POS Breach Bigger Than Reported?

Point-of-sale (POS) maker Harbortouch last week disclosed a breach involving “a small number” of its restaurant and bar customers, who were impacted by malicious software that allowed thieves to siphon customer card data from affected merchants. KrebsOnSecurity is reporting that a major U.S. card issuer has said that the company is radically downplaying the scope of the breach, and that the compromise appears to have impacted more than 4,200 Harbortouch customers nationwide.

Brian Krebs notes that “banks were so anxious about the unexplained fraud spikes as stolen cards were used to buy goods at big box stores that they instituted dramatic changes to the way they processed debit card transactions. Glastonbury, Ct. based United Bank recently included a red-backgrounded notice conspicuously at the top of their home page stating: “In an effort to protect our customers after learning of a spike in fraudulent transactions in grocery stores as well as similar stores such as WalMart and Target, we have instituted a block in which customers will now be required to select ‘Debit’ and enter their ‘PIN’ for transactions at these stores when using their United Bank debit card.”

Harbortouch denied the report, saying the “malware incident impacted individual merchant locations, not Harbortouch. Harbortouch is not a processing platform, not a gateway and we do not store any cardholder data. This is not an ongoing incident and the malware was eliminated rapidly upon detection.”

Read the rest of Kreb’s investigation into this issue, here.

Rombertik: Malware with An Attitude

Rombertik is an exceedingly odd piece of malware. While some are describing it as the latest harbinger of digital doom, we side with the opinion that this is not a terrifying threat but is certainly something that deserves serious attention.

On its surface, Rombertik is just another piece of browser spyware. It hijacks browser transactions in order to capture and relay username/password combinations. It attempts to grab useful data before HTTPS connections are established.

Attackers appear to primarily targeting corporations, financial institutions, and other high-value, high-volume targets.

Where Rombertik differs from other Malware is in its destructive capabilities. If a malware scan threatens it. Rombertik permanently encrypts all user data files. If it is detected, Rombertik attacks and overwrites the Master Boot Record (MBR) of the hard drive of the system on which it resides, which renders the computer inoperable.

It If it does not have permission to overwrite the MBR, it encrypts all filers in the infected machine’s Documents and Settings folder. After performing these actions, it reboots the computer.

On reboot, the computer displays a black screen with the words “Carbon crack attempt, failed”, then enters an infinite loop, preventing successful startup.

The destructive actions Rombertik can be triggered by legacy antivirus solutions, the key to dealing successfully with this malware is to block its activities without triggering a kill action on the PC. Fast response by IT is essential, users should be warned not to try to remove the malware on their won. Rombertik reinforces the importance of monitoring the entire chain of potential attack vectors, as Rombertik can be delivered via URLs, .Doc files, compressed folders (.zip, .RAR, etc) and .exe..

“Before Rombertik begins the process of spying on users, Rombertik will perform one last check to ensure it is not being analyzed in memory,” Cisco researchers Ben Baker and Alex Chiu write in a blog post describing the threat. “If this check fails, Rombertik will attempt to destroy the Master Boot Record and restart the computer to render it unusable.”

Say Goodbye to Patch Tuesday?

Almost one year ago, IT struggled through the infamous June 2014 “Patch Tuesday,” with its 66-vulnerability collection of fixes – 59 holes in Internet Explorer alone.

Starting with Windows 10, Microsoft will introduce Windows Update for Business to its enterprise customers, issuing patches as they’re available instead of the second Tuesday – occasionally the fourth Tuesday – of every month.

(Which is followed by Exploit Wednesday, when malicious hackers frantically attempt to use the documentation released with Tuesday’s patches to develop and launch attacks on yet unpatched machines.)

Patch Tuesday can now be removed from your schedule (maybe, read on for details). Patches will be available sooner, and Windows Update for Business has new tools that enable you to prioritize which client machines get updated first, as well as set time frames to control when updates should and should not take place.

Microsoft has patterned this after the mobile market, where devices receive updates as soon as they become available. Windows Update for Business users can opt to enter the “fast ring” to get the quickest possible delivery of security patches or a “slow ring” which provides a more conservative schedule of bundled updates.

The new model won’t work for everyone, and Patch Tuesday will continue to be an event for some. According to Microsoft, “customers that choose to distribute updates themselves will continue to receive the updates on the 2nd Tuesday of the month.”