Brian Krebs reported recently in Krebs on Security that some Nordstrom department stores in Florida had been the apparent victims of would-be data thieves. It seems someone had installed skimmers and keyloggers on some of their point-of-sale equipment. The keyloggers used were the type that looks like the ends of a PS/2 keyboard cable. They are easy to insert and often go unnoticed. Fortunately, the store had a security camera properly placed that observed the devices being installed.
Krebs tells the story well at the link above and so have other outlets, so I don’t need to repeat it here. What I’d like to talk about is the method of capturing the data – rather than attack the data on a network or where it is stored at the card processor, the attack was at the edge, a notoriously unprotected point.
Physical and software keyloggers have been around for a long time. The hardware ones can be easily purchased online. (There’s a link in Krebs’ article, but I’m not putting it here because its presence or clicking on it might trigger some corporate security mechanism somewhere.) Sellers of these products are legitimate businesses and these are not underground products in any way. The simplest of these devices capture data and store it in flash for later retrieval. More expensive varieties also have Wi-Fi radios to transmit the data over a network. There are also keyloggers for USB keyboards. Most of these devices are marketed as “security products” – to ensure people don’t break some kinds of rules, I suppose. I have even seen some marketed to parents so they can observe their children’s web activities.
We discuss these in Learning Tree Course 468, System and Network Security Introduction. In the past these would be installed on unattended workstations, often at night. While security auditors may look for them, users are seldom aware of their existence in the marketplace, let alone of their deployment. I don’t know a single end user who checks, even occasionally, for such devices. That makes them quite simple to deploy and they often can go undetected for extended periods of time. Few workstations, outside of those potentially used in very high security environments, have any means of securing keyboard connections.
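Since nobody checks the keyboard connection by hand, one thing an auditor can automate is a baseline comparison of what is plugged in. The script below is an added example written for this post; it is not code from the original article, from Krebs, or from the Learning Tree course. It assumes the inventory is captured in the line format produced by the Linux `lsusb` tool, and the two snapshots it compares are constructed sample data (the device names and IDs are plausible but were typed in for the example). A USB inline logger or tap must enumerate on the bus, typically as an extra hub or an additional keyboard-class device, so a new entry of that kind between two snapshots is the thing to look at.

```python
import re
from collections import Counter

# One lsusb line, e.g. "Bus 001 Device 004: ID 046d:c31c Logitech, Inc. Keyboard K120"
LSUSB_RE = re.compile(
    r"^Bus\s+(\d{3})\s+Device\s+(\d{3}):\s+ID\s+([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$",
    re.IGNORECASE,
)

# Description keywords that point at the keyboard input path. An inline USB logger
# usually shows up as an unexpected hub or as a second keyboard/HID device (assumption).
SUSPICIOUS_HINTS = ("hub", "keyboard", "hid", "input")

# Constructed baseline snapshot: root hub, one keyboard, one mouse.
BASELINE = """
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 0461:4d81 Primax Electronics, Ltd Dell N889 Optical Mouse
"""

# Constructed later snapshot: the keyboard has been re-enumerated (new device number)
# behind a hub that was not there before.
CURRENT = """
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 001 Device 006: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 0461:4d81 Primax Electronics, Ltd Dell N889 Optical Mouse
"""


def parse_lsusb(text):
    """Count devices by 'vid:pid description'. Bus and device numbers are ignored
    because they change on every re-plug; a Counter keeps duplicates visible."""
    devices = Counter()
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrelated lines
        _bus, _dev, vid, pid, desc = m.groups()
        devices[f"{vid.lower()}:{pid.lower()} {desc.strip()}"] += 1
    return devices


def diff_inventory(baseline_text, current_text):
    """Return (added, removed) as sorted lists; Counter subtraction keeps only
    positive differences, so a second identical keyboard counts as added."""
    base = parse_lsusb(baseline_text)
    cur = parse_lsusb(current_text)
    added = sorted((cur - base).elements())
    removed = sorted((base - cur).elements())
    return added, removed


def flag_suspicious(added):
    """Pick out added entries whose description suggests a hub or input device."""
    return [e for e in added if any(h in e.lower() for h in SUSPICIOUS_HINTS)]


if __name__ == "__main__":
    added, removed = diff_inventory(BASELINE, CURRENT)
    for entry in added:
        print("ADDED  ", entry)
    for entry in removed:
        print("REMOVED", entry)
    for entry in flag_suspicious(added):
        print("CHECK PHYSICALLY:", entry)
```

Run with the two snapshots above and the only difference is the Genesys hub, which is exactly the sort of thing worth walking over to the workstation to look at. The caveat is the one the post's own example illustrates: a PS/2 inline logger is a passive tap on signal lines and never enumerates, so no software inventory will show it, and the only checks for that class of device are a visual inspection of the cable and a camera on the workstation.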
So what’s the point? The point is that endpoints are quite vulnerable to attack. If attackers can install skimmers and keyloggers in an open department store, it seems many businesses are vulnerable, too. It only takes a moment for an unattended device to be compromised in this way. Physical security – in the form of a camera – will help, both as a deterrent and to assist in identifying the activity, if the camera operator notices, or if tapes are reviewed promptly. That is not a guarantee, however, that sensitive information will not have been compromised by the time the activity is discovered.
Keyboards and point-of-sale devices aren’t the only vulnerable endpoints, though. I will talk about more of them in the future. Please let us know in the comments what endpoint vulnerabilities you’ve seen (but not where, please!).