Security

Target's Data Breach Started With an HVAC Account

Jim Hall writes "Security blogger Krebs reports that Target's data breach started with a stolen HVAC account. Last week, Target said the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now claim that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. Attackers stole network credentials from Fazio Mechanical Services, then used that to gain access to Target's network. It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network."
  • Analytics (Score:2, Interesting)

    by Etherwalk ( 681268 ) on Thursday February 06, 2014 @05:24PM (#46178427)

    They probably have it all on one network so they can easily correlate the data. HVAC settings will influence purchases and a smart store is dynamically setting temperature to maximize sales volume, although within certain constraints.

  • by gdek ( 202709 ) on Thursday February 06, 2014 @05:37PM (#46178583)

    I honestly don't understand what the fuss is about.

  • by chipschap ( 1444407 ) on Thursday February 06, 2014 @06:50PM (#46179419)

    My guess is because IT is not given control over security, not listened to and told to "just do it" when they try to point out the security problems during planning.

    I was once the security advisor at a Large Place. A senior manager came to me and said, I want to forward all my email to Gmail so I can read it at home. (Much of it was sensitive stuff.) He said, "what do you advise?" I said, obviously, not to do it as it presented unacceptable risk, forwarding internal sensitive email to an external source beyond our control. He replied, "OK, I asked you the question, document that, will you? I can't help it if you gave the wrong answer" and he went ahead and set up forwarding. Actually, had someone set it up because he was clueless about how to do it.

  • by girlintraining ( 1395911 ) on Thursday February 06, 2014 @08:07PM (#46180405)

    The whole point of the beta is to get feedback from the community. If we were ignoring you, we would have just flipped the switch and not looked back.

    Soul, I know you are in a difficult position, having been told to do spin control for a furious userbase. But you don't have to insult our intelligence. Redirects to beta were going on well before this, and the sentiment hasn't changed. It's been negative from the moment people started getting redirected. Management has been ignoring the users from day one under the notion that they'll like it once they get used to it, and hey, look at how Facebook changes things and people complain, but keep using Facebook.

    But your seniors don't seem to understand that this isn't Facebook. This isn't a site for the general population, and it's not irreplaceable nor without intense competition. There are thousands of internet forum sites out there, many of which have the same target audience. I do not buy the argument for one second that management was ignorant of the poor opinion held of its new "beta".

    I get that they bought the house and now they want to repaint it so it's "theirs", but they've gone too far. Very far too far. They have failed to understand their target audience completely, believing that we're just like any other of the dozens of assets they hold in their portfolio, and it'll homogenize with the rest if they just stay the course.

    It won't. They're going to tank their investment and once the users bail, they won't come back. They'll be like the MySpace of the IT world: It was popular at one time, but now it's a ghost website nobody cares about, just another content aggregation website, and not even a particularly valuable one. Nobody wants to see this happen... apparently, except for the senior management. We've spoken clearly, and unequivocally, in every possible way, that this is a bad decision. We've been doing this for days, and have received no indications from these people that they've even noticed.

    Do we have to set fire to the facilities they live in? DDoS all their sites? I mean, really, Soulskill... we've exhausted every avenue to let these people know "Hey dudes, train coming. Train. Big train. Honk honk. Motherfucking train, on the mother fucking tracks, coming your way. TRAIN." ... And they seem to be content to just lay there like some drunk and wait for it to run them over.

    If this is how it has to be, fine. But at least tell us that if Slashdot goes tits up someone on the Dice board of directors is getting shit-canned... because otherwise, the nerd rage that has built up here is going to find other, less pleasant, ways of extracting their pound of flesh from Dice. If you think the Slashdot Effect on other websites is bad... wait until a hundred thousand pissed off IT people each sitting on massive bandwidth pipes, decide to ping the SS Dice Fail Boat. It will not be pretty.
