Wednesday, July 30, 2014

Target Data Breach Unveiled

How It was done. You will be surprised that all the tools used where known!

By Cesar Ortiz- Trojan.POSRAM Identified As the RAM Scraper in the KAPTOXA Operation That Infected Target Stores

Article first published 1/23/2014  as "Target Data Breach Unveiled: Technical Details Are Known" in Yahoo! Contributors/ABC News Network.

The US government in an effort to warn other point of sale merchants of the potential danger of  more attacks that will provide another wave of  "Target like" customer victims, have released an internal document where detailed insight of the methodology used by attackers of the Target data breach is revealed. The consulting firm iSIGHT Partners was one of the investigative contracted forensics experts. The US Department of Homeland Security released to merchants a joint Department of Homeland Security, USSS, FS-ISAC and iSIGHT report titled "KAPTOXA POS Report" where we get a look at an insight of the methods and tools used to hack Target. Hopefully, merchants will take notice and immediately take preventive measures.

The methodology used at Target was almost exactly as I predicted in our original exclusive December 26, 2013 “ The Target Stores Data Breach ” Yahoo! article, right after the hack. Journalist Brian Krebs was also right on target when he mentioned at that time that the hack might have been based on a known trojan virus called BlackPos that is readily detected by all anti-virus software. The updated modified version of BlackPos trojan used in the Target breach is named Trojan.POSRAM, this derivative is highly sophisticated in stealth features in order to hide to prevent detection. POSRAM is believed to have originated in Russia.

When we compile the information given by the report and the media, specially an article in the Wired publication named “The Malware that Duped Target Have Been Found”, we come close to figure out the order of events in the Target data breach. First, the merchant network system is infiltrated with the malware, possibly remotely, exploiting an opening in the system or by executing a simple human engineering exploit. The malware is a data scrapping tool that takes data from the memory of the point of sale terminal (POS) or what we know as the cash register. This tool will reside in the system and will store the stolen data inside the merchant’s servers. The tool will monitor the data in the files named “pos.exe" and "PosW32.exe”; these files contain the memory space that includes magnetic strip data of your bank card. In the Target's breach event it remained still for six days. That inactivity period is excellent to prevent detection.

The residing malware in the merchant creates a connection to an out of the premises server that receives and transmits data to the victim server. The outside server, can be located anywhere, in the world, and, queries the victim server at specific time intervals. This one was located in Russia. Some of the malicious scripts used have references in Russian language. If the local merchant time is for example between 10 AM and 5 PM, as it is used in the old BlackPos tool, then the data is deposited in an a  temporary NetBIOS share “host” folder created by the malware. This share folder is then accessed using file transfer protocol (FTP). Many more complex technical details have been found by the media in just a few hours after the release of the KAPTOXA POS Report. All the details follow the same pattern; surprisingly, modified known exploits where used at all times.

 KAPTOXA is the name given by investigators to the specific operation methodology and compilation of hacking tools in the Target data breach. Nothing in the KAPTOXA operation is out of the ordinary. Probably the other tools used in the hack are already known in the trade. It is not that the criminals used super sophisticated malware, it is the way and the timing they where used. The fact that known hacking tools where used will open the doors to a wave of lawsuits that will claim that the merchants could have prevented the hack; this is one of the reason that the government has taken the unprecedented steps of releasing some of the facts and data about the crime before even finishing the investigation. Merchants should verify their systems immediately. Victimized stores should consider making public their breach ASAP. The more time the notifications to affected customers passes by, the higher the lawsuit figures will be and more damage to the customer is made.

Two individuals from Mexico were arrested in McAllen, Texas with ninety six fraudulent bank cards in their possession. The suspects had used bank cards with account information matching the Target stolen cards of South Texas residents. After the shopping spree, the suspects left for Mexico. They entered the US again possibly, for another shopping spree. They where detained upon arrival. This event confirms that the stolen data is sold in the illicit market by regions. Criminals are maximizing the use of the stolen data by being very creative. Regardless of Target's downplay efforts to minimize the impact, a customer can be a victim of identity theft with the specific data stolen at Target.

The Target Stores Data Breach Update

A Provocative View of the Event From an Industry Outsider

By Cesar Ortiz - (Article originally published on Yahoo! Contributors/ABC News). Many legal, commercial and social questions regarding the Target data breach will come to see the light after all the dust is settled. The answer to the technical side of one of the biggest security breaches in the United States history is as complex as these other questions. The breach, which was first reported Wednesday by Brian Krebs, a security blogger, began the day after Thanksgiving.The giant merchant said Thursday that about 40 million credit and debit card accounts may have been compromised in U.S. stores between Nov. 27 and Dec. 15, 2013. Included in the hack are Target's own credit and debit REDcards. One interesting note is that cards used for purchases made in the company web site were not affected.

Target advises at their web site in a page named; "Notice: unauthorized access to payment card data in U.S. stores" that "we began investigating the incident as soon as we learned of it. We have determined that the information involved in this incident included customer name, credit or debit card number, and the card's expiration date and CVV (the three-digit security code) ". This is what Target said originally. In reality, there are several "CVV's" and the one with the printed numbers on the card is called CVV2.

The industry regulates the use of credit cards by following several guidelines and standards. Everyone must follow the standards in order to maintain systems compliance. One standard is the PCI Data Security Standard Council (PCI DSS) that deals with security and operational payments handling methodology and the ISO/IEC standard 7811, which is used by banks. ISO/IEC 7811 specifies the hardware and methodology used to handle the transaction and specifies that the bank cards must have a magnetic stripe on the back of a credit/debit card, often called a "magstripe". This magnetic stripe must have three tracks. Your credit card normally uses only tracks one and two. Track three is a read/write track, which includes an encrypted PIN, country code, currency units and amount authorized, Use of track three is not mandatory and its contents is optional. The PIN is encrypted in a data base. It is never in clear text in the magnetic stripe. The Target stolen personal identifier information and financial data was taken from the magnetic strips read out.

The Card Verification Value CVV2 (a three or four digit) number is not included in the magnetic stripe because it will defeat its main purpose, that is, to validate the card manually when using on line, phone purchases and high value transactions. We know that some merchants in North America require the code at the POS to protect the customer by making sure the card is legitimate since it can be a fraudulent card made from information from some stolen data base that does not include the CVV2.

This is a professional well studied attack that must had taken many weeks of planning and careful design to the point that it started one day before the Black Friday major sale event. Breaking encrypted data is a very hard process that requires massive computing facilities and resources. By design, in all retail stores, all data flowing outside of the merchant's stores should be encrypted heavily and it is handled by an independent payment processor facility, a communications carrier(s) and marketing analysis facilities. The possibility of a remote access job to a weak point in the systems is very high.

According to NBC News, Target Spokeswoman, Molly Snyder, released a written statement on Friday that downplayed the initial impact from the event and advised that "To date, we are hearing very few reports of actual fraud, but are closely monitoring the situation,". "the stolen information was limited to data stored on the magnetic strip", "The hackers did not obtain PIN numbers used to access ATM's or the three or four digit that are printed on cards to verify online purchases", Snyder said. The fact is that reports of fraudulent usage of Target stolen cards sold in the Internet are showing up all over the nation, and in the world. JP Morgan Chase & Co is not downplaying the attack. On Saturday 12/21/2013 the bank sent an email to 2 million Chase debit card holders who used the Chase card at Target during the breach period limiting the bank debit card usage and will issue new debit cards, a costly measure. Chase also posted a notice in the bank web page.

If we take into account all the personal identifiers parameters that Target says was compromised, we must conclude that we have three possible alternatives where the hack took place (1) the Point of Sale Module (POS) card scanner (2) in a central card processor system at the merchant and (3) when it arrives at the authorization system processor for approval.

We are ruling out a job at the outside (external) payment processor because they all provide very secure modules, they will not accept unencrypted input from their merchants, that's their business after all, and they service many other merchants. This hack was to Target only. What probably most likely happen, is that the hackers were able to intercept, remotely, using malware scripts, the swipes of cards from the Target hardware card reader devices to the POS modules or from the credit cards in house gateways, specially if it was unencrypted (clear text) or poorly encrypted and the thieves had gotten the encryption key somewhere in the system, the later had happened before to other principals in other hacks. This is a very serious criminal monumental detrimental event, for the banking industry and the business society as a whole, taking into account that it was done to all the stores in the United States and possibly affecting in some way or another 40 million credit card holders, all at the same date time frame, nationwide.

In the original statement , Target's Molly Snyder said the breach had compromised the "CVV". Target has retracted now. Now they claim it was not compromised. Investigators are looking overseas for possible perpetrators. Stolen credit cards are showing up all over the world and many in the United States. Regardless of the downplay efforts by public relations people, this is a serious threat. If you used any debit/credit card at a Target store in the United States during the breach date time frame, including cards issued by non U.S. banks, don't take the matter lightly, act immediately and contact your bank first and then contact Target.

Comment by Cesar Ortiz, 7/30/2014: Looks it was right on the money when I categorized the Target Stores Data Breach as a “very serious criminal monumental detrimental event” in my article in Yahoo! above. Now, several weeks later after my article was published, we are finding out that the customer names, mailing address, phone numbers and email addresses were also compromised and that the impacted customers figure is now 70 million. Now more than ever contact your bank if you used any payment method other than cash at target during the date time frame and if you did, beware of postal letters, emails, phone calls  and IM’s, even if they don’t mention Target.
How to Protect Your Identity from PlayStation Network Hackers

 By Cesar Ortiz- (Article first published on Yahoo! Contributors/ABC News) This article still applies because hackers wait a long time to act, sometimes years, giving users time to forget to take measures against the original hack on April 27, 2011, As Sony finally broke the silence on why its PlayStation Network had been down for a week, new questions arise regarding the potential damage to the 70 million users. The illegal, unauthorized intrusion compromised members' real name, complete address, birth date, email, Network ID, password, user handle and security question/answer. All the personal, identifiable data previously mentioned has been breached and, as a matter of fact, confirmed by Sony. Sony warns that, at this time, the credit card names, billing addresses, card numbers and the expiration dates may have also been breached, but the company does not know that information presently.

The Sony PlayStation Network had been in several previous hacker-related incidents, none as serious as this one. Some facts come to light; the site was down for a week without anyone being told that it had been hacked and personal data had been compromised. This gave Sony and forensic criminal investigators time to research, detect and perhaps apprehend the criminal(s), but at the same time left member identities in a compromised mode for a week, and, worse, without the users' knowledge. It all now depends on what the hacker(s) has done with the stolen data.

Sony itself, in a blog post, warns users to prepare for a worst-case scenario. That's the same thing I advise my readers. If you are or know someone who is a member of the PlayStation Network, even if you have not used your account but provided the credit information, we recommend that you take the following steps immediately:

(1) If you are using the same PlayStation Network password and security question/answer at other websites or offline places, including banking outlets, change it.
(2) Be extremely careful when opening emails and clicking links in emails, Facebook or Twitter messages related to this breach; they may be a malicious scam.
(3) Monitor your bank account regularly
(4) If in the United States, consider using one of the free alert services provided by Expedia, Trans Union or Equifax. See the Sony blog post for phone numbers and email addresses.
Cybercriminals wait a reasonable amount of time before they begin to scam the victims using stolen personal information. That period of time may tend to make potential victims forget about the event.

Don't expect lots of online purchases, purchases by phone and scam emails to flow immediately. When the time comes, those who did not change their passwords, monitor their bank accounts and stay alert to email scams will be the victims.