February 4, 2014

Ever since news broke that thieves stole more than 40 million debit and credit card accounts from Target using a strain of Point-Of-Sale malware known as BlackPOS, much speculation has swirled around unanswered questions, such as how this malware was introduced into the network, and what mechanisms were used to infect thousands of Target’s cash registers.

BLACKPOS copyRecently, I spoke at length with  Tom Arnold and Paul Guthrie, co-founders of PSC, a security firm that consults for businesses on payment security and compliance. In early 2013, these two experts worked directly on a retail data breach that involved a version of BlackPOS. They agreed to talk about their knowledge of this malware, and how the attackers worked to defeat the security of the retail client (not named in this story).

While some of this discussion may be geektacular at times (what I affectionately like to call “Geek Factor 5”), there’s something in here for everyone. Their observations about the methods and approaches used in this attack point to an adversary that is skilled, organized, patient and thorough.

So you first saw BlackPOS at a retailer in early January 2013?

Tom: Yes, it did seem like a game changer at that point because of the way it hooked into the POS system. By that I mean the fact that it hooks into the POS process, and it’s not just a general memory scraper like some people have stated.

Help me understand the distinction between a memory scraper and malware that runs completely in memory?

Tom: Well, it’s very specific. It’s what’s called an inter-process communications hook. If you look at a memory scraper — so if you were to dump the memory on your laptop right now — you would get this big old blob of information and you would have to filter through it to find what you’re looking for. But this [malware] is very specific: It’s very much designed for the POS system it’s running on, because it knows exactly where to hook and where the memory location is going to be when the data it’s looking for is flowing through it. But if you look at what it captures, it captures only the track data [information stored on the magnetic strip on the backs of cards]. So, it’s actually very, very sophisticated and that’s why I think this isn’t just a teenage hacker who put this together in his basement. I think this is a more sophisticated development effort. [HP last week published some interesting, uber-geeky details about the memory behavior of the version of BlackPOS found at Target].

Paul:  It certainly hooks into a specific process, but we did not figure out if it was just good at scraping the memory of that process, or whether it actually altered the process to hook into the code somehow.  That part of the code was obfuscated and not reviewed during the engagement.

What did you think of the iSight paper?

Tom: The iSight paper was good, and what it described was very similar to what we saw in the first variants of BlackPOS. But it didn’t talk about how it appeared on the network or where it came from or how a retailer might defend themselves against it.

In your prior experience with BlackPOS, has it been used against the same POS that Target uses? A source who seemed to have a clue told me that their setup was somewhat homegrown.

Tom: That I don’t know.  I haven’t really looked at what Target uses. With a homegrown system, the problem is if you’re going to build a process hook, you have to have a test environment, you have to know what you’re looking at and what memory addresses to go after, and that’s not exactly something that gets published.

Paul: Target has a homegrown POS.

So you think it’s likely they were using some off-the-shelf equipment and software? Wouldn’t it be enough for the attackers in this case to have obtained a physical point of sale device that was once used at Target?

Tom: If they have one, sure, that would be different. I don’t know if they’re using a commercial product. A lot of the big retailers use commercial products and will customize those with their back end system. But at the front end and what happens at front of the house…a lot of those are just retail off-the-shelf applications. A lot of those retailers, when you have a hard disk that breaks on one of the [checkout] lanes, they’ve got an outsourced service provider of that POS that comes out there with a new hard disk and fixes it.

How do the bad guys break in, and how do they actually get the malware pushed out to the point-of-sale?

Tom:  A lot of the POS systems use whitelisting software of some kind, such as Bit9 or SolidCore. Those two companies are the two you see most out there in the industry.

Paul: It could also come in through the point-of-sale application update process.

By whitelisting, you mean sort of the opposite approach of antivirus, right? As in, if the file or program isn’t approved by the whitelisting software, it simply won’t run on the system?

Tom: The software update processes at a point-of-sale that is running one of those [whitelisting applications] has to come through one of the software update channels and has to be reviewed for the update and approved. And when it’s approved, the whitelisting software says okay this patch is approved to come online.

It’s probably a good idea at this point to make sure we’re defining the terminology in a uniform way. When you think of point-of-sale device, are you talking about the cash register, or the card swipe terminal, or…

Tom: I’m using point-of-sale to mean the payment application that is running on the cash register. The vast majority of those devices, when you check out at the grocery store or large retailer, those are just PCs, and yes they’re mostly running Windows XP or WEPOS as their operating system. But above that, you have what I call the point-of-sale, or the point-of-sale application, and that’s the stuff that the cashier is interfacing with at the time you’re checking out. It’s a software application, running as multiple pieces of software inside the register itself. And whitelisting is put on to protect the register from any sort of unsolicited modification. A lot of the attacks before this [whitelisting became more broadly used] involved where you corrupt a sales clerk to put a USB stick in the cash register and infect the PC with some malware. But by using a whitelisting software, the USB stick will not work and the operations personnel back in the head office will get notified that something isn’t right with that register.

If they get past a whitelisting system, doesn’t that suggest that someone on the inside would have to be involved?

Tom: No, not really. You have to also consider the distribution server that distributes the point-of-sale software.

Paul: Right… three possible ways… it could come through a legitimate update channel, or the retailer was lax in their update procedures, or the attackers hacked the console of the whitelisting software and just whitelisted it themselves.  

So  when you look at a hacked system, what can you determine about the state of the POS software on the affected systems? 

Tom: Well, there can be huge problems if the retail software vendor does not provide  SHA-1 hashes or even MD5 hashes of their software. There would be no way to tell whether what you were receiving had not been tampered with..

How does the update process typically work?

Tom: Basically the retailer would receive notification of a patch, and go off to an outside server and pull it down. Very similar to you getting notified of a patch being available on a Windows machine. Except in these situations, when you’re dealing with critical retail software and installations, patching is very formal process, because uptime and reliability is very important. So they test it. They would install the patch on their internal lab servers, run and test it to verify that everything would run smoothly. Then they would then certify the patch when it was ready to run, and then distribute it to stores 1-5 tonight, and then go 6-10 then next day, or whatever their mechanism was to distribute them. But it would typically take them 2-3 months to finish the distribution to all the stores.

One of the questions still outstanding in the Target breach, which is where did this stuff come from and how did it distribute itself across the network? Do you have insights or best guesses on that? And wouldn’t the mechanism like the one you just described be the most likely way…some kind of POS update mechanism?

Tom: Well, if they were not running whitelisting software…maybe, yes. But you know the other thing was that the malicious software we have dealt with has sort of a worm-like characteristic to it. It would keep trying to worm its way around the organization. If it found itself already installed on a machine, it was bright enough to elect that machine and it would start seeking a way out of the organization. When we looked at this in the past, it was very difficult for us to determine how they tried to exfiltrate the information. I think what they did was…since they could find a host — remember, this is an early variant of what was seen at Target — they sort of elected a machine that became the exfiltration point and started doing the exfiltration. Worked exactly the same way, in that the data was encrypted, and moved off to an exfiltration point, and from there it was pulled off to Mother Russia.

Paul: Once they have a password that works on every system, they can use that to spread the malware. There would be nothing that that would stop a POS device in store 12 from talking to a register in store 23.

What type of encryption did they use?

Paul: RSA-512 bit.

But this information wasn’t encrypted by the point of sale or card swipe device at that point?

Tom: Well, remember this was taken off the memory, so it was encrypted from the card terminal, but when it got internally so the [cash register] could handle it, the system itself would decrypt it, and pass it to another process that used for communications, and then it would go off network to get the authorization. And the process hook would grab the data at the point that it gets decrypted out of memory. Then the malware used its own key to encrypt it.

So at that point are there two parallel streams of data here?

Tom: Yes. One good, one bad. And then the malware itself, would then encrypt that data, and pass it to where it was going to aggregate it from all these infected point-of-sale devices, and then the aggregation server would encrypt it again for exfiltration. So it’s pretty sophisticated stuff.

So the bad guys in the scenario that you describe were double-encrypting their stolen data?

Tom: Yes. And that’s why….a lot of people ask the question, hold on a second. Wouldn’t  intrusion detection systems flag this; if they see credit card numbers floating around the internal network and moving outbound, they classically raise the alarm. Yet no alarms would go off, if  it was encrypted. In the case of Target, it sounds like they were using those encrypted packets to hide from data loss prevention and intrusion detection systems.

Did the forensic report from iSight say the data stolen from them was encrypted in the Target breach? I don’t recall reading that. 

Tom: Well, if they were using BlackPOS, I’m pretty certain it was encrypted. Because, if Target is following PCI best practices, there’s no outbound traffic moving at that point, and I would expect that they would have an intrusion detection system in there, because that would be required. And in that case, the traffic would have become visible as card data leaving the network. Now there’s nothing that says you have to do data loss prevention like that [in the PCI standard] but a lot of big organizations do.

We were never able to figure out how they egressed the data. The only protocols that were allowed outbound were DNS. So if they wrapped the stolen data up in outbound DNS packets, maybe. We never solved that problem, we were still looking when the engagement ended. We could see it was doing a lot of the work, but we couldn’t see it was actually leaving the organization.

How is that even possible? That you would not have been able to see how they offloaded the card data?

Tom: There were a lot of modules inside of BlackPOS that were anti-forensics modules, so it cleaned up a lot after itself. It did look for a specific time window for when it would actually move data. There was a whole timing vector as to when it would turn itself on, and then it would start seeking things. We put the software in a lab, but it never [sent data outbound] so we couldn’t quite figure out how. In my client’s case, the firewall rules outbound were very strict, and we couldn’t figure out how it was getting the data out of the organization.

You said earlier that this malware had something of a worm-like capability. Can you talk more about that?

Tom: The iSight report alluded to this when it said there are a whole bunch of hacking and forensics tools in there, and it really did have everything but the kitchen sink in there in terms of tools. The actual transfer mechanism seemed to be a VBSCript. When it got involved, it would very gently start mapping the network, and so that it became aware of what was in the network with it. And then it would start seeking out other point of sale devices. It was very careful, and it took its time doing this. It would attempt to communicate with those other POS devices. And if one of those devices was already infected, the two would form a handshake and a bond, and the two of them would look for the third, fourth and fifth, and so on.

If it would see like a manager’s laptop, it would try to push itself there, but then when it got to that laptop – if it successfully infected it — and it didn’t see the point of sale software, it would run its anti-forensics software and completely destroy itself, so that there was no trace of it at all. We actually took the software and forced an infection onto one of our test laptops, and it only lived for about 15 seconds before it completely destroyed itself. And then it went through and did a whole bunch of anti-forensics work before it destroyed the anti-forensics module. Very cute program. It cleaned up after itself pretty nicely.

So this is why I think as an old software engineer, I was looking at it saying someone did a lot of work to make this thing run properly, and they did a lot of testing. This is not just one guy. If it is the work of just one guy, he’s absolutely brilliant.

ANALYSIS

From talking with Paul and Tom — and in discussing the Target case with security experts from other retailers — a few things seem clear (these are my personal takeaways, not theirs). Firstly, many retailers only update their point-of-sale systems according to a well-planned schedule (a schedule, by the way, which typically happens well before Black Friday — the busiest and most profitable day of the year for most retailers). As a result, depending on the size of the retailer, that update process can take weeks, even months. Their experience suggests  that whoever broke into Target was inside Target’s network for quite some time before the point-of-sale malware started stealing card data on Nov. 27, 2013.

Secondly, many reporters and readers have been asking what retailers like Target could have and should have been doing from a security perspective. I don’t have much information on what Target or other retailers were or were not doing, but assuming the attackers typically take months to orchestrate and execute these attacks, it stands to reason that more quickly detecting these intrusions would help quite a bit. According to Verizon’s 2013 Data Breach Investigations Report,  66 percent of breaches that Verizon responded to in 2012 took months or more to be detected. Too often, the breaches aren’t even first detected internally. It’s worth noting that Target’s case, the company’s CEO acknowledged being alerted to the breach on Dec. 15 by law enforcement. In the case of the breach at Neiman Marcus, which exposed some 1.1 million credit and debit cards, the company said it learned of the breach on Jan. 1, 2014, although the actual card thefts occurred between July 16 and Oct. 30, 2013.

Finally, I have to wonder how many times this scene played out in 2013: An individual forensics firm analyzes a sophisticated retail breach involving point-of-sale malware – collecting mountains of interesting and useful data about the threats, threat actors and their methods — but at the end of the day has no mechanism by which to share that information with others in the retail and security community. It’s telling that most of the details about the malware and methods used in the Target breach were first published here on this blog.  That’s not a brag: That’s me being incredulous at how the industry as a whole still sucks at sharing important information.

I hope that this interview helps other digital first responders, and that it fosters a more public debate about the malware and miscreants responsible for what appear to be a large number of very similar data breaches that will no doubt continue to come to light this year via additional victim disclosures (willing or otherwise).


149 thoughts on “These Guys Battled BlackPOS at a Retailer

  1. Doug Finley

    Brian, Tom and Paul mention that whitelisting applications such as Bit9 and SolidCore would make it harder for the attackers to succeed. Does anyone know what kind of defenses Target had in place? We know AV is worthless, but what about the other two products?

    1. voksalna

      Doug,

      It’s disingenuous to suggest that AV is worthless — it can indeed have quite a lot of worth (though often it is not used to best effect, and when it should be configured to use heuristics, such as anything should if it is on a network with POS traffic, it almost always is not).

      The best approach is to stop thinking about security as any one thing and consider it (as well as every part of your network and your systems) as an ecosystem or set of ecosystems, which (at best) should be heterogeneous and provide multiple protections at all (or as many as possible) of the applicable areas of the OSI model as possible.

      There is no ‘one fits all’ application or security procedure because there is no ‘one fits all’ network, especially in a large retail environment that often has its own unique setup in every way. That also means advocating or scorning Bit9 or SolidCore on a general basis is a bad idea for any technician, architect, consultant, or systems administrator to do without knowing the intricacies of the specific system, network, and how it all interacts. That’s often how security problems are introduced (at worst) and missed (far more likely).

    2. Guesting

      Something does not sit right with me here…….how were the Target stats ascertained so fast, & sorry if skeptical, in most cases–even though news was front page, it is not normal for the CEO to address this, if ever, or years later. Specifics in whole on breach even though not addressed do not = damages yet. Surprisingly immediate relief by Target to offer free credit protection services (usually comes as a result of a class action lawsuit) for a year is EXTREMELY UNUSUAL. While Target’s reaction was swift and right…IMHO…perhaps the egress of data is hanging with Elvis, and has not left the building. Just my opinion, like the KISS method, keep it simple stupid way of 1 perspective.

  2. Sharona

    All folks are light years ahead of me. I simply offer alternative perspectives to use in your work. Take a look @ Natgeo’s Brain Game on perception & attention. Eye opener on fresh, you will be shocked. Knowledge of those facts might alter one’s thought/analysis/hypothesis, research, etc. on issues herein. A good re-read too is Kevin Mitrick’s older testimony before Congress, on the easiness and simplicity re: these breaches. I think he referred to social reverse engineering. Maybe some clues on this breach or recent breaches, might be too obvious and in front of our eyes, like an Oceans 11 or 12 – world of illusion. Sorry if I am off topic, tryin to help. Tx.

  3. Greg Scott

    re: Voksalna –

    This reply is out of order. Voksalna’s comment came via email yesterday but I still don’t see it in the comments sequence. We’ve been going back and forth about whether publicly disclosing security vulnerabilities is ever a good thing to do.

    Voksalna makes the argument that public disclosure is never right. I think there are proper times for public disclosure and a right way to do it.

    We’ve both presented arguments supporting our positions and Voksalna asked some good, challenging questions in the latest post. But I only see them in my email and not in here. We’re up to 134 or so comments and maybe WordPress, the tool Brian uses for this website, doesn’t handle comment threads well.

    So I will try to quote the questions and then provide the best answers I know how. And apologies again for this being out of order.

    > So those few times I accidentally found US government or
    > military sites with poor configuration or known vulnerable
    > software completely by accident and informed them and then I
    > did not go back to check to see if they were fixed — that was
    > wrong of me?

    Yes.

    If those sites held important secrets and you accidently stumbled across a vulnerability, you had a duty to report it up the chain of command. It is extraordinarily difficult to get the attention of anyone with the US Government and many of them have ego issues and don’t want to listen to outsiders. But you still have a duty to pursue every possible avenue to make sure they know about the vulnerability. Make a pest out of yourself until somebody acknowledges the issue and does something about it.

    Whether publishing those vulnerabilities or otherwise publicly disclosing them makes sense, you must wrestle with your conscious on that. Sometimes it makes sense, sometimes not. Realize that if you accidently found the vulnerability, you must assume real bad guys also found it and are exploiting it. So – as a last resort after trying to warn the responsible people – it might make sense to publicly disclose it to protect other innocent people. It’s a judgment call and a difficult decision.

    > Do you believe that Adria Richards had the right to release
    > your PII? Isn’t that a crime too according to your definitions?

    We’ve already talked about Adria Richards. Just one clarification. She did not release any information. She stumbled across an old copy of the Norm Coleman for US Senate campaign website and found an Excel spreadsheet with personal information about donors wide open to the public. She posted a screenshot of the directory listing on her website. She did not download the spreadsheet. Wikileaks subsequently downloaded the spreadsheet and emailed all the contacts listed inside, including me.

    Details on the Norm Coleman case here:
    http://www.infrasupport.com/how-a-gross-it-security-lapse-hurt-a-us-senate-campaign/

    **In this instance** Wikileaks performed a public service. Note the highlighting around **in this instance**.

    I will not defend what Wikileaks did later with Bradley Manning and US Government secrets. And I will not defend what Ed Snowden did. Both of those were wrong. In Snowden’s case, wrong piled on top of other wrong. The NSA crossed lines it should not have crossed. Snowden could have followed a better path to deal with that problem, but he chose instead to devote his career to do it the wrong way. He hurt many people and I believe he caused more harm than good.

    All that said – there are times when public disclosure of a vulnerability makes sense.

    I am OK keeping this discussion here if you want and if Brian is OK with it. But we may run into problems with WordPress keeping all the comments in order.

    – Greg

    1. voksalna

      Comments have not been in any order this whole time for me. Part of the problem is that the awaiting moderation posts get missed because they backdate to when the comment was originally written.

      I can not properly do any more replies this morning (tonight for you I am guessing), but one thing has stood out to me that I do want to address which is you say that Snowden had other ‘ways’ but as a contractor, he did not — in fact he had no right to even bring it to a ‘superiour’, and all of his superiours knew anyway and sanctioned the abuse (at the contractor and at the government of the USA itself).

      Of course if he were a government employee he still would not have successfully been able to whistleblow according to what are called the ‘proper guidelines’ but he would have had a proper standing to at least get fired and have his name smeared and life ruined if he tried to sue. There is no correct, proper, or safe way to whistleblow and that is built into the system that he exposed, as is the secrecy, deception, and manipulation.

      What the US is doing is directly, not even subtly but directly similar to child abuse and wife beating, but with the US citizen and the citizens of the rest of the world the abuse victims, and it all starts with ‘do not tell’ — as almost all bad things do that limit peoples’ freedoms and ruin their lifes.

      As I have said before, I do not have an issue with America on the whole (and I am probably on databases for being outspoken about these subjects; the fact that this bothers me itself also bothers me but I have seen first-hand what happens when unpopular opinions are spoken against those in power) except for the fact that it is the responsibility of Americans to set the limits of what the American government can or can not do to its own people, as well as to the rest of the world. And yet it is hard to blame the people of the USA when at present the USA has the best psychological operations capabilities of any country in the history of the modern world. I don’t believe it is deliberate malice on the part of the average American (on the part of politicians is a different subject; this is about power not ‘terrorism’). But that does not make your people harmless if you are the only ones in any position to truly change the way things work.

      It is ‘wrong’ because they say it is wrong, and that, intrinsically, itself is wrong. The subject should be human rights. And on that subject many countries are failing miserably, but that does not mean it should be a fight to be in first place to abuse power (I will not speak anything more that could be ‘political’).

      If you can not see what is done as an abuse of power… I am not sure what to say.

      I am trying to figure out who it was that *Snowden* harmed, as you put it. And then I wonder about how you came to believe such things, or what your motives for believing such things might be when drones kill may innocent people freely on other countrys’ soil by some strange sort of ‘edict’ and so on. This portion of this conversation has become pointless and I will not try to change your mind, but I wonder if you will believe these same things 3 or 5 or 10 years from now, and I wonder what your news sources might be, and if maybe you are just too distant or disconnected from the effects of these acts in the first place, which themselfs are criminal.

      I have some mixed feelings about some other “whistleblowers” and I have very strong views on loyalty (which I realise according to some people was broken — but there is a higher morality at times), but Snowden told the world of crimes — gross, horrendous crimes, against everybody. I am not a hero worshiper either; Snowden is ‘just a person’ to me like most other people — just a braver one than most, and with better priorities than many.

    2. voksalna

      Or in much shorter terms: If this were something any other country in the world did and the US was not invited to the party, the US and every other country would have sanctioned this government, called it oppressive, ‘invaded’ it (“freed it!”) and “introduced a capitalistic democracy based on negative liberty to free the people”. What the US can do freely and others can join in on, when done by any other place, is considered despotic and terroristic. Which is why I keep saying “One standard”. Tearing a place down to make money does not count as freeing it by the way, and neither does destroying its economy or disrespecting every other persons’ beliefs or cultures. 🙂

      1. Greg Scott

        Voksalna, the more of you I read, the more I respect your opinions and perspective. I have a good friend who is a web developer in Kiev, Ukraine and I wish I had the money to visit your side of the world more often.

        Please do not think I am defending the abuses of the NSA. Those were wrong. But what Snowden did was also wrong. And if I am reading the news correctly, he purposely positioned himself at a subcontractor company. He manipulated his own career over several years and put himself in that position.

        If Snowden wanted to be a whistle-blower, why steal millions of documents? Why not secretly leak only a few to a trusted news source? Why run a social engineering scam against his own coworkers and use others’ passwords to steal secrets?

        I’m sure the NSA leaders assured themselves they did all their spying with the most pure of intentions – to stop another 9/11. But we all know what happens when government becomes too invasive – maybe you more than anyone as a former Soviet citizen.

        So I will not defend the NSA abuses. But I also will not defend what Snowden did. Two wrongs do not make it right.

        BTW, I said there is a proper time and place for disclosure. I did not say that everything should be disclosed. At least I hope I did not say that.

        You indirectly mentioned Stuxnet. Brilliant programming and it worked for a time against Iran. But stupid policy. How can anyone be so arrogant to believe their malware will not sooner or later be exposed? Apparently the Iranians sent samples to an antivirus company for analysis and the A/V guys decompiled it. So now Stuxnet is in the public domain. The genie is out of the bottle.

        The good folks at the NSA need to realize that smart people also work in the private sector. In today’s reality, given that Stuxnet is out there and bad guys are modifying it, it only makes sense that everyone have the same tools so they can defend against it.

        1. SJ

          Was Stuxnet written entirely in ASM? I doubt it. Even if you decompile it, you’re going to get something worse than ASM. People who code at the bare metal still use macros and features bolted on to machine code instructions to make it tolerable to use. They can take ideas from Stuxnet, but it’s not theirs to reuse with no effort. My 2c.

    3. voksalna

      Sorry one more thing and then I must go. Many of these programs are the governments buying and using and creating and sponsoring 0day and malware and botnets and backdoor insertion and deliberate weakening of crypto standards and deliberate insertion of vulnerabilities into open source code and taking over random peoples machines while appearing to be ‘hackers’ and using false flag operations, and so forth.

      Maybe I am just stupid ex-USSR idiot, but I am confused, Greg, why is full disclosure about THIS a bad thing? I thought bugs should be OPEN? (I will redact the rest of this comment now as it may be too specific).

      1. Greg Scott

        I put together a detailed reply to this a while ago and I just noticed the reply ended up a couple of posts above. Search for “February 15, 2014 at 10:07 am”. Hopefully *this* post ends up in right spot.

        > Maybe I am just stupid ex-USSR idiot…

        Dude, I’m just a stupid American idiot. FWIW, the ex-USSR people I’ve met are all smarter than me. I had the advantage of growing up in the best system in the world. Not perfect, but better than behind the former iron curtain. You had to overcome a bazillion obstacles and survive in a system more corrupt than the one in which I grew up.

        This isn’t just hype. I know many people from your side of the world fluent with my language. But I am not fluent with yours. I am amazed at some of the innovations I’ve seen from individual people who still must overcome a crazy institutional system.

        So don’t call yourself that name any more because I’ve read your stuff and you’re better than that. 🙂

  4. Greg Scott

    By the way – Target’s headquarters is in Minneapolis. So looking at yesterday’s Minneapolis Star/Tribune (Feb. 13, 2014), I see a prominent article describing how an HVAC contractor penetrated Target’s systems. And the major source – why, none other than Krebs on Security.

    It’s an amazing example of the sorry state of traditional journalism today. Reporters for the newspaper in the same city as Target’s headquarters are unable or unwilling to do their own homework about significant events concerning a major company in their own hometown. Instead, somebody at the Star/Tribune probably found this blog, assigned a reporter to make some phone calls, and they published a weak story several days after it appeared here.

    No wonder newspaper circulation is dropping. Kudos Brian. You’re in front of the new wave.

    – Greg

    1. voksalna

      I am not surprised, as many or most journalists have been “laid off” and most stories are rewritten stories from syndicated sources like Reuters. No staff. It is hard to blame journalism for this even though it seems like one should. One probably should blame people for not supporting proper journalism enough for that paper to be able to pay proper reporters to do investigative journalism like the US was known to do some few decades ago when it was ‘prestigious’: before the ‘web’. The money goes to people who talk about Bieber and trash.

  5. Greg Scott

    Woops – this was sloppy and wrong from my comment a couple days ago:

    > …article describing how an HVAC contractor penetrated Target’s systems.

    Of course, that should have said “…article describing how stolen credentials from an HVAC contractor penetrated Target’s systems.”

    – Greg

Comments are closed.