Thursday, January 29, 2009

Heartland Sniffer in Unallocated Portion of Disk

The Heartland Payment Systems data breach was facilitated by sniffer malware that hid in an unallocated portion of a server’s disk, reports Evan Schuman in StorefrontBacktalk. The malware, which was ultimately detected through a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts were triggered at both Visa and MasterCard, according to Heartland CFO Robert Baldwin.

"A significant portion of the sophistication of the attack was in the cloaking," Baldwin said.

Hiding files in unallocated disk space is a fairly well-known tactic, but it requires a high level of access as well as the skill to manipulate the operating system. The relatively careless leaving of temp files on the server, however, could suggest a less-skilled cyberthief who simply obtained some very powerful tools.

Consultants interviewed by Schuman agreed that this type of attack would require extensive access and the ability to trick the machine into believing the thief has very significant user privileges. But it wouldn’t necessarily require modification of the OS directly. "They could have done it two ways. You can modify the OS or you can install a modified device driver."

Another consultant said the ability to write directly to specific disk sectors is frightening. "Somehow, these guys went directly to the base level of the machine (to an area) that was not part of the file table for the disk," he said. "Somehow, they got around the operating system. That’s a scary mother in and of itself."
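The consultants describe data living in clusters the file table does not claim. The check below is an added example, not code from the article or from Heartland's investigators: it walks the clusters a (constructed) allocation map leaves unused and flags any that are not wiped to zero, which is the defender's counterpart to the hiding tactic. The image, cluster size and allocation map are all constructed for the demo.

```python
"""Flag unallocated clusters of a raw disk image that still hold data.

Added example, not from the article. The disk image, the cluster size and
the allocation map are constructed for the demo; on a real case the map
would come from the file system's allocation structures.
"""
from typing import Iterable, List, Tuple

CLUSTER = 512  # constructed cluster size for the demo image


def unallocated_clusters(total: int, allocated: Iterable[Tuple[int, int]]) -> List[int]:
    """Return cluster indices not covered by any allocated (start, end) range; end is exclusive."""
    used = set()
    for start, end in allocated:
        used.update(range(start, end))
    return [c for c in range(total) if c not in used]


def find_hidden_data(image: bytes, allocated, cluster: int = CLUSTER) -> List[Tuple[int, str]]:
    """Return (cluster index, printable preview) for unallocated clusters that are not all zeros."""
    total = len(image) // cluster
    hits = []
    for c in unallocated_clusters(total, allocated):
        chunk = image[c * cluster:(c + 1) * cluster]
        if any(chunk):  # a wiped cluster is all zero bytes; anything else deserves a look
            printable = bytes(b for b in chunk if 32 <= b < 127)
            hits.append((c, printable[:40].decode("ascii")))
    return hits


def build_demo_image() -> Tuple[bytes, List[Tuple[int, int]]]:
    """Constructed 8-cluster image: clusters 0-3 allocated, a payload hidden in cluster 6."""
    img = bytearray(8 * CLUSTER)
    img[0:CLUSTER] = b"boot".ljust(CLUSTER, b"\x00")
    img[1 * CLUSTER:4 * CLUSTER] = b"file data".ljust(3 * CLUSTER, b"A")
    img[6 * CLUSTER:7 * CLUSTER] = b"hidden sniffer payload (constructed)".ljust(CLUSTER, b"\x00")
    return bytes(img), [(0, 4)]


if __name__ == "__main__":
    image, alloc = build_demo_image()
    for cluster_index, preview in find_hidden_data(image, alloc):
        print(f"unallocated cluster {cluster_index} holds data: {preview!r}")
```

Non-zero content in unallocated space is only a lead: deleted-but-not-wiped files look the same, so each hit still needs to be carved and identified.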

Heartland announced Tuesday that it will be creating a new department that will be "dedicated exclusively to the development of end-to-end encryption."

"PCI is a good and effective standard, but the bad guys have become more sophisticated to the point where encryption of data in motion appears to be one of the next required steps. There is no single silver bullet that will secure payment systems, and constant vigilance and monitoring of the infrastructure will always be required," Heartland CEO Robert Carr said in a statement. "Nevertheless, I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed."

End-to-end encryption is not a new approach. However, in today’s payment networks the card brands insist on dealing with card data in an unencrypted state, forcing transmission to be done over secure connections rather than the lower-cost Internet. This avoids forcing the card brands to have to decrypt the data when it arrives. As we've noted before, no matter how rigorous PCI standards are, if the banks and card issuers themselves don't impose similarly rigorous standards for themselves, they will prove to be the weakest link.

Wednesday, January 28, 2009

Mail Delivery Only Five Days a Week?

Massive deficits could force the post office to cut out one day of mail delivery, the postmaster general told Congress on Wednesday, in asking lawmakers to lift the requirement that the agency deliver mail six days a week.

If the change happens, that doesn't necessarily mean an end to Saturday mail delivery. Previous post office studies have looked at the possibility of skipping some other day when mail flow is light, such as Tuesday.

Faced with dwindling mail volume and rising costs, the post office was $2.8 billion in the red last year, reports CNBC.

"If current trends continue, we could experience a net loss of $6 billion or more this fiscal year," Potter said in testimony for a Senate Homeland Security and Governmental Affairs subcommittee.

Total mail volume was 202 billion items last year, over 9 billion less than the year before, the largest single volume drop in history.

And, despite annual rate increases, Potter said 2009 could be the first year since 1946 that the actual amount of money collected by the post office declines.

CDS Global Offers White Paper

CDS Global, a full-service outsourcing service bureau, has announced its latest white paper, "The Advantages of Outsourcing and Co-sourcing in 2009," examining the benefits of teaming with a well-qualified partner to "improve efficiencies, gain thought leadership, and reduce the financial burden of keeping up with technology and staffing needs."

Click HERE for a copy of the White Paper

Saturday, January 24, 2009

More on Heartland Data Breach

According to Evan Schuman of StorefrontBacktalk, citing someone close to the investigation, the Secret Service has identified a suspect in the Heartland data breach case whose location is "somewhere outside North America," and the matter has been turned over to the U.S. Justice Department.

Heartland first learned of the breach in late October/early November, according to Heartland spokesman Jason Maloni, and by then the sniffer application had already been deactivated, presumably by the cyber thieves who had planted it. Whether it had been fully terminated or was merely dormant, programmed to awaken at some future point, is not yet known. It is possible the thieves shut off the sniffer to make it more difficult for investigators to discover their location.

Maloni also confirmed that Heartland had been certified as PCI compliant in April 2008.

Heartland’s CEO, Robert O. Carr, issued a statement Friday, reports Schuman, that his company is faring well despite the announcement of the breach. Heartland has "added more than 400 merchants to its client base in the past few days, exceeding results for the same period from last year," Carr said. "Despite the headwinds of the economy and attacks by some of our competitors, we have installed new merchants, new payroll clients and new check management clients since our disclosure of the breach on Tuesday morning." These new clients were presumably already signed up before the disclosure.

Carr also called for more openness regarding cyber assaults. "I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks," Carr said. "Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week."

Does this mean that there are significant numbers of other data breaches that have thus far gone unreported?

Thursday, January 22, 2009

NY Sales Tax Law Hits Amazon, Overstock

As reported in Multichannel Merchant, Amazon and Overstock have lost the first round of their lawsuits challenging the new tax law allowing the state of New York to collect sales taxes from Web retailers with no physical presence in the state. has already announced it will appeal the decision handed down last Tuesday by New York state supreme court Justice Eileen Bransten, who dismissed the suit in its entirety "for failure to state a cause of action."

The law, signed into effect by New York Gov. David Paterson last April, requires out-of-state online retailers to collect state and local sales taxes when they make sales to New York state residents. New York is the first state to impose such a law. It is expected that some or all of the 44 other states with sales tax will eventually pass similar laws.

We've covered this a few times before, most recently last May.

Wednesday, January 21, 2009

Retail Pro (Island Pacific) in Chapter 11

Retail Pro (formerly Island Pacific), vendor of retail solutions for some of the country's largest retailers, and its wholly owned subsidiaries, Page Digital, IP Retail Technologies International, and Sabica Ventures, entered into Chapter 11 bankruptcy on Jan. 10, reports Multichannel Merchant magazine.

Retail Pro has been hit over the past several years by declining sales and dwindling annual maintenance renewals. In addition, last September the Securities and Exchange Commission filed securities fraud charges against the company and two of its former CEOs, as well as a former chief financial officer, for their alleged roles in an accounting fraud scheme designed to inflate Island Pacific's revenues.

Some of its customers have taken on further development and maintenance of the product internally or through the use of third-party vendors -- some of which are former Retail Pro software designers and developers.

Whether Retail Pro will be able to regroup under the protection of Chapter 11, and whether investors or another company will acquire it, remains to be seen, says the magazine.

Payment Processor's System Breached

Heartland Payment Systems has disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants, reports USAToday.

Robert Baldwin, Heartland's president and CFO, said in a USAToday interview that the intruders had access to Heartland's system for a month or more in late 2008. The number of victims is unknown. "We just don't have the information right now," Baldwin said.

Tech security experts said the breach could set a record. Retail giant TJX lost 94 million customer records to hackers in 2007. With more than 100 million transactions per month, they could discover that several months' worth of transactions were captured, says Michael Maloof, chief technology officer at TriGeo Network Security.

Heartland processes card payments for restaurants, retailers and other merchants. It discovered the hack last week after Visa and MasterCard notified it of suspicious transactions stemming from accounts linked to its systems. Investigators then found the data-stealing program planted by the thieves.

"Our discussions with the Secret Service and Department of Justice give us a pretty good indication that this is part of a group that appears to have done security breaches at other financial institutions," said Baldwin. "This is a very sophisticated attack." Once it sorts out the matter, Heartland plans to notify each victim whose data were stolen to comply with data-loss disclosure laws in more than 30 states, Baldwin said.

[In my discussions with vendors regarding PA-DSS regulations, which I will be covering at length here soon, there is a consensus that the payment processors and banks themselves are more at risk than the merchants are....]

Friday, January 16, 2009

25 Most Dangerous Programming Errors

Security experts from Microsoft, Symantec and a host of other organizations including the NSA have compiled a list of the Top 25 Most Dangerous Programming Errors. The list shifts the focus of IT security discussions from the results of programming vulnerabilities to the programming process itself.

“The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology,” said Tony Sager of the National Security Agency, in a statement. “There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause.”

The list separates the errors into three categories: insecure interaction between components, risky resource management and porous defenses. The errors themselves range from improper input validation to hard-coding passwords, and can lead to issues such as cross-site scripting and SQL injection attacks.

Two other common errors included on the list are improper encoding or escaping of output and the use of broken or risky cryptographic algorithms.

The impact of all these errors is wide ranging. According to the SANS Institute, just two of the errors led to more than 1.5 million Web site security breaches last year.

Paying attention to these problems earlier on allows people to focus on improving software development practices, tools and requirements earlier in the development lifecycle where it is more cost-effective, Sager added.

When knowledge of the most common problems becomes pervasive, buyers will exert more pressure on software vendors to certify the code they are delivering is free from these errors. The certification, the authors contend, puts responsibility for the errors – and any damage they cause – in the hands of the software vendor. While this would likely cause some inevitable clashes between development teams, marketing and sales, it would also ensure vendors take more time vetting their products.

Manhattan Order Management Integrates with WebSphere

Manhattan Associates, Inc. has announced that its Distributed Order Management (DOM) solution will feature certified integration with WebSphere Commerce from IBM. DOM, part of Manhattan's Order Lifecycle Management suite within the Manhattan SCOPE™ portfolio, enables customers to fill orders from multiple inventory channels and provide packaged capabilities for buying products online with pickup in stores, shipping online orders from stores and orchestrating vendor-drop shipments.

This certified integration between WebSphere Commerce and DOM provides retailers with a complete stack of cross-channel solutions: Commerce for cross-channel marketing and selling and DOM for order fulfillment from an extended supply network, including distribution centers, stores and drop-ship vendors.

"Solutions like Manhattan's DOM are the future for cross-channel order management, especially given the certified integration with a leading eCommerce solution like WebSphere Commerce," said John Morrow, chief information officer for David's Bridal. "This technology allows us to have complete order and inventory visibility along with better communication with our customers in every selling channel. As you'd expect, having absolute certainty over ability to deliver by our customers' wedding day is core to the David's Bridal culture, and Manhattan DOM gives us the tools we need to make this happen."

Thursday, January 15, 2009

Amazon Offers Public Data Sets

David Linthicum of Intelligent Enterprise reports the following --

It was bound to happen sooner or later -- Amazon is now in the live data business with the recent launch of Public Data Sets on AWS (Amazon Web Services). In short:

"Public Data Sets on AWS provides a centralized repository of public data sets that can be seamlessly integrated into AWS cloud-based applications. AWS is hosting the public data sets at no charge for the community, and like all AWS services, users pay only for the compute and storage they use for their own applications. An initial list of data sets is already available, and more will be added soon."

In essence, most data out there in the public domain, including information provided by the government, is now available, for free, from Amazon. This is clearly the company's entrance, with other data sets to appear shortly. Perhaps there will be address validation, mapping, and other information that can be delivered through Web APIs to mashups, portals, ecommerce sites, or even traditional enterprise applications. The idea is that you can access information you could find on the Web visually, as an API, for machine-to-machine integration.

This is nothing new, by the way; there have been a number of startups that have been providing information-as-a-service through Web APIs (typically Web services) for some time now, including much of the information that AWS is looking to provide with this initial offering. However, they have been charging for that information while Amazon [is not] when it's for use within their own cloud. You can count on Amazon offering these services, perhaps for a fee, to those who want access to the systems outside of their cloud.

AWS is not, however, offering high-value services of the kind offered by D&B or credit check services. They will have to charge for those, since those source providers do not give that information away. The end game for Amazon will be to offer as much useful information as it can get its hands on, thus increasing the value of the cloud services and APIs.

This is a different game for Amazon. It's more than providing infrastructure-as-a-service, such as databases and application processing clouds, but they are not maintaining the underlying data (that's a different type of business to be in, trust me). However, it could be more lucrative for the company in the long run, and among the larger players, Amazon is the first to broker this type of information as-a-service. You can count on Google, and perhaps Microsoft, to follow up with such offerings. My bet is that Google will be second out of the gate, since they are already API-rich.