Aloha point-of-sale terminal, sold on eBay, yields security surprises

Breaches involving point of sale (POS) systems in retail stores and the hospitality sector are all too common, and Aloha POS has been mentioned on this blog in some past breaches. Now Jeremy Kirk reports:

Matt Oh, a senior malware researcher with HP, recently bought a single Aloha point-of-sale terminal — a brand of computerized cash register widely used in the hospitality industry — on eBay for $200. Oh found an eye-opening mix of default passwords, at least one security flaw and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system. […]

“What we found was that the overall state of security of the system was very poor,” he wrote in a blog post describing his analysis.

Read more on Computerworld.

Possible security breach affecting members of the Waipahu Aloha Clubhouse

A statement from the Hawaii Department of Health:

For Immediate Release: October 25, 2012 12-052

POSSIBLE SECURITY BREACH AT WAIPAHU ALOHA CLUBHOUSE
Department of Health advises consumers to take precautionary action against identity theft

HONOLULU — The Hawai‘i State Department of Health (DOH) is notifying members of the Waipahu Aloha Clubhouse of a possible security breach in a computer file that stored personal information on Clubhouse members. The breach was discovered on September 25, 2012, when an employee observed unusual activity on a computer suggesting that someone may have been remotely accessing it without authorization.

“We very much regret that this incident occurred and the impact it may have on our Waipahu Clubhouse members,” said Dr. Bill Sheehan, Chief of the Adult Mental Health Division. “As soon as we discovered this possible security breach, the department acted quickly and ordered a forensic examination of the computer. Although we have no evidence of the information being used for a wrongful or unlawful purpose, the department is taking every precaution to notify all those affected. Immediate steps were also taken to prevent this from reoccurring.”

Approximately 600 former and registered members of the Waipahu Aloha Clubhouse are being notified by mail of the possible security breach. The Clubhouse, located at 94-091 Waipio Point Access Road, serves adults living with severe and persistent mental illness and provides daily activities and programs to support individuals on their journey to recovery and self-sufficiency.

Information contained on the computer dated back to 1997 and included Waipahu Aloha Clubhouse members’ names, birthdates, addresses, phone numbers, consumer record numbers, and some social security numbers. No medical records were stored on the computer. To date, DOH is unaware of any illegal activity resulting from the information breach.

“Many of the affected Waipahu Aloha Clubhouse members may have changed their mailing addresses since registering with the program as far back as 1997. Because we may not be able to reach these families by mail, we hope the public will help us to get the word out,” said Dr. Bill Sheehan.

All Waipahu Aloha Clubhouse members are advised to place a fraud alert on their credit files and notify the police if they find any suspicious credit activity. Anyone needing further information may call the DOH Adult Mental Health Division toll-free at 1-866-890-6394. Helpful website resources on identity theft include www.hawaii.gov/dcca/quicklinks/id_theft_info/ and www.consumer.gov/idtheft/.

Clubhouses are a program of the DOH Community Mental Health Center System. The System provides comprehensive, coordinated, integrated, and culturally competent mental health services to individuals 18 years of age and older with severe and persistent mental illness. Currently there are eight active Clubhouses providing critical services in Hawai‘i, and more than 300 worldwide.

###

h/t, Star Advertiser

Risky business: Remote Desktop opened the door for Aloha hackers

When nine restaurants in Louisiana and Mississippi filed lawsuits against Radiant Systems and its Louisiana distributor, they may have represented only the tip of a substantial iceberg of hacks affecting restaurants that used Radiant Systems’ Aloha POS system. It seems that the scope of the problem is first coming to the public’s attention approximately one and a half years after the hacking incidents started.

Breaches in Other Parts of the Country

During a two-month period in late 2008, a Spicy Pickle franchise in Michigan was hacked and 150 customers’ card data were stolen and misused. The franchise closed in June 2009, reportedly unable to recover from the loss of customer confidence after the breach. At around the same time in 2008, Ted’s Cafe Escondido in Oklahoma also reported being hacked.

Although both breaches were reported at the time on PogoWasRight.org, the POS system they were using was not reported in the media. Unbeknownst to me at the time, a forum member on FoodService.com commented on both breaches by noting both restaurants used the Aloha system. There was no indication in the forum member’s report, however, as to whether the restaurants had removed any remote access software that was suspected of creating the vulnerability to hacks or whether the restaurants had used commercial grade firewalls.

Hacks Started in Early 2008

Also flying completely under my radar at the time, in December 2008, WKZO News reported this about the Spicy Pickle hack:

Co-owner Terry Henderson says the FBI’s been investigating fraud cases across the country for seven months and they were just the latest victims. “There’s a similar thread to all of it and it keeps leading to one particular software manufacturer,” says Henderson, adding that he’s not at liberty to say which manufacturer that is. “It’s a popular software that’s used by thousands of restaurants throughout the country.”

Continuing to work backwards to see what else I had missed, I found that in August 2008, WAFB and the Associated Press had reported that a rash of hacks involving Louisiana restaurants began in March 2008. And although Aloha’s name did not appear in any media reports on affected restaurants, when the Secret Service met with Louisiana restaurateurs in August 2008, they may have specifically mentioned the Aloha system. Another poster on the FoodServices.com forum wrote on August 19, 2008:

I spoke to someone who attended the meeting outlined in the Associated Press article. The meeting was set up by the Lousiana (sic) Restaurant Association and was attended by the Secret Service agent on the case, a US Attorney and a represtative (sic) from Visa. During the meeting it was presented that the 15 breaches occured (sic) were all Aloha POS systems. It was stated that he hackers were able to breach the systems as the Remote support software were all using the same User Name and Password (this is against PCI requirements). The hackers installed a “sniffer” program that would capture credit card data on the Local LAN (ie private network).

So it seems as if suspicions about Aloha were being raised over a year ago but were not specifically mentioned in media coverage.

Radiant’s Response

In August 2008, within days of the Secret Service and Visa representatives meeting with Louisiana restaurateurs, Aloha sent a data security alert to its customers. The alert said, in part:

Radiant Systems has been working with Visa on an emerging issue that could cause POS systems to be compromised. The specific vulnerability is related to Remote Desktop being enabled on BOH servers, POS terminals, and routers, which may allow intruders to gain access to POS systems. Once intruders gain access they could install malware such as packet sniffers to capture card holder data.

Remote access to POS systems is critical to supporting sites, but can also provide a method for unauthorized users to obtain access to systems and potentially sensitive credit card data. Configuring and managing access to POS systems is extremely important.

The alert then provided specific steps Aloha clients should take to configure their systems securely including:

Disable Remote Desktop on routers, BOH servers, and POS terminals, if this remote access tool is not used to support the site.

Use Command Center as the single means of remote access for Aloha POS systems to ensure the highest level of site security. Command Center has a number of inherent features that significantly increase your ability to support sites, and also significantly decrease the risks associated with accessing sites.

Alternative measures were described for those who chose to leave remote access tools enabled.

Their alert may well have prevented more restaurants from being hacked, but may be small comfort to the allegedly many restaurants who had already suffered hacks resulting in lost business, fines by Visa and Mastercard, and the cost of forensic audits and IT consultants. Whether the juries will agree with the restaurant-plaintiffs or with Radiant Systems remains to be seen, but it would seem that some jurors are in for a real earful on security.

MLB to investigate Shohei Ohtani medical record leak

Ryan Falla reports:

Just days after LA Angels signed Shohei Ohtani we began to see news regarding a surprise revelation; Shohei Ohtani is dealing with a minor UCL sprain. […] Reports that the MLB is investigating this matter began with Buster Olney breaking the news on Twitter the morning of December 14th. There’s no reason to assume the leak came from a rival ball-club, but at the same time it’s hard to imagine anyone outside the MLB would leak Ohtani’s medical records.

Read more on Halo Hangout.

There are just so many possibilities here that until the investigation is concluded, it’s hard to know how to code this one at all. Is it an insider at a club? Did a club get hacked? Did someone shoot off their mouth at home about something that should have remained confidential? We’ll have to wait to learn more…

Update on Wendy’s breach

Wendy’s issued its first quarter report for 2016 this week, and a section of its press release on the report addresses its data breach:

Update on investigation into unusual credit card activity

As previously reported, the Company engaged cybersecurity experts earlier this year to conduct a comprehensive investigation into unusual credit card activity at some Wendy’s restaurants. Investigation into this activity is nearing completion.

Based on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015. These findings also indicate that the Aloha point of sale system has not been impacted by this activity. The Aloha system is already installed at all Company-operated restaurants and in a majority of franchise-operated restaurants, with implementation throughout the North America system targeted by year-end 2016.

The Company expects that it will receive a final report from its investigator in the near future. The Company has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants. The Company continues to work through a defined process with the payment card brands, its investigator and federal law enforcement authorities to complete the investigation.

Based upon the investigation to date, approximately 50 franchise restaurants are suspected of experiencing, or have been found to have, unrelated cybersecurity issues. The Company and affected franchisees are working to verify and resolve these issues.