Case Study: The Home Depot Data Breach
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
copyright SANS Institute
Author Retains Full Rights
GIAC (GSEC) Gold Certification
Brett Hawkins, email@example.com
Advisor: Christopher Walker
Accepted: January 2015
The theft of payment card information has become a common issue in today's society. Even after the lessons learned from the Target data breach, Home Depot's Point of Sale systems were compromised by similar exploitation methods. The use of stolen third-party vendor credentials and RAM scraping malware were instrumental in the success of both data breaches. Home Depot has taken multiple steps to recover from its data breach, one of them being to enable the use of EMV Chip-and-PIN payment cards. Is the use of EMV payment cards necessary? If P2P (Point-to-Point) encryption is used, the only method available to steal payment card data is the installation of a payment card skimmer. RAM scraping malware grabbed the payment card data in the Home Depot breach, not payment card skimmers. However, the malware would never have been installed on the systems if the attackers had not possessed third-party vendor credentials and if the payment network had been segregated properly from the rest of the Home Depot network. The implementation of P2P encryption and proper network segregation would have prevented the Home Depot data breach.
1. Introduction
On September 8th, 2014, Home Depot released a statement indicating that its payment card systems had been breached. The statement explained that the investigation had started on September 2nd and that the company was still trying to determine the actual scope and impact of the breach. Home Depot said it would offer free credit monitoring services to affected customers who had used their payment card at its stores as early as April 2014, and apologized for the data breach. It also indicated that its Incident Response Team was following its Incident Response plan to contain and eradicate the damage and was working with security firms on the investigation ("The Home Depot, Inc. – News Release," 2014). This is one of many retail breaches that have occurred and will continue to occur until retailers become proactive in safeguarding their environments.
1.1 Making money with stolen credit cards
Payment card information is sold by cyber-criminals frequently. In more recent retail breaches, they have been able to steal payment card information from millions of customers and sell it online in what is known as the “Darknet.” Once the cyber-criminal has stolen the payment card information, there is a process that takes place in order to put the information on sale on the Darknet and for the cyber-criminals to make money.
The first step in the process is selling the payment card information to brokers. The brokers buy the payment card information in bulk and sell the information to “carders” on carder websites (Westin, 2013).
The definition from “How ‘carders’ trade your stolen personal info” says, “Carders are the people who buy, sell, and trade online the credit card data stolen from phishing sites or from large data breaches at retail stores” (Vamosi, 2008). An example of a carder website is Rescator shown in Figure 1 below (Lawrence, 2014). As you can see, the site has full search capabilities based on the type of card you are searching for.
Once the carder has bought a payment card on the carder website, they use the stolen card data to buy a pre-paid credit card. The pre-paid card is then used to buy gift cards for stores like Amazon or Best Buy, and the gift cards are used to buy items at those stores, typically electronics, which are resold on sites like eBay, Craigslist, or similar sites.
After the cyber-criminal purchases the items to be resold, they need the items shipped to a location that cannot be traced back to them. The items go to a "re-shipper," who receives the goods and forwards them to whoever bought the items the cyber-criminal posted. This process is difficult to track: by the time a breach is detected and the stolen payment card has been blocked, the cyber-criminal has already bought the items to be resold with the gift card (Westin, 2013). This is a well-known process and is used frequently because it has proven profitable for cyber-criminals.
1.2 Hasn’t this happened before?
Ever since the Target data breach was disclosed by Brian Krebs on December 18, 2013, occurrences of similar retail data breaches have been on the rise. Until the Home Depot data breach, the Target breach was the largest retail breach in U.S. history (Bloomberg, 2014). In the Target data breach, 40 million payment cards were stolen (Krebs, 2014). The Home Depot data breach topped that with 56 million payment cards stolen (Krebs, 2014). Some of the most notable retail data breaches that occurred after the Target breach are shown in Figure 2 below.
Figure 2 – Timeline of large retail data breaches after the Target breach
These companies should have used the Target data breach as a learning opportunity and applied the lessons to their own payment card systems. The impact these data breaches had on each of the companies was significant. In the quarter after its breach, Target posted profits 46 percent below expectations (Gertz, 2014). That is a large impact. I remember the day of the Target breach, watching the Target stock price take a significant hit. I saw the same thing when the Home Depot breach happened. Large retail breaches like the ones shown above in Figure 2 have a large impact, and they will only continue to happen unless the proper countermeasures are in place.
1.3 Better ways to take card payments, because that’s what customers want
The standard payment card in the U.S. has always used the magnetic stripe, or "magstripe". The magstripe holds three tracks of data, although track 3 is hardly ever used. Track 1 carries the cardholder's name, the card number (primary account number, or PAN), the expiration date and a service code; track 2 carries the PAN, expiration date and service code in a more compact format. The card brand (Visa, MasterCard, etc.) is implied by the leading digits of the PAN. The problem with magstripes is that this data is stored unencrypted and is extremely easy for criminals to read, copy and replay. The traditional magstripe card has been under a lot of scrutiny since large-scale retail data breaches started to occur more often. There are alternative methods of accepting payment cards, and there is even a method of accepting traditional magstripe cards that protects the card data from being exposed.
1.3.1 Chip-and-Pin Cards
A new type of credit card is becoming more familiar in the United States, called a chip-and-PIN (EMV) card. Chip-and-PIN cards contain an embedded security chip as well as a traditional magstripe. The chip generates a unique cryptogram for every transaction, so data captured from one transaction cannot be replayed or used to produce a working counterfeit chip card (CreditCardForum, 2014). The chip does not, however, remove the card number from the transaction, and the magstripe on the same card still carries cleartext track data for fallback swipes. The problem with this alternative is that the cards cost significantly more to produce than traditional payment cards, and most merchants do not have systems capable of accepting them. However, from October 2015, a merchant whose systems do not support chip cards bears the liability for fraud on those transactions, rather than the bank (Picchi, 2014).
1.3.2 Mobile Payments
Another alternative to accepting payment cards directly is mobile payment, such as Apple Pay and Google Wallet. With each of these you have a "virtual wallet" on your smart device, which could be a phone, tablet, or even a watch. Neither system passes your actual card number to the merchant; the device presents a token that stands in for the card number, so what the merchant's systems handle is of far less value if stolen. The problem is that Apple Pay and Google Wallet are only accepted at a handful of places. Until more merchants adopt mobile payments, this method will not gain much traction (Lee, 2014).
1.3.3 Point-to-Point Encryption
There is a way to accept traditional magstripe credit cards while still protecting the card data: point-to-point (P2P) encryption. With P2P encryption, card data is encrypted at the point of swipe and stays encrypted all the way to the bank for approval or denial of the transaction. The POS register only ever handles ciphertext, so the card data never reaches its memory in the clear. The risk that remains is at the PIN pad itself: a physical skimmer or overlay installed on the device, or a pad whose tamper protection has been defeated, captures the data before it is encrypted. Proper security awareness training for staff, regular device inspections and serial-number inventories, and proper controls around the decryption environment reduce that risk. These alternatives were developed in response to the method most often used in the large-scale retail breaches.
1.4 The latest way to steal credit cards
There are several ways to steal credit cards, from hacking a website's online database of stored card information to physically stealing somebody's card out of their purse. No matter which method is used, the goal is always the same: steal payment card information for personal gain. One method of stealing payment card information came to wide attention with the discovery of the Target data breach, although it had received little attention before Target. It has since been found in thousands of other breaches, both large and small. The method uses "memory scraping malware".
1.4.1 Memory Scraping Malware
Memory scraping malware has been the key component in stealing payment card information in the large retail data breaches of 2014. This malware is able to read the contents of RAM on a POS terminal when the payment card data is present in clear text. The malware uses regular expressions to grab the payment card information. Once that data is captured, it is sent to servers owned by the attacker, or the attacker’s associates (Huq, 2013). This malware has been effective, as evidence of the recent retail data breaches has shown. It continues to be effective on POS systems that are not properly locked down.
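The following is an added example, not code from the paper and not taken from any malware, showing what a scraper's regular-expression pass over register memory actually matches (the track 1 and track 2 layouts described in section 1.3) and why a register running P2P encryption gives it nothing to find. The memory images, cardholder name, key serial number and ciphertext bytes are constructed for the example; the card number is a published Visa test number. Real scrapers add a Luhn check exactly as shown, to discard regex hits that are not card numbers.

```python
import re

# Track 1 (format B) and Track 2 layouts as written on the magstripe and, on an
# unprotected register, copied verbatim into the POS process's memory.
#   Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})(\d*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; scrapers use it to drop false regex hits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape_tracks(buf: bytes) -> list[dict]:
    """Return every Luhn-valid track record found in a memory buffer."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": pan,
                         "name": m.group(2).decode().strip(),
                         "exp": m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": pan, "exp": m.group(2).decode()})
    return hits


# Constructed memory image of a register that handles swipes in the clear.
# 4111111111111111 is a published Visa test number; the third record fails the
# Luhn check and shows why scrapers validate before exfiltrating.
CLEARTEXT_REGISTER_MEMORY = (
    b"\x00\x00pos.exe\x00config=store0421\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000?\x00\x00"
    b";4111111111111111=25121010000000000?\x00"
    b";1234567890123456=25121010000000000?\x00\xff\xff"
)

# Same register with P2P encryption: the PIN pad hands over only a key serial
# number (KSN) and ciphertext, so no track pattern exists anywhere in memory.
# KSN and ciphertext below are constructed placeholders.
P2PE_REGISTER_MEMORY = (
    b"\x00\x00pos.exe\x00config=store0421\x00"
    b"KSN=FFFF9876543210E00001\x00"
    b"DATA=" + bytes.fromhex(
        "9f1c3ab7e0d2c45511a8f6b3e9c27d8041f0aa6c1b2d3e4f5a6b7c8d9e0f1a2b"
    ) + b"\x00"
)


if __name__ == "__main__":
    for label, mem in (("cleartext register", CLEARTEXT_REGISTER_MEMORY),
                       ("P2PE register", P2PE_REGISTER_MEMORY)):
        print(label, "->", scrape_tracks(mem))
```

The same two regexes, run by a defender over a memory image or a packet capture, double as a detection for cleartext track data leaving a register; the P2PE image yields no matches because the register only ever holds the KSN and ciphertext.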
2. The Home Depot Data Breach
Home Depot was one of many victims of a retail data breach in 2014. The unfortunate thing is that the way the attackers infiltrated the POS network and stole the payment card data was the same as in the Target data breach. The attackers gained access to one of Home Depot's vendor environments using a third-party vendor's logon credentials. They then exploited a zero-day vulnerability in Windows, which allowed them to pivot from the vendor-specific environment to the Home Depot corporate environment.
Once they were in the Home Depot network, they were able to install memory scraping malware on over 7,500 self-checkout POS terminals (Smith, 2014). This malware captured 56 million credit and debit cards, and the attackers also took 53 million email addresses (Winter, 2014). The stolen payment cards were put up for sale and bought by carders. The stolen email addresses were useful for putting together large phishing campaigns.
2.1 Prevention & Detection
There were several countermeasures Home Depot could have had in place to prevent the breach, or at least to detect it sooner and minimize its impact. Home Depot did not have secure configurations of the software or hardware on the POS terminals. There is no public evidence of regularly scheduled vulnerability scanning of the POS environment. There was no proper network segregation between the Home Depot corporate network and the POS network. The last two missing controls were proper monitoring capabilities and the management of third-party vendor identities and access.
2.1.1 What would have worked?
The secure configuration of software and hardware is vital to securing any environment, especially one dealing with sensitive data. Home Depot did have Symantec Endpoint Protection (SEP), an antivirus product, installed in its environment. The problem is that an important feature of the product, "Network Threat Protection", was not turned on (Elgin, Riley, & Lawrence, 2014). This module acts as a host intrusion prevention system (HIPS). Having configured POS devices with this feature activated at my own organization, I can attest to the success of this feature when doing vulnerability assessments on these systems.
Another secure configuration missing was Point-to-Point (P2P) encryption. With it, payment card data is encrypted at the point of swipe, so only ciphertext ever sits in the register's memory. The technology requires hardware capable of supporting it; in Home Depot's case, an upgrade to the operating system of the POS devices was also needed.
Home Depot had another insecure software configuration on the POS devices: the operating system. An operating system is the most important software on a device. The operating system running on the POS devices was Windows XP Embedded SP3 (Mick, 2014). Windows XP systems are highly exposed to attack, so keeping POS registers on this operating system invites compromise. Home Depot should have upgraded its POS devices to a more current Windows operating system. Some examples of more current Windows POS operating systems are Windows Embedded POSReady 2009, Windows Embedded POSReady 7, and Windows Embedded 8 Industry (Wikipedia, 2014, p. xx). I have successfully upgraded POS devices in my own organization to more current embedded operating systems. The newer operating systems are compatible with P2P encryption, antivirus, and many other applications that are vital to locking down your POS systems.
None of the sources I have reviewed regarding the Home Depot breach mention Home Depot having a vulnerability management program in place. If Home Depot had run a vulnerability management program with monthly vulnerability scans of the POS environment, it could have used the results to show leadership the significance of the gaps in that environment and possibly started mitigating the risk before the breach occurred.
Network segregation is another big gap in this breach. I will touch on this in more detail later, but Home Depot should have placed the POS environment in its own restricted virtual LAN (VLAN) and restricted access between the POS environment and the Home Depot corporate environment.
Another question arises from this breach: how did the attackers obtain third-party vendor credentials for Home Depot's environment? Home Depot was not properly managing its third-party vendor credentials and should have granted that vendor account only the minimal access it needed. I will touch on this in more detail later.
Prevention is ideal, but detection is a must. Even if Home Depot couldn’t have prevented the attack, they still should have had monitoring capabilities, so that it did not take 5 months to detect an intrusion (Elgin, Riley, & Lawrence, 2014). Having the capability to forward any network or host activity in the POS environment to a SIEM, would have been beneficial to Home Depot and could have allowed them to detect the breach sooner, minimizing the impact.
2.1.2 What is working?
Because I have actual experience locking down POS environments during my professional career and have been successful in securing those environments, I can tell you first-hand what is working. A defense-in-depth approach needs to be implemented. First, upgrading your POS devices to a current, supported operating system is a must. If you are not running a current, supported operating system, all other system hardening you do is a waste. Second, ensure you have up-to-date antivirus software with HIPS capability. If an attacker penetrates your POS network, this adds another layer of defense against the compromise of your POS devices. Third, you need to have automatic updates activated on the POS devices. It is vital that you follow patch management best practices and keep the POS devices on the most current patches. This is required for PCI compliance. Fourth, you need to enable P2P encryption on the POS devices. This requires a PIN pad that supports the technology.
The fifth thing you will need to implement is disabling all unnecessary ports and services on the POS devices. There is no reason the POS devices need services such as NetBIOS running. Another important system hardening configuration is to disable the USB ports on the POS devices. You can do this physically by installing USB port blockers, or through software that blocks the use of USB ports. In most cases, you will need to leave just one USB port active for the connection from the POS register to the PIN pad. If somebody were able to circumvent your physical or software-based USB protection, you need a way to notify your security team of such an act. Software can be installed on your POS registers that alerts you if a USB device has been inserted into the register. You also need to make sure that proper password and account policies are set on the POS devices. Now that all the host-based protections are in place, let's talk about the network-based countermeasures that need to be implemented.
First, you need to segregate the POS network from your corporate network. You can do this by making the POS network its own private VLAN. Second, once you have segregated the POS network, you need to apply rules on the networking device responsible for the VLAN so that you can restrict access between your corporate network and the POS network. Third, you need to have all outbound Internet access from your POS network restricted at your corporate firewall. Firewall rules should only allow connections for vital functions, such as credit card processing and Windows Updates. Having all of these preventive countermeasures in place is great, but you also need to be able to detect potentially malicious activity.
You should have a SIEM in place that is able to retrieve Windows event logs, Domain Controller logs, anti-virus logs, DNS logs, firewall logs, and other networking device logs. This will give visibility into the real-time activity in your POS environment and will allow you to create alarms within your SIEM to alert your security team of any malicious activity.
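To make the egress-restriction and SIEM points above concrete, here is an added example (not code from the paper, and not Home Depot's or any vendor's tooling) of the correlation logic a SIEM would apply to firewall logs and forwarded Windows events from a POS VLAN: flag any register that talks to a destination outside the processor and Windows Update allowlist, flag corporate hosts reaching registers on administrative ports, and flag new services or processes launched from unexpected paths on a register. The network ranges, hostnames, firewall log format and event fields are assumptions, and every log line is constructed; Windows event IDs 7045 (a service was installed) and 4688 (a new process has been created) are the real IDs.

```python
import ipaddress
import re

# Network layout (assumed for this example).
POS_VLAN = ipaddress.ip_network("10.50.0.0/24")
CORP_NET = ipaddress.ip_network("10.10.0.0/16")

# The only destinations a POS host may open connections to (assumed values;
# RFC 5737 documentation ranges stand in for the processor's published ranges).
ALLOWED_DST = {
    ipaddress.ip_network("203.0.113.0/24"): "card processor",
    ipaddress.ip_network("198.51.100.0/24"): "Windows Update",
    ipaddress.ip_network("10.10.1.10/32"): "domain controller",
}
# Ports a corporate workstation has no business using toward a register.
LATERAL_PORTS = {135, 139, 445, 3389}
# Directories POS processes are expected to start from (assumed).
TRUSTED_DIRS = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\POS\\")

# Assumed firewall log format: "<timestamp> src=<ip> dst=<ip> dport=<n> action=<allow|deny>"
FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


def check_firewall_line(line: str):
    """One firewall log line in, an alert string or None out."""
    m = FW_RE.search(line)
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    port, action = int(m["dport"]), m["action"]
    if src in POS_VLAN and dst not in POS_VLAN and not any(dst in net for net in ALLOWED_DST):
        # Fires on 'allow' as well as 'deny': an allowed hit here is a firewall rule gap.
        return f"POS host {src} -> unapproved destination {dst}:{port} ({action})"
    if src in CORP_NET and dst in POS_VLAN and port in LATERAL_PORTS:
        return f"corporate host {src} -> POS host {dst} on port {port} ({action})"
    return None


def check_windows_event(ev: dict):
    """One forwarded Windows event (already parsed to a dict) in, alert or None out."""
    if ipaddress.ip_address(ev["host_ip"]) not in POS_VLAN:
        return None
    if ev["event_id"] == 7045:
        return f"new service '{ev['service']}' on {ev['host']}: {ev['path']}"
    if ev["event_id"] == 4688 and not ev["path"].startswith(TRUSTED_DIRS):
        return f"process from untrusted path on {ev['host']}: {ev['path']}"
    return None


def run_rules(fw_lines, win_events) -> list:
    alerts = [a for a in map(check_firewall_line, fw_lines) if a]
    alerts += [a for a in map(check_windows_event, win_events) if a]
    return alerts


# Constructed log samples.
FIREWALL_LOG = [
    "2014-04-12T10:01:02 src=10.50.0.21 dst=203.0.113.10 dport=443 action=allow",  # processor: fine
    "2014-04-12T10:01:09 src=10.50.0.21 dst=10.10.1.10 dport=389 action=allow",    # DC: fine
    "2014-04-12T10:02:31 src=10.50.0.21 dst=192.0.2.77 dport=443 action=allow",    # rule gap
    "2014-04-12T10:02:40 src=10.50.0.21 dst=192.0.2.77 dport=80 action=deny",      # blocked attempt
    "2014-04-12T10:03:15 src=10.10.44.8 dst=10.50.0.21 dport=445 action=allow",    # lateral to POS
    "2014-04-12T10:03:20 src=10.10.44.8 dst=10.10.1.10 dport=445 action=allow",    # corp to corp: fine
]
WINDOWS_EVENTS = [
    {"host": "POS-0021", "host_ip": "10.50.0.21", "event_id": 7045,
     "service": "WinUpdateHelper", "path": "C:\\Windows\\Temp\\wuhelper.exe"},
    {"host": "POS-0021", "host_ip": "10.50.0.21", "event_id": 4688,
     "path": "C:\\Windows\\System32\\svchost.exe"},
    {"host": "POS-0021", "host_ip": "10.50.0.21", "event_id": 4688,
     "path": "C:\\Users\\pos\\AppData\\Local\\Temp\\mem.exe"},
    {"host": "CORP-WS-3", "host_ip": "10.10.44.8", "event_id": 7045,
     "service": "Spooler", "path": "C:\\Windows\\System32\\spoolsv.exe"},
]

if __name__ == "__main__":
    for alert in run_rules(FIREWALL_LOG, WINDOWS_EVENTS):
        print("ALERT:", alert)
```

The egress rule deliberately alerts on allowed connections as well as denied ones: a register that is permitted to reach anything outside the processor and update ranges is a firewall rule gap, and a denied attempt is the first sign of malware trying to exfiltrate. On a real SIEM the same logic is expressed as correlation rules against the log sources the paragraph lists; the point is that it only works if the POS VLAN's firewall and Windows logs are actually forwarded.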
2.1.3 What will work in the future?
I would like to think that the current methods of prevention and detection for POS environments will work in the future. The reality is that the bad guys find new ways to exploit vulnerabilities every day and technology advances at a significant rate. Credit cards may not even exist in the future. There might be a significant vulnerability found in the chip-and-PIN cards down the road, which causes us to question how to take payments, just as the traditional magstripe card is causing questioning now.
I think we are getting a glimpse into the future with Apple Pay and Google Wallet. The magnifying glass will shift from credit card security to mobile device security. The idea of a virtual wallet seems like it could be 5-10 years from having a significant adoption rate. How will mobile device manufacturers and mobile payment software companies react to the bad guys finding vulnerabilities in their systems? Will they be able to quickly release patches that fix security vulnerabilities related to the virtual wallet? I think it is a large change that will heavily impact the retail landscape and will happen sooner than people think.
2.2 Preventing Home Depot, Target, and Other Retail Breaches
I previously listed many countermeasures that Home Depot should have had in place, but I want to go into detail on the three that I consider the most important, and that could have been applied by every retailer that experienced a breach in the past year. The three main preventive measures that should have been in place are P2P encryption, proper network segregation, and appropriate management of third-party vendor credentials.
2.2.1 Point to Point Encryption
The protection of credit card data is continuing to get more attention since these large retail breaches started occurring. Even after the attackers had infiltrated the POS environments and installed memory scraping malware on the POS registers, one countermeasure could have prevented them from stealing credit cards. That countermeasure is P2P encryption.
P2P encryption encrypts card data at the point of swipe, whether you use a credit or a debit card. For debit cards, it also encrypts the PIN you enter. All of this happens inside the swipe device before the data reaches the register's memory, which prevents it from being captured there. The swipe device is injected with an initial key derived from the provider's base derivation key, and from that initial key it derives a unique key for every transaction (DUKPT). The key derived for the card data is separate from the key used for PIN encryption on a debit card. When you swipe your card, the payment card data is encrypted inside a tamper-resistant security module with the payment-card-industry standard Triple DES (3DES) algorithm, using the key derived for that transaction (TSYS, 2014). The encrypted data is then sent to an off-site hardware security module owned by the POS solution provider, where the payment card data is decrypted (Knopp, 2013). The decrypted card data is then re-encrypted under the bank's encryption key(s) and sent to the bank, where it is decrypted again. The bank then returns the approval or denial for the payment card. Figure 3 below shows the process.
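As an added illustration of that flow (example code, not the paper's and not any P2PE vendor's implementation), the following models the swipe device, the register, the provider's decryption HSM and the bank as separate parties and checks the two properties the section relies on: the register only ever holds a key serial number and ciphertext, and every swipe is encrypted under a different key. The base derivation key, bank key, device ID and track data are constructed; the HMAC-based derivation and the SHA-256 keystream are stand-ins for the TDES-based DUKPT derivation and TDES encryption a real terminal uses, chosen only so the example runs with the Python standard library.

```python
import hashlib
import hmac


def derive_txn_key(bdk: bytes, ksn: bytes, purpose: bytes) -> bytes:
    """Stand-in for the DUKPT (ANSI X9.24) per-transaction derivation.

    Terminal and decryption HSM share the Base Derivation Key (BDK); the Key
    Serial Number (device ID plus swipe counter) selects a fresh key per swipe.
    Distinct 'purpose' labels keep the track-data key and the PIN key apart.
    Real terminals derive TDES keys here; HMAC-SHA256 is used so this runs
    with only the standard library.
    """
    return hmac.new(bdk, purpose + b"|" + ksn, hashlib.sha256).digest()


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode) standing in for TDES.
    The same call encrypts and decrypts. Illustration only, not for production."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class PinPad:
    """Tamper-resistant swipe device: the only on-site place plaintext exists."""

    def __init__(self, bdk: bytes, device_id: bytes):
        self._bdk, self._device_id, self._counter = bdk, device_id, 0

    def swipe(self, track2: bytes) -> dict:
        self._counter += 1
        ksn = self._device_id + self._counter.to_bytes(5, "big")
        key = derive_txn_key(self._bdk, ksn, b"DATA")
        return {"ksn": ksn, "ciphertext": stream_xor(key, ksn, track2)}


class Register:
    """The POS PC. Whatever it handles sits in RAM, where a scraper would look."""

    def __init__(self):
        self.memory = bytearray()
        self.ciphertexts = []

    def forward(self, msg: dict) -> dict:
        self.memory += msg["ksn"] + msg["ciphertext"]
        self.ciphertexts.append(msg["ciphertext"])
        return msg


class DecryptionHsm:
    """Off-site HSM of the P2PE provider: re-derives the swipe key, decrypts,
    and re-encrypts under the key shared with the bank."""

    def __init__(self, bdk: bytes, bank_key: bytes):
        self._bdk, self._bank_key = bdk, bank_key

    def translate(self, msg: dict) -> dict:
        key = derive_txn_key(self._bdk, msg["ksn"], b"DATA")
        track2 = stream_xor(key, msg["ksn"], msg["ciphertext"])
        return {"ksn": msg["ksn"], "ciphertext": stream_xor(self._bank_key, msg["ksn"], track2)}


class Bank:
    def __init__(self, bank_key: bytes):
        self._bank_key = bank_key

    def authorize(self, msg: dict) -> bytes:
        track2 = stream_xor(self._bank_key, msg["ksn"], msg["ciphertext"])
        return track2.split(b"=")[0].lstrip(b";")  # the PAN, for the issuer lookup


# Constructed keys, device ID and track data; the PAN is a published Visa test number.
BDK = bytes.fromhex("0123456789abcdeffedcba9876543210")
BANK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DEVICE_ID = bytes.fromhex("ffff987654")
TRACK2 = b";4111111111111111=25121010000000000?"


def run_transaction(pad, register, hsm, bank, track2=TRACK2) -> bytes:
    """Swipe -> register -> HSM -> bank; returns the PAN the bank recovers."""
    return bank.authorize(hsm.translate(register.forward(pad.swipe(track2))))


def demo() -> dict:
    pad, register = PinPad(BDK, DEVICE_ID), Register()
    hsm, bank = DecryptionHsm(BDK, BANK_KEY), Bank(BANK_KEY)
    pans = [run_transaction(pad, register, hsm, bank) for _ in range(2)]
    return {
        "pans": pans,                                          # what the bank recovered
        "plaintext_in_register": TRACK2 in register.memory,    # must be False
        "ciphertexts_differ": register.ciphertexts[0] != register.ciphertexts[1],
    }


if __name__ == "__main__":
    print(demo())
```

Two things follow from the model that the prose only states: the register never holds a key at all (it forwards the KSN so that the HSM can re-derive the swipe key from the BDK), so a scraper on the register has nothing to decrypt; and because the KSN counter changes per swipe, capturing one ciphertext tells an attacker nothing about the next. Real deployments use TDES keys under X9.24 rather than the HMAC and SHA-256 stand-ins here, and keep the BDK only inside the provider's HSM.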