to automate PPC clicks so that the activity looks authentic.

So this leaves us with one question: is your PC part of a click-net?

Behavioral Blocking: An effective means of stopping 0-day

March 25, 2008

Behavioral blocking (a.k.a kernel rules / system rules) can provide the first layer of defense against emerging threats exploiting 0-day vulnerabilities. Exploits commonly take advantage of mistakes made by programmers and thus good applications can turn bad in an instant.

Malformed documents have accounted for a good number of these attacks (PDF, MDB, DOC, etc) recently. Take for example the new vulnerability discovered in Microsoft Access reported by Ismael Briones from PandaLabs (http://pandalabs.pandasecurity.com/archive/New-MS-Access-exploit.aspx).

All in all, a bit of clever social engineering can result in successful exploitation and thus in confidential information being stolen from a user's system.

An effective use of behavioral blocking can mitigate the risks of a 0-day threat. This works by monitoring the behavior of applications and applying such rules as: “Adobe Acrobat shouldn’t spawn a command shell“, or “Internet Explorer should not inject threads into other processes.”

This way one can proactively block new exploits (including the one for MS Access) without the need to analyze the threat and produce detection for it. However, it is still crucial that other protection layers exist (behavioral analysis, system hardening, IPS firewall, etc.), as behavioral blocking alone is not 100%.
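The two rules quoted above, plus one for the MS Access case, can be written down as a small behavior-blocking policy and evaluated against process events. This is an added example written for this page, not code from the original post or from any vendor product; the event format and image names are constructed, and a real HIPS would receive these events from a kernel driver rather than from a list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # "process_create" (actor spawns target) or "remote_thread" (actor injects into target)
    actor: str   # image name of the process performing the action
    target: str  # child image or injection target


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str
    actors: frozenset   # image names the rule applies to (lower-case)
    targets: frozenset  # forbidden targets (lower-case); empty means "any target"

    def matches(self, ev: Event) -> bool:
        if ev.kind != self.kind or ev.actor.lower() not in self.actors:
            return False
        return not self.targets or ev.target.lower() in self.targets


SHELLS = frozenset({"cmd.exe", "powershell.exe"})

# Constructed policy modelled on the rules quoted in the post.
RULES = [
    Rule("Adobe Acrobat must not spawn a command shell", "process_create",
         frozenset({"acrord32.exe", "acrobat.exe"}), SHELLS),
    Rule("MS Access must not spawn a command shell", "process_create",
         frozenset({"msaccess.exe"}), SHELLS),
    Rule("Internet Explorer must not inject threads into other processes", "remote_thread",
         frozenset({"iexplore.exe"}), frozenset()),
]


def evaluate(events, rules=RULES):
    """Return (verdict, event, rule_name) for each event; the first matching rule wins."""
    verdicts = []
    for ev in events:
        hit = next((r for r in rules if r.matches(ev)), None)
        verdicts.append(("BLOCK", ev, hit.name) if hit else ("ALLOW", ev, None))
    return verdicts


def blocked(events, rules=RULES):
    """Only the events the policy would have stopped, with the rule that fired."""
    return [(ev, name) for verdict, ev, name in evaluate(events, rules) if verdict == "BLOCK"]


# Constructed event stream; the last event shows why behavioral blocking alone is not 100%.
SAMPLE_EVENTS = [
    Event("process_create", "explorer.exe", "AcroRd32.exe"),  # user opens a PDF: benign, no rule fires
    Event("process_create", "AcroRd32.exe", "cmd.exe"),       # malformed PDF payload shells out: blocked
    Event("process_create", "msaccess.exe", "cmd.exe"),       # malformed MDB payload shells out: blocked
    Event("remote_thread", "iexplore.exe", "winlogon.exe"),   # browser injecting into another process: blocked
    Event("process_create", "wscript.exe", "cmd.exe"),        # no rule covers this actor: allowed
]

if __name__ == "__main__":
    for verdict, ev, name in evaluate(SAMPLE_EVENTS):
        suffix = f" : {name}" if name else ""
        print(f"{verdict:5} {ev.actor} -> {ev.target} ({ev.kind}){suffix}")
```

Nothing in the policy knows what the PDF or MDB exploit looks like; it only knows which behaviours a document viewer has no business exhibiting, which is what lets it stop a 0-day before a signature exists. The allowed final event is the gap the post warns about: an actor no rule names gets through, so the other layers listed above still have to be present.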

Regulatory Compliance & the Real Risk of Undetected Malware

March 20, 2008

With the emergence of regulatory laws born out of experience from a variety of embarrassing security breaches, today's corporate leaders face a myriad of repercussions. These range from serious fines to jail time when found not in compliance with regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), and the Payment Card Industry (PCI) standard.

These regulations are designed to protect the privacy of individuals and to ensure the proper internal controls are in place to maintain confidentiality and integrity of sensitive information.

For example, Section 404 of the Sarbanes-Oxley Act mandates that any publicly traded corporation must maintain adequate internal controls, ranging from proper financial reporting to the protection of critical assets. This includes designing controls around the premise of protecting consumer data from an information security perspective.

Normally, these controls are defined and established through a risk analysis that identifies potential threats and weaknesses. The development of a policy framework based on this audit ultimately drives the definition of what would be considered “adequate” controls.

However, in 2007 the industry suffered a record-breaking loss of information stemming from data security breaches ranging from stolen laptops to hijacked advertising as seen in the Monster.com attack. It’s estimated that over 79 million records were exposed last year alone. 

Despite established security policy, these breaches led to public dismay and a loss of consumer confidence. Take for example the TJ Maxx incident that led to an exposure of 45 million credit card numbers and eventually cost the retailer over 200 million dollars in hard costs incurred and stock value reduction.

These incidents raise several interesting questions. Were these security breaches a result of undetected malware, perhaps a targeted attack orchestrated by a foreign hacker group? Why did the internal controls, established according to company policy, fail to protect assets from being compromised? And what are the real risks and implications of undetected malware as it pertains to regulatory compliance?

These are all good questions, especially concerning the changing crimeware landscape and its evolution from curiosity to financial gain. Not surprisingly, this trend has a considerable part to do with the dramatic increase in information exposure in 2007.

For example, a majority of identity theft and financial fraud incidents in 2007 were related to Banker Trojans that infected individual consumers, stealing credentials and other personal information that could be used for profit.

Furthermore, if we put this into perspective, we are more at risk than we were a few years ago when the primary concern was the prevention of network worms that caused data destruction.

In that day and age, controls were designed around the need to ensure the integrity and availability of information assets. CIOs and IT Managers designed and implemented systems that had the primary goal of ensuring that their users had access to information. At that time security was a secondary concern in this scenario, because the threats were different and much less sophisticated.

Today we face a new breed of threats with different motives: financial gain through targeted attacks. In fact targeted attacks in 2007 showed a marked increase over previous years with respect to online fraud.

The mentality of CIOs and IT Managers has shifted to a security focused mind-set, especially with the advent of recent high-profile security breaches. What’s alarming is the rate at which malware is developed and released to infect victims on a daily basis. For example, PandaLabs and other major AV labs see over 4000 new strains per day.

The alarm stems mainly from the inability of security vendors to respond to this ever-increasing rate of new malware strains. We are witnessing a literal denial of service against vendor resources.

The rapid pace at which cyber criminals seed the industry with new threats is causing technical safeguards to fail, putting the corporation at risk of violating regulatory standards, which will ultimately lead to serious consequences if sensitive information is leaked.

For example, in a health care organization one undetected Trojan could make a case for a serious risk of violation of HIPAA §164.308(a)(4), which pertains to protecting health information: “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4) [Information Access Management]”

A False Sense of Security – Audit and Assessment Standards

When doing a security audit to ensure that adequate controls are in place from an information security perspective, the auditor is normally looking at whether the corporation is in adherence to a defined policy. Furthermore, a security audit encompasses some of the following questions:

– Are passwords difficult to break?
– Are computers up-to-date with the latest security patches?
– Do any vulnerabilities exist in the operating system or applications installed?
– Are there Access Control Lists (ACLs) implemented on shared resources to control access to them?
– Have unnecessary services or applications been removed from computers that could potentially expose the resource?
– Are computers regularly scanned for malware?

The missing element in a security audit, however, is assessing for sophisticated active threats (e.g. kernel-mode root-kits, stealth Trojans, key-loggers, etc.). The current assessment tools and verification methodologies used to validate controls rely mostly on identifying weaknesses or potential risk to assets; for example, a vulnerability scan or ultimately a penetration test will tell the auditor about potential avenues for attack. But the number one question to ask is: are assets already compromised with undetected malware?

There are a wide range of technical safeguards that can be implemented to significantly reduce potential exposure and the organization’s overall risk; however hackers have devised ways to circumvent these. For example the most common infection vector is via the web through malware laced web-sites that have been compromised and altered in some way, shape or form.

Therefore, a majority of malware (if not detected via signatures or proactively by other technologies) will simply evade perimeter defenses (firewalls, network intrusion prevention, etc.) and make its way to the end-point, especially if it is “targeted” in nature, and with a limited number of hosts designated to be infected.

There are certainly other ways to reduce risk. For example, corporations can implement a policy that limits the administrative access a user has to his or her own PC and other resources on the network. While this reduces the overall risk of unauthorized access, it is not the final solution as hackers tend to abuse system privileges (going around established ACLs) by exploiting applications and other flaws in the operating system.

Proactive defenses such as Host-Based Intrusion Prevention (HIPS) can substantially raise the bar in terms of detection, to anywhere between 80 and 90 percent. With malware 1.0 this model was acceptable, but with the rate and volume of new threats emerging daily, hundreds or even thousands of threats can be missed over time.

Public companies that must adhere to regulatory laws must also adopt better internal controls to ensure that hidden infection points are discovered and removed before any exposure occurs. Better yet, modern assessments must take into consideration the possibility that assets are already compromised by hidden and undetected malware.


Regulatory compliance is an interesting but challenging topic by which every public corporation, no matter what size or shape, is ultimately affected. Organizations must evolve their security best practices to include better assessment methodologies that take into consideration crimeware innovations and available technologies that not only assess weaknesses, but locate active, unnoticed infection points.