Target Credit Card Data Was Sent To a Server In Russia
angry tapir writes "The stolen credit card numbers of millions of Target shoppers took an international trip — to Russia. A peek inside the malicious software that infected Target's POS (point-of-sale) terminals is revealing more detail about the methods of the attackers as security researchers investigate one of the most devastating data breaches in history. Findings from two security companies show the attackers breached Target's network and stayed undetected for more than two weeks. Over two weeks, the malware collected 11GB of data from Target's POS terminals. The data was first quietly moved to another server on Target's network and then transmitted in chunks to a U.S.-based server that the attackers had hijacked. Logs from that compromised server show the data was moved again to a server based in Russia starting on Dec. 2."
A related article at Wired points out that Target suffered a similar breach in 2005, and apparently didn't learn its lesson.
Re: It could have been worse... (Score:0, Interesting)
Considering that all of the servers in question run on vSphere with NFS LUNs mapped against a NetApp, snapshotted hourly and off-sited nightly, the wiping of servers, while painful, wouldn't be "that bad".
Also, the server VMs are RHEL, updated regularly, while the POS Terminals are Netbooted WinPE with a very old Java version.
And the NSA Missed All Of This? (Score:5, Interesting)
Where's our protection from Russian financial terrorists? Were the NSA employees in charge distracted by their Starbucks caramel macchiatos at the time this was coming down?
A clear instance of international crime/terrorism and NSA was asleep at the wheel.
Re: POS (Score:5, Interesting)
I am curious regarding your information. Got source?
Last I'd heard, the expected sum of lawsuits, settlements, fines, etc. would be WELL over $100mil (as in several times that). Apparently, for reference, a similar breach, TJ Maxx, ended up being closer to $200mil.
Furthermore, it seems Target was self-insured for this. So it isn't quite correct to think they will glibly hand this bill to an insurer - they ARE their own insurer.
PCI compliance? (Score:5, Interesting)
Re: POS (Score:5, Interesting)
They might care, but I can bet their solution will be more bureaucracy rather than better technology. There are likely IT people within the company that see the problems and know how to fix them but they will be ignored. CxO types hate those annoying IT people that are always complaining about security. They will bring in a solution sold by a slick sales person at a major company.
Re:And the NSA Missed All Of This? (Score:4, Interesting)
I keep asking myself why the NSA isn't more involved in large-scale financial fraud considering their ample abilities to sample international data networks and their likely considerable focus on Russia and the involvement of shady financial transactions in funding terrorism.
In the case of Russia specifically, I would expect the NSA to be heavily involved in monitoring Russian hackers given the shadowy nexus of hackers, organized crime, ex-KGB agents, and the current FSB.
It largely doesn't matter (Score:4, Interesting)
I'm not going to defend Target for being embarrassingly sloppy, however, no matter how you look at it, it largely doesn't matter:
a) It's a business decision to invest in cyber-insurance or cyber-security, they picked insurance. As technical people, we like technical solutions, but maybe insurance was the right choice.
b) If a consumer gets hit by a fraudulent cc charge, they don't eat the charge. They call their cc issuer and the issuer eats the charge. That is in part what your double digit interest rate is paying for.
c) Everyone gets credit monitoring. If the credit monitoring is not snake oil, then it'll catch cc fraud that's not a direct result of this Target screw up. This may actually be a benefit. People who were dimly aware of how the cc system works will become informed. This is probably a net positive here.
d) Awareness is raised about POS security; other companies who are running similarly secured systems may be motivated to fix it. Another net positive.
The only people getting screwed are Target (for operating a shit system) and/or the cc issuers (for permitting Target to run a shit system).
Re:PCI compliance? (Score:4, Interesting)
it's like SOX and HIPAA
you do a lot of work "certifying" that things work according to someone's checklist and repeat next year
they are nothing more than jobs programs for auditors and a get out of jail free card for everyone involved
Re:Limiting outbound access to servers is too toug (Score:4, Interesting)