Workplace Networks Are Easy Pickings
Credit unions were among those stung in two separate cybergang attacks: the thefts of 94 million credit and debit card payment records from the TJX retail chain and 130 million records from credit card processor Heartland Payment Systems. Court records reveal those record-setting break-ins were almost too easy. Thieves were able to take their sweet time extracting the data, in each case going undetected for more than a year.
What happened to TJX and Heartland wasn't unusual. Details unveiled in the prosecution of gang members, reported in USA Today, show workplace networks have turned out to be much more porous and difficult to defend than anyone ever anticipated. Overly complex information technology (IT) systems produce endless opportunities for cyberthieves, who need only to master simple hacking techniques to get their hands on sensitive data.
Data breaches continue to plague companies, hospitals, universities, and government agencies—any entity that collects data and conducts business on a digital network. The vast majority of organizations routinely fail to take simple defensive measures, such as shoring up common Web site weaknesses or uniformly enforcing the use of strong passwords. Networks have become a hodgepodge of components stitched together, creating easily breached security holes.
About 656 data breach cases made headlines in 2008, up from 446 in 2007, according to the nonprofit Identity Theft Resource Center (ITRC). Through September 2009, ITRC has archived new reports of 391 data thefts. With IT staffs stretched thin—and concentrating on adding digital services—data heists go unreported or unnoticed, security analysts say. Data thieves, in turn, are having a field day using well-understood hacking techniques to carry out increasingly refined cyberthefts.
Simple hacks
Federal charges filed against hackers in the TJX and Heartland capers illustrate just how easy data thieves have it. In the attacks against the retailers, court records show, perpetrators used a technique called war driving. Despite its name, war driving is considered an innocuous pastime of hobbyists who cruise neighborhoods with a laptop and inexpensive antennas to map out Wi-Fi signals—wireless Internet connections—broadcast from homes and businesses.
Retailers, however, have come to depend on password-protected Wi-Fi systems to transmit data from cash registers and price-checking scanners to a central computer server because Wi-Fi eliminates the hassles and expense of laying cables. By war driving, thieves can readily pinpoint retailers' Wi-Fi systems. Tapping in is simple, as crooks can use free password-breaking programs widely available on the Internet.
After the Wi-Fi system of a Marshalls store in Miami was initially compromised, the intruders began downloading data from TJX headquarters. They were able to establish a virtual private network connection to TJX's servers and then installed custom-built "sniffer" programs. Sniffers are also widely available for free. Generic ones log all of the traffic moving across a network. To keep from getting swamped with data, the thieves installed sniffers specifically designed to recognize and capture data from the magnetic stripes on the backs of credit and debit cards.
Data thieves today are hustling to position sniffers inside retailers, financial firms, and health care companies, in particular. "Anyone who keeps sensitive information on their networks is actively being targeted," says Matt Marshall, vice president of engineering at Redspin, a security assessment firm.
Going undetected
In penetrating Heartland's network, the thieves used a technique called SQL injection to break in and subsequently embed sniffer programs similar to those used in the TJX attack. In an SQL injection attack, the intruder simply types random characters into a Web page input box, such as those on a log-in page. A determined hacker gains a foothold by breaking the connection between the Web page and the underlying database.
Proof that data thieves are targeting hundreds of organizations using similar approaches to breach networks comes from Verizon Business, a division of Verizon Communications, which sells consulting services to other corporations.
Since 2004, Verizon has dispatched forensic specialists to conduct CSI-like probes of nearly 600 cases of corporate data theft. In the vast majority of those cases, investigators discovered thieves routinely took days after initially penetrating a network to locate and break into valuable databases. And most often, the intruders spent weeks to years extracting data before being discovered. The length of time it takes an organization to discover that data is leaving is often five to six months after the initial breach. That pattern suggests many organizations right now have breaches they don't know about and won't discover for some time to come.
Deeper attacks
Meanwhile, data thieves are increasingly seeking out other valuable forms of business data, besides credit card records. The attack on PayChoice, a leading supplier of online payroll services, is a recent case in point. Attackers used an SQL injection hack to compromise PayChoice's public Web page but showed little interest in flushing out any credit card account data. Instead, they took e-mail addresses of workers who get paid via PayChoice's Web portal—and the names of their respective companies. This put the attackers in position to send e-mails purporting to come from PayChoice addressed to individual people.
In a two-stage attack, the first stage is often a minor foray to get relatively benign information that could be used in a more sophisticated second stage. By the time PayChoice shut down its Web site temporarily to institute fresh security measures, bogus e-mails had arrived at an undisclosed number of companies. At those firms, employees received e-mails asking them to click on a Web link to download a plug-in needed to continue accessing PayChoice's online portal. Clicking on the link actually downloaded a version of the ZeuS banking Trojan—a malicious program widely used to break into online bank accounts.
In recent months, a rash of malicious banking Trojans has taken aim at the online banking accounts of small businesses. While the end game of this particular scam is unclear, the selection of the ZeuS Trojan indicates the criminals wanted banking account log-in credentials from their victims. The next logical step would be to check balances of the pilfered accounts and go for the deep pockets.
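The log-in form weakness behind the SQL injection attacks described above (Heartland and PayChoice), shown beside its fix as an added example that is not from the article or from any company it names. The table, the account, the function names and the sample inputs are constructed for illustration, and SQLite stands in for whatever database those sites ran.

```python
import hashlib
import sqlite3

def _h(password):
    # Plain SHA-256 keeps the demo short; real systems use a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    """Build an in-memory user table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("teller1", _h("correct horse")))
    return db

def login_vulnerable(db, name, password):
    """Weak form: input is pasted into the SQL text, so quotes become syntax."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND pw_hash = '%s'"
           % (name, _h(password)))
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # A stray quote breaks the statement: proof that form input
        # reaches the SQL parser instead of being treated as data.
        return None

def login_hardened(db, name, password):
    """Fixed form: placeholders pass input as data; the SQL text is constant."""
    row = db.execute(
        "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?",
        (name, _h(password)),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a valid log-in, a name containing an apostrophe,
    # and a name whose quote and comment marker cut off the password check.
    for name, pw in [("teller1", "correct horse"),
                     ("o'brien", "x"),
                     ("teller1' --", "wrong")]:
        print(repr(name), login_vulnerable(db, name, pw),
              login_hardened(db, name, pw))
```

The `None` result from the weak version is worth logging in production: database syntax errors triggered by log-in form input are an early, cheap signal that someone is probing the page.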