Just like the detectives do on weekly television crime dramas, put yourself in the mind of the bad guy. Pretend that you’re the criminal who brokers stolen personal information with organized crime syndicates overseas. Put yourself behind the eyes of the malicious hacker who plans to breach merchant networks and compromise wholesale volumes of consumer payment card information, the kind of information that can be bartered within the internet’s dark underbelly.
How would you do it?
In the security industry, it is widely accepted that in exploring possible attack vectors to breach the network perimeter, malicious hackers will always choose the path of least resistance. And more often than not, the vulnerabilities they choose to exploit exist somewhere in the application layer of the system architecture. By launching attacks against application layer vulnerabilities within merchant point-of-sale (POS) installations, the bad guys are effectively given a platform to touch sensitive information residing within those systems. Namely, they get access to sensitive payment card information.
POS attacks are really heating up. Within the last 12 to 18 months, the majority of cases involving network breach and subsequent data compromise occurring at merchant and restaurant networks were facilitated through the exploitation of legitimate remote access tools existing within those systems. These are legitimate tools installed on POS systems for remote administration, maintenance and break-fix situations by the vendors who sell and manage those systems. Often it’s the business proprietors themselves who utilize these remote access tools. For instance, settling transactions from home falls under typical, legitimate usage.
However, be it through poor patch management or lackadaisical password configurations, the intruders are slipping into merchant networks through these otherwise legitimate remote access applications and stealing personal information. From a cost/benefit perspective, the remote access attack vector offers the identity fraudster huge potential payout for moderate effort.
Two of the most common remote access applications are Virtual Network Computing (VNC) and pcAnywhere.
VNC is a desktop sharing system that uses the Remote Framebuffer (RFB) protocol to control a computer from a remote location. It offers the user “at-the-keyboard” access by transmitting keystrokes and mouse clicks from one computer to another over a network. Unfortunately, VNC version 4.1.1 has a serious application vulnerability that allows malicious intruders to bypass the authentication procedure normally required to access the system. That means that any POS server that touches the internet with VNC version 4.1.1 “listening” can be accessed by anyone over the Internet at any time. There’s even a user-friendly GUI-based exploit tool to accomplish this at Metasploit, an open-source platform for developing, testing, and using exploit code.
Similar to VNC, pcAnywhere by Symantec offers remote connectivity to systems. The application’s many features, including 256-bit AES encryption capabilities and bandwidth auto-detection tools, have made it a favorite among network managers and systems administrators. As with many technical vulnerabilities, pcAnywhere is most often exploited through the human element – weak, obvious, and sometimes even non-existent passwords.
Merchants and restaurants whose POS systems suffer a breach and subsequent account data compromise through the exploitation of pcAnywhere invariably discover that the username and password used to protect access to their network were left at the default setting. Sometimes it’s as simple as the name of the vendor who provided and manages the systems. Or worse, in some cases the password has been removed altogether.
As both of these otherwise valuable tools are being exploited by malicious hackers to breach systems and access personal consumer credit card data, businesses should do two things. First, it is imperative that they reassess the necessity to have VNC or pcAnywhere alive and “listening” at their POS controllers. If there is not a strong business critical reason for the existence of either or both of those applications within the systems architecture, get rid of them. It can mean significantly fewer headaches in the long run.
If that’s not the case, and there is a true business-critical reason to maintain either of these two applications, then lock them down. If you run VNC, patch your systems immediately and upgrade to the most recent version, VNC 4.1.2. If you are a merchant or service provider running pcAnywhere, lock down your passwords. Institute a mandatory alphanumeric password policy. Require that passwords are changed every 45 days.
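The first step above, finding out which POS controllers still have VNC “listening” and what authentication they demand, can be checked from the network side. The script below is an added example (not code from the article or from any VNC vendor): it completes only the RFB version exchange, records the security types the server offers and disconnects before any authentication is attempted. It assumes the standard VNC port 5900, and note that the RFB banner does not identify the vendor build (4.1.1 versus 4.1.2), so confirming the patch level still means checking the installed software on the host.

```python
import socket
import struct
import sys

# Security type numbers from the RFB protocol specification.
SECURITY_TYPE_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

def parse_rfb_version(banner):
    """Parse the 12-byte 'RFB xxx.yyy\\n' banner a VNC server sends first; returns (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or not banner.endswith(b"\n"):
        raise ValueError("not an RFB ProtocolVersion banner: %r" % banner)
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)

def parse_security_types(version, data):
    """Parse the message that follows the version exchange. RFB 3.7 and later send a
    count byte then one byte per offered type; RFB 3.3 sends one 32-bit type chosen
    by the server. A count of zero (or type 0) means the server refused the client."""
    if not data:
        return []
    if version >= (3, 7):
        count = data[0]
        return list(data[1:1 + count])
    return [struct.unpack(">I", data[:4])[0]]

def assess(types):
    """Findings a POS operator should act on, derived only from what the server offered."""
    findings = []
    if 1 in types:
        findings.append("security type None offered: anyone who can reach the port gets the desktop without a password")
    if not types or 0 in types:
        findings.append("server refused the handshake (no usable security type)")
    if 2 in types and 1 not in types:
        findings.append("password-protected: make sure it is not the vendor default")
    return findings

def audit_vnc_listener(host, port=5900, timeout=3.0):
    """Connect, read the banner, answer with the same version, record the offered
    security types and disconnect before any authentication is attempted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        version = parse_rfb_version(banner)
        s.sendall(banner)          # the ProtocolVersion reply uses the same wire format
        data = s.recv(256)
    types = parse_security_types(version, data)
    return {"version": version, "security_types": types, "findings": assess(types)}

if __name__ == "__main__":
    # Usage: python audit_vnc.py <pos-controller-ip> [...]  (hosts you are authorised to audit)
    for host in sys.argv[1:]:
        print(host, audit_vnc_listener(host))
```

Run it against the inventory of POS controllers on a schedule; any host that answers at all belongs on the “do we still need this?” list from the first step, and any host offering type None needs attention the same day.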
Bottom line: do whatever it takes so that your business — and your network — are not the lowest hanging fruit for the bad guys.
-J. Andrew Valentine is a security consultant in the Investigative Response Unit within Cybertrust.