Loading Dock Chaos: CIO Had No Idea What His Passwords Could Do
“I think this demonstrates that security is much more than password protection, PCI compliance and intrusion detection—much more,” said Jerry Sheldon, an analyst with the IHL Group. “There is a huge education effort that has to be invoked here. Imagine if someone with nefarious intentions were trying to do harm. I can only imagine the havoc that someone could create in the supply chain after accessing this site: canceling shipments, rerouting stuff, etc.”
It appears that the system was not capable of changing or rerouting products, but it could change the information in the supply-chain system, which would change expectations. Consider a truck driving to a distribution center in Austin, Texas, loaded with 20 pallets of air-conditioners that are slated to arrive on Thursday at 4 PM.
A change in this system wouldn’t likely reroute that truck. But if the distribution center crew looks up what’s coming and someone has changed the expected time of the shipment to Friday at 9 AM, that could be almost as bad. The crew isn’t ready for the truck when it actually arrives on Thursday, or it wastes time on Friday waiting for a truck that isn’t coming.
Walt Conway, a QSA for 403 Labs and the PCI columnist here at StorefrontBacktalk, said this incident raises a wide range of security issues.
Referring to it as a “case of credentials left in the open for whatever reason that can be used to your detriment by a bad guy, it also reminds me of the Verizon breach report findings that it is the ‘unknown unknowns’ that hurt you. That is, the unknown places you have confidential [payment card] data that you did not even know existed,” Conway said.
The biggest fear, though, is that these types of attacks can happen so quietly, IT might not even be aware of it. “If a bad guy could get this access, what else could he get? That is the big question. It might not be obvious today or even next week. Bad guys are patient. With access to a supply-chain system, the bad guys can capitalize on it to hijack. Think if this were Apple with iPad2s. They could also do any other manner of mayhem a competitor might want to inflict. To me, the idea of a competitor having free access to my IP space is kind of scary,” Conway said. “A real bad guy could potentially use this as the start of a probe/penetration test for real and see how far they can get into the internal systems like E-mail (spear phishing), HR (PII), marketing (card data), treasury (banking info and maybe credentials), etc. And the company would be the last to know. Seems a bit disturbing to me.”