Friday, July 12, 2013

Retail IT Security

Introduction
In today’s world there is a lot of talk about security and big corporate businesses being hacked into and losing who knows how much information. It surprises me how many small businesses get hacked into but get no media publicity, because the impact on the general public is not as severe. Retail security lacks. This phrase says it all about our current retail environment. It is time to admit that our retail stores are most definitely a weak point for consumers’ credit cards to pass through. This is for many different reasons: the use of old hardware to cut costs, not to mention the use of hardware meant for your home in an office environment. Another issue is that normally there is no staff specifically hired for IT; upper management just does it. These upper managers cannot juggle keeping up with the daily manager duties and keeping their store secure.

Offloading to 3rd party
What managers need is a way to focus on what they do best: manage. 3rd parties are great for many IT-related tasks in retail, and these tasks can be managed quite easily. As a disclaimer, there are many technologies that corporate businesses use that retail environments do not need to manage themselves.

One very large task is a web page. Hosting a web page from your own server is no easy task, let alone keeping it up to date and functioning. Hosting a web page also opens your systems up to a whole bunch of different security vulnerabilities, which puts more pressure on the upper management that has to deal with them.

There are many functions that don’t make sense in a retail environment. The use of domain controllers and multi-tiered routing systems for a retail chain in most scenarios just doesn’t make sense. I can see why failover is important for retail, but I cannot justify the cost of setting up these systems and then having to maintain them…all from one manager.

Email is another great function to offload: instead of hosting your own Exchange services, hand them to a 3rd party. All the security issues, spam and everything else that comes with email has then been sent to a 3rd party to work on, and all management has to do is manage.

Setting up policies and procedures
I am sure managers have been able to set up a policy that makes sure their tills are always on every day…or even more than that. What I am sure many managers haven’t done, however, is set up a policy or procedure for security. If someone steals an item, what are the specific steps for reporting the issue? Do your store employees confront the felon? If you can answer these questions then take it a step further: what is your policy if your backup of all your customer info just got stolen? Do you even have systems in place to tell you the data was stolen?

It is coming to a point where retail stores, no matter how big, need someone or some service to make sure security policies and procedures are in place.

Staffing your IT department
It is probably safe to say many retailers do not have any type of IT department; they are just too expensive for retail to employ. As we have found out above, there is a need for retail IT departments. So what can retail do?

You can use professors from colleges looking for experience in the professional field. They are trustworthy and usually you can get away with not spending very much on them. They have been teaching students the things that your company needs, so they are knowledgeable and can find solutions for your retail setup.

You can use college students who are learning and need experience. You will have to look for a trustworthy person, however. They will want benefits like college tuition pay.

Securing data transfers
Data for retail is money. Your customer database is also money, which many others would like to get hold of. Secure your data inside and out. Who are the people in your company who, if they brought a flash drive to work, could grab your entire database of customers and walk out the door with it? Is there any type of system configured correctly to prevent this? When was it tested last?

Secure backups and storage physically and digitally on and offsite
Backups are a great target for hackers. They are usually stored in places that are easier to get to than the live data. If your data is stored on site, make sure to secure that closet space. Find a place to store your database server that isn’t easy for someone to walk into your offices and walk away with.

I sure hope you have a system in place that is storing your files offsite, away from your location. This is a must if a major catastrophe occurs and you still want to do business afterwards. Any offsite backup should be encrypted and password-protected with some huge password no one can ever guess. Only key people should know this password to your data. If the password is written down, then that paper must be secured also. Storing your data on someone else’s server offsite, using the cloud or some other technology for backups, is a wonderful thing, as long as you make sure it is a reputable place and your data is encrypted and password-protected before you transfer it to them. Any security they say they have should not be your only line of defense.

Small business setups vs home setups
I have seen many small retail businesses using home routers for their networks. A simple Linksys WRT54G for your routing functions is not going to be a good defense. A great way to stay in budget on retail networking equipment is to use small business hardware. There are so many options and configurations that it is too difficult to include them in this blog. To make the correct decision for your company, use a service. There are many out there that can make those correct decisions for your company.


Keeping up with technology by research and slow implementation
Old technology is a key factor in why our retail stores are not secure. What is hard for a retail business, however, is to justify the cost of newer technology. A good rule of thumb on old technology: if it isn’t receiving updates from the manufacturer, or if the manufacturer says they do not support that hardware anymore, then it is time to buy newer (not to be confused with newest). Calling the manufacturer and asking about your hardware is a great way to tell if they still support it. If they have trouble finding your hardware, that is probably a good indication you need an upgrade.

Your weakest point is the level your security is at currently
The best rule of thumb with security is this: your weakest point is the highest level your security is currently at. Even if you have some awesome SonicWall firewall and intrusion detection hardware, if someone can walk into your office and access your folder named “confidential” then that firewall did no good. This is where audits and research come in. Sometimes it even takes outsiders to point out your security issues. If I might suggest something, it would be to use the connections you have with other retail companies. I am sure you have many, and they have many also. If we were to build a community of retail managers talking about how to lock your stores down, then you would be doing exactly what everyone else is doing…figuring out solutions to problems by community effort.


Conclusion
Managers: do what you do best and manage. Find the solutions you need through community efforts and 3rd party services. Even though your efforts are not publicized like those of corporate businesses, you still have a major role in our community. You process consumer credit cards and store our personal data. When it comes down to it, that is exactly what the big guys are doing also. Keep up with security and find ways to offload your IT tasks to someone that can build your security up to standard.



I am currently an IT Manager for an amazing retail company. I have found that the best ideas come from those that specialize in that area. Even though my retail environment is small, I strive to make it just as secure as any big corporate office would.

Thursday, June 6, 2013

Passwords, hackers, hashes and defense against it all


P@sZW0rd!

This seems like a great password, correct? WRONG! This password can be cracked in as little as half an hour or less by a hacker with some simple tools. This article is meant to enlighten us on the use of passwords and their frailty at keeping our most secure personal information safe. I intend this article for reference only and will not name any actual tools the hackers use.

Hashes and their Uses:
To make things secure, programmers do not store users’ passwords in plain text. In other words, programmers don’t have an Excel spreadsheet with usernames in column A and passwords in column B. If they do…they’re doing it wrong. Instead they store what is called a hash of the password. A hash is the output of a one-way mathematical function: it can be computed from the password, but the password cannot be worked back out of it. So when you type in your password and hit “login” you send your answer to the server, and the server runs the same function on what you typed and compares the result with the stored hash. If it matches, it allows the user in; if it doesn’t, you get the “login failed, please try again”.

Hackers love Hashes
Hackers have a lot of tools to grab these hashes from servers. Some are as simple as breaking the login page with what is called an SQL injection. Other programs can “dump” the contents of the file that stores these hashes to the hacker’s own PC. Why do hackers want a bunch of seemingly meaningless garble? If they can solve these hashes they can get your password. If they can get your password they can use your account for whatever they want. If your account happens to have privileges such as administrator…they can have anything they want.

Hackers always like to boast about how many hashes they have cracked…it’s like playing Farmville to them. There are blogs all over that do nothing but post hashes that people have “collected” from somewhere, and then you get replies of “I got 34,000 of the 90,000 in 16 hours!”

How do hackers solve these hashes?
There are plenty of tools that hackers have that are already built for solving hashes. Some use attacks called “brute force,” where the program just keeps guessing combinations of letters until it solves the hash. They use brute force both randomly and in a more focused way. If the hacker knows anything about the hash and where it comes from (which they always do), they can use “wordlists” and hope that someone has made a password that relates to information about where the hash came from. Hackers can also randomly put characters together and hope for the best, with “rainbow tables.” All these tools are very easy to use, and how to use them is widely documented on the internet.
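To make the two sections above concrete (how a server stores and checks a hash instead of the password, and why a wordlist plus a few symbol swaps finds a password like the one at the top of this post), here is an added example in Python. It is not code from the original post: the wordlist is a constructed six-entry stand-in for the multi-million-entry lists described, the function names are my own, and the salted PBKDF2 storage is one standard way of doing what the post calls “storing a hash.”

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the multi-million-entry wordlists the post describes.
WORDLIST = {"password", "letmein", "qwerty", "charlie", "iloveyou", "welcome"}

# Symbol-for-letter swaps that cracking rules undo in one pass ("P@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "7": "t", "4": "a"})

# PBKDF2-HMAC-SHA256 work factor: a deliberately slow hash makes every guess expensive.
ITERATIONS = 600_000


def normalize(candidate: str) -> str:
    """Lowercase, undo leet substitutions and drop punctuation, as a cracker's rules would."""
    return "".join(ch for ch in candidate.lower().translate(LEET) if ch.isalnum())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so 'paszword' counts as one step away from 'password'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_wordlist(candidate: str, max_distance: int = 1) -> bool:
    """True when the normalized candidate is a wordlist entry or a one-edit variation of one."""
    norm = normalize(candidate)
    return any(edit_distance(norm, word) <= max_distance for word in WORDLIST)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt means equal passwords get different hashes."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Hash what was typed with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def register(store: dict, username: str, password: str) -> None:
    """Reject wordlist-like passwords, then keep only salt and hash, never the password itself."""
    if near_wordlist(password):
        raise ValueError("password is a wordlist entry or a simple variation of one")
    store[username] = hash_password(password)


def login(store: dict, username: str, password: str) -> bool:
    """The server never sees a stored password; it only recomputes and compares the hash."""
    record = store.get(username)
    if record is None:
        return False
    salt, digest = record
    return verify_password(password, salt, digest)


if __name__ == "__main__":
    users = {}
    register(users, "alice", "Lj&9liU7*i%laugh")
    print("alice login:", login(users, "alice", "Lj&9liU7*i%laugh"))
    try:
        register(users, "bob", "P@sZW0rd!")
    except ValueError as err:
        print("bob rejected:", err)
```

The point of the `near_wordlist` check is the one the post makes: “P@sZW0rd!” normalizes to “paszword,” which is a single edit away from “password,” so a rule-based wordlist run finds it almost immediately, whereas the longer keyboard sequence from later in the post is nowhere near any entry.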

Now I would like to go through some statements that I would definitely hear from others:

“My password is secure.”
I am interested in what people think is secure. If you think the name of the dog you talk about every day, plus the date he was born, is a secure password, please think again. Anniversary dates, any dates for that matter, are cracked in seconds. A laughable password is the use of special characters to form a word, like the one I displayed at the beginning of this blog. With some simple tweaking of the hacker’s program it can find those passwords in seconds. How about a sentence from your favorite book with commas, spaces and the whole thing? This can be cracked in hours by a simple wordlist made from millions of books. Now, I know of people using sequences of keys to make their password. The famous QWERTY comes to mind. I myself thought this was very secure; it doesn’t make a word or anything. Hackers have created wordlists for every key combo on your keyboard and will eventually get that one too. How about some random, long password with all the different types of symbols and strangeness to it? If you have this type of password you probably have it written down somewhere, like a sticky note on the back of your monitor or keyboard. “BUT MY HOUSE IS SECURE!” could be your argument against someone getting that sticky. Look, if someone wants into your house that badly they can find a way in. What I laugh at is the password programs that keep all your passwords in one safe spot…behind a single password. That single password allows access to all the other passwords.

“I have a password that is 15 characters long.”
These are hard to crack. There are different types of hashes, and when you get above 14 characters it forces a more secure hash to be created. Chances are you used a phrase or names to get all those characters, which, as described above, is fairly easy to crack with the right wordlist. On the other hand, you probably have it written down to remember it.

“How can someone guess a password that is so random?”
The hacker doesn’t do much of anything once they get good enough. They just run a program in different ways and let the computer do the work. The hacker doesn’t even need a powerful machine; all the hacker needs is a little creativity. Although it is true that someone with some money can buy a very powerful password cracking machine for as little as $15Gs. $15,000 is a lot for some…but when a hacker can get into some financial institution, that $15Gs can be made back in milliseconds. What they get for $15Gs is billions of passwords per second. Yes, they are trying to solve a hash they stole at up to 14 billion tries each second. To translate that a bit, let’s say your password is 8 characters long. These machines can crack that password, no matter what characters, symbols or numbers you use, in 5 hours or less. To clarify, it will take 5 hours if it has to guess your password on the last guess it tries.

“But a crack-my-password website says it will take 2 zillion years to crack my password.”
This is laughable. What this website is based on is what hackers use as a last resort, called incremental brute force. Brute force was explained earlier, but incremental does something like this: start with a and go through z, then add an a and go through to z again. So a-z, then aa-az, then aaa-aaz and so on, with every combination also including numbers, symbols and capital letters. Now a smart program that does incremental would just start in some random place, as that is better than starting at “a”: if you have no idea where to start, always start in the middle and choose randomly up or down. There are lots of other ways to try cracking hashes before they try this. The hacker will avoid this last resort at all costs. Just to make the point clear, the hacker will usually get a hit before they have to turn to this last resort.
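The two answers above give a rate (14 billion guesses a second) and a method (walk every length from 1 upward). The added Python below, which is mine and not from the post, carries that rate through for the alphabets an incremental run would have to assume, so you can see how much the worst-case time depends on length and on which characters the attacker has to include. The alphabet sizes and the “how many years do I want” target are constructed inputs for the demonstration.

```python
# Guess rate quoted in the post for a purpose-built cracking machine.
GUESSES_PER_SECOND = 14_000_000_000

# Alphabet sizes an incremental run must assume when nothing is known about the password.
ALPHABETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "letters and digits": 62,
    "all printable ASCII": 95,
}

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365 * 24 * SECONDS_PER_HOUR


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly this length."""
    return alphabet_size ** length


def incremental_keyspace(alphabet_size: int, max_length: int) -> int:
    """Candidates an incremental run walks through from length 1 up to max_length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def worst_case_hours(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Hours to exhaust the space when the right guess is the very last one tried."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_HOUR


def worst_case_years(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Same figure in years, for the lengths where hours stop being a useful unit."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def length_for_target(alphabet_size: int, target_years: float, rate: int = GUESSES_PER_SECOND) -> int:
    """Smallest length whose worst case exceeds target_years at the given rate."""
    needed = target_years * SECONDS_PER_YEAR * rate
    length = 1
    while alphabet_size ** length < needed:
        length += 1
    return length


def report(lengths=(6, 8, 10, 12)) -> list:
    """Rows of (alphabet name, length, worst-case hours) for a quick table."""
    rows = []
    for name, size in ALPHABETS.items():
        for length in lengths:
            rows.append((name, length, worst_case_hours(size, length)))
    return rows


if __name__ == "__main__":
    for name, length, hours in report():
        print(f"{name:22} length {length:2}: {hours:>16,.2f} hours worst case")
    for name, size in ALPHABETS.items():
        print(f"{name:22}: {length_for_target(size, 100)} characters to exceed 100 years")
```

Eight letters and digits come out at about 4.3 hours at the quoted rate, which is the post’s “5 hours or less”; adding the remaining printable symbols pushes the same length past five days, and four more characters pushes it past a million years. That sensitivity to length is why the later advice about 14-plus-character sequences matters more than any single clever symbol.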

Why is this so scary?
To gain access to any system, all a hacker needs is ONE username and password. The hacker will always go after a user name with the most privileges (admin or root). All they need is to get one of these accounts to start their work. After they gain access…they get to have even more fun. Now, this relates to some system that is usually company owned and has lots of users on it. Personal accounts (Gmail, Facebook, LinkedIn) are still targeted. If someone gained administrative access to a LinkedIn server they could find a list of user hashes on it. Your personal password could be one of those hashes. So it all comes back to the customer in the end.

What do we do then?
Unfortunately we as consumers can’t do much. We have to wait for our supplier to work things out and find ways to combat this. The high hope is that the suppliers are the only ones that have these admin rights/privileges and that they understand the importance of strong passwords. There are some groups doing great things. Two-factor authentication is becoming a great way to combat this. How two-factor essentially works is that there are different ways you can tell the system you are who you say you are. These factors answer one of these three questions:
  • What you know
  • What you have
  • What you are
Since passwords are “things that you know,” there has to be a second question answered for it to become two-factor authentication. Google has done this well with their Gmail accounts. They now allow these two factors by answering “what you know” and “what you have”: you enter your password and then a code from your phone. To finish this idea, “what you are” can be answered by fingerprints or retina scans.
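The “code from your phone” factor described above is, in the common case, a time-based one-time password: the phone and the server share a secret at enrolment, and each 30-second window yields a fresh six-digit code that only someone holding the secret can produce. Here is an added Python example of both halves (phone-side code generation and server-side checking); it is not Google’s code or anything from the post. The algorithms are the published HOTP (RFC 4226) and TOTP (RFC 6238) ones, the secret used in the demo is the RFC 6238 test key (a constructed value, not one to deploy), and the issuer and account names are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30  # how long one code stays valid
DIGITS = 6         # code length shown on the phone


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation: last nibble picks the window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based variant (RFC 6238): the counter is the number of steps since the epoch."""
    return hotp(secret, at // step, digits)


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// string that authenticator apps read from a QR code at enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server side: accepts each code once, within a small clock-drift window."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window        # steps of drift tolerated either side of "now"
        self.last_counter = -1      # highest counter already accepted, to block replay

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        counter = now // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # that step's code has already been spent
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key); real enrolment generates a random one.
    secret = b"12345678901234567890"
    print(provisioning_uri("ExampleShop", "alice", secret))
    now = int(time.time())
    code = totp(secret, now)          # what the phone would display right now
    checker = TotpVerifier(secret)
    print("first use accepted:", checker.verify(code, now))
    print("replay accepted:", checker.verify(code, now + 5))
```

Two server-side details are worth noticing: the comparison is constant-time, and the verifier remembers the last counter it accepted, so a code that was intercepted and resent inside the same 30-second window is refused even though it is still “valid” by the clock.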

What do we have left for a defense then since passwords are not secure?
Since we are stuck with what we have and have no way to make it different, we should find the best way to make our passwords harder than the other guy’s. This is a theory I like to call “Better than your neighbor.” If a potential burglar wants to get into a house on the block, they will choose the easiest door. The easiest door usually is the one that is unlocked or partially open. Now think: if you have a dog, an alarm, a fence, a dead bolt…it deters the confidence of the burglar, who looks elsewhere…most of the time. Burglars usually are not that smart. Think of it: if they were smart, why would they be robbing? They could make money a lot more easily than by robbing a couple of places. Now, it is true we have those shady people that like to do it just to have fun. These people we have to watch out for, because they take all these obstacles as a challenge and enjoy the more challenging ones. Also, to cover the bases, I guess you can say there are exceptions to the above statements. You can have a smart burglar.


What are some pointers to creating a good password?
With companies still enforcing passwords, I guess the best thing we can do is make it at least somewhat hard for them. Here are some pointers:

  1. Passwords:
    a. Of all the ways to create a password, sequences seem to throw off hackers a lot. Find a way to sequence your passwords on the keyboard using letters, upper and lower case, numbers and symbols. So maybe something like this for linkedin.com: “L” for the first part of the website name (linked), then count left 2 “j”, then up 2 “&”, then right 2 “9”, then down 2 “l”, then use “i” for “in” (the second part) and go left one “U”, up one “7”, right one “*”, down one “i”. Then to finish it off put something random like “%laugh”. The entire password together would look like this: Lj&9liU7*i%laugh
    b. You may laugh at this, but that will almost never be cracked…and the above 14 characters is met (more secure hash) and you don’t have to write it down. Notice the use of the shift key is every other one.
    c. Now I am going to get some reader saying “OK, I will do it exactly like that above…” Please be creative and at least think how you can personalize this sequence. At least change the numbers or the direction of your sequence. I would suggest coming up with a new password scheme altogether, as some crafty hacker/programmer has already trolled this website and put my above scheme, and any other scheme that relates to it, into a wordlist just in case…which he will use if he has to.
    d. Create a DIFFERENT password for all websites you sign into. If your password is cracked, then the first thing a hacker will do is use this password on all the other websites you go to.
    e. I would like to pause here and just say that a hacker isn’t doing a lot of work here. Someone did a ton of work creating a program to do all this digging into a personal life and just hands the program over to other hackers. All they do is run programs and let the program do all the work. So when you think “man, these hackers get personal,” just remember they aren’t doing much work…just letting a program do it all for them. ** It may be true that some hackers out there do some manual things…but I think you get this: “exceptions always happen in life.”
  2. Passphrases: As a side note, these passphrases are starting to become the target rather than the password hashes. They are easier by the fact that the hacker gets to see details (the questions) of what the answer could contain, which makes it easier for the hacker to gain access to the account.
    a. Do not use the correct answer to the question. If the question is “What was your favorite pet’s name?” do NOT answer the question…at least not directly. If your pet’s name was “Charlie,” please, oh please, do not use this. A keen hacker that is focused on you will get to know you very well, and if anything is on the internet it will be personal details about your life…especially that of your favorite animal. I have heard: use something that isn’t even expected…like the words “telephone bike” or something random that cannot be guessed. As you notice, telephone and bike have almost nothing in common, and no one in their right mind would think your favorite pet’s name is related to telephone or bike…



Conclusion:
  • Please, tell all your neighbors, tell your friends and family about “safe” passwords. The more people know about this the better we all get. We live in a community that survives by people telling others of hazards.
  • Please tell them to put “safe” passwords on their wireless. Please put a “safe” password on the configuration page of your router, as well as a DIFFERENT good “safe” password for access to your wireless network.
  • Use password-protected sharing on all your files and folders inside your network…yes, even on your trusted iTunes shared folder on your Drobo or NAS.
  • Use a good “safe” password on your cloud storage. This is a big target as it houses all your personal financial data.
  • Do not think that your home “firewall” can block intruders from accessing your PC. All it takes is one email or one exploit (some malicious piece of code that uses vulnerabilities in software to gain access to your PC) to get into your PC behind a firewall. Use the next two bullet points to guard against this.
  • Use an antivirus. There is some debate on whether they really do a good job. I say the freebies do a lot. The freebies (like AVG Free, MSE, etc.) at least block known bad places and can even tell you that you are accessing a bad website. It is better than nothing. I personally enjoy Webroot Endpoint. It is not free, but they do a great job and there is very little that can get past them, as they do a ton more than the freebies, such as automatically updating the clients against any exploit that has just barely dropped into outsiders’ knowledge (zero-day exploits).
  • Do not click on anything when you don’t know where it will take you. Popups, stray emails, banners (those flashing “free screensaver!” things), anything saying “click here” without a reference to where “here” is.


I hope this helps everyone. I truly hope I have shouted this loud and clear. I have done lots of research…but as always there could be some kind of mistake out there…Who can say they haven’t made a mistake?


Some after notes:
I refer to hackers as a HE…there are SHEs. I don’t get why, but this he/she bit gets some people angry. Any English book will state that the word “He” can be used in a non-gender-specific setting. The same goes for all the other languages in the world. If you are speaking to the general public and you even have the inclination that someone out there could be male, then you always address the group as a HE audience, not a she… If I offend…just remember what they say about “taking offence”…I am not to blame.