Some of you will remember the Target and Home Depot cyberattacks in 2013 & 2014, which resulted in an estimated $135-200 million (take out $202 million (Sruthi Ramakrishnan, 2017) to $134.5 million USD (Roberts, 2017) of damages respectively. Both of these attacks involved the installation of malware on Point-of-Sale (POS) terminals which, in turn, captured credit card information from the memory of the POS terminals as customers swiped their credit cards. This information was captured locally, and then transferred to remote drop boxes where it was picked up by the hackers (SANS Institute, 2014).
It is instructive to examine these and other infamous hacks in detail to glean important lessons about system and application security.
Breaches are Inevitable
In an attack on systems of this scale, there will be many security lapses from network access to the network infrastructure which contribute to the hack. In particular, the false assurance of relying upon perimeter security has been dealt with in a separate series of articles by fellow cybersecurity expert Ben Gidley. For the Target and Home Depot exploits, though, I want to consider two of the attack vectors in detail:
- Malware installed on the POS terminals (SANS Institute, 2014)
- Card data scraped from memory (SANS Institute, 2014)
In the malware case, the hackers uploaded malware to the point of sale terminals to capture credit card data which, in turn, would be sent back to predetermined drop points.
The credit card information itself was captured by scraping the memory of the point of sale terminal for credit card information. In fact, the lack of memory protection is cited as being a key weakness of the overall solution,
“Target reportedly spent a great deal of money on security technology. Although systems used encryption, the encryption was rendered useless because the data was accessed in memory where it was unencrypted.” (SANS Institute, 2014).
Today in-memory attacks are quite common and show that externally focussed perimeter security measures such as communication encryption, whitelisting and firewalls are no longer sufficient. Let’s have a look at the benefits of a multi-layered, or defense in depth, approach.
Multi-Layered Security Mitigations
(Or, How to mitigate these types of in-memory attacks using defense in depth)
Systems and applications that adopt a multi-layered approach to software security assume that the system will be compromised and that the attacker could have root privileges. A proper multi-layered approach to software system security could have mitigated the security exploits above in two ways:
- A secure environment, with application whitelist support, could have been deployed on the point of sale devices to limit the execution of unauthorized 3rd party apps like the malware which was installed. This is especially relevant to embedded devices, like POS terminals, where no unauthorized 3rd party applications need to be accommodated.
- Software protection solutions such as whitebox cryptography could have been implemented in the software to prevent the capture of credit card information, which was displayed as cleartext for milliseconds within memory. (Alina is an example of such a memory grabber (Grunzweig, 2013)). Modern software protection solutions are easy to integrate into a developer’s build environment and the techniques can be selectively applied to protect software IP (code), keys and critical data.
Bottom-line, effective mitigations against the Target & Home Depot data breaches could have been easily applied to their systems at a small fraction of the final settlement costs for the resulting damages.
Note: Irdeto provides a range of software security products and services based on our Cloakware® Software Protection suite of tools and technologies. All of the solutions, including Cloakware’s Secure Environment, adopt a multi-layered, self-protecting, approach to software security.
Grunzweig, J. (2013, May 8). Alina: Casting a Shadow on POS. Retrieved from Trustwave – SpiderLabs Blog: https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina–Casting-a-Shadow-on-POS/
Roberts, J. J. (2017, mar 9). Target in $18.5 million multi-state settlement over data breach. Retrieved from Fortune Magazine: http://fortune.com/2017/03/09/home-depot-data-breach-banks/
SANS Institute. (2014). Case Study: Critical Controls that Could Have Prevented Target Breach. SANS Institute.
Sruthi Ramakrishnan, N. B. (2017, May 23). Target in $18.5 million multi-state settlement over data breach.