Thursday, January 29, 2009

Heartland Sniffer in Unallocated Portion of Disk

The Heartland Payment Systems data breach was facilitated by sniffer malware that hid in an unallocated portion of a server’s disk, reports Evan Schuman in StorefrontBacktalk. The malware, which was ultimately detected through a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts were triggered at both Visa and MasterCard, according to Heartland CFO Robert Baldwin.

"A significant portion of the sophistication of the attack was in the cloaking," Baldwin said.

Hiding files in unallocated disk space is a fairly well-known tactic, but it requires a high level of access as well as the skill to manipulate the operating system. On the other hand, the relatively careless leaving of temp files on the server could suggest a less-skilled cyberthief who simply obtained some very powerful tools.

Consultants interviewed by Schuman agreed that this type of attack would require extensive access and the ability to trick the machine into believing the thief has very significant user privileges. But it wouldn’t necessarily require modification of the OS directly. "They could have done it two ways. You can modify the OS or you can install a modified device driver."

Another consultant said the ability to write directly to specific disk sectors is frightening. "Somehow, these guys went directly to the base level of the machine (to an area) that was not part of the file table for the disk," he said. "Somehow, they got around the operating system. That’s a scary mother in and of itself."
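The detection side of this, as an added example that is not from the article or from Heartland's investigators: once a forensic tool (for instance The Sleuth Kit's blkls) has handed you the blocks the file system does not consider allocated, the question is which of them actually hold data, and whether that data looks like deleted-file residue or like a dense, packed payload. The disk image and allocation map below are constructed in-line for the demonstration; a real run would read them from an image and its file-system metadata.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 512


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~0 for mostly-zero blocks, close to 8 for packed/encrypted data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_sample_image():
    """Constructed 8-block 'disk image' plus an allocation map (True = in use)."""
    blocks = [bytes(BLOCK_SIZE) for _ in range(8)]
    allocated = [True, True, False, False, False, True, False, False]
    blocks[0] = b"boot sector".ljust(BLOCK_SIZE, b"\x00")
    blocks[1] = b"normal file contents".ljust(BLOCK_SIZE, b"\x00")
    # Block 3: unallocated, holds the remnant of a deleted text file (benign residue).
    blocks[3] = b"old log line: transaction ok".ljust(BLOCK_SIZE, b"\x00")
    # Block 6: unallocated, filled with dense pseudo-random bytes, the shape a
    # packed or encrypted payload parked outside the file table would have.
    rng = random.Random(1)  # fixed seed so the constructed data is reproducible
    blocks[6] = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
    return b"".join(blocks), allocated


def scan_unallocated(image: bytes, allocated, block_size: int = BLOCK_SIZE):
    """Return (block_index, nonzero_bytes, entropy) for each unallocated block holding data.

    Low entropy with a few non-zero bytes is typical of deleted-file slack; a
    near-8.0 entropy block is worth pulling for closer inspection.
    """
    findings = []
    for i, is_alloc in enumerate(allocated):
        if is_alloc:
            continue
        blk = image[i * block_size:(i + 1) * block_size]
        nonzero = sum(1 for b in blk if b)
        if nonzero:
            findings.append((i, nonzero, round(shannon_entropy(blk), 2)))
    return findings


if __name__ == "__main__":
    img, amap = build_sample_image()
    for idx, nz, ent in scan_unallocated(img, amap):
        print(f"block {idx}: {nz} non-zero bytes, entropy {ent}")
```

The entropy column is what separates ordinary deleted-file residue, which the comment on this post rightly says is common in unallocated space, from a block that deserves a closer look.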

Heartland announced Tuesday that it will be creating a new department that will be "dedicated exclusively to the development of end-to-end encryption."

"PCI is a good and effective standard, but the bad guys have become more sophisticated to the point where encryption of data in motion appears to be one of the next required steps. There is no single silver bullet that will secure payment systems, and constant vigilance and monitoring of the infrastructure will always be required," Heartland CEO Robert Carr said in a statement. "Nevertheless, I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed."

End-to-end encryption is not a new approach. However, in today’s payment networks the card brands insist on dealing with card data in an unencrypted state, forcing transmission to be done over secure connections rather than the lower-cost Internet. This avoids forcing the card brands to have to decrypt the data when it arrives. As we've noted before, no matter how rigorous PCI standards are, if the banks and card issuers themselves don't impose similarly rigorous standards for themselves, they will prove to be the weakest link.

1 comment:

Ernie Schell said...

Comments at StorefrontBacktalk point out that files in unallocated portions of the server could have ended up there because they were deleted from elsewhere on the server. They could be normal artifacts, rather than evidence of super-clever stealth....
