Wednesday, April 23, 2008

POS Encryption

http://www.boston.com/business/articles/2008/04/23/stung_by_hackers_grocer_encrypts_customer_data/

As any Hannaford exec will now tell you, the place you secure last is the first place attackers will target. As the cliché goes, a chain is only as strong as its weakest link.

In this case, although details are quite nebulous, it appears that malware running on internal store servers intercepted credit card data as cards were swiped. The track data travels in plaintext from the POS terminals to the store's processing servers and is only encrypted there, for the hop out to the card processor, so anything sitting on that internal path can read the complete card data. The malware simply collected it and shipped it off to the attackers.

A really simple operation, but how did the malware get onto the internal servers? There are a few ways:
a. Someone used a server to surf the 'Net and downloaded it by mistake
b. Someone planted it on purpose (inside job)
c. Hackers got in from outside and planted the program

The company will not really say what happened, so none of the three can be ruled out, and an inside job remains a real possibility.

Steps the company has taken to prevent this kind of interception include encrypting the card data right at the POS terminal and having IBM monitor the network for suspicious activity. This is another case of closing the barn door after the horse has bolted, although it does shut off this particular method for anyone planning to repeat it.

The problem is that attackers will probably find a way around it; they always do. The PCI-DSS requirements (see one of my previous blogs) cover cardholder data stored on the servers (Requirement 3) and data sent over open, public networks (Requirement 4); they do not require encryption on the internal store network between the terminal and the server, and that gap is exactly what was exploited here.

Further, as the linked article notes (and it is true in general), retailers depend heavily on their software vendors to patch vulnerabilities and to make sure their product is not the gateway through which attackers drill into the enterprise and steal information.

One critical step would be to monitor INTERNAL traffic: always log who accesses the sensitive servers, enforce strict ACLs, and inspect ALL packets that leave those servers, especially traffic that breaks known patterns/signatures, and especially anything that looks like card data heading somewhere it has no business going.
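As an added example (not part of the original post, and not anything Hannaford or IBM built), here is a small Go program that models the pipeline described above. One Luhn-filtered track-2 scanner plays both roles: the malware harvesting swipes on the store server and the egress monitor checking packets that leave it. The sealAtTerminal/openAtProcessor pair then shows what encrypting at the POS changes: the store server only ever forwards an opaque blob. The function names, the constructed track-2 strings, and the static AES-GCM key are assumptions for illustration; real terminals derive a fresh key per transaction (DUKPT) inside the PIN pad.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"regexp"
)

// Track 2 as it comes off the magnetic stripe: ;PAN=YYMM<service code><discretionary>?
// The sample swipes below are constructed test data, not real card numbers.
var track2Re = regexp.MustCompile(`;(\d{13,19})=(\d{4})\d*\?`)

// luhnValid reports whether a digit string passes the Luhn check that every
// PAN satisfies; it separates card numbers from random digit runs.
func luhnValid(digits string) bool {
	if len(digits) < 13 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// findPANs returns every Luhn-valid PAN inside a track-2 field in a byte
// stream. The same routine serves the attacker harvesting swipes from the
// terminal-to-server link and the defender watching outbound packets.
func findPANs(payload []byte) []string {
	var pans []string
	for _, m := range track2Re.FindAllSubmatch(payload, -1) {
		if pan := string(m[1]); luhnValid(pan) {
			pans = append(pans, pan)
		}
	}
	return pans
}

// sealAtTerminal is the point-to-point fix: the PIN pad encrypts the track
// with AES-GCM under a key it shares only with the processor (assumed static
// here), so the store server merely forwards ciphertext.
func sealAtTerminal(key, track []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, track, nil), nil
}

// openAtProcessor recovers the track on the processor side; only it holds the key.
func openAtProcessor(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	// Constructed swipe batch: one valid test PAN and one that fails Luhn.
	swipes := []byte(";4111111111111111=2512101123456789?;4111111111111112=2512101000000000?")
	key := make([]byte, 32) // processor-owned key, generated fresh for the demo
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fmt.Println("plaintext link, snooper/egress monitor sees:", findPANs(swipes))
	blob, _ := sealAtTerminal(key, swipes)
	fmt.Println("encrypted at POS, snooper/egress monitor sees:", findPANs(blob))
	back, _ := openAtProcessor(key, blob)
	fmt.Println("processor recovers:", findPANs(back))
}
```

The first line of output lists the valid PAN (the Luhn filter drops the bogus one, which keeps an egress alert from firing on every digit string), the second is empty, and the third shows the processor decrypting normally. Flip the roles and the same scanner, pointed at traffic leaving the store, is the cheap internal check argued for above.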
Extensive background checks on staff who must have access to these machines should be mandatory, and any unauthorized attempt to peek at the database or perform any other illegitimate operation should result in immediate termination, no exceptions. Quite obviously (as in my earlier blogs) I am not advocating tyranny at the workplace, just prudence, caution and curiosity, and lots of it.

Hacking is done by humans, not by machines or software, even though those are indispensable tools for reaching their nefarious goals. The instigator is still a living, breathing human, so any security plan that mindlessly targets malware, viruses, worms, trojans etc. without taking the human element into account (especially employees, and the psychology of attackers) is doomed to fail.

For most large corporations that deal in data (finance, medicine, retail etc) there is nothing more horrific than a panicky call in the middle of the night from the sys admin. Don't let it happen to you - tighten your network; encrypt; monitor; adjust; implement; monitor.

Be safe!
