BlackHat 2014 Part 1: Memory Scraping – That’s Gonna Leave a Mark

Over 8,000 security professionals and enthusiasts gathered in Las Vegas this month for a very successful BlackHat 2014 US Conference. Deemed one of the top security conferences of the year, researchers, federal agencies, security firms, critical infrastructure, foreign governments and just plain old hackers met to discuss and demonstrate the threats we’re all currently facing and the outlook of the cyber-security landscape.

You’re never more than a few steps away from a sign reminding you you’re at a security conference, and due to the “exploratory” nature of (some) of our fellow attendees, you’re warned to keep your Wi-Fi & Bluetooth disabled and other communications devices off unless you really want to cause yourself some grief. Story after story about phones being wiped or hijacked could be heard walking down the hallways. Some people consider it fun, others are unsuspecting while others are simply gluttons for punishment. I wasn’t taking any chances, especially after seeing some of the demonstrations of what’s capable first hand. My devices were off. If you need to get a hold of me, grab a pen and a pad of paper!

Here a Breach, There a Breach…
We’re all well aware of the weekly (sometimes daily) breach reports of payment card data, and there was no shortage of discussion of these topics at BlackHat. 2 million account numbers here, 80 million PANs there. How are thieves getting this data? How can we stop them? How do they keep coming back? Why is the sky blue? Slava Gomzin, Payments Technologist at HP and author of the book “Hacking Point of Sale” outlined these points in his session at the TripWire booth. PCI’s Point to Point Encryption recommendations are intended to protect card holder data throughout the transaction. Technologies such as XYPRO’s Data Protection (XDP), which provide Format Preserving Encryption (FPE) and Secure Stateless Tokenization (SST), go even further to secure that precious data while at rest.

Say Hello to Memory Scraping
These types of advancements naturally leads to thieves seeking out new attack vectors and more creative methods to get access to the data while in transit at specific points that aren’t encrypted.

Memory scraping, or RAM scraping is, quite simply, an advanced form of skimming. Memory scraping involves installing malware on the retailer’s POS system which then exfiltrates payment card data directly from system memory. Nearly undetectable, it sits quietly as it siphons off card data as it’s swiped in plain text format. Memory scraping is not new and retailers aren’t the only target. Multiple industries from healthcare to hospitality to food service and others have, at one point or another, been the target of these attacks, but retailers get the most press because of the sheer volume card numbers and the value of the data.

What Do We Do?
We have to protect sensitive data and XYPRO’s top 10 list describes how this can be accomplished on the HP NonStop server, but what other attack vectors are thieves using to compromise POS systems? To look at this, we’ll have to look at how the POS is connected to the rest of the network and how its access is managed. The United States Department of Homeland Security recently put out an advisory warning of the attack vectors used for installing memory scraping malware. Default weak credentials of remote desktop or remote access software are the prime targets of attackers as well as vulnerabilities in software running on internet exposed servers. Once the credentials to the remote connection are compromised using alternate methods, attackers can install software, including memory scraping software, on that system. .

There are currently no reliable methods to detect memory scraping malware, so security and antivirus companies are quickly scrambling to come up with a solution. In the meantime we rely on compensating controls outlined in PCI-DSS requirements to protect the systems that hold any type of card data. These include using hardened credentials with two factor authentication, using account lockout setting and firewall rules, limiting access to what the logged on user can do and changing the port remote desktop is listening on as well as several others. These types of small, but obviously powerful changes can and should significantly reduce the attack vector these thieves can target.

Next time we’ll dig deeper into some of the other more popular BlackHat discussions including the vulnerabilities with USB devices, the OMA-DM protocol on mobile devices and Bruce Schneier’s review on the State of Incident Response.

Steve Tcherchian, CISSP
XYPRO Technology

One Response to “BlackHat 2014 Part 1: Memory Scraping – That’s Gonna Leave a Mark”

  1. [...] month, we explored data breaches involving memory scraping – how payment card information can get into the hands of thieves by siphoning off unencrypted [...]

Leave a Reply