February 5, 2014

Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.

Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.

Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation, but said he was not present when the visit occurred. Fazio Vice President Daniel Mitsch declined to answer questions about the visit. According to the company’s homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.

Target spokeswoman Molly Snyder said the company had no additional information to share, citing a “very active and ongoing investigation.”

It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.

“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”

CASING THE JOINT


Investigators also shared additional details about the timeline of the breach and how the attackers moved stolen data off of Target’s network.

Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores.

Those same sources said the attackers used this time to test that their point-of-sale malware was working as designed.

By the end of the month — just two days later — the intruders had pushed their malware to a majority of Target’s point-of-sale devices, and were actively collecting card records from live customer transactions, investigators told this reporter. Target has said that the breach exposed approximately 40 million debit and credit card accounts between Nov. 27 and Dec. 15, 2013.

DATA DROPS

While some reports on the Target breach said the stolen card data was offloaded via FTP communications to a location in Russia, sources close to the case say much of the purloined financial information was transmitted to several “drop” locations.

These were essentially compromised computers in the United States and elsewhere that were used to house the stolen data and that could be safely accessed by the suspected perpetrators in Eastern Europe and Russia.

For example, card data stolen from Target’s network was stashed on hacked computer servers belonging to a business in Miami, while another drop server resided in Brazil.


Investigators say the United States is currently requesting mutual legal assistance from Brazilian authorities to gain access to the Target data on the server there.

It remains unclear when the dust settles from this investigation whether Target will be liable for failing to adhere to payment card industry (PCI) security standards, violations that can come with hefty fines.

Avivah Litan, a fraud analyst with Gartner Inc., said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).

In any case, Litan estimates that Target could be facing losses of up to $420 million as a result of this breach, including reimbursement associated with banks recovering the costs of reissuing millions of cards; fines from the card brands for PCI non-compliance; and direct Target customer service costs, including legal fees and credit monitoring for tens of millions of customers impacted by the breach.

Litan notes these estimates do not take into account the amounts Target will spend in the short run implementing technology at their checkout counters to accept more secure chip-and-PIN credit and debit cards. In testimony before lawmakers on Capitol Hill yesterday, Target’s executive vice president and chief financial officer said upgrading the retailer’s systems to handle chip-and-PIN could cost $100 million.

Target may be able to cover some of those costs through a mesh network of business insurance claims. According to a Jan. 19 story at businessinsurance.com, Target has at least $100 million of cyber insurance and $65 million of directors and officers liability coverage.

Update, Feb. 6, 3:33 p.m. ET: Fazio Mechanical Services just issued an official statement through a PR company, stating that its “data connection with Target was exclusively for electronic billing, contract submission and project management.” Their entire statement is below:

Fazio Mechanical Services, Inc. places paramount importance on assuring the security of confidential customer data and information. While we cannot comment on the on-going federal investigation into the technical causes of the breach, we want to clarify important facts relating to this matter:

– Fazio Mechanical does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target.

– Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach.

– Our IT system and security measures are in full compliance with industry practices.

Like Target, we are a victim of a sophisticated cyber attack operation. We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches.

268 thoughts on “Target Hackers Broke in Via HVAC Company”

  1. Eric

    I would have thought that two-factor authentication would have been required when there is sensitive data like this on the network.

    1. Tim

      I would have thought two-factor authentication would have been required, end of statement. I don’t think it particularly matters what’s on the network; it’s allowing outside authentication to inside with a single factor.

      That said, the implication from the updated statement is that the HVAC company was attacked also to get the info. I’d be interested to know if it was just simple phishing or something more complicated.

      1. Lee Church

        I agree. Your post touches on the topic of “all data is sacred” item in my ‘rant’ below.

        The idea that a company decides which of YOUR information is to be protected more than other information is a bit perverse, as described in my ‘rant’ below.

        It brings us to the idea that companies are evaluating based on their own interest, not what harm they do to others from the breach.

        I recently went through exactly this with a company handling real estate transactions, which exposed grandma’s data without even single factor authentication. I was the “Bob”, and I was shocked that the response was that since the real estate agent agreed to the ‘policy page’ then they were not liable, so they didn’t feel they needed to protect that data. Only when I made the argument that grandma didn’t sign it and her lawyers would likely blow right through their ‘policy’ defence should there be a breach, did they take it seriously (that and I mentioned sending Brian Krebs a bit of info).

        So you are precisely correct, but I would expand that a bit: It presumes that they can predict to end of time which pieces of data were, are and will be useful to a hacker.

        One short example:

        company A: “grandma, your grandson’s name isn’t important”.. ring ring..
        crackling voice on bad connection: “grandma? yeah this is your grandson X, can you wire $, i’m in a pickle and need it quick!”

        Sure grandma is supposed to protect against that, but she doesn’t know that company A set her up! So grandma takes on risk, company A gets increased profit from not protecting her grandson’s name.. sounds like a good deal (for the company).

        It can’t be a model that the IT folks are advocating.. if it is, it’s pretty sad.

        regards,
        Lee

      2. Alexa

        I’m also curious as to what type of attack allowed hackers to gain access. It’s unfortunate that more companies aren’t using some sort of two-factor authentication. I’m glad, in part, that not only should retailers move more quickly to implement strong two factor, but also that any third party or contractor they work with should now be inspired to implement stronger (if any) security measures. By stronger I mean out-of-band – in-band like text-based one time passwords (those six digit codes) won’t cut it. The SMS channel isn’t encrypted so a hacker can easily snag them – good out of band options: Toopher, Duo Security. Toopher is easier to use.

        1. Sulman

          It could be something as simple as a keylogger on a Windows workstation, which could have been compromised by a drive-by malware download.

          It may not have even been targeted; rather the keylog files can be grepped for juicy keywords.

    2. Ron

      2FA is required to remotely access the Card Dataholder Environment (CDE). This is a PCI requirement (Chapter 8 I think). Since Target did maintain PCI compliance, I would assume that they had this in place. Meaning that the credentials used here were used to get access to Target’s network, but not necessarily Target’s POS network.

      So, it stands to reason that this breach was only one part of a chain of breaches leading to compromise of the POS network.

    3. Jim

      Absolutely, as someone who works in the financial industry, two-factor authentication is always required for sensitive networks. Yet this is simply not enough; firms that manage customer data should be reviewing access logs for administrative access daily. This would ask the question, why is there an administrator remoting in at 2am to install POS terminal software? There are plenty of tools out there to pull these records. Also, how about locking down your firewall so you can only FTP to certain sites, or locking down the vendor’s access to a certain IP… lots of things missed, and two-factor authentication is just the most glaring.
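The daily review Jim describes above, and the PCI section 8.3 requirement the article cites (two-factor authentication for all third-party remote access), as an added example that is not code from the article or from any commenter. The script parses constructed remote-access log lines and flags vendor logins that completed with a single factor, fell outside the vendor’s agreed maintenance window, or reached a host outside the vendor’s approved scope. The log format, the account name `vendor-hvac-svc`, the host names, the IP addresses and the policy table are all assumptions constructed for this example.

```python
"""
Daily review of remote-access logs for third-party vendor accounts.

Flags three conditions a reviewer would want surfaced:
  * a remote login that completed with only one factor,
  * a login outside the vendor's agreed maintenance window,
  * a session that reached a host outside the vendor's approved scope.

The log format, account names, host names and windows below are
constructed for this example and belong to no real organisation.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy: which hosts each vendor account may reach, and when.
VENDOR_POLICY = {
    "vendor-hvac-svc": {
        "allowed_hosts": {"billing-portal-01"},
        "window": (time(8, 0), time(18, 0)),  # local business hours
    },
}


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def parse_line(line: str) -> dict:
    """Parse one constructed log line of the form
    '<ISO timestamp> key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def review(lines) -> list[Finding]:
    """Return findings for successful logins by policy-covered vendor accounts."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        if rec.get("result") != "ok":
            continue  # failed attempts are tracked elsewhere; this pass covers successful access
        policy = VENDOR_POLICY.get(rec["user"])
        if policy is None:
            continue  # not a vendor account covered by this review
        if int(rec.get("factors", "1")) < 2:
            findings.append(Finding(line_no, rec["user"], "single-factor remote login"))
        start, end = policy["window"]
        login_time = rec["ts"].time()
        if not (start <= login_time <= end):
            findings.append(Finding(line_no, rec["user"],
                                    f"login outside maintenance window at {login_time}"))
        if rec["host"] not in policy["allowed_hosts"]:
            findings.append(Finding(line_no, rec["user"],
                                    f"reached out-of-scope host {rec['host']}"))
    return findings


# Constructed sample log: a 2am single-factor login, a normal business-hours
# login with two factors, an off-hours single-factor login to an out-of-scope
# host, a failed attempt, and an unrelated staff login.
SAMPLE_LOG = """
2013-11-15T02:14:33 user=vendor-hvac-svc src=203.0.113.7 host=billing-portal-01 factors=1 result=ok
2013-11-15T10:02:10 user=vendor-hvac-svc src=203.0.113.7 host=billing-portal-01 factors=2 result=ok
2013-11-16T02:40:51 user=vendor-hvac-svc src=198.51.100.9 host=pos-update-srv-03 factors=1 result=ok
2013-11-16T02:41:05 user=vendor-hvac-svc src=198.51.100.9 host=pos-update-srv-03 factors=1 result=fail
2013-11-16T11:00:00 user=jdoe src=10.0.4.12 host=pos-update-srv-03 factors=2 result=ok
""".strip().splitlines()


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.user}: {finding.reason}")
```

Run against the constructed log it reports five findings: two for the 2am password-only login on line 1, and three for the line 3 session, which was single-factor, off-hours, and on a host the vendor had no business reaching. The scope check is the one that matters most for the scenario in the article: a vendor account that only ever needs a billing portal should never show up on a POS update server, regardless of the hour.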

    4. Aaron

      Who says it wasn’t required? We still do not know how the vendor’s credentials were stolen. It could have been a lost/stolen laptop or complex social engineering attack. In either case, the second factor could have been stolen, along with the username and password. Not all two-factor solutions use dynamic RSA tokens.

  2. Serena

    I never noticed this before, on Target’s web site. It’s probably of no consequence.

    If you shopped at Target between Nov. 27 and Dec. 15, or if you shopped at the Target store in Midwest City, Oklahoma on Dec. 16 and Dec. 17, you should keep a close eye for any suspicious or unusual activity on any credit or debit card accounts that you used while shopping during that time.

    I wonder why the Midwest City, OK fix was delayed two days.

    1. SeymourB

      It could be a different incident covering just that particular location. For example, thieves could have replaced card readers. Well, a different gang of thieves.

  3. TheSource49

    Cyber security is slowly but surely getting the attention it deserves from the media, best practices are often hard to identify in this field but I would encourage you to read how companies like OPSWAT are leading the way with multi-scanning security applications.

  4. Serena

    The news about the Neiman Marcus breach has been almost non-existent. A news article published Feb 05 says this:

    The computer network at Neiman Marcus was also hit by hackers dating back as far as July. The company notified its customers in January and defended that decision saying it waited to confirm the evidence. The malware was evidently able to capture payment card data in real time, right after a card was swiped, and had sophisticated features that made it particularly difficult to detect, including some that were specifically customized to evade our multilayered security architecture that provided strong protection of our customers’ data and our systems,” Michael Kingston, senior vice president of The Neiman Marcus Group said.

    Same malware? Kind of sounds like it. But I don’t know about Kingston’s “sophisticated features” characterization. The memory scraping seems pretty sophisticated, but the movement of the data isn’t. The hackers were stealing data since July 2013. Wow.

    Target’s IT is catching a lot of flak, but at least they caught the theft after a couple of weeks. And if they hadn’t caught it, how much longer would it have gone on?

  5. JJ

    Here’s how the conversation probably went:

    “You asked for a separate VLAN for the cash registers. We did a business risk evaluation and determined it was too expensive for the benefit.”

    “Then you asked for a separate VLAN for the security cameras and we told you it was too expensive.”

    “And now you’re asking for a separate VLAN for THERMOSTATS?????”

    Remember, almost any risk is acceptable until it happens.

    1. Lee Church

      Your suggestion is one that attempts to segregate users, although you do it by application; one can extend the thinking to ‘customer account’ level, as brokerages do (well, except for folks like MFGlobal 🙂

      So you are starting to touch on the topic of ‘scale’ I discuss in my ‘rant’, but sliced up by application. Given that data from customers flow to different applications, doing it by application will create pathways for larger breaches than customer level segregation.

      I recognize that such segregation is outside the box for folks at the moment, and perhaps will be for many years, but I suspect sooner or later it will gain traction (so i’m planting the seed now).

      regards,
      Lee

      1. JefG

        Sadly, breaking-down by application is a panacea.

        You’re completely ignoring the fact of the 7 layer OSI model.

        Sorry, computer systems are more than just applications. There are the ‘guts’ of the system that are just as accessible as the application layer.

        1. Lee Church

          I agree with you that segregation by app won’t do it. However I think ignoring present limitations is a good idea.

          In other words, to characterize your approach (not to discredit you, but to spur thinking about it in a different way) it is basically “we do it this way because we have an entire ecosystem we built this way” and is just thinking inside too small a box.

          In “Man and Superman”, George Bernard Shaw writes “The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.”

          I suggest the limits you cite are self-imposed by IT, on IT. We don’t value grandma’s information by mingling it with 100 million others any more than we would value her ashes if we mixed them with 100 million folks in the giant urn. Posting guards at the urn, hiding the urn, etc. doesn’t undo the fundamental disrespect to grandma, particularly since the CC transactions that are more highly guarded are more akin to protecting the urn, than protecting grandma.

          I know it’s a stretch for folks, but I do think HOW we think about the value of grandma’s data we don’t consider valuable is important. That’s the ‘respect for grandma’ that i’m referring to here. The historical habit of IT mingling data for efficiency, or aggregating it and selling it (HFT’s hedge funds, etc.) all indicate a disrespect for grandma’s information.

          The momentum of technology seems clear; we MUST have an IT version of the financial crises. Whereas finance gave us risk ‘reduction’ by CDOs, and distributed in many mortgages (the theory being that risk of a CMBS was low because they mingled a bunch of mortgages together), there were only good inside the bell curve. They merely pushed all the risk into the tail events, and then scaled up the consequences. These were very smart folks, in fact the smartest around.

          Aggregating, mingling, and any other sort of combination is leverage, just like all those derivatives. They made the scale larger. Yes, some in finance made ‘risk’ smaller to themselves, because they transferred that risk to you and me. We do that in IT with user agreements and legal frameworks, as well as setting grandma up for scammers and hackers (I describe that in another comment on this thread). There is a theory in finance now that ‘risk’ never really disappears, it is really just allocated, transferred (e.g. insurance transfers risk).

          IT folks could learn from the financial disaster, but I suspect information leverage will continue to increase and risk will continue to be shifted to grandma until ‘the big one’.

          After ‘the big one’, we might be able to have folks think about leverage and risk differently, but we are not there yet.

          regards,
          Lee Church

          P.S. as a case example, consider the security feature of providing “when you logged in last”. It is to protect the system from unauthorized access via a human check from grandma. It offers some additional security to a specific system, but lets the hacker/scammer then have information about grandma’s schedule of logging on. In other words, a security compromise to grandma in exchange for higher security of the specific system. This is an example of shifting risk, and in a unilateral determination that information of when grandma logs on isn’t considered the same value of her account being secure on that system. We have shifted the risk to events exploiting her schedule, which ‘isn’t IT’s problem’ (but IT created it and set grandma up). It’s an example of lack of consideration for data that IT doesn’t feel is important, yet may be of importance to grandma.

          Also note, the aggregation pushed that “login history” to everyone, so person A that doesn’t have events that can be exploited by schedule information is not harmed the same way as person B who perhaps has a regular routine. It’s made the edges uniform, which lets hacks operate on the aggregated groups. This uniformity of security pushes folks more and more into conformity, which increases scale of impact. In other words, if everyone has to do the same thing to be ‘secure’, then a breach will affect everyone.

          Ultimately I think it’s wise to get out of Taleb’s 4th quadrant (scale and uncertain likelihood) by working on reducing scale, not just reducing risk of breach events. That’s why I don’t accept the premise that we must keep scaling up, nor do I support shifting the risk to grandma.

          It would be nice to not have Financial Collapse 2.0 (IT version) in order to learn, but I’m not optimistic.

          regards,
          Lee Church

    2. LT

      Target does have separate VLANs for registers, security cameras, office computers, registry scanners/kiosks, even a separate VLAN for the coupon printers at the registers. The problem is not lack of VLANs; they use them everywhere and each VLAN is configured for exactly the number of devices it needs to support. The problem is somehow lateral movement was allowed that allowed the hackers to enter in through the HVAC system and eventually get to the POS VLAN.

      1. Peter

        Separate VLANs is great, but in the current climate, my cash registers and perhaps even inventory control would be on a *physically separate network* from anything that was internet-accessible.

        Honestly, HVAC on the same physical network as credit card transactions, all running with Windows? How long did they think that would hold up?

        1. Aaron

          How do we know that yet though? People are jumping to conclusions a bit I think. It’s possible that there were proper VLANs in place. The problem is, in complex networks, sometimes systems have legitimate need to interact and multiple different support providers.

          What we really need to know is a) what systems were accessed with the vendor credentials, b) was lateral movement used to move into other systems and what credentials were used.

          It’s possible they came in using the vendor credentials and were able to only access systems related to the HVAC company’s billing processes. But in most companies, only the business-specific applications and processes are managed by the vendor. The hardware and OS are managed by the customer. So perhaps the vendor credentials enabled them to get to the initial host, which also had Target domain admin credentials used for patch management, monitoring, etc. Next the attackers compromised those domain credentials, and then were able to freely move laterally from there.

          1. SeymourB

            Indeed, that’s probably what the criminals did: come into the initial network, compromise systems on that network until they found one that had access to a new network, then compromise systems on the new network, continuing on until they reached their target. Then they build a reverse chain of access to egress the data from the “secure” network to the internet.

            That’s why the data had multiple hops from the cash register to the file server to another file server to the internet. The Windows XP registers could access a file server, which itself could access another file server, which itself had internet access.

            The problem is I don’t see this happening over the course of a couple days, but with high speed links (and lots of caffeine for the miscreants) I suppose anything is possible.

    3. saucymugwump

      I realize you were being sarcastic, but having worked in corporate environments, I think it happened in one of two ways.

      The first is that the IT manager never asked again after being denied for the cash register VLAN. Managers never bite the hand that feeds them and are adept at reading the political writing on the wall.

      The second — being sarcastic myself — is that the response would always be: “No, we need that money for bonuses for corporate officers.”

      1. EGF TECH MAN

        You’re thinking too far into this… Likely what happened is the HVAC people plugged their stuff into a random switch port (without notifying IT), that happened to be on the POS VLAN/subnet. Only had to happen in one store, and once access was made to an update server that serves POS corporate-wide…

        That is why I’m starting to enable 802.1X on all switch ports now… If layer 2 login credentials or MAC address doesn’t meet what we have on record for the VLAN, the port will be on the public WiFi network, complete with captive portal, bandwidth limiting, session time limit, and strict internet filtering.

        1. voksalna

          Ignoring the rest of this thread because I do not have much time to write, but from a proper security perspective there is no reason to have ANY USB port available to ANY person, random or not, in any POS network short of, perhaps, truly authenticated proper IT use in a well-locked server room or closet.

        2. voksalna

          Sorry, don’t mean USB (though also USB) — fingers thinking for themselves today — meant any port, period.

        3. voksalna

          BTW: “If layer 2 login credentials or MAC address doesn’t meet what we have on record for the vlan, the port will be on the public WiFi network, complete with captive portal, bandwidth limiting, session time limit, and strict internet filtering.”

          I would think this is probably also a mistake. Why would you allow it on a public WiFi network, or am I misunderstanding?

        4. LT

          Actually Target does limit network ports to trusted MAC addresses. Even ports on the same VLAN cannot be interchanged for a POS machine. Each machine MUST use the one and only port that has been assigned to its MAC address. I remember AP stealing POS patch Ethernet cables from the network closet so they could patch in a new IP camera. This obviously resulted in color coding no longer being correct as well as the register being offline. It also meant we didn’t know which port that register was assigned to in the four or so stacked switches. To fix it we had to give IT the register’s MAC address and have them change the switch configuration to get the register back online.

          1. Champ Clark

            I’ve seen similar setups on VoIP networks. Unfortunately, most handsets/phones have the MAC nicely displayed on the back of the phone. Even if it’s not, it’s still pretty easy to determine. What I’d then do is “spoof” the MAC address, and using something like “voiphopper” ‘mimic’ the Cisco phone (for example). Same port, same MAC address, etc.

            I’m certainly not saying it’s not worth the effort of setting it up that way. It would help. What would help more (IMHO) would be bringing crypto into the mix. So even if I get _on_ the POS network, I still can’t “communicate” with it.

    4. MS

      You are right about Risk v/s Expense.

      Higher Risk = More Controls
      More Controls = Higher Expenses (either technology and/or personnel)

    5. Champ Clark

      VLANs are for network segregation. VLANs != security. Let’s stop confusing the two. I’ve been involved in VoIP pen-tests for years where VLANs are used quite a bit. I have yet to run into a case where “VLAN hopping” was not possible. Sure, it’s possible to make the VLANs much more restricted. It’s also rarely implemented and in some cases (VoIP) breaks the goal/purpose of the network. VLAN security “shortfalls” have been documented very well (google “VLANs for security”). As long as the traffic is on the same piece of copper, so to speak, there will likely always be an issue.

      Nothing will beat physical network segregation. Unfortunately, that’s not always terribly realistic for some organizations.

  6. Concerned

    I believe there should be a class action suit against the US Credit Card companies. The current state of credit card security is ridiculously bad and 20 years behind. Yet we blame the retailers when a hacker only needs to capture a few digits to get access to your account.

    1. Serena

      I put some of the blame on retailers. For example, one of my credit card numbers was stolen in early 2013. I don’t know how it happened, but the person who stole it purchased expensive items from three different retailers and arranged to pick up the merchandise, of course. Apple was one of the retailers and the only one to flag the purchase as suspicious, and they cancelled it. But the other two, at Best Buy and Sears, went through. This could be completely nipped in the bud if merchants did not allow pickup for online orders. Mail only to the credit card address as verified through the provider. If a person wants to pick up something in the store, make them go to the store to order it. JMO.

      Another point of weakness is the consumer. Several years ago another card # was ripped off. I used it at a gas station, payment at the pump was turned off so a “helpful” attendant said he’d swipe my card. And swipe it he did; a few days later someone started buying large amounts of gas at other stations not far from the one I’d been at. I was blissfully unaware until I tried to use my card at a department store. If I had not handed my card to the attendant I would not have been a victim of credit card theft. I won’t make that mistake again. Payment at the pump not working? I’ll find another station then.

  7. Lee Church

    Some observations:

    1. all data is ‘sensitive data’
    The idea that there is a single valuation for a piece of data is severely flawed. Any and all data is valuable. That logo on the back of your laptop might not seem ‘sensitive’ to you, but it tells a hacker your hardware profile. That browser ID, or even if you see a browser with ‘incognito’ on.. says something. Put enough of those ‘somethings’ together and the hacker has ‘something’.

    Even old out of service telephone numbers may tell a story. The notion that there is some curve where old data becomes ‘less useful’ is faulty.

    The saying “one man’s trash is another’s treasure” has never been more true with persistent databases.

    2. organization short term self centered perspective provides an edge to exploit.

    Most organizations, individuals, etc. only consider themselves (Is our data secure?). Some think ahead a bit to consider the impact of others on themselves (can we be held liable?). Few are existential (can this inadvertently harm others?). Still fewer consider the perpetual aspect of risk profile projected forward to infinity (if data is kept forever, and there is non-zero risk, the exploit is certain).

    The self centered view creates its own issues and relates to assigning what is ‘sensitive’ data, in the current view. For example, aggregating non-user identifiable information to sell to front running HFTs makes sense because grandma’s 401(k) remains nameless in that self-centered view (University of Michigan Survey of Consumers, Freddie Mac system are two examples). And the use of legal framework for protection of the entity, while putting grandma at risk of getting scammed is perfectly ok with the self centered view. Grandma doesn’t get to assign a valuation to the information, nor have any say in her exposure to the risk.

    The edge between companies’ valuation of the information is also ripe pickings. Company A collects the data and protects it well, except they sell it to company B which doesn’t, or in Target’s case, they hire company C. The risk is a lot like sexual partners; it’s not just who you sleep with, but who they slept with. Only in this case, grandma is the one that gets the STD, not company A.

    The Target hack is CC data, but it’s also slower and quicker moving data breaches, from selling data to HFTs to front run tricked survey respondents’ 401(k)s, pensions, etc. to asset valuation models for hedge funds in housing, or even creating mosaic customer profiles via big data. Those are far less known ‘hacks’ of grandma and her retirement funds/house, etc. created by the culture of the self centered corporate perspective.

    These all are a form of Buffett’s Gotrocks family’s hyper helpers, and in the aggregate, net negative. Like credit expansion, when the balloon of exploitation of grandma’s information deflates, as it surely will, it will have consequences and cause more harm.

    All of item 2 above are forms of exploiting the self centered thinking. As did the Target hack in a more acute way (the difference in priorities, value of information – credentials etc, and resultant protection of that information).

    3. data an asset, or a liability?

    The present popular view is that data is an asset. It really can be viewed as a liability. The information can be thought of as Grandma’s information, which the entity, corporation, etc. borrowed.

    I hear “CC transaction data is sacred”. It’s nice to know that IT folks have appointed themselves to tell grandma what is, and what isn’t ‘sacred’. Given the liability is mainly between the merchant and the banks for CC data, it’s a bit perverse to call CC data sacred while grandma’s other data isn’t.

    What IS sacred is the responsibility to treat all of grandma’s data with care, and return it at the soonest opportunity. Blacking out grandma’s name and raiding her retirement account, while protecting banks and merchants liability is hard to defend.

    4. Are we saving grandma from hacker “peter” only to be robbed by “paul”?

    Doing a better job of protecting grandma from hackers is important, but undermined when the company’s end result is to front running her retirement/pension or using her information to put her at a disadvantage.

    What good is it to warn grandma not to give out information to hackers when the UofM used survey data to front run the markets? What good is it to tell grandma not to fall for the escrow scammer on a real estate deal, when the offer data for her retirement home is fed real time to hedge funds to work against her?

    5. scale

    That question suggests that if IT folks are not careful, they will be creating a bigger disaster in the future, as more retirees have to put a bigger strain on SS, welfare and the like. That grinds the economy and the companies that are doing these things down in a spiral. If IT succeeds in creating a bigger mess (that’s the present course), then we are well into Taleb’s 4th quadrant – we have uncertainty in probability within any given time frame (but like Taleb’s turkey, time works against us), and we have added scale. Taleb suggests that the prudent choice is to work on getting out of that scale and uncertainty quadrant. Since the uncertainty is carried forward to infinity, we can only reduce scale.

    Reducing the scale of impact is directly opposed to the corporate analyst call buzzword “economy of scale”, or synergies. Thus, if one takes grandma’s data valuation seriously, one must give up something to economy of scale. Similar to the concept of segregated accounts at a brokerage (not the MFGlobal implementation), separating user data to contain breaches would be ‘safe’. I recognize folks will say “absurd, we need to combine it so we can x, y, z”. I would suggest that the rationale for having it in the first place is to ‘serve’ the customer, not ‘exploit’ the customer, right? So as an exercise, think about why your personal data should be mixed with your neighbors’ in order for the business that has it to service your ‘account’. That thought exercise leads one to think that ‘accounts’ should be protected and held with Chinese walls, firewalls, etc. separation.

    There are other ways to un-leverage, or un-scale, or compartmentalize the entrusted data (I use that term to mean the data borrowed from grandma). However it’s done though, it should make a breach compromise at most one account. If a company can aggregate the data, then so can a hacker (to paraphrase from the very old “Calculus Made Easy” motto).

    And I suggest when scaling is needed there needs to be steps to de-scale as soon as possible.

    summary:

    If folks got this far, congratulations for listening to my ‘rant’.

    The moral of the story is that we had better do a lot better thinking about present and future impact of our choices.

    Note I’ve intentionally stayed away from technical details in hopes of getting some folks who are thinking at a technical level to take a step back from the self centered model, and the present valuation of various datums.

    And since I’ve typed this into a small message box, apologies for typos, grammar and structure ahead of time.

    Brian Krebs seems to be the point man on security of late, and I support his call for a better mechanism for reporting security flaws. Elsewhere on this blog, someone mentioned the quandary of “Bob”, and it’s very true, particularly since “Alice’s company” has the self centered perspective more often than not.

    Whatever the mechanism is though, it needs to be more than a dropbox into a black hole. That would leave “Bob” with undue anguish on whether he has done enough to help protect grandma. It may be a good role for government to have.

    The bottom line is that all data should be treated as sacred. All information, even incorrect information (that salted data can also turn into a liability) can become a piece of information for a hacker to exploit (or an HFT to front run the market with.. eg.. salted card data upsurge, “short VISA!” type of thing).

    As one poster mentioned ‘greyhats’, I would add that the folks selling the data to do things like front run via HFT also fall into that category.

    The unfortunate reality is that one can only really be sure of oneself (the biblical “to thy own self be true”). And long before many of the whitehats, greyhats, and blackhats were born, Bell Systems’ Ken Thompson also emphasized only trusting code you write yourself. My final advice to the whitehats is please make sure you are whitehats by thinking outside of the self centered model. Grandma would approve.

    Good luck.

    regards,
    Lee Church
    LChurch963@aol.com

    1. voksalna

      I like this comment, well said.

      As far as data valuation I think my ‘point’ where I consider something definitely valuable is: can you ever get the privacy back. In this age, the answer is almost always ‘no, you can never stop this data from being out there once it is out there’ almost without fail, and for this reason, yes, all personal information is valuable and should be protected — and everybody should have the right to say how much of that they want out there. If people want to make the mistake of broadcasting their lives on social networks this is their failing. If people try to stay out of databases and can not, this is society’s failing, government’s failing, and the permitting of businesses to practice active predation for profit (I don’t believe this is hyperbole; one should be thinking about what can be done with data; the world is not 100% full of ‘reasonable people who will not violate these standards’).

  8. JJ

    “@JJ .. while i agree it’s vital to understand how the data LEFT, IMO it’s also critical to understand how they got IN.. drive-by on a webpage / bad document (pdf, etc.) / social engineering / direct physical connection into the main network”

    I agree and there are a thousand ways for someone to gain access inbound from clicking links to tailgating through the door to bad code to you name it. Your controls probably depend on your industry.

    Virtually every presentation and sales pitch I’ve seen on end user training says that the best you can do is maybe a 5% to 10% failure rate. Taking it down to 5% from 50% certainly is worthwhile because it reduces the number of incidents.

    But all it means is the attacker now has to send 50 emails to a 1000-employee company instead of 2. Big deal.

    I can almost totally control egress with solid technical controls. I can’t do that with ingress. That’s why I’d rather know how egress occurred instead of ingress.

    The primary job of anyone in IT security is to learn from the mistakes of others before they happen to us. The cover-ups just make it worse for everyone else.

    1. Lee Church

      I wonder.. steganography with the security video as the host would be quite elegant, don’t you think?

      Or perhaps security or update patches sent to the firewall, DMZ, web server etc. (not quite as elegant, but since they did so much work, I’m sure they put effort into their exit strategy). A TOR connection, and self removal after each transfer would make egress hard to see. The problem of course is the level of control of the network is hard to determine once control is compromised, so egress could be simpler than you think (they disable your protection, leave, and the malware re-enables it to leave no trace).

      Anyway, just some thoughts that your egress post prompted me to think of.

      Wonder if anyone has checked that. I’ve seen quite a lot of steganography focus with cicada 3301, so it might be more plausible than at first thought. Given the transaction type data, and the frames, a few bits in each frame would be hard to outguess or stegdetect. If no egress is found, looking in that direction might be called for.

      And I totally agree, avoiding problems beforehand is preferable. One way to do that is to reverse, or invert the problem. How little data does a company need? rather than how much can we collect (I know it’s anathema to big data, aggregated dbs, etc). But it does touch on the data as a liability item in my rant below.

      regards,
      Lee

  9. JJ

    @TheHumanDefense: “Overall years of sitting across the table from Federal OCC auditors, SOCs Auditors, NERC-CIP audits, and all I have seen is the blame game.”

    Health care, local government, transportation, manufacturing, chemicals and finance/banking for me. OCC auditors used to be a bunch of old mainframe types but the current crop is a lot younger and smarter. Most actually have experience outside of mainframes, which is good.

    Read through these two PDFs and you’ll be amazed if you’re used to the OCC of old. A lot of banks are sitting up and taking notice. http://www.ots.treas.gov/news-issuances/news-releases/2014/nr-occ-2014-15.html

    HIPAA was a joke because it had no teeth for twenty years. No one cared. HITECH made anyone smart turn around and gulp. I know of many mega-buck hospital projects that suddenly had business value after the HITECH fines whacked a few companies. 🙂

    I don’t like rules and regulations any more than the next person. But until SOX made senior management put some skin in the game by putting their butts on the line with threats of jail time, it was going nowhere.

    Sometimes you need to smack people in the wallet to get their attention. Oh, well.

    1. Lee Church

      That works for Target, but it also may set up incentive to transfer risk, rather than mitigate it. Company A transfers risk by subcontracting company B.

      Sure, after a breach the lawyers argue.. but grandma is still harmed nonetheless.

      As I noted in another post here, I recently heard from a company with a wide open access issue that for that to happen “someone would already have violated our terms of use”. So companies often use ‘policies’ to transfer that risk (in this case it was transferred to the users, who were the ones sending in grandma’s data).

      This HVAC company might be on the line (looks like not), but with limited resources, these sorts of risk transfer are basically writing checks that they can’t cash. And as usual, grandma takes it on the chin. Companies that take the risk, cut corners to be more efficient, lower cost will put the more conservatively run out of business perhaps before they go down themselves. That is not much different than corporate debt and leveraged buyouts.. the companies that kept cash in pension plans were bought out and the plans funded in equities instead of cash, loans made, etc, to pay back the LBO. So companies were forced to become more fragile or cease to exist. A similar model for data security exists today. It’s compounded by big data and persistent databases, which adds scale to the disaster much like leverage did to the financial crises.

      So sure, HITECH fines might be a step in the right direction, but as long as folks are only concerned about their own liability, it will be a giant game of hot potato(e), all without consideration of damage to grandma. As you point out they are looking at the fines and not whether they hurt grandma. That’s essentially the problem.

      regards,
      Lee

  10. JJ

    The most elegant use of steganography I ever heard about happened to a university. Malware on their web server scraped card data and wrote it to the picture of the school’s football team. Everyone who visited the football team’s page unwittingly received a copy of the stolen data, including the criminals. 🙂

    1. lee church

      Exactly. So egress leads to a video.. or in your example.. school logo/picture.

      Not finding egress for Target makes me lean towards that direction, yet given the self-cleanup earlier, it’s just as likely if not more so that it was a move and evaporate mechanism which might avoid detection (though putting up products on Target’s website should certainly be looked into).

      I recall a DOD or FBI (all declassified stuff) that speculated on the bad guys using ebay to post a product, then update the pic during the week at a specified time with steganographic encoding. So it’s clear the bad guys are aware of that avenue.

      Given the web presence of Target, and the HVAC’s ingress was via the web portal, it may be more likely than not that the egress was via web portal, but perhaps not the HVAC, as once compromised, egress via target web portal would be a walk in the park and not raise eyebrows.

      Anyway.. I would prefer not to discuss the technical possibilities any further if that’s ok.. no offense.. but the fewer the better.. though I’m not a fan of obscurity only, it does have its advantages.

      regards,
      Lee

  11. JJ

    @LT, I perform vendor risk assessments and if you’ve never done that on a technical level, I assure you that almost anyone would be even more astounded and cynical than ever. I’ve read SAS 70s and now SSAE 16s where they proudly proclaim they use VLANs. But when I ask about access controls between them, the faces go blank. “Why would we want to do that?” is the usual response.

    One banking services company was so proud of their compliance that they had included a Visio of their network topology in their SAS 70. Yes, it had a clearly labeled DMZ VLAN. But you know what? It wasn’t off a firewall; it was on the internal network. “Typo, probably.” I thought. “How sloppy of the auditors.” Nope, not at all.

    You guessed it. They labeled an internal switch “DMZ” and their web servers were sitting on their internal network along with everything else. No ACLs at all. Auditor response: “VLANs? Check!”

    (Hint: Always ask people if they exported their SSL public and private keys to their IDS/IPS sensors since they run their web sites 100% in SSL. Uncomfortable silence will follow with one of two responses being the norm: “Why would we want to do that? They’re on the web servers.” or “It’s on our road map to add that capability.” The aforementioned banking services company gave the first response. They also were VERY proud of how tight their network was because they had NEVER had a single IPS alert yet it always tested fine. Oh, and they ran IPS in monitor-only mode. Oh, and they were also very proud of their client list which included some of the Top 50 largest banks in the world.)

    Whenever I see that VLANs are being used for access controls, I always ask to see the current day’s logs, the lists themselves (sanitized is fine) and their alerting for violations. I’ve NEVER reviewed a configuration where the VLAN ACLs are correct or even implemented. Sometimes it starts off being right but as people change and time gets shorter, it’s just easier to open it all up so everything just works. I’m sure this is why PCI 3.0 is requiring a full pen test to prove segmentation.

    And if there is no dedicated security team that reports outside of IT, it’s a given that shortcuts were taken.

    And if the response to “Do you have a dedicated security team, one with no other duties, or is security a part of the server and network administrator duties?” is the latter, just sigh to yourself because they’re going to be a mess.
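The check JJ describes above, asking whether the VLAN ACLs exist at all, can be scripted against a switch config. This is an added example, not the commenter's or any vendor's code: it parses a constructed IOS-style running config (all VLAN names, ACL names and addresses are made up) and flags VLAN interfaces whose inbound ACL is missing, never defined, or permits everything.

```python
"""Audit whether VLANs on a switch actually carry access controls.

Added example (not from the post or any vendor): parses a constructed
IOS-style config and flags VLAN interfaces whose inbound ACL is missing,
undefined, or permits everything. Names and addresses are made up.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a filtered DMZ, a VLAN with no ACL, a vendor VLAN
# whose ACL is wide open, and a VLAN referencing an ACL nobody defined.
SAMPLE_CONFIG = """\
ip access-list extended DMZ-IN
 10 permit tcp any host 10.10.20.5 eq 443
 20 deny ip any 10.20.0.0 0.0.255.255
 30 permit ip any any
!
ip access-list extended VENDOR-IN
 remark opened during migration, never closed
 10 permit ip any any
!
interface Vlan10
 description DMZ
 ip access-group DMZ-IN in
!
interface Vlan20
 description CORP-USERS
!
interface Vlan30
 description VENDOR-HVAC
 ip access-group VENDOR-IN in
!
interface Vlan40
 description POS
 ip access-group POS-IN in
!
"""


def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[str, Optional[str]]]:
    """Return {acl_name: rules} and {vlan_interface: inbound_acl_or_None}."""
    acls: Dict[str, List[str]] = {}
    svis: Dict[str, Optional[str]] = {}
    section = None  # ("acl", name) or ("svi", name) while inside a block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            section = None
            continue
        if not line.startswith(" "):  # top-level statement opens a block
            m = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
            if m:
                acls[m.group(1)] = []
                section = ("acl", m.group(1))
                continue
            m = re.match(r"interface (Vlan\d+)", line, re.IGNORECASE)
            if m:
                svis[m.group(1)] = None
                section = ("svi", m.group(1))
                continue
            section = None
            continue
        if section is None:
            continue
        kind, name = section
        body = line.strip()
        if kind == "acl":
            acls[name].append(body)
        else:
            m = re.match(r"ip access-group (\S+) in$", body)
            if m:
                svis[name] = m.group(1)
    return acls, svis


def acl_is_wide_open(rules: List[str]) -> bool:
    """True if 'permit ip any any' is reached before any deny is evaluated."""
    for rule in rules:
        words = rule.split()
        if words and words[0].isdigit():  # drop the sequence number
            words = words[1:]
        if not words or words[0] == "remark":
            continue
        if words[0] == "deny":
            return False
        if words[:4] == ["permit", "ip", "any", "any"]:
            return True
    return False


def audit(text: str) -> Dict[str, str]:
    """Map each VLAN that is a label rather than a control to its finding."""
    acls, svis = parse_config(text)
    findings: Dict[str, str] = {}
    for vlan, acl in svis.items():
        if acl is None:
            findings[vlan] = "no inbound ACL applied"
        elif acl not in acls:
            findings[vlan] = f"inbound ACL {acl} is referenced but not defined"
        elif acl_is_wide_open(acls[acl]):
            findings[vlan] = f"inbound ACL {acl} permits ip any any before any deny"
    return findings
```

On the constructed config only Vlan10 passes; the other three are exactly the "VLANs? Check!" situation the comment describes.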

  12. Felix Lighter

    Why don’t we just have Target give Seal Team #6 $420M and have Seal Team #6 raid all the drop servers and other locations identified for the perpetrators. They could ensure that no one is left alive and the data is recovered.

  13. independent_forever

    What I don’t understand is what HVAC has to do with payment systems and WHY an HVAC contractor cannot monitor equipment itself without needing access to servers and other internal Target systems? I don’t get it and I work in IT and this makes no sense to me unless this HVAC contractor was given access just like a Corporate user with Enterprise admin permissions…that would not make sense to me either and I’ve never heard of granting OUTSIDE people such access to an internal network….regardless of the reason they give. There are plenty of other HVAC monitoring systems and options that would NEVER require this type of configuration and access by a 3rd party person….sad state of IT if this is how they do business…risking customer personal data just to make sure HVAC systems are working OK….dollar savings or not it’s irresponsible any way you slice it…

  14. Lee

    If Target and Neiman Marcus had invested in Chip and Pin already, and still had to accept magnetic swipes (which they would, much like many merchants abroad), this still would have happened! Target and Neiman Marcus and others have made a conscious financial decision to continue to have unencrypted card data somewhere within their environment. I once told a CEO, “if you don’t want to adhere to PCI DSS and you don’t want to spend all this money on security around credit cards, then stop accepting credit cards!” The fact is, Target, Neiman Marcus and others SHOULD HAVE ALREADY spent a fair amount of money implementing End to End Encryption with tokenization, thus practically eliminating card data from their brick and mortar environment. THESE BREACHES WOULD NOT HAVE HAPPENED!!!

  15. YC Richards

    The date on this article is February 14. Did you intend to use today’s date?

  16. Cienki Bolo

    $100 million for upgrading their systems to EMV ?
    How many stores do they have and how many POS systems in each ?

  17. Mark Walker

    A couple of comments touch on the fishy smell regarding HVAC system access conjecture. The Fazio statement:

    “Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis.”

    implies to me the Fazio credentials were for a Target Operations system, not the HVAC system.

    Electronic billing, contract submission and project management don’t sound like HVAC software features.

  18. Jeff Swearingen

    2-factor authentication is exceptionally difficult when dealing with 3rd party vendors. Target likely has hundreds of enterprise technology vendors that require remote access for service and support.

    Hundreds of vendors mean tens of thousands of individual humans that may require access and it’s next to impossible to keep tabs on them, since you will not be the first to find out when one is hired or fired.

    A physical token can be an effective 2nd factor for employees, but issuing one to each individual vendor technician is impractical while expecting them to keep a single token private is unrealistic.

    If you ever visit a vendor’s support center, they could show you a giant key ring full of tokens for each customer. It may also interest you to know your credentials are frequently stored in vendor CRM systems or written on sticky notes affixed to monitors around the world.

    Without igniting a debate about what a second factor could or should be, I would suggest at least restricting vendor access to a specific source IP or manually issuing single use, short term credentials.

    In addition to other methods, we frequently use the vendor’s e-mail domain and an authorization key that can only be sent to that domain as a second factor. It’s not perfect, but it provides a simple, practical second factor that creates an additional level of authentication beyond user name and password.

    The moral of the story is to be very cautious when issuing network access or privileged credentials to your vendors. They’re a very separate population of users from your employees. Your employees can view a sales report. Your vendors can delete a database, or FTP it overseas.
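One way to implement the suggestion above of manually issued, single-use, short-term vendor credentials restricted to a specific source IP. This is an added example, not the commenter's or any product's code; the broker, the vendor name, the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges and the timestamps are all constructed.

```python
"""Single-use, short-lived vendor credentials bound to a source network.

Added example, not the commenter's or any product's code: a small broker
that issues a vendor technician a one-shot secret valid for a fixed time
window and only from an agreed source range, and logs every decision.
All names, addresses and timestamps are constructed.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Grant:
    vendor: str
    secret_hash: bytes                  # only a hash is stored, never the secret
    allowed_net: ipaddress.IPv4Network  # vendor's agreed egress range
    expires_at: int                     # Unix time
    used: bool = False


class VendorAccessBroker:
    """Issues and redeems one-shot grants; every outcome lands in the log."""

    def __init__(self) -> None:
        self.grants: Dict[str, Grant] = {}
        self.log: List[Tuple[str, str, str]] = []  # (event, grant_id, detail)

    def issue(self, vendor: str, allowed_cidr: str, ttl: int, now: int) -> Tuple[str, str]:
        """Create a grant; the secret is returned once and never stored."""
        grant_id = secrets.token_urlsafe(9)
        secret = secrets.token_urlsafe(32)
        self.grants[grant_id] = Grant(
            vendor=vendor,
            secret_hash=hashlib.sha256(secret.encode()).digest(),
            allowed_net=ipaddress.ip_network(allowed_cidr),
            expires_at=now + ttl,
        )
        self.log.append(("issued", grant_id, f"{vendor} from {allowed_cidr}, ttl {ttl}s"))
        return grant_id, secret

    def redeem(self, grant_id: str, secret: str, source_ip: str, now: int) -> Tuple[bool, str]:
        """Check secret, expiry, source network and single use, in that order."""
        grant = self.grants.get(grant_id)
        if grant is None:
            return self._deny(grant_id, "unknown grant")
        presented = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(grant.secret_hash, presented):  # constant time
            return self._deny(grant_id, "bad secret")
        if now > grant.expires_at:
            return self._deny(grant_id, "expired")
        if ipaddress.ip_address(source_ip) not in grant.allowed_net:
            return self._deny(grant_id, f"source {source_ip} not in {grant.allowed_net}")
        if grant.used:
            return self._deny(grant_id, "already used")
        grant.used = True  # burn it: a copied or sticky-noted secret is now useless
        self.log.append(("granted", grant_id, f"{grant.vendor} from {source_ip}"))
        return True, f"session for {grant.vendor}"

    def _deny(self, grant_id: str, reason: str) -> Tuple[bool, str]:
        self.log.append(("denied", grant_id, reason))
        return False, reason

    def purge_expired(self, now: int) -> int:
        """Drop consumed or expired grants so the store never accumulates keys."""
        stale = [g for g, grant in self.grants.items() if grant.used or now > grant.expires_at]
        for g in stale:
            del self.grants[g]
        return len(stale)


def demo() -> Dict[str, bool]:
    """Walk through the expected outcomes with constructed times and addresses."""
    broker = VendorAccessBroker()
    t0 = 1_391_600_000  # constructed Unix timestamp
    gid, secret = broker.issue("hvac-vendor", "203.0.113.0/24", ttl=900, now=t0)
    ok_first, _ = broker.redeem(gid, secret, "203.0.113.17", now=t0 + 60)
    ok_replay, _ = broker.redeem(gid, secret, "203.0.113.17", now=t0 + 61)
    gid2, secret2 = broker.issue("hvac-vendor", "203.0.113.0/24", ttl=900, now=t0)
    ok_wrong_ip, _ = broker.redeem(gid2, secret2, "198.51.100.5", now=t0 + 60)
    ok_late, _ = broker.redeem(gid2, secret2, "203.0.113.17", now=t0 + 901)
    ok_bad_secret, _ = broker.redeem(gid2, "not-the-secret", "203.0.113.17", now=t0 + 60)
    return {"first": ok_first, "replay": ok_replay, "wrong_ip": ok_wrong_ip,
            "late": ok_late, "bad_secret": ok_bad_secret}
```

The log is the part an auditor would ask for: every denied redemption records the grant and the reason, so a secret tried from the wrong network or after its window shows up immediately.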

  19. Bill

    My personal takeaway message from all of this so far is humility.

    A wise man said “learn not from your own mistakes, but from the mistakes of others.” I know for my own part, it’s easy to think you’ve got a system nailed down, lose your focus and then get *****slapped by some Estonian bit flickers. It’s good to see all of these bright and crafty minds working together, sharing triumphs as well as failures. It’s kind of a shame that it takes a sentinel event like this to bring us all together (and outside of Defcon, etc.)

    I’ll be the first to admit that I’ve been owned once or twice. And each time it made me feel lower than dog****. I really don’t feel that you can achieve 100% security. As long as there are humans inside the perimeter, you know, using the network, there will be problems. The best we can do is treat them with respect, educate as best we can and invite them to be part of the security solution. Users feeling empowered goes just as far (or farther) than any box that fits in a 4U enclosure.

    Take it from someone who learned the hard way.

  20. Bill

    Brian,
    Are you planning any KOS style reporting on Sochi? Apparently the situation there is (as one would expect) very bad. Even NBC did a short piece on it: https://www.youtube.com/watch?v=waEeJJVZ5P8

    Basically, the message from NBC is, don’t turn any electronic device on after touching down on Russian soil.

  21. TJ

    I find this appalling. Brian’s former employer The Washington Post just ran an AP story “Hackers may have used Pa. company to hit Target” that gives Brian no attribution whatsoever. In fact, the AP story seemed to be intentionally trying to deemphasize Brian’s work with this statement: Internet security bloggers identified the Sharpsburg, Pa., company as the third-party vendor through which hackers penetrated Target’s computer systems.

    I’ve noticed over and over that both the AP and Reuters rarely if ever credit Brian’s work — when KrebsOnSecurity is clearly their source.

    1. voksalna

      “Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.”

      Brian didn’t discover this. His source told him this — and probably the very source that told WSJ and Reuters how it was breached in the first place. It’s not like he found it through some super secret channel like forum or something and discovered it all by himself. So it is fair to not ‘credit’ him. Not like Brian has not been credited many times for this Target story for things he HAS actually broken. It is possible that the same source told the media sources the origin but they didn’t WANT to make it public because it is a bad idea to make anything like this public until it is fixed. Or did you forget they have other customers.

      1. TJ

        As I pointed out in my comment, the AP (writer Joe Mandak) simply referenced Internet security bloggers. Who are these so-called Internet security bloggers if not Brian Krebs?

        Now let’s compare the AP statement to how Byron Acohido of USA TODAY referred to Brian’s work: In his latest scoop, investigative blogger Brian Krebs makes the case that the Target vendor whose network credentials were used to tap into 110 million customer accounts may have been a heating, ventilation and air conditioning (HVAC) contractor.

        Or how Mathew J. Schwartz of Informationweek referenced it: Investigators from the Secret Service, which is leading the government’s investigation into the Target breach, recently visited the offices of Fazio Mechanical Services, a refrigeration and HVAC (heating, ventilation, and air conditioning) systems provider based in Sharpsburg, Penn., security journalist Brian Krebs first reported Wednesday.

        1. Lee Church

          I think I understand your point.

          I would add that this is similar to what google describes as content farming. I consider it a form of information laundering.

          I’ll go out on a limb here, but I suspect it’s a byproduct of the big data grab. By making the story ‘theirs’ they can privatize it, raising their ‘asset value’.

          Remember, companies are in a race to collect as much IP as possible. Whether patent acquisition, or developing the biggest ‘big data’, the mindset is to capture and convert ownership of as much data as possible. It’s thought that predictive capacity will exploit that ‘big data’ (one could argue that in the aggregate it’s just another Warren Buffett Gotrocks story hyper-helper version).

          It’s arguably at the root of the problem as that push to grab as much data as possible adds scale and increases ‘event risk’. Does the web really need nearly identical copies of Brian’s story out there? Is that really where ‘value’ is added?

          Ownership of the story/data may seem trivial, but it is what allowed University of Michigan to set up what was essentially a front running operation with the survey of consumers.

          Making data private (or taking ownership) allows use of that data for private activities, including trading in the markets and controlling release to less than ‘elite’ users.

          It also affects web traffic, and ad revenue. If they don’t convert as much data as possible, then they become less relevant. So there is a matter of driving web traffic etc. as well.

          It does point to a perverted model, and could well be appalling, depending on one’s subjective evaluation.

          I would fall on the ‘business as usual’ side with this, but I do find it ironic, since it’s about information handling.

          In a world of uniformity, can there be such a thing as an isolated incident?

          regards,
          Lee Church

    2. voksalna

      And while English is not my first language, I do want to make a big nitpick: words like appalling should be saved and used for true travesties and tragedies like genocide and horrific scarring events. Why would you weaken this word so? Abuse of surveillance laws is appalling. Child abuse is appalling. CIA drug running probably appalling. Pol Pot definitely appalling. But this? At most, and I would argue as I have that even this is not the case, perhaps ‘unfair’.

      1. voksalna

        Added: Torture: Appalling. Guantanamo: Appalling. Bad sports referee (spelling?) call? Unfair. Bad sports referee call made for money? Still not appalling; unethical.

      2. saucymugwump

        While I completely agree with you on this subject, don’t waste your breath. Americans (I assume the others are; you aren’t) believe that one of their human rights is hyperbole. Ever notice how many Americans say “Oh my god” or the shortened form “OMG” when in truth the event is only mildly surprising? Did you notice the oligarch, Tom Perkins, who recently compared people complaining about his (and the other members of the 1%) ever-expanding wealth to Nazis killing Jews during WWII? That’s hyperbole!

  22. Captain Craptek

    During the recent data breach hearings it was revealed that The Justice Department first notified Target officials that their security had been compromised. I’ve been searching all day for a clue as to exactly how The Justice Department knew of this. Any info or links would be appreciated.

    1. Al

      I think it was reported that the Justice department was notified of multiple instances of fraudulent usage of cards and the common thread was usage at Target between the specified period of time.

      1. Captain Craptek

        Who notified the Justice Dept? Exactly who is monitoring patterns of CC usage on a worldwide basis? I recently heard that the new Consumer Protection Agency is in possession of all CC accounts and monitors this data for unusual activity. Interestingly, this agency is under Treasury and therefore beyond any congressional oversight. Also, their budget is as black as the CIA’s. I smell a rat.

        1. Bill

          CC,
          “I recently heard that the new Consumer Protection Agency is in possession of all CC accounts and monitors this data for unusual activity.”

          Now that would be a story. Where, if you don’t mind did you pick this up?

    1. Lee Church

      I’m glad you brought up this issue. It’s unfortunate that the focus was on government data collection only and not the private and public/private data collection issue.

      As the article mentions housing data, I’ll mention the Freddie Mac system sells data to hedge funds (as opposed to the Fannie Mae system). Offer data is on a private enterprise system and is fed as near to real time as possible, so it’s possible to front run housing data by buying the data feed on offers (yes, it’s not a complete model, but as with hacking it’s an important part of the mosaic). When I speak of front running grandma in the market, I’m referring to these business models that sell data which essentially front runs the market.

      It’s the same model as the UofM survey of consumers. It’s the conversion of these databases to private data for front running, which the hearing seemed to avoid. I would guess some want to preserve the front running, yet they object to the government having access, so you hear a very focused complaint, as shown in that article.

      So whether we are transferring risk to grandma by way of hackers, setting her up for scammers, or front running her retirement fund, we are not doing her any favors. With the Freddie Mac system, they save some system costs upfront, but it’s an illusion. Those savings are illusive because data are valuable enough to fetch more money in the private market. In fact, it’s of greater value (they pocket the profit). Grandma pays the price in identity theft risks, in scammer risks, and in future under performance due to the front running. HFTs paid millions for a time advantage for that UofM data. That ‘alpha’ came from grandma’s retirement fund.

      Unlike the government’s collection of data, the hackers and private front runners have a much larger moral hazard. These bad actors get to dump their risk on the government (ultimately society). And as with the financial crisis we will all pick up the tab when things go south.

      The persistence of these large databases adds yet another multiplier to the magnitude of scale. This makes the unlikely yet certain breach (non-zero likelihood x infinity time horizon = certainty) have even greater consequence to grandmas the world over.

      The Target breach is an opportunity for InfoSec folks to think about what they are doing, and consider getting out of Taleb’s 4th quadrant (scale and uncertain probability calculation). It’s far wiser to learn prior to a mistake than to keep making bigger bets that are guaranteed to eventually lose.

      That being said, despite being politicized, at least the issue is being discussed.

      The data that is never collected, never stored, and never existed is the easiest to secure. To bring humor to this depressing topic, anyone remember the ‘write only memory (WOM)’ jokes back in the 1970s?

      regards,
      Lee Church

    2. Captain Craptek

      Thanks for the link CC. Considering the NSA, CFPB, IRS, the new ACA monstrosity, and heaven knows who else, there’s absolutely no certainty of our privacy any more. It’s a hacker’s wet dream and we’re not permitted to know how, when, or even IF any of these systems have been breached! This is why I’m suspicious that Target was revealed primarily for the purpose of diverting public attention from the government investigation of NSA. What a mess.

  23. JJ

    “This is why I’m suspicious that Target was revealed primarily for the purpose of diverting public attention from the government investigation of NSA. What a mess.”

    Funny that you said that. I was wondering if the truly explosive stuff from the Snowden breach would reveal that it was the NSA behind some high-profile breaches, either intentionally or inadvertently, and they were just never fingered or never allowed to be fingered. Maybe some other of their own security imperfections allowed hackers to steal their techniques and use them against companies. Or they had their own Gonzalezes on the payroll.

    And to put on my conspiracy hat even further, is the real reason behind governments pushing for a cell phone and car “remote kill switch” not for anti-theft but because they saw how effective Twitter and SMS were in the uprisings against other governments? And about those billions of rounds of ammunition purchases by DHS and the Postal Service… 🙂

    On a more serious note, when the physical security folks wanted to just slap some new high-tech gadgets on the regular network, I resisted. They didn’t understand why I wanted to raise their project cost. All it took was one question: “What would happen if someone accessed these systems and used them against us?”

    That question and the article about the casino cameras being used for cheating caused an immediate turn-around in them. It simply was not something they had considered. They now run everything past us and us them. It’s been a great relationship and we’ve both learned a great deal.

    1. voksalna

      “is the real reason behind governments pushing for a cell phone and car “remote kill switch” not for anti-theft but because they saw how effective Twitter and SMS were in the uprisings against other governments?”

      This was the immediate thing that came to mind (though perhaps more dystopian). When something like this is REQUIRED then it is no different from any other backdoor designed for the government or corporate bodies to take advantage of and abuse at will — whether or not that is the “purpose” people think they have in mind when they ask for it is not relevant. It is disturbing when something like this is not even seen as a matter of ownership (which it also is), but has such obvious social control mechanisms and is packaged as ‘good for you’.

      I think about this also in concert with Google’s recent patent (hxxp://http://phandroid.com/2014/01/29/google-mob-sourced-video-patent/) and its recent acquisition of a foremost AI firm (among other things). Which is fun to think about given Android’s heavy reliance on and encouragement to use Google accounts (and I am sure these are attached to device IDs) for just about everything including free applications (yes there are alternative application stores, but you certainly cannot do much without people putting their apks there). I wish people would realise everything in this world does not exist in its own bubble.

      There is no tin foil hat required for any of this.

  24. Captain Craptek

    JJ said, “And to put on my conspiracy hat even further…”

    It’s hard to take that “hat” off these days. When the Chief Executive of the branch of government overseeing the “faithful execution of the law” lies openly and repeatedly for the express purpose of selling Americans a defective product, (the ACA) how can we believe any government official?

  25. JJ

    Sorry for causing topic drift. One enjoyable thing about this thread is an almost complete lack of politics. Again, my apologies to all.

  26. Captain Craptek

    JJ;

    I’d prefer to leave politics outside the discussion as well. But if we’re intent on protecting ourselves from hacking crooks, we must also consider the crooked hacks in government.

    1. Jim H

      FireEye is a great product IMO and can indeed monitor traffic on a system, and in many cases block.

      HOWEVER...

      unless a baseline was performed as the system was installed, or has been re-run fairly recently, the volume of traffic (thinking outbound here) was most likely within what could be considered -normal- given the time of year it occurred.

      On the “can it block this type of attack” piece, again IMO FireEye is a very good product, but also please consider that unless the ‘attack method’ was ID’d prior to the incident (meaning a known bad PDF, bug, etc.), again IMO, no. Think of this, and most other breaches, similar to a sucker-punch; didn’t see it coming. (How do you find one mosquito when it isn’t painted orange?)

    2. Lee

      FireEye reps just a few weeks ago said to me that their product would have prevented the Target attack. That’s a broad statement that assumes the appliance(s) are deployed across the enterprise at all ingress/egress points and complete coverage was obtained. Their solution not only watches transmissions in and out of your edge, but supposedly scans suspicious files at rest based on heuristics as well, and again supposedly would have ‘detonated’ this malware in a sandboxed area that would tell them that it would perform ‘RAM scraping’ techniques, thus causing them to block it and add it to their global knowledge base.

      I have no facts or experience with the product to say that it would do all of this, just passing along what was told to me by FireEye themselves.
