Security of Point-of-sale devices

Along with the rise in successful attacks on retailers, there has also been a rise in concern about the vulnerability of point-of-sale (POS) devices. Target, Subway and Neiman Marcus are all good examples of why a hacker would choose the POS device as a target: the rewards are both far-reaching and highly lucrative.

Particularly with POS devices, it’s impossible to emphasize enough the difference between compliance and security. The two cannot be equated and are sometimes not even in the same ballpark. The Subway breach is a case in point: you can be PCI DSS and PA-DSS compliant and still be exploited if you leave other security measures untended.

Following the guidance in the NACS/PCATS 8-point plan is a good way to stay on top of those other security measures, which improve not only compliance but also security. It describes a layered approach that protects POS devices beyond the local device itself. One of the most important elements is keeping the PA-DSS compliant payment application up to date and compliant, but it is just as imperative to keep every other application residing on these systems patched. Segmenting the POS devices onto their own network and eliminating direct internet access from the POS device protects them further. US-CERT’s Alert TA14-002A, released in January 2014, emphasizes many of the same points for protecting POS devices.
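The segmentation advice above is easy to state and hard to verify. The following is an added example, not code from this post or from Shavlik, that audits connection records from a POS segment against an allowlist: terminals may reach only the payment gateway, the patch server and internal DNS; nothing on the POS subnet may reach the internet directly; and only the management segment may initiate connections into it. The subnets, hosts, ports and flow records are constructed for the example and are assumptions rather than data from the post.

```python
"""Audit connection records from a POS segment against an egress/ingress allowlist.

Added example; not code from the original article or from Shavlik.
The subnets, hosts, ports and flow records below are constructed.
"""
import ipaddress
from collections import Counter

# Constructed network layout (assumption).
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# What a POS terminal is allowed to initiate: (destination network, port, protocol).
ALLOWED_EGRESS = [
    (ipaddress.ip_network("10.50.1.10/32"), 443, "tcp"),   # payment gateway over TLS
    (ipaddress.ip_network("10.50.2.20/32"), 8530, "tcp"),  # internal patch/WSUS server
    (ipaddress.ip_network("10.50.3.5/32"), 53, "udp"),     # internal DNS resolver
]

# Segments allowed to initiate connections *into* the POS subnet (management/patching).
ALLOWED_INGRESS_SOURCES = [ipaddress.ip_network("10.50.2.0/24")]

# Constructed flow records: src_ip,dst_ip,dst_port,proto (one connection per line).
SAMPLE_FLOWS = """\
10.20.0.11,10.50.1.10,443,tcp
10.20.0.11,10.50.3.5,53,udp
10.20.0.12,10.50.2.20,8530,tcp
10.20.0.12,203.0.113.9,80,tcp
10.20.0.13,10.60.7.7,445,tcp
10.20.0.13,10.20.0.14,3389,tcp
10.60.7.7,10.20.0.11,3389,tcp
10.50.2.20,10.20.0.11,135,tcp
192.168.1.5,192.168.1.6,80,tcp
this line is not a flow record
"""


def parse_record(line):
    """Return (src, dst, port, proto) or None when the line is malformed."""
    parts = line.strip().split(",")
    if len(parts) != 4:
        return None
    try:
        return (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                int(parts[2]), parts[3].strip().lower())
    except ValueError:
        return None


def is_private(ip):
    return any(ip in net for net in PRIVATE_RANGES)


def classify(record):
    """Classify one connection relative to the POS segmentation policy."""
    src, dst, port, proto = record
    if src in POS_SUBNET:
        if dst in POS_SUBNET:
            return "pos-lateral"            # terminal-to-terminal traffic has no business purpose
        for net, allowed_port, allowed_proto in ALLOWED_EGRESS:
            if dst in net and port == allowed_port and proto == allowed_proto:
                return "ok"
        if not is_private(dst):
            return "direct-internet"        # the path the post says to eliminate outright
        return "unexpected-egress"          # internal destination, but not on the allowlist
    if dst in POS_SUBNET:
        if any(src in net for net in ALLOWED_INGRESS_SOURCES):
            return "ok"
        return "unexpected-ingress"         # something outside management reaching a terminal
    return "ignored"                        # traffic that never touches the POS segment


def audit(lines):
    """Run the policy over flow lines; returns verdict counts and the violating lines."""
    counts = Counter()
    violations = []
    for line in lines:
        if not line.strip():
            continue
        record = parse_record(line)
        if record is None:
            counts["malformed"] += 1
            continue
        verdict = classify(record)
        counts[verdict] += 1
        if verdict not in ("ok", "ignored"):
            violations.append((line.strip(), verdict))
    return {"counts": dict(counts), "violations": violations}


if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS.splitlines())
    for line, verdict in report["violations"]:
        print(f"{verdict:<20} {line}")
    print(report["counts"])
```

Feeding real firewall or NetFlow exports through a check like this, on a schedule, turns "the POS segment has no internet access" from a design intent into something you can show evidence for during an assessment.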

As we approach the Windows XP End of Life (EOL) in April, concerns have been raised about how broadly ATMs rely on Windows XP Embedded. While XP Embedded itself is still supported until 2016, many of the systems supporting the ATMs will remain dependent on Windows XP and will go unpatched after April. The concern is that platforms whose risk of exploitation rises after EOL will remain in contact with POS devices.

Many banks have already been in negotiations with Microsoft to extend support for these dependent XP systems. Extended support will allow banks to deploy private-release critical security patches to them, but this may require additional effort on the part of the IT teams to package the private patches for delivery to the EOL systems. If your company is choosing to extend XP support beyond the April EOL date, contact your vendor regarding custom patch support. Shavlik has done this in the past with the EOL of Windows NT and Windows 2000, and we are already discussing this type of service for customers who know they will have a prolonged dependency on Windows XP.

Many of the banks will be moving to Windows 7 Embedded, but are holding off for a few years to wait for the chip-and-PIN rollout before performing the migration. By the time most have made the switch, it will be time to start looking at the next migration, as they will have about three years until Windows 7 Embedded reaches its own EOL and the problem repeats.

Last week our content team released support for Windows 8.1 Embedded. For the Shavlik customers who have already been requesting support for this platform, it is available now. For those customers upgrading to Windows 7 Embedded, that platform is already supported as well. For more information, please visit http://www.shavlik.com/solutions/patch-management/


Protecting my Mom – New Generation of Attacks Threaten us All

Most days I sit comfortably at my desk behind multiple layers of defenses keeping myself and my machine from harm. I sip my coffee and don’t even think about defending myself from threats; instead most of my energy is focused on how we push forward in our industry against those armies of darkness that seek to compromise our privacy and security and exploit information for their own cause. This week was different. In three different cases, I found myself at the center of the attack. It was humbling, and at the same time reminded me of how much work we have to get done.

What scares me the most is the unsuspecting prey that countless hackers stalk. I’m knowledgeable about what and how hackers try to exploit victims. But I worry about my friends and family members that don’t have that same savvy knowledge. I think about my Mom, using the internet for her banking and the occasional check of Facebook… little does she know she’s in the epicenter of the attacks.

So this blog is the first of a series of three chronicling my last week. I want to share with you three attacks that happened to me in the hopes that it gives you a flavor for where attacks are coming from nowadays. No longer is it the rogue link to install software or the email bomb that just annoys you. It’s a whole new world where callers, innocent internet checks, and group emails all lead towards exposure.

MONDAY:  Attack 1 – “Windows Service Center”

Last Thursday, I ended up getting home a bit early from a week of travel. It was about 4:00 p.m. and the house phone rang. It was just me and my kids at home. My kids range in age from seven to eleven and in most cases, it would have been them to answer the phone, but I happened to be there. I grabbed the phone, looked at the number and saw it was originating from New York. With family on the East coast, I didn’t think twice about grabbing the phone. After five seconds with no one speaking, I should have just hung up, but I stuck this one out. Then it happened… the attempted hack started.

The caller identified himself and began, “Hello this is XXXXXX from the Windows Service Center.” Intrigued, I decided to let him continue. “We have detected you have a computer virus on your machine and we’re here to help fix it.” At this point, my hack-o-meter instantly was pegged and I knew this was a scam, but for fun, I decided to let this play out. I asked, “How do you know I have a virus?” He responded, “Because we have systems that detect these sort of things.” I asked, “How do you know it is my machine?” He retorted, “Because we in America spy on our citizens.” I had to laugh at this one; to use that approach was fascinating, and more curiously, based on background noise, I firmly believe this call was not originating in the United States. Again, I pushed a little bit harder, “I have two machines in my house, which one is it?” He then responded, “I’m sure it is all of them, so we’ll fix them both.”

If memory serves me right, I was cutting the tops off some strawberries in the kitchen at this point and he asked me to go over to my computer. I told him I was in front of my computer even though I was still cutting up strawberries. He started off by asking me to go to my Control Panel in Windows and told me that my Windows Firewall wasn’t active. WOW! I thought to myself, this is an impressive scam! Sure enough he successfully told me what to click (if I actually was in front of the computer) to navigate to my Windows Firewall and then told me the instruction to disable it because “bad software had taken it over.” Pretending I did, we continued. I asked him, “Are we done now?” To which he responded that he’d need access to my machine to make sure. I told him that I didn’t know how to do that and he asked me to go to some website by an IP address. Of course, at this point he began to see through my ruse. I told him I couldn’t get there but asked him what was there and he told me it was something “like a WebEx or online meeting” where he could control my machine.

He pushed really hard to get me there, but after a few more questions from me he started to get VERY mad. Not to mention I had moved onto rinsing some peppers and the water running was likely giving me away too. He told me, “You could be arrested if you don’t eradicate this virus” and even played off the emotional heart-strings, “you are exposing your family to harm.”  Then he crossed a line that I’ve never seen before, “I’m not asking you to go here, I’m telling you that you must” as his voice took on a threatening tone.

At this point, I told him that I needed to speak with a supervisor to validate this was the right thing to do. A man got on the line, didn’t identify himself and when I asked where they were and what company they worked for, you could tell I now was the one trying to go after them.  After I told them how shallow it was to attack innocent people like this, he blurted out a few expletives and mumbled some other inappropriate comments before hanging up.

If I had played his game, I have no doubt that the website I would have gone to likely would have been a way for them to remote control into my computer and more than likely it would have been used to download some Malware onto my machine. Things like key-loggers to capture my every password, my access, and even troll around my machine for some good documents that I might have. No doubt, my machine would have gone from a well-protected one to one that was riddled with Malware with a firewall turned off. All scary realizations for me.

…But could this have turned out differently?

What’s more scary though is I still play this story out with the “what-if” scenarios. What if my son had answered the phone? What if my wife had answered the call? Would they have played along or have gotten off the phone before damage was done? If they had played along, would the call have ended so innocently that they’d not have shared what happened with me? Could they have used my home machines (which don’t have valuable data) as a conduit to my work one, which definitely is more sensitive? The caller had the skills to make themselves sound believable, and the pressure-cooker capabilities of a time-share salesperson. They were well skilled to have seen this be a success.

On the heels of this event, I did everything I could to trace this attack back. It turns out the NY phone number was masked and it was originating from an exchange in India. The IP address website I was asked to access was from China. The call-back information was obviously invalid and I didn’t take the charade far enough to get more data to track them down. Hindsight being 20/20, I wish I had spun up one of my Malware Virtual Machines to access their website and see what else they did or at least trace the traffic from that event back to a more authoritative location so I could snoop back at them. More than likely they were using the computer of their previous victim, so that likely would have led nowhere, but nonetheless, I came up short on sleuthing this one.

Beyond the attack on me, I went online and began to search for the keywords from this conversation, “Windows Service Center” and a few others. It turns out there were more than a few dozen of these attacks reported, each recounted a story like mine, and in many cases, the victims acknowledged they were successfully exploited as part of this attack.

The Moral of Part One

What’s the moral of this story?  There is no safe phone call and there is no innocent phone call. Unfortunately, it won’t take you long to go online and search and find other scams like this. Just this week we heard of the IRS phone scam defrauding millions from people impersonating the IRS. Some tips for all of us (and my mom) on this one:

  1. If someone calls, unfortunately, don’t trust them and make sure you validate their identity.
  2. Watch for key signs that the call is illegitimate. Ask yourself, does the caller ID number make sense? If it is “Unknown” really question it. If it is from outside of your home country, question it as well.
  3. If they are legitimate, they should be fine with you calling them back. Ask for their number and extension and ring them to validate you have a good number for them. At the same time however, if they give you an out of country number, DON’T CALL IT. This is a different type of scam…
  4. Never put yourself at risk doing something you know is wrong. Your firewall is there for a reason. We write patch-management software for a reason, never let someone ask you to take it down.
  5. If someone asks you to do something suspicious like go to an unverified website… don’t do it.
  6. Never… EVER… let them pressure you with commands or threats to do something you don’t want to.
  7. Call the authorities and email us. This activity is illegal and is a cybercrime. By you reporting it, people like me find out about it and then we go after these criminals.
  8. When in doubt, call/email me before you do anything… and I’m not just talking about emails from my mom… I’ll take emails from anyone on subjects like this.

I wish there was a switch on the wall that I could flip for us all to turn off the darkness.  Unfortunately, there isn’t. In the interim though, we’re here to make it safe for us all as best as we can. Be safe everyone.

Replace Dell Patch Authority Ultimate with Shavlik Protect

Dell offered Patch Authority Ultimate to its customers looking for a complete patch solution but not wanting the unwanted burden of a full client life cycle solution. Dell announced the end of life of the product last year and will discontinue support for the product on May 31, 2014.

RIP PAU

Having a good patch solution and process in place is critical to managing all the software updates in an organization, including both the OS and third-party applications. Dell Patch Authority did a good job keeping your systems up to date, but with the end-of-life announcement, you are now faced with a choice of either patching manually (unacceptable), using multiple tools to patch your enterprise, or choosing a more full-featured systems management product, which tends to be much more expensive.

Now that you’ve heard the bad news, let’s hear the good news. Shavlik Protect offers many of the same features of Dell’s Patch Authority and can even use the same patching database you have already built for your enterprise with Patch Authority.  For customers who are currently using Patch Authority, now is a good time to take a closer look at Shavlik Protect.

Stay tuned for my next blog where I go into details around product strategy for a large organization such as Dell.

March Patch Tuesday Round Up

What would Patch Tuesday be without a Critical IE Cumulative Update? It would probably just feel wrong. So it is no surprise that the lead-in patch for this month was an IE Cumulative Update, rated Critical, covering a whopping 18 CVEs. Needless to say, this is the most important update to push for March.

There was also a Security Advisory for IE and an update from Google Chrome to add plug-in support for the Adobe Flash patch released on the 11th. While this Flash update was only rated Priority 2 (by Adobe’s definition of severity), it replaces APSB14-07 from February 20th, which was a Priority 1 and resolves three CVEs of a more serious nature. Unless you are patching your endpoints multiple times each month, that makes the Flash update a high priority in our opinion. The other two Flash updates we have seen so far this year (1/14 and 2/4) resolve three additional high-priority CVEs. Long story short, UPDATE FLASH!

Google Chrome had an update to the Stable Channel resolving 4 high-priority CVEs and 3 additional, less severe vulnerabilities. The 4 highs plus the Flash plug-in push Chrome into the spotlight with IE and Flash this month. Roll those three product updates out ASAP!

Aside from that, Microsoft did have another Critical update this month, for DirectShow (MS14-013), which should be a priority. While no active attacks have been identified yet, the vulnerability could allow Remote Code Execution if a user is enticed to open a JPG file in IE. This type of exploit reemphasizes the importance of the least-privilege rule: it can mean the difference between giving the attacker the keys to the kingdom and the keys to the room they entered.

The Important bulletins for March may not be as high a priority, but there are two Security Feature Bypass fixes, in the SAMR protocol and in Silverlight. Although possibly more difficult to exploit and not currently being exploited in the wild, you will want to roll these out in a timely manner. There is also a Kernel-Mode Driver update. Again, it is only rated Important, but as with all kernel updates, you will want to ensure proper testing before rolling it out.

For these types of updates and more, join us each month for the Shavlik Patch Tuesday webinar, where we discuss the Microsoft and third-party updates that affect you and your users. We focus on Patch Tuesday, but we also discuss what happens in between. Remember, 86% of reported vulnerabilities are in third-party applications. Those vendors do not release on the same schedule as Microsoft, and what happens between Patch Tuesdays can often be more important than what happens on Patch Tuesday.


Windows IT Pro Weighs in on Shavlik Patch

You’ve heard a lot of talk from us about the new Shavlik Patch for Microsoft System Center, but you may be wondering, “What are people who don’t have the word ‘Shavlik’ on their business cards saying about this new product?”

Windows IT Pro Community Manager Rod Trent answered just that in his article Shavlik Patch for System Center Simplifies Securing the Other 86 Percent of Windows Vulnerabilities. Trent is a leading expert on Microsoft System Center technologies and has more than 25 years of IT experience.

Here are some of his insights.

  • “…86% of reported vulnerabilities come from third-party applications, 10% comes from the operating system itself, and 4% is attributed to the hardware.”
  • “Shavlik Patch for System Center takes a normally manual process for third party application patches and automates it such that administrators can have the confidence that the ‘other 86%’ of known vulnerabilities are covered.”
  • “Shavlik was one of the first vendors to understand the need to patch products other than those provided by Microsoft. …the company knows patching.”
  • “Configuration is easy and scheduling is provided to automate the download of deployable .cab files and publishing of updates.”
  • “In addition to the console integration, the product also takes full advantage of the capabilities built into ConfigMgr for targeted deployments of software patches.”

Learn more about Shavlik Patch for Microsoft System Center or download a free trial here.


March Patch Tuesday Advanced Notification

Microsoft has announced this month’s Patch Tuesday release.  There are 5 total patches expected to be released on Tuesday, March 11th. Here is the breakdown for this month:

Security Bulletins:

  • Two bulletins are rated as Critical.
  • Three bulletins are rated as Important.

Vulnerability Impact:

  • Two bulletins address vulnerabilities that could allow Remote Code Execution.
  • One bulletin addresses a vulnerability that could allow Elevation of Privileges.
  • Two bulletins address vulnerabilities that could lead to Security Feature Bypass.

Affected Products:

  • All supported Windows operating systems
  • All supported Internet Explorer versions
  • Microsoft Silverlight 5

Join us as we review the Microsoft and third-party releases for March Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, March 12th at 11 a.m. CST.  We will also discuss other product and patch releases since the February Patch Tuesday.

You can register for the Patch Tuesday webinar here.

Windows XP: Bring on the Viruses

Here we are, just a couple of months away from the EOL of Windows XP. If you haven’t already started on the migration, you’re not the only one. Many companies know that they will not make the EOL date for migrating all of their XP systems, and many more know they will have XP systems remaining for some time after it. I am not here to talk about migrating, but I would like to address the risks of having such a well-known product residing in your environment after the vendor stops releasing security patches for it.

For an operating system you can expect around 3-5 critical security patches to affect that system each month, in components such as the kernel, .NET, XML, IE or DirectDraw. After Microsoft stops releasing patches publicly, the threats don’t disappear; they go unpatched. Hackers know this and are looking forward to May 15th. But Windows XP is not your only concern: products like IE, Office, Java, Adobe Reader and Flash, and more, all have EOL versions still present in many companies today. Java 6, for instance, has been EOL for over a year now. Off-the-shelf hacking toolkits have been available for as little as $450 that allow a hacker to exploit any publicly reachable Java 6 install and launch their payload.

It is unreasonable to think you can eliminate all threats, so what you need to do is mitigate the risk where you know you must keep an EOL product around and eliminate it where it is not needed. I will be teaming up with Stephen Pritchard and Infosecurity Magazine later this month for a webinar called “Diffusing the End of Life Timebomb”. We will be joined by a panel of experts and will discuss the need to keep these products around, the risks in doing so, and how to mitigate those risks, including:

  • Understanding the software you have in your environment and identifying dependencies;
  • Identifying risks, and alternatives to at-risk systems;
  • Looking for alternative solutions that do not have this dependency;
  • Premium support options;
  • Virtualisation and even hardware upgrades to remove end-of-life systems from the network.
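The first two items above, knowing what you have and which systems depend on it, are the ones that can be automated. The following is an added example, not code from this post or from Shavlik, that matches a software inventory against a small lifecycle table, flags what is already unsupported or about to be, and shows which roles depend on each at-risk product. The hosts, roles and inventory lines are constructed for the example. The lifecycle dates are public vendor end-of-support dates as the author of this example knew them (the Java 6 date is approximated to the month); check them against the vendor’s lifecycle pages before relying on them.

```python
"""End-of-life exposure report over a software inventory.

Added example; not code from the original article or from Shavlik.
Hosts, roles and inventory lines are constructed.  Lifecycle dates are
public vendor end-of-support dates as known to the example's author;
verify them against the vendor before relying on them.
"""
from datetime import date

# (product, version prefix) -> last day of public security updates.
LIFECYCLE = {
    ("Windows XP", "5.1"): date(2014, 4, 8),
    ("Windows XP Embedded", "5.1"): date(2016, 1, 12),
    ("Windows 7 Embedded", "6.1"): date(2020, 10, 13),
    ("Java", "1.6"): date(2013, 2, 1),    # Oracle ended public Java SE 6 updates in February 2013 (day approximated)
    ("Java", "1.7"): date(2015, 4, 30),
}

HORIZON_DAYS = 90  # flag anything whose support ends within this window

# Constructed inventory: host,product,version,role
SAMPLE_INVENTORY = """\
# host,product,version,role
atm-ctl-01,Windows XP,5.1.2600,atm-controller
atm-ctl-01,Java,1.6.0_45,atm-controller
pos-term-07,Windows XP Embedded,5.1.2600,pos-terminal
pos-term-08,Windows 7 Embedded,6.1.7601,pos-terminal
kiosk-02,Windows XP,5.1.2600,lobby-kiosk
kiosk-02,Java,1.7.0_51,lobby-kiosk
fileserver-01,Windows Server 2008 R2,6.1.7601,file-server
"""


def eol_status(product, version, as_of, horizon_days=HORIZON_DAYS):
    """Return (status, days_until_eol); days is negative once support has ended, None if unknown."""
    for (name, prefix), eol in LIFECYCLE.items():
        if name == product and version.startswith(prefix):
            days = (eol - as_of).days
            if days < 0:
                return ("unsupported", days)
            if days <= horizon_days:
                return ("ending-soon", days)
            return ("supported", days)
    return ("unknown", None)   # not in the table: needs a lifecycle lookup, not silence


def build_report(lines, as_of, horizon_days=HORIZON_DAYS):
    """Classify every inventory row and roll the results up by host and by dependent role."""
    findings = []
    counts = {"unsupported": 0, "ending-soon": 0, "supported": 0, "unknown": 0}
    at_risk = set()
    dependencies = {}   # at-risk product -> roles that run it
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue   # malformed row; a real job would log it
        host, product, version, role = parts
        status, days = eol_status(product, version, as_of, horizon_days)
        counts[status] += 1
        findings.append({"host": host, "product": product, "version": version,
                         "role": role, "status": status, "days": days})
        if status in ("unsupported", "ending-soon"):
            at_risk.add(host)
            dependencies.setdefault(product, set()).add(role)
    return {
        "findings": findings,
        "counts": counts,
        "hosts_at_risk": sorted(at_risk),
        "dependencies": {p: sorted(r) for p, r in dependencies.items()},
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_INVENTORY.splitlines(), date(2014, 3, 15))
    for f in report["findings"]:
        if f["status"] != "supported":
            print(f"{f['status']:<12} {f['host']:<14} {f['product']} {f['version']} ({f['role']}, days={f['days']})")
    print("hosts at risk:", report["hosts_at_risk"])
    print("roles depending on at-risk products:", report["dependencies"])
```

The "unknown" status is deliberate: a product missing from the lifecycle table is a gap in your knowledge, not evidence of safety, and the report keeps it visible. The dependency map is what turns a list of old versions into the conversation the webinar items above describe: which business function needs this product, and whether premium support, an alternative, or removal is the right answer for it.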

So join us on March 27th and let’s discuss how to mitigate the risks to your environment with solutions that work.