eIQcast Episode 19: BUSTED! Great Heartland Hacker Goes Down
August 18, 2009
Not a good day to be busted!
This past Monday the U.S. Justice Department charged 28 year-old Albert Gonzalez with a series of crimes that resulted in the theft of more than 130 million credit and debit card numbers from late 2006 to early 2008.
The indictment places blame for several high-profile data theft incidents on a small group of individuals who found holes in websites used to transfer the credit card data. Basically, these folks have to be the best hackers out there if they were behind every high profile data breach of the past two years.
In the latest episode of eIQcast, Security and Compliance Evangelist John Linkous reviews the charges, talks about how retailers and consumers can protect themselves, and notes how the crime was carried out by exploiting a well-known (and extremely easy to replicate) web site security weakness.
Running time: 13:30
Direct Link: http://eiqcast.podOmatic.com/entry/2009-08-18T14_31_20-07_00
Don’t be like Dick and check out eIQ’s video at logdataisnotenough.com
PCI is just the beginning…
August 13, 2009
It’s not surprising that many of the folks I talk to continue to focus on PCI-DSS. They handle credit card data, so they have to. What is surprising is the amount of institutional apathy to going beyond the guidance of the regulation, and this doesn’t just apply to PCI, but also to all the other regulations and frameworks. Most of these organizations continue to look for a band-aid. They want to be “compliant” and be done with it. They come up to our stand at a show or call on the phone and want to know how they can make their assessor happy and get back to their business.
Even worse, you have some organizations that won’t accept responsibility when something does go wrong. I won’t rehash the discussion here, but Heartland’s CEO Bob Carr stepped on the security industries toes in this interview with CSO by trying to throw his QSA under the bus. That didn’t really sit well with me, so I posted a response (BTW the response is my opinion and my not reflect the views of eIQ – how’s that for a disclaimer?)
Regardless of whether someone is looking to check the box or make the auditor go away, they are delusional. You see, PCI is only the beginning of the process. Hats off to the PCI Security Standards Council that have proscribed a set of practices that will improve security. Any organization in compliance with PCI is in decent shape, but they are far from done.
Let me make sure I’m absolutely clear, COMPLIANCE DOES NOT EQUAL SECURITY. If you have any misconceptions that it does, get up to the white board and write it about a zillion times. Compliance is a lowest common denominator, by definition. A rubber stamp is not going to keep you secure.
The regulations are also moving targets, which is a good thing. As new attacks emerge, they will keep moving the bar for PCI compliance. The updated version (1.2) hit last October, and subsequently there was additional guidance on securing applications and wireless in-store networks. Yet the fact remains, PCI is looking backwards and responding to the issues, but about 2-3 years behind.
For example, PCI 1.2 specifies that retailers can no longer use WEP to protect wireless networks. A few retailers learned that lesson the hard way. But the industry has known WEP has been broken for years.
Let me repeat this again, if you are serious about security, any regulation should be a lowest common denominator to base your security program on. That being said, we all need to spend a lot of time documenting what we do and preparing reports for the auditors. This is tremendously resource intensive and something that can and should be automated.
But that’s another topic for another day. Let’s stay focused on the reality that the technical controls to meet a compliance mandate is a subset of what you need to do to actually protect your organization.
Byline on RSI: PCI is not enough
February 3, 2009
Ah, the Heartland breach continues to generate opportunities for us to get on the soapbox and talk about PCI compliance vs. security. The latest to appear is at Retail Info Systems News. Here is a little snippet (so I can make Anton a bit more crazy today).
“The message coming from the Heartland Payment Systems Breach is loud and clear. It’s reinforcement of what seemed to be evident from the Hannaford Bros. breach last year. PCI is not enough. Merchants have been relying on PCI as a crutch. Comply with the 12 requirements and credit card data is secure.
Of course, anyone that has been in the security business for a while knows the folly of thinking that any set of requirements and controls will truly create security. Throughout my 20 years in the industry, that just hasn’t been the case. Attackers are good and getting better. They are launching innovative attacks and rendering our defenses moot.
To be clear, there is value in the 12 requirements set forth by the PCI Security Standards Council. The PCI-DSS does a good job of laying the foundation for security, but just like you don’t live just on a foundation and expect to stay warm and dry in the winter, you can’t just rely on your security foundation for protection.”
You can check out the entire piece on the RIS site.
eIQcast Episode 5: Heartland and PCI
January 23, 2009
PCI = FAIL
This week’s episode is focused on the Heartland data breach and it’s eventual impact on PCI. Mike Rothman, eIQ’s SVP of Strategy, is interviewed by Ross Levanto and discusses some of the specifics behind the breach and reinforces the message that log data alone is not going to catch these new attacks. More importantly, Mike talks about some of the changes that are needed with the PCI standard, given that two “PCI compliant” organizations have had high profile data breaches.
Running time: 10:57
Direct Link: http://eiqcast.podomatic.com/player/web/2009-01-23T05_35_33-08_00
Photo credit: “Fail (19/08/07 137)” originally uploaded by The Happy Robot
Heartland Proves that Log Data is NOT Enough
January 22, 2009
The tech press is all aflutter with news of a new, high profile and potentially large data breach at Heartland Payment Systems. You can check out coverage on InformationWeek, ComputerWorld, SearchSecurity, Security Fix and probably another 50 other books.
So what do we know? We know that Heartland WAS PCI compliant. At least that is their story. They passed their assessment back in April. Not sure how many more times folks have to learn the hard way that compliance DOES NOT equal security. As with the Hannaford Brothers breach last year, this is yet another data point that PCI is a good start, but by no means sufficient to ensure the safety of credit card data.
In terms of the attack, it’s also very similar to Hannaford. The network was breached via the firewall and then a number of servers were compromised on the internal payment network. The attackers loaded up sniffers (where Hannaford’s seemed to be based on key loggers) to snoop the payment traffic on the network. But the concept of the attack was the same.
PCI compliance is no defense against this kind of attack. At least how the PCI-DSS is written now. Logging data (requirement 10) is not going to catch this attack because the firewall was breached (which means the traffic was allowed) and the malware (key logger or sniffer) was installed on a set of devices.
The fact that Heartland was compromised is not the real point. The issue is how to make sure this doesn’t happen again. And not to you. Based on what we know of the attack, there were a number of points where the attack could have been detected.
Of course, since we are in the business of security and compliance management, I’ll feel free to illustrate the importance of looking at a broader data set than just syslog by discussing how SecureVue would have alerted to this attack in NUMEROUS ways.
- The malware was installed on a number of devices, which means the configuration was changed in some way shape or form. SecureVue tracks configuration data and report on changes that don’t adhere to the baseline policy.
- Key loggers and sniffers are very resource intensive, so the compromised devices would have displayed significant performance anomalies. SecureVue monitors performance characteristics of the devices, so the administrators would have been alerted to these issues.
- The malware was some kind of executable, and SecureVue’s asset management capabilities track executables on managed devices, so the attack would have caught that way as well.
- Finally, the attackers can’t monetize the stolen credit card data until they send the data outside of the network for mining, so our network flow analysis would have alerted us to the fact that a strange traffic flow was being sent from those devices to a site outside of the network.
Clearly LOG DATA IS NOT ENOUGH, especially since these folks were PCI compliant (or so it seems). It goes back to my ages old mantra that compliance DOES NOT equal security. Traditional SIEM and Log management products do not look at this broad array of data and thus cannot detect this specific attack. If you are not monitoring configuration, asset, performance, and flow data in addition to logs, you are exposed. I
To be clear, there is no guarantee any of these different data types alone would have pinpointed the attack. But if you combine all of these TOGETHER, and correlate across all of these different data types it’s clear that SecureVue would have detected something that needed to be investigated and in many cases, help a savvy administrator prioritize the areas to investigate.
Unfortunately, this won’t be the last time we hear of a successful attack on PCI compliant organizations. Leading organizations won’t wait until they are compromised to put in place a broader and more effective monitoring environment.
