back to article Fridge vendor pegged as likely source of Target breach

A Maryland refrigeration contractor has confirmed its connection to the data breach of retail giant Target. Fazio Mechanical Services said that it is currently working with Target to investigate a breach on its systems which investigators believe could have been the precursor to the attack on Target point-of-sale (POS) systems …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Even based upon what Fazio had access to on the Target network, the POS network should have been isolated all the way from the store to the back-end servers at Target.

9
0
Silver badge

Woulda', Shoulda', Coulda. But it wasn't. How many more of these very expensive lessons will take before people (and the companies they work for) learn?

The question I have is why did Fazio have that kind of access for the services they were providing? And if they did have a need for that access why weren't they audited? Or at least watched?

6
1

- and a contractor's credentials should probably have given very limited access. But of course, privilegde escalation attacks are quite a lot easier to find for most systems.

4
0
Anonymous Coward

the POS network should have been isolated all the way from the store to the back-end servers at Target

It's generally considered Very Good Practice (™) to fully segregate the financial processes of any organisation - and payment systems should have been a subnet of that. In addition, the subcontractor (aka an untrusted 3rd party) should have been on a DMZ, not on the core network.

Translated this means there were at least THREE layers of protection missing, not just one.

I have but a few questions:

1 - who audited this? I think clients have a right to know which Big Name Consultancy signed off on their approach to security. I don't know if Target have any type of security accreditation, but both OCTAVE and ISO 27001 would require decent segregation, and the POS network should normally be subject to PCI compliance checks to be able to accept credit card payments.

2 - why has a contractor access to the full network instead of a DMZ?

3 - how many more uncontrolled backdoors does Target have? This sort of breach indicates it needs a redesign of the infrastructure, but there is also the problem that a successfully executed APT strategy of this nature may have also left behind some "help" to do it all again. They have the choice between network segment isolation or examining every machine connected to the network for trojans, and even with segmentation I'd put up some network intrusion detectors.

Bad, very, very bad.

9
0
Anonymous Coward

> Woulda', Shoulda', Coulda. But it wasn't.

Are you privy to the details of the case, or just declaring them guilty until proven otherwise?

> How many more of these very expensive lessons will take before people (and the companies they work for) learn?

How about your own business or organisation? How sure are you that you're not living in a glass house?

Just saying... sometimes you win and sometimes you lose, but even so it doesn't necessarily mean you've put up a bad fight.

1
4
Bronze badge

I've always hated the term 'DMZ' in relation to networks

It causes Security engineers to think in terms of having just three networks: Internal, external and a section in-between when modern technology requires thinking in much finer grained terms. With modern OS's supporting virtual interfaces* you should have dozens, even hundreds of separate networks.

What should have happened when they brought the partner on board was to have set up a specific VLAN and subnet for them that connected to virtual NICs on the servers they needed with listeners configured for access to the data and commands they needed to get it or modify it. If something requires a different set of security rules, it should have its own network.

The last network I designed used hundreds of individual network, each web server cluster had 2 private networks and connection to at least 2 other purpose-built networks: 1 external connection to the back-end of the load-balancer shared only among public web servers, a second shared network used only for management of the internet-facing machines (only interface that allowed ssh/sftp access), a third interface only connected between the web servers to sync application data and user state, and finally the last one was set up only for the servers to connect back into the database servers where the listener was configured to only allow connections to the specific DB the web servers needed and further restricted it by limiting what commands could be passed through.

Of course each network also had an IP or two available for packet-capture systems for debugging and performance monitoring (much easier to debug applications when you can just pull the stats from the interface rather than having to filter everything)

*either through the virtualization platform on a virtual server or through the OS (UNIX-like systems and the VLAN interface, Windows and the HW manufacturer's drivers) on physical boxes.

2
4
Anonymous Coward

Anyone inclined to disagree with the above, please state why.

0
0
Silver badge

"How many more of these very expensive lessons will take before people (and the companies they work for) learn?"

How much you got?

In other words, never. The cloud, by definition, is vulnerable and with billions to be stolen, the efforts to steal it will never stop. Especially given the cheap, skinflint Scrooge nature and Kafaka bureaucracy of large corporations.

1
0

Re: I've always hated the term 'DMZ' in relation to networks

The DMZ concept is the core fault here and the people who went after these cards knew it. They also know they can get inside other retail networks, and find at least one machine somewhere that isn't doing what it should and hop vlans into something else. Every vlan isolation system I have ever looked into at depth could be breached and often with simply things like mac-flooding which was the 1st attack on the isolation so long ago. I use Juniper SSG-140s loaded up with 8 port cards that look more like switches but nearly every host is in its very own zone and the DNZ zone should gone away two decades ago. The retailers are not going to be providing physically isolated networks simply because of the cost all that coper and its 100 meter limits which don't go far in a store so they are stuck with over priced fiber converters or wifi. If the PCI Security Standards Council isn't very careful, there will be far more wifi networks with far more data and far more doors. The amount of data flowing in a modern relater is increasing as the POS systems are used as time clocks, the cameras want to log POS transactions, the POS system needs to activate an prepay card, the POS system needs to record a mobile phone sale, the thermostats need to know how busy the store is, the fridges need to know how hot it is outside, the blue tooth sniffer needs to send the POS a coupon code, the alarm system needs to talk to the VOIP system, the electronics department needs internet for demos, the distributors need to phone home, the auto, pharmacy, eyeglasses and hearing aid centers all needs to send records. I don't think the network infrastructure will be getting any leaner anytime soon.

0
2
Anonymous Coward

Re: I've always hated the term 'DMZ' in relation to networks

I think there is a difference between "a" DMZ and "the" DMZ. People who think in terms of "the" DMZ do indeed lack depth in their security thinking, but the idea of "a" DMZ is applying the concept of segregation, which is the point made earlier.

Nobody with even the slightest interest in doing the job right would consider hooking up a 3rd party to the core network a sane idea - that went out of the window at the same time as having just one DMZ - so there are some serious questions to be asked here.

As for segregating everything, though, I can give you one answer why that is sometimes not done: maintenance and control overhead. If your answer to that is "but I can control that from a central place" you have just indicated a new APT target, and therein lies the rub. At that point you0re no better than a vendor who promises you data encryption which is in realityall based on one key :)

2
0
Silver badge
Facepalm

POS network -- or POS security standard?

..and the POS network should normally be subject to PCI compliance checks to be able to accept credit card payments.

It is subject to PCI compliance.

Unfortunately, "the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7)"

(Krebs on Security Article http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/ -- link to PCI standard preserved from source.)

1
0

Dear Sir,

KISS... dozens or hundreds of networks?

In your mind, then, string theory solves the problem to form one theory that covers both quantum and relativity?

The best solutions are always simple, yet elegant.

Regards,

Guus

2
0
Paris Hilton

Target Lied

First of all would like to say Target did not accept responsibility for the breach until forced to do so,

then changed the story about who and what had been breached multiple times ,

We as customers believe when we check out at a store we have no worry ,

and we shouldn't we are told it is secure over and over again which is not true

I believe Target is liable for the breach I don't care if it was their vendor backdoor bull or what have you

when it is all said and done we the customers will pay the price for the losses caused by

the breach at our banks at the stores that allow this to happen ,

we are told oh you have no liability for fraud yeah ok ,what about the payments returned ,the od fees

the inability to access our bank accounts, who pays us as consumers for our time and aggravation

and explaining it was a breach well who is at fault? accept responsibility for hell sakes

I believe the consumers should be rewarded for this inconvenience.

It is Fraud short and Simple No excuses should be tolerated by any consumer

when a business or government or a bank has a loss we pay the price the consumer

So Stand up People Together and Make a difference in How you are Protected and refuse to pay the price for it .

0
1
Bronze badge

Re: I've always hated the term 'DMZ' in relation to networks

'If your answer to that is "but I can control that from a central place" you have just indicated a new APT target, and therein lies the rub.'

You seem to have missed the point. In most networks, anyone inside the company could be launching point for attack, my point is to reduce the number of possible targets. I would rather have the IT department's systems and working harder to protect them than having to worry about the thousand other machines in the company that can access the management interfaces of the critical servers.

Also your comparison to a company that only has a single key is flawed in that I can replace my machines whenever I want and it wouldn't affect a damn thing, where a key needs to be replaced everywhere.

0
0
Anonymous Coward

POS network

says it all.

6
0

Re: POS network

Sorry, didn't quite hear you ....

Did you say "Point of Sale" or "Piece of Shit" ?

I'm sure the latter is probably outside your normal vocab Target ......

2
3
Bronze badge

Re: POS network

"I'm sure the latter is probably outside your normal vocab Target"

I wouldnt say that. I'm sure they are more than familiar with the quality of product they sell.

0
0
Silver badge

Energy Star

The company, which normally specializes in installing and servicing refrigeration systems for supermarket locations, said that its systems were standards-compliant

But what about their computers?

3
0
Bronze badge
FAIL

What about their bloody computers?

Warehouses work on the principle of piling them high and chucking them out the door.

They treat their staff like dogshit. I know nothing about the company but I'll bet a weeks income that they are sacking staff every day, running their IT on the lowest common denominator and that means they will be using rubbish servers and training server servants to be afraid to make noises.

The in-house network will be struggling on pdas using flat batteries and its upkeep will be reflected in everything that goes down the pipe, literally and figuratively.

7
1
Silver badge

Re: What about their bloody computers?

Yup. Target are cheap box-shifters, just a step above Walmart. Their clientele are the people that don't want to deal with the crack-whores and welfare-mums-with-army-of-kids at Walmart, but who still don't want to part with any money.

I'm sure their security budget was of the "does it cost anything? then no, we don't need it" type.

2
1
Silver badge
FAIL

Huh?

"The company, which normally specializes in installing and servicing refrigeration systems for supermarket locations"

And this has WHAT to do with customer transactions?

Raises questions like - how many other third-party companies had potential access to the same data, and did any of them access it for reasons beyond their mandate, and how well (if at all) was such access vetted and controlled? (In reality, not the PR friendly version)

Icon for Target, the reason ought to be painfully obvious.

2
2
Silver badge

Re: Huh?

Large commercial systems (refrigeration, HVAC, etc) for large commercial stores (and buildings, factories, etc) are often networked for telemetry and troubleshooting.

The vendor's ID was stolen and used to compromise that store's system which in turn led to the penetration of the national system.

That's what.

So how's that cloud thing working for ya?

1
0
Silver badge

How many others could be compromised?

"The security researcher cited sources within the investigation in reporting that the firm had been found to be the source of the credentials used by the attackers."

"The company...said that...no other customers were affected by the breach."

These two statements don't seem to balance very well.

4
0
Bronze badge
WTF?

process...

I am reminded of the phrase "security is a process not a state".

I am curious to know, with the knowledge of hindsight, when the breach *could* have been detected.

The analogy I think I am developing is along the lines of "it's a bit draughty in here....?"

P.

1
0

Day late?

Can you spell "a day late, and a dollar short"? My wife's credit card was compromised, and only becuase it was American Express was this caught. They have superior (to most credit card operators) fraud detection software, and caught this situation. She didn't lose a cent, and she has a new AMEX card as a result... Thankfully she did not use her debit card, otherwise she would have been out of some serious money!

1
0
Silver badge

Material Constants

So, I'm an engineer. A fairly well respected engineer actually. I own one of the worlds finest and most advanced design, engineering and manufacturing companies specializing in ultra high tolerance bespoke equipment. We've got an enormous client portfolio across many, many industries. We get into some strange things.

I'm not saying that to brag, but to (hopefully) qualify what follows.

As an engineer you can only think so far out. You've got your requirements, you've got to figure out how to meet them. The world is far too broad to examine every detail of every possibility. It's actually really, really bad practice to consider too many variables. If it meets the specs you just ignore most everything else.

Pursuing seemingly impossible specs quickly leads you into into the murky territory where design principals are abstracted so far they don't really make much sense anymore. You get into absurdly complex things where you can almost break the laws of physics. You create things so unnatural looking it's kind of nauseating. Precision has drawbacks though. Those truly bizarre things meet your specs, but only those specs and only in controlled conditions. Change absolutely anything and the millions of dollars you just lost are the best possible outcome.

What I'm getting at is that we're fine with the world not working exactly how we think it should. You go far enough and even basic principals are invalid. In truth, absolutely nothing in our universe is a true constant. Everything is plastic, dynamic and unpredictable when you go past a certain point. The whole isn't actually the sum of all its parts. The whole is how you perceive its parts. That is absolute. Universal. Eternal. Cannot change or be changed. There is only one exception to that rule. In all of the universe there is only one true constant and that is: When something goes wrong you can always take comfort in the fact the refrigerator company is responsible. Always.

I should clarify. I will devote the rest of my life to pinning absolutely everything on the refrigerator company. That's just too fucking good to not use wherever and whenever possible.

4
1
Anonymous Coward

Re: Material Constants

Even though you can accept that there are some variables you will at best a moderate grip on, if you're one of the finest you also have an ethos that you will do your best to gain control insofar that is economically feasible.

In the case of Target, we're talking about VERY basic fundamentals that were not in place. Simple functional network segregation, not allowing 3rd parties access to the crown jewels, a POS network (which is in itself a 3rd party platform) that seems to have been slapped together without much attention to PCI demands, accessible client details which enabled the construction of full profiles for ID theft - it's the equivalent of you not frequently calibrating your QA kit.

Amusing as your use of the fridge company would be, it won't fly as YOU are responsible for protecting against what 3rd parties can do. In other words, Target may blame a 3rd party for a backdoor, but it's Target that had the responsibility of protection and control.

There are really no viable excuses for Target. For an organisation with THAT many clients the events simply proclaim negligence.

2
2
Bronze badge

Re: Material Constants

"In other words, Target may blame a 3rd party for a backdoor, but it's Target that had the responsibility of protection and control."

Which is why Target is pointing fingers at the HVAC company, in an attempt to at least share the burden of litigation.

But, that will be of limited efficacy, as Target will end up litigating against the HVAC company to attempt to recover damages, the HVAC company will defend itself by reminding the jury that Target had the penultimate responsibility for protection and control.

Looking at this situation, as an information security professional, I lack enough detailed information to make a fully informed determination, but it most certainly does look damning for Target.

As an American whose daughter was shopping in the middle of that massive breach, I can only say, "Bloody hell"!

One ponders if a simple misspelling in job qualifications was made.

After all, if boffin is instead spelt buffoon...

Sorry, had to lighten the mood a bit.

0
0
Anonymous Coward

Re: Material Constants

"design principals", "basic principals"

Principles.

0
0
Silver badge

Re: Material Constants

See, they've gotten to you. The refrigerator company wants you to accept responsibility. Destabilizing a country or company by creating internal doubt and eroding resources through second guessing is a time honored strategy. People have been using those tools for ages and ages since they were first developed by the refrigerator companies of thousands of years ago.

But seriously, I hear what you're saying, and you're right, as far as you go. Unfortunately you've stopped at the same place as so very many monarchs, dictators, military commanders and corporate executives before you, so you're in good company. If your two errors weren't common we would have a Queen of the US instead of an endless procession of used car salesmen for Presidents.

- Your first error is simply a lack of knowledge. Regardless of what you are defending, or how you choose to defend it, primary defenses rarely fail. If they do fail, it is generally because they were neutralized from behind. Most security breaches occur due to the smallest, most basic things. The design and typically large resource budgets of primary defenses make frontal assaults on them wholly unjustifiable beyond simple scouting, door knob rattling if you will, and amateurs.

Even classic defenses, like big walls are generally invulnerable. Siege engines were more about maintaining troop cohesion and discipline and preventing boredom (bored armies are really dangerous). If you got lucky and knocked a wall down that's great, but nobody really expected that to happen. Almost inevitably, the enemy gets through because a door didn't close properly or the key labeled 'Front Castle Gate' fell out of someone's pocket when they slipped out to have a tumble in the hay with the General's daughter. All that cool stuff in movies and books is, mostly, shit. Watching catapults launch rocks at the enemies walls is way more entertaining than watching a guy forget to pull a door closed or the refrigerator company patch in to your customer database.

With thousands of years of alarmingly consistent failures you'd think people would catch on. But no luck yet. Everybody is always making their walls taller or the moat wider and deeper. Even super high security places have scads of highly insecure things going on everyday. Undocumented and unsanctioned activities, processes and procedures that are rarely found out unless something bad happens.

Your second error isn't nearly as fun as your first. You are assuming that having responsibility or authority in a situation gives you control in that situation. That's 100% incorrect and is down to nothing more interesting than hubris. An overvaluation of your knowledge, abilities and control. You, like everyone else are busy watching the walls for the comically oversized threat that would be required to breach your primary defenses. But it ain't coming. The mouse that will cause your elephants to stampede, and knock down your gates from the inside, rode in on an apple cart three weeks ago.

I'm not saying defenses are a waste of time, not at all. I'm saying continuos upgrading of already invulnerable defenses consumes resources that could be used to check door locks and do key counts. Everybody will know if the comically oversized enemy of your dreams shows up, advanced notice won't be necessary and what you've got is what you've got, there won't be time to make adjustments then anyway. Leave your daughters ex-boyfriend on the wall to catch arrows and warn of an enemies approach.

You'd best leave your dreams of gloriously repulsing a super powerful enemy on your pillow and get to rattling doorknobs, because that's where the real threat is going to get inside. You think you've got the fundamentals covered but you simply do not know what goes on when you aren't looking. Staff (or refrigerator companies) are doing things that completely undermine your security. Your walls are safe. Get back down there and lock the fucking service door. It's going to be unlocked.

0
0
Silver badge
Terminator

Clearly, Smart Fridges are a bad idea!

It'll be a cold day in Hell (Grand Cayman) before I let my fridge see the internet!

3
0
Gold badge
WTF?

So contractor -->Suppliers system --> stores core systems -->POS system

Clearly a highly technical security process that no mere CTO or Board member could possibly be expected to understand, right?

Now the obvious question is was this a slip by Target that let their supplier (and therefor their contractor) absurd levels of access or do all Target suppliers enjoy this level as SOP?

I don't know.

But if I were a Target customer I'd want to find out.

0
0
Bronze badge

Re: So contractor -->Suppliers system --> stores core systems -->POS system

Let's try a different model, just for giggles.

The contractor came in and did the work. They logged onto networked assets and logged out again.

Somehow, those credentials became available to a criminal, who logged into those assets and did the dirty work.

No same VLAN scenario, but an asset availability issue.

What still isn't known was, was the initial entry physically on premises? Was the initial entry external?

In short, was there a criminal working for the contractor? Was malware installed on contractor equipment, such as a notebook computer?

I've done my share of security evaluation. I've done more than my share of information security protection.

To be honest, this avenue was incredibly well planned. It wasn't the usual picking of the lowest hanging fruit.

It's as likely that Target had most of what is expected in segmented network protection in place, IDS/IPS in place and a ducks in a row, only to be banged by a zero day exploit that was employed in a precisely timed manner. It's less likely that Target simply ignored all security precautions that are common in today's networks.

It's also likely that Target skimped in expense in network security, nearly everyone does, even the US DoD for some installations (I was on two that suffered from budgets too short for full implementation of requirements). One isn't being cheap, one performs a risk analysis and works from there.

And no, I'm not defending Target. I'm simply saying, there *really* is insufficient information to make an educated assessment of what happened.

And still, bloody hell...

Because, as I recall, the criminal or an associate apparently was asking around on how to crack the crypto protecting the data itself.

We might finally find out once the litigation is finished.

I'm just glad that I'm not one of the security officers for Target, that was a lot of overtime recovering from the breach and even more answering a lot of hard questions.

What stinks about this is that companies won't divulge the full details of a breach, as they're trying to protect themselves against litigation. That weakens all.

2
0
Silver badge

@Wzrd1: Two points

Because, as I recall, the criminal or an associate apparently was asking around on how to crack the crypto protecting the data itself.

I think that was a red herring. An article I saw indicated that it was the POS terminals themselves that were compromised. The bad guys were reading the data right from the devices getting both card numbers and in some cases PINs associated with the account numbers (debit cards).

What stinks about this is that companies won't divulge the full details of a breach, as they're trying to protect themselves against litigation.

That's one possible reason. At the moment, I'm not doing support work in the commercial sector. Instead we've got rigorous reporting standards for all incidents. (Sometimes insane interpretations of said standards like the nitwit who wanted all "McAfee stopped this virus" reports forwarded as individual incidents to the central handling agency, but that's a whole other kettle of fish.) Usually these things take weeks to work their way through the process. At the end of which I've gotten such unsatisfactory directives as "use standard procedures to correct the issue" and the occasional clear directive "wipe the drive with DoD 5220.22-M compliant software." The scariest one was when the security guy said "Some of these incidents will never be closed. And you'll never be told why, because the directive is coming from way, way up the food chain and potentially involves national security." But the one thing I've never seen is a clear description of how an incident evolved, because that's now considered sensitive information that can't be disclosed because it might leak to the bad guys.

0
0
Anonymous Coward

virtual networks

And VLans arent much of a solution. Im not sure about virtual networks using the likes of esx but there are plenty of tools out there that can help with vlan traversal. Decent uncluttered logging with an alerting system would help as well.

Complete physical separation is best surely. Or revoking credentials on a regular basis triggering a physical request when access is required again rather than free unfettered access.

Where the malware is concerned...are the POS systems not regulalry maintained?

Im no expert on retail tech but it must be possible to use something like deep freeze to help fight that stuff off. One reboot and the system is back to a clean config. POS systems run Windows dont they?

0
0
Silver badge

Re: virtual networks

On a commercial system like Target runs, I expect the refrigeration company is constantly monitoring and tweaking stuff. So the access would never expire. And since it is constant monitoring, you'll also want it to be remotely accessible. Yes, there probably is a more secure remote access system (real two factor comes to mind), but usually not thought about and not cheap in terms of your typical IT budget for such an operation.

No, most POS systems are fire and forget. The install is done once and only visited when broken or upgraded. Sure there is inventory and configuration data that gets regularly updated, but that's not quite the same thing as getting your monthly Windows patches.

The POS equipment itself is as likely to be non-Windows as Windows. The reporting and managing software is likely to be Windows, but given the news reports, that isn't what was compromised. It was the actual physical card readers or at least the data stream from the card reader to the PC before the encryption was applied. This was a serious hack that should be sending shivers down the spines of every IT security worker in the retail sector. Yes, Target might (and that isn't proven yet) have had some security lapses. But whoever perpetrated this likely used the mechanisms normally used to update the readers to deploy their malware. That is, they turned at least part of the security infrastructure against itself.

0
0
This topic is closed for new posts.

Forums