February 5, 2014

Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.

Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.

Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation, but said he was not present when the visit occurred. Fazio Vice President Daniel Mitsch declined to answer questions about the visit. According to the company’s homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.

Target spokeswoman Molly Snyder said the company had no additional information to share, citing a “very active and ongoing investigation.”

It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.

“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”

CASING THE JOINT


Investigators also shared additional details about the timeline of the breach and how the attackers moved stolen data off of Target’s network.

Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores.

Those same sources said the attackers used this time to test that their point-of-sale malware was working as designed.

By the end of the month — just two days later — the intruders had pushed their malware to a majority of Target’s point-of-sale devices, and were actively collecting card records from live customer transactions, investigators told this reporter. Target has said that the breach exposed approximately 40 million debit and credit card accounts between Nov. 27 and Dec. 15, 2013.

DATA DROPS

While some reports on the Target breach said the stolen card data was offloaded via FTP communications to a location in Russia, sources close to the case say much of the purloined financial information was transmitted to several “drop” locations.

These were essentially compromised computers in the United States and elsewhere that were used to house the stolen data and that could be safely accessed by the suspected perpetrators in Eastern Europe and Russia.

For example, card data stolen from Target’s network was stashed on hacked computer servers belonging to a business in Miami, while another drop server resided in Brazil.


Investigators say the United States is currently requesting mutual legal assistance from Brazilian authorities to gain access to the Target data on the server there.

It remains unclear whether, when the dust settles from this investigation, Target will be held liable for failing to adhere to payment card industry (PCI) security standards, violations that can come with hefty fines.

Avivah Litan, a fraud analyst with Gartner Inc., said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).
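As an added example that is not from the article (the log format, account names and address ranges are all constructed), the following Python script audits VPN session records for the conditions the vendor remote-access discussion above raises: vendor sessions without two-factor authentication (PCI DSS 8.3), vendor accounts used outside the window in which they are supposed to be enabled (PCI DSS 8.5.6.a), and vendor sessions that terminate inside the payment segment rather than the facilities segment.

```python
"""Audit third-party remote-access sessions against the controls the article
cites: PCI DSS 8.3 (two-factor authentication for remote access by all third
parties), PCI DSS 8.5.6.a (vendor accounts enabled only when needed) and the
segmentation question raised about HVAC access reaching the payment network.
Added example; the log format, account names and address ranges are
constructed here and are not from the article, Target or Fazio."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Constructed network plan: vendor sessions may reach the facilities segment
# (HVAC / energy monitoring) but never the cardholder data environment (CDE).
CDE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
FACILITIES_NETS = [ipaddress.ip_network("10.50.0.0/16")]

# Constructed vendor accounts and the maintenance window in which each is
# enabled (PCI 8.5.6.a). Times are local to the VPN concentrator.
VENDOR_WINDOWS = {"hvac-vendor": (time(1, 0), time(5, 0))}


@dataclass
class Session:
    ts: datetime
    user: str
    src_ip: str
    dst_ip: str
    mfa: bool


def parse_line(line: str) -> Session:
    """Parse one constructed VPN record, e.g.
    '2013-11-15T02:10:05 user=hvac-vendor src=203.0.113.7 dst=10.50.3.20 mfa=yes'"""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Session(datetime.fromisoformat(ts_str), kv["user"],
                   kv["src"], kv["dst"], kv["mfa"] == "yes")


def in_nets(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def findings(s: Session) -> list:
    """Return the control violations for one vendor session (empty if clean).
    Non-vendor accounts are out of scope for these checks."""
    if s.user not in VENDOR_WINDOWS:
        return []
    out = []
    if not s.mfa:
        out.append("no_mfa")            # PCI 8.3: no second factor on remote access
    start, end = VENDOR_WINDOWS[s.user]
    if not (start <= s.ts.time() < end):
        out.append("outside_window")    # PCI 8.5.6.a: account used outside its window
    if in_nets(s.dst_ip, CDE_NETS):
        out.append("reached_cde")       # vendor access crossed into the payment segment
    elif not in_nets(s.dst_ip, FACILITIES_NETS):
        out.append("unexpected_segment")
    return out


def audit(lines):
    """Run every record through findings() and keep only the offenders."""
    report = []
    for line in lines:
        s = parse_line(line)
        f = findings(s)
        if f:
            report.append({"ts": s.ts.isoformat(), "user": s.user,
                           "dst": s.dst_ip, "findings": f})
    return report


# Constructed sample: one clean maintenance login, two sessions that would
# warrant an analyst's attention, and one in-scope staff login that is ignored.
SAMPLE_LOG = """\
2013-11-15T02:10:05 user=hvac-vendor src=203.0.113.7 dst=10.50.3.20 mfa=yes
2013-11-15T22:41:37 user=hvac-vendor src=198.51.100.23 dst=10.50.3.20 mfa=no
2013-11-16T23:05:12 user=hvac-vendor src=198.51.100.23 dst=10.20.7.15 mfa=no
2013-11-16T09:30:00 user=jdoe src=10.1.4.9 dst=10.20.7.15 mfa=yes
""".splitlines()

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```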

In any case, Litan estimates that Target could be facing losses of up to $420 million as a result of this breach, including reimbursement associated with banks recovering the costs of reissuing millions of cards; fines from the card brands for PCI non-compliance; and direct Target customer service costs, including legal fees and credit monitoring for tens of millions of customers impacted by the breach.

Litan notes these estimates do not take into account the amounts Target will spend in the short run implementing technology at their checkout counters to accept more secure chip-and-PIN credit and debit cards. In testimony before lawmakers on Capitol Hill yesterday, Target’s executive vice president and chief financial officer said upgrading the retailer’s systems to handle chip-and-PIN could cost $100 million.

Target may be able to cover some of those costs through a mesh network of business insurance claims. According to a Jan. 19 story at businessinsurance.com, Target has at least $100 million of cyber insurance and $65 million of directors and officers liability coverage.

Update, Feb. 6, 3:33 p.m. ET: Fazio Mechanical Services just issued an official statement through a PR company, stating that its “data connection with Target was exclusively for electronic billing, contract submission and project management.” Their entire statement is below:

Fazio Mechanical Services, Inc. places paramount importance on assuring the security of confidential customer data and information.  While we cannot comment on the on-going federal investigation into the technical causes of the breach, we want to clarify important facts relating to this matter:

– Fazio Mechanical does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target.

– Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach.

– Our IT system and security measures are in full compliance with industry practices.

Like Target, we are a victim of a sophisticated cyber attack operation.  We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches.


268 thoughts on “Target Hackers Broke in Via HVAC Company”

  1. Fred

    “To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.)…”

    Let me guess: As domain administrators, or via services running at that privilege level.

    1. John Lockman

      Yeah, sounds like they broke in and got the first few boxes via this HVAC company, stole some local credentials that were crackable or simply readable and then used those to spread.

  2. Vinny Troia

    Your point on PCI Requirement 8.3 is correct. However, it is clear that 8.5.6 was not being followed:

    8.5.6.a – Verify that any accounts used by vendors to access, support and maintain system components are disabled, and enabled only when needed by the vendor.

    8.5.6.b – Verify that vendor remote access accounts are monitored while being used.

    1. Bottzy

      Also, PCI states that no vendor default passwords should be used. Clearly, we found out early that this attack preyed on default credentials. PCI is a horribly unregulated specification. While it needs regulation, the program needs to be fixed so that QSAs can spot this stuff, and companies follow what was audited. It is all pretty much a joke at the moment. Target isn’t innocent in this, they have some explaining to do.

    2. Edward

      To me it appears the big PCI DSS failure must have been requirement 1.3 – Prohibit direct public access between the Internet and any system component in the cardholder data environment.

      Testing procedure – Examine firewall and router configurations, as detailed below, to determine that there is no direct access between the Internet and system components, including the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment.

  3. Ed Tomchin

    I suppose there’s no getting away from it. The weakest link will always be human rather than digital.

  4. TheOreganoRouter.onion

    Boy the s### is going to hit the fan on this one when they find the hacker(s) in Eastern Europe. Both Target and Fazio Mechanical Services are really going down the toilet now.

    You would think that a big retail company like Target would use very secure and dedicated VPNs to third-party payment services or, in this case, a maintenance company that does contracting work.

  5. Disco

    It’s incredible to me that they would use the same network for monitoring climate and energy as they would for payment processing. I can understand using the same physical infrastructure, but not a separate network?

    1. Titanic

      You act as though you know that they just waltzed in using those credentials and had free run of the network. That’s highly unlikely.

      What they maybe got was a small foothold in the network. Perhaps a VPN was used to log in to check an HVAC system periodically, so a vendor account was made in AD that the RADIUS server could authenticate.

      Then maybe an admin didn’t actually ban that account from logging in on a particular computer, or at a particular time of day.

      Then maybe someone finds an unattended workstation in a store somewhere. Pops in real quick and installs a small backdoor.

      Then they find an unsecured XP box.

      Then they sniff the network.

      Then… then… then…. A crack becomes a flood.

      “One does not simply walk into an enterprise network.”

      1. Disco

        Correct me if I’m wrong, but physical access to a retail location and its systems has not yet been suggested as a method of intrusion.

        “One does not simply walk into an enterprise network.”

        True, but the pattern that I see is one of weak security on the part of Target. Also, that statement sort of contradicts your earlier conjectures.

        1. itsecman

          I’m quite sure he was using the term “walk” figuratively, as his proposed scenario started off with…

          “What they maybe got was a small foothold in the network. Perhaps a VPN was used to log in to check an HVAC system periodically, so a vendor account was made in AD that the RADIUS server could authenticate.”

          That vendor account is the one for which the credentials were stolen. The article didn’t say just HOW they were stolen. They may have been sniffed when someone either at Target or Fazio was stupid enough to share the login credentials via insecure email.

          You might be amazed at how often I see that done by naive employees. They think no one could be lucky enough to intercept 3 separate emails, so they send the address, ID and Password in separate emails. All the hacker needs to do is see any one of those, and find a way to break into an email account of the sender or any recipient to find the others.

      2. Anura

        It’s plausible that the account had administrator rights on a machine, probably not even a critical one, within the domain. By getting admin access to any machine, you can get the cached LM/NTLM credentials that are stored on the machine. Even if the server is on a domain, those domain credentials are cached on the server by default (this feature is primarily there for workstations which need to be accessible even if they don’t have a connection). The passwords are hashed, but LM and NTLM hashes are notoriously weak (especially LM, which is cached by default on Windows Server 2003, although I believe it is disabled in Server 2008) – even NTLM uses unsalted MD4 hashes, vulnerable to rainbow tables.

        If you can get admin access to a machine, and a domain admin account with a somewhat weak password (including one-word passwords with special characters and numbers) also has recently logged into that machine, then you can from there gain access to the rest of the network.

        No physical access is necessary, just default server configurations.

    2. Old School

      This story is going make a great movie. Truth is stranger than fiction.

      1. Serena

        I like your idea! If they do make it though, I pray it’s realistic. Please no people outrunning explosions, cars flying off of parking structures and landing on bridges, hackers or Target employees who look like they could be professional wrestlers or Hawaiian Tropic babes, etc. But guessing passwords, usually that one bugs the heck out of me but I don’t think it’s entirely unrealistic in this case.

    3. Greybeard

      Exactly: “remote into the system” — THE system? How about “remote into the HVAC system”? Somebody got lazy there, methinks.

  6. RLT

    In response to the 8.5.6 point, it could be as simple as the review not having come up yet: the vendor monitors 24×7 and thus needs the accounts active all the time.

    In response to Disco – it really is not that uncommon. Where I work we used to have corporate and payment all on the same network, but that would mean the entire network would need to be PCI compliant. So instead we pushed everything behind firewalls and segregated it. This helped cut down on the cost of the assessments and maintenance.

  7. EJ

    My security teammates and I read this, looked at each other, and began the task of fathoming how many (or how few) mistakes and violations of secure design needed to be made in order to let this happen. Can’t wait to hear more details.

  8. SusanB

    typo – “Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday)” Nov 15, was not Thanksgiving

    And I am amazed that they penetrated the network so pervasively in basically 2 weeks. Especially with the previous article saying how it can take months to distribute updates to all the POS devices.

    1. BrianKrebs Post author

      Susan, that may be inartfully written, but I assure you that Thanksgiving is the day before Black Friday.

      1. SusanB

        I see my confusion. Two dates before the parentheses, two day descriptions within, guess I assumed a “respectively” that wasn’t there.

  9. CD

    Hacking HVAC systems has been a common topic at many conferences I attend. Sometimes the problem is that facilities management takes care of this, which means enterprise security professionals may never be involved (obviously an oversight by an enterprise). In many cases, default or no passwords are involved. SHODAN and other search engines can look specifically for these kinds of systems.

    1. TheHumanDefense

      CD,
      You are correct, I have monitored those events closely; however, this was not a hack of HVAC. They used creds assigned to the HVAC vendor to gain entry to the system. How they got the creds… that is yet to be seen.

  10. GunkMonkey

    This gets back to a common problem with internal networks in many companies… once you breach the perimeter, you’re golden. I think it’s time to accept that the internal network is potentially hostile and protect accordingly.

  11. Not Happie

    Could it have been that someone had hacked into the HVAC system and, while snooping around, discovered the connection to Target (and potentially other major retailer clients)? Then, finding the vulnerability, took advantage by, perhaps, selling the knowledge/logistics of the opportunity? That the HVAC company is also a victim?

  12. Lisa Curious

    I wonder if anyone has looked into the possible skimming risks posed by information contained in the magnetic strips on our Drivers License or ID cards? I know some states use magnetic strips on their Drivers Licenses & IDs, and up to just a few years ago some states still used a person’s Social Security Number as their actual DL or ID#. Now although my state doesn’t use the SSN as an ID#, they do require all applicants to put it on a Drivers License or ID application. Could the SSN be stored on the magnetic stripe of a person’s DL/ID card? And what are the possibilities or opportunities of having that information skimmed from a DL?

  13. Dan Martin

    I’m not sure that Fazio Mechanical is responsible for anything, except maybe carelessness. My guess is that they installed comm gear with factory default passwords, accessible by anyone who has the time to download the documentation.

    Fazio may have even installed the system on a separate physical network. Target has control over what devices connect where, and I’m guessing they reconfigured it to make it easy to use their existing network to allow Fazio into the system.

    I wonder if there were change orders to Fazio’s original contract/quote, requested by Target, that allowed them to save a couple of dollars a month on remote access.

  14. Anton Chuvakin

    > the current PCI standard (PDF) does not require organizations
    > to maintain separate networks for payment and non-payment
    > operations

    Actually, it kinda does. You either have to segment or make the whole environment compliant. Most people, obviously, decide to segment.

    1. bsdwiz

      But can you define “segment” exactly? A network can be “segmented” and still be vulnerable to pivoting, as is usually the case. If it is completely segmented, how does one manage the environment? There is always lateral movement at some point.

      1. Greg

        Lateral movement opportunities are the direct result of network design. You are correct that lateral movement opportunities are usually present. This is directly the result of current network architectures that rely on hub and spoke topologies (such as MPLS or Internet VPN) because they force multiple apps to traverse a common access router, common circuit, etc. The result is extremely complex partitioning policies that are often in conflict or fraught with human error. This is where the vulnerabilities that are exploited arise, and how card data is ultimately exported out of the payment network.

        Networks can be architected differently by establishing dedicated logical networks that do not share common routing elements, or by completely separating the networks physically. The latter is very cost prohibitive. SDN-like WAN architectures can eliminate lateral movement if properly designed. But you are correct that access must be granted to allow for administration of the network and POS systems themselves. But even if the user credentials are breached to access the dedicated logical payment network, there are controls that eliminate the ability to export the data out of the network. If they cannot export the data, they cannot steal the card data.

  15. J P

    What I find most odd is the idea that people see this as so incredulous; organizations do not want to pay for security, and everyone knows that. We all strive to provide the most protection with the least amount of spend, and it’s more common than not to shave on costs until that day comes – and what people may only now be learning is that day is coming for everyone. It used to be you could hide behind more lucrative targets, but that is no longer the case; being insignificant is not an especially useful defense, whereas in past years it was at least sometimes good enough.

  16. Earl

    Target blew smoke up, er, at Congress about chip and PIN and Gartner is still blowing… I *like* chip and PIN, but if the POS devices are owned, what good will chip and PIN do, other than driving the cost of fake cards up a few cents?

    1. Bottzy

      Earl – Good point. Except that while chip and pin doesn’t prevent the attack, if used correctly the stolen data can’t be used for new transactions (making fake cards, or card-not-present transactions). This makes most of the stolen payload unusable. In theory, if all the cards were chip and pin, there would be little the hackers could do with the information (as far as transactions go).

      I agree with JP though, hackers are always going to go to the weakest link, and right now, the US market is by far the weakest in the developing world. Congress washed their hands of this long ago and allows Visa and MasterCard to police it all by incentive rather than mandate, in a vacuum, and in their own interests. Corporations will act in their own interests – profit.

      Unfortunately, my card was affected as well and really wish Congress would regulate this area. Some industries can’t do it on their own.

      1. Earl

        Bottzy, I don’t see how, if the POS device is owned, since all data reads and writes would be compromised… including keys, if used at some point in the future… but I’m willing to learn!

        1. ottzy

          Earl: Issuers can enforce additional data for validation protected in the chip (crypto) but not stored on the PoS and also the PIN for some transaction. So essentially, if a hacker goes to use the data they DID get, the issuer can (and will typically with chip and pin) further interrogate the transaction where it would fail. Basically.

    2. itsecman

      and what good is chip & pin if the majority of customers don’t have chip cards; might as well be fish & chips!

    3. VH

      Except the POS terminal (the thing that reads data off the card) was not owned; it was the Windows electronic cash register (which is also considered part of the POS) that was.

      Regardless, the message coming from an EMV card reader still has the PAN (the number on the card) and the cardholder name in plain text.

  17. Ken Alas

    Anton – good point (he wrote the book on PCI – look it up).

    It will be interesting to see if direct external access was made via this “trusted partner” credentials or if there were some other means of access and this credential just happened to have the weak password that got cracked. By visiting their offices I am guessing the intrusion happened by hacking Fazio from outside and using a point to point VPN between them and Target – begin lateral movement and further penetration.

  18. Chris Munger

    I worked at an association where getting anyone to pay more than superficial attention to security was almost impossible. Easy to implement fixes, no problem. Anything that would involve serious costs or “disruptions” were ignored. I finally left a very nice paying job because I knew that the refusal to follow PCI DSS guidelines, deemed as “too onerous” (when they’re really just the most basic form of security guidelines), would eventually lead to a breach, and the IT staff would be the fall guys. I absolutely refuse to believe that Target is any different than 90% or more of all organizations that should be protecting key consumer/organizational data but aren’t.

    1. Old School

      “I knew that the refusal to follow PCI DSS guidelines, deemed as “too onerous” (when they’re really just the most basic form of security guidelines), would eventually lead to a breach, and the IT staff would be the fall guys.” Leaving a mismanaged company is understandable, but consider another approach as a more constructive solution. For instance, write a detailed plan on how to infiltrate the company’s computers, then send the plans to the president of the company. I was once told of a situation where an employee convinced upper management that the business system was insecure by telling the president that a container of the company’s product would be sent to the president’s home and no bill would ever be sent. Something like that. As for me, when I was a payroll programmer for a large Chicago retailer I saw that the company’s employee discount system could be easily defrauded by former employees. So I wrote a simple program to see if my hunch was correct. Talk about “hit the fan.” Even a dead former employee was still making purchases. The Director of Personnel was not amused. I used that story to get a better paying job at a large Chicago bank.

  19. Mark Higdon

    Surely I am not the first to notice that Target’s offer to compromised customers of a year’s free credit monitoring will be provided by Experian. That is the same Experian that was seriously hacked last year and that sold tens of thousands of records to an identity thief.

    On the one hand, one might say to Target (channeling John McEnroe): “You can’t be serious!!”

    On the other hand, after last year’s major lapses, Experian might now be the most securely locked-down of the major credit reporting agencies.

    At this writing, I have not yet decided whether or not to take Target up on its offer.

    1. Disco

      Much of what I’ve read suggests that credit monitoring is kind of a joke. It’s a feel-good solution but not much else.

    2. voksalna

      If your banking information was taken from your computer: do take people up on this offer, if you don’t mind your privacy violated and understand that it probably won’t do much good if they somehow also got your ‘fullz’ (SSN, etc, and enough to impersonate you; in this case you should investigate freezing your credit with the major agencies over making use of one of these services until you can clear the mess up).

      If your card only was skimmed, then it is probably not worth doing; call bank, get new card issued (same account, don’t need to make new account, they will give a new card number and you should set a new pin) and don’t consider these identity theft service offers as much more than Target or places like Target trying to make themselves look concerned to limit punitive financial damages later. It has become common to offer this service, but having a card solely skimmed, with a pin, really is not appropriate for this sort of service (and the way they do this is laughable anyway, if your computer is/was breached already — not the best way to do this sort of thing; false sense of security or pointless).

      1. Mark Higdon

        Yeah, I ordered and got a new card from my bank immediately upon hearing about the Target breach. Overall, the idea of submitting all the personal info necessary to register for the free credit monitoring strikes me as using hair of the dog to cure a hangover.

        Meanwhile, I watch my bank and credit accounts closely and often. But then, I always have.

  20. Steve Connolly

    What possible reason could there be for tying store environmental controls into the point of sale terminals?

    It’s one thing to have like systems tied together, but systems that have absolutely no similar purpose…….

    1. Disco

      They weren’t tied together; they were simply accessed via the same network.

  21. JimV

    Graphically demonstrating that while in principle the “Internet of all things” promises a potentially wonderful interconnected existence, in practice it continues to remain highly, perhaps fatally, flawed. Another revealing and well-done story, Brian.

  22. Bottzy

    Seems to me that PCI needs to have rules that are similar to how HIPAA has evolved. Although HIPAA by itself is ridiculously weak, it does have something in there that now states a) a definition of what a “covered entity” is (essentially a partner you entrust your data to or access to it) and b) you are completely responsible for having a plan to mitigate threats on their side and pay the price if and when it happens.

    Anton can likely comment further if this exists, but seems to me it only does in pieces and parts, not overall for accountability when something happens.

    By the way, what happens to cases like Target? Does Visa dig in to see what they didn’t do, does the QSA get shot if they did a crappy job? Will Target face any penalties by sanctioning authorities (or cartels) like Visa? Really curious. Seems like it always gets buried and moved to the next one after everyone forgets.

  23. Bill

    So, as I read it, there are a few new “details” – The initial point of entry was a 3rd party vendor account; we know nothing about it other than that it was used by an HVAC maintenance company to monitor climate controls (and we know nothing about how this arrangement worked, for instance, did all of the stores’ HVAC controllers report back to one aggregation account? Were the stores individually monitored?)

    -Drop sites. One in Miami, and one in _Brasil_? I’m not surprised that packet inspection didn’t catch it, as we know that in all likelihood that the dumps were encrypted at least once. But man, Brasil? That surely wasn’t on the net/ACL list!

    -The time frame just doesn’t add up if this were just a “target” of opportunity (e.g. found through Shodan.) Evidently, they were able to pick a select few registers, somehow load the code, evaluate the performance and once satisfied… well sheesh! I guess my question is, was this more “wormlike” than we thought? Did it stealthily crawl the network in search of hosts? Or did it arrive wrapped up in a nice Target-stamped patch through officially sanctioned channels?

    -I’m betting on it being a worm.

    1. SeymourB

      It could have been a phishing attack against the HVAC contractor, which was used to gain credentials for Target.

      The servers in Miami and Brazil are kind of superfluous, they probably just stashed the data wherever they had a “reliable” compromised server. (AKA organizations with outsourced IT)

      1. Bill

        Yeah, I didn’t think of that. I guess once they had the (trusted) pipe stuck in, moving it back through the HVAC contractor would have been the logical thing to do.

        Thanks!

  24. Tony the Tiger

    It always amazes me when people talk about how many mistakes were made and how they can’t believe $victim was so stupid.

    If you think your house is in order, give me and my buddies carte blanche and we’ll demonstrate how many mistakes you’ve made and how stupid you are. Nobody is immune. What we need to do is discuss what we can learn from the situation, not try and make ourselves feel better by saying, “we would never do that.”

    It’s not about stupidity. It’s about competing interests, compromise, failed understanding, and a grand failure of Security professionals to adequately explain -in business terms- what the stakes are in this “game.”

    *No, I don’t work for Target or any other affected retailer

    1. Anura

      I think the biggest problem is just the size of the organization. It’s hard enough to keep your house in order if it consists of 100 desktops and 10 servers, simply because security itself is hard, and often more security means less efficiency simply due to red tape. When it consists of thousands of stores, dozens of vendors, hundreds or even thousands of servers, and thousands of contractors, then it all of a sudden becomes significantly harder, and I would say it would be next to impossible to be fully secure against a determined attacker.

      That’s not to say that small businesses will be more secure, just that they can be more secure if they put reasonable effort into it and hire good people. In reality, way too many small businesses spend next to no resources on security; you need to hire good people, and be willing to take the time to audit and follow through. I’d imagine most credit card theft is not against the big players, but among the little guys that you don’t hear about (and who possibly don’t even know they’ve been hacked themselves).

      I think the problem of credit card security is something that we can’t rely on merchants to handle; it has to be fixed at the bank level with protocols that prevent unauthorized transactions even if everything the merchant receives from the purchaser is stolen in full.

      1. bsdwiz

        I agree. A network can only get so big before “securing” it becomes unreasonable. It’s the whole complexity-breeds-insecurity problem.

    2. Old School

      “It’s not about stupidity. It’s about competing interests, compromise, failed understanding, and a grand failure of Security professionals to adequately explain -in business terms- what the stakes are in this “game.” ” made me think of Alexander Pope’s
      “True wit is nature to advantage dressed,
      What oft was thought, but ne’er so well expressed. “

  25. Curt Wilson

    Anyone who has done a decent pentest, and any attacker who has performed lateral movement after the initial penetration will understand that finding a dual-homed system or some system that’s included on some ACL can be a potential goldmine. If the attacker is any good, that initial entry point is going to be enough for the flower of evil to bloom.

  26. Greg Tennant

    PCI DSS compliance does guarantee security from breaches. As the Gartner Analyst Avivah Litan stated…

    “the current PCI standard does not require organizations to maintain separate networks for payment and non-payment operations”

    Retailers keep beating their heads against the same wall of trying to secure a network perimeter that cannot be defined anymore (given partner access, firewall holes, cloud services, Wi-Fi networks, public IP based VPNs, etc.). You cannot protect what you cannot define.

    Perimeter security is porous. Detection is very difficult. Containment is absolutely critical, but not after the fact. A properly segmented network would have contained the breach from the payment network because there would have been no common network elements to exploit.

    PCI DSS does not require this. So guess all you want about which PCI requirement Target might have lapsed on, but you miss the fundamental point… a separate payment network eliminates the vulnerabilities that were exploited.

    1. Greg Tennant

      OOOPS

      I meant…

      PCI DSS compliance does NOT guarantee security from breaches. As the Gartner Analyst Avivah Litan stated…
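Curt Wilson’s point above (a dual-homed host or a stray ACL entry is a goldmine for lateral movement) and Greg Tennant’s point (a properly segmented payment network leaves no common element to exploit) can both be checked mechanically rather than argued. The script below is an added example, not code from the article or from any commenter; the zone CIDRs, host inventory and firewall allow rules are constructed for illustration. It classifies every interface by zone, flags hosts that straddle zones, then searches the zone graph for any route from the contractor-facing zone to the payment zone, treating a dual-homed host as a two-way pivot.

```python
"""Added example (not from the article or its commenters): find routes from a
vendor-facing zone into the payment zone via firewall allow rules or pivots
across dual-homed hosts. Zones, hosts and rules below are constructed."""
import ipaddress
from collections import defaultdict, deque

# Hypothetical zone plan (constructed for this example).
ZONES = {
    "vendor_vpn": ["10.50.0.0/16"],                  # contractor remote access
    "store_bms":  ["10.20.0.0/16"],                  # building management / HVAC telemetry
    "corporate":  ["10.10.0.0/16", "10.11.0.0/16"],
    "payment":    ["10.99.0.0/16"],                  # cardholder data environment
}
ZONE_NETS = {z: [ipaddress.ip_network(c) for c in cidrs] for z, cidrs in ZONES.items()}

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if no CIDR contains it."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETS.items():
        if any(addr in net for net in nets):
            return zone
    return "unknown"

# Constructed host inventory: host -> interface addresses.
HOSTS = {
    "bms-gw-01":   ["10.20.1.5", "10.10.4.22"],   # BMS gateway with a corporate leg
    "pos-ctrl-7":  ["10.99.7.10", "10.10.7.10"],  # POS controller also on corporate
    "jump-vendor": ["10.50.0.9"],
    "db-cde-02":   ["10.99.2.30"],
}

# Constructed allow rules: (src_zone, dst_zone, dst_port). Everything else is denied.
RULES = [
    ("vendor_vpn", "store_bms", 443),
    ("store_bms", "corporate", 8443),
    ("corporate", "payment", 1433),               # "temporary" DBA convenience rule
]

def dual_homed(hosts):
    """Hosts whose interfaces land in more than one zone -> sorted zone list."""
    found = {}
    for host, ips in hosts.items():
        zones = sorted({zone_of(ip) for ip in ips})
        if len(zones) > 1:
            found[host] = zones
    return found

def build_graph(rules, hosts):
    """Directed zone graph: firewall allows plus two-way pivots over dual-homed hosts."""
    graph = defaultdict(set)
    for src, dst, port in rules:
        graph[src].add((dst, f"firewall allow {src}->{dst}:{port}"))
    for host, zones in dual_homed(hosts).items():
        for a in zones:
            for b in zones:
                if a != b:
                    graph[a].add((b, f"pivot through dual-homed host {host}"))
    return graph

def find_path(graph, start, target):
    """BFS; returns the edge labels of a shortest path, or None if unreachable."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for nxt, label in sorted(graph[node]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [label]))
    return None

def exposure_report(rules=RULES, hosts=HOSTS, start="vendor_vpn", target="payment"):
    """Shortest route from the contractor zone to the payment zone, or None."""
    return find_path(build_graph(rules, hosts), start, target)

# Hardened variant: drop the corporate->payment rule and the POS controller's corporate leg.
HARDENED_RULES = [r for r in RULES if r[1] != "payment"]
HARDENED_HOSTS = dict(HOSTS, **{"pos-ctrl-7": ["10.99.7.10"]})

if __name__ == "__main__":
    print("dual-homed hosts:", dual_homed(HOSTS))
    print("route into payment:", exposure_report())
    print("route after hardening:", exposure_report(HARDENED_RULES, HARDENED_HOSTS))
```

With the constructed data the route is three firewall allows long (vendor VPN to BMS, BMS to corporate, corporate to the payment database), and even with the 1433 rule removed the dual-homed POS controller would still bridge corporate and payment until its second interface is taken away; only the hardened variant, where both are gone, reports no route. Port-specific allows give an attacker a service, not a full pivot, so treat a reported route as something to investigate, not proof of compromise.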

  27. Mark Bower

    “In testimony before lawmakers on Capitol Hill yesterday, Target’s executive vice president and chief financial officer said upgrading the retailer’s systems to handle chip-and-PIN could cost $100 million.”

    Yet EMV would not have stopped the breach, nor protected the PAN data (Primary Account Number) from the malware. Bob Russo, GM of the PCI Council, even went to the extent of clarifying this today to the congressional committee reviewing data security. EMV doesn’t secure the data: it authenticates transactions and devices and makes it much harder to clone a physical card.

    The stolen EMV data could still be monetized in card-not-present environments, including Target’s own e-commerce store, and anywhere EMV isn’t 100% implemented, which will be the case for a long time in the full US transition from stripe to chip.

    The bottom line is that Target needs to not only migrate to EMV, but to encrypt EMV and Track data at the point of entry in the secure devices. Only then will this category of attack, and others like it, be rendered ineffective.

    Heartland learned this lesson 4 years ago almost to the day and led the way with full end-to-end encryption with its E3 solution. Many other retailers and acquirers have embraced the approach too for cost and risk reduction. Target needs to think beyond EMV as it only addresses a fraction of today’s risk to card data – and tomorrow’s.
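Mark Bower’s argument above is that EMV authenticates the transaction but leaves the PAN and track data in cleartext inside the POS, where memory-scraping malware can read it, and that encrypting at the point of entry is what removes the target. The script below is an added example, not code from the article, from Mark Bower, or from any vendor’s product; it is not a model of the malware used against Target specifically, only of the RAM-scraping category the comment describes. The “memory images” are constructed byte buffers standing in for a POS process’s RAM, the PAN is a well-known test number, and the cipher is a stdlib stand-in (HMAC-SHA256 keystream in counter mode with an HMAC tag) for the AES/DUKPT scheme a real PIN-entry device would use.

```python
"""Added example (not the article's or any vendor's code): why encrypting track
data at the point of entry defeats a RAM-scraping POS malware. Memory images
are constructed byte buffers; the cipher is a stdlib stand-in for AES/DUKPT."""
import hashlib
import hmac
import os
import re

# Track 2 layout as it sits in memory: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")

def luhn_ok(pan):
    """Luhn checksum; scrapers use it to discard false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scrape(memory):
    """What a RAM scraper does: regex for track-2 layout, keep Luhn-valid PANs."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(memory)
            if luhn_ok(m.group(1).decode())]

def keystream(key, nonce, n):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def ped_encrypt(key, track, nonce=None):
    """Encrypt-then-MAC inside the PIN-entry device; the POS only ever sees this blob."""
    nonce = os.urandom(12) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(track, keystream(key, nonce, len(track))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def acquirer_decrypt(key, blob):
    """Only the acquirer/processor holding the key recovers the track data."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

# Constructed data: a Luhn-valid test PAN, a decoy that fails Luhn, a demo key.
TRACK = b";4111111111111111=25121011234567890?"
DECOY = b";4111111111111112=25121011234567890?"
KEY = hashlib.sha256(b"constructed demo key, never reuse").digest()

def pos_memory_plaintext():
    """Classic POS: the app receives cleartext track data, so it sits in RAM."""
    return b"txn 0042 lane 3 \x00\x00" + TRACK + b"\x00 approval=Y " + DECOY

def pos_memory_p2pe(key=KEY):
    """P2PE POS: the PED encrypted before handing over; RAM holds only the blob."""
    return b"txn 0042 lane 3 \x00\x00" + ped_encrypt(key, TRACK) + b"\x00 approval=Y "

if __name__ == "__main__":
    print("scraped from plaintext POS:", scrape(pos_memory_plaintext()))
    print("scraped from P2PE POS:     ", scrape(pos_memory_p2pe()))
    blob = ped_encrypt(KEY, TRACK)
    print("acquirer recovers track:", acquirer_decrypt(KEY, blob) == TRACK)
```

The scraper pulls the valid PAN out of the plaintext image and correctly discards the Luhn-failing decoy; against the P2PE image it finds nothing, because the only copy of the track data in the POS is ciphertext and the key never leaves the PIN-entry device and the acquirer. The caveat Mark Bower raises stands: this protects data in the store, not the card-not-present channels where stolen data is ultimately spent.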

  28. TheHumanDefense

    Without reading all the comments since this story posted, I wanted to see if anyone knows how the HVAC vendor’s Target network creds were obtained?

  29. TheHumanDefense

    The Critical Infrastructure Protection (CIP) was initiated to protect the grid and all that. However, the best thing that came out of that was the separation of the power network and the corporate network. It might be time to start thinking of the theft of 40+ million credit card numbers as critical to the infrastructure of your economy. I recall a similar housing fraud scheme impacting the entire world economy. Just imagine if this was 500 million…? Who knows for sure, but I know it’s all about reducing risk.
