The Virtual 9/11

Sept. 2, 2011
Point-of-Sale systems may be the ultimate IT Security vulnerability

Nearly everyone in the world today remembers what he or she was doing on September 11, 2001. I was on a flight from Chicago to Detroit, already in the air, when the first plane hit the towers. Our world changed channels that morning; it was as if we switched from Cartoon Network to the military channel in a blink of an eye.
In the last 10 years, I have traveled nearly 500,000 miles — from Europe to Asia to South America to Africa and back again. The increased security measures that once seemed like an incredible burden are now a normal, everyday occurrence. In an almost rhythmic cadence, I can undo my belt, remove my shoes, and extract my laptop from my bag, placing them all on the conveyor automatically.
Due to my role at Trustwave SpiderLabs, I have witnessed many cyber attacks and know firsthand what the most bleeding edge of cyber adversaries are capable of. To me, their motives, their tactics and even their core techniques have not changed in the last 20 years. These are just being applied towards newer, larger targets with greater impact. Could someone mount a devastating cyber attack against a nation or a group of nations? To fully understand how this could happen, we need to crank back the clock to understand how we got to the world we have today.

IRC Network Exploits
During my college years, I was an oper, or an administrator, of a chat server very much like the ones that the hacktivist groups call home in 2011. It was a text-based system, with private chat and file transfer capabilities. Back in the mid-nineties this system attracted nearly 10,000 people per day and was connected to a vast chat network known as Internet Relay Chat (IRC).
On this IRC network, early adopters of Internet technology explored situations that are very common for the general population to engage in today. Just as there were people who used IRC for positive motives, there were those who saw it as a way to engage in malicious activity. From time to time, virtual battles took place, typically consisting of people taking over the chat rooms of others, and kicking out all the individuals who legitimately wanted to be there. The attackers often planted bots in the rooms to maintain control. These wars eventually escalated to attacks against the systems that ran the IRC servers, the personal computers of the opers and the users of the chat network.
One morning, upon checking my inbox from my dorm room, I found hundreds of angry emails: someone had hacked into a system I used to maintain the IRC server and issued privileged commands to systematically disconnect all of the chat network servers from each other. The result was total disruption of communication between dozens of systems and hundreds of thousands of users from around the world. It took more than 24 hours to bring the entire network back online and stabilize it again.
The attacker did not exploit some zero-day vulnerability, rather, the attacker was someone known for only a short period of time and given access by someone I trusted to help maintain the IRC server.
In the 1990s, when the largest, most popular IRC network was taken out by a person with malicious intent, no one outside of the circle of opers who maintained the network knew about it. It didn’t make the news and no measurable monetary losses were measured or reported.
In today’s world, there are hundreds of thousands of networks used to communicate — all dependent on similar operating systems, applications and even network protocols. A catastrophic virtual 9/11 event might not be much more complicated than the story I just told, but we know the adversaries of today much better and an attack would not be that simple.
Simply shutting down a communication network for 12 hours may not have a lasting impact on targets. With a little imagination, they could devise a plan far more devastating. Below is just one example:

The Virtual 9/11 Stage One: The Quest for Data
Most cyber criminals of today have one main objective: to make money. But what if you took the monetary gain out of the equation? What could an organization — with the skills to both gain access to a large number of networks and systems, and to harvest its data — be able to accomplish?
To some, the first critical infrastructure that comes to mind is services such as traffic management, water treatment facilities and power grids. Cyber attacks against these types of environments, creating an outage of services, would certainly cause fear and confusion. While not impossible, performing these acts on a national or global scale would take a great deal of effort and resources. Further, shutting down the traffic management system in Chicago is likely not going to cause traffic problems in San Francisco, unless the fear itself prompts a shutdown in order to “patch” for the attack vector used.
Consider this instead: Accessing millions of systems worldwide could be easier than gaining access to a closed network such as one that controls traffic lights in a metropolitan area. Many point-of-sale (POS) systems in the world have direct access to the Internet with little protection from external attacks.
With this knowledge in hand, a terrorist group develops a piece of malware designed to seek out and infect credit card processing systems through multiple vectors: network, client-side and even social networking. The malware is truly custom and unique and is therefore not detectable by any of the anti-virus software on the market today.
Once installed on a business’s system, the malware performs two main operations: 1) it harvests credit card data in real-time and sends it to one of many different drop sites maintained by the terrorist group; 2) it connects to one of several public IRC networks and waits for commands to be sent to it by its command-and-control (C&C). Over time, the number of infected systems would grow into the millions and essentially create a payment network botnet.
In this scenario, the terrorist group is not yet interested in monetary gain, but would control this network of bots to harvest as much credit card data as possible. The harvesting of the credit card data would be for the purpose of using it to inject fear and confusion in the global payment network. They would not use a single card number for fraudulent purposes. Instead they store and catalog each card by type and the geographic location from which it was obtained. This activity could take place over a year or more, as “phase one” of their operation.
Once the terrorist group amasses a few hundred million unique credit card numbers, they then pick a date to launch phase two of their attack.

The Virtual 9/11 Stage Two: Crippling the Payment Network
In phase two, they begin to communicate with their bots via the C&C network. Using a sophisticated backend system, they systematically inject fraudulent transactions into the payment network via the millions of PC-based POS systems they control; however, they don’t just use random cards from their database at random locations controlled by their botnet. Instead, they make the transaction seem real based on the geographic location of the target systems compared to the location where the cards were harvested. For example, if they obtain a card from a pizza restaurant in Chicago they would NOT use it at a pub in London; rather, it will be used at a sandwich shop a few blocks away to avoid triggering any fraud detection systems used by the credit card companies.
Over the course of a few hours, hundreds of millions of accounts and a million compromised payment systems could be used to inject more than ten billion dollars in fraud into the payment network. Once discovered, the only likely solution is to suspend all transactions until the situation can be investigated, otherwise there is a risk the fraud will rapidly continue to grow. If not stopped or noticed, the fraud could easily reach a hundred billion dollars or more in less than 24 hours. Essentially, the entire payment network would not be able to differentiate between millions of legitimate transactions and millions of fraudulent ones.
The result of an attack of this nature by a terrorist organization could have crippling effects on our world. Millions of business and consumers would not be able to accept or use credit cards to make purchases. Massive aggregate loss in revenue could occur at the small business level. For the credit card companies and the world’s largest financial institutions — and everyone else involved or dependent on payment cards — core business activity would be paralyzed. This is the “Virtual 9/11” — as many businesses would be paralyzed.
You can imagine where this goes next. The global shutdown of credit as a method of payment for even a few days would have lasting effects on the economy. Businesses large and small would be affected. Individual consumers relying on credit would have to start using cash (if they have it) and many will defer purchases typically made via e-commerce.

Protect Yourself
For executives and managers who are tasked with ensuring their company does not suffer a security event, the following few strategic initiatives will be a good place to start to develop a defense-in-depth strategy.
• New technology: Invest in modern hardware and get rid of old systems, especially those that have been decommissioned by the vendor.
• Patching systems: Implement a Web application firewall (WAF) and apply a virtual patch to protect applications based on the result of the security testing. The development teams can then create a fix for the vulnerability — once it has been validated, the Virtual Patch can be safely removed from the WAF.
• Control remote access to closed networks: Third-party vendors and their products introduce vulnerabilities, mostly as a result of default, vendor-supplied credentials and insecure remote access implementations.
• Empower Incident Response Teams: The incident response team should have access to the security team’s notifications or information stored within log aggregation or analysis systems, such as a security information and event management (SIEM) system. Empower the team to investigate even the most obscure issues.
Cybercriminals will never stop trying to obtain valuable or proprietary data. By reviewing your information security infrastructure, paying particular attention to existing vulnerabilities, the assignment of security responsibilities to specific individuals or groups, and how data flows within the organization, business leaders can reduce the threat and impact of a security incident.
While taking these actions may not prevent every attack, the outlined initiatives above can be either be the start of a good defense, or affirmation that a good security strategy is in place. A comprehensive, defense-in-depth strategy for information security can help reduce risk, protect sensitive information and ultimately safeguard a company’s reputation.

Nicholas J. Percoco is senior vice president and head of Trustwave SpiderLabs, with more than 14 years of information security experience. Percoco acts as the lead security advisor to many of Trustwave’s premier clients and assists them in making strategic decisions around security compliance regimes.