Cyberthieves find workplace networks are easy pickings

(Published USA TODAY, Oct. 9, 2009 P.1B)

By Byron Acohido, USA TODAY

It took only a modicum of skill for a cybergang to steal 94 million credit and debit card payment records from the TJX retail chain – and follow that up by hauling in 130 million records from credit card processor Heartland Payment Systems.

Court records reveal that those record-setting break-ins were almost too easy. Even more surprising: The thieves were able to take their sweet time extracting the data, in each case going undetected for more than a year.

What happened to TJX and Heartland was not unusual. And details unveiled in the prosecution of gang members involved in both thefts have shed fresh light on a business truism demanding more scrutiny: Workplace networks have turned out to be much more porous and difficult to defend than anyone ever anticipated.

Overly complex IT systems are producing endless opportunities for cyberthieves, who need only to master simple hacking techniques to get their hands on sensitive data. The result: Data breaches continue to plague companies, hospitals, universities and government agencies – any entity that collects data and conducts business on a digital network.

The vast majority of organizations routinely fail to take simple defensive measures, such as shoring up common website weaknesses or uniformly enforcing the use of strong passwords.

“Networks have become a hodgepodge of components stitched together, creating security holes that can easily be taken advantage of,” says Barmak Meftah, senior vice president at applications security firm Fortify Software.

Though companies are loath to publicly disclose data losses, about 656 data breach cases made headlines in 2008, up from 446 in 2007, according to the non-profit Identity Theft Resource Center. Through nine months this year, ITRC has archived new stories chronicling 391 data thefts.

With IT staffs stretched thin – and concentrating on adding digital services – data heists are going unreported, or unnoticed, security analysts say. “The problem for any organization is, ‘How do I make sure all the doors and windows are closed, and how do I keep them closed, without stalling my business model?’ ” says Steve Dauber, marketing vice president at security assessment firm RedSeal.

Data thieves, in turn, are having a field day using well-understood hacking techniques to carry out increasingly refined cyberthefts. “They know where the money is,” says Ivan Arce, CTO of security assessment firm Core Security Technologies. “And they’re getting to where the money is faster and with less noise.”

Simple hacks

Federal charges filed against Albert Gonzalez accusing the 28-year-old Miamian of playing key roles in the TJX and Heartland capers illustrate just how easy data thieves have it.

Gonzalez pleaded guilty in August to fraud and conspiracy charges for his part in cracking into TJX, parent of T.J. Maxx and Marshalls discount clothing stores, and seven other national retailers from 2005 through 2006. He faces similar charges for his role in data thefts from Heartland and four big retailers from late 2007 through 2008.

In the attacks against the retailers, court records show, Gonzalez and several cohorts used a technique called war driving. Despite its name, war driving is considered an innocuous pastime of hobbyists who cruise neighborhoods with a laptop and inexpensive antennas to map out Wi-Fi signals – wireless Internet connections – being broadcast from homes and businesses.

However, retailers have come to depend on password-protected Wi-Fi systems to transmit data from cash registers and price-checking scanners to a central computer server, because Wi-Fi eliminates the hassles and expense of laying cables. By war driving, thieves can readily pinpoint retailers’ Wi-Fi systems. Tapping in is “exceedingly simple,” says Andy Bokor, COO of security assessment firm Trustwave. Crooks can use free password-breaking programs widely available on the Internet.

Court records show the Wi-Fi system of a Marshalls store in Miami was initially compromised in July 2005. In September 2005, the intruders began downloading data from TJX headquarters in Framingham, Mass. By May 2006, they were able to establish a virtual private network connection to TJX’s servers, enabling them to install custom-built “sniffer” programs.

Sniffers are also widely available for free. Generic ones log all of the traffic moving across a network. To keep from getting swamped with data, the thieves installed sniffers specifically designed to recognize and capture data from the magnetic stripes on the backs of credit and debit cards.
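The card-specific sniffers described above worked by matching on the fixed layout of magnetic-stripe track data. The following Python, added here as an illustration and not code from the article or from the TJX case, shows the same pattern match from the defender’s side: it scans captured payloads (constructed samples built around public test card numbers) for Track 1 and Track 2 data, drops matches whose account number fails the Luhn check, and masks what it finds so the findings themselves do not become a second leak. This is how a detection engineer hunts for card data crossing a network in the clear.

```python
import re

# Track 1 ("%B<PAN>^<NAME>^<YYMM><service code>...?") and Track 2
# (";<PAN>=<YYMM><service code>...?") layouts as defined in ISO/IEC 7813.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the issuer prefix and last four so findings can be logged."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(payload: bytes) -> list:
    """Scan one captured payload for track-formatted card data.

    Returns (track, masked_pan, expiry_yymm) tuples for matches whose PAN
    passes the Luhn check; matches that fail it are discarded as noise.
    """
    hits = []
    for m in TRACK1_RE.finditer(payload):
        pan, yymm = m.group(1).decode(), m.group(3).decode()
        if luhn_ok(pan):
            hits.append(("track1", mask_pan(pan), yymm))
    for m in TRACK2_RE.finditer(payload):
        pan, yymm = m.group(1).decode(), m.group(2).decode()
        if luhn_ok(pan):
            hits.append(("track2", mask_pan(pan), yymm))
    return hits


# Constructed sample payloads (not real captures); 4111111111111111 is a
# public test number, 1234567890123456 is shaped like a PAN but fails Luhn.
SAMPLE_PAYLOADS = [
    b"POST /auth HTTP/1.0\r\n\r\n"
    b"%B4111111111111111^DOE/JANE^25121011000000?"
    b";4111111111111111=25121011000000000?",
    b";1234567890123456=2512101?",
    b"GET /price?sku=12345 HTTP/1.1\r\n",
]


def scan_capture(payloads) -> list:
    """Run the detector over a sequence of payloads, tagging hits by index."""
    findings = []
    for idx, payload in enumerate(payloads):
        for track, masked, yymm in find_track_data(payload):
            findings.append((idx, track, masked, yymm))
    return findings


if __name__ == "__main__":
    for finding in scan_capture(SAMPLE_PAYLOADS):
        print(finding)
```

Only the first constructed payload produces findings: the second looks like Track 2 but its number fails the Luhn check, and the third carries no card data at all. The same regular expressions, minus the masking, are what an attacker’s purpose-built sniffer applies to every packet, which is why the presence of cleartext track data on a store network is a finding in its own right, regardless of who is listening.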

“The interception of data is not technically difficult,” says Matt Marshall, vice president of engineering at security assessment firm Redspin. “You just have to be at the right place at the right time.”

Data thieves today are hustling to position sniffers inside retailers, financial firms and health care companies, in particular. “Anyone who keeps sensitive information on their networks is actively being targeted,” says Marshall.

Going undetected

Penetrating Heartland’s network presented a fresh challenge. Heartland has no Wi-Fi-equipped storefronts, and its hard-wired, central network sits securely behind company walls in Princeton, N.J. However, like many corporations, Heartland has come to rely on a public website to interact with its clients: 250,000 restaurants and smaller retailers across the U.S.

Court records reveal that the thieves used a technique called SQL injection to break in and subsequently embed sniffer programs similar to those used in the TJX attack. In an SQL injection attack, the intruder types specially crafted text, rather than the expected value, into a Web page input box, such as those on a log-in page. If the website pastes that input straight into the query it sends to its database, the intruder’s text becomes part of the query itself, letting a determined hacker read or alter data the page was never meant to expose and gain a foothold to go deeper.

“The attackers did not create any new techniques,” says Alex Horan, director of product management at Core Security. “They simply combined existing techniques in a new way.”

Companies, understandably, rarely discuss data breaches. However, proof that data thieves are targeting hundreds of organizations using similar approaches to breach networks comes from Verizon Business, a division of Verizon Communications that sells consulting services to other corporations. Since 2004, Verizon has dispatched forensic specialists to conduct CSI-like probes of nearly 600 cases of corporate data theft.

In the vast majority of those cases, investigators discovered thieves routinely took days after initially penetrating a network to locate and break into valuable databases. And most often, the intruders spent weeks to years extracting data before being discovered.

“It’s one of the more shocking statistics we’ve run across,” says Verizon principal researcher Wade Baker. “The length of time it takes an organization to discover that data is leaving is often five to six months” after the initial breach.

That pattern suggests “many organizations right now have breaches they don’t know about and won’t discover for some time to come,” says Baker.

Deeper attacks

Meanwhile, data thieves are increasingly seeking out other valuable forms of business data, besides credit card records. The attack of PayChoice, a leading supplier of online payroll services, is a recent case in point.

Attackers used an SQL injection hack to compromise PayChoice’s public Web page but showed little interest in flushing out any credit card account data. Instead, they took e-mail addresses of workers who get paid via PayChoice’s Web portal – and the names of their respective companies.

This put the attackers in position to send e-mails purporting to come from PayChoice addressed to individual people.
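The SQL injection described for the Heartland break-in and, here, for the PayChoice harvest of e-mail addresses, comes down to one coding mistake. The following Python, added as an illustration and not code from the article or from either company, puts the flawed pattern beside its fix against a constructed in-memory SQLite table standing in for a client portal: a log-in box payload of `' OR 1=1 --` makes the concatenated query return every user’s e-mail address and company, while the parameterized version treats the same text as a literal e-mail address and returns nothing.

```python
import sqlite3


def build_portal_db() -> sqlite3.Connection:
    """Constructed stand-in for a client portal's user table (in memory).

    Plaintext passwords keep the demo short; a real portal stores salted
    hashes, but that would not change the injection behaviour shown here.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
        "password TEXT, company TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password, company) VALUES (?, ?, ?)",
        [
            ("alice@example.com", "s3cret", "Example Corp"),
            ("bob@example.net", "hunter2", "Example Net"),
        ],
    )
    return conn


def login_vulnerable(conn, email: str, password: str) -> list:
    """The flawed pattern: form input is spliced into the SQL text.

    Whatever the user types becomes part of the statement, so a quote
    character or comment marker in the input rewrites the query.
    """
    sql = (
        "SELECT email, company FROM users "
        "WHERE email = '%s' AND password = '%s'" % (email, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, email: str, password: str) -> list:
    """The fix: placeholders are bound to values the driver passes as data,
    so the input can never be interpreted as SQL."""
    sql = "SELECT email, company FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


# Classic log-in box payload: closes the quoted string, makes the WHERE
# clause always true and comments out the rest of the statement.
INJECTION = "' OR 1=1 --"


def demo() -> dict:
    """Run both implementations on the same inputs and return the rows."""
    conn = build_portal_db()
    return {
        "legit_param": login_parameterized(conn, "alice@example.com", "s3cret"),
        "inject_vuln": sorted(login_vulnerable(conn, INJECTION, "anything")),
        "inject_param": login_parameterized(conn, INJECTION, "anything"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable path returns every row, which is exactly the e-mail-and-company list the PayChoice attackers walked away with; the parameterized path returns an empty result for the same input because `' OR 1=1 --` is compared as a string, not executed as SQL. The same concatenation bug also breaks for honest input containing an apostrophe, so parameterized queries fix a correctness problem as well as a security one.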

“This was a two-stage attack with the first stage being a minor attack to get relatively benign information that could be used in a more sophisticated second stage,” says Matt Moynahan, CEO of applications security firm Veracode.

Upon discovering the breach on Sept. 23, PayChoice shut down its website temporarily to “institute fresh security measures” before starting up again, says PayChoice CEO Robert Digby.

By then bogus e-mails had arrived at an undisclosed number of companies, including security monitoring firm Damballa, a onetime PayChoice client that was no longer a customer when the hack occurred. Even so, several Damballa employees received e-mails asking them to click on a Web link to download a plug-in supposedly needed to continue accessing PayChoice’s online portal.

Clicking on the link actually downloaded a version of the ZeuS banking Trojan, a malicious program widely used to break into online bank accounts. In recent months, a rash of malicious banking Trojans have taken aim at the online banking accounts of small businesses.

Tripp Cox, Damballa’s vice president of engineering, says he would not be surprised if the attackers’ ultimate goal was to access Damballa’s business accounts in order to execute wire transfers to money mules, accomplices recruited via work-at-home ads to set up bank accounts to receive stolen funds.

“The end game of this scam is unclear, but the selection of the ZeuS Trojan indicates that the criminals were hoping to get banking account log-in credentials from all of their victims,” says Cox. “One can imagine that they would next check balances of the pilfered accounts and go for the deep pockets.”

In a similar, ongoing attack, a Chinese hacking group continues to send malicious e-mails addressed to specific employees at targeted companies, says Joe Stewart, senior researcher at security firm SecureWorks, who has examined intercepted samples.

The messages appear to come from known sources referencing a subject the recipient is likely to be working on, Stewart says. Each message attempts to entice the recipient into clicking on a Web link, or to open an attached Microsoft Office file. Doing so implants a backdoor connection, giving the attacker full control.

However, unlike malicious programs of this type that automatically enlist an infected PC into massive spamming networks, this infection turns control over to an attacker who has gone through a lot of trouble to get a perch inside a specific company. “My guess is that they’re seeking to gain a foothold on the network,” says Stewart.

Such attacks illustrate how opportunistic cybercriminals continue to be in taking advantage of porous networks, says Redspin’s Marshall. “The hackers adapt to the current landscape and really leverage it to their advantage,” he says.
