That Point of Sale is a PoS

Similar documents
Alert (TA14-212A) Backoff Point-of-Sale Malware

Credit Card Security

How To Protect Your Data From Being Stolen

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Data Security for the Hospitality

Did you know your security solution can help with PCI compliance too?

Thick Client Application Security

Windows Operating Systems. Basic Security

Backoff: New Point of Sale Malware. 31 July National Cybersecurity and Communications Integration Center

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Managing Remote Access

The Key to Secure Online Financial Transactions

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

Secure Payment Transactions and Consumer Information from Point-of-Sale to the Server

Bomgar Corporation. Bomgar Application Security Assessment Summary January 26, This document is the property of Bomgar Corporation.

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

What s New in PCI DSS Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

Introduction. PCI DSS Overview

Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Global Partner Management Notice

Discovering passwords in the memory

Catapult PCI Compliance

Central Agency for Information Technology

MITIGATING LARGE MERCHANT DATA BREACHES

Setting Up Scan to SMB on TaskALFA series MFP s.

Locking down a Hitachi ID Suite server

GFI White Paper PCI-DSS compliance and GFI Software products

SANS Top 20 Critical Controls for Effective Cyber Defense

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support

The Evolution of Data Breaches

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Xerox Mobile Print Cloud

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Achieving PCI Compliance Using F5 Products

Passing PCI Compliance How to Address the Application Security Mandates

PCI Data Security Standards

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Securing Remote Vendor Access with Privileged Account Security

Guidance End User Devices Security Guidance: Apple OS X 10.9

Are your multi-function printers a security risk? Here are five key strategies for safeguarding your data

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

End User Devices Security Guidance: Apple OS X 10.10

Using Remote Desktop Clients

Basics of Internet Security

Windows Phone 8 Security Overview

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

DiamondStream Data Security Policy Summary

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Global Security Report 2011

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

12 Security Camera System Best Practices - Cyber Safe

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

BlackBerry 10.3 Work and Personal Corporate

Ovation Security Center Data Sheet

PCI Compliance in Multi-Site Retail Environments

V ISA SECURITY ALERT 13 November 2015

Section 12 MUST BE COMPLETED BY: 4/22

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Complying with PCI Data Security

Becoming PCI Compliant

Alliance Key Manager A Solution Brief for Technical Implementers

How to Secure Your Environment

SECURING YOUR REMOTE DESKTOP CONNECTION

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

Cyber Essentials Questionnaire

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Implementation Guide

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

PCI DSS 3.0 Compliance

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, Concepts.

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Mitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security

FileCloud Security FAQ

Using a VPN with Niagara Systems. v0.3 6, July 2013

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

Frequently Asked Questions

Remote Administration

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

PCI Data Security Standards (DSS)

UNCLASSIFIED CPA SECURITY CHARACTERISTIC REMOTE DESKTOP. Version 1.0. Crown Copyright 2011 All Rights Reserved

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management

Remote Deposit Terms of Use and Procedures

Appendix 1 - Credit Card Security Incident Response Plan

Policies and Procedures

Transcription:

SESSION ID: HTA-W02 That Point of Sale is a PoS Charles Henderson Vice President Managed Security Testing Trustwave @angus_tx David Byrne Senior Security Associate Bishop Fox

Agenda POS Architecture Breach Investigations Testing Techniques Penetration Test Findings 2

PoS Attacks: Theory vs. Reality Most breaches involve very simple vulnerabilities Future breaches are likely to leverage more complex vulnerabilities as merchants become more secure Many merchants have very immature security programs 3

PoS Purchasing: Security Is Not A Criteria 4

Point of Sale Architecture

Hardware Standard PC workstation Specialized peripherals Card reader and PIN pad Barcode scanner Touch screen much less specialized than it used to be Expanded keyboard Scale Customer display

Hardware Interfaces USB RS-232 becoming less common TIA-485/RS-485 rare in 2015 Ethernet some PIN pads and printers can connect directly to network 7

Client Operating System and Software Windows dominates Some Linux Occasional use of network boot with no local storage Even large retailers use off the shelf packages that are customized to the client 8

Application Servers Many separate systems: Transaction records (purchases, refunds, etc.) Payment card processing Promotions Customer tracking Gift cards May be from entirely different vendors; more likely to see custom software in larger merchants 9

Application Servers In larger environments, typically implemented as middleware services: XML web services, etc. Small environments (isolated stores) likely to store all data on register. 10

Remote Administration Major source of compromise Registers will almost always have remote administration services Small organizations typically outsource administration Large chains will still not have on-site technical support 11

Breach Investigations

Attacks Become More Efficient Physical Modifications (External) Physical Modifications (Internal) Drive-By Malware Scalable Malware 13

Physical Attacks (Internal) 14

Physical Attacks (Internal) 15

Physical Attacks (Internal) 16

Forensics Case Study One: Vendor Negligence Same administrator password for nine years Attackers most likely discovered merchant in breach of other merchant using same vendor Username : Administrator [500] Full Name : User Comment : Built-in account for administering the computer/domain Account Created : Xxx Xxx XX XX:XX:XX 2004 Last Login Date : Xxx Xxx XX XX:XX:XX 2013 Pwd Reset Date : Xxx Xxx XX XX:XX:XX 2005 Pwd Fail Date : Xxx Xxx XX XX:XX:XX 2014 Login Count : 261 Password does not expire Normal user account 17

Forensics Case Study Two: Vendor Negligence Attacker installs memory-scraping malware Data was manually retrieved by attacker; memory dumps left on PoS disk Malware easily discovered during investigation using current AV Scan type: Quick scan Objects scanned: 191441 Time elapsed: 12 minute(s), 40 second(s) Files Detected: 2 C:\WINDOWS\system32\Searcher.dll (Trojan.Clicker) -> Quarantined and deleted successfully. C:\WINDOWS\system32\QOS.dll (Trojan.Agent) -> Quarantined and deleted successfully. 18

Forensics Case Study Three: Vendor Negligence Back of house server configured for remote management utilizing pcanywhere Null Administrator password Administrator password had not been changed in nine years Malware easily discovered during investigation using current AV 19

Forensics Case Study Four: Origin of Malware Multiple workstations in CHD environment used to browse pornographic websites, download torrents, and video chat Keylogger installed by attacker also logged use of machines with CHD being used to play Guitar Hero 3, Call of Duty, and other games Key Pressed: bxcvbxcvbxcvbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbxxxxxxx xxxxxxxxcvbvvvvvvvvvvvvvvvvvvvvbccxcvcvvcvbvxvcvxccc cccccccccvbxccvcbvcxxxxxxxxxxxcbcvcxbbvcxcvbvcbvcvcv cxbvcx{esc} b{esc}bbxcvbxcvbbvbvbvbvbvbvbbvbvbvbbbbbbbbbbbbbbbbb bbbbbbbbbbbbbbbbbbbbbbbbbbxxxxxxxxxxxxxxxcvbvvvvvvvv vvvvvvvvvvvvbcxcbcvvvvvvcvbbbbbbbvxvcvxxcccccccccvbx cvvcbvcxcbcvxbbbvcxxxcbvcbvcvcvcxvcxvcvcvcvcvbcccccc cccccccccccccccccccccccxbxcbxxcxvxbxvxcxvxvbxvxcxvxv xbbbbbvcxxxxxxxxxxxxxxxxxxxxxxvcxcccccvvvvvvvvvvvvvv bbbbbbbbxbxvxcxcbvbcvxcxccccccccccccccvccxxxxxxxxbbv xcbxbxvxcxvbbbbbbbbbbbbbbbbbbbbbcccccvxvcvcbbbbbbbvc vcbcvbxvcvcbxvcvcbcvxxxxxxxxxcvcvcbbbbbbvcvcbcvbbbbb bxvcvcbxvxvcvcvbvxbxvxvxvxcvvvvvvcbxv 20

Backoff Malware Self-propagates through weak remote access authentication Command and control features Memory scraping for payment card data Automatic data exfiltration Keylogging New infections look for old versions of Backoff to remove 21

Testing Strategies

Multiple Testing Perspectives Remote (routed) network access Vulnerable network services Local network access Proper protocol encryption Endpoint authentication (i.e., no MitM) Identification of second-tier application servers

Multiple Testing Perspectives Momentary physical access Introduction of malicious device key-logger, network adapter, USB attacks, IEEE 1394 DMA, etc. Prolonged physical access Hard drive encryption Local storage of sensitive data (i.e., payment card numbers) Analysis of application binaries Monitoring and modification of key peripherals (i.e. PIN pad) 24

Multiple Testing Perspectives Console interaction Execution of unauthorized and malicious programs Escalation of system privileges Modification of PoS application Monitoring of network and peripheral communication Memory dumps 25

Physical Security Quality of locks Exposed network cables, drops 26

Penetration Testing Results

Physical Security This is not good physical security Easy access to USB, Ethernet, etc 28

Physical Security This is not a good lock 29

166816 (Z66816) Since 1990, this has been the default password for all products from a major vendor Publically documented in a 1994 alt.2600 FAQ (featuring terms like sysop and company names like Northern Telecom ) 90% of the terminals of this brand we test for the first time still have this code 30

Improper Use of Symmetric Keys Symmetric algorithms: one key for both encryption and decryption Asymmetric algorithms: decryption & encryption keys separate Using symmetric algorithms for payment card data invites abuse 31

Operating System Security Most POS deployments are overly reliant on passwords Very difficult to secure OS passwords on endpoint AV scanning isn t perfect, but still important Easy to introduce custom malicious executables No drive encryption Simplifies offline attacks Allows stolen devices to be used for analysis Devices get stolen 32

Authentication Fail Single set of authentication credentials across enterprise Automatic Windows login and local enforcement of POS user authentication no authentication against networked application services 33

Running as administrator Vendors often claim that this is a requirement. Lies, nothing but lies. Windows and Unix-like operating systems have never worked this way. Simply an excuse for lazy programmers 34

PIN Pad Debug Triggered 35

Plaintext Network Traffic Note the protocol. This is not IP. 36

Running Unauthorized Programs This is how malware infections start 37

Network Communication Security Flaws Plaintext communication Failure to authenticate endpoints SSL is next to useless without certificate verification 38

Encryption Insanity Symmetric encryption used for transmission of payment cards Point-to-point-to-point encryption (one too many points)* XOR to protect passwords; programmers are always amazed that we can reverse this * Note: The addition of more points does not enhance security posture. 39

PIN Pad Security Default configuration often insecure Can almost always be reprogrammed from register Convenient way of implementing management across enterprise Some code is cryptographically signed Configuration is almost never signed Attacker may be able to disable security controls such as end-to-end encryption 40

PAN Abuse Coupon printer using PAN to track customers PAN returned to PoS for truncation Purchase history stored for tracking fraud 37 million numbers Adding drives to register store growing debug transaction logs 41

Card Numbers in RAM 42

Symlink to Access Filesystem 43

Apply: PoS Security Program

Implement a PoS Security Program Always verify the security claimed to be implemented by vendors Top priorities: Ensure no payment card data is stored on registers Enforce strong authentication policies Don t run PoS user interface as administrator Stay current on patches and AV signatures 45

Implement a PoS Security Program Secondary priorities: Evaluate security of data communication (encryption, certificate checks, etc.) Pen test application servers for application vulnerabilities Lock down client execution environment Final efforts: Use strong authentication (key/certificate-based) Implement end-to-end encryption with asymmetric keys 46

Q & A

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information