Monday, August 25, 2014

BlackHat 2014 Part 1: Memory Scraping - That’s Gonna Leave a Mark

Over 8,000 security professionals and enthusiasts gathered in Las Vegas this month for a very successful BlackHat 2014 US Conference. Deemed one of the top security conferences of the year, it brought together researchers, federal agencies, security firms, critical infrastructure operators, foreign governments and just plain old hackers to discuss and demonstrate the threats we're all currently facing and the outlook for the cyber-security landscape.

You’re never more than a few steps away from a sign reminding you you’re at a security conference, and due to the “exploratory” nature of (some) of our fellow attendees, you're warned to keep your Wi-Fi & Bluetooth disabled and other communications devices off unless you really want to cause yourself some grief. Story after story about phones being wiped or hijacked could be heard walking down the hallways. Some people consider it fun, others are unsuspecting while others are simply gluttons for punishment. I wasn’t taking any chances, especially after seeing some of the demonstrations of what’s capable first hand. My devices were off. If you need to get a hold of me, grab a pen and a pad of paper!

Here a Breach, There a Breach...
We're all well aware of the weekly (sometimes daily) breach reports of payment card data, and there was no shortage of discussion of these topics at BlackHat. 2 million account numbers here, 80 million PANs there. How are thieves getting this data? How can we stop them? How do they keep coming back? Why is the sky blue? Slava Gomzin, Payments Technologist at HP and author of the book "Hacking Point of Sale", outlined these points in his session at the TripWire booth. PCI's Point to Point Encryption recommendations are intended to protect card holder data throughout the transaction. Technologies such as XYPRO's Data Protection (XDP), which provide Format Preserving Encryption (FPE) and Secure Stateless Tokenization (SST), go even further to secure that precious data while at rest.

Say Hello to Memory Scraping
These types of advancements naturally lead thieves to seek out new attack vectors and more creative methods of getting access to the data while it is in transit, at the specific points where it isn't encrypted.

Memory scraping, or RAM scraping, is, quite simply, an advanced form of skimming. Memory scraping involves installing malware on the retailer's POS system which then exfiltrates payment card data directly from system memory. Nearly undetectable, it sits quietly and siphons off card data in plain text as each card is swiped. Memory scraping is not new, and retailers aren't the only target. Multiple industries from healthcare to hospitality to food service and others have, at one point or another, been the target of these attacks, but retailers get the most press because of the sheer volume of card numbers and the value of the data.

What Do We Do?
We have to protect sensitive data, and XYPRO's top 10 list describes how this can be accomplished on the HP NonStop server, but what other attack vectors are thieves using to compromise POS systems? To answer this, we'll have to look at how the POS is connected to the rest of the network and how its access is managed. The United States Department of Homeland Security recently put out an advisory warning of the attack vectors used for installing memory scraping malware. Default or weak credentials for remote desktop or remote access software are the prime targets of attackers, as are vulnerabilities in software running on internet-exposed servers. Once the credentials for the remote connection are compromised, by these or other methods, attackers can install software, including memory scraping malware, on that system.

Overcompensating?
There are currently no reliable methods to detect memory scraping malware, so security and antivirus companies are quickly scrambling to come up with a solution. In the meantime we rely on the compensating controls outlined in the PCI-DSS requirements to protect the systems that hold any type of card data. These include using hardened credentials with two-factor authentication, using account lockout settings and firewall rules, limiting what the logged-on user can do, and changing the port that remote desktop listens on, among several others. These small but obviously powerful changes can and should significantly reduce the attack vectors these thieves can target.

Next time we’ll dig deeper into some of the other more popular BlackHat discussions including the vulnerabilities with USB devices, the OMA-DM protocol on mobile devices and Bruce Schneier’s review on the State of Incident Response.

Steve Tcherchian, CISSP
XYPRO Technology

Continuously Monitor Security Compliance: #2 on XYPRO’s Top 10 List of NonStop Security Fundamentals

Because high-availability and fault-tolerant systems need strong security

Alright, so let’s assume that you’ve followed the best practices described in items #3 to #10 of XYPRO’s Top 10 NonStop Security Fundamentals, as well as security recommendations from HP and other sources, and you’ve established strong security procedures for your HP NonStop system—how can you actually assess the strength of your security configuration and verify compliance with corporate policy, industry best practices and regulations, like PCI DSS or SOX? And equally important, how do you re-assess and maintain that strong security configuration over time as changes occur?

Those questions bring us to #2 on our Top 10 List:

#2: Continuously monitor security compliance

Defining a security policy and applying it to your system is essential to protecting your NonStop system and complying with government and commercial regulations. Of course, applying a security policy is not a one-time event. Managing system settings, access rules and security configurations is an on-going requirement that must account for new users, new objects, new rules or other system changes.

In a complex payments environment, for example, there may be thousands of security parameters that need to be measured, managed and reported to auditors. Manually monitoring and measuring security compliance is not really feasible: it is time-consuming, a resource hog and prone to human error. XYPRO recommends a systematic approach using NonStop-specific compliance monitoring software. There are a few 3rd-party vendor compliance solutions for the NonStop, including XYGATE Compliance PRO (XSW).

Whichever solution you choose, it should enable you to easily research the security on your HP NonStop server, report the information found, build policies that monitor the state of the security rules in your environment and compare your existing security against supplied PCI, SOX, HIPAA and standard best practice policy recommendations. Furthermore, the solution should allow you to analyze configuration data for security, audit and system management information in the current snapshot, compared over time or compared against a set of absolute rules. Of course, this compliance information is important to auditors (both internal and external) so the solution should have the ability to automate investigations and report generation for security and system configuration information.

An effective compliance monitoring program should include, at least, the following aspects:

• Monitor compliance with Corporate Security Policy and Standards.
• Systematically review security settings vs. NonStop best practices.
• Assess compliance with applicable government or industry regulations (e.g., PCI, SOX, HIPAA).
• Monitor security configuration changes.
• Enable security compliance alerting.
• Conduct periodic integrity checking of operating system and application object files to ensure that only authorized and tested versions are in use.
• Obtain file access maps for Safeguard, Guardian, and access management software, such as XYGATE Object Security (XOS) and XYGATE Access Control (XAC).
• Report compliance with key regulations (like PCI DSS, SOX or HIPAA) and your own information security policy.

A quick note on “Best Practices”: we’ve referenced them quite a bit in this article and throughout our Top 10 list, so what are NonStop best practices? NonStop best practices typically document the expected (i.e., recommended) value of a single characteristic of a single object. These best practices are positive system configuration parameters that can be measured and tested. For example, a best practice can consist of the following: “The Safeguard parameter NAME-LOGON must be set to YES”. While there are many sources of best practice information, a comprehensive resource for NonStop security information can be found in the books “Securing Your HP NonStop Server: A Practical Handbook” and “Securing HP NonStop Servers in an Open Systems World”.
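The rule-versus-snapshot model described above (a best practice as the expected value of one attribute of one object, compared against the current snapshot and across snapshots over time), as an added Python example that is not XYPRO's or XSW's code. The NAME-LOGON rule is taken from the article; the other parameter names, thresholds and snapshot values are constructed for illustration.

```python
# Added example, not XYPRO's or XSW's code: a miniature compliance check in the
# style the article describes. A policy is a list of best-practice rules (the
# expected value of one attribute of one object) and a snapshot is the observed
# configuration. NAME-LOGON comes from the article; the other parameter names and
# all values are constructed for illustration, not real Safeguard output.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    obj: str          # object the rule applies to
    attr: str         # the single characteristic being measured
    expected: object  # literal expected value, or a predicate over the value
    source: str       # policy or regulation that requires it

    def check(self, observed):
        if observed is None:      # attribute missing from the snapshot: fail
            return False
        if callable(self.expected):
            return bool(self.expected(observed))
        return observed == self.expected

def noncompliant(policy, snapshot):
    """Return (object, attribute, observed, source) for every rule that fails."""
    return [(r.obj, r.attr, snapshot.get(r.obj, {}).get(r.attr), r.source)
            for r in policy if not r.check(snapshot.get(r.obj, {}).get(r.attr))]

def drift(old, new):
    """Attributes whose value changed, appeared or disappeared between snapshots."""
    changes = []
    for obj in sorted(set(old) | set(new)):
        before, after = old.get(obj, {}), new.get(obj, {})
        for attr in sorted(set(before) | set(after)):
            if before.get(attr) != after.get(attr):
                changes.append((obj, attr, before.get(attr), after.get(attr)))
    return changes

POLICY = [
    Rule("SAFEGUARD", "NAME-LOGON", "YES", "NonStop best practice"),
    # constructed parameter names below; thresholds are illustrative
    Rule("SAFEGUARD", "PASSWORD-MINIMUM-LENGTH", lambda n: n >= 7, "PCI DSS"),
    Rule("SAFEGUARD", "AUTHENTICATE-MAXIMUM-ATTEMPTS", lambda n: 1 <= n <= 6, "PCI DSS"),
]
# constructed snapshots: last audit's baseline and today's configuration
BASELINE = {"SAFEGUARD": {"NAME-LOGON": "YES", "PASSWORD-MINIMUM-LENGTH": 8,
                          "AUTHENTICATE-MAXIMUM-ATTEMPTS": 3}}
TODAY = {"SAFEGUARD": {"NAME-LOGON": "NO", "PASSWORD-MINIMUM-LENGTH": 8}}

if __name__ == "__main__":
    print("noncompliant:", noncompliant(POLICY, TODAY))
    print("changed since baseline:", drift(BASELINE, TODAY))
```

A missing attribute is reported both as a failed rule and as a drift entry, which is the case a periodic check most needs to catch.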

So, that’s #2: Continuously monitor security compliance. Ensuring compliance is a critical aspect of any IT security program and compliance monitoring solutions provide the means to systematically measure, manage and report on a complex and dynamic NonStop security environment.

Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #1. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.

If you’d like additional information or help with NonStop security, please contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).