1 Breaking the Target: An Analysis of Target Data Breach and Lessons Learned Xiaokui Shu, Ke Tian*, Andrew Ciambrone* and Danfeng (Daphne) Yao, Member, IEEE Abstract—Thispaperinvestigatesandexaminestheeventsleadinguptothesecondmostdevastatingdatabreachinhistory:the attack on the Target Corporation. It includes a thorough step-by-step analysis of this attack and a comprehensive anatomy of the malwarenamedBlackPOS.Also,thispaperprovidesinsightintothelegalaspectofcybercrimes,alongwithaprosecutionandsentence exampleofthewell-knownTJXcase.Furthermore,wepointoutanurgentneedforimprovingsecuritymechanismsinexistingsystems ofmerchantsandproposethreesecurityguidelinesanddefenses.Creditcardsecurityisdiscussedattheendofthepaperwithseveral bestpracticesgiventocustomerstohidetheircardinformationinpurchasetransactions. 7 1 IndexTerms—Databreach,informationleak,point-of-salemalware,cybercrime,networksegmentation,securityalert,systemintegrity, 0 creditcardsecurity,EMV,tokenization 2 (cid:70) n a J 8 1 1 INTRODUCTION tailers those possess vast networks across the nation, ] BetweenNovember27andDecember18,2013,theTarget like Target and Home Depot. Target security division R attemptedtoprotecttheirsystemsandnetworksagainst Corporation’s network was breached, which became the C cyber threats such as malware and data exfiltration. Six second largest credit and debit card breach after the . months prior to the breach, Target deployed a well- s TJX breach in 2007. In the Target incident, 40 million c known and reputable intrusion and malware detection credit and debit card numbers and 70 million records of [ service named FireEye [7], which was guided by the personal information were stolen. The ordeal cost credit 1 card unions over two hundred million dollars for just CIA during its early development [8]. Unfortunately, v multiple malware alerts were ignored. Some prevention reissuing cards. 
0 functionalities were turned off by the administrators TargetCorp.isnottheonlytargetofdatabreaches.Up 4 who were not familiar with the FireEye system. Target 9 to the 23rd of September, 568 data breaches are reported Corp. missed the early discovery of the breach. 4 intheyear2014[1].Thelatestsignificantbreach,i.e.,the 0 Home Depot breach, came to light in September 2014. ThispaperanalyzesTarget’sdatabreachincidentfrom . both technical and legal perspectives. The description of 1 As of September 14, it is known that 23 out of 28 Home 0 Depot stores in the State of Alabama were breached [2]. the incident and the analysis of the involved malware 7 Theentireplotcouldinvolvealargeportionofthe2,200 explainhowflawsintheTarget’snetworkwereexploited 1 and why the breach was undiscovered for weeks. The HomeDepotstoresinthestatesand287storesoverseas, : v which might result in a larger breach than the Target Target data breach is still under investigation and there Xi breach. We list four other significant breaches in the isnoarrestmadeknowntothepublic.Eveniftheperpe- trators are identified, cyber crimes involving extradition last two years. The increasing number and scale of data r are notorious to prosecute. We discuss the difficulties a breach incidents are alarming. of data breach discovery, investigation and prosecution • Sally Beauty Supply discovered in March 2014 that withrespecttolegislationandinternationalcooperation. 282,000 cards were stolen [3]. Anearlierincident,TJXdatabreachin2007,ispresented • NeimanMarcusreportedthat1.1millioncardswere as the precedent for arresting and sentencing criminals stolen during July to October, 2013 [4]. committing financial cybercrimes. • Michaels and Aaron Brother reported that 3 million Asweobserveanincreasingnumberofdatabreaches, cardswerestolenfromMay2013toJanuary2014[5]. these incidents bring us to rethink the effectiveness of • P.F. 
Chang’s data breach occurred from September existing security mechanisms, solutions, deployments 2013toJune2014impactingover7millioncards[6]. and executions. Credit card breach has a huge negative Securing massive amounts of connected systems is impactoneveryentityinthepaymentecosystem,includ- known to be technically challenging, especially for re- ing merchants, banks, card associations and customers. In this paper, we provide several insights into weak • X. Shu, K. Tian, A. Ciambrone and D. Yao are with the Department of links in the payment ecosystem, specifically in existing ComputerScience,VirginiaTech,Blacksburg,VA,24060. E-mail:{subx,ketian,andrjc4,danfeng}@vt.edu. security techniques and practices. We give several best • *K.TianandA.Ciambronecontributeequallytothepaper. practice suggestions for merchants and customers to enforce their data security and to minimize information 2 September November 15 November 27 November 30 December 2 December 12 December 15 Attackers Attackers Attackers POSmal- Attackers Department Target compro- brokeinto beganto warefully beganto ofJustice removed misedFazio Target’s collect installed. movecredit notified most Mechanical network creditcard carddata Target. malware. Services. andtested data. Attackers out. malware installed onPOS data Additional machines. exfiltration FireEye malware. alerts triggered. Symantec andFireEye alerts triggered. Fig.1. TimelineoftheTargetdatabreach(2013). leak. 2.1 BreachIntoTarget The contributions of our work are summarized as follows. There are multiple theories on how the criminals ini- tially hacked into Target, and none of them have yet • We gather and verify information from multiple been confirmed by Target Corporation. However, the sources and describe the process of the Target data primary and most well-supported theory is that the breach in details (Section 2). initial breach didn’t actually occur inside Target [10]. 
• We provide an in-depth analysis of the major mal- Instead, it occurred in a third party vendor, Fazio Me- ware used in the Target breach, including its design chanical Services, which is a heating, ventilation, and features for circumventing detections as well as the air-conditioning firm. marketing of the malware (Section 3). • We discuss the complexities and challenges in According to this theory, we present the timeline of data breach investigation and criminal prosecution, the incident in Fig. 1 and steps of the plot in Fig. 2. specifically from the legal perspective. We describe Attackers first penetrated into the Target network with the TJX breach in 2007 as a precedent for arresting compromised credentials from Fazio Mechanical. Then and sentencing cyber criminals (Section 4). they probed the Target network and pinpointed weak • We provide three security guidelines for merchants pointstoexploit.Somevulnerabilitieswereusedtogain to enhance their payment system security: i) pay- access to the sensitive data, and others were used to mentsystemintegrityenforcement,ii)effectivealert build the bridge transferring data out of Target. Due system design, and iii) proper network segmenta- to the weak segmentation between non-sensitive and tion (Section 5). sensitive networks inside Target, the attackers accessed • Wediscussthecurrentstatusofcreditcardsecurity, the point of sale networks. point out problems in the credit card system, and give customers best practices to hide their informa- tion in purchase transactions (Section 6). 2.1.1 PhaseI:InitialInfection At some point the Fazio Mechanical Services system 2 THE TARGET INCIDENT was compromised by what is believed to be a Citadel ThesystemsandnetworksofTargetCorp.werebreached Trojan [11]. This Trojan was initially installed through in November and December, 2013, which results in 40 a phishing attempt. 
Due to the poor security training million card numbers and 70 million personal records and security system of the third party, the Trojan gave stolen [9]. Multiple parties get involved in the federal the attackers full range of power over the company’s investigation of the incident. The list includes United system[10].ItisnotknownifFazioMechanicalServices State Secret Service, iSIGHT Partners, DELL Secure- was targeted, or if it was part of a larger phishing Works,Seculert,theFBI,etc.Inaddition,companieslike attack to which it just happened to fall victim. But it HP, McAfee and IntelCrawler provide analysis of the is certain that Fazio Mechanical had access to Target’s discovered malware, i.e., BlackPOS, and the marketing Ariba external billing system, or the business section of of the stolen cards. Target network. 3 control path data flow PoS terminals 1. Phishing attack against Fazio Mechanical Service ⑤ 2. Accessing the ④ Target network ⑦ ⑥ 3. Gaining access to vulnerable machines Compromised Hosts ③ 4. Installing malware on PoS terminals Target network Drop sites 5. Collecting card information from PoS ② 6. Moving data out of ① the Target network Attacker Fazio Mechanical 7. Aggregating stolen card and person data Fig.2. AttackstepsoftheTargetbreach. 2.1.2 PhaseII:PoSInfection theclosestFTPServer[12].Thestolencardinformationis DuetoTarget’spoorsegmentationofitsnetwork,allthat thenrelayedtoothercompromisedmachinesandfinally theattackersneededinordertogainaccessintoTarget’s pushed to drop sites in Miami and Brazil [13]. entire system was to access its business section. From 2.1.5 PhaseV:Monetization there, they gained access to other parts of the Target network, including parts of the network that contained Sources indicate the stolen credit card information was sensitive data. 
Once they gained access into Target’s aggregated at a server in Russia, and the attackers col- network they started to test installing malware onto the lected11GBdataduringNovemberandDecember2013. point of sales devices. The attackers used a form of The credit cards from the Target breach were identified pointofsalesmalwarecalledBlackPOS,whichisfurther on black market forums for sell [14]. At this point, it is discussed in Section 3. unclear how these sellers, e.g., Rescator (nick name), is connectedwiththestolencardandpersonalinformation. 2.1.3 PhaseIII:Datacollection In Section 4.3, we describe the well studied case of TJX credit card breach. It hints possible paths of peddling Once BlackPOS was installed, updated and tested. The stolen credit cards in the black market. malwarestartedtoscanthememoryofthepointofsales toreadthetrackinformation,especiallycardnumbers,of thecardsthatarescannedbythecardreadersconnected 2.2 TargetsSecurity to the point of sales devices. Target did not run their systems and networks without security measures. They had firewalls in place and they 2.1.4 PhaseIV:Dataexfiltration attempted to segment their network using Virtual local The card numbers were then encrypted and moved area networks (VLAN) [7]. Target also deployed Fire- from the point of sales devices to internal reposito- Eye, a well-known network security system, six months ries, which were compromised machines. During the prior to the breach. FireEye provides multiple levels of breach the attackers took over three FTP servers on security from malware detection to network intrusion Target’s internal network and carefully chose backdoor detection system (NIDS). user name “Best1 user” with password “BackupU$r”, However, the breach demonstrates that sensitive data which are normally created by IT management software in Target, e.g., credit card information and personal Performance Assurance for Microsoft Servers. During peak records, is far from secure. 
Target failed at detecting or times of the day, the malware on the point of sale preventing the breach at several points, among which devices would send credit card information in bulk to we list the four most vital ones: 4 • Targetdidnotinvestigateintothesecuritywarnings generated by multiple security tools, e.g., FireEye, BlackPOS Symantec, and certain malware auto-removal func- tionalities were turned off [15]. program data exfiltration maintenance functionalities • Targetdidnottakecorrectmethodstosegmenttheir systems, failing to isolate their sensitive network register service scan process list assets from easily accessed network sections. The VLAN technique used for segmentation is reported easy to get around [16]. start service select process • Target did not harden their point of sale terminals, allowing unauthorized software installation and configuration. The settings resulted in the spread of repository scan process malware and sensitive card information read from aggregation point of sale terminals. • Target did not apply proper access control on ver- check time scan mem chunks ities of accounts and groups, especially the ones fromthirdpartypartners[17].Thefailureresultedin upload log extract track info the initial break-in from the HVAC company Fazio Mechanical Services Inc. 2.3 AftertheBreach Fig. 3. Components and functionalities of BlackPOS. The former CEO of the company, Gregg Steinhafel, re- Yellowboxesareentrypointsofdifferentfunctionalities. signed after the breach. Target appointed a new chief information officer Bob DeRodes and provided details onenhancingtheirsecuritywith100milliondollars[18]. the time before sending obtained credit card numbers. 
The plan includes upgrading insecure point of sale ma- Only during the busy office hours in the daytime, the chines and deploying chip-and-PIN-enabled technology repository aggregation function could be enabled and the forpayment.Defensessuchasbettersegmentationofthe card information is sent to the internal repository. network, comprehensive log analysis and stricter access Memory of target processes are read and analyzed in control are also mentioned in the plan. chunks,eachofwhichis10,000,000bytes.BlackPOSuses acustomlogictosearchcreditcardnumbersinthemem- 3 BLACKPOS ory trunks. It is believed that this method is more effi- BlackPOS, seen on underground forums since February cient and incurs less overhead than generally used reg- 2013 [19], is believed to be the major malware used in ular expressions [20]. Retrieved credit card information the data breaches at Target (2013), P.F. Chang’s (2013), are encrypted and stored in file “C:\WINDOWS\system and Home Depot (2014). The malware is a form of 32\winxml.dll” and then periodically uploaded to the memory scrapper that takes a chunk of a systems mem- internal repository via NetBIOS and SMB protocols. ory and looks for credit card numbers. We describe the functionalities of BlackPOS captured in the Target 3.2 DesignFeaturesforEvadingDetections breach, discuss its design features for circumventing BlackPOS evolves quickly during the past few years. detection techniques, and present the investigations of The earliest versions of it are discovered by McAfee POS malware development and marketing. in November 2011 as PWS-FBOI and BackDoor-FBPP. They only contain the bare-bone logic for retrieving 3.1 ComponentsandFunctionalitiesofBlackPOS and leaking sensitive information from individual ma- Belonging to the BlackPOS family, the malware discov- chines [21]. However, the modern versions – known to eredintheTargetbreachisdesignedtoinfectWindows- beusedintheTargetbreach(2013)andtheNeimanMar- based POS machines. 
The functionality of BlacksPOS is cus breach (2013) – are heavily customized for specific notcomplicatedandwepresentitscomponentsinFig.3. internal networks and perform sophisticated behaviors WhenaPOSterminalisinfected,themalwareregisters tohidethemselvesfromcommondetectionmechanisms. itself as a Windows service named “POSWDS”. The We detail multiple observed behaviors of BlackPOS in service automatically starts with the operating system, the Target breach to illustrate how it is designed to then i) it scans a list of processes which could interact circumvent detections. withthecardreader,andii)itcommunicateswithacom- • Multi-phase data exfiltration. Infected POS terminals promised server (internal network repository) to upload do not send sensitive data to the external network retrievedcreditcardinformation.Predefinedrulesapply directly.Instead,theygatherdatatoacompromised formatchingthesensitiveprocesses,aswellaschecking internal server, which is used as a repository and 5 one of the relies to reach the external network [22]. various laws and complex treaties among countries. Themulti-phasedataexfiltrationschememinimizes In this section, we discuss i) the laws that apply to anomalous data flows across network boundaries. cybercrimes, especially data breaches, ii) the difficulties • String obfuscation. Critical strings in the malware in data breach discovery and prosecution, and iii) a executablesareobfuscatedtoevadesignature-based precedentofinvestigationandsentenceintheTJXbreach anti-virus detection [21]. The strings include criti- case happened in 2007. cal process names for scanning and NetBIOS com- mandsforuploadingdatatotheinternalrepository. 4.1 CybercrimeLawandRegulations • Self-destructive code. The malware avoids unneces- The federal Computer Fraud and Abuse Act (CFAA) is sary infections to minimize its exposure. It de- the most applicable cybercrime law that applies to the stroys/deletes itself if the infected environment is Target breach itself. 
Other laws against theft and misuse notwithinitstargets[23].Thisbehaviorreducesthe of the wires apply, as well as specific laws prohibiting riskofbeingdetectedinanunfamiliarenvironment. thesaleofcreditcardsandidentitytheft[29].Underthe • Data encryption. The retrieved credit card informa- CFAA, unauthorized access to a computer engaged in tion is encrypted in the file “Winxml.dll” in each interstate commerce, which causes damage over $5,000, POS terminal before it is sent to the internal repos- is a crime punishable by 5 to 10 years in prison and up itory. The encryption guarantees that no credit card to $250,000 damages, per offense. Subsequent violations numbers are sent in plaintext, which hides the leak increase the potential penalty, and there are different fromtraditionaldatalossprevention(DLP)systems. provisionsandpenaltiesforunauthorizedaccesstogov- • Constrained communication. Communications in the ernment or financial computers. The Federal Bureau of internalnetworkareprogramedduringofficehours Investigation leads investigations and cases are prose- of the day [20]. Busy office hour traffic helps hide cuted by the Department of Justice Computer Crimes anomalous communications between infected POS and Intellectual Property Division. terminals and the compromised internal repository. • Customized attack vector. Internal IP addresses and 4.2 BarrierstoDataBreachInvestigation login credentials of compromised servers are hard- coded in the malware. It indicates the malware Businesses, for a long time, declined to publically dis- author is aware of the internal network. The coun- close a data breach in fear that the information would termeasures against detections are deliberately de- hurt their reputation in the eyes of customers and in- signed along with the data exfiltration process. vestors would. Today, 47 states have data breach notifi- cation laws. 
Although not uniform, these laws generally 3.3 MalwareDevelopmentandMarketing require a business to report a data breach to affected customers when personally identifiable information has The Target breach attracts considerable attention to been lost. The requirement to report a data breach can BlackPOSandsimilarPOSmalware,e.g.,vSkimmer[24] aidlawenforcementintrackingdownthecriminals,and and Dexter [25]. Several investigations have been per- arguably is an incentive for businesses to increase their formed to disclose the development and marketing of security. these pieces of malware. Terrogence web intelligence In data breach plots, attackers usually hide their iden- company tracked the sales of the malware on under- tities carefully using relays across the world in both the ground markets and pointed out BlackPOS was first penetration phase (hacking into the system) and the ex- posted for sale in February 2013 [19]. Cybercrime intel- filtration phase (leaking the data out). The international ligence firm IntelCrawler indicated Rinat Shibaev, a 17- relays pose significant challenges for investigation and year-old boy, and Rinat Shabayev, a 23-year-old Russian prosecution. In the Target breach case, two drop sites man, are the principle developers of BlackPOS [26]. arefoundinMiamiandBrazil,andthefinalaggregation AndrewKomarov,CEOofthecompany,alsohintedthat server where all data is sent is discovered in Russia. 6 more retailer breaches are linked to BlackPOS [27]. Thereisnoguaranteethatallinvolvedcountriestakethe iSIGHT Partners, working with United States Secret same level of effort as the United States to help inves- Service, investigated the POS malware market and con- tigate the incident. Each country is affected differently cluded a growing demand for such malware since 2010. by the breach, let alone the complicated relations mixed FBI tracked about 20 data breach attacks in recent years with cooperation and divergences among them. 
and warned retailers about this increasing threat [28]. In addition, if cyber criminals are from outside the UnitedStatesthenanarrestrequiresextraditionfromthe 4 PROSECUTION OF DATA BREACHES foreigncountry.Inordertoextraditeforprosecution,the The Target data breach is still under investigation and United States and the country must be signatories to a there is no arrest known to the public. Tracking down treaty agreeing to such cooperation. Many countries in data breach perpetrators is notoriously difficult, because Asia, Africa and the Middle East do not have treaties the criminals usually operate across the world to set with the United States. Even with a treaty, extradition barriers for investigation and prosecution in terms of involves a complicated process. 6 4.3 TJXBreachandtheSentence propose better design and more effective practices for developing and deploying security solutions. Before the Target data breach, 45.6 million credit card numbers and PINs were stolen in the TJX data breach [30]. The breach was fully investigated and the 5.1 EnforcingPaymentSystemIntegrity criminals were prosecuted and sentenced. The case sets a record for credit card breach as well as the stiffest In the Target breach, BlackPOS was installed on Target’s sentence for a cybercrime. We describe details of the pointofsaleterminals,andtheintegrityofPOSsystems investigation from both technical and legal aspects. was compromised. This key step for data breach can Albert Gonzalez, an American hacker, plotted the TJX be prevented by enforcing the integrity of point of data breach from July 2005 to January 2007. In addition sale terminals. Therefore, we provide a practical scheme to the TJX case, he was also charged with data breaches using digital signatures and certificates for ensuring the in BJ’s Wholesale Club, Boston Market, Barnes & Noble, integrity of operating systems on point of sales. Sports Authority, Forever 21, DSW and OfficeMax [31]. 
TheworkflowofourPOSintegrityschemeisshownin All aforementioned data breaches done by Gonzalez Fig. 4. Our key idea is to allow only trusted executables were carried out with similar schemes. Taking the TJX running on POS machines. An executable is trusted if it case as an example, Gonzalez started with war-driving isverified/auditedanddigitallysignedbythemerchant, along Route No. 1 in Miami to discover vulnerable i.e., Target Corp. retailer’s hotspots. With the help of his accomplices – Executable verification techniques such as digital sig- especially Stephen Watt, the author of the sniffer used nature for executables are known for a long time, and in the data breaches – Gonzalez employed delicate SQL manymodernoperatingsystemsprovideutilitiestoward injectionstogainaccesstothedatabaseandtoinstallthe thegoal,e.g.,MicrosoftAuthenticode[35].However,the sniffer software into the servers. Credit cards informa- execution policy is usually difficult to be enforced on a tionwassniffedusingARPspoofingtechniquesandwas normalconsumer’scomputerbecausethereareavariety uploaded onto two foreign servers leased by Gonzalez of software providers on the Internet. Users may install in Latvia and Ukraine. softwareorrunprogramsfromproviderswhoseidentify After obtaining the credit card information, Gonzalez cannot be verified. Public key infrastructure (PKI) helps sold the credit card numbers and PINs to a Ukrainian relieve the issue, but it does not completely solve it due card seller Maksym Yastremskiy. Yastremskiy paid Gon- to the complexity introduced by the variety of software zaleztotaling$400,000through20electronicfundstrans- providers. fers via e-gold during 2006 [32]. 
He peddled the stolen However, this approach is useful and practical in credit card information to other card sellers in the un- the dedicated environment where i) POS terminals are dergroundmarket.In2007,Yastremskiywasarrestedon specifically used for processing transaction and ii) they a separate charge, i.e., hacking into 12 banks in Turkey. are possessed and controlled by the merchant, e.g., Tar- In May 2008, Gonzalez was apprehended with $1.1 get Corp. The first property ensures the software or million cash, a 2006 BMW, a diamond and other assets. programs running on POS terminals are limited and He schemed to earn $15 million from a series of data feasible to be audited. The second property guarantees breaches, according to his chat logs found by the gov- one centralized integrity center auditing and signing all ernment. He worked as an informant for the U.S. Secret executables can be created. Service before he was arrested. Therearetwoplayers,integritycenterandPOSterminal GonzalezwassentencedonMarch25thand26th,2010 and 5 steps in our integrity enforcement scheme. The for the TJX case and the Heartland Payment Systems integrity center has four tasks: i) key generation, ii) case, respectively. U.S. District Judge Patti Saris sen- key distribution, iii) file auditing and iv) file signing. tenced Gonzalez to 20 years in prison, and U.S. District The POS terminal is hardened by a policy that only Court Judge Douglas P. Woodlock sentenced Gonzalez binaries signed by the merchant can execute. The five- to 20 years for the Heartland Payment Systems case. step-protocol is: According to the negotiation between Gonzalez and the 1. The integrity center generates a public-private key government, the sentences run concurrently [33] and pair(cid:104)pk,sk(cid:105)andcreatesaself-signedcertificateCert Gonzalez would be imprisoned for a total of 20 years, containing pk. which has reached record high on cybercrime [34]. 2. 
The integrity center distributes Cert to every POS terminal in the company. Cert is placed in the root 5 LESSONS LEARNED TOWARD BETTER AND certificate list at each terminal. MORE EFFECTIVE SECURITY SOLUTIONS 3. The integrity center audits every binary that needs AswediscussedinSection2.2,thereareseveralmistakes to be executed on POS, e.g., programs, installers, made by Target in the incident, including i) ignoring system patches, etc. and signs the binary with sk critical security alerts, ii) improper segmentation of its (encrypting the hash of the binary with sk). network and iii) insecure point of sale data handling. In 4. The signed binary is sent over the merchant net- this section, we analyze these three points in details and work to POS terminals. 7 10100011001101 01001010100011 10101010101000 10001111010101 1. Key-pair and self-signed 00001010101111 Integrity center 01010101101001 certificate generation 10100011001101 signa1ture 10100011001101 01001010100011 01001010100011 10101010101000 ③ 10101010101000 2. Certificate (merchant’s 10001111010101 ④ 10001111010101 identity) distribution 00001010101111 00001010101111 01010101101001 01010101101001 1 1 3. Auditing the incoming ② ⑤ signature executable ① 4. Digitally signing and distributing executable 5. Enforcing digital signature POS terminal checking before execution Fig.4. OurPOScodeupdateprotocolwithenhancedcodeintegrityandauthenticityverification. 5. ThePOSterminalchecksthebinarysignatureusing malware is provided, such as type and severity. Anoma- pk in Cert (encrypting the signature with pk to lous behaviors of the malware are tracked and listed verify whether it is the hash of the binary) and in malicious-alert. The classtype=“anomaly-tag” indicates executes only the ones correctly signed with sk. 
that this alert is triggered because of anomaly behavior Adopting our payment system integrity enforcement detected.Themsg anddisplay−msg brieflydescribethe protocol, merchants can achieve the following two secu- content of this alert. rity goals in their system. In the Target case, FireEye alerted the administrators • system integrity: only trusted programs are allowed with type “malware”, which is commonly seen in large companies or organizations. However, no sufficient de- to be executed or installed on the payment system, tailed information was provided, e.g., the name of the which excludes the possibility of malware infection malwareorthedataexfiltrationbehaviorofthemalware. on point of sale devices. • program authenticity: every program or piece of soft- Since the BlackPOS software, which extracts and steals ware should pass the test at integrity center before it sensitive financial information, is regarded as a zero- day malware and few administrators have experience is executed on point of sale machines, which allows dealing with it, the alerts were ignored [37]. merchants to have the full control of the payment system functionalities. 5.2.2 SecurityAlertDesign 5.2 DevelopingEffectiveSecurityAlertSystems Security alert systems are at the front line of cyber Target had been warned multiple times by a malware defense. They represent the first opportunity to detect, detection tool produced by FireEye Inc [36], [37]. Un- prevent, and stop attacks. Because human analysts are fortunately, the monitoring team in Bangalore for Target error-prone and tend be undertrained, making alert sys- Corp. took no actions in response to these alerts. They tems more usable and intelligent is critical. also turned off the functionality that can automatically The needs for designing effective security warnings remove a detected malware. These two serious mistakes have been studied. Sunshine et al. 
studied the effective- hinderedthedetectionoftheleakageofmillionsofcredit ness of SSL warning [39]. Akhawe and Felt investigated card information. For large corporations, processing a the browser warnings including malware, phishing and large number of security alerts produced by protection SSL warnings [40]. Modic and Anderson proposed to systems is challenging, if possible at all. Many of these adopt social-psychological techniques to increase the alerts are usually false alarms, which seasoned security compliment for the warnings [41]. analystslearntosafelyignore.Inthissubsection,wefirst Ourthesisadvocatedinthispaperonwarningsdiffers discuss the design of FireEye alerts, and then explore from the existing security alert research. We consider new out-of-box design strategies to improve the effec- the security protection needs for large companies and tiveness of alerts. corporations that produce hundreds of alerts on daily basis.Inthesescenarios,thealertsystemsneedtohandle 5.2.1 FireEyeAlerts and differentiate warnings with a varying degrees of The raw data output from FireEye Threat Prevention urgency. PlatformisinXMLstructure.Fig.5showsaFireEyealert We argue that the design of alert systems needs to be of a piece of malware [38]. Basic information about the adaptiveandintelligent,beyondsimplysendingalistof 8 Fig.5. AFireEyealertinXML. alerts. Specifically, we propose two design strategies for quences can be used to bridge alerts, connecting security alerts: multiplealertsindifferenttypestoaplot.Ifthecol- • Adaptive warning strength. Existing security systems lectionalertsindicatepotentialgranderdatabreach, provide severity information along with each alert, then sever alerts should be raised. but there is no guarantee that important alerts are not ignored by administrators. 
  Thus, we propose two methods to strengthen the effectiveness of alerts:
  – Raise the severity level of an alert when it is not handled within a limited amount of time. The purpose is to force security analysts to take action on severe alerts. This method is not applicable to all alerts, especially the less severe ones. Otherwise, it would require the administrators to address all alerts in the end, which may not be practical.
  – Besides color, font size and length of the alert bar, the system can raise alerts in different forms, for example, popping up flashing messages for the most critical alerts, or emailing different levels of alerts to different groups of people. The multiform alarming method utilizes different ways to interact with different people. It also informs people who are not directly in charge of the issue, so that they can remind security analysts if issues are not solved for a long time.
• Mining and presenting connections among alerts. One drawback of existing detection solutions is the lack of ability to correlate alert events. Some alert events could belong to a single attack vector and happen in sequence. Sophisticated modern attacks are usually well planned and realized in steps. An alert may be triggered for each step, e.g., malware injected, file transmission. Connecting these alerts can reveal the grander scheme of the plot.
  One approach to connect alerts is to analyze the consequences of each malicious event. The consequences can be used to bridge alerts, connecting multiple alerts of different types into a plot. If the collected alerts indicate a potential larger data breach, then severe alerts should be raised.

5.3 Controlling Information Flow with Network Segmentation

Target failed to segment its sensitive assets from normal network portions, which allows an attacker to escalate the intrusion if he/she attacks from the inside. We explain the severity of this issue.

The most common strategies used in network architecture are techniques based on building a strong exterior, so that only those a system can trust can get inside. Because the only people inside are those who can be trusted, security on the internal network is either low or nonexistent. An example of this goes back to the Target breach. Once the attacker obtained the security credentials from Fazio Mechanical Services, they then had the ability to gain access into Target's network. From there they compromised three FTP servers and installed malware on many point-of-sale devices [7].

The security principle advocated in a zero trust network [16] is simply: don't trust anyone. This means all traffic is identified, authorized, and monitored. This makes all parts of the network secure regardless of location. In addition, virtual LANs cannot provide much security defense, because they cannot stop an intruder from gaining access to other portions of the network. The Target incident demonstrates that virtual LANs, especially when not configured properly, are ineffective against the criminals.

While the zero trust strategy protects from outsider attacks, it also protects against insider attacks because all traffic is monitored and analyzed. If a member of a network does something unusual, e.g., deletes several entries in a database that he or she usually does not access, the network administrators can detect the change in behavior. However, this strategy has a trade-off in usability, because monitoring all traffic requires enormous computing power, and it is not convenient for practical usage in large-scale networks.
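
The two alert-design strategies of Section 5.2.2, time-based escalation of unhandled alerts and bridging alerts into one plot through their consequences, as an added example that is not code from the paper or from FireEye. The alert kinds, the consequence table, the severity ladder and the sample alerts are all constructed; the real FireEye XML format is not modelled.

```python
from dataclasses import dataclass
# Constructed (not from the paper or FireEye): severity ladder, consequence table.
SEVERITY = ["minor", "major", "critical"]
CONSEQUENCES = {"malware_detected": {"new_process", "file_transfer"},
                "new_process": {"file_transfer", "outbound_connection"},
                "file_transfer": {"outbound_connection"}}

@dataclass
class Alert:
    alert_id: int
    host: str
    kind: str          # a key or value of CONSEQUENCES
    raised_at: float   # seconds; constructed timestamps in sample_alerts()
    severity: str = "minor"
    handled: bool = False

def escalate_unhandled(alerts, now, deadline):
    """Strategy 1: unhandled alerts older than `deadline` s go up one step (minor exempt)."""
    escalated = []
    for a in alerts:
        if (not a.handled and a.severity not in ("minor", SEVERITY[-1])
                and now - a.raised_at > deadline):
            a.severity = SEVERITY[SEVERITY.index(a.severity) + 1]
            escalated.append(a.alert_id)
    return escalated

def link_alerts(alerts, window):
    """Strategy 2: b joins a chain whose last alert a is on the same host,
    lists b.kind as a consequence and is at most `window` seconds older."""
    chains = []
    for b in sorted(alerts, key=lambda a: a.raised_at):
        for chain in chains:
            a = chain[-1]
            if (a.host == b.host and b.kind in CONSEQUENCES.get(a.kind, ())
                    and 0 <= b.raised_at - a.raised_at <= window):
                chain.append(b)
                break
        else:                      # no chain fits: b starts a new one
            chains.append([b])
    return chains

def raise_plot_alerts(alerts, window, min_steps=3):
    """A chain of >= min_steps alerts is one plot: escalate all its members."""
    plots = [c for c in link_alerts(alerts, window) if len(c) >= min_steps]
    for a in (a for c in plots for a in c):
        a.severity = SEVERITY[-1]
    return [[a.alert_id for a in c] for c in plots]

def sample_alerts():   # constructed: three stepwise alerts on pos-17, one stray
    return [Alert(1, "pos-17", "malware_detected", 1000.0, "major"),
            Alert(2, "pos-17", "new_process", 1300.0),
            Alert(3, "pos-17", "outbound_connection", 1900.0),
            Alert(4, "pos-42", "file_transfer", 1500.0)]
```

With the sample data, the three alerts on pos-17 link into one plot and are raised to critical, while the stray file transfer on pos-42 stays minor.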

6 CREDIT CARD SECURITY AND BEST PRACTICES FOR CUSTOMERS

Target and other breach incidents, e.g., Neiman Marcus, Sally's Beauty and PF Chang's, suggest that there is high risk in current credit card regulation and technology. In this section, we discuss the issues in credit card regulation as well as the advantages and problems of new technologies for securing credit card transactions.

6.1 Credit Card Administration and Regulation

Payment card security is self-regulated by the contract between the merchant and the card company. Major credit card companies require compliance with the Payment Card Industry Data Security Standard (PCI-DSS) [42]. The description of Target's security, such as weak passwords at the POS, would not seem to meet many of the standards, thus drawing attention to whether the private-contract self-regulation framework is effective.

6.2 EMV: Toward a More Secure Payment System

The EMV (Europay, MasterCard, and Visa) payment system is the major technology developed to address the security issues in credit cards [43]. The EMV system adds a tamper-resistant chip to a credit card. The chip stores confidential account information and provides on-chip cryptographic computations such as encryption and digital signing. The system works by authenticating through the chip and identifying the user by either a signature or a PIN; this is where the system gets its name of chip and PIN. The difference between the EMV system and the traditional magnetic stripe system is that the data on the card's chip is encrypted. Therefore it would be much more difficult for an attacker to commit fraud.

However, a flaw has been found in the design of the transaction protocol, which makes EMV ineffective. A no-PIN attack is the scenario where the criminal has the card but not the PIN. Murdoch et al. show that by using an electronic device between the card and the terminal, the terminal can be tricked into believing that the criminal has the correct PIN even though he doesn't [44].

Another vulnerability is found in point-of-sale terminals. A POS terminal in the EMV system is assumed tamper-resistant, meaning that no one can open the POS box and read/write to the internal circuits. Unfortunately, real EMV-equipped POS terminals can be tampered with, and authentication codes can be obtained and used at a later time on the same terminal to make additional transactions. Several criminals in Spain made use of this vulnerability as well as a vulnerability found in ATM random number generators. An ATM may generate predictable random numbers, which gives criminals temporary access to credit card spending if the number is guessed correctly.

Besides the two vulnerabilities, the most severe flaw in the EMV system is card-not-present fraud (such as when a purchase is made online), abbreviated as CNP fraud. CNP fraud now accounts for over fifty percent of fraud in the United Kingdom, where the EMV system is currently being used [45]. The EMV system is designed for securing card-present transactions, and it has nothing in place to prevent CNP fraud from occurring, which is why criminals are now using CNP fraud as their go-to choice in fraudulent purchases.

6.3 Tokenization and Best Practices for Customers

Tokenization is a payment technology that minimizes the credit card information handled by merchants during transactions. In this section, we describe the technology and explain why it helps protect personal account information. We give customers best practices to hide their credit card information when shopping.

With tokenization, a customer asks an acquirer to act between the customer and the merchant. The acquirer i) takes the customer's credit card information c, ii) generates a one-time token t for c (t is independent of c, so it reveals nothing about c), and iii) sends t to the merchant to process the transaction. t is bound to the merchant and can be nullified after the transaction.

There are two approaches to utilizing an acquirer. One is to pay through acquirer systems. Available systems include PayPal, Amazon Payments, Google Wallet and Apple Pay. For example, customer Alice wants to buy an item on the Amazon marketplace from seller Bob. Alice can pay through the Amazon payment system and Bob only receives a token to process the transaction. Google Wallet and Apple Pay extend the service from online shopping to in-store purchases. They also provide a contactless feature through near field communication (NFC), so that Alice does not need to swipe a card to authorize a purchase.

The second approach to utilizing an acquirer is to generate a one-time credit card number at acquirer banks. Bank of America and Citibank provide such a service, namely ShopSafe and virtual card number, respectively. PayPal used to have a similar service, and Discover terminated its virtual card service on March 16, 2014.
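
The three-step acquirer protocol of Section 6.3 (take c, issue a random one-time t bound to the merchant, nullify t after settlement), as an added example that is not code from the paper or from any real acquirer. The card number used is the well-known test value 4111111111111111, and the merchant ids, amounts and in-memory vault are constructed for the example.

```python
import secrets

class Acquirer:
    """Constructed model of the acquirer: the only party that holds card
    numbers. Merchants receive and store nothing but single-use tokens."""
    def __init__(self):
        self._vault = {}   # token -> {"card": c, "merchant": id, "spent": bool}
        self.charges = []  # (card, merchant, amount) settled against real cards
    def tokenize(self, card_number, merchant_id):
        # t is drawn at random, so it is independent of c: nothing about the
        # card can be recovered from t without the acquirer's vault.
        token = secrets.token_hex(16)
        self._vault[token] = {"card": card_number, "merchant": merchant_id,
                              "spent": False}
        return token

    def settle(self, token, merchant_id, amount):
        """Called by the merchant in step iii). Enforces that t is bound to one
        merchant and is nullified after a single transaction."""
        entry = self._vault.get(token)
        if entry is None:
            return "rejected: unknown token"
        if entry["merchant"] != merchant_id:
            return "rejected: token bound to another merchant"
        if entry["spent"]:
            return "rejected: token already used"
        entry["spent"] = True                      # nullify t
        self.charges.append((entry["card"], merchant_id, amount))
        return "approved"

class Merchant:
    """Keeps only what it receives, so a dump of its records exposes no card."""
    def __init__(self, merchant_id):
        self.merchant_id, self.records = merchant_id, []
    def checkout(self, acquirer, token, amount):
        result = acquirer.settle(token, self.merchant_id, amount)
        self.records.append((token, amount, result))
        return result

def run_purchase(card_number="4111111111111111", amount=42.50):
    """Worked exchange with constructed values: Alice pays Bob via the acquirer,
    then the same token is replayed by Bob and presented to a second merchant."""
    acq, bob, other = Acquirer(), Merchant("bob-store"), Merchant("other-store")
    t = acq.tokenize(card_number, bob.merchant_id)   # steps i) and ii)
    first = bob.checkout(acq, t, amount)              # step iii)
    replay = bob.checkout(acq, t, amount)
    misuse = other.checkout(acq, t, amount)
    leaked = any(card_number in str(r) for r in bob.records)
    return {"first": first, "replay": replay, "other_merchant": misuse,
            "card_in_merchant_records": leaked, "settled": len(acq.charges)}
```

Only the first checkout settles; the replay and the other merchant's attempt are refused, and Bob's records never contain c, which is what limits the damage of a merchant-side breach.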

7 CONCLUSION

There is no silver bullet in cyberspace against data breaches. With the increasing number of data leak incidents in recent years, it is important to analyze the weak points in our systems, techniques and legislation and to seek solutions to the issue. In this paper, we presented a comprehensive analysis of the Target data breach and related incidents, such as the TJX breach. We described several security guidelines to enhance security in merchants' systems. We presented the state-of-the-art credit card security techniques, and gave customers best practices to hide card information during purchase transactions.

ACKNOWLEDGMENTS

This work has been supported in part by NSF grant CAREER CNS-0953638 and ARO grant YIP W911NF-14-1-0535.

REFERENCES

[1] "ITRC breach report," http://www.idtheftcenter.org/images/breach/ITRC Breach Report 2014.pdf.
[2] I. Hoppe, "The Home Depot data breach: a map of affected ZIP codes in Alabama," September 2014.
[3] B. Krebs, "Sally Beauty confirms card data breach," March 2014.
[4] E. A. Harris, N. Perlroth, and N. Popper, "Neiman Marcus data breach worse than first said," January 2014.
[5] B. Krebs, "3 million customer credit, debit cards stolen in Michaels, Aaron Brothers breaches," April 2014.
[6] "Updated statement from Rick Federico CEO of P.F. Chang's," August 2014.
[7] B. Krebs, "A first look at the Target intrusion, malware," January 2014.
[8] M. Riley, "Fighting cyber threats with FireEye," May 2014.
[9] B. Krebs, "The Target breach, by the numbers," May 2014.
[10] M. J. Schwartz, "Target ignored data breach alarms," March 2014.
[11] ——, "Target breach: Phishing attack implicated," February 2014.
[12] M. Oh, "Hacking POS terminal for fun and non-profit," July 2014.
[13] K. Jarvis and J. Milletary, "Inside a targeted point-of-sale data breach," January 2014.
[14] B. Krebs, "Who's selling credit cards from Target?" December 2013.
[15] D. Chiacu, "Target missed many warning signs leading to breach: U.S. Senate report," March 2014.
[16] Forrester Research, "Developing a framework to improve critical infrastructure cybersecurity," NIST, April 2013, in Response to: RFI #130208119-3119-01.
[17] B. Krebs, "Email attack on vendor set up breach at Target," February 2013.
[18] "Target appoints new chief information officer, outlines updates on security enhancements," April 2014.
[19] A. Keren, "Cyber criminals 'TARGET' Point of Sale devices," January 2014.
[20] M. Oh, "An evolution of BlackPOS malware," January 2014.
[21] McAfee Labs, "EPOS data theft," McAfee Labs Threat Advisory, January 2014.
[22] B. Krebs, "New clues in the Target breach," January 2014.
[23] ——, "These guys battled BlackPOS at a retailer," February 2014.
[24] C. Shah, "VSkimmer botnet targets credit card payment terminals," McAfee blog center, March 2013.
[25] A. Raff, "Dexter – draining blood out of Point of Sales," seculert research lab, December 2012.
[26] IntelCrawler, "The teenager is the author of BlackPOS/Kaptoxa malware (Target), several other breaches may be revealed soon," January 2014.
[27] T. Kitten, "6 more retailers breached?" January 2014.
[28] FBI Cyber Division, "Recent cyber intrusion events directed toward retail firms," January 2014.
[29] C. Doyle, "Cybercrime: an overview of the federal computer fraud and abuse statute and related federal criminal laws," http://fas.org/sgp/crs/misc/97-1025.pdf.
[30] J. Vijayan, "TJX data breach: At 45.6m card numbers, it's the biggest ever," March 2007.
[31] K. Poulsen, "Feds charge 11 in breaches at TJ Maxx, OfficeMax, DSW, others," May 2008.
[32] "The indictment: The U.S. v. Albert Gonzalez, 08-CR-10223, case," August 2008, http://www.yalelawtech.org/wp-content/uploads/usvgonzalez.pdf.
[33] "United States district court district of Massachusetts government's sentencing memorandum," http://www.wired.com/images blogs/threatlevel/2010/03/gonzalez gov sent memo.pdf.
[34] K. Zetter, "TJX hacker gets 20 years in prison," March 2010.
[35] Microsoft Authenticode technology, http://msdn.microsoft.com/en-us/library/ie/ms537364.aspx.
[36] M. Riley, B. Elgin, D. Lawrence, and C. Matlack, "Missed alarms and 40 million stolen credit card numbers: How Target blew it," March 2014.
[37] J. Finkle and S. Heavey, "Target says it declined to act on early alert of cyber breach," March 2014.
[38] FireEye alert examples, https://github.com/warewolf/fireeye/blob/master/Alert Details example.com 20131025 181223.xml.
[39] J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F. Cranor, "Crying wolf: An empirical study of SSL warning effectiveness," in USENIX Security Symposium, 2009, pp. 399–416.
[40] D. Akhawe and A. P. Felt, "Alice in warningland: A large-scale field study of browser security warning effectiveness," in USENIX Security Symposium, 2013.
[41] D. Modic and R. J. Anderson, "Reading this may harm your computer: The psychology of malware warnings," 2014.
[42] Payment card industry payment application data security standard, https://www.pcisecuritystandards.org/documents/PA-DSS v3.pdf.
[43] R. Anderson and S. J. Murdoch, "EMV: why payment systems fail," Communications of the ACM, vol. 57, no. 6, pp. 24–28, 2014.
[44] S. J. Murdoch, S. Drimer, R. J. Anderson, and M. Bond, "Chip and PIN is broken," in 31st IEEE Symposium on Security and Privacy, S&P 2010, 16-19 May 2010, Berkeley/Oakland, California, USA, 2010, pp. 433–446.
[45] "Challenges & opportunities for merchant acquirers," 2012, Capgemini.
