The Cellar  

Old 01-24-2009, 10:43 AM   #1
richlevy
King Of Wishful Thinking
 
Join Date: Jan 2001
Location: Philadelphia Suburbs
Posts: 6,669
Yawn.....Another multi-million dollar data breach

From here

Quote:
The revelation this week by Heartland Payment Systems, the sixth-largest payment processor in the U.S., that criminals had secretly installed spying software on its computer network could go down as one of the biggest data breaches on record.
Quote:
Heartland says it doesn't know yet how much data was stolen, since the malicious program was capturing data as it flowed across the network, and in that type of intrusion it's hard to figure out how much data was snatched in transit by the interlopers. But the potential damage could be very large because Heartland processes 100 million transactions a month, mostly for small to medium-sized businesses.

Sources tell CBS News that hackers cracked Heartland's computers as far back as May of last year. But it wasn't until last week, after being alerted to suspicious activity by Visa and MasterCard, that the company uncovered malicious software in its system.
I thought that the TJX/T.J. Maxx/Marshall's breach would be the worst ever, but it looks like I was wrong.

The TJX breach occurred with a WEP wireless crack.
Quote:
There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. That helped them hack into the central database of Marshalls' parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.
It will be interesting to see how Heartland was compromised since they obviously don't use cash registers and scanners.
__________________
Exercise your rights and remember your obligations - VOTE!
I have always believed that hope is that stubborn thing inside us that insists, despite all the evidence to the contrary, that something better awaits us so long as we have the courage to keep reaching, to keep working, to keep fighting. -- Barack Hussein Obama
Old 01-24-2009, 11:33 AM   #2
classicman
barely disguised asshole, keeper of all that is holy.
 
Join Date: Nov 2007
Posts: 23,401
Quote:
... hackers cracked Heartland's computers as far back as May of last year. But it wasn't until last week, after being alerted to suspicious activity by Visa and MasterCard, that the company uncovered malicious software in its system.
I'm no IT guy, but spyware anyone? It took over 18 months to recognize there was malicious software in their system? There should be a few openings very soon if any of you are looking for a job.
__________________
"like strapping a pillow on a bull in a china shop" Bullitt
Old 01-24-2009, 02:54 PM   #3
dar512
dar512 is now Pete Zicato
 
Join Date: May 2003
Location: Chicago suburb
Posts: 4,968
Quote:
Originally Posted by classicman View Post
I'm no IT guy, but spyware anyone?
These were likely mainframes or unix systems -- so finding black hats is a whole 'nother level of geekiness. Not to be found by a simple McAfee check.

But, yeah. You'd expect processors like this to have the right people and software on the job.
__________________
"Against stupidity the gods themselves contend in vain."
-- Friedrich Schiller
Old 01-24-2009, 03:52 PM   #4
classicman
barely disguised asshole, keeper of all that is holy.
 
Join Date: Nov 2007
Posts: 23,401
I was being facetious, but still it took over 18 months to find the problem. I may be naive here, but isn't that like at least 17 1/2 months too long?
__________________
"like strapping a pillow on a bull in a china shop" Bullitt

Last edited by classicman; 01-24-2009 at 04:04 PM. Reason: space - the final frontier
Old 01-24-2009, 03:59 PM   #5
dar512
dar512 is now Pete Zicato
 
Join Date: May 2003
Location: Chicago suburb
Posts: 4,968
Quote:
Originally Posted by classicman View Post
isn't that like at least 171/2 months too long?
Let's see, 171 divided by 2 equals 85.5. No, that's way too long. They should have found it in half a month at most.


(Just funnin ya)
__________________
"Against stupidity the gods themselves contend in vain."
-- Friedrich Schiller
Old 01-24-2009, 04:04 PM   #6
classicman
barely disguised asshole, keeper of all that is holy.
 
Join Date: Nov 2007
Posts: 23,401
Thanks dar.
__________________
"like strapping a pillow on a bull in a china shop" Bullitt
Old 01-24-2009, 04:39 PM   #7
wolf
lobber of scimitars
 
Join Date: Jul 2001
Location: Phila Burbs
Posts: 20,774
Definitely bad, but unless they release a list of who they clear cards for, I don't know if it's "ohshitohshitohshit" bad or "doesn'tdirectlyinvolveme" bad.

I still want to know which breach caused Citibank to replace all of their cards a couple of months back ... they refused to tell me where the breach occurred. I've been suspecting PayPal, since that was one of only two places where that particular card number was in use (the other was AOL, but who the heck gives a crap about AOL anymore ...)
__________________
wolf eht htiw og

"Conspiracies are the norm, not the exception." --G. Edward Griffin The Creature from Jekyll Island

High Priestess of the Church of the Whale Penis
Old 01-24-2009, 08:22 PM   #8
Beestie
-◊|≡·∙■·∙≡|◊-
 
Join Date: Feb 2003
Location: Parts unknown.
Posts: 4,081
WEP? It takes about 2 minutes to crack a WEP password.

We are all so screwed.
__________________
Old 01-24-2009, 08:38 PM   #9
xoxoxoBruce
The future is unwritten
 
Join Date: Oct 2002
Posts: 71,105
Quote:
Originally Posted by wolf View Post
I still want to know which breach caused citibank to replace all of their cards a couple of months back
They did?
__________________
The descent of man ~ Nixon, Friedman, Reagan, Trump.
Old 01-24-2009, 10:16 PM   #10
wolf
lobber of scimitars
 
Join Date: Jul 2001
Location: Phila Burbs
Posts: 20,774
Mine was replaced after the TJ Maxx thing. I'm not referring to that. There was a data breach that they admitted to, but even when I called to speak to the security division, they wouldn't reveal the source, so I figured it was pretty big. I think they may have replaced it twice within a short period of time, based on what shows on their website and active/past accounts.

I'm no longer using my Citibank card ... not because of this stuff, just part of my debt reduction strategy.
__________________
wolf eht htiw og

"Conspiracies are the norm, not the exception." --G. Edward Griffin The Creature from Jekyll Island

High Priestess of the Church of the Whale Penis
Old 01-24-2009, 10:18 PM   #11
xoxoxoBruce
The future is unwritten
 
Join Date: Oct 2002
Posts: 71,105
Mine hasn't been replaced.
__________________
The descent of man ~ Nixon, Friedman, Reagan, Trump.
Old 01-25-2009, 12:04 AM   #12
classicman
barely disguised asshole, keeper of all that is holy.
 
Join Date: Nov 2007
Posts: 23,401
I remember the TJ Maxx/Marshalls breach. I don't recall another one. Details update - anyone?
__________________
"like strapping a pillow on a bull in a china shop" Bullitt
Old 01-25-2009, 12:09 PM   #13
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
Hi, I do InfoSec for a living

Hello,

I can tell you that they wanted to bury this under the Obama-mania.

This is a big deal, and it is because EVERY major set of regulations mandates version checking and proper change management for critical systems.

In other words, PCI-DSS, HIPAA, and other regulations (specifically the DODi 8500.1 and DODi 8500.2 overarching IA ones for government systems, and the DNS, UNIX, and Active Directory STIGs for DOD systems) specify that:

1. Every piece of data coming into the network needs to be examined.
2. The integrity of the systems doing the processing needs to be checked using third-party tools such as Tripwire (7.5V works for Windows, Linux, and third-party platforms, and does send changes in real-time). This extends to systems that are in any way, shape, or form involved in processing of data, and many people do not understand that.
3. There needs to be multiple layers of protection at the host and network levels, using multiple layers of IDS/IPS systems, anti-virus (yes, these are available for Linux and UNIX), log analysis and correlation from multiple devices (again, if you cough up enough $$$ to IBM Global Services, Symantec, TriGeo, Quest or McAfee, they will provide you this), and the staff to handle this.
4. The staff to monitor and handle these logs, plus Job Rotation, is mandated by almost every major security best practice out there.
5. The fact that a third-party firm found this, rather than internal discovery, means that the internal staff which should have been checking this 24/7 didn't.
6. The fact that they didn't have a date as to when this was done shows that they weren't doing integrity checking on their critical systems.
7. The fact that they apparently aren't checking ports & protocols for incoming and outgoing traffic shows that they don't even know if the traffic is going to Russian Business Network or not. This is really bad! If you're in this business, you know who your partners are, and you only allow the ones you need to do business with inside. Even then, you check every damn packet going in or out, and the integrity of the systems themselves. There's a reason why every major critical system I am in charge of security of that has access to the outside world has IBM ISS, Tripwire, and a full Ports & Protocols workup for outgoing and incoming traffic done.
8. Don't even get me started on their apparent lack of ability to patch. Most of these breaches are caused by known public security holes that companies don't properly patch against, or assume that firewalls and NAT will protect against.
9. If the documentation for changes isn't there, they're dead. PCI-DSS mandates this too as part of the change management process.

If they processed Government payment cards in any way, shape, or form, it could be game over for them. GSA may see them for not following PCI-DSS regs, and put out a 2-sentence ruling that will kill their business.

I would not want to be Heartland Payment Systems now. I would want to be the competition or the third-party Audit Firm which will be brought in to remediate the situation (probably Deloitte).
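As an added illustration (not code from this thread, from Tripwire, or from any vendor mbpark names) of the integrity checking points 2 and 6 above describe: hash a baseline of critical files once, re-check them on a schedule, and stamp every finding with when it was first observed, so that a change can actually be dated instead of turning up months later with no timeline. The file paths are whatever the operator supplies; the sample files in the usage are constructed for the demonstration.

```python
"""Tripwire-style file-integrity baseline: hash critical files once, then
re-check them on a schedule and record when each change was first seen."""
import hashlib
import os
import time


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Snapshot hash, size and permission bits for every existing file."""
    snap = {}
    for p in paths:
        if os.path.isfile(p):
            st = os.stat(p)
            snap[p] = {"sha256": hash_file(p), "size": st.st_size,
                       "mode": oct(st.st_mode & 0o7777)}
    return snap


def diff_baselines(baseline, current, observed_at):
    """Pure comparison; each finding carries observed_at so the log answers
    'when did this first change?' rather than only 'did it change?'."""
    findings = []
    for p, rec in baseline.items():
        if p not in current:
            findings.append({"path": p, "change": "missing", "first_seen": observed_at})
        elif rec != current[p]:
            fields = sorted(k for k in rec if rec[k] != current[p][k])
            findings.append({"path": p, "change": "modified",
                             "fields": fields, "first_seen": observed_at})
    for p in current:
        if p not in baseline:
            findings.append({"path": p, "change": "added", "first_seen": observed_at})
    return findings


def check(baseline, paths, observed_at=None):
    """Re-hash paths now and report drift against the stored baseline."""
    observed_at = observed_at or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return diff_baselines(baseline, build_baseline(paths), observed_at)
```

Persist the baseline somewhere the monitored host cannot rewrite it, and run `check` from a scheduler; an empty list means no drift since the baseline was taken.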
Old 01-25-2009, 01:51 PM   #14
tw
Read? I only know how to write.
 
Join Date: Jan 2001
Posts: 11,933
Quote:
Originally Posted by classicman View Post
I remember the TJ Maxx/Marshalls breach. I don't recall another one. Details update - anyone?
A breach has occurred when they send you a new credit card with a new number; the old card has not yet expired. I assume everyone has seen this at least once. I have seen it multiple times AND have few credit cards.

Of course, the breach was rarely reported.

This can be done with credit card numbers. This is not routinely possible with social security numbers. Just another reason why we still have near zero identity protection.
Old 01-25-2009, 01:57 PM   #15
xoxoxoBruce
The future is unwritten
 
Join Date: Oct 2002
Posts: 71,105
Mitch, do you have a feeling for whether this Heartland fuck up was lazy IT people, or management cutting IT to the bone for the bottom line?
__________________
The descent of man ~ Nixon, Friedman, Reagan, Trump.