The attack on TARGET: how was it done - lessons learned for protecting HP NonStop systems


Upload: thomas-burg

Post on 11-May-2015


DESCRIPTION

This presentation has three parts:

Part 1: The mechanics of the attack against Target, where 40 million full records of POS transactions were stolen

Part 2: The state of computer security, with a focus on HP NonStop systems: the need for a new paradigm

Part 3: Recommendations to secure HP NonStop systems

TRANSCRIPT

Page 1: The attack on TARGET: how was it done - lessons learned for protecting HP NonStop systems

DISCLAIMER:

This presentation reflects the opinions and recommendations of the authors only and does not in any way represent the views or endorsements of any other parties.

HP NonStop is a trademark of Hewlett-Packard Development Company, L.P. All other trademarks are the property of their respective owners.

copyright (2014) comForte 21 1

Page 2: The attack on TARGET: how was it done - lessons learned for protecting HP NonStop systems

To be able to look at this presentation offline and without the speaker's audio, slide notes have been added to some slides and are shown here, on the right.

Page 3

Page 4

In the first part of the presentation, we look at how exactly the attack against Target was carried out, following each of the multiple steps.

Page 5

The URL shown is a rather detailed write-up of the breach – including how the stolen credit card numbers are monetized in the “carder underground”. Highly recommended reading.

The diagram “how the hackers broke in” is also from the article – we will now look at the steps in more detail.

Page 6

This is the POS acquiring infrastructure at TARGET, showing only the core systems required for the processing of POS transactions.

The system on the right is an HP NonStop system; see http://www.hp.com/go/nonstop for more information about the computing platform. We use the term “NonStop system” in the diagram for brevity.

If these were the only systems, the breach at TARGET could not have happened in the same way.

Page 7

This diagram shows more systems which are part of the larger TARGET infrastructure: two internal servers are used to process the “backoffice” data collected at the point-of-sale systems. Also, an HVAC system (heating, ventilation, air conditioning) is remote-controlled by an external consultant.

Page 8

In the first step of the attack, the “bad guys” took over a web site an employee of the HVAC company was accessing. By doing so, they were able to obtain his username and password for that – unrelated – web site.

Unfortunately, the employee used the same password to access the TARGET network for remote HVAC maintenance – and thus the attackers were inside the TARGET network.

Page 9

They were then able to ‘take over’ an internal server, present at every TARGET store, with direct connectivity to the POS systems running Microsoft Windows.

Page 10

In the next step, they used the internal server to install specifically crafted malware onto the Windows POS system.

Page 11

At this point in time, the malware installed on the POS system was collecting the full data for each and every POS transaction. They used a well-known technique called “memory scraping” to access the data sent from the POS device “through” the Windows POS system to the NonStop system processing the POS data.

The final step now is to get the data out of the internal TARGET network, and the attackers needed to be careful not to raise an alarm by using new connections (an outgoing FTP connection to an unknown host on the Internet would almost certainly have raised alarms immediately).

This final step is called “exfiltration”.

Page 12

For exfiltration, the attackers were able to take over another internal server which was already shown on an earlier slide. That server was not in the “critical network zone” and hence not monitored for outgoing data as closely as each TARGET store itself.

Page 13

In the final step, the attackers sent the data from the Windows POS systems to the internal server on the right, where they collected it for a while.

They then sent the data to a few servers on the Internet and then downloaded the data to their own systems.

Page 14

Let’s take a moment to think about the attack: It clearly shows a lot of planning, patience and sophistication. It is a sad fact that many cyber criminals are rather excellent at their “job” and would probably be able to earn a living as a skilled administrator or developer.

Unfortunately, cyber crime continues to be the actual choice of many talented “black hat hackers”.

For more background on these types of attacks, which are also called “Advanced Persistent Threats”, please see the following presentation on SlideShare:

http://www.slideshare.net/thomasburg/from-russia-with-love-modern-tools-used-in-cyber-attacks

Page 15

As companies improve their defenses, attacks require more and more steps to succeed. This is why “defense in depth” is such an important concept – the defender only needs to prevent a single step of the attack to thwart it. Here are a few measures, each of which could have prevented the specific attack carried out successfully against TARGET:

• Preventing distribution and installation of the malware onto the POS systems:

  • Better segmentation of the in-store network

  • Actually looking at the incident logs of the advanced attack tool (FireEye; see the Businessweek article for details)

  • Setting FireEye to “block” rather than “alert”

• Using end-to-end encryption between the POS reading device and the acquiring system.

• Detecting and blocking the outbound traffic in which the confidential data was transferred to servers outside of Target's store network.

(It should be noted that these measures are by no means a comprehensive security architecture; they are the few pieces of a whole defense-in-depth strategy that would have made the difference.)
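The last measure in the list above, detecting the outbound transfers, is the one a platform owner can most directly test against their own logs. The following Python script is an added example written for this page, not code from the presentation or from comForte: it applies one egress allow-list to every zone, so the “non-critical” back-office host is held to the same rule as the store network. The log format, host names, addresses and the policy itself are constructed assumptions for the demonstration.

```python
import ipaddress
from collections import Counter, namedtuple

# Constructed sample of outbound-connection records from two in-store hosts.
# Hypothetical format: "timestamp src_host dst_ip dst_port proto". The hosts,
# addresses and timestamps are invented for this example, not Target's network.
SAMPLE_LOG = """\
2013-11-27T03:12:01 store0042-srv 10.20.0.5 443 tcp
2013-11-27T03:12:05 store0042-srv 10.20.0.9 1433 tcp
2013-11-27T03:13:40 store0042-srv 10.50.7.21 445 tcp
2013-11-27T03:15:02 backoffice-srv 203.0.113.77 21 tcp
2013-11-27T03:15:09 backoffice-srv 203.0.113.77 21 tcp
2013-11-27T03:16:00 backoffice-srv 10.20.0.5 443 tcp
"""

# Address space that counts as "inside" the organization (assumed: 10.0.0.0/8).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Egress allow-list per zone: (destination network, permitted ports).
# Assumed policy: store hosts may only talk to the acquiring gateway on 443
# and the back-office database on 1433; the back-office zone only to the
# gateway on 443. Everything else is a finding, whether the destination is
# internal or on the Internet.
EGRESS_POLICY = {
    "store": [("10.20.0.0/24", {443, 1433})],
    "backoffice": [("10.20.0.0/24", {443})],
}

Conn = namedtuple("Conn", "ts src dst port proto")


def parse_line(line):
    ts, src, dst, port, proto = line.split()
    return Conn(ts, src, ipaddress.ip_address(dst), int(port), proto)


def zone_of(host):
    # Zone assignment by hostname prefix (an assumption for the sample data).
    if host.startswith("store"):
        return "store"
    if host.startswith("backoffice"):
        return "backoffice"
    return "unknown"


def is_allowed(conn):
    rules = EGRESS_POLICY.get(zone_of(conn.src), [])
    return any(conn.dst in ipaddress.ip_network(net) and conn.port in ports
               for net, ports in rules)


def classify(conn):
    if any(conn.dst in net for net in INTERNAL_NETS):
        return "internal destination outside egress policy"
    return "destination outside internal address space"


def find_violations(log_text):
    """Return (src, dst, port, reason) for every connection the policy does not allow."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        conn = parse_line(line)
        if not is_allowed(conn):
            violations.append((conn.src, str(conn.dst), conn.port, classify(conn)))
    return violations


def summarize(violations):
    """Count findings per (source host, reason) so repeated transfers stand out."""
    return Counter((src, reason) for src, _dst, _port, reason in violations)


if __name__ == "__main__":
    found = find_violations(SAMPLE_LOG)
    for v in found:
        print("ALERT", *v)
    for (src, reason), n in summarize(found).items():
        print(f"{src}: {n} x {reason}")
```

On the sample data the store host's connection to a server in another internal zone is reported as well as the back-office host's FTP sessions to a public address; the point of the design is that an allow-list produces an alert for the unexpected internal hop, not only for the final Internet connection.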

Page 17

The author of this presentation has followed the computer security industry and trends for over ten years. The attack techniques used in the attack against TARGET are over a decade old (!) – so from a technological standpoint nothing has really changed.

What _has_ changed is that the attackers are stepping up their game while the defenders do not.

In the next few slides, we will look at the state of computer security on a specific computing platform, namely the HP NonStop platform.

Page 18

This is one of the key messages of this presentation – so please pardon the non-subtlety of this slide…

There are hundreds of customers running the ACI BASE24 product world-wide, processing about 50 % of the world-wide POS and ATM transactions (!). Many of these systems were installed decades ago and quietly hum along in the data center, never losing a transaction or going down. The fact that the systems never go down is a key benefit of using the BASE24 software on the HP NonStop platform in the first place.

However, the world has changed and, to the best of our knowledge, many BASE24 installations are not protected as well as they should be.

We do know for a fact that BASE24 does _not_ support encryption of data at rest; therefore most BASE24 installations world-wide will _not_ be compliant with PCI DSS requirement 3.4.

The good news is that this can be addressed relatively easily – compared to the cost of running a BASE24 system the cost to improve the security posture massively is rather low.

Page 19

This is the prior statement generalized to HP NonStop systems in general, again drawing on our experience as a vendor in the HP NonStop marketplace.

It should be pointed out that this is _not_ a weakness of the platform at all; it rather is a weakness of either the application or the way the platform is secured.

Any computing platform can be secured poorly or well, and the HP NonStop platform is no different in that. In fact, the HP NonStop platform has several unique strengths when it comes to securing it.

Page 20

To be honest, this is somewhat of a mystery to the author, even after spending 10+ years focusing on IT security. Really.

So why are BASE24 or similar applications on HP NonStop *NEVER* protected properly? Here are some suggestions:

- There is typically a large “Organizational Disconnect” between the CSO, CIO, CFO and CEO

  - The attackers, on the other hand, are very well connected and organized

  - Who owns security anyway? That is a difficult question in every organization: is it the platform owner? The application owner? The CSO? The CIO? The CEO?

- Penny pinching of IT costs

  - For banks, IT is typically 6 % of the global budget

  - IT is often seen as a cost factor (rather than as an asset) where savings can be applied whenever the economy is bad

  - It should be noted that the BASE24 application is *very* profitable – but cost is saved anyway

Page 21

About 20 years ago, users would connect to “big iron” (mainframe type of computers) using dedicated terminals which had no other functionality than to access the system.

Today, PCs are used to connect to HP NonStop systems and administer them. The big problem with this is that many core security principles are based on so-called “user authentication” – making sure the NonStop knows which user name is currently connecting.

Historically, there have been many means of using this information for “Authorization” – namely deciding who can do what (and who can NOT do what).

This has worked well over the years – but most attacks, including the one on TARGET, show that attackers are able to “0wn” (hacker lingo for “own”) any PC or midrange server in the organization. An “0wned” PC is effectively remote-controlled by the bad guys – and with that, user authentication is broken and should not be relied on as strongly as it has been so far.

This knowledge is widespread in the security community – but unfortunately it is not that widespread in the non-security realm.

Page 22

As explained on the prior slide, you should not rely on the assumption that no-one will be able to log on as SUPER.SUPER.

In fact, it is a good “thought experiment” (http://en.wikipedia.org/wiki/Thought_experiment) to assume that the attacker has penetrated your network and is able to log on to your NonStop system as SUPER.SUPER.

Only if your defenses are able to thwart or – at least – detect an attack even under this somewhat bold assumption should you consider your defenses to live up to best practices.

Well-known security standards such as the PCI-DSS standard do take this into account – in fact this is most probably the reason why encryption of data at rest is enforced.
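The thought experiment above and the earlier remark that BASE24 does not encrypt data at rest point at the same check: if someone reads the transaction files with SUPER.SUPER privileges, what do they get? The Python script below is an added example for this page, not code from the presentation, from comForte or from BASE24. It audits a set of records for readable card numbers (Luhn-valid digit runs), then renders the PAN unreadable in the way PCI DSS 3.4 permits, keeping only the last four digits plus a keyed hash (HMAC-SHA256) as an index token, and shows that the audit comes back empty afterwards while lookups by card still work. The record format, the test card numbers and the key are constructed for the example; the assumption that the key is held outside the application's file system is what keeps a privileged file reader from recomputing tokens.

```python
import hashlib
import hmac
import re

# Constructed transaction records as they might sit in a flat file with the
# PAN stored readable. The card numbers are the well-known test numbers that
# pass the Luhn check; they are not real cards and the records are invented.
UNPROTECTED_RECORDS = [
    "TXN0001|4111111111111111|2014-01-15|19.99",
    "TXN0002|5500000000000004|2014-01-15|42.50",
    "TXN0003|4012888888881881|2014-01-16|7.25",
]

# Constructed key for the example. In a real deployment the key lives in a
# key-management system or HSM outside the application's file system, so an
# attacker who can read the files (even as SUPER.SUPER) does not also get it.
HMAC_KEY = b"constructed-example-key-not-for-production"

# A 13-19 digit run that is not embedded in other letters or digits.
PAN_RE = re.compile(r"(?<![A-Za-z0-9])\d{13,19}(?![A-Za-z0-9])")


def luhn_ok(digits):
    """Luhn check-digit validation, used to tell PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(lines):
    """Audit data at rest: return (line_no, pan) for every readable PAN found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group()):
                hits.append((n, m.group()))
    return hits


def protect_pan(pan, key):
    """Render the PAN unreadable: keep only the last four digits for display and
    a keyed hash (HMAC-SHA256) as an index token for lookups."""
    masked = "*" * (len(pan) - 4) + pan[-4:]
    token = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return masked, token


def protect_records(records, key):
    """Rewrite each record so that no full PAN remains in the file."""
    out = []
    for rec in records:
        txn, pan, date, amount = rec.split("|")
        masked, token = protect_pan(pan, key)
        out.append("|".join([txn, masked, token, date, amount]))
    return out


def lookup_by_pan(records, pan, key):
    """Find a card's transactions without the PAN being stored: recompute the token."""
    token = protect_pan(pan, key)[1]
    return [r.split("|")[0] for r in records if r.split("|")[2] == token]


if __name__ == "__main__":
    print("readable PANs before:", find_plaintext_pans(UNPROTECTED_RECORDS))
    protected = protect_records(UNPROTECTED_RECORDS, HMAC_KEY)
    print("readable PANs after:", find_plaintext_pans(protected))
    print("transactions for one card:", lookup_by_pan(protected, "5500000000000004", HMAC_KEY))
```

The audit function is the part worth keeping: run it over copies of the files a privileged user can read and the result is a direct answer to the thought experiment, independent of which product eventually does the protecting.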

Page 23

In this final section, we give some general recommendations on how to properly secure an HP NonStop system. We focus on the PCI-DSS standard.

Page 24

In the comForte experience, the HP NonStop platform is not always well understood by the auditors.

As mentioned earlier, the platform has unique strengths – but also some unusual weaknesses (mostly for historical reasons).

Page 25

A PCI project landing on the desk of the HP NonStop platform owner can look like a daunting task and/or an unpleasant surprise.

Rest assured that other platforms struggle just as much – like in most projects, PCI will be about:

• Properly allocating budget (most large companies these days have a “PCI office”) and human resources

• Expectation management (mostly towards the auditor)

• Long-term planning – the auditors are coming at least yearly, so plan for the long haul

It is unlikely that you will get from 0 % compliance to 100 % compliance in a single year – we will talk about the suggested order of things a bit later.

Page 26

Another key principle on the journey to properly protect your systems…

While there is most likely software to be procured and installed, the software very often needs to be actively monitored and configured going forward.

Page 27

The PCI 2.0 standard has about 230 “line items” (individual bullet points to comply with) and the 3.0 version will have more than 300.

The PCI council has published an Excel sheet attaching priorities to the individual items – this was used for the upcoming recommendation for the order of certain tasks.

Another factor going in was how hard or easy a measure is to implement.

Page 28

This is a suggested order of doing things, which takes the following into account:

• Ease of implementation

• Priority as per PCI prioritized approach

• Budgetary constraints

Page 29

Note: it is recommended to actually start with Phase 1 rather than trying to combine Phase 1 and Phase 2 into a “big bang” scenario. Your PCI auditor wants to see progress early.

Page 30

The two presentations on SlideShare shown on the left can be accessed via the following URLs:

http://www.slideshare.net/thomasburg/from-russia-with-love-modern-tools-used-in-cyber-attacks

http://www.slideshare.net/thomasburg/the-verizon-20122013-data-breach-investigations-report-lessons-learned-for-running-base24-securely

(This is the last slide in this presentation)
