Marie

Dairy Queen Hit By Same Malware That Hit Target and The UPS Stores

Malware named Backoff has been found on Dairy Queen Point of Sale computers in numerous states, including Nevada.  The states with known infections are Alaska, Alabama, Arkansas, Arizona, California, Colorado, Connecticut, Delaware, Florida, Georgia, Iowa, Idaho, Indiana, Illinois, Kansas, Kentucky, Massachusetts, Maryland, Maine, Michigan, Minnesota, Missouri, Mississippi, Montana, North Carolina, North Dakota, Nebraska, New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, Wisconsin, West Virginia and Wyoming.

In case you're keeping count, that leaves only Hawaii, Rhode Island, Louisiana, and Vermont without known Backoff infections.  This does not mean that every Dairy Queen in these states has been infected; for instance, there are only two locations with known infections in Nevada, both in Las Vegas.  Click here for a full list of affected Dairy Queens.

Most Dairy Queen locations are independent franchises, and at the time of the malware detection Dairy Queen did not have a policy requiring the independent franchises to notify Dairy Queen corporate of a breach.  It is likely that after these incidents Dairy Queen will put this kind of policy in place.  As a result, there may still be additional Dairy Queens that have the Backoff malware but have not yet disclosed that information.

Julie Conroy of Aite Group told KrebsOnSecurity, "This goes back to the eternal challenge with all small merchants, where the mother ship is huge, each of the individual establishments are essentially mom-and-pop stores, and a lot of these stores still don't think they are a target for this type of fraud. By extension, the mother ship is focused on herding a bunch of cats in the form of thousands of franchisees, and they're not thinking that all of these stores are targets for cybercriminals and that they should have some sort of company-wide policy about it. In fact, franchised brands that have that sort of policy in place are far more the exception than the rule."

Most people are familiar with the Target, UPS Store, or Supervalu breaches, either because they've received a replacement credit card in the mail or from news coverage, but how does this malware work, and why are we continuing to see new infections and breaches?

First, while we call it by a single name, Backoff has multiple variants, each new variant crafted so that anti-virus software won't detect it and thereby block it.  Second, as Julie Conroy said, smaller companies often don't believe they are vulnerable to attacks like Backoff, and either aren't running quality anti-virus software or aren't keeping it up to date.

Either of those choices can have disastrous consequences.  Backoff infections are multiplying at an alarming rate: in July 2014 SC Info Security News Magazine reported that "Nearly 600 U.S. businesses compromised by 'Backoff' POS malware," and by the end of August the Wall Street Journal reported, "More than 1,000 businesses affected by 'Backoff' malware."  If you count each Dairy Queen as a separate business, they account for over 400 infections alone.

Backoff is typically installed on Point of Sale terminals by attackers who compromise the remote access tools that let users connect to those computers over the Internet; often the compromise is the result of the remote access account having a weak or easy-to-guess password.

(See our article on password security.)

Once access is gained, Backoff works as a simple backdoor Trojan: it installs itself as a running service that initializes after startup, so it survives a reboot.  After it's installed, Backoff opens port 80 and waits for instructions from the command and control server.  Backoff also cleverly hides itself by pretending to be an Adobe Flash Player update in the system registry.

What can small businesses do to protect themselves and their customers?  Most of it comes down to putting the right processes and protection in place; from there it's about network vigilance.  One giveaway that someone monitoring your network should catch would be port 80 being open on a Point of Sale system; that would be unusual unless a particular piece of software required it, and in that case the person or company overseeing your network should keep a note of that exception and of any security concerns that could arise from it.
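As an added example (not from the original article or from any vendor), here is a Python baseline check that whoever oversees a store's network could run offline against captured `netstat -ano` and Run-key `reg query` output from a Windows POS terminal: it flags listening ports that are not on the store's documented allow-list (port 80 being the giveaway the article names) and autostart entries that borrow the "Adobe Flash Player" label the article describes. The two captured outputs, the allow-list and the `updater.exe` path are all constructed for the example.

```python
"""Baseline check for a Windows POS host, run offline against captured
`netstat -ano` and Run-key `reg query` output (both samples are constructed)."""
import re

# Constructed `netstat -ano` capture from a hypothetical POS terminal.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:9100         0.0.0.0:0              LISTENING       2044
  TCP    192.168.10.21:49712    203.0.113.5:443        ESTABLISHED     4120
  UDP    0.0.0.0:5355           *:*                                    1388
"""
# Constructed `reg query HKCU\...\CurrentVersion\Run` capture (the path is a placeholder).
REG_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\pos\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Adobe Flash Player    REG_SZ    C:\Users\pos\AppData\Roaming\FlashUpdate\updater.exe
"""
# Ports this hypothetical store has documented as required on its POS terminals.
POS_ALLOWED = {("TCP", 135), ("TCP", 9100), ("UDP", 5355)}

# TCP sockets in LISTENING state and bound UDP sockets (UDP rows have no state column).
LISTEN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+?):(\d+)\s+\S+\s+(LISTENING\s+)?(\d+)\s*$")

def listening_sockets(netstat_text):
    """Return (proto, local_ip, port, pid) for every listening or bound socket."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            proto, ip, port, _state, pid = m.groups()
            found.append((proto, ip, int(port), int(pid)))
    return found

def unexpected_listeners(netstat_text, allowed=POS_ALLOWED):
    """Sockets not on the documented allow-list; on a POS host port 80 is the giveaway."""
    return [s for s in listening_sockets(netstat_text) if (s[0], s[2]) not in allowed]

def suspicious_run_entries(reg_text, suspect_names=("adobe flash player",)):
    """Run-key values whose name matches a label malware borrows; a hit is a lead,
    not proof, so verify the path and signature of the executable it points to."""
    hits = []
    for line in reg_text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) >= 3 and parts[1].startswith("REG_") and parts[0].lower() in suspect_names:
            hits.append((parts[0], parts[2]))
    return hits
```

Each flagged socket carries its PID so the reviewer can tie it back to a process, and each flagged Run entry carries the command it launches, which is what decides whether it is a legitimate updater or something else.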

If you're in Northern Nevada and have questions or concerns about the vulnerability of your business's Point of Sale system, give Top Speed Computer Service a call and we'll come out and do an evaluation.  775-852-4333

Can You Guess Which US Retailer Hired A Former Virus Spreading Teen As IT Security?

I will start by saying that some technical mischief as a teenager (or later) does not automatically make a prospective employee undesirable.  More often than not it makes them more desirable, because you know they've been willing to dig in and get their hands dirty.  Whether that means they took the family computer apart and it took them a few extra days to put it back together the first time, tested whether that password they found online for the ATM would actually grant access, or, when their college professor said the college's network was 100% secure, took that as an assignment and were later expelled for proving it incorrect, these are the people who enjoy the ins and outs of IT and are willing to dive in where others take a step back and ask for help or simply choose not to venture.

That being said, an employer also needs to be able to understand the difference between those whose interests inadvertently went too far and those who were intentionally malicious or destructive.

Now let's look at the case of the Home Depot breach, where cyber criminals used malware to steal about 56 million customer details, including credit card numbers.  Home Depot's former Senior Architect for IT Security, Ricky Joe Mitchell, as reported by Ars Technica, has a past centered on the destructive side, not the curious one.

Everyone in technology on the Internet has used a handle; ask your current IT guy.  He may immediately tell you, because it's something harmless or funny like Scooby or Coolio, or he may blush and be hesitant to tell you because it's something a little more risque like Rasta or Killa.  If he looks at you like you're crazy, it may be time to look for another IT professional, one who's gotten their hands a little dirty using a handle to cause a little mischief.  Coincidentally, I know IT professionals who sported each of those handles; they are all excellent at the different IT positions they hold today, truly an asset to the companies they work for.  I would hire any one of them in a heartbeat.

Back to Ricky Joe Mitchell, whose handle is RickDogg.  On his 1996 personal website, Mitchell provided a description of himself with the title "The story of RICKDOGG".  An excerpt of that story:

"Anyway, I love to write and distribute Viruses.  They intrigue me.  I have taught myself how to program in assembly, c-- and pascal. I also love to fix computers as well. I am considered smart in school although I am very lazy. I do not like the shit they try to teach me so I get bored and try to liven things up a bit."

Apparently livening things up included planting viruses in his high school's computer system.  Mitchell was suspended for three days for planting "108 computer viruses from floppy diskettes to disk space allocated and assigned to another student on the Capital High School computer system," per a memo to the Kanawha County School Board members that is now part of court documents.  Mitchell went further, publishing "derogatory statements about the teachers and made threats to students he believed reported the virus," per the Charleston Gazette, which caused him to be expelled from Capital High School.

RickDogg didn't just hack in to poke around or change a grade; he uploaded viruses, an act that is always destructive, and right there, as an employer, I'd encourage anyone to walk away.  Do people change?  Absolutely.  Is that a risk worth taking with your company data and infrastructure?  No, in my opinion.

Years went by, and if anything questionable occurred in the interim it is not currently known.  Then, in June 2012, RickDogg found out he was going to be terminated from EnerVest Operating.  Here is the reason why, when it comes to your network security, terminations should be fast and efficient.  Upon learning of his impending termination, Mitchell "remotely accessed EnerVest's computer systems and reset the company's network servers to factory settings. As a result of his intentional conduct, EnerVest was unable to fully communicate or conduct business operations for approximately 30 days. In addition, data that the company thought had been backed up could not be retrieved."  That passage comes from a Department of Justice press release issued after his conviction.

The indictment itself goes on to offer more details on the accusations, "...Mitchell did knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, cause damage without authorization, to a protected computer. That is...Mitchell accessed without authorization the protected computer and deleted backup information, transmitted a command to disable the data replication process designed to transmit backup data to the Houston, Texas location, deleted all of the Company's phone system accounts and extensions, deleted all accounting data, and deleted all information validation for the Houston, Texas location among other acts.  ...The acts of defendant Ricky Joe Mitchell caused damage...which resulted in a loss to the Company substantially in excess of $1,000,000."

You'd think the story of RickDogg would end here, with his January 2014 conviction and April 2014 sentencing to 4 years in federal prison, but it doesn't, because after his June 2012 firing he took a position with Home Depot, where in March 2013 he would be promoted to a position in Home Depot's IT security.

This month Home Depot has disclosed a security breach which puts at risk, "approximately 56 million unique payment cards".  The malware is "believed to have been present between April and September 2014."  A breach of 56 million credit cards takes the title of largest breach from Target, where 40 million credit cards were exposed.

Is Home Depot's breach related in any way to Ricky Joe Mitchell?  To date I've seen no comment from Home Depot or the Justice Department on this coincidence, but I'd hazard a guess that RickDogg's time at Home Depot is being scrutinized very closely, and if anything is found we'll all know about it soon enough.
