Security Vendors Self-Censor Target Breach Details 115
Posted
by
samzenpus
from the what-security-breach? dept.
from the what-security-breach? dept.
angry tapir writes "At least three security companies have scrubbed information related to Target from the Web, highlighting the ongoing sensitivity around one of the largest-ever data breaches. How hackers broke into Target and installed malware on point-of-sale terminals that harvested up to 40 million payment card details is extremely sensitive. Now, details that give insight into the attack are being hastily removed or redacted by security companies."
really ? (Score:1)
i hear changing default POS passwords helps
Your data is in everyone else's hands (Score:4, Insightful)
Exactly. The story that still isn't being expressed well is that your data is in the hands of every company you have transactions with.
And so you are entrusting all of them to have top-notch IT (better IT than all hackers interested in targeting them). What are the chances that's the case?
I'd hazard that 10% of companies have good, solid, rigid security policies (and it's the policies that matter much more than the tech, usually). So that implies that 90% of the time you hand out your personal info to someone, it's highly vulnerable.
Just chew on that for a bit. I'd be very interested in hearing proposals for a global solution.
Re:Your data is in everyone else's hands (Score:5, Interesting)
Even if you take every security precaution imaginable, you still remain with a system that can be broken into. I think the idea that you can hold companies criminally liable is a stupid one (and am glad they don't do it) much in the same way that it would be stupid to hold a bank criminally liable in the event of an armed heist.
That said, I think the problem isn't that our systems aren't secure enough, rather the problem is that the way we identify and authenticate is now inadequate.
Let's take credit cards for example: All the person needs to obtain is the numbers written on it, and they can buy things in your name. Unfortunately that means each time you make a purchase with that card, you are handing it over to somebody who can abuse it. We have the technology to avoid this, so why don't we? Something like this would be great:
Make the credit card number be a public key, and the private key is contained ONLY in the card itself using ISO 7816. The bank doesn't even have the private key, only the card itself does. If you want to make a purchase, the merchant generates a random 128-bit number and asks your card to sign it. If it signs it, it has proven its identity, and the merchant can go ahead and bill that card. No internet communication is necessary, so the business can still operate even in the event of a network outage.
If the card is stolen, it can be reported and the merchant can see that its stolen so long as they have network connectivity. Keep existing laws so that the consumer is only liable for up to $50 (most banks already waive that to zero.) Require the merchant to retain the original 128-bit number as well as the signed response to verify that the merchant actually saw the real card and can prove that they didn't fraudulently bill a customer. The card itself stores each 128-bit number and doesn't ever sign the same number twice. If the same 128-bit number happens to be generated twice (this borders upon a statistical impossibility, by the way) then the card is to interpret that as a hack attempt and zero out its private key.
Now if the merchants database is compromised, all the attacker has gained is the public key. They can't sign messages with that, so the information is useless. If another merchant tries to bill based on having a stolen 128-bit number, signed result, and public key, then they'll be caught as being linked to the conspiracy so fast that it'll make their head spin off of its shoulders.
There, you've just defeated about 99.99% of the credit card fraud out there; no more posts spammed to your favorite web boards of people offering to sell credit cards because that information is now useless. All that remains is somebody physically stealing your card and buying gas with it, which could be prevented in 90% of the cases with a PIN system.
Online purchases could easily be done with a $10 USB smart card reader. Add NFC support and your existing smartphone could be the reader.
Set up a similar scheme with social security numbers (the SSA issues smart cards instead,) and identity theft would only exist in stories you tell to your grandkids.
Re:Your data is in everyone else's hands (Score:5, Informative)
(Public key cryptography for credit cards)
I think you've more-or-less described the EMV standard, which is widely used pretty much everywhere except the USA.
http://en.wikipedia.org/wiki/E... [wikipedia.org]
I just bought some food by credit card, and the receipt says:
Visa Credit £6.34
[ICC] **** **** **** 3435
AID: A0000000013039
PAN SEQUENCE: 03
MERCHANT: **41872
AUTH CODE: 146972
PIN Verified
I have a smart card reader for validating online banking transactions, I think the administration and transport costs were probably more than the cost of the reader -- the bank sent it for free. The card has NFC, for low-value transactions (under £20, I think) I can pay contactlessly without a PIN. London is trialling accepting this for train/underground travel, it's already accepted for buses.
My card still has a magnetic strip, but I don't think it's ever been used.
Re: (Score:2)
Re: (Score:2)
I haven't read much on EMV, but from what I heard it just encrypts the account number, but the account number alone is still stored in a merchant database somewhere and can be reused (and doesn't feature non-repudiation.)
Correct me if I'm wrong, of course.
Re: (Score:2)
With a system like I described, you can keep the entire identifier number in your database. In fact, you'd probably want to. That number is useless to any hackers though, and the authentication result is only useful to the merchant you presented the card to. There would be no reason anywhere ever for another merchant to use that number. If they did use it, a red flag would show up at the bank as soon as they tried to bill the account, and they'd have a whole lot of 'splainin to do.
Re: (Score:2)
That would work, though I think 256-bit might be unnecessary. The reason you can have GUID collisions is because GUID (as per the name) assumes globally unique, as in these are numbers that everybody has to share as an identity for every possible thing, from filesystems to a can of beans.
This number is only important to that one card though, which is good for maybe 3 years before it has to be replaced (just like we already do with existing cards.) If the same random number gets used a second time in a diffe
Re: (Score:3)
Absolutely true. Companies these days are like 9th century coastal villages in Europe. Snakeoil vendors are selling magic potions and amulets to the village inhabitants promising to ward off evil. These villages may have some security people. These security people might be diligent and hard working, but when a horde of vikings appear on the horizon there is little or nothing they can do.
We need to withdraw to fortified castles and towns. Centralise our security resources and, instead of making holes all ove
Really? (Score:3)
Re: Really? (Score:3)
Not here. Target's pos pos is homebrew.
Re: (Score:2)
Re: (Score:2)
I bet it ran Windows CE and was connected to a register running Windows CE or XP, which in turn was connected to a Windows server. "RAM dump" as a method for extracting cleartext data is an ingenious misleading of the public, and the genius of that statement is that average people with a little bit of know-how will assume it was a super-sophisticated hardhack on an secret ultra-proprietary system and not some embarassing lack of proper encryption code within the system.
The truth will show that I was right,
Re: (Score:2)
The original hack could have been much easier... Just a well crafted series of 2d bar codes with the right escape characters could be enough to get the first machine, assuming they were not living on the corporate network for months or years.
What actually surprises me about this attack is that it was not better targeted; what is the point of millions of credit cards when you could pick and choose the cards you take at the register? Why go for the credit cards when identity fraud is so easy?
Interestingly, I
Re: (Score:3)
Not all microcontrollers can have their firmware dumped.
Re: (Score:2)
No need. Target had the ability to do remote firmware updates, meaning that a copy of the firmware was being kept on a server somewhere ready to be downloaded and disassembled. Once hacked it was a simple matter of sending it out to all terminals in stores and waiting for the data to roll in.
Re: (Score:2)
Which has absolutely nothing to do with the previous post I replied to. Thank you for your contribution.
Re: (Score:2)
Re: (Score:2)
Oh good (Score:5, Insightful)
Meanwhile, the guys in timbucktooistan can now order the proven exploit kit from their favorite BBS.
Meh.
Re: (Score:2)
Re: (Score:3)
Re:Oh good (Score:5, Insightful)
Re: (Score:2)
Target wasn't following security best practices. They were aware of certain risks and willingly took them.
You're missing the point (Score:2)
There's an easy solution.
Just hire one of those security companies!
Re: (Score:3)
Well, this might make you warm and fuzzy, perhaps it was a NSA hack in POS software so they could track the majority credit card transactions. This information was then passed onto another party who simply did what the hack was designed to do, extra all personal information. Now the question is can the NSA sue for copyright infringement because according to them and the US government the own the personal information of everyone on the planet.
Re: (Score:2)
Because planes and pressure cookers are easier to get your hands on, and fertilizer bombs smell fucking awful during production.
Re: (Score:2)
Target just couldn't handle this any worse (Score:5, Insightful)
If they'd just come out and said "Yes, some evil hax0rs got in to our system and stole lots of cards. Stupid haxors, everyone hates those guys. Here's how they did it, here's what we are doing, and here's some security experts that are helping us," well people would probably be fine with it.
Instead they are being all secretive and it makes people worry. They also are doing shit for notification. I always use my Target card when I shop at Target because it has the best bribes (5% off anything, since they actually run their own bank and don't have to pay payment processing fees on it). I have received zero notifications from Target about the compromise, and no new card. I know my card was hit, since I have friends who shop at the same store using non-Target cards that got notified, but Target hasn't done anything.
I'm not worried, they have to deal with all the fallout of any unauthorized charges and the card can only be used at Target, but it is just extremely bad form. It shows a real lack of care and understand as to the severity of this. It really makes them look bad.
If there's something history has show with regards to people and companies it is that you need to admit you fucked up, even if it wasn't your fault really, and show people how you are making it right. Then, they are happy and forgive. Get all secretive and hostile, and they'll get hostile right back.
Re: Target just couldn't handle this any worse (Score:2)
The card brands call the shots when this much sh!t hits the fan, but, yeah.
Re: (Score:3)
Target's CC-issuing arm also scuttled a 'chip-and-pin' rollout a while back; because the store side was worried about it taking longer at the register, and the 'marketing advantages' that were supposed to have been offered by the additional customer data didn't materialize...
Re:Target just couldn't handle this any worse (Score:5, Funny)
Given that this is at least the second (known) major Target CC breach, anyone who still holds out hope for Target's good faith may have difficulties with empiricism...
Nah dude, no problem with empe... imper... whatever you just said.
Yours,
Joe Average
(does the above illustrates well the level of critical thinking into the consumer mass?)
Re:Target just couldn't handle this any worse (Score:5, Insightful)
No one cares about security until they get hacked.
Re:Target just couldn't handle this any worse: ?? (Score:3, Interesting)
Well, this seems worse: I did an online order with store pickup at Target yesterday, and their Id "requirement" for pickup included scanning some kind of QR/barcode off the back of my driver's license! I could not figure out at first why the clerk was wanting me to take the card out of my wallet see-through holder when most clerks just glance at it for my birth date for buying booze (keep asking for the senior citizen discount, but it's never the right day...), or just to see that my name matches that on
Re: (Score:2)
The 2D barcode also has all that info. See this [turbulence.org] or this [turbulence.org] page to see what's on there.
Re: (Score:2)
OMG! The first time they did that I friggin' flipped. They asked to 'see' my license - I held it up so she could read the birthdate, and the salesperson grabbed it out of my hand and scanned it before I could object. Man, I was pissed! I complained to her, the store manager, and I wrote a letter to HQ. No one understood the privacy implications of them scanning all of that data from my license.
this site has a map [turbulence.org] and a table [turbulence.org] that tells you what's on your license by state. Virginia has a ton of info that I'd
Re: (Score:1)
Florida only uses the magnetic strip, but that site did not say what information that held :(
Re:Target just couldn't handle this any worse (Score:4, Interesting)
Target just couldn't (and can't) handle this FULL-STOP
My guess: the fix is expensive to apply, it will take some time and Target hopes that not-everybody-and-their-dog will know they are still vulnerable.
Because otherwise nobody would buy anything from Target on card any more - which would be quite wise for the potential customers but disastrous for Target.
I think is understandable, when it comes to survival, the "better your mama mourn you than mine" applies. So hush... "jobs are at risks", "share market may crash" and what-not will keep hax0rs happy for a while.
Re: (Score:2)
We could have a fun comparison: TARGET vs TEPCO !
Re:Target just couldn't handle this any worse (Score:4, Informative)
They also are doing shit for notification. I always use my Target card...I have received zero notifications from Target about the compromise, and no new card.
Are you sure? You might want to check you mailbox again, or your spam filters. I've received the following emails from them:
Dec 20 - Letter from Target’s CEO Gregg Steinhafel and Important Notice
Dec 23 - Important Information for our REDcard Holders
Re: (Score:1)
I know my card was hit, since I have friends who shop at the same store using non-Target cards that got notified...
No, you are assuming your information was taken because other people had their information taken at the same store.
Re: (Score:1)
Well I am not sure if I was hit by this, I used my card BF at target, but only heard about the hack from sites like this. BoA if that means anything which I think might cause they suck.
Useless effort (Score:4, Insightful)
If by "don't want to compromise the investigation" they mean "don't want to let the crooks know what we know", they have already failed. Any action to remove material now is simply playing to politics.
Personally, I think the value of publishing the data is higher than not tipping your cards to crooks. They know what they left behind.
Re: (Score:3)
It's not news that mag-stripe systems (with their 'Hey, let's pretend that the stripe data are some kind of secret, and require them for every transaction
Re: (Score:2)
Target's suits are tired of answering questions that continue to place the corporation in a negative light.
Can you imagine what their January sales numbers are going to be?
Wonder Why It keeps Happening? (Score:5, Insightful)
No open resolution of a security breach so that particular vector of attack can be scrutinized by the retail industry and perhaps better guarded against.
Better to control PR damage now than prevent a recurrence.
Re: (Score:3)
I'll guess the reason it keeps happening is because most of these systems are not implemented securely. The POS systems themselves may have security issues but I'm guessing that the communications aren't running over VPN tunnels.
I know Target keeps getting the headlines but wasn't there at least two other major retailers hit by this? Did they all use the same POS or contractor for implementation?
Re: (Score:2)
VPNs can be useful. They should be used to forcibly encrypting traffic as well as only restricting traffic to known sources, destinations, ports, etc.
Some PHBs think encryption like https is good enough and that simply isn't the case. Systems that have no business connecting to the Internet should be explicitly blocked from doing so. Systems that need to transmit data over the Internet for B2B traffic should do it over a VPN connection whenever possible with restrictions. I have seen too many systems gra
Re: (Score:2)
It is for Target management!
What the good guys know will be quoted (inaccurately) on cable news; shoppers and shareholders will find out how badly they're screwed. What the bad guys know stays on obscure forums in .ru.
One thing they are keeping quiet (Score:5, Interesting)
Re:One thing they are keeping quiet (Score:4, Informative)
Maybe. They do have a lot of job openings in Karnataka, Bangalore, India.
https://targetcareers.target.c... [target.com]
Come back OS2 (Score:2)
OS2 was BIG on AMT's to bad IBM dropped out how is eComStation going?
Closing the Barn Door... (Score:5, Informative)
...after all the cows got out.
Day late and a dollar short to worry about BlackPOS. Variants of "Dexter, first documented by Seculert in December 2012, is a Windows-based malware used to steal credit card data from PoS systems."
http://www.arbornetworks.com/a... [arbornetworks.com]
They have had 3 flavors so far:
1.] Stardust (looks to be an older version, perhaps version 1)
2.] Millenium (note spelling)
3.] Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)
I can buy any of these programs with a Tor browser, an ICQ client and some Bitcoin at any carder site on line.
A little late to be worried about snippets of code.
Re: (Score:1)
Nice Try but no:
http://www.tripwire.com/state-... [tripwire.com]
Surely no one will ever be hacked again! (Score:2)
Credit cards are stupid. (Score:3)
Who in hell thought it was a good idea to use a system where a single piece of information, consisting of just a few bytes, gives someone a blank check to my bank account? There are innumerable ways to concoct something more secure than this, especially these days when computing power (to do encryption) is ubiquitous. Such methods are of course not bulletproof, but they're a hell of a lot better than a guy with a pair of binoculars stealing credit card numbers, or what happened at Target.
Re: (Score:1)
Who in hell thought it was a good idea to use a system where a single piece of information, consisting of just a few bytes, gives someone a blank check to my bank account? There are innumerable ways to concoct something more secure than this, especially these days when computing power (to do encryption) is ubiquitous.
Well, in most of the world, that is the non-USA portion of it, credit cards have moved away from mag stripe to encrypted smartcards known as chip & pin. [wikipedia.org]
Chip & pin isn't perfect, but it'
Re:Credit cards are stupid. (Score:4, Interesting)
Who in hell thought it was a good idea to use a system where a single piece of information, consisting of just a few bytes, gives someone a blank check to my bank account? There are innumerable ways to concoct something more secure than this, especially these days when computing power (to do encryption) is ubiquitous. Such methods are of course not bulletproof, but they're a hell of a lot better than a guy with a pair of binoculars stealing credit card numbers, or what happened at Target.
That was the old security system, they've made it even worse since adding NFC. They dont even need access to your card to get enough information to use it without your knowledge or permission. There's even an app for it for any Android phone with NFC
https://play.google.com/store/apps/details?id=com.samj.CardTest&hl=en [google.com]
NFC on phones have no range due to low power but NFC has max range of 5 metres, so it's just a matter building the right antenna. Even though you wont get the max range of 5 metres, even a radius of 1 metre is enough in a crowded shop.
Also anyone who believes the bank will simply adsorb the cost of the fraud instead of passing it onto you and merchants who'll just pass it back to you (banks are likely to use the merchants, they don't have a choice but to suck up additional fees and look like the bad guy raising prices), well, I have a bridge to sell you.
Re: (Score:3, Informative)
Long before they mutated into debit cards, we had ATM cards with 4-digit PIN codes. The universe of possible codes was small, but the ATM machines of that era did something newer ones generally don't -- they swallowed your card, and didn't give it back to you until you entered the right PIN code. If you entered the wrong PIN code too many times, you didn't get the card back, which stopped most amateur fraudsters in their tracks.
Fast forward a decade to the arrival of debit cards. You still have the same 4-d
Re:Credit cards are stupid. (Score:4, Insightful)
Who in hell thought it was a good idea to use a system where a single piece of information, consisting of just a few bytes, gives someone a blank check to my bank account?
Someone trying to lower the costs of moving money around. The system currently has one big important factor to it, and that's the fact that if anybody tries to break the trust of the big players, the big players won't let them back into the system. So they can have as little security as possible, because of the belief that the desire to continue to do business with the big players will keep everybody in check.
Others (Score:3)
Not too worried about Target and Neiman Marcus. But having several others who haven't owned up to being victims of this is really annoying. And the status being up in the air, coverups being ATTEMPTED etc.
I am not doing the P.O.S. thing for a while. Sticking with cash.
doesnt matter (Score:4, Insightful)
And there are hundreds of people who know this information. Hundreds of people who are no longer with target. If target is anything like the place I worked, they use a lot of contractors (temps). They treat these temps like shit. It's not just devs who know the dirty on target's system, its QA people, network people, support people, ops people.
The cat is out of the bag. Censoring websites isn't going to help target. The info has already spread to places target can't censor. They should focus on fixing their shit. It's going to be expensive.
Pay cash (Score:2)
You don't have this kind of problems if youy just ay cash. I prefer cash, it's anonymous too so companies can't track what you buy (and sell it to your insurance company who might increase your health insurance payments it they can find an excuse (smoker, buy's too much snacks, ...)).
Re: (Score:2)
Re: (Score:2)
I sure hope if this gets modded up it is tagged as Funny.
Copyright DMCA take down (Score:5, Funny)
Run as Credit or use Cash (Score:2)
On the flipside, since this thing with Target has happened, and having read these
POS transactions down, muggings and burglary up (Score:2)
The downside is, if the dickhead in Russia uses your credit card number to order a new iPad, you'll get that money back with only a minor hassle; if your cash is stolen, it's just fucking gone.
How? (Score:3)
How hackers broke into Target and installed malware on point-of-sale terminals...
Forged Telaid work order for an access point out or something. Go in with a tool bag and clipboard, ask for MOD and get keycode to data room (often the store number.)
Do whatever you want after that. They don't know or care what you're doing. Not their job. Need to get to a POS? Just unplug the Ethernet at the patch panel and then go "service" it. Act like you're on a bluetooth talking to NCR while you're at it.
Re:Happy Wednesday from The Golden Girls! (Score:4, Insightful)
From TFA:
Hackers already know the way to do it, or they wouldn't be able to break into Target's databases.
By deleting the info what the so-called 'security companies" are doing is to depriving the legitimate business owners a way to beef up their own security measures by learning from the mistakes of Target.
Re: (Score:2)
read TFA. Target IPs, passwords not helpful (Score:5, Informative)
> By deleting the info what the so-called 'security companies" are doing is to depriving the legitimate
> business owners a way to beef up their own security measures by learning from the mistakes of Target.
I can only guess that you didn't rtfa? Target's IP addresses, passwords, and other details are of little use to any legitimate business beefing up their own security. To secure YOUR network I need YOUR IP addresses, not Target's IP addresses.
They left the information about HOW Target was breached. They redacted victim-specific details like the IPs of specific vulnerable servers.
> Hackers already know the way to do it, or they
> wouldn't be able to break into Target's databases.
99.99% of hackers are not able to break into Target's databases. It would be good to keep it that way.
By deleting the info what the so-called 'security companies" are doing is to depriving the legitimate business owners a way to beef up their own security measures by learning from the mistakes of Target.
Re: (Score:3)
99.99% of hackers are not able to break into Target's databases. It would be good to keep it that way
It would be better to add a few more 9s to that percentage, or even make it 100%.