Transcript of Rodney Thayer
8/7/2019 Rodney Thayer
http://slidepdf.com/reader/full/rodney-thayer 1/45
Plastic Money == Plastic Trust
Why you should never trust a merchant with your credit card
TSC LABS Plastic Money - Plastic Trust 2
About this talk...
- Work in progress
- Agenda
  - Credit card backgrounder (hacker style)
  - PCI Overview & Defenses
  - PCI Flaws
Ongoing project, to be updated
Who do you trust?
A California Driver's License
CA License Spec
PAN Tester (Front)
Commerce without Trust
- Cash Commerce
  - You visit a merchant
  - You give them (money)
  - They give you (goods or services)
Commerce with Trust
- Diners Club starts in the 50s
  - "A customer is as good as their name"
  - Merchant (via a Bank) extends 'credit'
  - Customer carries (paper) 'credit card'
  - Merchant trusts customer to pay
  - Customer extends no extra trust to merchant
And the joke is...
- Credit cards are clonable
- Trusting the merchant was a bad idea
PCI
The Players...
- Customers
- Merchants
- Acquirers
- Banks
- Credit Card 'Associations'
- The bad guys
Payment Card Industry
- Industry association
  - Agenda:
    - Defend the brand
    - Make the customers feel safe
    - Protect profits
  - "Standards" issued
  - Created auditor/expert role
  - Advocate of "PCI Security"
Credit Cards
- ISO Standard
- Machine readable ("partially")
- Clonable
- Purely data
CC Process Assumptions
- ("CC" means credit card)
- The customer will defend the CC
- The merchant will defend the CC
- It's hard to steal the CC
- If the CC is stolen, revocation will minimize damage
PCI "Standard"
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security
Interpretations
- There are many (at least one per auditor)
- Not generally as good as current 'best practice'
- Implicitly hides merchants who don't use 'best practice'
- Advisory: "they won't really fine us"
PCI Defense
PAN Sample (Front)
PAN Sample (Back)
PCI Defenses
- The standard
- The audit process
- Technical upgrades and workarounds
- Payment process improvements
- Best Practices for a modern enterprise
Defenses - the standard
- "The usual best-practices motherhood and hacker pie platitudes about computer security."
- Intuitively obvious 'requirements'
  - Never save the CVV
  - PAN should be encrypted when at rest
  - PAN should be defended while in motion
PCI Defenses - Crypto
- Pre-Internet crypto use
- Vaguely bank-like crypto
- (Some) symmetric algorithms
- (Some) key hygiene
- (Some) use of encrypted data
- (Some) use of encryption in the network
PCI Defenses - Audit
- Country club auditors
- Non-technical
- Paid by merchant
- Interpreter of requirements
- Interpreter of solutions
- Anonymous
PCI Security Research
PCI Security Research
- Targets
  - PAN
  - End nodes
- Data
  - At rest
  - In motion
- Processes
  - Merchant
  - Back-end
  - Contractual
PAN Research
- PAN Tester
  - Credit card
  - Gift Card
  - Captive cards
PAN Tester (Front)
PAN Tester (Back)
Faux Credit Cards
Target Sample
Targets
- Decrepit POS terminals are mainstream
  - Win2k is considered modern
  - Very low horsepower
  - Not patched
  - Not encrypted
  - On undefended network
Other Targets
- Acquirer connection
- Out of bounds for merchant audits
- Not clear anyone checks them
- Defense of acquirer not discussed
Recon
- Physical security of end systems
- Process recon
- Web access
- PAN Processing flaws
PCI Violation
PCI "Crypto"
Crypto Vulnerabilities
- No key management
- Weak keys
- Poor key management
- Poor key hygiene
- Home-grown crypto
- Ignorance of crypto work in the last 5 years
Potential Crypto flaws
- SQL Injection to find keys in the database
- Format glitches
- Information leakage (first 6 plus last 4 == 6 decimal digits in namespace...)
- Key generation
- Algorithm implementations
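The information-leakage bullet put into numbers, as an added example that is not part of the original deck: when the first six and last four digits of a 16-digit PAN are displayed, only six digits stay hidden, and the Luhn check digit (ISO/IEC 7812) pins one of them, so about 10^5 PANs are consistent with any given mask. That is why an unkeyed hash of the PAN stored next to its masked form is a weak control: anyone who can read both can test that small candidate set. The functions below, the test number 4111111111111111 (a standard Luhn-valid test value, not a real card) and the HMAC key are all constructed for this illustration; `pan_token` shows the keyed surrogate a defender would store instead, which cannot be checked against candidates without the key.

```python
import hashlib
import hmac


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    # Walk right to left: the check digit itself is index 0 and is not
    # doubled; every second digit left of it is doubled, minus 9 if > 9.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Return the single digit that makes body + digit Luhn-valid.

    Uniqueness is the whole point: doubling maps 0..9 onto a permutation
    of 0..9, so for any fixed set of other digits exactly one value of the
    remaining digit satisfies the check.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        # Once the check digit is appended these positions are the doubled ones.
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def mask_pan(pan: str) -> str:
    """Display masking as the slide describes it: first six and last four visible."""
    if len(pan) < 11:
        raise ValueError("PAN too short to mask as first-6/last-4")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def candidate_space(masked: str) -> int:
    """Number of Luhn-valid PANs consistent with a masked PAN.

    Each hidden digit contributes a factor of 10; the Luhn check removes
    one factor of 10 because exactly one completion of the last hidden
    digit passes (see luhn_check_digit).
    """
    hidden = masked.count("*")
    if hidden == 0:
        return 1 if luhn_valid(masked) else 0
    return 10 ** (hidden - 1)


def pan_token(pan: str, key: bytes) -> str:
    """Keyed surrogate for a PAN (HMAC-SHA256).

    Unlike an unkeyed hash, a masked value stored beside this token does
    not let someone without the key verify guesses from the candidate set.
    The key would live in an HSM or key store, never in the card database.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Constructed sample values for the demonstration (not real data).
SAMPLE_PAN = "4111111111111111"
DEMO_KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    masked = mask_pan(SAMPLE_PAN)
    print(masked, "->", candidate_space(masked), "Luhn-valid candidates")
    print("check digit for", SAMPLE_PAN[:-1], "is", luhn_check_digit(SAMPLE_PAN[:-1]))
    print("keyed token:", pan_token(SAMPLE_PAN, DEMO_KEY)[:16], "...")
```

The takeaway for the "PAN encrypted at rest" requirement is that truncation and hashing are not independent controls: kept together they collapse to a 10^5 search, whereas a keyed token or proper encryption keeps the work factor tied to the key rather than to the digits left on the receipt.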
Boring Attacks
- Porous perimeter
  - Web site
    - #include <web_site_attack.h>
  - Storefront
    - Digital limpet mines
- Bored quasi-geek employees
  - Back office
    - #include <frugal_dp_management.h>
  - Corporate office
    - #include <simple_enterprise_attacks.h>
Boring Targets
- Windows 2000 is "current" for POS terminals
- Databases contain keys, leaked information
- Effectively unsecured networks
  - 40 bit WEP at best
- Genuinely unsecured networks
  - Cleartext internal networks
Boring Exploits
- Anything in "The Idiot's Guide to Attacking with Metasploit"
- All your (Cisco) passwords are belong to us
- Logs? We don't need no steenkin' logs
- Klingon logins ("authentication is for the weak and timid")
- Passwords last changed when Reagan was President
- Passwords based on employee id/name
Conclusions
- A TJX-class incident might happen
  - Oops, old news.
- Someone might get caught using 40 bit WEP
  - Oops, old news.
- Someone might use a digital limpet mine
  - Oops, old news.
- Databases might be compromised...
Conclusions (Seriously)
- Major compromises are possible
- Litigation is possible
- Paypal on a bad day might be better than Visa
- People will start to question the use of pre-Internet legacy payment networks
- Merchants should use 21st century network defense technologies
- Merchants are enterprises handling money and should act accordingly
Credits
- Conference venue by Toorcon
- Three Stooges Driver's License found at http://www.imhimports.com
- Driver's License Spec: http://www.aamva.org/NR/rdonlyres/66260AD6-64B9-45E9-A253-B8AA32241BE0/0/2005DLIDCardSpecV2FINAL.pdf
- PAN Sample photographs by Operations
- PCI Standard: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
- Visa® Gift Card from Visa International Service Association http://www.visa.com issued by Wells Fargo® Bank
- Presentation software Office 2003 Excel by Microsoft®
Disclaimer
No actual PANs were harmed in the production of this presentation.
Rodney Thayer
www.thesecurityconsortium.net