Via Wired.com -
Methods of stealing data are becoming increasingly sophisticated, but attackers are still gaining initial access to networks through known, preventable vulnerabilities, according to a report released by Verizon Business on Wednesday.
“The attackers still usually get in the network through some relatively mundane attacks,” said Wade Baker, research and intelligence principal for Verizon Business’s RISK Team, in an interview. “But once they’re in, they’re getting more and more adept at getting the data they want and getting it effectively and silently. And we seem to be on a plateau in terms of our ability to detect [them].”
For example, while companies have been expanding their use of encryption to protect bank card data in transit and in storage, hackers countered with RAM scrapers that grab data during the few seconds it’s unencrypted and transactions are being authorized.
“A paper was published about the theoretical possibility of this about three years ago,” Baker said. “But 2008 was the first time we saw [the attacks] live and active. It is a fairly sophisticated attack to be able to grab data from memory.”
The attacks are detailed in a new report issued by Verizon’s RISK Team, which conducts forensic investigations for companies that experience a breach. The report supplements the company’s 2009 Data Breach Investigations report, released in April. That report also indicated that thieves were conducting “more targeted, cutting-edge, complex” attacks, but provided few details.
The supplement provides case studies, involving anonymous Verizon clients, that describe some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.
In one case, for example, a simple SQL injection attack opened the door for intruders to breach the entire network of an unidentified consumer banking institution. Once inside, the attackers got into the hardware security modules (HSMs) for the bank’s ATM system, from which they were able to grab account numbers and PINs.
Another card processor was also breached through a SQL injection attack. In this case, the attackers installed “an extensive array” of packet sniffers on the processor’s network to map it out and locate card data. They then installed keystroke loggers to record administrative passwords, used those to get into the core payment system, and installed further sniffers that siphoned off millions of transaction records.
Another Verizon case involving POS systems affected a number of unrelated supermarkets across the country that were all breached through an attack originating from a single IP address in South Asia.
The attacker used legitimate credentials to gain access, and the systems did not share a common default login: each supermarket used different usernames and passwords. Verizon discovered that the supermarkets had all hired the same third-party firm to manage their POS systems. It turned out that an attacker had hacked the firm and stolen its customer list, which contained the unencrypted log-in credentials the firm used to access the POS system at each supermarket.