Posts Tagged: Molly Snyder

Sep 15

Inside Target Corp., Days After 2013 Breach

In December 2013, just days after a data breach exposed 40 million customer debit and credit card accounts, Target Corp. hired security experts at Verizon to probe its networks for weaknesses. The results of that confidential investigation — until now never publicly revealed — confirm what pundits have long suspected: Once inside Target’s network, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store.

targetsmashAccording to an internal corporate report obtained by KrebsOnSecurity, Target commissioned the study “in anticipation of litigation” from banks that might join together to sue the retailer in a bid to recoup the costs of reissuing cards to their customers. Last week, a federal judge cleared those claims to go forward in a class action suit.

The Verizon assessment, conducted between December 21, 2013 to March 1, 2014, notably found “no controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers.”

The report noted that Verizon consultants were able to directly communicate with point-of-sale registers and servers from the core network. In one instance, they were able to communicate directly with cash registers in checkout lanes after compromising a deli meat scale located in a different store.

Verizon’s findings lend credence to the working theory about how hackers initially broke into Target. In February 2014, KrebsOnSecurity was the first to report that investigators had zeroed in on the source of the breach: Fazio Mechanical, a small heating and air conditioning firm in Pennsylvania that worked with Target and had suffered its own breach via malware delivered in an email. In that intrusion, the thieves managed to steal the virtual private network credentials that Fazio’s technicians used to remotely connect to Target’s network.

Verizon’s report offers a likely playbook for how the Target hackers used that initial foothold provided by Fazio’s hack to push malicious software down to all of the cash registers at more than 1,800 stores nationwide.

Target spokesperson Molly Snyder would neither confirm nor deny the authenticity of the documents referenced in this report, but she maintained that Target has made great strides and is now an industry leader on cybersecurity.

“We’ve brought in new leaders, built teams, and opened a state-of-the-art cyber fusion center,” Snyder said. “We are proud of where we stand as a company and will be absolutely committed to being a leader on cybersecurity going forward.”

Snyder said Target believes “that sharing accurate and actionable information – with consumers, policy makers, and even other companies and industries – will help make all of us safer and stronger,” she said in an emailed statement. “Sometimes that means providing information directly to consumers, other times that means sharing information about possible industry threats with other companies or through our participation in the Financial Services and Retail Information Sharing and Analysis Centers (ISACs), and sometimes that means working with law enforcement. What we don’t think it means is continuing to rehash a narrative that is nearly two years old.”

A high-level graphic showing the various routes that Verizon penetration testers were able to use to get all the way down to Target's cash registers in 2013 and 2014.

A high-level graphic showing the various routes that Verizon penetration testers were able to use to get all the way down to Target’s cash registers in 2013 and 2014.


The report notes that “while Target has a password policy, the Verizon security consultants discovered that it was not being followed. The Verizon consultants discovered a file containing valid network credentials being stored on several servers. The Verizon consultants also discovered systems and services utilizing either weak or default passwords. Utilizing these weak passwords the consultants were able to instantly gain access to the affected systems.”

Default passwords in key internal systems and servers also allowed the Verizon consultants to assume the role of a system administrator with complete freedom to move about Target’s sprawling internal network.

“The Verizon security consultants identified several systems that were using misconfigured services, such as several Microsoft SQL servers that had a weak administrator password, and Apache Tomcat servers using the default administrator password,” the report observes. “Through these weaknesses, the Verizon consultants were able to gain initial access to the corporate network and to eventually gain domain administrator access.”

Within one week, the security consultants reported that they were able to crack 472,308 of Target’s 547,470 passwords (86 percent) that allowed access to various internal networks, including;,;;;;; and Continue reading →

Feb 14

Target Hackers Broke in Via HVAC Company

Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.

hvachooverSources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.

Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation, but said he was not present when the visit occurred. Fazio Vice President Daniel Mitsch declined to answer questions about the visit. According to the company’s homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.

Target spokeswoman Molly Snyder said the company had no additional information to share, citing a “very active and ongoing investigation.”

It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.

“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”

Continue reading →