Monthly Archives: September 2014

The Safety Myth

On Tuesday, September 2, Home Depot disclosed that they were investigating a possible breach of their payment data systems. No less than a week later they had confirmed that those systems had in fact been breached, with direct impact on any customer who had used a payment card at their stores since April. While Home Depot was rather forthcoming about it, they were still not fully willing to bite the bullet and tell the world that, in spite of the similar incident earlier this year at Target, they had not taken the necessary precautions.

There is a huge gap in most POS systems that can be exploited if the hackers can get behind the main firewalls through a legitimate avenue. The scenario would go something like this: the POS vendor has a networking company that manages their networks for them, and by necessity some of the employees of the networking company will need access to secured layers of the POS vendor’s infrastructure. If someone decides to bring in a memory scraper (a form of malware) and plant it in a piece of software scheduled for delivery to the POS device, then all the amazing encryption and security is useless. Memory-scraping malware is typically designed to target Track 1 and Track 2 data — including a cardholder’s name, card number, expiration date, and the card’s three-digit security code (a.k.a. CVV or CVC) — at the place where it’s most vulnerable to being intercepted: in memory, where it’s in plaintext format.

So what to do? Among other things, software delivery redundancy and independent pre-staging servers for delivery of updates to the POS device would be a good start. Even better would be to have hermit servers that are secured and serve the sole purpose of delivering the update to the staging server for checksum comparison against the update being delivered normally. As crazy as it may be, it is not very expensive to set up and it is even cheaper to maintain. Then you ask: why didn’t Home Depot do it?
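The two-channel checksum comparison proposed above, as an added example rather than code from the original post or from any POS vendor: the staging server approves an update only when the copy received over the normal delivery path and the copy received from the isolated hermit server hash to the same value, and it fails closed when either channel is silent. The function names, the `Verdict` structure and the sample release bytes are constructed for illustration.

```python
"""Two-channel update verification for a POS pre-staging server.

Added example, not Home Depot's or any vendor's code. The staging server
receives each update twice: once over the normal delivery path and once
from an isolated "hermit" server that does nothing but serve the same
release. The update is staged for POS devices only when both copies hash
to the same value, so an update altered along one path is rejected.
All byte strings below are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Verdict:
    approved: bool
    reason: str
    digest: Optional[str] = None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_staged_update(normal_copy: Optional[bytes],
                         hermit_copy: Optional[bytes]) -> Verdict:
    """Fail closed: approve only when both channels delivered the update
    and the two copies produce identical SHA-256 digests."""
    if normal_copy is None or hermit_copy is None:
        return Verdict(False, "one delivery channel did not provide the update")
    normal_digest = sha256_hex(normal_copy)
    hermit_digest = sha256_hex(hermit_copy)
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(normal_digest, hermit_digest):
        return Verdict(False, "digest mismatch between delivery channels",
                       digest=normal_digest)
    return Verdict(True, "both channels agree", digest=normal_digest)


# Constructed sample data: the release as served by the hermit server, and
# the same release with an extra module appended somewhere on the normal path.
RELEASE = b"pos-terminal-fw-v4.2.1\x00" + bytes(range(256))
TAMPERED_RELEASE = RELEASE + b"\x00extra-module-not-in-release"

if __name__ == "__main__":
    print(verify_staged_update(RELEASE, RELEASE))
    print(verify_staged_update(TAMPERED_RELEASE, RELEASE))
    print(verify_staged_update(RELEASE, None))
```

The mismatch case is the one that matters operationally: it should page someone, not just log, because it means the two delivery paths no longer agree on what the release is.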
The simple answer may be much more mundane than you think. According to a security professional in that organization, “the bosses were sure it was the incompetence of the IT people at Target that had led to their problems.” — Ah, arrogance loses the day once again. It is time for most IT professionals to acknowledge that safety is a myth and that the best we can do is to run hard and fast and keep one step ahead of the hackers by continually innovating new ways of double-checking what we already believe to be secure.