Home Depot, Target Breaches Exploited Old WinXP Flaw

The massive security breaches and theft of credit card information at The Home Depot and Target have something in common. Both were made possible by a vulnerability in XP Embedded that was more than 10 years old!

The XP Embedded version used in their POS systems (yes, both definitions apply) was Win XPe SP3, which is not the last version of the XP-based embedded OSes. This whole disaster could have been avoided if Target and Home Depot had upgraded to Win7 for Embedded Systems. Internal IT security people knew about this and told their friends and relatives to pay cash at Home Depot. OUCH.

Malware written specifically for embedded XP systems reared its ugly head in the middle of the last decade. It uses a technique called "RAM scraping", as WinXP has relatively weak memory access protection. Win 7's memory protection is much better.

This means that once malicious code is inside the XP box, it can pretty much do what it wants. RAM scraping is how hackers stole credit card data from TJ Maxx stores, Office Max, Barnes & Noble, Sports Authority and several more.

Moral of the story? Despite brutal economies, increased worldwide competition, and demanding shareholders who only look at short-term quarterly numbers, skimping on IT security budgets is a Really Bad Idea. And oh, using whitelisting software on those XP-based POS machines would also have prevented this type of attack. Incredible, no? More at

And as expected, cyber thieves are now raiding bank accounts via stolen Home Depot data, and there is a spike in PIN debit card fraud. The fact that it is still possible to use customer service or an automated system to change someone else’s PIN with just the cardholder’s Social Security number, birthday and the expiration date of their stolen card is "remarkable", to say the least. Brian Krebs explains how this is done:

