Physical Access, Point of Sale, Vegas
Physical Access [1], as most of us know, is the final point of control. While in Las Vegas (on a well earned vacation) my wife and wandered all over. It only took around a day of being completely unplugged before my mind wandered back to 'security' land. While scoping out places to eat my partner drug us into a 'pricey' looking place (will attempt to remain nameless to protect the 'really' not so smart, however I am not a photo editor so if something slipped, I tried).
When we get into this place, at first in tourist-mode, had a lot of things designed to take my money. After spending a little bit more time in the place, I was most curious about the point of sale suite. Then I noticed, where it was placed, convenient on the floor, but the attendant not that close, distracted from the clients. It getâ??s worse, when I spending more time by the counter the attendant did even notice (as expected sadly) [2].
Â
At this point I suspected that I could easily drop a USB key or a leave behind device and decided to take a quick picture of all the ports accessible.
If you look at the photo closely:
Â
- I was not challenged by anyone
- I had plenty of time to snap a shot
- Easy access to a USB port
- Well known Point of Sale System
- Premium Las Vegas location
- Printed and taped details near device
Â
Conclusion? I paid cash (Not that it helps much, but sure did make me feel better)! Physical security and awareness of your staff regarding it cannot be missed. Reduce your attack surface anyone?
Are you picky about PoS locations now? What things have changed in your shopping habits?
Â
References:
[1] http://www.sans.edu/research/security-laboratory/article/281
[2] http://www.police.psu.edu/physical-security/what-is-physical-security.cfm
Â
Comments
I gladly contacted the company.. got a "Gee thanks" but nothing more was done, so I do not shop there.
I leave you with this question, is it not our duty to inform all to protect all? If not we are in the wrong line of edification.
Anonymous
Jul 6th 2014
1 decade ago
Anonymous
Jul 7th 2014
1 decade ago
Anonymous
Jul 7th 2014
1 decade ago
Doug
Anonymous
Jul 7th 2014
1 decade ago
Anonymous
Jul 7th 2014
1 decade ago
Anonymous
Jul 7th 2014
1 decade ago
Yes, but with a caveat. Be careful how you report when someone else's security is poop. Back before "wardriving" was a buzzword, a friend of mine fired up his laptop in a bank parking lot while his housemate was depositing a check. He happened to notice that they had an unencrypted WiFi (wait for it...) transmitting customer info in the clear. (face-palm) Being the good whitehat, he dutifully tried to track down someone in IT at the bank to let them know they had a problem. They called the FBI and said he'd attacked their network. (sigh)
Anonymous
Jul 7th 2014
1 decade ago
Yes, but with a caveat. Be careful how you report when someone else's security is poop. Back before "wardriving" was a buzzword, a friend of mine fired up his laptop in a bank parking lot while his housemate was depositing a check. He happened to notice that they had an unencrypted WiFi (wait for it...) transmitting customer info in the clear. (face-palm) Being the good whitehat, he dutifully tried to track down someone in IT at the bank to let them know they had a problem. They called the FBI and said he'd attacked their network. (sigh)[/quote]
Well, it would have not been difficult to prove their accusations were :BS: My first response.. do you see a handshake, authentication or IP address attached to this NIC/MAC, and no you may not have any device, that pesky piece of paper ie the 4th says Negative, thanks for playing.
However, duly noted :tiphat: I guess if a few more would have paid attention to a company called Max, then a huge breach might have been avoided. This was a battle I fought and lost (job) because the owners daughter at a company I worked at (controls/HVAC) would allow the techs to turn off the AV and like since it got mad a PCAP and other sniffers. Well, what happened at Target and what how did the breach happen.
And as we all know, a laptop does not have to be carried around. Those that say, oh, disable the USB in the BIOS.. not tough to get around especially when a lot of them use wireless peripherals.. oh look, snarf away. Pathetic when the arrogance of those who are ignorant take it as stupidity when it is not the same.
But in the case of your friend, alas no deed goes unpunished.
Anonymous
Jul 7th 2014
1 decade ago
Access to the endpoints (POS and card reader) should be secured anyway since it would be trivial to slip a bluetooth capable hardware keylogger inline on the keyboard or card reader for data exfil.
Universal adoption of end to end encryption on the card reader would also be nice since it would defeat keyloggers and blackpos as well.
Anonymous
Jul 8th 2014
1 decade ago
My point is that properly disabling a USB port is very easy with most modern hardware. I can envision some ignorant media reporter reading the above post and start crying "THE SKY IS FALLING! THE SKY IS FALLING!" for every USB port he sees -- meaning most any POS using hardware purchased in the last 15 years.
Lastly hardware based P2PE at the point-of-entry is the best preventative measure for all the malware described and implied in this thread. Is the offending POS using P2PE?
As a side note I would treat the USB port as a honey pot: attach a "will prosecute" warning, install an alarm and have people arested for tampering with the port – but that’s me.
Anonymous
Jul 11th 2014
1 decade ago