Anatomy of a Data Breach Part 3 – The Wireless Hack

July 17, 2008

Wireless networks and endpoints offer convenience and connectivity. Unless properly secured, they also offer a means of egress into the network. This article will describe the vulnerabilities and strategies for mitigation.

In the wake of undiscovered data breaches and subsequent public exposure, hackers have begun to turn their eye towards breaching wireless networks and taking advantage of the many weaknesses incumbent. Furthermore, we are seeing a trend towards stealing cardholder information from retailers such as TJ Max and Hannaford Brothers as a quick way to gain profit.

The use of mobile networks is not an uncommon way of providing access for employees anywhere anytime throughout the corporate campus. However wireless networks come with several often ignored dangers:

• Exploitation of WEP and WPA protocols.

• Impersonation and interception of wireless traffic.

• Access points being deployed with little or no security enabled.

All of these vulnerabilities can eventually lead to the exposure of private information if not properly secured and accounted for when implementing a data security policy. The weaknesses of a wireless environment can often lead to violations of PCI, HIPAA & SOX if an exposure were to occur through one of those vulnerabilities. Regulations such as SOX, HIPAA and PCI were ultimately designed to protect specific classes of information that if exposed can cause serious ramifications such as: fines, potential jail time and a host of other unwanted aftereffects.

The Target: Wireless Point-of-Sales (POS)

For example the protection of cardholder information as covered under PCI-DSS includes a number of guidelines to aide in the development of policy that (a) protects cardholder information stored on servers and (b) protects cardholder information that may be in transit via transactions that occur between front-end point-of-sales terminals, to backend merchant processing servers (the machines that handle and authorize transactions when a credit card is swiped at a store location).


Because the target is often cardholder information – meaning it has a higher raw value on the black-market then other information like a social security number, hackers are developing strategies that involve breaching wireless networks – mainly because it is much easier to penetrate then cracking the corporate firewall and obtaining access via the external gateway.

This is a stepping ground to harvesting data at rest, but in motion as well. The methodology behind this goes in tangent with the “low hanging fruit” theory and part of an overall emerging trend towards gaining access to cardholder information.

Cracking the Wireless Network

Wireless hacks attributed to around 9% of the security incidents documented in a recent report published by the Verizon Business Risk team. This is likely due to incorrectly configured access points or the use of weak authentication ; WPA-PSK in some cases can be vulnerable to offline dictionary attacks if given enough time to decode the captured traffic. WEP on the other hand can be cracked in less than 10 minutes using commercially available tools on the market.

For wireless hacks to be successful without investing a large amount of time and resources the access point either has to have a vulnerable encryption protocol enabled such as WEP or WPA-PSK or not have security enabled at all – which has been seen in the field numerous times.

As data security issues become the number one problem, hackers will continue to innovate and find additional ways of accessing the information they want. Penetrating a wireless network and planting targeted malware only recently emerged on the scene and is expected to increase; especially being that cardholder information is one of the primary targets of interest when it comes to data of value.

Thus, one popular method being used today is the development of targeted malware to intercept transmissions and to extract credit card information and other sensitive data directly from these streams .

However; it all starts with penetrating the wireless network and obtaining the ability to access its resources – as we have seen the weaker link in the chain is often targeted first (stores or regional offices in the field). Some recent breaches have led to malware being physically installed on key servers and the avenue for attack was through a wireless network at a field office.

Theories on how this malware would work would be using filters to detect certain packets with specific information (e.g. credit numbers, social security numbers, authorization codes and pin numbers all of which are of value). Another theory is capturing the details in real-time by installing Trojans that directly interact with the application on the POS terminal, thus, capturing the customer’s information in real-time as it exits the POS to the payment authorization gateway.


Once the malware has captured the necessary data it can open a channel with a command and control server and upload the stolen information – it is often found that the C&C server will also be connected to thousands of compromised PCs; subsequently distributing the stolen data to be stored on a consumer’s PC. The chilling part is any consumer’s PC can instantly become a drop-box for stolen corporate information once it has been compromised by hackers.

As mentioned before hackers will target wireless networks located at smaller regional offices as they did with Hannaford and TJX Max This is done under the assumption that security is weaker then at corporate HQ and fits part in parcel with them being “low hanging fruit”. This is probably true given the technical resources available and the diversity that smaller locations have.

Discovery and Prevention

Determining if you have been breached is somewhat difficult as the intruders have likely covered their initial entry by hiding any physical traces (deleting or hiding audit logs, etc). Therefore, your best approach is to adopt a strategy for detecting and mitigating the effects of a breach such as:

• Database monitoring: Technologies exist to monitor SQL and Oracle databases for suspicious activity (access from unauthorized users, insertion of scripts, execution of SQL statements, etc). Monitoring is only part of the equation to detecting an actual breach in progress. If hackers subsequently decide to access cardholder information stored in your databases in addition to extracting the data in real-time; database monitoring will increase the odds of discovering unauthorized access.

• Network Intrusion Detection: Intrusion detection technologies in addition to other methods can be used to detect anomalous traffic and behavior that might be associated with an attack.

• Hardening critical assets: You can minimize your exposure & risk by hardening critical assets (in this case the POS terminal); in other words you are removing non essential functionality such as services, applications and ports that not only adds to the complexity, but introduces additional risk.


Massive iframe hack: The conclusions

April 28, 2008

Perception vs. Reality


It may seem that things are getting better and cyber-crime may be diminishing, but the evolution of hacking for profit will remain constant through the remainder of this year.


Data breaches are becoming a commonplace and corporate CIOs are focusing their attention towards protection of critical assets, especially external facing applications that are subject to a number of specialized attacks.


We have seen the explosion of high-profile hacks targeting external facing web applications and exploiting vulnerabilities to allow hackers to gain access to private and sensitive information.


These attacks are getting better and more sophisticated by the day. Some of these attacks are using complex SQL injection techniques to manipulate web-sites ranging from a simple insert of a malicious iframe tag to a complete compromise of a web server.

It’s interesting to see the number of web sites that are vulnerable to attacks and that such target sites can easily be found by searching for specific strings within Google (”.asp” inurl:”a=”) that will reveal if they are potentially exploitable. That’s exactly how the hackers automated a massive web hacking campaign that affected over a half million web-sites including the Department of Homeland Security and the United Nations web-sites.

A crafted SQL statement was used to compromise the web site and insert a malicious java script that untimely attempted to exploit several already known vulnerabilities within Microsoft Windows and install malware on visitors PCs. In other words the hackers found a way to generically infect hundreds of thousands of web-sites automatically using a similar statement.


According to the Identity Theft Resource Center (IRTC) the number of data breaches for 2008 has nearly exceeded the combined total of 2007; which obviously raises the question on why internal controls are failing to ensure the safety of critical assets in the time of a breach.


So why are internal controls failing? Thoughts?

Think Your Protected? Think Again. Study Reveals Hidden Cyber-Crime Breaches

March 28, 2008

Over a five month period, Panda Security conducted several audits with a large state agency in the United States to assess the level of risk pertaining to hidden and undetected infection points. Due to the confidential nature of this customer, we cannot disclose the agency name. The information learned from this case is a great demonstration of how even the “well-protected” networks require more effective tools to fend off the latest generation of malware.

This agency by nature is obligated to enforce rigorous security policies to protect against unauthorized activity, especially when they are responsible for securing a large network of sensitive information. Some of the restrictions the agency enforces on its users include:

 – Users have limited rights to the network

 – Users can’t modify anything within the system directory

 – Users must access the Internet through a secured proxy.

In such a secure environment, it should be extremely difficult for malware to cause any harm to the network. Unfortunately, even with these strict access rules, Panda Security found various dangerous intrusions in the agency’s network caused by malware.  

The following case study covers an audit spanning more then 4,500 PCs with active, up-to-date anti-malware software from a leading vendor. These PCs were analyzed against a set criteria consisting of hidden active or latent malware along with their associated vulnerabilities.

For more information please see the attached study:  Case Study