This presentation has three parts:
Part 1: The mechanics of the attack against Target, in which 40 million full POS transaction records were stolen
Part 2: The state of computer security with a focus on HP NonStop systems: the need for a new paradigm
Part 3: Recommendations to secure HP NonStop systems
How the Target Data Breach Occurred
1. DISCLAIMER:
This presentation reflects the opinions and
recommendations of the authors only and does not in
any way represent the views or endorsements of any
other parties.
HP NonStop is a trademark of Hewlett-Packard
Development Company, L.P. All other trademarks are the
property of their respective owners.
copyright (2014) comForte 21 1
2. To be able to look at this presentation offline and without
the speaker's audio, slide notes have been added to some
slides and are shown here, on the right.
4. In the first part of the presentation, we look at how
exactly the attack against Target was carried out, following
each of its multiple steps.
5. The URL shown is a rather detailed write-up of the
breach – including how the stolen credit card numbers
are monetized in the “carder underground”. Highly
recommended reading.
The diagram “how the hackers broke in” is also from the
article – we will now look at the steps in more detail.
6. This is the POS acquiring infrastructure at TARGET,
showing only the core systems required for the
processing of POS transactions.
The system on the right is an HP NonStop system; see
http://www.hp.com/go/nonstop for more information about the
computing platform. We use the term “NonStop system” in the
diagram for brevity.
If these were the only systems, the breach at TARGET
could not have happened in the same way.
7. This diagram shows more systems which are part of the
larger TARGET infrastructure: two internal servers are used to
process the “backoffice” data collected at the point-of-sale
systems. Also, an HVAC system (Heating, Ventilation, Air
conditioning) is remotely controlled by an external
consultant.
8. In the first step of the attack, the “bad guys” took over a
web site an employee of the HVAC company was
accessing. By doing so, they were able to obtain his
username and password for that – unrelated – web site.
Unfortunately, the employee used the same password to
access the TARGET network for remote HVAC
maintenance – and thus the attackers were inside the
TARGET network.
9. They then were able to ‘take over’ an internal server,
present at every TARGET store, with direct connectivity to the
POS systems, which run Microsoft Windows.
10. In the next step, they used the internal server to install
specifically crafted malware onto the Windows POS
system.
11. At this point in time, the malware installed on the POS
system was collecting the full data for each and every POS
transaction. It used a well-known technique called “memory
scraping” to access the data sent from the POS device
“through” the Windows POS system to the NonStop system
processing the POS data.
The final step now is to get the data out of the internal
TARGET network – and the attackers needed to be careful not to
raise an alarm by opening new connections (an outgoing FTP
connection to an unknown host on the Internet would almost
certainly have raised alarms immediately).
This final step is called “exfiltration”.
12. For exfiltration, the attackers were able to take over
another internal server which was already shown on an
earlier slide. That server was not in the “critical network
zone” and hence not monitored for outgoing data as
closely as each TARGET store itself.
13. In the final step, the attackers sent the data from the
POS Windows systems to the Internal server on the right
where they collected it for a while.
They then sent the data to a few servers on the Internet
and then downloaded the data to their own systems.
14. Let’s take a moment to think about the attack: It clearly
shows a lot of planning, patience and sophistication. It is
a sad fact that many cyber criminals are rather excellent
at their “job” and would probably be able to earn a living
as a skilled administrator or developer.
Unfortunately, cyber crime continues to be the path chosen by
many talented “black hat hackers”.
For more background on this type of attack, also called
“Advanced Persistent Threats”, please see the following
presentation on SlideShare:
http://www.slideshare.net/thomasburg/from-russia-with-love-modern-tools-used-in-cyber-attacks
15. As companies improve their defenses, attacks require more
and more steps to succeed. This is why “defense in depth” is
such an important concept – the defender only needs to
prevent a single step of the attack to thwart it. Here are a
few measures, each of which could have prevented the specific
attack carried out successfully against TARGET:
• Preventing distribution and installation of the malware
  onto the POS systems:
  • Better segmentation of the in-store network
  • Actually looking at the incident logs of the advanced
    attack detection tool (“FireEye”, see the Business Week
    article for details)
  • Setting FireEye to “block” rather than “alert”
• Using end-to-end encryption between the POS reading
  device and the acquiring system.
• Detecting and blocking the outbound traffic in which the
  confidential data was transferred to servers outside of
  Target's store network.
(It should be noted that these measures are by no means a
comprehensive security architecture; they are the few pieces
of a whole defense-in-depth strategy that would have made the
difference.)
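The third measure, detecting the outbound traffic, is the one that was available to Target but not acted on, so it is worth seeing what the check looks like in practice. The Go program below is an added example and not code from this presentation or from comForte: it parses constructed flow-log lines (the line format, the host addresses and the byte counts are all assumed for the example) and flags internal hosts that push more than a threshold to Internet destinations not on an allowlist of known partners such as the acquirer. It sums per source/destination pair over the whole window, so data that is staged on an internal server and sent out in several moderate chunks, as described on slides 12 and 13, still trips the alert.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Flow is one connection summary taken from a flow log:
// source host, destination host and bytes sent from source to destination.
type Flow struct {
	Src   string
	Dst   string
	Bytes int64
}

// Finding is an internal host that pushed at least the threshold to an
// external destination that is not on the allowlist of known partners.
type Finding struct {
	Src   string
	Dst   string
	Bytes int64
}

// internalNets are the RFC 1918 ranges; anything else counts as "the Internet".
var internalNets = func() []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}()

func isInternal(addr string) bool {
	ip := net.ParseIP(addr)
	if ip == nil {
		return false
	}
	for _, n := range internalNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ParseFlows reads lines of the constructed format "<time> <src> <dst> <bytes>"
// and skips lines that do not fit, as a collector would.
func ParseFlows(logText string) []Flow {
	var flows []Flow
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			continue
		}
		n, err := strconv.ParseInt(f[3], 10, 64)
		if err != nil || n < 0 {
			continue
		}
		flows = append(flows, Flow{Src: f[1], Dst: f[2], Bytes: n})
	}
	return flows
}

// DetectExfil sums bytes per (internal source, external destination) pair,
// ignores destinations on the allowlist, and reports pairs at or above the
// threshold. Summing matters: a staging server that sends the haul in chunks
// never shows a single large transfer.
func DetectExfil(flows []Flow, allow map[string]bool, threshold int64) []Finding {
	type pair struct{ src, dst string }
	totals := map[pair]int64{}
	for _, f := range flows {
		if !isInternal(f.Src) || isInternal(f.Dst) || allow[f.Dst] {
			continue
		}
		totals[pair{f.Src, f.Dst}] += f.Bytes
	}
	var out []Finding
	for p, b := range totals {
		if b >= threshold {
			out = append(out, Finding{Src: p.src, Dst: p.dst, Bytes: b})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Bytes > out[j].Bytes })
	return out
}

// SampleLog is constructed data: 10.1.50.7 plays the back-office staging
// server, 10.2.17.31 a store POS host, 192.0.2.10 the acquirer (allowlisted),
// and the 198.51.100.x / 203.0.113.x addresses unknown hosts on the Internet.
const SampleLog = `2014-01-10T02:11:03 10.1.50.7 198.51.100.20 52428800
2014-01-10T02:14:10 10.1.50.7 198.51.100.20 31457280
2014-01-10T02:20:41 10.1.50.7 203.0.113.5 4194304
2014-01-10T02:21:00 10.2.17.31 192.0.2.10 2048
2014-01-10T02:21:05 10.2.17.31 10.1.50.7 1048576
2014-01-10T02:30:00 10.1.50.7 10.1.50.8 8192
malformed line that the collector should ignore`

func main() {
	allow := map[string]bool{"192.0.2.10": true}
	for _, f := range DetectExfil(ParseFlows(SampleLog), allow, 10<<20) {
		fmt.Printf("ALERT %s -> %s sent %d bytes to an unknown external host\n", f.Src, f.Dst, f.Bytes)
	}
}
```

With a 10 MiB threshold the constructed log yields exactly one finding, the staging server's 80 MiB to 198.51.100.20; the 4 MiB to 203.0.113.5 stays under the threshold and the POS host's traffic to the acquirer is allowlisted. The allowlist is the piece that needs care in a real store network: it has to be short and reviewed, because every entry on it is a destination the check will never question.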
17. The author of this presentation has followed the
computer security industry and trends for over ten years.
The attack techniques used in the attack against TARGET
are over a decade old (!) – so from a technological
standpoint nothing has really changed.
What _has_ changed is that the attackers are stepping
up their game while the defenders do not.
In the next few slides, we will look at the state of
computer security on a specific computing platform,
namely the HP NonStop platform.
18. This is one of the key messages of this presentation – so
please pardon the non-subtlety of this slide…
There are hundreds of customers running the ACI BASE24
product world-wide, processing about 50 % of the world-wide
POS and ATM transactions (!). Many of these systems were
installed decades ago and quietly hum along in the data
center, never losing a transaction or going down. The fact
that the systems never go down is a key benefit of using the
BASE24 software on the HP NonStop platform in the first place.
However, the world has changed and, to the best of our
knowledge, many BASE24 installations are not protected as
well as they should be.
We do know for a fact that BASE24 does _not_ support
encryption of data at rest; therefore most BASE24
installations world-wide will _not_ be compliant with PCI-DSS
requirement 3.4.
The good news is that this can be addressed relatively
easily – compared to the cost of running a BASE24 system, the
cost of massively improving the security posture is rather
low.
19. This is the prior statement generalized to HP NonStop
systems in general, again drawing on our experience as a
vendor in the HP NonStop market place.
It should be pointed out that this is _not_ a weakness of the
platform at all; it rather is a weakness of either the
application or the way the platform is secured.
Any computing platform can be secured poorly or well, and the
HP NonStop platform is no different in that. In fact, the HP
NonStop platform has several unique strengths when it comes
to securing it.
20. To be honest, this is somewhat of a mystery to the author –
even after spending 10+ years focusing on IT security. Really.
So why are BASE24 or similar applications on HP NonStop
*NEVER* PROTECTED PROPERLY? Here are some suggestions:
- There is typically a large “Organizational Disconnect”
  between the CSO, CIO, CFO and CEO
- The attackers, on the other hand, are very well connected
  and organized
- Who owns security anyway? That is a difficult question in
  every organization: is it the platform owner? The
  application owner? The CSO? The CIO? The CEO?
- Penny pinching of IT costs
  - For banks, IT is typically 6 % of the global budget
  - IT is often seen as a cost factor (rather than as an
    asset) – where savings can be applied whenever the
    economy is bad
  - It should be noted that the BASE24 application is *very*
    profitable – but cost is saved anyway
21. About 20 years ago, users would connect to “big iron”
(mainframe-type computers) using dedicated terminals which
had no other functionality than to access the system.
Today, PCs are used to connect to HP NonStop systems and
administer them. The big problem with this is that many core
security principles are based on so-called “user
authentication” – making sure the NonStop knows which user
name is currently connecting.
Historically, there have been many means of using this
information for “Authorization” – namely deciding who can do
what (and who can NOT do what).
This has worked well over the years – but most attacks,
including the one on TARGET, show that attackers are able to
“0wn” (hacker lingo for “own”) any PC or midrange server in
the organization. An “0wned” PC is effectively
remote-controlled by the bad guys – and with that, user
authentication is broken and should not be relied on as
strongly as it has been so far.
This knowledge is widespread in the security community – but
unfortunately it is not that widespread in the non-security
realm.
22. As explained on the prior slide, you should not trust the
fact that no-one will be able to log on as SUPER.SUPER.
In fact, it is a good “thought experiment”
(http://en.wikipedia.org/wiki/Thought_experiment) to
assume that the attacker has penetrated your network
and is able to log on to your NonStop system as
SUPER.SUPER.
Only if your defenses are able to thwart or – at least –
detect an attack even under this somewhat bold assumption
should you consider your defenses to live up to best
practices.
Well-known security standards such as the PCI-DSS
standard do take this into account – in fact this is most
probably the reason why encryption of data at rest is
enforced.
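The two controls this presentation keeps returning to, end-to-end encryption from the reader (slide 15) and encryption of data at rest under the assumption that the attacker can log on as SUPER.SUPER (this slide), rest on the same property: whoever reads the buffer without the key sees nothing usable, whether the buffer is the Windows POS system's memory being scraped (slide 11) or a file on the NonStop disk. The Go program below is an added example, not comForte's, ACI's or HP's code. It uses AES-256-GCM from the Go standard library, a constructed test PAN, a key derived from a string purely to keep the example offline, and an assumed terminal identifier as associated data; it shows a reader sealing track data, a scan of the sealed buffer finding no PAN, the acquiring side recovering it, and a copy altered in transit or re-labelled with a different terminal being rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SamplePAN is a constructed test number, not a real card. It stands in for
// the track data a memory scraper on the POS host, or a privileged user
// reading a file at rest, is looking for.
const SamplePAN = "4111111111111111"

// DeriveKey turns a shared secret into a 32-byte AES-256 key. In a real
// deployment the reader key is injected by the vendor or an HSM and never
// derived from a string on the POS host; this is an assumption to keep the
// example self-contained.
func DeriveKey(secret string) []byte {
	k := sha256.Sum256([]byte(secret))
	return k[:]
}

// Seal is the reader side: it encrypts and authenticates the track data and
// binds it to terminal metadata (aad), so a capture cannot be presented as
// coming from another terminal. Output layout is nonce || ciphertext || tag.
func Seal(key, track, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, track, aad), nil
}

// Open is the acquiring side: only the holder of the key recovers the track
// data, and any modification on the way (or on a staging server) is rejected.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Exposed asks the defender's question of any buffer: POS host memory, a log,
// a spool file, a disk file readable by SUPER.SUPER. If the PAN appears in
// clear, scraping or reading that buffer yields the card.
func Exposed(buf []byte) bool {
	return bytes.Contains(buf, []byte(SamplePAN))
}

func main() {
	key := DeriveKey("constructed-shared-secret")
	track := []byte(SamplePAN + "=2512101") // constructed track-2 style data
	aad := []byte("terminal-0042")          // assumed terminal identifier

	sealed, err := Seal(key, track, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("PAN visible in clear track buffer:", Exposed(track))  // true
	fmt.Println("PAN visible in sealed buffer:     ", Exposed(sealed)) // false

	got, err := Open(key, sealed, aad)
	fmt.Println("acquirer recovers track:", err == nil && bytes.Equal(got, track)) // true

	// A flipped byte must not open; neither would the wrong key or terminal id.
	sealed[len(sealed)-1] ^= 0x01
	_, err = Open(key, sealed, aad)
	fmt.Println("tampered message rejected:", err != nil) // true
}
```

The same Seal/Open pair models data at rest: if BASE24's transaction log files held the output of Seal rather than the clear record, a SUPER.SUPER logon would let the attacker copy the files but not read the PANs in them, which is the outcome requirement 3.4 is after. The detail to get right operationally is that the key must live somewhere the privileged user of the NonStop cannot simply read, otherwise the assumption on this slide defeats the control.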
23. In this final section, we give some general
recommendations on how to properly secure an HP NonStop
system. We focus on the PCI-DSS standard.
24. In the comForte experience, the HP NonStop platform is
not always well understood by the auditors.
As mentioned earlier, the platform has unique strengths
– but also some unusual weaknesses (which are due to
mostly historic reasons).
25. A PCI project landing on the desk of the HP NonStop
platform owner can look like a daunting task and/or an
unpleasant surprise.
Rest assured that other platforms struggle just as much – as
in most projects, PCI will be about:
• Properly allocating budget (most large companies these
  days have a “PCI office”) and human resources
• Expectation management (mostly towards the auditor)
• Long-term planning – the auditors are coming at least
  yearly, so plan for the long haul
It is unlikely that you will get from 0 % compliance to
100 % compliance in a single year – we will talk about the
suggested order of things a bit later.
26. Another key principle on the journey to properly protect
your systems…
While there is most likely software to be procured and
installed, the software very often needs to be actively
monitored and configured going forward.
27. The PCI 2.0 standard has about 230 “line items”
(individual bullet points to comply with) and the 3.0
version will have more than 300.
The PCI council has published an Excel sheet attaching
priorities to the individual items – this was used for the
upcoming recommendation for the order of certain
tasks.
Another factor taken into account was how hard or easy a
measure is to implement.
28. This is a suggested order of doing things, which takes the
following into account:
• Ease of implementation
• Priority as per the PCI prioritized approach
• Budgetary constraints
29. Note: it is recommended to actually start with Phase 1
rather than trying to combine Phase 1 and Phase 2 into a
“big bang” scenario. Your PCI auditor wants to see
progress early.
30. The two presentations on SlideShare shown on the left can
be accessed via the following URLs:
http://www.slideshare.net/thomasburg/from-russia-with-love-modern-tools-used-in-cyber-attacks
http://www.slideshare.net/thomasburg/the-verizon-20122013-data-breach-investigations-report-lessons-learned-for-running-base24-securely
(This is the last slide in this presentation)