Target Credit Card Data Was Sent To a Server In Russia

angry tapir writes "The stolen credit card numbers of millions of Target shoppers took an international trip — to Russia. A peek inside the malicious software that infected Target's POS (point-of-sale) terminals is revealing more detail about the methods of the attackers as security researchers investigate one of the most devastating data breaches in history. Findings from two security companies show the attackers breached Target's network and stayed undetected for more than two weeks. Over two weeks, the malware collected 11GB of data from Target's POS terminals. The data was first quietly moved to another server on Target's network and then transmitted in chunks to a U.S.-based server that the attackers had hijacked. Logs from that compromised server show the data was moved again to a server based in Russia starting on Dec. 2." A related article at Wired points out that Target suffered a similar breach in 2005, and apparently didn't learn its lesson.

Re: It could have been worse...

[Anonymous Coward]

Considering that all of the servers in question run on vSphere with NFS LUNs mapped against a NetApp, snapshotted hourly and off-sited nightly, the wiping of servers while painful wouldn't be "that bad".

Also, the server VMs RHEL, updated regularly while the POS Terminals are Netbooted WinPE with a very old Java version.

And the NSA Missed All Of This?

[littlewink]

Where's our protection from Russian financial terrorists? Were the NSA employees in charge distracted by their Starbucks carmel macchiatos at the time this was coming down?

A clear instance of international crime/terrorism and NSA was asleep at the wheel.

Re: POS

[ChromaticDragon]

I am curious regarding your information. Got source?

Last I'd heard, the expected sum of lawsuits, settlements, fines, etc. would be WELL over $100mil (as in several times that). Apparently, for reference, a similar breach, TJ Maxx, ended up being closer to $200mil.

Furthermore, it seems Target was self-insured for this. So it isn't quite correct to think they will glibly had this bill to an insurer - they ARE their own insurer.

PCI compliance?

[NynexNinja]

Target suffered similar data theft in 2005, and now again in 2013. By storing cardholder information, CVV's and (worst) PIN's in the clear, they obviously are not PCI DSS compliant. If this happened to any other retailer, Visa would revoke their PCI compliance status. If nothing happens regarding their PCI compliance status, what does it say about PCI compliance in general? PCI compliance is nothing but a joke, not to be taken seriously. Why even go through the work and trouble to get PCI DSS certified if companies like Target can flout the rules and get away without any penalties.

Re: POS

[Megane]

The thing that bugs me most is that they were on a network that was routed to the entire internet. Yeah, I don't think a POS terminal needs to be able to check Google or Facebook, much less "chernyykhod.ru". Even simply putting them on a VLAN with a very restrictive firewall to the public internet would have avoided the problem. And a RFC-1918 network doesn't count if it's behind a NAT router, since these packets went outbound from the POS. Belt and suspenders.

Re: POS

[Anonymous Coward]

They might care, but I can bet their solution will be more bureaucracy rather than better technology. There are likely IT people within the company that see the problems and know how to fix them but they will be ignored. CxO types hate those annoying IT people that are always complaining about security. They will bring in a solution sold by a slick sales person at a major company.

Re:And the NSA Missed All Of This?

[swb]

I keep asking myself why the NSA isn't more involved in large-scale financial fraud considering their ample abilities to sample international data networks and their likely considerable focus on Russia and the involvement of shady financial transactions in funding terrorism.

In the case of Russia specifically, I would expect the NSA to be heavily involved in monitoring Russian hackers given the shadowy nexus of hackers, organized crime, ex-KGB agents, and the current FSB.

It largely doesn't matter

[Kardos]

I'm not going to defend Target for being embarrassingly sloppy, however, no matter how you look at it, it largely doesn't matter:

a) It's a business decision to invest in cyber-insurance or cyber-security, they picked insurance. As technical people, we like technical solutions, but maybe insurance was the right choice.

b) If a consumer gets hit by a fraudulent cc charge, they don't eat the charge. They call their cc issuer and the issuer eats the charge. That is in part what your double digit interest rate is paying for.

c) Everyone gets credit monitoring. If the credit monitoring is not snake oil, then it'll catch cc fraud that's not a direct result of this Target screw up. This may actually be a benefit. People who were dimly aware of how the cc system works will become informed. This is probably a net positive here.

d) Awareness is raised about POS security; other companies who are running the similarly secured systems may be motivated to fix it. Another net positive.

The only people getting screwed are Target (for operating a shit system) and/or the cc issuers (for permitting Target to run a shit system).

Re:PCI compliance?

[alen]

it's like SOX and HIPAA
you do a lot of work "certifying' that things work according to someone's checklist and repeat next year

they are nothing more than jobs programs for auditors and a get out of jail free card for everyone involved

Re:Limiting outbound access to servers is too toug

[trybywrench]

Unless I'm reading it wrong you're basically disabling webservices like making a SOAP call to a third party on behalf of the connecting user-agent. That's a non-starter for just about all companies that have at least one business partner.