Appalling Negligence: Decade-Old Windows XPe Holes Led to Home Depot Hack

In the wake of a stunning data breach at America’s largest home improvement retail chain, The Home Depot, Inc. (HD), a troubling picture of negligence is slowly emerging.  Both Home Depot and Target Corp. (TGT) — whose registers were compromised last December — appear to have fallen victim to a decade-old exploit of Windows XPe.
What’s more, these losses — which may total as many as 100 million customer credit and debit card numbers — could have likely been prevented by simply paying to upgrade to a more modern Microsoft Corp. (MSFT) operating system, such as Windows 7 for Embedded Systems.  But since Target, Home Depot, and others have refused to protect customers, customers are now paying the price.  Banks are scrambling to try to control the damage of these massive intrusions perpetrated by hackers in Russia and Ukraine.  But much damage is already done and will yet be done due to retailers’ appalling technical negligence.
I. Windows XPe — The OS Behind Retail’s Credit Card Breaches
This week Brian Krebs, a top security researcher affiliated with The Washington Post, wrote in his blog Krebs on Security fresh details of a hack that potentially compromised millions of Americans’ credit cards.   Mr. Krebs had broken word of the hack last Tuesday, writing that it appeared to be the work of Russian hackers. Now he’s offered up fresh details on the malware they used to siphon credit card numbers (CCNs) from checkouts at Home Depot.
The hack was first noticed sometime in the last month or two, after bank fraud prevention specialists began to notice a recurring pattern of fraud correlated with customers who had shopped at the retail giant.

In need of repairs: outdated software at America’s largest home improvement retailer led to yet another loss of millions of customers’ credit card numbers. [Image Source: Reuters]
The new report reveals that Home Depot’s registers — most of which are believed to still be running the aging point-of-sale versions of Windows XP or a derivative — were infected with a kind of malware which was also installed on registers during the massive Dec. 2013 hack of Target.
To understand this malware, it’s crucial to first understand its host — a badly aging Microsoft operating system, that’s behind the times security-wise, but still broadly used in the world of retail.  The OS in question is a derivative of Windows XP, one of the most popular consumer OSes in history.  
The version used by retailers is known as Windows XP Embedded (aka Windows XPe).  It launched a month after the consumer version of the 14-year-old OS, in Nov. 2001.
According to Wikipedia, Home Depot was indeed using the original Windows XPe Service Pack 3 (SP3) on its point-of-sale (POS) devices (registers, in layman’s terms).  The Wikipedia article reports that the chain uses the “Zune” theme, which Microsoft released in Nov. 2006.  The theme features dark grey window tops and an orange Start button, a departure from the standard green Start button in Windows XP/XPe.
Target was also believed to be running the same aging OS — Windows XPe SP3 — on its PoS hardware.  A Jan. 2003 press release from Microsoft rather ironically mentions both retailers in the same paragraph, indicating they adopted the OS late in 2002.  It writes:
Retailers taking advantage of Microsoft .NET-enabled solutions include Rite Aid Corp. and Metro Cash & Carry, which are equipping retail stores with point-of-sale (POS) systems based on the Windows® XP Embedded operating system; Target Corp., which plans to deploy Windows XP Embedded in its Target and Mervyn’s Stores; Best Buy Co. Inc. and 7-Eleven Inc., which are using Windows XP Tablet PC Edition in their corporate and store operations; and, most recently, Home Depot Inc., which has chosen to update its store point-of-sale terminals with Microsoft technologies because of their high degree of flexibility.
That sentence is painfully ironic today, as it ultimately reveals the root of one of the biggest successful cybercrime campaigns in recent history.
II. No Shame In Their Game
To be fair to both Home Depot and Target, when they adopted Windows XPe it was the best available solution.  It should also be noted that even today the two major Windows XP-based Microsoft embedded operating system releases continue to dominate the point of sale (PoS) infrastructure of American retail.  In other words, Target and Home Depot aren’t exactly alone.  What happened to them could have happened to, and could yet happen to, most large American retailers.
That said, just because everyone is using it doesn’t make it any less foolhardy; the fact is that Microsoft has released three generations of new embedded OSes since the last XP-based embedded release, Windows Embedded 2009.  Retailers simply refuse to use them, and in doing so effectively refuse to protect customers.
The decision to cling to Windows XP-based OSes has received a fair deal of noisy criticism in information technology (IT) circles.  IT specialist and sometimes blogger Harry Brelsford wrote in his SMBnation blog a number of posts criticizing retailers clinging to Windows XP.  
Mr. Brelsford has been working with fellow small-to-midsize business (SMB) IT employees on a project called the “Million Mile Tour”, affiliated with the site.  A decade ago he and his cohorts conducted the first Million Mile Tour, a nationwide OS evangelism mission to promote Windows XP.  Now they’ve embarked on a similar effort to try to push businesses to finally move on.
In a November post entitled “Show Us Your XP!” he sought to shame Home Depot and others into upgrading, posting a picture of the home improvement chain’s registers running the aging OS.  

Home Depot’s registers still mostly use Windows XPe. [Image Source:  Harry Brelsford] 
In a Dec. 2013 follow-up entitled “OMG 76% IT Pros still running Windows XP*” he bemoans the results of a Spiceworks study which indicated that 76 percent of IT professionals are still using Windows XP somewhere in their company’s and clients’ infrastructure.  He calls the study results “sadly accurate” and summarizes the reasons given as procrastination at best and outright greed at worst, writing:
Bottom-line is that it all amounts to an unexpected delay in upgrades. Reasons cited for the delay (procrastination wasn’t an allowed response :) ) include lack of budget, time and resources. Application compatibility ranked last on this excuse list.
But those complaints have fallen on deaf ears.  In a bitter piece on the Home Depot hack, Mr. Brelsford writes:
A year ago last Fall, I predicted the end of the world was near. I was on a Windows XP migration mission to seek and destroy legacy XP assets. My pillar message was the security threat. My secondary messages focused on productivity, getting to modern, economic incentives and compliance matters. I used a few examples from the field. One of my “tales from the trenches” concerned Home Depot. As you might know by now, earlier this week, Home Depot reported a massive security breach exposing over 70 million customer payment cards to hackers. In the Krebs report, please pay close attention to the Windows XP conversation.

I told you so. The picture I have taken reflects a late Saturday night last Fall when I was running an unexpected errand. The location is the Home Depot store in Poulsbo, Washington. I had to purchase some quick dry concrete for my son’s Eagle Scout project – he was building a bird blind to view coastal fowl. At check out, I snapped this pic and was confronted by the lady in the background. After a brief chat, she understood I was trying to document Windows XP installations. I told her there was no way that Home Depot could meet the April 8th deadline for Windows XP end-of-support. We parted ways as friends.

Fast forward the movie nearly a year. Home Depot has been hacked. Top management better be floating resumes around LinkedIn if you know what I mean – join former Target execs LOL.

What’s sad is that (a) this didn’t have to happen and (b) the IT Pros who attended my Windows XP Migration Madness workshops (44 events in 2013 sponsored by Lenovo) did not follow my advice and contact Home Depot to help solve this problem. A missed opportunity.
It’s usually bad form to gloat, but given the damage that Home Depot and Target’s negligence has done to consumers’ credit, in this case it seems pretty fair.
III. The Men Behind the Register
The mastermind of Home Depot’s Windows XP installations was likely its chief information officer (CIO) and executive vice president of IT, Robert P. “Bob” DeRodes.  Mr. DeRodes was named CIO of Home Depot in Mar. 2002.
If that name sounds somewhat familiar, there’s a reason why.  In an ironic twist, Mr. DeRodes was just named CIO of Target following the resignation of its old CIO Beth Jacobs in March 2014 over the data breach.  Mr. DeRodes had in 2008 retired from Home Depot, and then spent most of the last half-decade in semi-retirement operating a consulting firm, DeRodes Enterprises LLC, which followed a brief two-year stint at online payments firm First Data Corp.  Mr. DeRodes has reportedly been a long-time member of the think tank “Research Board”, a secretive group whose roughly 100 active members are CIOs of the world’s most profitable companies.
While the Target-Home Depot connection via Target’s new CIO is somewhat ironic, Mr. DeRodes can’t be blamed for his former company’s decision to cling to the Windows XPe SP3-powered infrastructure he set up. That honor goes to his replacement, Matt Carey.  Still Home Depot’s CIO (although perhaps not for long), Mr. Carey had previously worked as chief technology officer (CTO) at Wal-Mart Stores, Inc. (WMT) (1985-2005) and eBay, Inc. (EBAY) (2006-2008).
Home Depot has more than 2,200 stores in the U.S., but it’s unclear how many of them were infected with the malware.  It’s also unclear what percentage of the registers ran Windows XPe SP3.  While it’s believed that the majority of the PoS hardware at Home Depot stores was still running Windows XP, a 2006 piece in EE Times reveals that some PoS hardware at the retailer also ran a Linux distribution installed by 360Commerce — an IT firm that was acquired by Oracle Corp. (ORCL).
That report stated:
Other software giants are jumping into the retail market, most notably SAP and Oracle. Oracle’s most recent acquisition, 360Commerce, is OS-agnostic. It has installed retail solutions based on Linux at large retailers that include Circuit City Stores, Home Depot and Pep Boys. But it has also provided Windows solutions for FedEx Kinko’s Office and Print Services and others. “Our strategy is to continue to enable our customers—and through that, gain market share—as an open systems vendor,” says Jerry Rightmer, VP of store solutions in Oracle’s retail global business unit. “We’re one of the few vendors that truly can operate across the entire gamut of IT infrastructures that exist in the market.”
The clients installed by Oracle are believed to be Wincor Nixdorf AG’s (ETR:WIN) “Beetle” clients, which popped up around 2002.  These clients are powered by Red Hat Inc.’s (RHT) Red Hat Enterprise Linux (RHEL) distributions.  A Nov. 2006 piece on LinuxGizmos describes these devices in more depth.

Wincor Nixdorf’s “Beetle” clients make up a handful of Home Depot’s registers. [Image Source: LinuxGizmos]
While some may still remain in the wild, it is believed that they were largely phased out, leaving the insecure Windows XPe registers powering the majority of Home Depot’s brick and mortar IT infrastructure.
IV. Windows XPe: “[Retailers] Get What [They] Deserve”
Assuming the majority of Home Depot’s registers are indeed still running Windows XPe SP3, that places them on a rather old and historically vulnerable platform.  Windows XPe SP3 will follow the consumer Windows XP into end-of-life in just two more years — 2016.
It’s possible Home Depot (and Target) may have been running the slightly more recent upgrade to Windows XPe SP3, dubbed Windows Embedded 2009 (WE 2009).  In the Windows Vista era Microsoft never released a Vista-based version of Windows Embedded.  Instead WE 2009 — which comes in various flavors such as Windows Embedded POSReady (WEPOS) or Windows Embedded Industry (WEI) — was essentially a second Windows XP-based embedded operating system.  WE 2009 was released in Fall 2008.  Support for the WE 2009 varieties generally ends in 2019, so they’re just past the midway point of their life cycle.
Microsoft has since launched a Windows 7-based version of Windows Embedded: Windows 7 for Embedded Systems was launched in Fall 2009, roughly a year after WE 2009.  Despite the popularity of Windows 7 on the consumer side, its embedded variant suffered somewhat weak adoption.  Windows Embedded 8 and 8.1 haven’t fared much better.
What’s somewhat surprising about the widespread trend in retail (and elsewhere) of clinging to Windows XPe SP3 and WE 2009 is that these platforms suffered a number of security issues since day one.  By 2003, ATM machines using Windows XPe had already been hit by several worms.  A piece in Geek comments:
Well, you get what you deserve. There is always a price attached to convenience and functionality, especially when it means moving from a very stable to a less stable environment.

Diebold said that its ATM machines used to run IBM’s OS/2, which was dropped in favor of the more familiar and graphically powerful Windows system. This move makes sense for Diebold, since it is only the provider giving the customers what they want.
What I want to know is who told the banks to start requesting Windows? It sounds like someone in their I.T. department didn’t think this whole thing through.
The criticism seems fair given that the malware that afflicted Target and Home Depot is only a slightly freshened version of a very old and nasty kind of Windows XP malware — the RAM scraper.
This type of malware emerged in the middle of the last decade.  As Windows XP has relatively weak protections against unauthorized memory access, an easy way to steal credit cards on a compromised machine is to spy on the RAM used by the local PoS software.  When a customer swipes their card, the reader and its firmware decrypt the card number and store it in RAM before the terminal connects to bank networks to validate the number; while it sits there, any process that can read the PoS application’s memory can copy it.
Hacker Albert Gonzalez (handle: “SoupNazi”) and his cohorts used RAM scraper malware to steal an estimated 170 million credit cards between 2005 and 2007.  The breach touched a seeming litany of retailers including The TJX Companies, Inc.’s (TJX) TJ Maxx stores, Office Max, Dave & Busters, DSW Inc. (DSW), Heartland Payment, BJ’s Wholesale Club, Barnes & Noble Inc. (BKS), and Sports Authority.
Mr. Gonzalez — currently serving a 20-year prison sentence for the hack — had even earlier been a member of a New Jersey hacker collective known as the “ShadowCrew” who had pioneered using RAM scraping malware to exploit POS and ATM hardware.  Viewed as a bit player, he was not charged when that group’s ringleaders were indicted.
V. “Same Old Story Now, Not Much to Say, [XP Machines] Get [Hacked] Every Day”
While malicious hardware affixed to scanners has at times been used — namely in a 2010 attack on the ALDI Group’s grocery stores and a separate May 2011 attack on arts and crafts retailer The Michaels Companies Inc. (MIK) — the most popular route to intrusion remains exploiting the weak security of Windows XP via remote software attacks.
On a basic level these attacks have remained little changed since Mr. Gonzalez pulled off his massive haul.  Hackers commonly use SQL injection, packet sniffing, or spear phishing to steal the login credentials of the targeted retailer or an affiliate (as in the Target hack) with high-level access. Once in, it’s as simple as distributing the RAM scraping malware du jour to the victim machines.
Of course some finer details have changed.  Malware authors have grown increasingly sophisticated in both disguising their malware as antivirus software or parts of Windows, and at circumventing weak protections in patched versions of Windows XP designed to stymie the crudest of scraping attempts.  According to Mr. Krebs, the malware used in the Target and Home Depot hacks — BlackPOS (aka Kaptoxa) — has been receiving these kinds of improvements.

A recent sample of BlackPOS [Image Source: Krebs on Security] 
In late August Trend Micro security researcher Rhena Inocencio reported discovering new variants of BlackPOS operating in the wild.  While better at hiding themselves, these variants still followed the same general strategy, scraping the RAM for credit card data and storing it in a file for exfiltration.  A second piece of malware acted as a simple FTP pusher, streaming these card numbers to hackers in Ukraine and Russia after a hop through a proxy to cover their tracks.  Hash analysis of samples of this new malware indicates it was compiled on June 22, 2014.
What makes these new attacks more dangerous than ever is not so much improvement on the software front, but rather a new nationalistic overtone that makes punishing those responsible difficult, coupled with the emergence of large cybercrime marketplaces that openly sell the stolen credit cards.
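The FTP pusher described above is the part of the chain a network team can see: registers should only ever talk to the payment gateway, so any FTP session from the register VLAN to another host, internal proxy or external server alike, is worth an alert. The following is an added example, not code from the original article or from Trend Micro or Krebs on Security. It parses constructed firewall log lines (the line format, the 10.20.0.0/16 register subnet and the 10.1.5.10 gateway address are all assumptions) and groups outbound FTP connections by destination, so that a single proxy host receiving data from many registers stands out by its fan-in.

```python
import ipaddress
from collections import defaultdict

# Assumed network layout for the example.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/16")          # register VLAN
ALLOWED_DST = {ipaddress.ip_address("10.1.5.10")}          # payment gateway
FTP_PORTS = {21, 990}                                      # FTP and FTPS control

# Constructed firewall log: "timestamp src:sport dst:dport proto action".
SAMPLE_LOG = """\
2014-09-02T21:14:07 10.20.3.41:49211 10.1.5.10:443 tcp allow
2014-09-02T21:14:09 10.20.3.41:49212 10.20.250.5:21 tcp allow
2014-09-02T21:14:10 10.20.3.41:49213 10.20.250.5:21 tcp allow
2014-09-02T21:15:01 10.20.7.12:49300 10.20.250.5:21 tcp allow
2014-09-02T21:15:30 10.20.250.5:50120 198.51.100.23:21 tcp allow
2014-09-02T21:16:44 10.50.1.9:51000 203.0.113.7:21 tcp allow
2014-09-02T21:17:00 10.20.3.41:49214 10.1.5.10:443 tcp allow
"""


def parse_line(line: str) -> dict:
    """Split one log line into its fields; ports become ints, IPs ip_address objects."""
    ts, src, dst, proto, action = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {
        "ts": ts,
        "src": ipaddress.ip_address(sip), "sport": int(sport),
        "dst": ipaddress.ip_address(dip), "dport": int(dport),
        "proto": proto, "action": action,
    }


def flag_pos_ftp(log_text: str) -> dict:
    """Map each non-allowlisted FTP destination to the set of register hosts
    that connected to it. Only sources inside the register VLAN count, so the
    proxy's own onward hop (10.20.250.5 -> 198.51.100.23) is also caught,
    since the proxy sits in the same VLAN in this constructed layout."""
    by_dst = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] not in POS_SUBNET:
            continue
        if rec["dport"] not in FTP_PORTS:
            continue
        if rec["dst"] in ALLOWED_DST:
            continue
        by_dst[str(rec["dst"])].add(str(rec["src"]))
    return dict(by_dst)


def fan_in_alerts(log_text: str, min_sources: int = 2) -> list:
    """Destinations contacted over FTP by at least min_sources distinct registers."""
    return sorted(dst for dst, srcs in flag_pos_ftp(log_text).items()
                  if len(srcs) >= min_sources)


if __name__ == "__main__":
    for dst, srcs in flag_pos_ftp(SAMPLE_LOG).items():
        print(f"FTP from register VLAN to {dst}: {sorted(srcs)}")
    print("fan-in alerts:", fan_in_alerts(SAMPLE_LOG))
```

On the sample log the internal staging host 10.20.250.5 is reported with two registers behind it, the staging host’s own upload to 198.51.100.23 is reported with one source, and the connection from 10.50.1.9 is ignored because that host is outside the register VLAN. The same grouping is what a firewall rule should enforce outright: registers get no route to anything but the gateway.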
Past hacks — Mr. Gonzalez’ plot, for example — were typically perpetrated locally by hackers living in the country with the targeted businesses.  The hackers would personally use the stolen credit cards in the early days of these schemes.  In time they turned to intermediaries to try to mildly cover their tracks.  But ultimately it was relatively easy to trace these plots back to their source and prosecute those involved.
By contrast, today’s hacks — including the Home Depot and Target ones — offer no guarantee of justice.  The masterminds behind these attacks have come up with a brilliant twist on this tried and true deviant scheme.  Rather than cash out the stolen cards directly, they sell them to petty criminals worldwide.  The advantage here is that the hackers can hide behind the anonymity of modern encrypted payment networks.  The people actually using the stolen card data are simply buyers.  They typically have no direct connection to or knowledge of the ringleaders.
The biggest such marketplace is perhaps rescator[dot]cc who Mr. Krebs has blogged a great deal about.  Reportedly named after a hacker from Odessa, Ukraine who started the site, the marketplace has already released many cards from the Home Depot hack.  Mr. Krebs writes:
Cards apparently stolen from Home Depot shoppers first turned up for sale on Rescator[dot]cc, the same underground cybercrime shop that sold millions of cards stolen in the Target attack.

Clues buried within this newer version of BlackPOS support the theory put forth by multiple banks that the Home Depot breach may involve compromised store transactions going back at least several months. In addition, the cybercrime shop Rescator over the past few days pushed out nine more large batches of stolen cards onto his shop, all under the same “American Sanctions” label assigned to the first two batches of cards that originally tipped off banks to a pattern of card fraud that traced back to Home Depot. Likewise, the cards lifted from Target were sold in several dozen batches released over a period of three months on Rescator’s shop.
Rescator — believed to be a young male programmer — has been hypothesized to be the author of, or one of the authors of the BlackPOS malware.  He’s been linked to the cybercrime forum LampedUZA, the first place where the batches of stolen cards were announced.
VI. Crime Under the Guise of Nationalism
LampedUZA is a rather politicized forum that bills itself as a “Republic”.  Affiliate pages espouse a throwback political ideology that celebrates late Libyan dictator Muammar Muhammad Abu Minyar al-Gaddafi.  Commonly known as “Colonel Gaddafi”, this despotic leader was traditionally an outspoken critic of the U.S. government despite his family’s love of American pop culture.  He was shot and killed in Oct. 2011 by Libyan rebels.
Rescator operated two URLs — gaddafi[dot]me, a chat hub, and gaddafi[dot]hk, a now defunct companion marketplace that was later folded into the central rescator[dot]cc.
The group also pines for the fallen Russian “motherland”, aka the USSR.  It has widely supported former KGB Lieutenant Colonel Vladimir Vladimirovich Putin, who is currently serving a six-year term as President of Russia.  Lampeduza has condemned U.S. actions in Ukraine, Syria, Libya, and Egypt.
A page (since taken down) on gaddafi[dot]me is quoted by Mr. Krebs as stating:
The movement of our Republic, the ideology of Lampeduza – is the opposition to Western countries, primarily targeting the restoration of the balance of forces in the world. After the collapse of the USSR, we have lost this fragile equilibrium face of the planet. We – the Senate and the top people of the Republic are not just fighting for survival and our place under the sun, we are driven by the idea! The idea, which is living in all of us – to return all that was stolen and taken from our friendly countries grain by grain! We are fighting for a good cause! Hot blood is flowing in us, in citizens, who want to change situation in the world. We do not bend to other people’s opinions and desires, and give an adequate response to the Western globalism. It is essential to be a fighter for justice!

Perhaps we would be living completely differently now, if there had not been the plan of Allen Dulles, and if America had not invested billions in the collapse of the USSR. We were deprived of a common homeland, but not deprived of unity, have found our borders, and are even closer to each other. We saw the obvious principles of capitalism, where man to a man is a wolf [[see here for more context on this metaphor]]. Together, we can do a lot to bring back all the things that we have been deprived of because of America! We will be heard!

Citizens of Lampeduza – “free painters” ready to create and live the idea for the good of the Motherland — let’s first bend them over, and then insert deeper!!!
The group’s reference to Allen Dulles is a somewhat dated and interesting one.  Allen Welsh Dulles was head of the U.S. Central Intelligence Agency (CIA) between 1953 and 1961 and was known for his agency’s role in the 1953 coup that installed Mohammad Reza Pahlavi as the Shah of Iran, a despotic figure.  He was also tied to the failed 1961 Bay of Pigs invasion of Cuba, a botched operation that ultimately led to his resignation.

BlackPOS’s code contains links to this cartoon criticizing America’s role in Egypt, Libya, Syria, and Ukraine. [Image Source: Krebs on Security] 
The latest build of BlackPOS includes links to a cartoon depicting Molotov cocktails with the flags of Libya, Egypt, Ukraine, and Syria.  A matchbook emblazoned with the American flag stands next to the hand bombs, with a single match reclining against its strike face.  Mr. Krebs reports:
Another link leads to an image of the current armed conflict in Ukraine between Ukrainian forces and pro-Russian separatists.
The released batches of credit cards on the rescator[dot]cc marketplace carry the title “U.S. Sanctions” and “European Sanctions”, a reference to sanctions leveled by the U.S. and its European allies against Russia for its support of Ukrainian rebels.
Russia has been accused of providing arms to pro-Russian separatists who have been fighting in southern and eastern Ukraine, regions that border Russia.  The U.S. and its allies have meanwhile been accused of providing weapons and financial support to rebels who today control western Ukraine, having overthrown the democratically elected government in a coup.  America’s government today recognizes these rebels as the “official government of Ukraine” despite the Obama administration’s supposed policy of not supporting regimes that take power via coups.
While it’s unclear how sincere the hackers truly are in their support of Russia’s efforts, their vocal support has made them exceedingly hard to prosecute, as they’ve successfully cast themselves as pro-Putin, anti-NATO “activists.”  While most would call them criminals, it’s unlikely that they will see prosecution in Russia or Russian-controlled parts of Ukraine, given the Russian government’s bitterness at American policies and sanctions.
VII. Americans Must Pay Cash to Protect Themselves Against Retailers’ Negligence
The Founding Father Benjamin Franklin once wrote, “An ounce of prevention is worth a pound of cure.”
That quote rings true in the case of preventing further breaches like those that hit Home Depot and Target in recent months.  As prosecution is often a hollow victory at best, and in this case is simply not an option, the best and perhaps only choice is to embrace solutions that prevent these kinds of problems.
And therein lies the particularly nasty irony for customers: these solutions have been available for nearly half a decade, however retailers simply refuse to spend the money necessary to buy them and protect their customers.
The gaping hole of memory scraping in Windows XPe was mostly closed with the release of Windows 7 for Embedded Systems in 2010.
You could say retailers are adhering to the motto “if it isn’t broke, don’t fix it.”  But that would be inaccurate, as the reality is that Windows XPe and Windows Embedded 2009 are broken.  Anyone who gains system access basically has free rein in Windows XP-based operating systems to steal credit cards passing through the system, until the illicit activity is spotted and the machine is cleaned up.

Retailers are putting profit ahead of security. [Image Source: Alamy]

So after a decade of hackers gleefully using RAM scrapers to victimize Windows XP and the customers who patronize the businesses that use it, we’re still seeing history repeat itself.  Worse, consumers no longer even have the emotional catharsis of seeing prosecutions and convictions for those who stole their financial information, as Pyrrhic a victory as such enforcement efforts may be.
This sad state of affairs is telling of how badly broken the world of retail IT is at the top.  An incestuous inner circle of CIOs and CTOs controls the infrastructure of the world’s richest companies.  And that group continues to cling to Windows XPe as a cost-saving measure, refusing to embrace new, more secure solutions.
Detecting these hacks after the fact is better than being ignorant of them, but by the time retailers detect these kinds of breaches, millions of their customers may already be at risk.  And the worst part is that we now see that Home Depot and Target seem to have cared little about that risk.  They refused to protect customers for the simple sake of profit.

In the aftermath, of course, there will be boatloads of mea culpas, newfound concern, and scripted sympathy.  But if retailers truly cared about customers’ security more than their bottom line, these hacks would never have happened in the first place.  Target and Home Depot rolled the dice — as many of their peers are still doing — by clinging to legacy technology to pad their profits at the expense of consumers.  Fate had it that their decision backfired, and in the aftermath they’ll say whatever they can to convince consumers that they actually cared.

Obviously they only began to care when their gamble alienated customers and harmed their bottom line.  But perhaps the worst part of all is that they’re not alone.  Far from it: their cavalier approach is perhaps the predominant policy in the retail IT space.

Target and Home Depot fell victim to the hack, but the negligence that allowed that to happen was sadly standard in the American retail space. [Image Source: AP]
Retailers have deflected the blame for their gross negligence onto the banking industry.  They argue the solution isn’t to replace Windows XP, but rather to embrace more advanced two-factor chip card solutions, which rely on physical validation that can’t be copied.  While such solutions are a good idea, the problem is that banks have been reluctant to pay for their rollout.  It now appears these solutions — already widespread in Europe — will deploy at retailers and via reissued bank cards across the U.S. in 2015.

This industry-wide collaboration between the banking and retail sectors may provide a “work-around” to the insecurity of Windows XP.  But until it does, savvy shoppers have little option but to pay with cash, if they want to reduce the risk of having their credit and debit card data stolen.