NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0477 Hackers Open New Front in Data Theft:
Security managers often describe their efforts to protect corporate data from being compromised
as a full-fledged battle of wits against cybercrooks who are continually arming themselves with
innovative tools and methods of attack. And the security breaches disclosed last month by
Hannaford Bros. Company and Okemo Mountain Resort - along with unconfirmed reports of dozens of
similar network intrusions - suggest that a new front may have opened up in the battle. Furthermore,
the recent incidents have prompted some to question whether the payment card industry's highly
publicized data security standards are fully equipping companies to fend off attackers. What's
noteworthy about the Hannaford and Okemo breaches is that they both involved the theft of data
in transit - credit and debit card information that was being transmitted from point-of-sale
systems to payment processors in order to authorize transactions. In Hannaford's case, the
Scarborough, Maine-based supermarket chain has said that malware planted on the servers at about
300 grocery stores in the Northeast and Florida intercepted up to 4.2 million credit and debit
card numbers and periodically sent the data in batches to a system overseas. Just two weeks after
Hannaford disclosed its breach, Okemo reported that data from more than 46,000 payment card
transactions may have been compromised during a 16-day system intrusion in February. Some of the
data that was stolen was from transactions that occurred two years ago. But data from purchases
made by customers while the intrusion was taking place appears to have been stolen in real-time
durin gthe authorization and card-verification process. "The information was being taken as the
cards were being swiped," she said, adding that law enforcement officials have told Okemo's management
that they are investigating about 50 such incidents in the Northeast alone. The Hannaford breach,
at least, poits to possible holes in the PCI defense wall. The techniques used to pull off data-in-
transit heists really are not all that new. Typically, perpetrators first gain access to a targeted
network by taking advantage of a vulnerability that has yet to be detected or patched. Once the
attackers get a foothold, they can deploy malware that can sniff the network for traffic they are
interested in, such as credit card data. The malware can also be programmed to queue the stolen
data and send it in batches to an outside destination, as was the case with the Hannaford intrusion.
The grocer has said that it was breached even though it had been certified as being compliant with the
security standard last year and then again on 27 February. That was the day Hannaford was first made
aware of suspicious activity involving the credit cards of its customers. Under existing rules, a
company does not need to encrypt payment data while it is in transit within its own internal network.
But the general manager of the PCI Security Standards Council contended that if a company implemented
all of the existing PCI controls, it would not be possible for attackers to get at the information
while it is being transmitted internally.
(ComputerWorld 14APR08)