Retail Breaches: FBI Says Remote Management Software May Be The Culprit


The software used by service providers to remotely monitor and conduct maintenance on their clients' systems is consistently being targeted by attackers, according to a leaked FBI document warning about the threat.

Vulnerabilities in remote-access software used to monitor the networks at Target and Neiman Marcus may have been at the core of the two retailers' data security breaches, in which the personal data of millions of customers was stolen during the holiday shopping season. A two-page report, obtained by The Wall Street Journal, warns that the software was exploited during a recent string of payment card hacks.

Security experts told CRN that remote monitoring software is a common target of financially motivated cybercriminals. The software is often poorly maintained and frequently contains weak and default passwords and vulnerabilities that can be exploited by malware, they said.

Solution providers should be doing their due diligence -- strengthening passwords and ensuring that system patches are tested and up to date, said Ben Goodman, president of 4A Security, a managed security service and risk management consultancy based in New York. Goodman said his system engineers use McAfee software to monitor their customers' systems.

"This is a case where the cobbler's children have no shoes; the folks that are the most at risk are not necessarily doing the best they can," Goodman said. "How many administrators out there have passwords that are totally simple and easy to guess?"

Vulnerability scanning, which must be performed quarterly, is one of the practices most commonly found lacking at retailer locations, said Aaron Reynolds, a managing principal within Verizon's PCI North America Practice. In an interview with CRN, Reynolds said retailers are often missing demonstrable evidence that identified vulnerabilities have been remediated.

"Vulnerability scanning would probably be the most challenging area," Reynolds said. "It is a quarterly process and with the threat landscape, zero-day attacks, and constant patching or lack thereof, a dynamically challenging environment is a major challenge and difficult to stay on top of."

Providers of point-of-sale systems say they constantly tap into their clients' systems remotely to help maintain and adjust systems. Jacob Bilton, a sales manager at Value Systems, a Myrtle Beach, S.C., point-of-sale reseller, said the payment processor has security policies in place to provide a way to adjust transaction errors such as duplicate payments and other system glitches. The payment terminals and the point-of-sale software are certified by the manufacturer to be validated by the Payment Card Industry.

"The software is PCI-certified so it's as secure as it can possibly be," Bilton said. "We use industry standards and take steps to maintain security. That is what we tell the business owners."
