back to article Home Depot: Someone's WEAK-ASS password SECURITY led to breach

Hackers gained access to Home Depot's network via a third-party vendor system, according to preliminary results of an investigation into the September mega-breach. Cybercrooks used access to the US retail giants' network gained via ineffective password security at an unnamed third party vendor's system to run a stepping-stone …

  1. chivo243 Silver badge
    Pint

    copy paste error?

    Third parties were also to blame one way or another for third parties for other high-profile breaches against retailer Target and bank JPMorgan.

    Or do I need a pint or two?

    1. petur
      Pint

      Re: copy paste error?

      Use the 'Tips & Corrections' link at the bottom of the article for that, not comments....

      Now I got your pint

    2. Hud Dunlap
      Joke

      Re: copy paste error?

      I think the problem is you have already had a pint or two.

  2. Yet Another Anonymous coward Silver badge

    Add more technology - solved

    If an external company running their HVAC had 1000s of bits of kit connected to the same network that ran the POS machines - the weak passwd wasn't exactlythe problem.

    It's like saying that we have had thefts by our own security guards so we are changing the color of their uniforms.

    1. frank ly Silver badge

      Re: Add more technology - solved

      It's like saying that the toilet cleaners need to store their bleach in the CEO's safe. (Make up your own analogy.) It's cheaper than making a special storage cupboard for them, in the short term anyway.

      1. Yet Another Anonymous coward Silver badge

        Re: Add more technology - solved

        I salute your analogy sir.

    2. Marketing Hack Silver badge
      Facepalm

      Re: Add more technology - solved

      Yes, someone decided to save money by putting building maintenance and customer-facing financial systems on the same network. Only it didn't save money in the end, either Home Depot's or their customers.

      1. Wzrd1

        Re: Add more technology - solved

        As was suggested, rather obliquely above, putting vendor crap onto their own DMZ is trivial.

        Enforcing password complexity within one's enclave is best practices (as is putting foreign things not related to one's day to day business operations on their own DMZ(s)).

        So, what does each instance of breach tell us? Not a damned one of those organizations passed a proper audit.

        Hence, are legally culpable for any damages suffered by consumers injured by their lousy practices.

        Back when I was a system and network administrator, I followed best practices. I did so not for some altruistic reason, I did it simply because I'm lazy and didn't want to have to work recovering from a breach.

        1. Alan Brown Silver badge

          Re: Add more technology - solved

          "Back when I was a system and network administrator, I followed best practices. I did so not for some altruistic reason, I did it simply because I'm lazy and didn't want to have to work recovering from a breach."

          Not to mention that failing to do so may leave you open to legal action AND your liability insurer refusing to pay out.

  3. Anonymous Coward
    Anonymous Coward

    Relying on network security alone - Madness!

    I bet the tills are on an network cable - any one of which could be unplugged to allow the hacker access to the network.

    Also - I call B$ on 'custom malware' - I bet they were running unpatched PCs with out-of-date AV - any old malware would have done.

    And the fact they were able to do privilege escalation also means they were able to very easily either sniff weakly encrypted passwords off the wire, or more likely execute an exploit against a server and scrape the Admin password of there - which more likely than not, was the same account on all servers.

    Muppets.

    1. Alan Brown Silver badge

      Re: Relying on network security alone - Madness!

      "I bet the tills are on an network cable - any one of which could be unplugged to allow the hacker access to the network."

      This is something which repeatedly surprises me (but shouldn't) - seeing POS terminals in large retailers unattended and with the network cable connection sitting in plain sight on the customer side of the device where it's trivial to interfere with it.

      At the very least a locking connector should be used.

  4. Stevie Silver badge

    Bah!

    Anyone remember when cash registers were not connected together using an unfit-for-purpose technology?

    1. Anonymous Coward
      Meh

      Re: Bah!

      Yes they would be the ones that didn't know what a bar code was so the 200,000 items on the shelves had to be priced (and repriced) by hand.

      1. Number6

        Re: Bah!

        The natural firewall in the system should be to have the barcode scanner and associated computer kit attached to the network - the worst that happens here is that customers get charged the wrong price. The checkout operator should then read the total off the screen and enter it into the card-reading system, which is entirely separate from the other network and the customer can verify the amount.

        Of course, they still need a proper security protocol and decent network for the card readers, but there's no reason for all their suppliers to be talking to that network - it's a machine in a locked room with secure access to the card companies for verification and links to all the card readers in the store. The network switch should enforce MAC address validation to raise the bar a bit higher, and I'd even go as far as putting in a mechanism that noted when a terminal goes off-line and requires manual intervention to put it back with a security code. This gives some line of defence against a terminal being unplugged and the MAC cloned - the attacker it still won't get to talk to everything else until another step has been completed.

        Security could be a lot better than it has been to date, and hopefully the big retailers with centrally-managed systems are starting to realise that it's cheaper than dealing with a security breach.

        1. Marketing Hack Silver badge
          Stop

          Re: Bah!

          "hopefully the big retailers with centrally-managed systems are starting to realise that it's cheaper than dealing with a security breach."

          How much do you want to bet that as a group, they (the big retailers) won't realize this?

  5. zen1

    sorry, but

    that's probably going to happen when someone turns over the keys to their security infrastructure, by outsourcing portions of it. outsourcers are forced into unrealistic sla's and implementing policies and security schemes much faster than they should be, and if it's anything like I've seen at some of the large corporations I've worked for, people who haven't been adequately trained are attempting to tune a fairly complex system and hoping that it's all "fire and forget".

    Finally, security infrastructures in large enterprises are not something you just turn on and walk away from. They're very high maintenance and they require appropriate levels of staffing, with people who have a clue and aren't manage by a bunch of fucking bean counters.

  6. Glenn 6

    Wait a tick.. Isn't it the responsibility of the server and not the client to enforce password policies, so the inevitably dumb end-users you're going to have accessing your systems CAN'T use bad passwords?

    1. Anonymous Dutch Coward

      @Glenn 6

      Yes, that. The company giving third parties access also have a responsibility to vet these third parties/make sure they abide by security policies, monitor for security intrusions and actually are responsible (versus their own clients) for everything that is done once logged in with that account.

      But it makes nicer spin if you just repeat "third party" as if it wasn't their own shoddy IT security... it's just that it's not ONLY their own shoddy IT security.

    2. Cynic_999 Silver badge

      It's not necessarily to do with bad passwords. Low-paid employees are often given the means to access a corporate network so that they can do any grunt-work that the suits don't want to do - such as when data entries or system changes becomes urgently necessary on a Sunday evening for example. Low paid employees can usually be bought for an affordable price - and telling someone a password would not make the average person feel terribly guilty about having committed a terrible crime.

  7. Cipher

    This is why cash...

    ...is a good option in many cases. Or a pre-paid debit card for more expenive items, limit what these idiot retailers know about you, limit their (and therefore the crooks) access to your details.

    1. RaidOne

      Re: This is why cash... @Cipher

      Not for me, if I cannot pay by credit card then it defeats the purpose of carrying one. I don't like carrying a lot of cash, and pre-paid debit/credit cards have huge fees.

      While Home Depot's security blunder is inexcusable, at least they did something right: they gave all customers (me included) one year of free credit monitoring, which is handy. At the end of the year, I will change my card.

      1. Alan Brown Silver badge

        Re: This is why cash... @Cipher

        "Not for me, if I cannot pay by credit card then it defeats the purpose of carrying one."

        And if you use a credit card you have automatic cover against fraudulent transactions anyway.

        Not so much with other methods.

  8. Grexican

    So why hasn't the third-party vendor been named?

    1. Marketing Hack Silver badge
      Unhappy

      Its probably some company that makes shovels or doorknobs, or they are a nursery that provides the chrysanthemums that Home Depot's garden department sells. When you have a huge big-box store that sells tens of thousands of items, you hundreds and thousands of suppliers, each of them a potential vulnerability. So given this, I have no idea why a SCM network needs to be so insecure that someone from the shovel supplier can come in through SCM and ultimately infect the POS.

  9. William Boyle

    See Target

    The Target exploit used the same approach by hacking through the HVAC systems that had used an unmodified admin password. Once in the HVAC system, they pretty much were able to get into the rest of the network.

  10. Gene Cash Silver badge

    Nah, the actual problem with Target is that the intrusion alert system yelled for weeks and anyone trained to deal with it had been laid off as "too expensive"

  11. Peter 39

    cobblers

    Having your everyday network traffic on the same network as the POS systems makes as much sense as giving a spare key to the safe with the contract cleaning crew. In every store.

  12. Jin

    Need to cope with "Interference of Memory"

    Using a strong password does help a lot even against the attack of cracking the leaked/stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses.

    At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

  13. david 12 Bronze badge

    2 factor authentication

    "Enterprises should adopt 2 factor authentication for vendors who require access to their corporate networks and applications"

    This. Standard, off the shelf technology. At this stage, failure to use 2 factor authentication for remote access by associated companies isn't surprising, it's just pathetic.

  14. Anonymous Coward
    Anonymous Coward

    And the ultimate lesson learned is...?

    Don't do business at Home Depot. Problem solved.

  15. GarWarner

    Normal Behaviour?

    RE: "Let’s be clear: this is not hacking, this is routine activity that looks like normal behaviour."

    If downloading 53 or 56 million accounts is "normal behaviour" on your network you should fire your security staff and start fresh. Access control is about classification, categorization, and rate of flow. Audit controls should be established that address all three. (1) Do I trust this user for this level of sensitivity, (2) Does the category of data being accessed relate to the role held by this user, (3) Is the volume of data being requested consistent with the roles and responsibilities held by this user.

    If you are exceeding authority in any of those categories via cyber means, you are not performing "normal behaviour" - you are hacking!

    Gary Warner - UAB Computer Forensics

    1. Michael Wojcik Silver badge

      Re: Normal Behaviour?

      I think it's pretty clear from the quote that the most plausible interpretation is that signing on using a valid account and password is "not hacking". That was his point - the initial intrusion wasn't something that could be detected as a breach. (The subsequent privilege elevation and data theft are another story, of course.)

  16. Bob Dole (tm)

    I think its funny that target, hd and others are trying to blame third parties for what is ultimately a problem in their system.

    Keep it up. We know better

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019