Here's How Target Was Breached

HardOCP News

I was just going to go with "they're a bunch of morons," but I guess there is a little more to it than that.

The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.
 
Two of those sources said the malware in question was Citadel – a password-stealing bot program

 
I'm still going with "they're a bunch of morons". There is no excuse for having your payment card information/network accessible from the HVAC controllers. It is pretty amazing they passed PCI audits.
 
I'm still going with "they're a bunch of morons". There is no excuse for having your payment card information/network accessible from the HVAC controllers. It is pretty amazing they passed PCI audits.

PCI DSS does allow for a 3rd party to have access to your network. However, you are supposed to ensure that they are following certain rules also. But I do agree that they shouldn't have had all that on the same network.
 
Erm yeah, HVAC firms are going to get viruses. If this leads to Target leaking 110 million CC numbers this is far more Target's fault than the HVAC contractor. That's like blaming the 3 yr old for getting into the cookie jar when you left it on the floor.
 
I'm still going with "they're a bunch of morons". There is no excuse for having your payment card information/network accessible from the HVAC controllers. It is pretty amazing they passed PCI audits.

There still isn't any real proof of this. Krebs speculates that Active Directory could have been the link. Others speculate it's because the attackers had access to various intranet sites that gave them a map on how to get inside.

So let's say the HVAC was the way into the intranet. Use info from there to impersonate a real user and then use those credentials to VPN into the payment network.
 
To be clear, Malwarebytes Anti-Malware (MBAM) free is quite good at what it’s designed to do – scan for and eliminate threats from host machines. However, there are two problems with an organization relying solely on the free version of MBAM for anti-malware protection: Firstly, the free version is an on-demand scanner that does not offer real-time protection against threats (the Pro version of MBAM does include a real-time protection component). Secondly, the free version is made explicitly for individual users and its license prohibits corporate use.

This doesn't help their case at all either
 
I speculated it was some high ranking personnel who was doing some dumb, bored executive type of things (ya know, trying to stay away from the darn pr0n, and things like that) with his feet on the desk. Or someone slightly lower ranking was in on it.
 
PCI DSS does allow for a 3rd party to have access to your network. However, you are supposed to ensure that they are following certain rules also. But I do agree that they shouldn't have had all that on the same network.

Well it really depends on what your definition of what the 'same network' is. You should have independent routing domains (i.e. VRF) defined for such occurrences where a firewall policy fails you, at least there isn't even a route to get there (or more likely return).

I tend to agree with some of the other sentiments on here that it was most likely a multi-faceted information grab to get the treasure map, so to speak. I have seen it time and time again; it is amazing what sensitive information compartmentalized IT departments will leave lying around from other disciplines. IP addresses of domain controllers, DN/CN info from the AD domain in clear text for AAA configuration policies, etc.

Of course, it also could have been a contractor breach through whomever Target used to set up their merchant processing for the REDcard. I haven't seen too many people explore that avenue.
 
There still isn't any real proof of this. Krebs speculates that Active Directory could have been the link. Others speculate it's because the attackers had access to various intranet sites that gave them a map on how to get inside.

So let's say the HVAC was the way into the intranet. Use info from there to impersonate a real user and then use those credentials to VPN into the payment network.

I haven't read exactly what he means by Active Directory being the link, but if you're referring just to authentication then that's at least plausible. Generally speaking, though, you're not going to get too far in a well-set-up environment even if you happen to know a few valid AD passwords... That almost seems backwards, because in order to get deep enough into things you would have to already have a way in to even be able to authenticate against AD.
 
Sounds like the real bonehead part is the software the contractor company chose: malwarebytes, which did not detect the Trojan.
 
I haven't read exactly what he means by Active Directory being the link, but if you're referring just to authentication then that's at least plausible. Generally speaking, though, you're not going to get too far in a well-set-up environment even if you happen to know a few valid AD passwords... That almost seems backwards, because in order to get deep enough into things you would have to already have a way in to even be able to authenticate against AD.

It's a few paragraphs down in the article:

<snip>
“I know that the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application,” the source said. “Most, if not almost all, internal applications at Target used Active Directory (AD) credentials and I’m sure the Ariba system was no exception. I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network in some form or another.”...

“In fairness to Target, if they thought their network was properly segmented, they wouldn’t have needed to have two-factor access for everyone,” Litan said. “But if someone got in there and somehow escalated their Active Directory privileges like you described, that might have [bridged] that segmentation.” </snip>

They had access to the HVAC shop for two months before moving on to Target, and they originally gained access via email malware. Phishing is a major problem for plenty of large corporations and, if the attacker is smart, can take a long time to discover. I highly doubt that the problem was that security was so lax; it was that they were able to get enough info to successfully take over the correct accounts.
 
I used to do a lot of work for small HVAC companies (outsourced IT). To some, IT is last on their list of priorities.
Can't blame them, but you can't totally remove them from the blame either, as they don't have adequate IT to manage this stuff.

The company’s primary method of detecting malicious software on its internal systems was the free version of Malwarebytes Anti-Malware.

Secondly, the free version is made explicitly for individual users and its license prohibits corporate use.

They (HVAC companies) are cheap and will use what they can to get by. A lot of small companies I worked with weren't going to put up the money to get the Pro version of anything.
 
An external service provider had a login to the company intranet?

Who gives an external company access to an internal network, and where is the encryption key generator to confirm the authentication, to allow access to something so sensitive?
 
I'm still going with "they're a bunch of morons". There is no excuse for having your payment card information/network accessible from the HVAC controllers. It is pretty amazing they passed PCI audits.

Congrats on not even skimming the article. You're probably a genius.
 
I used to do a lot of work for small HVAC companies (outsourced IT). To some, IT is last on their list of priorities.
Can't blame them, but you can't totally remove them from the blame either, as they don't have adequate IT to manage this stuff.

They (HVAC companies) are cheap and will use what they can to get by. A lot of small companies I worked with weren't going to put up the money to get the Pro version of anything.

Yeah, you can blame them. This HVAC company should be crushed as an example to small vendors everywhere to get their shit together, or get a real job.

All this networking stuff is utter bullshit anyway. The whole problem would have been solved by Target by employing a secretary for 30K to send and process paper bills.
 
For those of you who work in large corporations with well-funded and secure IT departments and systems, who may not have experience with smaller companies, I can tell you that the practices by that HVAC company are woefully commonplace. I can guarantee that if you went to Fazio you would see a system of hacked-together or refurbished PCs, probably grey-and-black Dell Dimensions, running un-updated Windows XP Home. They don't have antivirus, and if they do there is no procedure in place to run manual scans or update virus definitions. While there is absolutely nothing wrong with Malwarebytes (it's actually a fantastic program), it has no business being on an enterprise-level machine, and people don't know it's a manual program, not an automatic one.

For these reasons I believe the initial method of intrusion was social engineering; either a phone call or email explicitly asking for credentials. It's just so easy. Pick a small business out of the phone book and call them up claiming to be their IT support. It would take no more than 3 companies before you would find a receptionist who would gladly give you remote access to fix some problem she's been having with printing, web browsing, etc.
 
For those of you who work in large corporations with well-funded and secure IT departments and systems, who may not have experience with smaller companies, I can tell you that the practices by that HVAC company are woefully commonplace. I can guarantee that if you went to Fazio you would see a system of hacked-together or refurbished PCs, probably grey-and-black Dell Dimensions, running un-updated Windows XP Home. They don't have antivirus, and if they do there is no procedure in place to run manual scans or update virus definitions. While there is absolutely nothing wrong with Malwarebytes (it's actually a fantastic program), it has no business being on an enterprise-level machine, and people don't know it's a manual program, not an automatic one.

*THIS

The "IT company" servicing the HVAC has their hands tied on what they can do based on the budget the HVAC has allocated. The majority of the time it's not even enough for one new PC. Shortcuts are made and things are made to work even when it's not the correct way to do it. PCI compliance is thrown out the window because they don't know what "PCI" even means.
 
*THIS

The "IT company" servicing the HVAC has their hands tied on what they can do based on the budget the HVAC has allocated. The majority of the time it's not even enough for one new PC. Shortcuts are made and things are made to work even when it's not the correct way to do it. PCI compliance is thrown out the window because they don't know what "PCI" even means.

Big time. We do a lot of IT for companies just such as this, and I warn them again and again that their practices WILL get them into trouble at some point. I tell them what I can do to up their security, most of it being only a few hours onsite, and I get shot down by accounting. I have started to document all of this, and it is getting to the point where I am going to type up a disclaimer saying they have been warned, and make them sign it.
 
Big time. We do a lot of IT for companies just such as this, and I warn them again and again that their practices WILL get them into trouble at some point. I tell them what I can do to up their security, most of it being only a few hours onsite, and I get shot down by accounting. I have started to document all of this, and it is getting to the point where I am going to type up a disclaimer saying they have been warned, and make them sign it.

As you should. Otherwise something happens and they get fined or sued and then come back to you stating that you did not warn them.
 
I haven't read up on this, but was the information being transmitted to the 3rd party? If so, shouldn't Target have had real-time monitoring on its payment processing channel for any outside connection? I work for a financial institution and, although I'm not in IT, because of my position I get calls at 3am when Creative Suite tries to update... and that's accessing a server that has nothing important on it... how did they not catch this? Unless they were gathering the information in batch files on an external drive, I don't get it.
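The kind of check the post above is asking for, as an added example that is not from this thread or from any Target system: a small egress monitor that flags any connection from a payment (cardholder-data) segment to a destination outside an explicit allowlist, and totals the bytes sent to unexpected hosts. The address ranges and flow records are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed address plan for the example (not Target's):
CDE_NET = ipaddress.ip_network("10.50.0.0/16")       # payment / cardholder-data segment
# Only destinations a payment host has a business reason to reach:
ALLOWED_EGRESS = [
    ipaddress.ip_network("198.51.100.0/24"),  # payment processor (TEST-NET-2, placeholder)
    ipaddress.ip_network("10.60.1.0/24"),     # internal log and patch servers
]


@dataclass(frozen=True)
class Flow:
    """One connection record, e.g. from a firewall or NetFlow export."""
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_cde_egress_violation(flow: Flow) -> bool:
    """True when a CDE host talks to a destination that is neither inside
    the segment nor on the egress allowlist."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in CDE_NET or dst in CDE_NET:
        return False  # not CDE-originated, or east-west traffic handled elsewhere
    return not any(dst in net for net in ALLOWED_EGRESS)


def find_violations(flows):
    return [f for f in flows if is_cde_egress_violation(f)]


def unexpected_bytes_by_host(flows):
    """Bytes each CDE host sent to non-allowlisted destinations; a large
    total is the volume signal a real-time monitor would page on."""
    totals = defaultdict(int)
    for f in find_violations(flows):
        totals[f.src] += f.bytes_out
    return dict(totals)


# Constructed sample flows: two legitimate, one large transfer to an outside host.
SAMPLE_FLOWS = [
    Flow("10.50.3.17", "198.51.100.10", 443, 12_000),
    Flow("10.50.3.17", "10.60.1.5", 514, 900),
    Flow("10.50.3.17", "203.0.113.44", 21, 9_800_000),
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"ALERT: {v.src} -> {v.dst}:{v.dport} ({v.bytes_out} bytes)")
```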
 