[Security News] Target store hacks caused by stolen HVAC employee login credentials

octoberasian

From KrebsOnSecurity, via Gizmodo.

Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.

...

It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”
Rough sketch of how this happened, based on what I've read in the article and the news so far since this was reported.

[image: target_data_breach.jpg]

Question for the security experts on [H]ardForum:

  1. For those that work for large companies like Target, is it typical for them to cut costs over improving security? Is it typically cheaper to remotely access a system to monitor and maintain it instead of hiring and sending a technician there to personally check on it?
  2. Is Target wholly at fault here for not securing their system or providing a separate network for third-party vendors and companies? At fault for consolidating all systems on one network system?
  3. What are your thoughts on this data breach?
 
I'll just say this.
I had to provide outside VPN access as well as create an AD account for our HVAC vendor.
I was told how I had to name the account and what password the vendor wanted to use. Neither of which conformed to our internal best practices or standards.

I was also unable to implement any ACL's on the VPN access because the vendor might need to VPN in from anywhere.

I brought my concerns up to management about how the username/password was unsecure, how the connection from the outside was not locked down. I was flat out told to drop my concerns. The A/C units in the buildings were more of a concern than security. Plus, if we locked things down then the vendor might have trouble fixing a problem remotely. (heaven forbid)

So yeah, a lot of companies see security as a hindrance to everything.
 
At the company I work for we watch vendors like a hawk. If an HVAC employee needs to perform routine maintenance, they must sign into a logbook and provide photo ID. The receptionist then phones our department and we meet them at the door. Their visit must also be approved by either the Systems Manager or IT director. While they work in the server room we must maintain eyes on them at all times. All these actions are recorded by security cameras. We take these precautions for security and "oops I knocked something loose".
 
At the company I work for we watch vendors like a hawk. If an HVAC employee needs to perform routine maintenance, they must sign into a logbook and provide photo ID. The receptionist then phones our department and we meet them at the door. Their visit must also be approved by either the Systems Manager or IT director. While they work in the server room we must maintain eyes on them at all times. All these actions are recorded by security cameras. We take these precautions for security and "oops I knocked something loose".
I wish I worked at a place that took things seriously.

A telco repair guy shows up at one of our sites with a butt set and a smile and the receptionist lets him go wherever he wants. The site director even lets them into our IT closets. (all this without notifying us btw)
 
I wish I worked at a place that took things seriously.

A telco repair guy shows up at one of our sites with a butt set and a smile and the receptionist lets him go wherever he wants. The site director even lets them into our IT closets. (all this without notifying us btw)

These also seem to be the companies that ask me "What can we do to improve our security?". The first suggestion I make is to not grant every Tom, Dick, and Harry access without first verifying who they are. To answer octoberasian's question, yes it's very common for large companies to have very lax and even sometimes non-existent security policies. Cyr0n_k0r is absolutely right about the lack of concern over real security, but if it inconveniences a vendor or management person, it's a completely unreasonable concern.
 
  1. For those that work for large companies like Target, is it typical for them to cut costs over improving security? Is it typically cheaper to remotely access a system to monitor and maintain it instead of hiring and sending a technician there to personally check on it?
  2. Is Target wholly at fault here for not securing their system or providing a separate network for third-party vendors and companies? At fault for consolidating all systems on one network system?
  3. What are your thoughts on this data breach?

1. Yes. Granted, I can only speak for the corporations I've worked at, but it's very common for the PHBs to cut security to save the budget. It usually boils down to (in)competence: they'll see a line item they don't understand, nor understand the benefit thereof, so it's an easy choice. Especially given the costs often involved with doing security right.

This may also be symptomatic of the corporate culture at Target, and how they view IT. Where IT is a "respected member of the team", security tends to be given higher precedence. Where IT is treated like a cost that no one understands, security is often poor (well, among other things).

2. Target is wholly at fault. Proper security practice is to isolate your critical traffic, giving access only where a need exists. Allowing an outside, third party to access ANYTHING that touches payments? Profoundly stupid. I wouldn't even give that kind of access to the payment vendor except on a per-need basis.

3. From what little I know of Target's IT culture, this will happen again. Oh, they'll fix this flaw and get things squared away there for a little while, but IT doesn't seem to be respected there. Which means something else will open up and they'll get nailed again.
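The segmentation principle in point 2 above, and the missing VPN ACLs described earlier in the thread, as an added example that is not from any poster: a small first-match policy evaluator contrasting a flat network (vendor VPN can reach anything) with a segmented one (vendor VPN reaches only the building-management hosts, default deny), plus an audit that flags any allow rule letting a third-party zone touch the payment segment. All zone names, address ranges and ports are constructed assumptions, not Target's real network; note that the source side is still "from anywhere" within the VPN pool, so the vendor's roaming requirement does not prevent locking down the destination.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample zones (assumed for the example, not a real network layout).
ZONES = {
    "vendor_vpn": ipaddress.ip_network("10.250.0.0/24"),  # HVAC vendor VPN address pool
    "hvac_bms":   ipaddress.ip_network("10.20.5.0/24"),   # building-management hosts
    "payment":    ipaddress.ip_network("10.1.0.0/16"),    # POS / payment segment
    "corp":       ipaddress.ip_network("10.10.0.0/16"),   # general corporate segment
}

@dataclass(frozen=True)
class Rule:
    src: str             # zone name or "any"
    dst: str             # zone name or "any"
    dport: Optional[int] # None means any destination port
    action: str          # "allow" or "deny"

# Flat network: the vendor VPN lands on the same segment as everything else.
FLAT_RULES = [Rule("any", "any", None, "allow")]

# Segmented: vendor VPN reaches only the BMS hosts on the vendor tool's port (assumed 443); default deny.
SEGMENTED_RULES = [
    Rule("vendor_vpn", "hvac_bms", 443, "allow"),
    Rule("corp", "hvac_bms", 443, "allow"),
    Rule("any", "any", None, "deny"),
]

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(rules, src_ip, dst_ip, dport):
    """First-match evaluation of a flow; anything that matches no rule is denied."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src in (s, "any") and r.dst in (d, "any") and r.dport in (dport, None):
            return r.action
    return "deny"

def audit(rules, third_party=("vendor_vpn",), critical=("payment",)):
    """Return allow rules that let a third-party zone reach a critical zone, directly or via 'any'."""
    return [r for r in rules if r.action == "allow"
            and r.src in third_party + ("any",) and r.dst in critical + ("any",)]
```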
 
At the company I work for we watch vendors like a hawk. If an HVAC employee needs to perform routine maintenance, they must sign into a logbook and provide photo ID. The receptionist then phones our department and we meet them at the door. Their visit must also be approved by either the Systems Manager or IT director. While they work in the server room we must maintain eyes on them at all times. All these actions are recorded by security cameras. We take these precautions for security and "oops I knocked something loose".

We don't have the time to do this because we don't have the man power to sit and babysit someone for hours while tickets and projects pile up. I push security as much as I can but, as it is with all things, there's trade-offs.
 
That is a *REALLY* big gap between "Internet" and "Target Servers" in your diagram...
 
I'll just say this.
I had to provide outside VPN access as well as create an AD account for our HVAC vendor.
I was told how I had to name the account and what password the vendor wanted to use. Neither of which conformed to our internal best practices or standards.

I was also unable to implement any ACL's on the VPN access because the vendor might need to VPN in from anywhere.

I brought my concerns up to management about how the username/password was unsecure, how the connection from the outside was not locked down. I was flat out told to drop my concerns. The A/C units in the buildings were more of a concern than security. Plus, if we locked things down then the vendor might have trouble fixing a problem remotely. (heaven forbid)

So yeah, a lot of companies see security as a hindrance to everything.


That's pretty much it in a nutshell. Everyone wants to take security seriously until it can possibly cost them $0.01 on some analyst's spreadsheet, then they channel their inner Monty Python and scream "Run away!! Run away!!".
 
We don't have the time to do this because we don't have the man power to sit and babysit someone for hours while tickets and projects pile up. I push security as much as I can but, as it is with all things, there's trade-offs.

That's the attitude everywhere until a hundred million credit cards are stolen. Then you could have paid a dozen people to cup the vendor's balls while he worked.
 