05
Feb 14

Target Hackers Broke in Via HVAC Company

Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.

hvachooverSources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.

Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation, but said he was not present when the visit occurred. Fazio Vice President Daniel Mitsch declined to answer questions about the visit. According to the company’s homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.

Target spokeswoman Molly Snyder said the company had no additional information to share, citing a “very active and ongoing investigation.”

It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.

“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”

CASING THE JOINT

oktarget

Investigators also shared additional details about the timeline of the breach and how the attackers moved stolen data off of Target’s network.

Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores.

Those same sources said the attackers used this time to test that their point-of-sale malware was working as designed.

By the end of the month — just two days later — the intruders had pushed their malware to a majority of Target’s point-of-sale devices, and were actively collecting card records from live customer transactions, investigators told this reporter. Target has said that the breach exposed approximately 40 million debit and credit card accounts between Nov. 27 and Dec. 15, 2013.

DATA DROPS

While some reports on the Target breach said the stolen card data was offloaded via FTP communications to a location in Russia, sources close to the case say much of the purloined financial information was transmitted to several “drop” locations.

These were essentially compromised computers in the United States and elsewhere that were used to house the stolen data and that could be safely accessed by the suspected perpetrators in Eastern Europe and Russia.

For example, card data stolen from Target’s network was stashed on hacked computer servers belonging to a business in Miami, while another drop server resided in Brazil.

globeauth

Investigators say the United States is currently requesting mutual legal assistance from Brazilian authorities to gain access to the Target data on the server there.

It remains unclear when the dust settles from this investigation whether Target will be liable for failing to adhere to payment card industry (PCI) security standards, violations that can come with hefty fines.

Avivah Litan, a fraud analyst with Gartner Inc., said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).

In any case, Litan estimates that Target could be facing losses of up to $420 million as a result of this breach, including reimbursement associated with banks recovering the costs of reissuing millions of cards; fines from the card brands for PCI non-compliance; and direct Target customer service costs, including legal fees and credit monitoring for tens of millions of customers impacted by the breach.

Litan notes these estimates do not take into account the amounts Target will spend in the short run implementing technology at their checkout counters to accept more secure chip-and-PIN credit and debit cards. In testimony before lawmakers on Capitol Hill yesterday, Target’s executive vice president and chief financial officer said upgrading the retailer’s systems to handle chip-and-PIN could cost $100 million.

Target may be able to cover some of those costs through a mesh network of business insurance claims. According to a Jan. 19 story at businessinsurance.com, Target has at least $100 million of cyber insurance and $65 million of directors and officers liability coverage.

Update, Feb. 6, 3:33 p.m. ET: Fazio Mechanical Services just issued an official statement through a PR company, stating that its “data connection with Target was exclusively for electronic billing, contract submission and project management.” Their entire statement is below:

Fazio Mechanical Services, Inc. places paramount importance on assuring the security of confidential customer data and information.  While we cannot comment on the on-going federal investigation into the technical causes of the breach, we want to clarify important facts relating to this matter:

–          Fazio Mechanical does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target.

–          Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis.  No other customers have been affected by the breach.

–          Our IT system and security measures are in full compliance with industry practices.

Like Target, we are a victim of a sophisticated cyber attack operation.  We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches.

Tags: , , , , , , ,

268 comments

  1. Oh can I make one guess right away? Judging from the fact that Fazio Mechanical’s site is suspended and under this redirect url:

    http://faziomechanical.com/cgi-sys/suspendedpage.cgi

    I will hereby guess they got in to Fazio Mechanical’s network via the web. They use cgi scripting, and from what I have seen in past, unifiedlayer (their hosting) often has had older vulnerable sites (I mean no insult to unifiedlayer itself — they (probably) do not control what people put on their websites).

    I will bet it is lateral, in, and lateral, in, and lateral again.

    As I have said before about how this malware was probably ‘pushed’… Things would probably be tested on small number of devices… at that point they would use the update servers that the stores all have I think two of. Worm? A worm is not needed to automate processes that exist already to make business possible. The best way to spread a malware is to take advantage of channels used to keep existing systems up to date. Don’t overcomplicate this; I am sure the people who infiltrated would have tried not to complicate it more than they would have had to.

    Should HVAC have had that much access? No. But do a lot of HVAC and scada like systems exist on various layers of systems anyway? Yes. Especially in cases like Target’s architecture and infrastructure. Again, as I have said: It is just lateral. Does not need to be on the SAME network to be able to go to the other network if they meet somewhere at some other point, or some chain is possible to get to any other point. And almost always is.

    • They never, ever should have run credit card/POS on the same network and/or subnet.

      Also I wonder if Target runs proprietary POS software. In spite of your analysis on the hosting, I think this was probably the biggest no-no of all of this.

      It’s not hard to suck up credit card data from any POS system, regardless of OS because of the way mag stripe readers work.

      • Actually my analysis of the hosting is separate from other comments I have made in the past month or two about this incident. This is the first time I have publicly commented on it.

        The main issue is and will always be that none of that should have been able to be accessed outside of a small dedicated network. This is the failure and it is an architectural one, but the supplier provided the pathway (note I do not believe the supplier is the failure; it is just one possible means of likely more than one; if it were not these people it would probably have been somebody else).

        People need to realise that you can not add security in after the fact if you do not design a system with security in mind in first place.

        Sniffing POS data is stupidly easy. Is far more complicated/difficult to get working PINs; given enough time and effort the DES can be cracked, but I will not discuss that or I would be hypocrite ;)).

    • This snapshot from archive.org shows a couple of Target locations:

      https://web.archive.org/web/20130829010644/http://faziomechanical.com/projects.html

  2. TheOreganoRouter.onion

    East European cyber criminals ‘‘Partnerkas’, protected from prosecution’

    Respected security researcher Nart Villeneuve has controversially declared that Eastern European cyber criminal gangs – responsible for the recent attacks on Target and other major retailers – are relatively safe from arrest and prosecution.

    hxxp://www.scmagazineuk.com/east-european-cyber-criminals-protected-from-prosecution/article/332548/

    • How long before an extrajudicial response?

      This looks to me–a layman–like something a lot more sophisticated than the work of even a large group of skilled hackers.

    • This article is hysterical. Literally.

  3. I am really surprised but I couldn’t say shocked that their network topology allowed this kind of thing. Unless there is some part of the story that’s not clear, it’s inexcusable for the payment “network” to be access to the broader corporate network. That’s how you protect against these kinds of things. Even internal folks can’t game the system as the network doesn’t allow for traffic to go out like it did here.

    I don’t know the Target CIO but I know the type. They manage up incredibly well, create great powerpoints, and are enthralled with buying IDS system after IDS system that gets them long nights out with the Cisco reps.

    • Scott Nicholson

      Agreed! While PCI DSS does not “technically” require card data and non card data be on separate network, it does require their be segregation between the two data streams. So, it could be as simple as a distinct VLAN between the POS, workstations, servers containing card data and all other network traffic. Most enterprise class security appliances, such as SonicWall’s, hand this and more sophisticated segregation. Will be interesting to see what was missed…

  4. The part that is STILL missing is how the data got out of Target.

    What protocol? FTP, DNS tunneling, what? This is the key to stopping this at other companies: not how they got in or what they did, but how they got the data out.

    • @JJ .. while i agree it’s vital to understand how the data LEFT, IMO it’s also critical to understand how they got IN.. drive-by on a webpage / bad document (pdf, etc.) / social engineering / direct physical connection into the main network.. thus my comment the other day about multiple forensic teams doing the investigation.

  5. And the hits just keep oooooooon comin’…

  6. Ugh. This could be really ugly. Google’s cache comes through again. Their client list:

    Air Liquide, Aldi, Inc., Allegheny Cold Storage, American Beverage Corp., Bilo, BJ’s Wholesale Club, Bottom Dollar, Cardinal Health, Central Catholic School, Community Market, Costco, Dairy Farmers Of America, Dave & Busters, Delallo’s, Denny’s, Dyno Nobel Inc., East End Co-op, Farmer Jones, Fisher Foods, Food Lion, Get Go, Giant Eagle, Goodwill, Greater Pittsburgh Food Bank, Home City Ice, Island Sports Center, John McGinnis & Co., Kuhn’s Market, Marathon – Exxon, Marcegaglia, McCormick & Schmick, Nestle’ Usa, O.K. Grocery, Oakland Catholic High School, Parma Sausage Incorporated, Penn Avenue Fish, Pittsburgh Public Schools, Sam’s Club, Sav A Lot, Shop N Save, Silver Star Meats, Snider Super Foods, Scheider’s Dairy, Sparkle Market, Super Valu, Target, The Uncommon Market, Top’s Market, Trader Joe’s, Trout’s Market, U Parc, UPMC – St. Margaret’s, Walmart, Whole Foods Market

    I live in their “target” market of Western Pennsylvania, Ohio, West Virginia, Virginia and Maryland. And I regularly use credit cards at three of those chains. And the cache of their Project page does include the area where i live.

    • And note that Fazio appears to only do work for those customers in a limited region, yet their access credentials allowed the attackers to ultimately infiltrate every Target in the US. A question would be whether their login was for a system on the Target main office network from which they accessed all of the stores or whether they accessed a store in their region and then were able to get to the main corporate systems and from there to the rest of the stores.

    • My increase of spam mail from Walmart and Costco made me wonder if they were part of the data breach.

    • Looks like FAZIO MECHANICAL SERVICES INC has government contracts too.

      • @DOF .. if you could provide some type of ‘source’ (where you came up with that info on the Gov’t thing), it could be most helpful.. thanks.

        • Should I post the links to the city and state contracts here or send them to Brian off the blog?

        • I also don’t know if obtaining a contract under FMS Engineering would encompass the IT practices of Fazio Mechanical Services. But I’ve found local and state for both.

          • Fazio Mechanical Services

            mailer.faziomech.com – Mail Server

            mailer.faziomech.com is a mail server for the domains fmsconstruction.net, faziomech.com, faziocleve.com, and resolves to the IP address 199.234.67.90.

            Domain Names

            @fmsconstruction.net
            @faziomech.com
            @faziocleve.com

            Also

            @faziomechanical.com

            • After all this, they even have RDP standard port open and etc….good grief. These guys should not be doing business with anyone!

      • They have contracts with public schools too.

    • It’s a mistake to assume that just because a company has been “serviced” by this company that all of these places are vulnerable. That is not how things work, and all of these companies have totally different set-ups. Is there potential for others? Sure if the others messed up like Target did (or messed up in other ways allowing this ridiculous level of access) but so many things were wrong with what happened with Target that it is not wise to make any assumptions. This is architectural.

      Fazio’s larger mistake in my opinion is posting their client list and making themselfs seem valuable. You’d be making a very wrong assumption if you’d think that these places can’t all be hacked in a ton of ways, including at the hosting level. It was probably some home person who got drive-by’ed and connected in to the network, not even the website. I will be devil’s advocate because the point is it does not MATTER. There is always a way in.

      • “It’s a mistake to assume that just because a company has been “serviced” by this company that all of these places are vulnerable.”

        Ya, but if I am one of their customers, it’s a mistake to assume I’m not vulnerable. Through Fazio, or any of my vendors.

        • If you are a customer and do not have your own machines secured, then you’re missing the point. One needs to operate under assumption one WILL eventually be breached from SOME way — maybe even by your own fault. The goal is to make sure it really doesn’t matter much. Could a hacker screw up your air condition or refrigeration should be the only concern. If not you are doing it wrong.

          And a list of their customers basically gives everybody else a list of their customers. If you are a customer you know you are a customer and if you’re reading this and do not make the connection… well that is also ‘doing it wrong’.

          • “…making sure it doesn’t matter much..” is spot on.

            IT’s current maximize data collection and store it forever (what I call ‘data hoarding’) mindset, the ‘big data’ scaling is exactly opposite this defense of making a breach not matter.

            Part of this is driven because data is viewed only as an asset, not a liability (until a breach happens). Whether on the balance sheet under ‘goodwill’, as legal defense, or specifically as intellectual property, the push to convert information that touches the edges of organizations to ‘internally owned private data’ is very much the business model that’s in vogue.

            Collecting and storing anything and everything actively increases scale and makes breaches matter more. I’m sure there will come a time, like overuse of derivatives in finance, when businesses say “that was silly, what were we thinking?”, but that time is not now.

            Given a non-zero likelihood of an event, and a long enough time horizon, the event will happen. That leaves reducing scale, or as you put it making it so a breach doesn’t matter much.

            -Lee

            • I keep thinking about Oracle’s ‘the computer is the network’ bullcrap from a decade and a half ago and thinking ‘so yes you got this — this is what cloud computing is — and it wasn’t a good idea then either.’ Repackaging a whore does not make her less of one (if you will pardon my crudeness).

              Either way we are agreed on ‘big data’.

  7. Thank you, Brian, for continuing with your follow-ups on this story. All too often all we see are headlines but seldom ‘the rest of the story’. In fact, I could say the same thing about pretty much any story you’ve posted!

  8. As a small business owner, we are required to take a PCI compliant test once a year. We also make sure every card is signed, and if it is not we ask for ID.
    Most customers say nobody else looks for the signature and few bother to ask for ID.
    All this to save one customer from getting hacked, while corporations like Target and their sloppy security expose millions. Golly!

    • PCI DSS for smaller businesses is vastly different than for large network structures. Unfortunately, the cumbersome information gathering required by large corporations in order to become PCI compliant makes it a very difficult venture, and many companies see it as a wager: How much of a liability do I need to be facing to make this PCI thing worthwhile?

      Many of them don’t factor in the serious reputation damage, and even when they decide to become PCI compliant, it can take years to properly structure their data for it, especially if they rely on third party vendors who have not yet managed this or if they have proprietary systems and have to do the coding themselves. Data encryption, network architecture, ad everything else has to fall after “defining the scope” of the compliance, which, in itself, can take a very long time considering the size and scope of some of the networks.

      Every retailer should be PCI compliant, but many of them are finding that to be a much larger task than is might seem.

      For small businesses, it is generally fairly simple. Your POS machine(s) tend to run through a phone line or are not connected directly to a network, your processor generally provides PCI compliant terminals, which encrypt the data and send it encrypted, and you’re not storing card info at your location. That’s generally the three parts that are most important for smaller retailers.

      For larger retailers, there is a lot more to look at if their POS systems are incorporated into their larger network architecture.

      I know of a hospital that uses card terminals that go through POTS lines, even though they have several hundred terminals. This increases their expense significantly, but it also means that card data never touches their network, so it simplifies PCI significantly. (There is more to it than that, but you get the idea)

  9. The fix (midterm) is to chip the cards of course.

    Short term profit seeking has dropped the US 10 to 20 years behind in advancing infrastructure. Seems to me no one (tax payers) is willing to invest for the future. Sort term gain and greed is the hallmark. Put chips in your cards and power lines in the ground for a start. Come up to today’s standard in infrastructure, physical and digital . Stop saying *we’re number one* when your only number one in decay and circus.

    • AMEN!!!

    • Using chips on cards and absolutely requiring only cards with chips blocks only the bogus card makers. It does nothing to block the rest of credit card fraud as an industry. And the US is unlikely to block the use of non-chipped cards for years and years. Even in EU countries with high penetration for chipped cards they are still accepting non-chipped cards in many locations.

      How you get rid of credit card fraud is to begin prosecuting the perpetrators. Use a stolen card number online and the police come to your door. Use a stolen card number in person and get hauled off to jail. It is the only way.

      Understand that today use of a stolen card number in a store, if it is detected in the store, carries the maximum penalty of NOT GETTING YOUR PURCHASE. The store has no standing to file a complaint. Only the card issuer has standing because they technically own the card and no card issuer in the US has ever, ever wanted to prosecute a potential credit card user.

      Today, the US is chasing after the top level of the credit card theft ring with the absolute foreknowledge that the crime originated outside the US and all of the perpetrators are almost certainly in countries where law enforcement isn’t going to touch them. Along the way, if they happen to come across people making bogus cards by the thousands they are being prosecuted, but not for credit card fraud. If you buy one of these bogus cards you will not be arrested for using it. And until that changes the market will continue briskly for selling stolen card information.

      • Chips on cards are like anything else. They solve one piece of the security problem but not the whole thing. So it takes a long time to adopt. You have to start sometime.

        Credit card fraud is a crime. If it’s not being prosecuted, that’s also a crime (in the vernacular sense). Astounding, if true. I see people being arrested frequently for skimming etc but it is all petty crime (e.g. the local bank or gas station, not the entire bank chain).

        As you say, if the perpetrators are outside the US it’s hard to imagine justice occuring.

        • As one who has (and has used) a chip card, I can agree that it is not a panacea. As many have pointed out here, there are multiple problems that we see with what went on with Target. If Target had proper network segregation, we wouldn’t be talking about this. It is possible/likely that if Target used two-factor authentication for anyone connecting to the POS network, that the problem would have never occurred. And chip cards would help as well.

          Whenever the NTSB investigates an accident of some sort, they find the chain of events that led up to the accident. If you break any one link in the chain, the accident would not have happened. But the outcome of such an investigation is that you correct all of the problems that are identified – not just one, and not just the cheapest/easiest.

  10. TheHumanDefense

    All,
    All this talk about lateral movement this and parameter security that.
    Folks can say that they have a defense in depth method, they can say that they are secure. They can say that lateral movement is the cause of bad network designs.

    I submit the following thoughts:
    Security professionals have created this issue………we brought the IT back ground……..we brought all the technology……..we are too blame here.
    We have implemented so much technology that we cannot even see the tree directly in front of our face, let alone know that we are even standing in a forest. We create so much log noise, event noise and alarms that operations teams feel like they are standing in a room full of alarm clocks and fire alarms they cannot shut off. The whole building could be on fire around you and you only start running because you feel the heat.
    Now we know who to blame, lets start looking at how we, the professionals can work together and use the best computer in the world, our brains. Lets start turning the noise down, and the analytics up!
    Stop, think, work the problem, and stop letting the problem work us.
    PCI requires this and that and now requires awareness training.
    I saw a plea from a small business owner who talked about how he is required to go through training on PCI. I imagine so does Target. I understand as I am a small business owner also. It’s a fine line between a loss and going out of business. It could happen overnight.

    Now, what happened here??
    What happened at Target??
    Poor system design…..well maybe?
    Why the poor system design??
    Well I imagine, maybe time?
    Time moves on and new system designs and standards come around every couple of years??
    Yep, sure does.
    How about the dozens of network engineers that have worked on the growing network over the last 25 years?
    That’s right, could be that each one applied their own standard or interpretation of some standard design. Is that true?
    I bet it is……you know why I could bet one of my limbs on it? Because I grew up in corporate America over the last 26 years. I have seen it all before. Not that its wrong, just that it is what it is.
    Have you ever contemplated what it would take and the losses that might be taken by ripping out an entire network?
    I have seen it done, but it takes so long that by the time your done, your already in your first refresh of gear and software.

    Look, somehow it all came back to the human element. Someone had a credential get snagged. How? Well no one knows just yet, and we may never know.
    Here’s what it typically happens:

    1. Recycling (otherwise referred as re-use) passwords or passphrases across both professional and personal life. One of the other sites were breached and their password was lifted and then used at Target

    2. Insider threat from the HVAC company (only time will tell)

    3. Weak password was used and the bad guys just used readily available tables, internet sites and half a dozen other tools to guess or brute force the password (76% of all network intrusions in 2012 were the direct result of weak or stolen credentials: Verizon Data Breach Investigations Report 2013)

    So what????? Who gives a sh$% what I say!???? You could be correct in thinking so. I am merely expressing my thoughts based off of my experience and statistics and I appreciate you listening.

    Maybe we should stop the blame game and learn from what happened. The banks and Target are learning. I am sure they are gonna have some interesting arguments in court or outside of court. No matter what, the public was protected by law both on the credit and debit cards compromised. This is not identity theft, so it really is as simple as taking care of your consumer rights and applying them with your institution. However, it may change how banks and merchants operate moving forward. I was in the credit card fraud prevention business, and I can tell you it’s virtually a seamless process to have your card issue rid your account of fraudulent charges (most of the time).
    Maybe with all of that said, consider starting new and start offering our services to the Targets, Neiman Marcus, Michaels…..and the thousands of small and large retailers out there. In fact, I would submit that the targets of this new malware (not really new but morphed) would be even more devastating to small retailers and small banks or credit unions. They have much less room for this type of loss.
    I hope some of you can see my point here and will consider a little radical change from just technology to a combination of our security teams great analytical skills and the technology. Consider if you have tools in your kit that are really just noise and what risk you have possibly added by putting too many controls in place that you cannot see the tree while your standing in the middle of the forest. Worse yet, all of the trees look identical.

    • Security Analyst

      I somewhat disagree with your statement about security professionals carrying the blame. To some degree, yes, however you have to understand that what probably went down is the security analyst(s) brought issues like this up to their superiors who blindly dismissed it because it wasn’t in the budget/wasn’t necessary/don’t have the resources/insert excuse here, and now the upper level management are kicking themselves in the ass while the entire security segment of the IT industry are salivating at the fact that this this event will be a catalyst for the change needed for upper management to listen more closely when IT surfaces potential weaknesses in their infrastructure. All that aside, HOW they obtained their PCI ROC is questionable in and of itself. What PCI auditor signed off on their compliance if their network architecture was in such a lax state?

      • TheHumanDefense

        Security Analyst
        PCI as a standard can be adopted or not. So if a PCI auditor came in, I believe that as a level one merchant they would have passed. I am pretty sure Target adopted the PCI standard, but frankly I don’t know if the auditor is looking at who has an access network account. It would be interesting to hear from one on this forum.

        So I know someone in the IT Sec at the largest issuer and they do not use PCI as their standard. Not even NIST-800-35!

    • @TheHumanDefense
      “No matter what, the public was protected by law both on the credit and debit cards compromised”

      What about the person who tried to use money in his checking account, but could not because his debit card was hacked? Is anyone going to pay his fees for late mortgage, bounced checks, etc?

      Or how about the person who was unaware of the theft for some time? Go to WWW DOT CONSUMER DOT FTC DOT GOV and search for “Lost or Stolen Credit, ATM, and Debit Cards.” Note how the loss for individuals can be $0, $50, $500, or unlimited.

      Even if Target eventually pays the victims for their loss, it might be years before any money changes hands, not to mention the 40% deduction for legal fees.

      “This is not identity theft”

      You do not know that for a fact. Target admitted losing email addresses, physical addresses, telephone numbers, and other personal information. It admits on its website that it will use credit/debit card application data for marketing purposes; how could it do that unless it retains a copy? Others wondered about pharmacy data: was it hacked too?

      • If anyone (in the US) loses money because their credit card is stolen, lost, etc. there is some criminal enterprise at work at the card issuer. It is clear in US law that the card holder is liable for a maximum of $50 – period, no exceptions, even if the card is not reported lost or stolen for a long period of time.

        It is possible I suppose for someone to not notice huge fraudulent charges, pay the bills and later think “I never got that TV that was purchased on the other side of the country. I guess I should complain.” This probably has happened but it is in some ways the cardholder’s problem.

        Ever time I have had a credit card “borrowed” (I still had the card but someone else was using the number) the charges have been removed without any question and my liability has been $0.00. This happens to me about once a year – partly because there is zero disincentive for thieves to commit credit card fraud – it simply isn’t prosecuted. There is also zero outcry from consumers because nobody loses on it.

        Now debit cards are a different matter. While there are nationwide, federal level rules about credit cards there are far fewer rules about debit cards. Most banks have adopted similar rules about debit cards as there are for credit cards, but not all banks have. In general, anyone using a debit card is risking the contents of their account and may be liable for the entire balance – without any assurance from the bank they will be protected.

      • TheHumanDefense

        saucymugwump,
        Interesting name by the way.

        Stolen credit and debit card numbers are not identity theft. Depending on the track data stolen and what was stored there. Based on the details released this is what I was speaking about.
        Regarding stolen emails and the like. That could be considered ID theft, but you can’t file a police report on it. So, PII theft is reportable, therefore designating it as such.
        Clear?……..again 18 years in the card world….so just saying

        • @TheHumanDefense
          “Interesting name by the way”

          I made it up to serve as a nom de guerre for my blog; I would use a different name today if I could start over. My most recent blog post is a work of very relevant fiction: “Swing until dawn.”

          “Stolen credit and debit card numbers are not identity theft”

          I understand that.

          Go to Target’s website. Click on any link to apply for a Target credit / debit card. On that page, scroll down to find this text: “By applying for a Target Credit Card, you agree that you are providing contact information from your application to TD Bank USA, N.A. and Target Corporation for their use, including marketing.”

          Given recent events, are you 100% confident Target does not simply retain all data from the application on a marketing server? I have personally seen how a company (not Target) retains application data on an unsecure server until the application is completed, with the loophole being that if a customer never completes the application, the data sits on the unsecure server forever.

          Then add in the fact that Target announced that email addresses, physical addresses, telephone numbers, and other data was stolen by the cyber-thieves. This data is not stored on a credit card and must have been stolen directly from a Target server. Perhaps this extra data was actually stolen from the credit / debit card application process where SSN and DOB are also available.

          Now do you understand my point?

          • I almost forgot about the email address theft. We haven’t heard any technical details about that, have we?

            I’ve ordered from Target’s web site a couple of times. They have my email address, and they used it to send me a notice about the breach. If the theft of the email addresses was related to online orders, the thieves got lots of useful info. Is it possible that the data entered and utilized for the online ordering process can be grabbed real time (or near real time) similar to how the POS memory scraping was done?

            • “Is it possible that the data entered and utilized for the online ordering process can be grabbed real time (or near real time) similar to how the POS memory scraping was done?”

              They might have stolen online order data, but that would have been a very different process.

              We are like blind people trying to determine what an elephant is by feel. Good thing we have the chief elephant feeler (Brian) working out in front.

              Does each Target store send updates to its wedding registry every night just like it does with POS data, with the hackers reading that data-stream? Or did hackers gain access to every database in Target Central?

              Did they hack the pharmacy database? That would classify as a “Holy Crap, Batman!” Or just as bad, was Target negligent with its credit / debit card application data?

          • TheHumanDefense

            suacymugwump,
            I do and did understand your point. It’s pretty clear that PII didn’t leave their shop at this point.

  11. While IT may have created the problem, it generally was created at least a few decades ago and it is almost impossible to correct today because “there is no business value” a.k.a. short-term profit, as one poster noticed.

    Most banks have flat networks. Yes, they use VLANs but there are no ACLs between them. Every teller has access to the full PAN due to creaky, old mainframe technology that until very recently did not even offer telnet over SSL. (Mainframe “security” is the modern equivalent of the Emperor’s New Clothes.)

    ACL’d VLANs in branch or store locations require more complex networks and outsourced network management “because they can do it better than us” and that means the charges go up for every tidbit added. I’m working with one vendor right now that wants to charge us 20% a month for a managed firewall in a remote location. 20% of what? Of the price of brand new hardware. After a year we’ve bought two of them and they still would not be ours. Oh, and they also will charge $55 per activated port on that firewall and on each switch per month. “Where’s the business value in this?” “What, and you want a separate VLAN in each store for cameras and another for registers? At these prices? What are the chances that ________?” and that’s why this stuff keeps happening.

    “Risk Management” has turned into a fancy alternative for “negligence”.

    Until the PCI Council starts publicizing their fine list as HIPAA publishes theirs, none of this is going to change because there is rarely any public spanking unless it is truly massive.

    • TheHumanDefense

      JJ,
      Yes decades old. Yes PCI maybe should do the same as HIPAA. Yes so what? Yes pass a law……make more regulations….lets start hitting companies where it counts, in the wallet. Well, ok cuz that’s all worked so well so far. Lets look at the regs in place for the housing market, someone figured out a way around those, and as a result the world economy, not just the U.S. took a giant crap. Look, I hear you, this is everyone else’s problem…it always is…but it’s not. At least not in my opinion. That’s all this is, my opinion; however based on 18 years in the financial credit card industry and banking. Overall years of sitting across the table from Federal OCC auditors, SOCs Auditors, NERC-CIP audits, and all I have seen is the blame game.
      I am simply submitting that if we all wait for the others to do it, then we are just adding to the problem. Obviously, the chip PIN is a great idea, but is it the solution? No, but using this forum to actually submit how to achieve the combination of expertise might be a great way to help achieve success.

      • Security Analyst

        I believe the word you were looking for is SOX auditors.. not SOCs… as in Sarbanes-Oxley.

        • TheHumanDefense

          Security Analyst,
          Yes sir, you are correct. I was up in the middle of the night reading when I wrote this and must have had the slip of the key.

          After almost 27 years as of this month in a multitude of roles and responsibilities across corporate America, I do understand that is probably what happened. Probably the same thing that happens to anything that I have ever seen cost money (except for marketing of course) get picked apart, sliced, diced and hung out to dry. However, the point I am making is this. We have in many cases let it happen by not getting the best possible information in front of management about the benefit and value of security and maybe used the FUD factor too much. Just saying if we want to influence change, you must first influence the culture of change within an organization to gain acceptance of security. Not try to change the culture to accept security.
          However, your statements are true and I very much believe that CISO and Security Director roles should be moved out of the IT environment and report to Legal or Risk areas…even better it’s own arena. This might allow a more pure approach to security by eliminating bias about combined budget concerns and the like (without spelling it all out as I think you know what I mean).

  12. And speaking of HIPAA and HITECH, has Target ever officially denied the loss of any pharmacy data? They would neither confirm or deny it before.

    If they lost health care information by either a direct hack or by intermingling it with retail data in that marketing database that got swiped, PCI and payment card implications are just going to be a footnote to the real financial penalties.

    And that, my friends, is how the government got health care providers to start getting serious about protecting data.

    But the PCI Council a.k.a. “the card brands” have too big a conflict of interest to be truly effective with large retailers. They need a massive lawsuit against them in order to fix that.

  13. Ok, I am perplexed. You need to give the HVAC access to the network for what reason?

    Hey Im a HVAC guy and I want to come onto your premises, tap into your POS network and monitor just heating and cooling. It could save you quite a some of money ! Ya, right, tell that to them now.

    Obviously the HVAC must have been doing this cheap, because Target obviously never heard of PROGRAMMABLE Thermostats.

    So, the HVAC snafu was given, or gets to place a box with network access on the target network and some person who uses the same user name and password combo all over the planet for these services now is a festering opening to the store.

    I dunno, I am simply shaking my head. In the end it boild down to Target’s issue for letting the HVAC people access to their network. Target supposedly accepted the risk, whether it was a busy manager on the phone and simply giving an ADHD nod, or a “well thought out risk asessessment process” was enacted and the employees voted for an eventual epic fail.

    One word sums up this find: Stupid.

    • Unfortunately with your programmable thermostat you indicate to many you have no clue what you are talking about.

      The problem here is that there weren’t the controls in place from the network side and the product selection by the mechanical wasn’t evaluated properly for implementation.

    • Modern HVAC systems are more complex than being controlled by programmable thermostats. Imagine… a sea of units on a rooftop….a technician can access each unit remotely to see if air temps, refrigerant pressures and amperage draws are ok. Further, each unit has alarm settings to notify if something goes wrong. Broken down equipment costs a lot of money in lost traffic as well as secondary repairs due to a primary failure. Properly controlled equipment saves a lot of money in energy costs as well. Most systems operate on their own language such as bacnet and really only access another system via a modem. To tie the system into a corporate computer system is poor thinking.many government agencies use stand alone systems for this reason.As an HVAC proffessional i have to say it is premature to blame the HVAC company.

      • Its the HVAC problem. Its lack of knowledge or due diligence or due care of a security practice. It cost Target a supposedly large amount of millions of dollars. If the bozos that operate these controls use the same username and password on every freakin thing they own, then guess what – expect more breaches.

        The solution is retarded. No matter what you want to say about HVAC on a PCI compliant network, it should be a violation of the PCI mandate. There is absolutely no reason for it. The BS line of monitoring the stuff to save the customer money is crap. In this case, the freakin AC people owe more money to Target than they would make in 100 years in business.

        Ther you two go thinking in the box again, can’t believe that a Thermostat based technology isn’t available for large facilities…why? Becuase people have to pay for a “service” which could easily be maintained by the night crew closing up for the night. Its more like a bogus insurance policy that will never get used. Only worse.

        This is one case – I am sure they will find many others where a 3rd party company thinks they can hop into some ones private network and offer a service which they can potentially cause a holes in the security of the network.

        Now, I wonder if the Feds will revisit the other major hacks and see if there were others avenues of attacks associated with insure 3rd party systems – like this HVAC epic fail.

        • “can’t believe that a Thermostat based technology isn’t available for large facilities…why?”

          The application is more complicated than you imagine. Programmable thermostats will not suffice for 24-hour super-stores. And they would only a part of energy-saving techniques; research “load-shedding” for just one technique for reducing energy costs.

          “I am sure they will find many others where a 3rd party company thinks they can hop into some ones private network and offer a service”

          I am not defending Fazio, but the U.S. is a dog-eat-dog country; whatever is not banned is allowed. Yes, Fazio was world-class incompetent, but so was Target for not realizing the risk. Some Target bean-counter decided that a separate network was too expensive. Target had already decided that splitting its software / IT function between many sites in the U.S. and India was acceptable, so what’s yet another hole in the dike?

  14. You’re missing a few technical issues in this: 1. Using EMV wouldn’t necessarily have prevented this issue. The malware used scraped memory and still could have collected credit card numbers. 2. On paper, Target may have segmented their network properly, PCI from non-PCI, but the malicious actor could have moved laterally through the network, finding a legacy system or admin backdoor. There may have been a “compensating control” in place that was accepted by the QSA. I don’t think people realize how hard PCI-DSS actually can be. I’ve worked in two PCI environments and it’s a constant battle to get this right while still being able to manage your network and production systems with some reasonable level of efficiency.

  15. Interesting…

  16. Michele,

    I couldn’t agree more with your statements. PCI is hard. I have been a C level security exec for a long time and at the end of the day this type of thing happens. Albeit very unfortunate. Between legacy systems, users storing things on open shares that they shouldn’t, network access being given that is more open than needed, etc, etc….there are so many possible scenarios that could have allowed lateral movement. It really comes down to detection of the command and control connections. Maybe you don’t catch the infection, but if you catch the attempts to control those infected machines, you could still avoid these types of things. Also, had they just had the capability to monitor access controls and realize that the HVAC userID was accessing things other than HVAC systems it would have clearly led them down the right path. Again we can all continue to speculate on what they did wrong and what could change, but when you are dealing with companies the size of a Target, there are TONS of moving parts. And in some cases running IT is like herding cats. Like the companies before them and the companies that WILL come after them, they will take this lesson and learn from it moving forward. Unfortunately these things have to happen in order for people to learn. Its like when we were kids, falling off your bike was the best way to learn to ride better.

  17. Fazio Mechanical Services also does work under it’s aggregate, fmsconstruction.net aka FMS Construction Services Project management or FMS Construction, Inc. I don’t know if their IT practices would be the same.

    • I cannot and will not speak for Brian, but as much as I’d love to see the links first-hand, my suggestion would be to pass them along to Brian first (unless he states otherwise of course). Not that I’m attempting to withhold info from ANYONE, just don’t want bad info posted to an incredibly SOLID source of public info (this blog).

  18. Excuse the self promotion but I just had a GIAC gold paper accepted on open source tools for business partner risk assessment. These are free or cheap techniques to keep tabs on your network as well as vendors or acquisitions. I wish I was 3 weeks later with it so I could add this horrible example. http://www.sans.org/reading-room/whitepapers/bestprac/open-source-reconnaissance-tools-business-partner-vulnerability-assessment-34490

    Look for Tim Tomes videos on recon-ng, they’re hilarious and valuable. Also, Dave Shackleford just put up a blog post with more tools. http://daveshackleford.com/?p=999.

  19. Is that Honeywell owned companies HVAC server product that has been in the news regularly for security issues?

  20. The fact that this was a local/regional supplier with access to a defined number of stores highlights the fallacy that MPLS or hub & spoke networks are secure. Once in, the hackers were able to proliferate the malware on to hundreds of POS systems and they would have had unprecedented access over the MPLS/H&S network to do so.

  21. Requirement 12 of the PCI regs states that the merchant must require PCI compliance by every business partner that has access to all PCI-protected systems. The idea was that PCI security would be pushed throughout the world by merchants.

    In this case, Target “should” have a contract with the HVAC company requiring its compliance with PCI. Imagine Target re-writing every single contract they have to include this clause and then assigning resources to confirm that compliance is still in place all the time.

    Is it possible that compliance with this requirement would have prevented the theft? Probably not , but it opens the door to saying that Target was not PCI compliant.

  22. Brian,

    I appreciate the continued focus on working through the Target Security breach. However, in your previous article you name-dropped BMC Software to be the potential culprit to this security breach.
    From those detailed comments (which seem to be now only speculation), you set off a firestorm to the credibility of a trusted vendor to its large customer base.

    I understand that you are doing your job as a blogger and that may not require you to live up to accepted journalistic standards, but some caution may be advised when attempting to be 1st to the party to “name names.”

    • It’s probably important to note that — at least in the eyes of the sources I’m talking with about this incident — the credentials stolen from a vendor (in this case apparently Fazio) and the network credentials left behind by BMC’s software are two completely different animals.

      The Fazio credentials are thought to have been used as an initial entry point into Target’s network — a foot in the door if you will. The BMC account — if it was enabled on Target’s network — would have made it much easier for the attackers to move data from one portion of Target’s *internal* network to another part of the internal network.

      I certainly never suggested nor intended to suggest that the BMC account was somehow used to gain external access to Target’s internal network.

      • Has it been confirmed for sure they even used BMC or that account or that that account if it was used was set by Target as the default? Because it seems to me that a hacker would be likely to use account which would blend in with the network; doesn’t mean it is ‘real’.

        • According to the SecureWorks document, the best1_user account was coded in the Exfiltrate subroutine of the POSWDS malware. And the Threat Report documented the network connection as coded.

          So it looks like they did indeed use that account for moving the files from the POS terminals to a central server.

          • What we don’t know yet (at least not that I’ve seen) is whether or not the password the hackers used for the account is the password that BMC set. If not, then either Target reset it or the hackers themselves did.

      • TheHumanDefense

        Brian,
        I believe you have made this abundantly clear on several occasions. Otherwise, what would be the point of this article.
        Great stuff by the way!!!!

      • Thanks for the clarification.

        It may be a good example of how the value attached to the two pieces of information are not the same, however once the bad guys have the lower value piece they trade up to higher value data.

        If one thinks about it, that IS what hacking is about. taking a lower value item and working it to obtain a higher value target (pardon pun).

        So with all due respect to the comment by someone here that cc transaction data is sacred , while other data isn’t, i would point out that the trading up of credentials makes the case that all data is sacred.

        regards,
        Lee

    • A firestorm? All that it implied was that there _might_ be a default user/pass shipped on some of BMC’s stuff. Easy enough to check, right? So, if you really have a “firestorm” on your hands, well… that’s scary for what it implies in terms of network admin ability.

  23. I haven’t shopped at Target since the breach. Another way they’ll lose money.

    • I’m not convinced that they were inept or careless. The problem is not entirely theirs, when you think about it. I still shop there.

  24. It’s hard to say who is to blame here, but it’s *not* Fazio. Without two-factor authentication all anybody had to do was to guess username and password, and locate the login portal. Maybe he used an easy password but frankly all passwords are easy to guess these days for a determined hacker with sufficient resources. When you are talking these sums of money that’s not enough protection. You need an additional factor, such as a token card of some kind. I’ve used two. One was about the size of a credit card and displays a constantly changing pseudo-random number which has to be entered during login. There’s a system on the other side following along with the algorithm that knows what number should be displayed for a user at all times. Another was slightly larger with a small numeric keypad. The authenticating system issues a numeric challenge which has to be entered to the token card, it displays a response which has to be entered to the authenticating system. No security is perfect but this considerably raises the bar. Target will try hard to push the blame onto Fazio, but it’s fundamentally Target’s fault for not implementing adequate security. Without it, if it hadn’t been Fazio it would have been somebody else.

    Also – are we supposed to cry that Target will pay $100M for chiped credit cards? Almost every other country does this already. The US is behind the curve. It’s getting hard to even use US credit cards when abroad. Fool me once, shame on you. Fool me hundreds of times…

    • I suspect both parties will be at fault. Target for giving remote access without requiring a contractor to use dual factor authentication (a well founded hunch) and weak segregation but the security of the Fazio network is also suspect. Somehow an entity broke into their network and compromised a Target ID. But this ID should not have been able to access the sensitive systems within Target and Target bears this responsibility.

  25. I will be interested to see the CBA discussions that occur once the full information is available. $420M in losses appears to be less than .5% of their annual revenue of $73B (USD). As anyone familiar with PCI-DSS knows, compliance in a level 1 merchant the size of Target is very, very expensive. There is a theory that says if you can minimize breaches to every 7-10 years or so, it’s better to spend less on security and write off the loss. Remember, TJX had record profits and revenues just 2 years after their major breach.

  26. The Remote Desktop Protocol(RDP) credentials of an HVAC vendor were used to access and then exploit Target’s corporate network. This is a very common and frequently overlooked vulnerability. I have seen instances in the field where RDP connections are initiated to remote computers with no expiration or timeout of the connection. I have seen RDP sessions started using login credentials with Administrator- or Superuser- level permissions. The knee jerk reaction would be to blame some weakness or vulnerability in the RDP protocol itself. I don’t think that is the case here. I suspect that the RDP connection between the HVAC vendor and Target’s server(s) was simply misconfigured and misused. When the hackers breached the HVAC company’s systems, among the first things they would do would be to scan and enumerate users on the network. Finding a user in the RDP user group with administrative permissions on a remote system would be pure pwnage!

  27. Kreb’s, could P2P encryption have prevented this?

  28. Was Fazio using a HVAC embedded server product on Target’s network?

  29. Why were Target’s systems able to reach the drop servers in Miami and Brazil? There’s so much effort around blocking inbound traffic but, what about the outbound traffic? The POS systems should have a finite list of legitimate communication partners using specific protocols and ports. Everything else should be blocked.

  30. Electronic billing would probably be an FTP or SFTP site. Contract submission would be either FTP/SFTP or Target has an externally facing login site for vendors to login and enter contract information (seems odd), same for project management (maybe an externally facing login page for a project management system? Either way, that would wreak of a SQL injection to dump all of the credentials. If this wasn’t directly linked to accepting CC data, then it probably wasn’t part of their PCI ASV scanning. Maybe there was an admin credential within the same authentication table that vendors were in that had domain admin level access in AD. If they didn’t have a separate AD for their CDE then any compromised domain admin, schema admin, enterprise admin or administrator group account could be ridden into the CDE without being detected. Would’ve looked normal. Interesting. If you think you are segmented and you don’t have separate AD domains, think again folks.