Interview with Andrew Komarov
Andrew Komarov is the CEO of security US security startup IntelCrawler. In March of 2013 he identified a variant of the malware used in the Target attack.
Q: Please describe the malware used in the Target data breach.
Komarov : The malware used to steal over a hundred million credit and debit cards from Target was a dump-memory-scrapper called Reedum. It is a variant of BlackPOS that I identified in March of 2013 when employed by another forensics company. The code is not very complex and there are other variants, such as Kartoxa. BlackPOS was reported at that time to Symantec and FireEye, at their request, and Dell Secureworks.
Q: Could Target have detected the Reedum malware and defended against it?
Komarov: It is difficult to detect malware like this because the bad actors that use it employ coding techniques that obfuscate them. Nevertheless, good Microsoft Windows system administration and security practices would protect against dump-memory-scrapper malware. Limiting remote access, controlling user account privileges that limit the software that can be run on the Windows based POS device, what resources a program can use, limiting the other devices to which a program can communicate and a good perimeter defense against intrusions, are some of the precautions that should be implemented. All of this is described quite well in the Payment Card Industry Data Security Standard (PCI DSS.)
Q: How did the perpetrators of the Target data breach steal the credit card data?
Komarov: The dump-memory-scrappers are all pretty simple - scanning the RAM and extracting strings of dumps after they are processed through the POS device to a remote PC using FTP and more recently HTTP.
Q: What did the perpetrators of the Target data breach get?
Komarov: But the card readers connected to the POS device encrypt the credit/debit cards and pins before sending it to the POS device, so the perpetrator of the Target data breach got away with encrypted data and still needs to decipher the data to make it useful.
In conclusion, if in fact the credit card data was nearly irreversibly encrypted using 3DES, Target still had to disclose the data breach to be in compliance with consumer data privacy laws. Whether the encryption between the card reader and the POS register was a weak link or a potent defense isn't known. Target doesn't have to disclose this or other technical details, and it may never. It is certain, though, that retailers are looking carefully at the link between card readers and POS devices and tightening up perimeters and policies. And PCI security auditors are now on the lookout for a new threat.
Source: Network World
Sign up for CIO Asia eNewsletters.