Brian Pennington

A blog about Cyber Security & Compliance


July 2014



Hospitality Industry alerted by the U.S. Secret Service on the threat of Keyloggers

The U.S. Secret Service has issued an advisory to the hospitality industry to be on alert for keyloggers on the computers in the business center. Whether your hotel received this advice or not, this is something that will undoubtedly affect your business in the near future. We’ve put together this brief guide on reacting to the advisory.

What happened?

  • According to the advisory issued by the Department of Homeland Security/Secret Service, task force agents arrested a group of suspects that had installed keylogger software on computers in various hotel business centers.

The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to banks, retirement, and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.

What is a keylogger?

How to check if a business center has been compromised

  • Physically inspect your keyboards and computers and their connections to ensure no unknown devices are present
  • Investigate active processes on the machine to determine if they are making malicious outbound communications that would be sending out the data collected by the keylogger
  • Perform a hash analysis of all files on the drive to see if they match any known malicious hash values

What to do if you have a compromised business center?

  • Remove or disconnect the computer from the network but leave the computer on and running
  • Engage a security consultant to determine the scope of the potential compromise to determine the best approach to remediate

What should you tell your compromised customers?

  • In accordance with state and industry breach rules, inform them of the facts
  • Let them know the steps you’ve taken to ensure it won’t happen again

How can you protect your business center?

  • Application and process whitelisting
  • Disable unused USB ports
  • Configure firewalls to block outbound connections to known malicious sites

Overall, the impact of this issue can be devastating to a business. Performing some or all of the proactive actions listed here can be critical to identifying these issues in your environment. In a perfect world, these proactive checks will find no evidence of intrusion or compromise. In that case, your business would be able to prove ‘due diligence’ in the face of this advisory, and could quell any customer concerns before they arose.

Written by Dan Fritsche, Practice Director, Coalfire Labs. The original post is here.
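The hash-analysis and outbound-connection checks from the guide above, scripted. This is an added example, not code from the Coalfire post or the Secret Service advisory: it hashes every file under a root directory and reports those whose SHA-256 is on a known-bad list, then parses Windows `netstat -ano`-style output and flags established sessions to addresses on a block list. The sample files, the denylisted hash, the netstat lines and the 203.0.113.9 / 198.51.100.20 addresses are all constructed for the demo (documentation address ranges); in practice the denylist and block list come from your anti-malware vendor or threat-intelligence feed.

```python
"""Business-center compromise checks: known-bad file hashes and outbound sessions.

Added example; not from the Coalfire advisory. All sample data is constructed.
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path, denylist: set[str]) -> list[tuple[str, str]]:
    """Return (relative path, sha256) for every regular file whose hash is denylisted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # devices, sockets and symlinks are not scanned here
            digest = sha256_file(path)
            if digest in denylist:
                hits.append((path.relative_to(root).as_posix(), digest))
    return sorted(hits)


# Windows 'netstat -ano' layout: proto, local addr:port, remote addr:port, [state], PID.
# UDP rows carry no state column, so the state group is optional.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+([A-Z_]+)?\s*(\d+)\s*$"
)


def flag_outbound(netstat_output: str, blocked_ips: set[str]) -> list[dict]:
    """Established sessions whose remote address is on the block list, with owning PID."""
    flagged = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # banner, column headers and blank lines
        proto, _laddr, _lport, raddr, rport, state, pid = m.groups()
        if state == "ESTABLISHED" and raddr in blocked_ips:
            flagged.append({"proto": proto, "remote": f"{raddr}:{rport}", "pid": int(pid)})
    return flagged


def run_demo() -> dict:
    """Build a throwaway directory and a constructed netstat dump, then run both checks."""
    bad_payload = b"CONSTRUCTED SAMPLE - stands in for a keylogger binary\n"
    denylist = {hashlib.sha256(bad_payload).hexdigest()}  # what a real hash feed would supply
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Program Files" / "Kiosk").mkdir(parents=True)
        (root / "Program Files" / "Kiosk" / "kiosk.exe").write_bytes(b"benign kiosk shell\n")
        (root / "Users" / "Public").mkdir(parents=True)
        (root / "Users" / "Public" / "update_helper.exe").write_bytes(bad_payload)
        file_hits = [rel for rel, _digest in scan_tree(root, denylist)]

    netstat = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    10.0.0.5:49712         198.51.100.20:443      ESTABLISHED     2210
  TCP    10.0.0.5:49730         203.0.113.9:8080       ESTABLISHED     4120
  UDP    0.0.0.0:123            *:*                                    1020
"""
    blocked = {"203.0.113.9"}  # constructed block-list entry
    return {"files": file_hits, "connections": flag_outbound(netstat, blocked)}


if __name__ == "__main__":
    print(run_demo())
```

The PID returned by `flag_outbound` is what you would take to Task Manager or `tasklist` to identify the process, and the file hit is the artefact to preserve before the machine is disconnected, which is why the guide says to leave it powered on.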



Travel company fined £150,000 after losing 1,163,996 Credit and Debit Card records

An online travel services company called Think W3 Limited has been fined £150,000 after it breached the Data Protection Act.

Think W3 Limited was hacked in December 2012 after using insecure coding on the website of a subsidiary business, Essential Travel Ltd.

A hacker extracted a total of 1,163,996 Credit and Debit Card records. Of these records 430,599 were identified as current and 733,397 as expired.

Cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed.

Stephen Eckersley, the ICO’s Head of Enforcement, said:

“This was a staggering lapse that left more than a million holiday makers’ personal details exposed to a malicious hacker.

“Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information.

“The public’s awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse. They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage.”

The Information Commissioner’s fine will be in addition to the costs levied by the Credit Card schemes under PCI and the banks.

Sony has reached a Class Action settlement for its PSN Data Breach

Sony has reached a Class Action Settlement for its PSN Data Breach (good article here Preliminary $15M Settlement Reached in Sony PSN Data Breach Class Action).

The Data Breach happened in 2011 and since then Sony has been hit by all manner of Data Protection agencies, and now they appear to have settled a class action in the USA.

However the actual final hearing on whether the settlement was fair is in May 2015 which means the sorry Sony story will have been kicked around for over 4 years.

Every time the story appears Sony users and the security industry do a double take to make sure that it isn’t “another data breach” which further impacts the reputation of the organisations.

Data Breaches have a habit of lingering like bad odours and organisations should think about that when planning their approach to Cyber Security. 

29% of Consumers Don’t Trust Retailers With Securing Their Data

“Global Consumers: Concerned and Willing to Engage in the Battle Against Fraud,” is the second in a two-part series conducted by ACI Worldwide and Aite Group. Among other findings, only slightly more than 50% of consumers feel stores where they shop use security systems that adequately protect their financial data against hackers and data breaches.

  • 29% do not trust retailers (e.g., stores, online shopping sites, restaurants, etc.) to protect stored personal and financial data against hacking attempts and data breaches.    
  • 58% think financial institutions (large multinational institutions, community banks and credit unions) do a better job of protecting their data than do retailers, or for that matter, government agencies and law enforcement.  
  • Only 55% feel stores where they shop use security systems that adequately protect their financial data against hackers and data breaches, compared to 62% who believe that online shopping websites adequately protect this information.  

Mobile Customer Engagement

  • 77% are “very interested” in being contacted about suspicious activity on their cards or accounts via a phone call, email or text message.  
  • 73% prefer that their banks not post transactions to their cards until they respond to fraud alerts. 

Consumer Awareness

  • 42% do not recall receiving any anti-fraud information from their financial institution.
  • 32% think theft by a computer hacker is the greatest fraud risk. 

Prepaid Card Implications

  • In many countries, prepaid card usage and the rate of fraud on such cards correlates. China and India have the highest rates of prepaid card fraud at 17% and 18%, respectively, and very high consumer use rates at 93% and 91%, respectively. 
  • Conversely, in countries with use rates of 70% or less, such as Australia, Canada, New Zealand and the United States, fraud rates are 4% or less, indicating that the fraud rate may rise as more consumers use prepaid cards.  

“Consumer distrust is exacerbated by the widely publicized retail data breaches over the past year,” said Mike Braatz, senior vice president, Payments Risk Management Solutions, ACI Worldwide.

“Retailers have their work cut out for them – to change consumer perception that shopping, be it online or in-store, is unsafe,” said Mike Braatz, senior vice president, Payments Risk Management Solutions, ACI Worldwide.

“Consumers want to engage in the battle against fraud. Financial institutions must take a proactive role in not only engaging customers in fraud-alerting activities, but educating them on preventative measures to take to most effectively combat it,” said Shirley Inscoe, analyst, Aite Group.

“Communication is key when it comes to financial institutions making customers aware of the tools available to fight fraud. This can have a big impact in customer satisfaction and loyalty,” said Shirley Inscoe, senior analyst, Aite Group.

65% have experienced an SQL injection attack

The second DB Networks sponsored Ponemon Institute report on the SQL injection threat has been released. 

The report explores what IT security professionals think about the likely attack chain of recent data breaches involving major retailers such as Target, Michaels and Neiman Marcus. The first report focused on how organizations respond to the SQL injection threat and their awareness about different approaches to managing this risk. 

The study surveyed 595 individuals who work in IT and IT security. The majority of respondents are familiar with core IDS technologies that detect rogue SQL statements on the network that connect the web application to the database. 

69% of respondents say their organization must comply with Payment Card Industry Data Security Standard (PCI DSS). As such, a majority of the respondents are very familiar with and required to comply with the security requirements for retailers who accept payment cards. 

SQL injection is an attack on data-driven applications in which malicious SQL statements are inserted into an entry field for execution (for example, to dump the database contents to the attacker). It exploits security vulnerabilities in an application’s software. SQL injection is most commonly known as an attack vector through public-facing websites, but it can be used to attack SQL databases in a variety of ways.
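The mechanism described above, shown as a vulnerable query beside its parameterised fix. This is an added example and not from the Ponemon/DB Networks report: it uses an in-memory SQLite database with constructed rows, and the `customers` table, the lookup functions and the probe string are assumptions for illustration. The point is the structural difference: with string formatting the user-supplied value becomes part of the SQL text, so a quote character changes the query; with placeholder binding the driver sends the value separately and it can only ever be compared as data.

```python
"""SQL injection: string-built query (vulnerable) next to a bound-parameter query (safe).

Added example, not from the report. Table, rows and probe are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed customer table: three rows, last four digits of a card on each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678"), ("carol@example.com", "9012")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The user value is spliced into the SQL text: quotes in it alter the query's structure."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Placeholder binding: the value travels separately from the statement and stays a literal."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Constructed probe of the tautology kind the report's definition refers to.
INJECTION = "x' OR '1'='1"


def demo() -> dict:
    """Run the same input through both lookups and count what each returns."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, INJECTION)),  # every row leaks
        "safe_rows": len(lookup_safe(conn, INJECTION)),              # no such e-mail, so none
        "legit": lookup_safe(conn, "bob@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The same binding discipline applies to every driver (psycopg2, JDBC `PreparedStatement`, ADO.NET parameters); the database-activity monitoring the report's respondents favour is the detective control that catches the cases where a string-built query slipped through review.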

Background on retail breaches 

Details of the recent retailer network intrusions and data breaches haven’t been readily forthcoming from either the retailers who were breached or the U.S. Secret Service, which is in charge of the breach investigations. As a result, security professionals are left to piece together the attack chain from the scant information that has been shared thus far.

Target, for example, has revealed that the credentials of an HVAC contractor were compromised. Target claims those compromised credentials initiated the attack chain that ultimately resulted in two major breaches. While certainly an interesting factoid, that information actually offers little insight into the events that ultimately resulted in the breach of 40 million credit cards and another 70 million database records containing personally identifiable information (PII).

The HVAC vendor credentials only provided access to Target’s vendor billing and invoicing system. It’s a rather long leap from those systems into Target’s POS systems. How that feat was accomplished hasn’t been made public. Further, a report by BusinessWeek revealed that Target’s IT security systems were able to identify the hacker’s suspicious activity multiple times during the attack. Unfortunately, those alerts were not acted upon by Target’s IT security staff.

Some of the key takeaways from this study include:

  • 50% of respondents believe cyber syndicates are to blame for the large retail data breaches. Only 16% believe an individual perpetrated the attack.
  • Many respondents believe notification of victims is better later than sooner. 36% of respondents would prefer to wait to notify victims until a thorough investigation has been conducted.
  • The SQL injection threat was one of the components of these retail breaches. 53% of respondents say SQL injections were used to steal sensitive and confidential information.
  • 65% of respondents say continuous monitoring of the database network, followed by advanced database activity monitoring, are the best approaches to avoiding a mega data breach.
  • 33% of respondents say they either scan continuously or daily for active databases. However, 25% scan irregularly and 22% do not scan at all.
  • SQL injection was considered by respondents to be one of the components of these attacks. 57% (36% + 21%) of respondents believe the likelihood that the attacks against the U.S. retailers involved SQL injection was 51% or greater.
  • 65% of organizations represented in this study experienced an SQL injection attack that successfully evaded their perimeter defences in the last 12 months.
  • 49% say the SQL injection threat facing their company is very significant. On average, respondents believe 42% of all data breaches are due, at least in part, to SQL injections.
  • Many organizations are not familiar with the techniques used by cyber criminals.
  • 46% are familiar with the term Web Application Firewall (WAF) bypass.
  • 39% of respondents are very familiar or familiar with the techniques cybercriminals use to get around WAF perimeter security devices.
  • BYOD makes understanding the root causes of an SQL injection threat more difficult. 56% of respondents say determining the root causes of SQL injection is becoming more difficult because of employees’ use of personally owned mobile devices (BYOD) in the workplace. Another challenge, according to 41% of respondents, is the increasing stealth and/or sophistication of cyber attackers.
  • Expertise and the right technologies are critical to preventing the SQL injection threat. While respondents see the SQL threat as serious, only 31% say their organization’s IT security personnel possess the skills, knowledge and expertise to quickly detect SQL injection threats, and 34% agree that they have the technologies or tools to quickly detect an SQL injection threat.

Find the report here

The risk to Industrial Control Systems and SCADA is believed to have substantially increased

In a Unisys-sponsored Ponemon survey of 599 global IT and IT security executives across 13 countries, only IT practitioners whose job involves securing or overseeing the security of their organisation’s information systems or IT infrastructure were permitted to complete the survey. Respondents are also familiar with security standards such as NERC CIP, NIST, ISO, PCI DSS, Sarbanes-Oxley and other regulations on the protection of information assets and critical infrastructure.

Key findings of this research

Most companies have not fully deployed their IT security programs

  • 17% of companies represented in this research self-report that most of their IT security program activities are deployed
  • 50% of respondents say their IT security activities are not yet fully deployed, with 7% saying the activities have not as yet been defined or deployed at all
  • 43% say they have defined activities but they are only partially deployed
  • 28% of respondents agree that security is one of the top five strategic priorities across the enterprise

The risk to industrial control systems and SCADA is believed to have substantially increased

  • 57% of respondents agree that cyber threats are putting industrial control systems and SCADA at greater risk
  • 11% say the risk has decreased due to heightened regulations and industry-based security standards

Security compromises are occurring in most companies

It is difficult to understand why security is not a top priority, because 67% of respondents say their companies have had at least one security compromise that led to the loss of confidential information or disruption to operations over the last 12 months. 24% of respondents say these compromises were due to an insider attack or negligent privileged IT users.

Upgrading existing legacy systems may result in sacrificing mission-critical security

36% of respondents are not confident and 18% are unsure that their organisation would be able to upgrade legacy systems to the next improved security state in cost-effective ways without sacrificing mission-critical security.

Many organisations are not getting actionable real-time threat alerts about security exploits

  • 34% of respondents say their companies do not get real-time alerts, threat analysis and threat prioritisation intelligence that can be used to stop or minimise the impact of a cyber-attack
  • 22% of those that do receive such intelligence say it is not effective
  • 15% of respondents say threat intelligence is very effective and actionable

Find the full report here.


The hospitality industry increases its adoption of Tokenization and P2PE

The 2014 (16th) edition of the Hospitality Technology magazine Restaurant Technology Study has produced an 18 page report.

Of specific interest to me was Chapter 5 Payment Security – “End of Swipe-and-Sign Looms”, the chapter states:-

The U.S. payment industry is in a period of transition. October 2015 will mark the end of swipe-and-sign. While card brands are committed to swapping mag-strip for EMV chip-based cards, the standard for authentication remains under debate: signature capture or PIN. While PIN authentication is considered the more secure option, there’s concern that Americans, who tend to have a variety of credit cards, would struggle to manage multiple PINs.

As the restaurant industry, and U.S. merchants at large, take a wait-and-see approach, HT (Hospitality Technology) measures the industry’s current and planned payment security practices in its 2014 Restaurant Technology Study.

The food service industry, with its fragmented technology, has historically been a target for card data theft. The sunset for swipe cards will be a welcome improvement. EMV preparedness is on restaurants’ radar, with 70% of those surveyed agreeing that it is important to have a well-defined roadmap for EMV preparedness.

When asked about their organization’s current approach to preparing for EMV

  • 26% report having some form of roadmap in place, likely a low figure due to the lack of a standard
  • 37% will make this a priority in the year ahead

What’s more, confusion with the current PCI DSS remains:-

  • 86% report that their organizations are “in compliance”, but far fewer are able to identify compliance with some of the 12 specific requirements
  • 72% report that their organization maintains a policy that addresses information security for employees and contractors (requirement 12 of the PCI DSS)

With payment security an ongoing process and a moving target, restaurants are leveraging third parties for assistance. More than half of those surveyed outsource their PCI compliance efforts (54%), and nearly as many (52%) have purchased some form of breach protection or insurance.

Respondents were further asked about their organizations’ use of tokenization and point-to-point encryption (P2PE). Though not a requirement of PCI DSS, these technologies can reduce scope by shrinking the footprint where cardholder data is located throughout the organization.

  • 43% use P2PE and 33% plan to add the technology by 2016
  • 36% use Tokenization and an additional 30% have future implementation plans

The full report can be found here.
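The scope-reduction argument for tokenization above, worked through in code. This is an added example and not from the Hospitality Technology study: it models a token vault that is the only component holding primary account numbers (PANs), while the merchant’s order store keeps a random token plus the last four digits, which is all a receipt or refund needs. The vault class, the token format (random digits, last four preserved, deliberately failing the Luhn check so a token can never pass as a card number) and the 4111 1111 1111 1111 test PAN are assumptions for illustration.

```python
"""Tokenization as PCI DSS scope reduction: vault holds PANs, merchant holds tokens.

Added example, not from the study. Vault design and sample PAN are constructed.
"""
from __future__ import annotations

import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check: used to reject malformed PANs and to make sure tokens never pass as PANs."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Lives in the isolated, PCI-scoped environment; the only place a PAN is stored."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:  # same card, same token: repeat-customer reporting keeps working
            return self._token_by_pan[pan]
        while True:
            # Random body, real last four; reject candidates that collide or that happen to
            # pass Luhn, so a leaked token is useless as a card number.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (for example, when settling with the acquirer) can reverse a token."""
        return self._pan_by_token[token]


class MerchantOrders:
    """Merchant-side record keeping: hands the PAN straight to the vault at capture time
    and stores only what comes back, so this system is outside the cardholder data environment."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.orders: list[dict] = []

    def record(self, order_id: str, pan: str) -> dict:
        token = self._vault.tokenize(pan)
        rec = {"order_id": order_id, "token": token, "last4": token[-4:]}
        self.orders.append(rec)
        return rec

    def holds_pan(self, pan: str) -> bool:
        """Audit helper: does any stored value contain the full PAN?"""
        return any(pan in str(value) for order in self.orders for value in order.values())


if __name__ == "__main__":
    vault = TokenVault()
    shop = MerchantOrders(vault)
    print(shop.record("order-1", "4111111111111111"))  # constructed test PAN
```

P2PE complements this on the capture side: the PAN is encrypted in the terminal and only decrypted inside the vault’s environment, so the merchant’s network never carries it in the clear either.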

Most Americans feel EMV chip cards make their debit or credit card transactions more secure

NXP Semiconductors has announced the results of its ‘Security Matters: Americans on EMV Chip Cards’ survey.

To gain further understanding of how confident Americans are in the security of EMV chip card technology and debit/credit card purchases in general, NXP polled more than 1,000 American adults on credit card usage, behavioural trends and consumer sentiment toward the electronic and cashless movement.

Attitudes towards Breaches and Retail Hacks

Overall sentiment reveals that while consumer confidence in credit card technologies remains high, Americans continue to demand better solutions that protect identity, personal information and financial data. With recent reports of compromises in security at Target, Neiman Marcus, PF Chang’s and other retailers, Americans are more likely to pay in cash following a security breach at large retailers, with 37% of the millennial age group (18 to 34 years of age) being the most likely to convert to cash. For example, 80% of Americans are confident in their financial institution and the security of their financial accounts, and 73% in the security and protection of their credit/debit cards.

However, once a security breach at a major store occurs, consumers automatically turn to less convenient forms of payment (64%) – such as cash – to complete a purchase.

Credit Card Protection Technology

Respondents were asked a number of questions pertaining to security, confidence in financial institutions and credit cards, purchasing habits, geographic location, gender and general understanding of current magnetic strip and EMV technology. When asked specifically about the underlying technologies of a credit or debit card, Americans responded favourably, with 69% stating that EMV chip cards are making their debit and credit card transactions more secure, and only 5% feeling chip cards make their transactions less secure. When asked about the tap and pay feature available on some EMV chip cards, the most common concern expressed was an increased risk of theft (61%), followed by 37% expressing concerns about being charged incorrectly for purchases.

Security and Personal Information

  • 69% of Americans feel EMV chip cards make their debit or credit card transactions more secure
  • 28% believe they are much more secure
  • 31% of men believe they are much more secure compared to 24% of women

Security of finances

  • 73% of Americans are confident in the security of their credit/debit cards, and 80% in the security of their financial accounts with their primary financial institution
  • 33% are very confident in the security of their accounts, compared to 26% feeling very confident in the security of their credit/debit cards
  • 64% of Americans say they are more likely to pay in cash after hearing about security breaches at large retailers
  • 36% say they are not more likely to pay in cash
  • 37% of 18 to 34 year olds say they are much more likely compared to 27% of 35 to 54 year olds and 23% of those 55+
  • 5% believe chip cards make their transactions less secure

“From this survey, we see a high consumer awareness of EMV chip card security and readiness to adopt secure technologies that protect credit and debit card purchases,” said Brintha Koether, Director Payments at NXP Semiconductors. “We recognize the sensitivity and loss of trust consumers immediately feel after learning of a major security breach. We have seen how secure chip technology employed outside the U.S. drastically reduces fraud as well as builds consumer confidence in card transactions, financial institutions and retailers.”

For full NXP Retail Hacks survey click NXP Study.
