The Hacker Factor Blog

In my last two blog entries I have been very critical of CompUSA. First, there is the risk from selling of pieces of their point-of-sale systems as they go out of business. And second, there was the reply that stated that their PoS system didn't save credit card numbers; this misstatement by their Director of Technology Services raises more doubts about their understanding of security.

The risk from information stored on hard drives has been known for years. CNet's Robert Vamosi pointed out an instance in 2003 when two MIT graduates purchased drives online and at swap meets, only to find many drives with personal and sensitive information. I have personally purchased computers at auctions and found sensitive information on each and every one of them.

One would think that in an era of hypersensitibity for personal information, that we would take better care of our data and computers. However, one would be mistaken...

On the heels of the CompUSA risk comes another announcement: a contractor for global investment management firm T. Rowe Price lost laptops containing sensitive data on the hard drives. The data was reportedly unencrypted.

In their privacy policy, T. Rowe explicitly states:

We maintain physical, electronic, and procedural safeguards to protect your personal information. Within T. Rowe Price, access to such information is limited to those who need it to perform their jobs, such as servicing your accounts, resolving problems, or informing you of new products or services. Our Code of Ethics, which applies to all employees, restricts the use of customer information and requires that it be held in strict confidence.

The key item is "which applies to all employees". A contractor, CBIZ Benefits and Insurance, lost the drives, not employees. It seems that T. Rowe Price does not require contractors to maintain the same safeguards. (I should mention that neither T. Rowe Price nor CBIZ mention this information breech in their web site press release pages.)

As the Internet Storm Center's Marc Sachs told me, "Yes, when encryption is as easy as a mouse click it's insane that people don't use it to protect themselves." In fact, most of today's operating systems have encryption systems built-in -- you just need to turn it on. For older systems, cryptographic file systems are available.

Frankly, anyone not using disk encryption on a laptop is just plain stoopid. This is regardless of whether you are storing SSNs or obviously personal information. If we had learned anything from Sebastian Boucher, it is that anything on your laptop could be used against you. Encryption is always your friend.

However, the ineptitude from the recent laptop theft does not stop with stolen data. T. Rowe spokesman Brian Lewbart is quoted as saying: "there is no reason to believe the burglars were after the data on the machines." What does T. Rowe think the thieves will do with the stolen laptops? I doubt that the thieves plan to use the laptops to run Linux. No - they will probably sell them at a pawn shop or swap meet or auction for cash. Remember when the VA recovered their stolen laptops? They were sold on the black market, out of the back of a truck. And all data was still intact.

Saying that the thieves were unlikely interested in the drives does not make the situation any better. Hopefully an intermediary will flash-install the drive with a bootleg version of Windows. But there is a very good chance the computers will be sold as-is... and you just know that the buyer will look at the drives.

[Update 2008-01-28: I received feedback from Fujitsu Transaction Solutions. They state: "No Fujitsu Transaction Solutions software is on TJX POS terminals or back office servers." This blog entry has been corrected to reflect this feedback.]

My previous blog entry voiced a concern about point-of-sale vulnerabilities. In particular, some CompUSA stores are reported as only accepting credit card purchases. As CompUSA sells off everything in their stores, they increase the risk of selling off parts from their point-of-sale solution. This increases the likelihood customer information exposure.

In response to my blog posting, I received the following comment from Mark Gertenbach:

You may not understand very much: PCI compliance will not allow credit card information to be stored IN the POS.

CompUSA isn't owned or run by CompUSA any more... the same company that owns dozens of other companies that are going out of business owns it now- and as far as not accepting cash- so one local person screws up and you site the entire chain-not sure that is very clear thinking The 7000 people that lost their job went to work everyday to didnt all NOT care, worked hard to make a dollar, and are now working toward closing the storedown, or are already left. Try to put yourself in that position just for a moment.

Rebates are often forced on the retailer from the manufacturer in order to protect their "price vs. value" and they have the final say...Best Buy is accountable for a missing rebate check I never got- but I don't blame them entirely, the manufacturer has done their part to make that happen as well.

As for prices- the less retailers there are ( no matter if it is CompUSA, Macy's, Bombay Co. or someone else that is being liquidated) means eventually prices will go UP at Best Buy and Walmart, and they will be happy to tell you they are still the low price- there will be no one left to compete at any level. Prices have already gone up a Best Buy on certain things.

Dear Mr. Gertenbach,

As CompUSA's director of technology services, I am pleased to have you respond to my blog entry. However, I believe you are mistaken.

You stated that "PCI compliance will not allow credit card information to be stored IN the POS." This is false. The closest PCI comes to any such statement is under the PCI Data Security Standard (DSS) Requirement 3: "Protect stored cardholder data" and the PCI PIN Entry Device (PED) checklist item B7 "Sensitive information shall not be present any longer or used more often than strictly necessary." There is absolutely nothing in the PCI that says a PoS device (branch server, terminal, or PED) cannot store credit card information. I strongly recommend that you download and read the PCI DSS and PCI PED security specifications.

As an example of a PCI-compliant PoS device, you should take a look at the Verifone Vx-series. These are PCI PED compliant PoS devices and they can store credit card information (only accessible with the proper password).

Nearly every point-of-sale system stores credit card information. For non-PED devices, storage is required for common tasks, such as reconciling the day's sales and addressing register discrepancies. As I mentioned in my paper, Verifone, IBM, Panasonic, and other PoS vendors all explicitly store credit card information. The paper includes references to technical specifications and manuals that describe exactly how to recall the stored credit card information.

Beyond the cash registers are the branch servers. These also store credit card information. Card storage at the branch servers led to last year's huge TJX compromise and the 2006 OfficeMax compromise. These compromises happened because PoS systems stored credit card numbers on the back end.

Last October a group of merchants formally requested changes to the PCI and card processing system. In particular, the credit card industry currently requires the storage of credit card information for as long as 18 months. The merchants want this requirement removed. Their argument is that thieves cannot steal what does not exist. However, the credit card industry has not yet addressed this request.

Back to your company: CompUSA is reported as using "an IBM 4690, an SAP system running on Microsoft SQL Server 2000, and a collection of Oracle databases". How does CompUSA plan to liquify these systems? And what will happen to the local servers found in each store? Unless all drives are securely wiped, it is highly likely that sensitive and personal information will be compromised if any of the hard drives ever get outside of CompUSA.

CompUSA is also reported to use Verifone PoS devices. According to these documents, CompUSA may use the Verifone Omni 7000 terminal. These PED terminals are designed to work with PoS devices that do store credit card information, even if the terminal itself does not.

Your second point was that "CompUSA isn't owned or run by CompUSA any more". A change in management does not alter the point-of-sale systems, the fact that the they are liquifying over 100 stores, or reduce the risk of exposure.

You also mentioned the people who will be losing their jobs as the stores close. While some people at CompUSA probably did care about their jobs, the consistently rude and ignorant service and support staff seriously tarnished CompUSA's reputation. While this may have been a minority, they were highly visible. I should point out that this is based on my personal experience as well as testimonials from other unsatisfied customers. And while I have not visited every CompUSA, the service was consistently bad among the stores I visited -- in California, Nevada, Texas, Illinois, Hawaii, and Colorado.

Your third issues concerned rebates. You wrote: "Rebates are often forced on the retailer from the manufacturer in order to protect their 'price vs. value' and they have the final say". You are effectively saying that vendors are conducting price fixing and exhibiting anti-competitive behaviors. Perhaps that is why the FTC pursued charges of fraud and deceptive practices against CompUSA's rebate program.

However, if what you say is true about the requirement for rebates, then it would not explain why an item at CompUSA needs a mail-in rebate, while the same item at OfficeMax and Circuit City does not require a mail-in rebate. In the cases that I have seen, the same item sells for the same discounted price, or within a very small difference. It is my understanding that rebates are a negotiation tactic between the merchant (e.g., CompUSA) and the product vendor in order to offer a product for a lower price. The lack of rebate payment, as even you pointed out, is effectively a bait-and-switch tactic. It is no wonder BestBuy decided to phase out rebates by 2007. (I should point out that it is 2008 and BestBuy has not yet totally phased out mail-in rebates.) Similarly, OfficeMax decided to end their mail-in rebate program. In contrast, CompUSA never phased out rebates.

Finally, you mention that prices will go up as physical retailers become rarer. This is a point of debate since it is based on demand and competition. Brick-and-mortar merchants are competing against online merchants, so prices cannot become too high. And there are always "urgency" and "local access" factors, where online retailers will never succeed. For example, when you need an replacement part right now and cannot wait for Amazon to ship it out. Customers pay for convenience. However, my previous blog entry only compared physical merchants. There is no reason for CompUSA to be almost consistently more expensive than competing stores. Even at 20% off, I saw no "bargain prices" at CompUSA.

What we are right now seeing is Darwinism among technology merchants. The high priced, unfulfilled mail-in rebate merchants with poor customer service are the first to go. I do not believe that CompUSA will be missed.

Mr. Gertenbach: I suggest you take the time to learn more about your field. Good luck on your next job.

When I think about tech stores that people dislike, a few always come to the top of the list. First, there is BestBuy. Their prices are higher than OfficeMax, their mail-in rebates rarely ever pay back (at least, I've still not received my last 3 rebates), and their employees seem to actively run and hide if you have a question. BestBuy is a truly horrible store. (As an aside, I now refuse to buy anything based on a mail-in rebate. If the in-store price is not better than other stores, then I go elsewhere.)

While some people dislike Circuit City, my experiences have not been too bad there. Then again, I rarely find anything I want to buy. I seem to buy more technology products from Target than Circuit City.

However, one tech store has been consistently bad: CompUSA. Their prices are high -- when I can find the prices. You see, the tags on the shelves don't clearly list the prices. Everything has a company code that cannot be easily matched to tags. I frequently don't know how much things costs. They also have mail-in rebates that, as far as I know, never paid back. And compared to CompUSA, the blue-shirted helpers at BestBuy are friendly and knowledgeable.

When CompUSA announced that they were going out of business, nobody mourned the loss. (But lots of people recalled bad experiences.) However, it just seems that they are not going out of business fast enough, and the horror stories continue to pile up.

The most recent story is that a CompUSA store refused to accept cash for a purchase. This led to many different hostile responses; some based on fact and some not. For example, many people complained that this was illegal. However, shops and businesses do not need to accept cash.

As CompUSA goes out of business, I can fully understand why they would not want cash transactions for large purchases. First, without a long-term future, the company would not be able to recoup losses from large counterfeit purchases. In contrast, fraudulent in-store credit card purchases would not be too significant. Second, they could cut back on armored car services (for additional savings).

However, I see a much bigger screw up coming down the line. CompUSA will be closing 103 stores. Some stores are already selling shelving and displays. I really expect them to sell the store's computers and point-of-sale systems in the last few days. And those will almost certainly contain credit card, customer, and corporate information. In my paper on Point-of-Sale Vulnerabilities, I mentioned the risk from using credit cards during going-out-of-business sales. CompUSA is just asking for more problems. Their compromise will probably be the next big thing.

Thanks to the Funsec mailing list for the link to the story and legal interpretation.

[Disclaimer: I am not a lawyer and this is not legal advice. It is just common sense.]

A recent court case has the network and security community in an uproad. The case is Sierra Corporate Design, Inc., v. David Ritz, District Court (County of Cass, North Dakota, File No. 09-05-C-01660). The issue concerns the judge's ruling on DNS. In particular, the judge ruled that performing a DNS zone transfer is an unauthorized action.

Doing Zone Transfers

DNS zone transfers are defined in RFC 1034 for passing all domain information to another host. These transfers were intended for use by secondary DNS servers and some caching DNS servers. Zone transfers can also be useful for debugging DNS issues.

Tools to perform zone transfers exist on most operating systems. For example, host -l lists every host in a domain. The command host -l wikipedia.org ns0.wikimedia.org lists every host in the wikipedia.org domain from the DNS server ns0.wikimedia.org. Other tools, such as digg and nslookup can also perform zone transfers.

Abusing Zone Transfers

While the action itself is not hostile, zone transfers do imply a security risk from information leakage. Rather than blindly attacking hosts in a network, an attacker can request a zone transfer from a specific domain and then systematically target known hosts.

Many organizations turn off zone transfers, or restrict access to specific hosts such as authorized secondary DNS server. This reduces an attacker's ability to lists hosts. However, this does not mitigate the threat. An attacker can simply iterate through all IP addresses within a domain in order to find known hosts. For example, if "host -l" did not work with Wikipedia, then the following shell command can be used:

i=0; while [ $i -le 255 ] ; do host 66.230.200.$i | grep -v "not found"; ((i=$i+1)); done

It is important to recognize that not every host is listed in a public DNS system, and not every host listed in DNS actually exists. Many large organizations run two DNS servers. One is a public server that lists public hosts, and the other is for internal or private use.

Case Interpretation

The ruling by the North Dakota judge has been widely interpreted as unjust. Many people have complained that the judge got it wrong. Other people complained that the judge ruled on things that he clearly did not understand.

A set of legal documents related to the case are publicly available. However, the evidence for this case is not public. Thus, any speculation about right or wrong is limited to the public documents.

Having read many of these court documents, I disagree about the judge's lack of knowledge. The court should not bring in external opinions or judicial prejudice to the case. Even if the judge fully understands DNS, SMTP, and TCP, he needs to let the case arguments guide the judgment. In my non-legal and personal opinion, the failure of this case was due to the defense and not the judge. In particular, the problem as I see it, is that the entire case was based on the testimony of involved witnesses. This makes it a case of he-said-she-said. Unless the evidence itself is obviously overwhelming, this will be a tough call for the judge.

The defense should have brought in one or more expert witnesses. These are people who are believed to be subject experts. Expert witnesses are not biased by any involvement in the case (not named in the lawsuit) and can provide testimony on definitions, whether a behavior (such as zone transfers or issuing SMTP queries) is atypical, whether evidence appears tampered, or if private information was disclosed publicly (as claimed by the plaintiff and ordered censored by the court).

An expert witness is usually given a set of questions to answer. For example, an expert witness in this case should have been asked questions like:

• Did Ritz conduct a DNS zone transfer for the purpose of an attack?
  
• What is the SMTP "vrfy" command used for and does its use by Ritz imply an attack?

Without seeing the evidence, I will not venture to answer these questions. Each requires an understanding of the technical process (I've got that) as well as the intended use (alright) and use demonstrated by the evidence (that's what I'm missing).

So consider this: the judge saw the plaintiff and defense define the terms and usage. Neither side seems to have provided the same definition. The Ritz argument appears to have been that the technology permits the use and is therefore acceptable. However, a hammer permits hitting someone on the head, but that is not the intended use. The plaintiff's witnesses claimed that they were under attack. The judge had to decide whether the use was atypical or acceptable, and whether it was part of an attack. Having read the judge's ruling -- and not seen the evidence nor reports from expert witnesses -- I am inclined to not question the judge's ruling.

Was the judge wrong in deciding that a zone transfer was an abuse? Without seeing the evidence, I cannot answer this. However, since there was no expert testimony I will have to assume that the court made the best judgment based on the provided materials.

Did Ritz do anything wrong? Again, without seeing the evidence, I cannot make this determination.

Did Sierra Corporate Design do anything wrong? Yes. If a zone transfer disclosed private information, then they willingly permitted the public exposure of private information. They could have picked up any book on network security and seen how to harden their network. They clearly ignored common security-oriented procedures and policies. They failed to keep private information private and did not disable undesirable public services.

The question is not whether Ritz found that Sierra Corporate Design had lax security practices. The question is whether Ritz exploited this as an attack. Without access to the evidence, I cannot comment on this.

Either way, the community should not blame the judge. Sierra Corporate Design had poor network defenses, and Ritz had poor legal defenses.

The after Christmas is Boxing Day. Historically, this stems from a tradition of giving gifts to employees and the poor, but recently it has become the day we box up all the things we no longer want to keep.

A couple of years ago I proposed a new, security-oriented holiday: Carding Day. This holiday follows New Years and is when all of the disgruntled employees sell off the credit cards they collected over the holiday season.

Last year -- January 2007 -- we celebrated Carding Day with the announcement of the massive TJX credit card compromise. As the year progressed, the estimated compromise size increased; from an unspecified "millions" in January 2007, to 45.6 million in March, to nearly 94 million accounts by October 2007.

This year's Carding Day compromise was just announced. GE Money, a division of General Electric, lost a tape that contained accounts. Granted, this isn't a multi-million card compromise; it is just a piddly 650,000 credit cards that were on a lost tape. However, it includes customers from JC Penneys and over a hundred other retailers, and may contain 150,000 SSNs.

My biggest concern is not that they lost a tape (although that is bad). Rather, my concern is that GE Money handles credit card processing for multiple companies. This has the echo of the 40 million card compromise from CardSystems Solutions. Considering that they are a card processing organization and offer credit and identity protection services, I find it less that impressing that they lost a tape and there is no mention of cryptography.

Then again, it may not be GE Money's fault. You see, they didn't actually lose the tape. Iron Mountain lost it. If the name sounds familiar, it is probably because I blogged about them last June. Iron Mountain is the same company that lost tapes from Bank of America, Citigroup, and Ameritrade. And that is just the beginning (Fergie has a much more complete list of their security blunders.) Iron Mountain has clearly shown a consistent track record.

Companies and organizations that depend on Iron Mountain should re-evaluate their solutions. According to the Iron Mountain press releases, this includes ICANN (ICANN has enough problems already, do they really need to compromise accounts due to losing tapes?), the U.S. Intelligence Community, and over 100,000 corporate clients. Unless these companies and organizations can afford to lose a tape, they should seriously reconsider their data protection partner.