Network World

Stiennon onSecurity

by Richard Stiennon

Lessons learned from Hannaford breach

By stiennon on Mon, 03/31/08 - 2:30pm.

As a frequent chronicler of data breach incidents, it is my duty to chime in on the Hannaford Supermarket data breach. There are two aspects of this and previous breaches that should be considered. One is best practices in disclosure: what should you do when your organization is the victim of data theft? The other is the mechanics of the attack, including the who, what, why, and where.

Just to get you caught up, here is the chronology of events. On February 27th Hannaford was notified by FirstData, the massive credit card transaction processor, that there was unusual activity that could be tracked back to Hannaford, indicating a likely theft of credit card data.

By March 10th Hannaford says it had isolated and addressed the security problem, and on March 17th it disclosed the loss of 4.5 million credit card numbers. Only after their data disclosure responsibility was questioned by the State of Massachusetts did they reveal, in a letter, the extent of the intrusion: they had found Trojan software on servers in all 300 Hannaford stores.

Notice that the breach was discovered by FirstData, not Hannaford's security team. This evokes memories of the other two massive credit card thefts in recent history: both the theft at CardSystems International and the one at TJX were discovered by the credit card associations. This is pretty easy to do, and thankfully these organizations are doing simple analysis of fraud reports. Here is how it works. Several dozen people report erroneous charges on their credit cards. Visa, MasterCard, or in this case FirstData, just compare all the places those people shopped in the previous couple of weeks. If there is a common store among even a very small sample, you have your source of leakage. That the retailers are not aware of the breach is a very strong sign that they have inadequate security measures in place.
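The "compare where the complaining cardholders shopped" procedure described above is what the card industry calls common-point-of-purchase analysis. The following is an added example written for this post, not code from Network World, FirstData or any card association; the transaction records, card identifiers, merchant names and report dates are all constructed, and the 14-day look-back and 50% share threshold are assumed tuning values, not industry figures.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample data (not real transactions): (card_id, merchant, transaction_date).
TRANSACTIONS = [
    ("card-01", "Hannaford #12", date(2008, 2, 15)),
    ("card-01", "GasCo",         date(2008, 2, 17)),
    ("card-02", "Hannaford #12", date(2008, 2, 16)),
    ("card-02", "Bookstore",     date(2008, 2, 20)),
    ("card-03", "Hannaford #12", date(2008, 2, 14)),
    ("card-03", "GasCo",         date(2008, 2, 18)),
    ("card-04", "Coffee Cart",   date(2008, 2, 20)),
    ("card-04", "Hannaford #12", date(2008, 1, 20)),  # older than the look-back window
    ("card-05", "GasCo",         date(2008, 2, 14)),  # card-05 never reported fraud
]

# Constructed fraud reports: card_id -> date the cardholder disputed a charge.
FRAUD_REPORTS = {
    "card-01": date(2008, 2, 25),
    "card-02": date(2008, 2, 26),
    "card-03": date(2008, 2, 27),
    "card-04": date(2008, 2, 27),
}


def common_point_of_purchase(transactions, fraud_reports, window_days=14, min_share=0.5):
    """Rank merchants by the fraction of complaining cards that used them shortly before the report.

    For each card with a fraud report, collect the set of merchants it used in the
    `window_days` before the report date (a card using a merchant twice counts once).
    Then count how many of the reporting cards share each merchant and return the
    merchants whose share of reporting cards is at least `min_share`, highest first.
    """
    merchants_per_card = {}
    for card, merchant, when in transactions:
        report_date = fraud_reports.get(card)
        if report_date is None:
            continue  # only cards with a dispute contribute to the analysis
        if report_date - timedelta(days=window_days) <= when <= report_date:
            merchants_per_card.setdefault(card, set()).add(merchant)

    shared = Counter()
    for merchants in merchants_per_card.values():
        shared.update(merchants)

    total_reports = len(fraud_reports)
    return [
        (merchant, count / total_reports)
        for merchant, count in shared.most_common()
        if count / total_reports >= min_share
    ]


if __name__ == "__main__":
    for merchant, share in common_point_of_purchase(TRANSACTIONS, FRAUD_REPORTS):
        print(f"{merchant}: used by {share:.0%} of reporting cards")
```

On the constructed data the Hannaford store is shared by three of the four complaining cards, which is the signal FirstData would have acted on. Note that a merchant almost everyone uses (a gas station, a big-box chain) also scores high on raw share, so a production system has to compare a merchant's share among complaining cards against its share among the non-complaining population before declaring it the leak.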

Note that CardSystems went out of business after their breach event. TJX has set aside over $200 million to account for potential liability. In addition, the FTC just announced a settlement with TJX that requires them to undergo a comprehensive security assessment as well as twice-annual security audits overseen by the FTC for the next twenty years. This is the same onerous penalty that the FTC slapped BJ's Wholesale with in 2003, and I am sure Hannaford will eventually see similar sanctions.


Let's look more closely at the methodology used in the Hannaford case. There are various news reports that depict the management of Hannaford as confused and shocked at the "unique" use of Trojan Horse malware to steal information from them. Trojan software is malware disguised as something else when it is installed on a remote computer. It can then be used to steal files, record keystrokes, even take over the computer. Trojan Horses are the simplest way to infiltrate a network. They arrive as email attachments, can masquerade as PowerPoint presentations, and they can be easily modified to avoid detection by any signature-based AV program. Trojans such as the Storm Worm are said to infect hundreds of millions of machines on the Internet. The Haephrati Trojan was used to steal hundreds of documents from dozens of companies in Israel. A Trojan Horse was implicated in the CardSystems International case. Hardware and software Trojans were used in the Sumitomo Bank heist. And the Chinese Red Army has infamously used Trojan Horses to blanket the world in the most massive case of industrial espionage in history. Any reader of my blog knows of the dangers of custom Trojans.

Lessons learned from the Hannaford case? That retail organizations are being targeted. This attack appears to be almost complete and most likely emanated from overseas. Being a target for attacks means a different level of security preparedness is required. Firewalls plus AV are not enough. Encryption is required, at rest and in motion. Behavior analysis and alerting systems have to be in place: not IDS, but something that can detect when authorized insiders have changed their behavior. Investment is required.
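One concrete form of the "detect when authorized insiders have changed their behavior" requirement is a per-account baseline: learn what volume of activity an account normally produces, then alert when a day falls far outside that baseline. The example below is added for this post and is not code from Hannaford or any vendor; the account names and daily export counts are constructed, and the baseline length (10 days), sigma multiplier (4) and minimum standard deviation floor are assumed tuning values.

```python
from statistics import mean, pstdev

# Constructed sample (not real logs): for each account, the number of customer
# records it exported per day, oldest day first. The POS service account is
# steady for twelve days and then exports 6000 records on day 12.
DAILY_EXPORTS = {
    "pos-svc-store12": [40, 45, 38, 42, 44, 41, 39, 43, 40, 42, 41, 44, 6000],
    "analyst-jane":    [200, 180, 220, 210, 190, 205, 195, 215, 200, 210, 198, 205, 215],
}


def flag_behavior_change(series, baseline_days=10, sigma=4.0, min_stdev=1.0):
    """Return (day_index, value) for every post-baseline day above mean + sigma * stdev.

    The first `baseline_days` values define the account's normal range. `min_stdev`
    floors the standard deviation so that a perfectly flat baseline does not turn
    every one-record change into an alert.
    """
    if len(series) <= baseline_days:
        return []  # not enough history to judge anything yet
    base = series[:baseline_days]
    threshold = mean(base) + sigma * max(pstdev(base), min_stdev)
    return [
        (day, value)
        for day, value in enumerate(series[baseline_days:], start=baseline_days)
        if value > threshold
    ]


def scan_accounts(exports, **kwargs):
    """Run the baseline check over every account and keep only those with alerts."""
    alerts = {}
    for account, series in exports.items():
        hits = flag_behavior_change(series, **kwargs)
        if hits:
            alerts[account] = hits
    return alerts


if __name__ == "__main__":
    for account, hits in scan_accounts(DAILY_EXPORTS).items():
        for day, value in hits:
            print(f"ALERT {account}: day {day} exported {value} records, far above baseline")
```

The point is that the POS service account is fully authorized to read customer records; a firewall or AV product has nothing to say about it, and only a comparison against its own history exposes the jump. A real deployment would baseline several dimensions (destination hosts, hours of activity, record counts) and re-learn the baseline slowly so that a patient attacker cannot train it upward.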

To the executives of retail operations, answer this question: do you want to invest in security now, or wait until after a major breach when you have the FTC breathing down your neck for the next eighty quarters?

Write me. Tell me what you think about data protection.  

Tip of the Iceberg?

It is hard to believe that this is the only such breach going on. No doubt that the investigation will show that other retailers have been affected by similar Trojans.

If I were a retailer, I would be doing a top-to-bottom security analysis; and praying very, very hard.

Tip of - probably

As long as money has been around there has been fraud, and even before that. Now, computer systems don't change that, except maybe make it more widespread and faster. And credit card companies seem to do good work (sometimes annoying when you use the card across the country or in a foreign country), but it is after the fact.
The business has to get more security conscious. It doesn't have to be difficult or expensive if you have inside people who understand security (all of it!) and don't go buying vendor solutions all over; they may know technical details, but they don't know your business (mostly).
An example is the insurance business: a lot of money to gain, but they have very good security and risk groups. Trust me, I used to work in that field, and sooner (most often) or later any fraud is found out. It is part of business; someone tries some scam, and there is no bulletproof (technical) way to avoid it all, but the idea is to be as secure as you can and catch it as fast as you can.

About Stiennon onSecurity

Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.
