Saturday, August 11, 2007

No firewall + windows registry entry = BAD!

I can't claim the title as my own, as I pilfered it from a colleague who forwarded me this story from Storefront Backtalk about the now-infamous hacker break-in at TJX that led to the theft of hundreds of thousands of credit card numbers and other personal information. While the company had attributed the theft to rogue hackers who had infiltrated the company's wifi network from a nearby parking lot, it now looks like the attackers may have instead used an unprotected kiosk as the entry vector. The kiosk in question is normally used for taking employment applications (you've probably seen them at your local department store or supermarket). The current theory is that the attackers opened the back of the kiosk and attached a USB drive to the device that was then able to download software onto the kiosk's hard disk, and ultimately onto the corporate network (which it was connected to directly, sans firewall). Once inside the network, the attackers made quick work of any other security precautions, and went on to steal the data.

So let's do a quick review of what went wrong:

  1. Access to the employment kiosks' innards (i.e. the computer hardware) was not restricted (why on earth weren't these locked?).
  2. The computers' USB ports were not disabled, even though they served no purpose on the kiosk.
  3. The kiosks were running an operating system that could somehow be fooled into loading arbitrary software from a USB key.
  4. The kiosks were connected to the corporate network WITHOUT A FIREWALL.

And of course that partial list leaves off other burning questions, like how store employees didn't notice somebody messing around with the kiosk's innards right inside the store.

Yet, as bad as each of these problems is, they were all avoidable.

For #1, a simple padlock (key or combination) would have done fine. Padlock holes are standard issue on lots of computer cases, and most kiosks come with locking doors.

As for #2, disabling unused USB ports can often be done from the BIOS (which itself can be password protected), but if that option isn't viable, a little crazy glue works wonders.

While I normally don't flog WireSpring's products in this blog, our FireCast kiosk operating system was designed with #3 in mind. We've gone through VISA's PCI compliance testing and PABP certification process, as should pretty much anybody working inside a retail environment these days.

As for #4... well... I'm just dumbfounded. How anybody can put a device on a network these days that ISN'T behind a firewall is just beyond me. I can only hope that TJX's lesson is being learned by others who will now go and re-examine their current customer-facing applications to make sure they're as locked-down and secure as possible.
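As an added example (not part of the original post, and not a WireSpring product), here is a PowerShell script that audits a Windows kiosk against points #2 through #4 above and optionally remediates them. It assumes Windows 8 / Server 2012 or later (for the NetSecurity firewall cmdlets) and an elevated prompt; the registry locations are the standard USBSTOR service and Explorer AutoRun policy keys.

```powershell
# Added example, not from the original post. Audits a Windows kiosk for the
# mitigations discussed above; read-only unless -Remediate is passed.
# Assumes Windows 8/Server 2012+ and an elevated PowerShell session.
param([switch]$Remediate)

$findings = @()

# #2: USB mass-storage driver. Start=4 disables the USBSTOR service, so a
# drive plugged into an exposed port will not mount as a disk.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$start = (Get-ItemProperty -Path $usbstor -Name Start -ErrorAction SilentlyContinue).Start
if ($start -ne 4) {
    $findings += "USBSTOR Start=$start (expected 4: USB mass storage disabled)"
    if ($Remediate) { Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord }
}

# #3: AutoRun. NoDriveTypeAutoRun=0xFF turns AutoRun off for every drive type,
# so inserting removable media cannot by itself launch software.
$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $explorerPol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 0xFF) {
    $findings += "NoDriveTypeAutoRun=$autorun (expected 255: AutoRun off for all drive types)"
    if ($Remediate) {
        if (-not (Test-Path $explorerPol)) { New-Item -Path $explorerPol -Force | Out-Null }
        Set-ItemProperty -Path $explorerPol -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

# #4: host firewall. Every profile should be on; a kiosk sitting on the
# corporate LAN should not rely on the network to provide this for it.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.Enabled -ne 'True') {
        $findings += "Firewall profile '$($fwProfile.Name)' is disabled"
        if ($Remediate) { Set-NetFirewallProfile -Name $fwProfile.Name -Enabled True }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: USB storage disabled, AutoRun off, firewall on for all profiles'
} else {
    Write-Output 'FAIL:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

Run it without arguments from a scheduled task to get a non-zero exit code whenever a kiosk drifts from this baseline; point #1 (the padlock) still has to be checked by hand.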
