Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Guidance for firms using the NetAccess N-1000

SpiderLabs' Incident Response team has recently seen credit card fraud involving the suspected compromise of a 'drop in' transaction processing devices in the Asia Pacific region. Specifically, we have seen issues with the NetAccess N-1000 Transaction Concentrator, payment processing middleware that is widely deployed across region. Based on what we have seen we have issued the following guidelines for any firm using the device.

Despite its 'drop in' nature, the N-1000 uses Windows XP as its underlying operating system. As such, the device needs to be treated with the same security hardening processes that you would use for any other Windows system in your business. The device's flaws highlight the risks of having vendor-deploy equipment in the sensitive and critical parts of your business.

At a minimum we recommend the four basic security practices outlined below. These are the same security controls we would recommend for all devices handling credit card data and we often find the failure of one or more of these controls when investigating fraudulent activity.

1. Restricted Network Access

The N-1000's role sees it placed at the border of a payment processor's network, handling transactions from devices installed at merchant premises. Typically the device will sit on the public Internet or a semi-public GPRS network. By default the device exposes a number of services, including Windows-specific ones (e.g. 139 and 445) and web service running an administration interface. As a result it is critical that it is placed behind a well-configured firewall.

Deploying any device on the boundary of your network increases your potential 'attack surface'. This problem is further exacerbated by many appliance-type devices not openly advertising what ports and services they expose. Firms can regain some control by ensuring ports are only opened on firewalls 'as needed', and using vulnerability scanning and penetration testing to get an external, independent, view.

2. Timely Application of Patches

Due to the N-1000's reliance on Windows XP it will suffer from a number of well-documented security flaws if left unpatched. The N-1000 devices we have seen have been installed by third-party vendors and have not been included in the normal patch management processes. This has resulted in devices that can be easily compromised by common hacking tools.

Unpatched systems are a common enough problem in most organisations, even when equipment isn't outside the normal patching process. Once again, regular vulnerability scanning across your internal infrastructure will give you the best chance of picking up devices that may have been left unpatched.

3. Strong Password Practices

Like most IT systems, the N-1000 relies on complex, non-guessable, passwords to protect both its Windows OS accounts and the administration web interface.

Trustwave has investigate many credit card fraud incidents that have ultimately been due to third-party implementers using weak passwords or reusing passwords across numerous clients. It is important for firms to regularly audit both the access and the security of passwords on these systems.

4. Appropriate Logging

Lastly, the N-1000 needs to be configured with comprehensive and secure logging. While the device has the ability to keep both Windows Event and application logs, it stores these logs in volatile memory (RAM). This means they need to be regularly transferred off the device if they are not to be lost at reboot. The N-1000 also receives, and has the ability to log, various pieces of sensitive transaction data, including Card Holder Names, Card Numbers and Track 2 data. Firms using the device should ensure it is not logging this sensitive information, particularly the Track 2 data. Capturing Track 2 data provides everything necessary to 'clone' a credit card and due to this storing it both violates PCI-DSS and provides an appealing target for attackers.

Investigations into security incidents and suspected fraud are often stymied because of a failure to keep adequate logs from key devices. However logging everything is often just as bad as not grabbing enough, particularly when sensitive information like card holder is stored and becomes easily accessible.

To recap, firms need to remain vigilant of the types of security weaknesses that can be introduced by 'drop in' appliances, like the NetAccess N-1000. To avoid sensitive customer details being compromised, Trustwave recommends that organisations ensure all devices deployed in a business have basic security controls configured, no matter who did the initial install and configuration. A regular programme of security audits and assessments will help confirm these controls are in place.

Latest SpiderLabs Blogs

Hunting For Integer Overflows In Web Servers

Allow me to set the scene and start proceedings off with a definition of an integer overflow, according to Wikipedia:

Read More

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More