Security Vendors Self-Censor Target Breach Details

Posted by samzenpus
from the what-security-breach? dept.
angry tapir writes "At least three security companies have scrubbed information related to Target from the Web, highlighting the ongoing sensitivity around one of the largest-ever data breaches. How hackers broke into Target and installed malware on point-of-sale terminals that harvested up to 40 million payment card details is extremely sensitive. Now, details that give insight into the attack are being hastily removed or redacted by security companies."
  • by pcwhalen (230935) <pcwhalen@gmail.COLAcom minus caffeine> on Wednesday January 22, 2014 @09:41PM (#46042517) Journal

    ...after all the cows got out.

    Day late and a dollar short to worry about BlackPOS. Variants of "Dexter, first documented by Seculert in December 2012, is a Windows-based malware used to steal credit card data from PoS systems."

    http://www.arbornetworks.com/a... [arbornetworks.com]

    They have had 3 flavors so far:
    1.] Stardust (looks to be an older version, perhaps version 1)
    2.] Millenium (note spelling)
    3.] Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)

    I can buy any of these programs with a Tor browser, an ICQ client and some Bitcoin at any carder site online.

    A little late to be worried about snippets of code.

  • by pcwhalen (230935) <pcwhalen@gmail.COLAcom minus caffeine> on Wednesday January 22, 2014 @10:01PM (#46042587) Journal

    Maybe. They do have a lot of job openings in Karnataka, Bangalore, India.

    https://targetcareers.target.c... [target.com]

  • by LordKronos (470910) on Wednesday January 22, 2014 @10:55PM (#46042871) Homepage

    > They also are doing shit for notification. I always use my Target card...I have received zero notifications from Target about the compromise, and no new card.

    Are you sure? You might want to check your mailbox again, or your spam filters. I've received the following emails from them:

    Dec 20 - Letter from Target’s CEO Gregg Steinhafel and Important Notice
    Dec 23 - Important Information for our REDcard Holders

  • by raymorris (2726007) on Wednesday January 22, 2014 @11:18PM (#46042963)

    > By deleting the info what the so-called 'security companies' are doing is depriving the legitimate
    > business owners of a way to beef up their own security measures by learning from the mistakes of Target.

    I can only guess that you didn't rtfa? Target's IP addresses, passwords, and other details are of little use to any legitimate business beefing up their own security. To secure YOUR network I need YOUR IP addresses, not Target's IP addresses.

    They left the information about HOW Target was breached. They redacted victim-specific details like the IPs of specific vulnerable servers.

    > Hackers already know the way to do it, or they
    > wouldn't be able to break into Target's databases.

    99.99% of hackers are not able to break into Target's databases. It would be good to keep it that way.

  • by Anonymous Coward on Thursday January 23, 2014 @12:47AM (#46043283)

    Long before they mutated into debit cards, we had ATM cards with 4-digit PIN codes. The universe of possible codes was small, but the ATM machines of that era did something newer ones generally don't -- they swallowed your card, and didn't give it back to you until you entered the right PIN code. If you entered the wrong PIN code too many times, you didn't get the card back, which stopped most amateur fraudsters in their tracks.

    Fast forward a decade to the arrival of debit cards. You still have the same 4-digit PIN code, but that's OK, because it's STRICTLY for entering after the ATM swallows your card and holds it hostage. If you used it as a credit card, they had to make an impression, and would usually ID you.

    Fast forward another decade. Ohshit, the internet happened. Merchants now accept the card as payment without a physical impression or signature (otherwise they couldn't do online transactions), and they also let you pay by debit instead of credit. Oh, wait a minute... you still have a 4-digit PIN code (usually, with the option to make it 100 times stronger by adding 2 more digits, but still pretty weak). You also use the PIN code when registering for online banking, or using bank by phone.

    And anyone with about a hundred bucks to spend on eBay can now build a mag stripe writer suitable for making custom cards with. The only thing that prevents street thugs from writing their own mag stripes & embossing their own custom credit cards is the fact that the Secret Service goes after anybody selling real-looking blank cards and throws the book at them.

    Oh, the holograms? Pfffft. Pure security theatre. When's the last time you EVER saw somebody in a retail establishment scrutinize the hologram, or even look like they even noticed or cared whether a card has one? The holograms aren't there to help store clerks identify potentially-fraudulent cards... they're there to make it easier to prosecute criminals caught with a box full of blank cards without embossing or printing.

    Oh, and anybody can go to Wikipedia and figure out that the first 4-6 digits of the card identify the bank, and the last digit is an error correction code... so that 16-digit number really has 9-11 digits, 90% of whose permutations are by definition invalid courtesy of the Luhn algorithm. And unlike 30 years ago, if you have good credit, your bank will probably allow the account to be overdrawn by several thousand dollars before they actually quit approving transactions, since they're probably charging $30-50 in penalties for each transaction that they approve while the account balance is negative.

    So you see, the problem isn't that the original designers cooked up an insecure way of doing business. In its day, it satisfied the security needs of the banks and retailers just fine. Unfortunately, over the past 30 years, the context and nature of debit card use have changed enough to break all of the original assumptions.
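
The card-number layout mentioned in the comment above (issuer prefix, account digits, Luhn check digit), as an added example that is not part of the original thread. It uses the widely published test number 4111111111111111 and a constructed log line, and shows the defensive use of the check: flagging and masking card numbers that leak into logs. The function names and the 6-digit issuer prefix length are assumptions of this example.

```python
import re

def luhn_sum(digits: str) -> int:
    """Luhn sum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0

def check_digit(body: str) -> int:
    """The single final digit that makes body + digit pass the Luhn check."""
    return (10 - luhn_sum(body + "0") % 10) % 10

def split_pan(pan: str, iin_len: int = 6) -> dict:
    """Split a PAN into issuer prefix, account digits and check digit."""
    return {"iin": pan[:iin_len], "account": pan[iin_len:-1], "check": pan[-1]}

def passing_check_digits(body: str) -> list:
    """Which of the ten possible final digits validate (always exactly one)."""
    return [d for d in range(10) if luhn_valid(body + str(d))]

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

PAN_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")  # 16-digit runs only, for brevity

def find_leaked_pans(text: str) -> list:
    """Return masked forms of 16-digit runs in text that pass the Luhn check."""
    return [mask_pan(m.group()) for m in PAN_RE.finditer(text)
            if luhn_valid(m.group())]

# Constructed sample: an order id that fails Luhn and a test PAN that passes.
SAMPLE_LOG = "order=1234567890123456 card=4111111111111111 status=ok"

if __name__ == "__main__":
    print(split_pan("4111111111111111"))
    print(passing_check_digits("411111111111111"))
    print(find_leaked_pans(SAMPLE_LOG))
```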

  • by xaxa (988988) on Thursday January 23, 2014 @05:41AM (#46044359)

    (Public key cryptography for credit cards)

    I think you've more-or-less described the EMV standard, which is widely used pretty much everywhere except the USA.

    http://en.wikipedia.org/wiki/E... [wikipedia.org]

    I just bought some food by credit card, and the receipt says:
    Visa Credit £6.34
    [ICC] **** **** **** 3435
    AID: A0000000013039
    PAN SEQUENCE: 03
    MERCHANT: **41872
    AUTH CODE: 146972

    PIN Verified

    I have a smart card reader for validating online banking transactions, I think the administration and transport costs were probably more than the cost of the reader -- the bank sent it for free. The card has NFC, for low-value transactions (under £20, I think) I can pay contactlessly without a PIN. London is trialling accepting this for train/underground travel, it's already accepted for buses.

    My card still has a magnetic strip, but I don't think it's ever been used.
