
Twenty-Four Seven Security


Heartland Data Breach a Failure of PCI: Mike Rothman Explains


Mike Rothman is Senior Vice President of Strategy for eIQnetworks, and many of you are familiar with him for sharing his security expertise right here on ebizQ. In this podcast we discuss the recent fiasco of the Heartland Payment Systems data breach: what happened, how it could have been avoided, and what the threatscape looks like ahead.

Listen to or download the 9:25 podcast below:



PS: So for anybody that's not aware, can you just give me a quick overview of the Heartland data breach?

MR: Sure. Heartland Payment Systems is actually one of the credit card processors, so they're kind of -- think about them as a little bit one step removed. So you've got a merchant, you've got the merchant's clearing bank, and then you have a credit card processor. So these guys are, again, two steps removed from the actual customer, but the bad news is they actually see a huge amount of data.

And a few of their servers on their payment network were compromised with network sniffers or key loggers that were basically stealing data off of the wire or the network as it was passing by. So it's still not clear how many credit card records were actually stolen. It ranges from 10 to 15 million up to -- it could be 400 to 600 million depending, again, just based upon the volume of payments that these guys actually see.

I think fiasco is the right term because, again, hats off to the bad guys on this one -- or gals, right, because they targeted not just the bank but kind of the central repository where almost everything is and they did it successfully.

PS: Wow, that's pretty scary. Now, why exactly is this considered a failure of the PCI requirements?

MR: Well, Heartland was PCI certified. I think they got their stamp in April. And to have compromised servers be able to steal that much data -- again, even in the best case scenario where it's only 15 to 20 million different credit card records, that's still fairly significant from that perspective. So it makes you wonder about how useful PCI still is as a metaphor for security. I mean, listen, at the end of the day, PCI prescribes 12 different requirements that tend to be good common sense security practice.

But I think a lot of people fell into the false delusion that somebody that's PCI compliant is somewhat immune to being compromised or immune to hackers. And I think that from the perspective of what Heartland showed us and what Hannaford Brothers showed us, which was only maybe three or four million identities last year, but they were also PCI compliant.

What this shows us is that compliance does not equal security, and we really have to scrutinize the requirements that are within PCI to figure out whether -- obviously, they're still relevant, but at what level -- where does PCI need to go now, given that there have been two high profile breaches of PCI compliant organizations.

PS: What exactly should Heartland have done to have stopped this?

MR: Well, there's one school of thought that says there's really nothing that an organization can do to truly stop these kinds of attacks, right. It's not clear how they got in or compromised the perimeter. It's not clear to what degree the damage was done. It's not clear how long the software was on these servers that was basically stealing data.

So part of my whole philosophy which, of course, I shared when I was working with you guys at ebizQ is really this whole concept of reacting faster and monitoring your environment much more effectively. Now, the attackers always leave a trail. Now, the latest press reports have kind of indicated that the malware or the rogue files were found in an unallocated portion of disk on these servers. Well, that could mean almost anything, right.

That's not an indictment that says, oh, it was something that was done outside of the operating system, nobody could figure out how to do it. It may be just that the malware was actually deleted from the file system when they realized that they may have gotten caught from that perspective.

So, again, I mean, I think that what is important for folks like Heartland and everybody else to understand is that the attackers do leave a trail, and that monitoring for things like application changes, configuration changes, network flow data, that will all contribute some little data point to what is actually happening out there. I think that's important to keep in mind, and that's something that a Heartland and anybody else that handles that amount of credit card data really needs to take a lot more seriously.

PS: So is there a specific application you would say would've pinpointed this problem?

MR: Given that the Super Bowl was last week, right. The old adage of the Tuesday morning quarterback always completes the pass. Sure, I mean, but the reality is, without having a lot more information about the actual attack, it's really hard to definitively sit there and say if they did this, they would not have been immune. What you want to do is stop it before it becomes a total catastrophe, right.

And that's the difference between maybe in their case a million identities, just given the volume of credit card transactions that they see, versus what could potentially be 400 million identities. So I think a lot of it gets back to, again, looking at not just the log data, looking at your configurations, looking at your network flows, and really looking for anomalies.

Because, listen, it was an unnatural act, whatever it was. It wasn't supposed to be there. If they were monitoring performance, (Inaudible) characteristics on some of these servers. If they were monitoring the flow of traffic on the network, they should have seen data being sent from one server inside the network all the way out -- somewhere outside the network. That is foreign traffic. That is something that shouldn't happen in any kind of PCI compliant type of environment.

So those are clues, right. You're never going to get a smoking gun. But what you're looking for are enough clues to figure out that you have a problem and to launch a firm investigation as quickly as you can.

PS: Now, as you used to be ebizQ's resident security expert, any other threats you can scare us about right now, or maybe, hopefully, calm us down a little bit as well?

MR: Well, with this kind of technology, which is really -- think about it like a masking technology, right. It's in there, and what it's doing is it's just listening. And again, those are hard to detect because you're not doing anything different, you just have something looking over your shoulder. And whether it's a sniffer or a key logger, that's exactly what this technology does. And by the way, this isn't new stuff, right.

Key loggers have been around for at least seven to ten years. Sniffers will -- gosh, sniffers have been around for 20 years because a lot of network people use them to detect problems on their network. So this is older technology that's being used for malicious intent. And this kind of attack is -- it can do all sorts of different things, right. Most of the phishing attacks, most of the trojans and zombies, which we certainly talked about a lot on the show in the past.

All of that -- this is all the same technology. What they're trying to do is catch you in your daily activities, figure out what it is you're doing, and in effect mine that data for the stuff that's important to them, right. I do all sorts of stuff on my computer. Most of it isn't relevant to somebody that's trying to steal my identity.

But every so often, I'll go to my bank. I'll check my e-mail and enter a password, so on and so forth. That's the stuff that these guys are looking for. And the big difference between now and a couple of years ago is the fact that they're just much more effective at mining that data. So they get scads and scads of data, terabytes of data, and they're getting better at finding that needle in a haystack, which is a password, an account number, a credit card number, or CVV2, any of that kind of information.

They can check and they can find that data in their big stolen data set and that's where they're really doing the most damage.

PS: Well great, Mike, thanks so much for the info. I'd ask everybody listening to check Mike out at Security Incite as well as eIQnetworks. I imagine you guys must have some interesting stuff going on.

MR: We do and, again, PCI is something that we work with a lot of customers on to help them put the right defenses in place as well as, again, the right kind of documentation, which is critical for compliance. So you never like to see a breach, but we do think that folks can certainly do things a little bit more effectively.


Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

Peter Schooff

Peter Schooff is Contributing Editor at ebizQ, and manager of the ebizQ Forum. Contact him at pschooff@techtarget.com
