Mike Patterson speaks out
POS theft detection is difficult


Kennebunk, ME:   Wed, 2/26/14 - 11:59pm    View comments

Update: 3/5/2014 - 7:26pm

"Exploring what Cisco Security Solutions are most effective at defending PoS."

Network World: Breach! Defending Point of Sale Networks and Systems

Point of sale (POS) thefts from major retail organizations have cyber threat detection vendors working overtime to improve detection of these thefts. They are particularly damaging: beyond the direct fraud, they hurt the retailer's reputation by creating fear among its customer base.

How POS thefts infiltrate

POS thefts are a form of targeted attack. The assailant observes the cashier's register and, by paying attention to the way the interface behaves, can determine the operating system behind the buttons being pushed on the screen. If it is running a Microsoft Windows operating system, it could be an ideal target.

The next step would be to take notes on the name tags of the managers within the store.

Then the theft mastermind can search for these store managers on social networking sites such as LinkedIn and Facebook.

After trying to socially connect with these store managers or by simply guessing at their email addresses, a phishing attack is often one of the preferred methods for trying to gain an initial foothold inside the retailer.

The reason many phishing attacks can be so effective is that "persistence pays." The targeted store managers may not click on the first ten emails, but they have not yet received all 100 from different senders disguised as someone they know. Eventually a store manager will be caught off guard and click.

Once the malware is inside, it could be making an encrypted connection right through the firewall and out to a host on the Internet for further instructions. If the end user of the infected host has the right permissions, the malware might be able to make connections to servers holding sensitive information. In the case of a POS attack, the goal is to find the server with the addresses of all the registers. If it can be harvested, the malware can then attempt to move laterally and infect the point of sale systems.

POS theft tools

Once the POS device is infected, it may download a compressed file containing an executable that performs memory scraping. On Windows operating systems a regular expression (REGEX) search of process memory for card-number patterns is often utilized.

A Visa data security alert posted in April of 2013 states:

"Since January 2013, Visa has seen an increase in network intrusions involving grocery merchants. Once inside a merchant's network, hackers install memory parsing malware on Windows-based cash register systems or back of house (BOH) servers to extract full magnetic-stripe data.

"The malware is configured to 'hook' into certain payment application binaries. These binaries are responsible for processing authorization data, which includes full magnetic-stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or BOH server and stores the authorization data in random access memory (RAM). The data must be decrypted for the authorization to be completed, so hackers are accessing full track data when it is stored in RAM and using malware such as memory parsers to steal it."

How POS thieves sell credit card numbers

POS thieves sell stolen credit cards via the Internet:

[Image: POS thieves sell stolen credit cards via the Internet. Source: Mike Patterson]

How to defend against POS attacks

Antivirus software installed on POS systems usually provides little protection from the malware that scrapes the memory of these systems. This is because the malware has been compiled to be unique to the target and has never been seen by signature-matching firewalls and antivirus software, however up to date their signatures are.

According to Visa, one of the best ways to avoid POS infiltrations is to:

"Implement hardware-based point-to-point encryption. Visa recommends EMV-enabled PIN-entry devices or other credit-only accepting devices that have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website."

POS infection traffic patterns

As the infected POS terminals harvest credit card numbers, small batches of numbers are compressed and uploaded to a host on the Internet. The reason for the small quantities at a time is presumably part of their effort to stay incognito. The goal of most advanced threats once they get in is to move laterally and camp out forever. They want to establish a form of foothold.

The traffic created by some POS infections is often compressed, encrypted and sent over typical TCP/UDP ports.

The uploads to the Internet can be made during regular business hours by a host that has no trouble making connections right past even the latest next-generation firewall, because the connections look like ordinary outbound HTTPS.

How to discover POS infections

Since antivirus solutions are usually ineffective at uncovering POS infections, some admins believe that evidence of malice can be uncovered if the system logs are regularly reviewed.

However, Visa also stated:

"Hackers are also using anti-forensic techniques such as tampering with or deleting security event logs, using strong encryption or modifying security applications (e.g., whitelist malware files) to avoid detection."

To uncover POS malware, it helps to monitor all systems that make up the POS traffic patterns. It should be noted how the applications used to process new orders communicate with the main servers.

Characteristics to be mindful of include:

  • How large and frequent are the traffic patterns?
  • What ports do they use, and are the connections encrypted?
  • How does a busy season like Christmas or Valentine's Day impact traffic?

Armed with the above notes, or better still a saved historical behavior baseline recorded before the malware arrived, we can begin to sleuth for signs that are indicative of some type of contagion. One of the best technologies to use when monitoring network communication behaviors is NetFlow or the IETF standard IPFIX.
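The baseline comparison described above, worked through as an added example (this is not Plixer's, Cisco's or the author's code). It assumes flow records have already been reduced to (day, src_ip, dst_ip, dst_port, bytes_out) tuples, that 10.0.0.0/8 is the store's internal address space, and that 203.0.113.5 is the legitimate payment processor; all three are assumptions, and the flow data is constructed. A week of clean flows becomes a per-host baseline (mean and standard deviation of daily egress, plus the set of Internet destinations each host talks to); today's flows are then checked for egress volume outside the baseline or for a destination the host has never contacted before.

```python
"""Baseline-vs-today egress check over NetFlow-style records.

Added example (not Plixer, Cisco or the author's code). Assumes flows are
already reduced to (day, src_ip, dst_ip, dst_port, bytes_out) tuples and that
10.0.0.0/8 is the store's internal address space (both are assumptions).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def egress_profile(flows):
    """Per internal host: daily bytes sent to Internet hosts, and the set of
    external destinations it talked to."""
    volume = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for day, src, dst, _dst_port, bytes_out in flows:
        if is_internal(src) and not is_internal(dst):
            volume[src][day] += bytes_out
            dests[src].add(dst)
    return volume, dests


def build_baseline(clean_flows):
    """Summarise a malware-free period: mean and population stdev of daily
    egress plus the known external destinations, per host."""
    volume, dests = egress_profile(clean_flows)
    return {
        host: {"mean": mean(days.values()),
               "stdev": pstdev(days.values()),
               "destinations": dests[host]}
        for host, days in volume.items()
    }


def find_deviations(baseline, todays_flows, k=3.0):
    """Flag hosts whose egress exceeds mean + k*stdev, that contact a
    destination never seen in the baseline, or that are absent from it."""
    findings = {}
    volume, dests = egress_profile(todays_flows)
    for host, days in volume.items():
        total = sum(days.values())
        base = baseline.get(host)
        if base is None:
            findings[host] = {"egress_bytes": total, "threshold": None,
                              "new_destinations": sorted(dests[host]),
                              "reason": "host not present in baseline"}
            continue
        threshold = base["mean"] + k * base["stdev"]
        new_dests = sorted(dests[host] - base["destinations"])
        if total > threshold or new_dests:
            findings[host] = {"egress_bytes": total, "threshold": threshold,
                              "new_destinations": new_dests,
                              "reason": ("egress above baseline" if total > threshold
                                         else "new external destination")}
    return findings


# Constructed sample data: two registers talking to an assumed payment
# processor (203.0.113.5) over TLS for a week, then one of them also starts
# uploading to an unknown host (198.51.100.7) on day 8.
PROCESSOR = "203.0.113.5"
BASELINE_FLOWS = [
    (f"2014-02-0{d}", "10.1.1.10", PROCESSOR, 443, b)
    for d, b in zip(range(1, 8), [1800, 2200, 2000, 1900, 2100, 2000, 2000])
] + [
    (f"2014-02-0{d}", "10.1.1.11", PROCESSOR, 443, 2100) for d in range(1, 8)
]
TODAY_FLOWS = [
    ("2014-02-08", "10.1.1.10", PROCESSOR, 443, 2000),
    ("2014-02-08", "10.1.1.10", "198.51.100.7", 443, 9000),  # new, upload-heavy
    ("2014-02-08", "10.1.1.11", PROCESSOR, 443, 2100),
    ("2014-02-08", "10.1.1.11", "10.1.1.1", 445, 50000),     # internal, ignored
]

BASELINE = build_baseline(BASELINE_FLOWS)
FINDINGS = find_deviations(BASELINE, TODAY_FLOWS)

if __name__ == "__main__":
    for host, finding in FINDINGS.items():
        print(host, finding)
```

Register 10.1.1.10 is reported twice over: its 11000 bytes of egress is far above the roughly 2359-byte threshold the baseline week yields, and it contacted a destination absent from the baseline. Register 10.1.1.11 stays quiet because its large transfer was to an internal host. Using the population standard deviation means a host whose traffic never varies gets a tight threshold, which is the right behaviour for a register that only ever talks to the processor; a seasonal baseline (the Christmas point in the list above) would simply be a second baseline built from the matching period last year.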

Levi Gundert - Cisco threat research, analysis and communications (TRAC):

"We really like NetFlow.... from a storage perspective, it's a little bit more scalable for your devices to offload it into a database for collection and analysis vs. a full packet capture.

"It's also very good for sort of profiling general activities on the network. If you can do one-to-one sampling of NetFlow, meaning you are capturing the header metadata of every packet traversing the network device, then you are really going to have some very useful insight into what is happening on your network."

Cisco POS threat detection

Although there is no one solution acting as a panacea for uncovering all types of POS attacks, NetFlow should be part of your Cisco cyber threat solution.

Here are some example behaviors to monitor on machines with access to POS data:

  1. Are there any strange DNS requests for domains that meet certain criteria?
  2. Host reputation: are the machines communicating with known Internet bots?
  3. Are there any occasional Internet connections where the POS host does not receive a response, and how often does it occur?
  4. On encrypted connections to Internet hosts, is the upload greater than the download byte volume? What is the pattern?

Even with lots of events matching the above behaviors, a certain number of false positives is expected. This is why it is smart to build a Threat Index (TI) for all internal hosts.

Threat index by violator

The TI shown below is a moving value:

[Image: Threat index by violator. Source: Mike Patterson]

The idea behind the Threat Index is that each host's value rises every time the host participates in a suspicious behavior. Depending on the type of behavior (e.g. scanning the network), an event may increase the index by a higher value than others (e.g. receiving an ICMP redirect). If the Threat Index of a host hits a threshold, a notification can be triggered.

Keep in mind that the Threat Index is a moving value because individual events age out over time. For this reason, an IP address must reach the Threat Index threshold within a configurable window of, say, 14 days: the same events that increased the value are also aging out, so the index can fall as well as rise.
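The behaviors listed under "Cisco POS threat detection" and the aging Threat Index described in the two paragraphs above, combined into one added example (this is not Plixer's, Cisco's or the author's code). The event weights, the 14-day window, the 100-point threshold, the bot list, the flow tuple layout (timestamp, src, dst, dst_port, bytes_out, bytes_in, packets_in) and the use of 10/8 as the internal network are all assumptions made for the illustration, and the flow records are constructed. Behaviors 2, 3 and 4 from the list are derived from the flow records; an ICMP redirect reported by another sensor is added as an event directly; the index for a host is then the sum of the weights of its events that still fall inside the window at the moment of evaluation.

```python
"""Behaviour events from flow records, rolled into a per-host Threat Index
with aging. Added example (not Plixer, Cisco or the author's code). Event
weights, the 14-day window, the 100-point threshold, the bot list and the
flow tuple layout (ts, src, dst, dst_port, bytes_out, bytes_in, packets_in)
are all assumptions for this illustration."""
from datetime import datetime, timedelta

WEIGHTS = {                          # assumed weights: more serious = higher
    "network_scan": 50,
    "known_bot_contact": 40,
    "encrypted_upload_heavy": 20,    # TLS session that sent more than it received
    "unanswered_internet_connection": 10,
    "icmp_redirect_received": 5,
}
WINDOW = timedelta(days=14)          # events older than this no longer count
THRESHOLD = 100                      # notify when a host's index reaches this


def is_internet(ip: str) -> bool:
    return not ip.startswith("10.")  # assumption: 10/8 is the internal network


def events_from_flows(flows, bot_list):
    """Turn flow records into (timestamp, host, event_kind) tuples for the
    behaviours that can be read straight off NetFlow/IPFIX fields."""
    events = []
    for ts, src, dst, dst_port, bytes_out, bytes_in, packets_in in flows:
        if not is_internet(dst):
            continue                  # internal traffic is out of scope here
        if dst in bot_list:           # behaviour 2: known bad reputation
            events.append((ts, src, "known_bot_contact"))
        if packets_in == 0:           # behaviour 3: nothing ever came back
            events.append((ts, src, "unanswered_internet_connection"))
        elif dst_port == 443 and bytes_out > bytes_in:   # behaviour 4
            events.append((ts, src, "encrypted_upload_heavy"))
    return events


def threat_index(events, host, now):
    """Sum the weights of this host's events that fall inside the window
    ending at `now`; anything older has aged out and no longer counts."""
    return sum(WEIGHTS[kind] for ts, h, kind in events
               if h == host and now - WINDOW < ts <= now)


def hosts_over_threshold(events, now):
    """Hosts whose index at `now` would trigger a notification."""
    hosts = {h for _, h, _ in events}
    return sorted(h for h in hosts if threat_index(events, h, now) >= THRESHOLD)


# Constructed sample data.
BOT_LIST = {"192.0.2.44"}            # assumed reputation feed entry
FLOWS = [
    (datetime(2014, 2, 1), "10.1.1.10", "198.51.100.7", 443, 9000, 600, 12),
    (datetime(2014, 2, 2), "10.1.1.11", "203.0.113.5", 443, 2000, 4500, 20),
    (datetime(2014, 2, 3), "10.1.1.10", "198.51.100.9", 8080, 400, 0, 0),
    (datetime(2014, 2, 5), "10.1.1.10", "192.0.2.44", 443, 3000, 500, 8),
    (datetime(2014, 2, 8), "10.1.1.10", "198.51.100.7", 443, 8000, 500, 11),
]
# An event another sensor reported directly (a router saw an ICMP redirect).
EXTRA_EVENTS = [(datetime(2014, 2, 9), "10.1.1.10", "icmp_redirect_received")]
ALL_EVENTS = events_from_flows(FLOWS, BOT_LIST) + EXTRA_EVENTS

if __name__ == "__main__":
    for when in (datetime(2014, 2, 10), datetime(2014, 2, 20)):
        print(when.date(), threat_index(ALL_EVENTS, "10.1.1.10", when),
              hosts_over_threshold(ALL_EVENTS, when))
```

Evaluated on 10 February, register 10.1.1.10 has accumulated 115 points (two upload-heavy TLS sessions, one unanswered connection, one contact with a listed bot that was itself upload-heavy, and the ICMP redirect) and crosses the threshold. Evaluated on 20 February with no further events, everything before 6 February has aged out and the same host sits at 25, so no notification fires. Register 10.1.1.11, whose only flow downloaded more than it uploaded from the processor, never generates an event at all; that is the false-positive control the index is meant to give you.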

Investigating POS threats

When you go looking for strange behaviors and need a solution that provides insight everywhere in the network, many believe there is no better option available today than NetFlow/IPFIX. Since it is generated by routers and switches rather than on the infected host, the POS malware cannot easily delete it, which blunts the log-tampering Visa warns about.

When flow data is combined with a scalable flow reporting solution, the forensic investigation value is second to none.

Scalable NetFlow analyzer solutions that can crunch data collected from thousands of systems involved in the POS process provide the filtering and speed of delivery you need when you are under the gun and need answers fast.

Related stories:

Network World: Breach! Defending Point of Sale Networks and Systems

Palo Alto Networks: Better POS security

©2014 Alliance Networking LLC