Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
PCI DSS does not require in-motion card data to be encrypted inside the CDE. granted, better to have encrypt with in-motion data.
CC data sitting needs to be encrypted and some CC data cannot be stored at all, but this encryption usually comes from the storage device or file system, which is useless for a virus that has rights to access the stored data. data at rest really needs to be encrypted by application thus reducing the risk vector down to just the apps, etc.
some news suggests the swipe terminals themselves were all infected. i suspect not, as the ones used at target dont likely have a comm path to the outside world. other news suggests Target had a virus that got onto all of their POS terminals (the OS that runs the software to which swipe terms are connected). this to me sounds like Dexter or variant.however, i am not 100% that Target has a homogenous POS landscpe which makes Dexter less probable to hit every in-store terminal. i am leaning on what others are suggesting, a central aggregate point.
perhaps a lesson for Target is, dont build solutions under aggregation model, use segregated stacks. sure, the latter requires more effort but limits probability of a "got all" attack.
Last edited by Linux_Kidd; 01-03-2014 at 10:56 AM.
It was caused by point-of-sales malware, specifically RAM scrapper.
Quote:
According sources who spoke to Reuters, attackers used RAM scraper, or Memory parser malware to steal sensitive data from Target and other retail victims.
Visa issued alerts about attacks utilizing these types of malware in April 2013 (PDF) and again in August 2013 (PDF).
After gaining access to a merchant’s network, attackers can install memory-parsing malware on register systems or backend processing servers to extract magnetic-stripe data as it moves through the through the payment process.
Memory parser malware targets payment card data being processed “in the clear” (unencrypted) in a system’s random access memory (RAM).
“The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,” Visa explained in a security advisory.
“These binaries are responsible for processing authorization data, which includes full magnetic-stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or BOH server and stores the authorization data in random access memory (RAM). The data must be decrypted for the authorization to be completed, so hackers are accessing full track data when it is stored in RAM and using malware such as memory-parsers to steal it.”
Visa first warned about these types of attacks targeting grocery merchants, but said merchant segment is vulnerable. According to Visa, these types memory parser malware attacks have been found only targeting Windows-based operating systems.
it still baffles me as to why from card swipe there is any non-encrypted data anywhere. the simple use of PKI would rid this problem. public key on the swipe terminal, data is decrypted on processor side, tokenization used for the approval/denial, etc.
even swipe terminals can be hacked, but way harder to do so then infecting the stupid OS that has the application. why in the world are POS terminals using Windows??? mistake #1.
other news has a C2 server in Target network, from there they carefully deployed hack to many of the POS terminals. where's the IDS/IPS, where's the anomalous detection??? omg Target, are you kidding.
someone needs to request their PCI ROC !!!
Last edited by Linux_Kidd; 01-18-2014 at 11:37 PM.
The NetSec podcast finally addressed this situation; it's in the early part of this episode. They were delayed in getting to it because one of the podcasters was moving from the US to the UK at the end of last year.
i deal with this all the time. i get paid good $$ to be a security advisor. i have made many suggestions where management just didnt see the value-add. i mark these items on my side as "declined by customer, risk accepted by customer management". in the end, it's customer owners (whoever that may be) are the ones who own the risk.
Target upper management either had a good insurance plan for such risk, or they were negligent of the matter. my guess is, the 1st is likely the case given this article.
did Target have a passing ROC for PCI (either by 3rd party or did they have a ISA?)???
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
