Is Target a Victim of SSL Accelerators?

The recent retail chain exploits have caused millions of personal and financial records to fall into the wrong hands. There are many theories on how hackers have been able to obtain this data from seemingly secure networks. In my opinion, there are several clues that make the recent data loss at retailers like Target unique. For example, in a typical database theft, a specific date range for the lost records is unlikely to come into play: a hacker tapping into a central financial database would typically either hijack the whole database or a chunk of records that wouldn’t necessarily be sorted by date. The fact that Target called out customers who shopped during a specific date range (i.e., just after Thanksgiving until December 15th) indicates that the breach had to come from a virus with access to real-time data. Many reports indicate that the virus may have been installed on the payment terminals. In this way, as customers swiped their credit cards, the virus could capture the data and then somehow send it out of the network and into the hackers’ hands. This could also explain why email addresses were considered stolen during this hijacking. Have you ever been asked at the cashier to have your receipt emailed to you? This is a perfect opportunity for hackers to capture your email address as well.

I have a theory on how this happened that differs from what is commonly being reported, but it could just be the answer. It may seem far-fetched, but indications are that this is exactly how the NSA tapped into Google’s secure data transfers. If the NSA would use something like this, why wouldn’t hackers? The vulnerability lies in a technology called “SSL Offloading” or “SSL Acceleration”.

First, a little background is needed to understand what SSL Acceleration is. SSL is one of the de facto standards for transferring encrypted data over a network. Encryption is, put simply, scrambling data so that it cannot be read while it is in transit from one point to another. For example, data leaving the payment terminal at Target is encrypted so that the banks can validate the payment. In addition to scrambling the data, SSL protects it from being modified in transit.

The process of scrambling (encrypting) data and unscrambling it when the other end receives it is time-consuming. It also taxes the computers themselves, because they have to run complex algorithms to perform the encryption. This is where SSL Acceleration comes into play. SSL Accelerators are dedicated pieces of equipment whose sole purpose is scrambling and unscrambling data so that they can present unencrypted “plain-text” data to the servers that need to process it. This offloads the burden of decrypting data from the server, since the equipment has already done it ahead of time.

So what’s the problem? Since SSL Accelerators are typically separate pieces of network equipment, the data has to travel in “plain-text” over a wire to the server, a perfect situation if you’re a hacker. Why attempt to install a virus on thousands of terminals when you can infect the set of core servers responsible for processing the data coming from those terminals? All the virus has to do is sniff the network interface that connects the server to the network and read the data as it comes in from all of the terminals. In this case, the data would be completely readable, thanks to the SSL Accelerator having performed the decryption ahead of time. It is thought that the NSA tapped into Google in much the same way: the agency simply tapped into the data on the unencrypted, plain-text side, after it had left the SSL Accelerator.
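The post names no particular product, so as an added example (not from the original post) the following nginx configuration shows the two deployment patterns side by side: the offload pattern described above, where traffic behind the terminator crosses the wire in the clear, and the re-encrypting alternative, where the terminator opens a fresh, certificate-verified TLS session to the backend so a sniffer on that segment sees only ciphertext. Host names, addresses and file paths are placeholders, and the two `server` blocks are alternatives, not meant to be deployed together.

```nginx
# Pattern 1 (the weakness described in the article): TLS is terminated on the
# offloader and the hop to the application server is plain HTTP.
server {
    listen 443 ssl;
    server_name payments.example.internal;      # placeholder
    ssl_certificate     /etc/ssl/front.crt;      # placeholder paths
    ssl_certificate_key /etc/ssl/front.key;

    location / {
        # Anything on this segment (or on the server's interface) reads
        # card data unencrypted.
        proxy_pass http://10.0.0.20:8080;
    }
}

# Pattern 2 (hardened): still offload the client-facing TLS, but re-encrypt
# to the backend and verify the backend's certificate against an internal CA,
# so the offloader-to-server wire never carries plaintext.
server {
    listen 443 ssl;
    server_name payments.example.internal;
    ssl_certificate     /etc/ssl/front.crt;
    ssl_certificate_key /etc/ssl/front.key;

    location / {
        proxy_pass https://10.0.0.20:8443;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        # Refuse to talk to a backend that cannot prove its identity,
        # otherwise a device in the middle could present any certificate.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/internal-ca.pem;  # placeholder
        proxy_ssl_server_name on;
        proxy_ssl_name backend.payments.internal;              # placeholder
        # Optional mutual TLS: the backend can in turn require that only
        # the offloader connects to it.
        proxy_ssl_certificate     /etc/ssl/offloader-client.crt;
        proxy_ssl_certificate_key /etc/ssl/offloader-client.key;
    }
}
```

Re-encrypting adds a second handshake per connection, which is the cost the offload design tried to avoid; session reuse between the terminator and the backend keeps most of the saving while closing the plaintext segment.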

An additional benefit of this type of hack is that it makes it much easier to get the data out of the network. For example, the central payment authorization servers are far more likely to have access to the internet than a store terminal, which should have restricted internet access and may only be able to reach a specific payment authorization gateway. Getting the data out is the other crucial step in this type of hack, and this technique makes it far more feasible.

So what does the data stream look like without an SSL Accelerator? It’s completely encrypted from the terminal all the way up to the software that processes it on the server. A virus sniffing the data as it enters and leaves the server only sees a random-looking stream of bytes, and users’ financial data is safe. Does this mean that SSL Accelerators are a bad thing? I don’t think so, as they may be a necessity for now, but it does call into question how they are being used across the most secure networks.


Paul Martini, founder and CEO, iboss Network Security


