Data thieves exploiting flaws in retail systems and the public cloud
Most of us know the denizens of cyberspace include some shady characters but recent news about the bad guys using Amazon's cloud was the latest of a series of noteworthy events for those watching security trends. The ability of criminal rings to deploy botnets and install trojans has become a serious threat. In May 2009, for example, a federal judge ordered the shutdown of Pricewert, LLC (3FN.NET), a rogue ISP that recruited nefarious users involved in phishing, child porn and using botnets to distribute spam and malware.
The recent episode of an Amazon Web Services cloud instance being used to distribute malware caught my eye because it followed on the heels of a lawsuit that's made news in the restaurant industry. In both cases, security flaws enabled hackers to use trojans to install keyloggers to steal financial information.
Restaurant owners are suing for losses because the keylogger enabled cyber thieves to steal credit card information using the Aloha point-of-sale (POS) system from Radiant Systems. The lawsuit involves systems installed by a US distributor for Radiant Systems, with Radiant and the distributor named as co-defendants. Law enforcement has prosecuted criminals in past cases of data thefts, but there could be an increase of victims suing for damages caused by security breaches from flawed software. That would have important ramifications for the public cloud providers for whom security has been a persistent obstacle to cloud adoption.
In December 2009, an Amazon Web Services EC2 instance was part of a scheme to use a botnet for propagating a trojan for malicious purposes. In November 2009, researcher Jose Nazario of Arbor Networks reported a similar security problem involving the use of Google AppEngine for botnet command and control.
Don DeBolt, the director of threat research for Computer Associates' (CA) Internet Security Business unit, reported the Amazon EC2 instance was used to control a Zeus botnet intended to receive stolen banking information captured by a keylogger. DeBolt was one of the contributors to the recent CA report "State of the Internet 2009: A Report on the Ever-Changing Threat Landscape."
CA found that the Internet was a much greater distribution threat than e-mail or removable media. The CA report indicates that trojans are currently the most prevalent form of malware, far outranking virus, worm and spyware infections. The report also notes that "banking trojans are flourishing".
The Internet provides a channel for all sorts of nefarious activity so any organization should adhere to the guideline that security measures are necessary for any system with an Internet link. Retailers such as 7-Eleven and TJX have been hacked, along with payment processing organizations such as Heartland Payment Systems and Hannaford Brothers. The Heartland and Hannaford crimes involved a single criminal ring that reportedly acquired data for 130 million credit cards. The Heartland case involved the installation of malware that captured information as credit card charges were being authorized.
In November 2009 testimony before Congress, Steven R. Chabinsky (Deputy Assistant Director, Cyber Division of the FBI) noted the FBI and Secret Service had been involved in the Heartland and Hannaford investigation. He testified that in 2008 there had been a staggering number of Internet crime complaints filed by consumers. More than 70,000 of the complaints were referred to law enforcement agencies for investigation. Steven Chabinsky testified:
"At the consumer level, the FBI established and leads the Internet Crime Complaint Center (IC3) in partnership with the National White Collar Crime Center. The IC3 website (www.ic3.gov) is the leading cyber crime incident reporting portal, having received 275,284 complaint submissions in 2008 alone."
Court cases in Louisiana show that victims are willing to take other legal action besides filing a complaint with law enforcement. Users of the Aloha POS software are involved in multiple lawsuits over the theft of credit card information via the Internet. The defendants include Radiant Systems and one of its distributors, Computer World. The lawsuits illustrate that restaurant systems with an Internet connection are vulnerable to cyber crime if the systems are not hardened.
A press release from the plaintiffs illustrates a new resolve among victims of security breaches:
"This finding of alleged negligence is at the heart of a collective action lawsuit filed by seven restaurants claiming that hundreds of customers had their identities stolen as a result of poor business practices and faulty software from Radiant and Computer World (the distributor)."
The press release said the United States Secret Service was involved in the investigation of the credit card data thefts. The attorney for the defendants, Charles Hoff, noted that Radiant and Computer World said "their software and business practices are PCI-DSS compliant". On its web site, Radiant Systems reports the company's commitment to the payment processing security standard:
"Our security effort begins with a commitment to ensuring that our systems are validated as meeting the Payment Card Industry (PCI) Payment Application Data Security Standard (PA DSS)."
Software versions may be germane to the question of Aloha POS vulnerability. One of the issues of the lawsuit is whether the Aloha POS stored credit card information, which is a violation of the PCI DSS standard. The plaintiffs' petition alleges:
"The unnecessary storage of cardholder data made this software and its users high risk targets for data breaches."
The threat level was likely related to which version of the Aloha Suite software was running at each restaurant. Different specifications for payment application security were in play as different versions of the Aloha POS suite were released.
The Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS) was derived from Visa's Payment Application Best Practices (PABP) specification. According to the PCI Security Standards Council, the Aloha Suite 5.3.15 was validated prior to the PABP 1.3 specification, with that validation expiring 2 December 2009. Aloha Suite 6.1 was validated according to PABP 1.3, with its validation expiring 2 June 2010. Aloha Suite 6.2 was validated according to PABP 1.4 with its validation expiring 2 December 2010. Aloha Suite 6.4 and 6.5 were validated according to PA-DSS v1.2 and their validation expires 2 October 2013. For new deployments Aloha Suite 6.x versions are acceptable, but the 5.3.15 version is not recommended.
The PA-DSS version 1.1 specification was published in April 2008, with version 1.2 following in October 2008. The version 1.1 specification states that payment systems that store magnetic stripe data after authorization are out of compliance. In the Requirements and Security Assessment Procedures for PCI-DSS version 1.2, there's a list of 14 requirements including:
"Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data"
The Aloha POS is reportedly addressing that aspect of PA-DSS v1.2 spec compliance with a token replacement scheme for credit card information that uses an off-site secure server for credit card number storage. Other requirements for compliance include replacing vendor-supplied default passwords and security parameters when the payment application is installed and using encrypted communications.
With cloud computing having become the Next Big Thing, there's been interest in moving applications and databases to the cloud. This raises questions about the capability of specific cloud infrastructure and platform providers to support payment processing applications that comply with the PCI-DSS version 1.2 standard. Section 12.8.2 stipulates:
"Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess."
Amazon has stated it is not currently possible to support applications that are compliant with PCI level 1 using an EC2 instance and Amazon S3. Today building a PCI level 1 application in the cloud would require a token replacement system that uses an external, secure server for storing encrypted credit card information. Providers of tokenized payment services include IP Commerce, CyberSource, Payments Gateway, USEPay and zoPay.com.
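The token replacement scheme mentioned for the Aloha POS above, and again here for cloud-hosted payment applications, as an added example written for this page (it is not Radiant's code nor that of any tokenization provider named): a stand-in vault issues random tokens, the POS retains only the token, last four digits and expiry, and a check scans retained records for the track, CVV2 and full-PAN data that PA-DSS says must not be kept after authorization. The vault class, field names and sample swipe are assumptions constructed for illustration.

```python
import re
import secrets

# Fields of sensitive authentication data that PA-DSS says must not be kept after
# authorization, plus patterns for a bare PAN and for track-2 style "PAN=expiry" data.
SAD_FIELDS = ("track2", "cvv2", "pin_block")
PAN_RE = re.compile(r"\b\d{13,19}\b")
TRACK2_RE = re.compile(r"\d{13,19}=\d{4}")

# Constructed sample swipe: the standard Visa test number with fictitious track data.
SAMPLE_CARD = {"pan": "4111111111111111", "exp": "1212",
               "track2": "4111111111111111=12121010000000000", "cvv2": "123"}

def luhn_ok(pan: str) -> bool:
    """Mod-10 check used by payment card numbers."""
    digits = [int(c) for c in reversed(pan)]
    doubled = [d * 2 - 9 if d * 2 > 9 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

class TokenVault:
    """Stand-in for the off-site secure server: the only place a full PAN is stored."""
    def __init__(self) -> None:
        self._pans = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        token = "tok_" + secrets.token_hex(16)  # random; no relation to the PAN
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pans[token]

def authorize_and_store(vault: TokenVault, card: dict) -> dict:
    """POS path: the full card goes to the processor for authorization (not modelled);
    only a token, the last four digits and the expiry are retained locally."""
    token = vault.tokenize(card["pan"])
    return {"token": token, "last4": card["pan"][-4:], "exp": card["exp"]}

def retains_prohibited_data(record: dict) -> bool:
    """Compliance check over what the POS actually kept: SAD fields or a full PAN."""
    if any(field in record for field in SAD_FIELDS):
        return True
    for value in record.values():
        if isinstance(value, str) and (TRACK2_RE.search(value)
                                       or any(luhn_ok(m) for m in PAN_RE.findall(value))):
            return True
    return False
```

Running `retains_prohibited_data` over `SAMPLE_CARD` itself (the "before" picture, where the swipe is written to disk) flags it, while the record returned by `authorize_and_store` passes.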
Just as protecting our credit card information is a reasonable requirement for a retail POS system, so it is for a payment application hosted in the cloud. If it's based in a public cloud such as Amazon Web Services, securing the AWS instance is a reasonable expectation, as is complying with the PCI-DSS specification.
The cloud computing marketplace is fluid these days so it remains to be seen what the future of payment processing applications in the cloud will be. PCI compliance is not a legal requirement. But it's conceivable that Amazon Web Services, Microsoft Azure, Rackspace, Joyent and other providers would require PCI compliance of any payment processing applications that are hosted in their cloud.
One has to wonder whether the restaurants' lawsuit is the canary in the coal mine; is it an indication we'll see more litigation over security holes and database breaches?