Security

Target's Data Breach Started With an HVAC Account 232

Posted by samzenpus
from the sneaking-in dept.
Jim Hall writes "Security blogger Krebs reports that Target's data breach started with a stolen HVAC account. Last week, Target said the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now claim that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. Attackers stole network credentials from Fazio Mechanical Services, then used that to gain access to Target's network. It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network."
  • by sinij (911942)
    If Beta was hot grits, then Natalie Portman would be driving Beowulf cluster of HUGOs!
  • by Dan East (318230) on Thursday February 06, 2014 @05:08PM (#46178247) Homepage Journal

    why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network

    Because they have just one big unified network for everything. That probably saves them money, unless something really bad were to happen...

    • by bjwest (14070) on Thursday February 06, 2014 @05:12PM (#46178313)
      My guess is because IT is not given control over security, not listened to and told to "just do it" when they try to point out the security problems during planning. But you can bet your ass they're the ones blamed when all hell breaks loose.
      • by aaarrrgggh (9205) on Thursday February 06, 2014 @05:56PM (#46178827)

        No, it is that proper security is really hard to do, especially when you deal with third parties that need to access portions of the network that management also needs to access. It doesn't help when the third party has one company account, and a reasonably high turnover rate of employees.

        I used to have a rolodex of access cards for different clients and sites. Many companies required a different card for each building. Then this magical internet came along and they merged all of the security systems into central corporate security. Like magic I only needed one card for each client, locked down to specific areas I needed access in different building. Then... they had a problem. I couldn't get into the building to help out. It wasn't the end of the world, but the project manager I was working for ended up giving me all access to keep it from happening again. It took two years for a corporate security audit to call me and ask why the hell I needed "ring zero access" or whatever they called it. Up until that I had cash vault access for whatever stupid reason.

        The bigger and more distributed organizations get, and the deeper the tree is on the contractors they work with, the more it becomes impossible to manage security without paying a huge efficiency penalty.

        Sorry to get so off-topic; aren't we supposed to be talking about how miserable the beta.slashdot.org site is? Completely unusable; are there any other competing websites that could resurrect the old slashcode?

      • by chipschap (1444407) on Thursday February 06, 2014 @06:50PM (#46179419)

        My guess is because IT is not given control over security, not listened to and told to "just do it" when they try to point out the security problems during planning.

        I was once the security advisor at a Large Place. A senior manager came to me and said, I want to forward all my email to Gmail so I can read it at home. (Much of it was sensitive stuff.) He said, "what do you advise?" I said, obviously, not to do it as it presented unacceptable risk, forwarding internal sensitive email to an external source beyond our control. He replied, "OK, I asked you the question, document that, will you? I can't help it if you gave the wrong answer" and he went ahead and set up forwarding. Actually, had someone set it up because he was clueless about how to do it.

      • by maz2331 (1104901)

        I call shenanigans. This type of breach shouldn't be remotely possible if the cardholder data environment (CDE) was behind a proper firewall as per the PCI specifications. That means that anything that stores card data has a VERY short whitelist of what it may communicate with, and then only on the bare-minimum of ports. And no, just a VLAN won't cut it there. All of the registers, card readers, internal servers, switches, etc on which the card data flows are required to be firewalled both inbound and o

    • Analytics (Score:2, Interesting)

      by Etherwalk (681268)

      They probably have it all on one network so they can easily correlate the data. HVAC settings will influence purchases and a smart store is dynamically setting temperature to maximize sales volume, although within certain constraints.

      • by Nos. (179609)

        It doesn't have to be on the same network to easily correlate data.
        You pull from many locations to one to correlate data.

    • by mlts (1038732) on Thursday February 06, 2014 @05:26PM (#46178453)

      In most companies, someone poking around would have their access clamped shut by an internal IPS, with SMS messages going out to admins via the IDS.

      I'm sure there has to be a perfectly justifiable way to explain this, but almost any corporate network tends to be well segmented, with finance being the most locked down of any area [1]. Unless the internal fabric got compromised, this shouldn't have happened unless it was an attack with a lot of collusion from parties inside the organization.

      [1]: One place I worked at had the machines in finance completely disconnected from the Internet, and they were separated from each other (no file sharing possible unless going through the company servers.) If people wanted to browse the Web, they used Citrix receivers and a terminal server, which was configured to not let files in or out. Said machines were not just locked down via AD, but used both BitLocker (to keep the machines from being booted from other media) and DeepFreeze [2] to help ensure that if malware did get on the boxes, it wouldn't persist. All data was stored on remote machines. So far, AFAIK, these precautions did a good job at keeping bad guys out.

      [2]: DeepFreeze isn't 100%, but it does come in handy as an additional tool for a locked down environment to keep things clean.

      #insert

      • by Bigbutt (65939)

        When I worked at IBM, management of the IDS for the IRS was outsourced to India.

        [John]

    • I have gone through this exact same "logic" at places where I've worked. It's impossible to explain to some people that ... while the person putting in X may be completely honest you are depending upon that person to have as good security practices as you have.

      Except that that person does not have any idea of what network security is. Or computer security.

      But it will make it easier if vendors X, Y and Z have remote access to their systems which are on the production network.

      It will be more difficult if we h

        • And wouldn't that be the purpose of ACLs and firewalls? You can share the same physical network, but with proper ACLs you shouldn't be able to access the financial segment of the network from the HVAC segment.

          What purpose does any of the HVAC machines need on the financial side of the network? Any traffic going between the two (in either direction!) should be blocked and send up red flags.

        • by DarkOx (621550)

          Sure you can put ACLs on switch ports and you can do layer two firewalls; in general you don't. Usually if you have a switch that can do ACLs you have a switch that can also do routing, so you can segment the network as well for little cost. That segmentation makes the broadcast domains smaller. Usually that leads to better performance. If you are doing layer 2 firewalls it's usually in the data center. Doing it on the plant floor would probably just create lots of problems for protocols like ARP, and if it

        • by khasim (1285)

          And wouldn't that be the purpose of ACLs and firewalls?

          In general, yes. But the situation should not arise where you have to firewall a vendor's system because it should not be touching your production network in the first place. It's adding risk when it is not necessary.

          What purpose does any of the HVAC machines need on the financial side of the network? Any traffic going between the two (in either direction!) should be blocked and send up red flags.

          Yes, it should. You are correct.

          But this doesn't have to

    • by mythosaz (572040)

      It's not even necessarily that. The HVAC may or may not have had access into the "real" system, but it, at minimum, allowed them a foothold from which to perform penetration testing.

      I remember implementing a change to our security because of a chain that ultimately broke because some local SQL Express SA accounts were open (on workstations, with 3rd party products that required local SQL Express), which allowed further and further enumeration that ultimately ended with the discovery of a domain admin's crede

  • by Bob the Super Hamste (1152367) on Thursday February 06, 2014 @05:09PM (#46178267) Homepage
    Maybe this is why we have the Slashdot beta issue, something came in with the HVAC account at Dice. It sucks enough that the HVAC system might be to blame.
    • well, even if they swapped plus and minus on the power supply or turned the switch from SUCK to BLOW, I'm not sure it would improve the beta, any.

      • by sconeu (64226)

        So, if I understand you correctly, you are saying that Dark Helmet designed the Slashdot Beta?

    • by kolbe (320366)

      At least Target didn't change their website after fucking up so badly

  • by jdastrup (1075795) on Thursday February 06, 2014 @05:09PM (#46178279)
    Might as well give HVAC vendors access to the slashdot beta servers so they can destroy it as well.
  • The weakest link won't be the shiny titanium front door.

  • by Junior Samples (550792) on Thursday February 06, 2014 @05:18PM (#46178371)

    Rename the beta site and call it "DiceNews for Dicks". Then load it up with stories about the Deport Justin Bieber Movement http://www.google.com/url?sa=t... [google.com] and news for Kardashian stories https://www.google.com/search?... [google.com]

    Leave Slashdot alone!

  • Watch 'Community' on NBC. You'll see that the HVAC people are the hidden power in our civilization. Be very afraid.

  • Turn off JavaScript for slashdot.org, fsdn.com, googleadservices.com and truste.com.

    problem solved.

  • by QuietLagoon (813062) on Thursday February 06, 2014 @05:26PM (#46178445)
    After seeing what the new beta site looks like, in the future "being slashdot'd" will mean being destroyed by someone who does not understand what they are destroying.
    • by wjwlsn (94460)

      I was thinking something similar, but it was more like being destroyed by the very community that you were trying to court... out of an unwillingness to heed the warnings from that same community.

  • Did the software have fixed passwords / users?

    Some software needs a fixed login to work.

  • Slashdot Beta (Score:5, Insightful)

    by ShaunC (203807) on Thursday February 06, 2014 @05:33PM (#46178531)

    Target fucked somewhere between 40 million and 110 million people. DICE is now trying to fuck something south of half a million people.

    Cut this shit out. Revert. Take the DICE Marketing department out for a nice big lunch, drinks and all. Then send them home for the weekend. Then undo the damage they've done.

    I'm sadly sure that this is an intentional ploy to drive away long-time users ("geeks" and "nerds") who have contributed so much that, like me, they're eligible to disable advertising. What they don't understand is that even if my karma was shit (we don't get numbers anymore, I guess mine would be 50++++++), I'd still be using Ghostery and AdBlock to block the ads without Slashdot's generous option.

    Wake up, guys. This is a tech site. The comments make the site. The users make the site. We aren't going to sit around and watch it go to shit. You will have nothing, ZERO left if the beta interface goes into production, except for a few new users who came over from MSNBC.

    Writing, wall, see it, hope you have negotiated a nice severance package.

    • by kolbe (320366)

      So what you are saying here is that slashdot is fucking more people than DICE and Target combined? Cowboy Neal needs to verify this... I think the number is higher.

  • Either A) some IM, email, or trouble ticket system, or B) remote setting of network enabled thermostats and diagnostics of HVAC units remotely. And the submitter can't think of that? Then why post it. And why not segregate the payment system? Uh, cause that costs money to do, and PCI DSS is a fucking stupid thing 99% of the time. It is only used to blame retailers instead of making the Vendors and Card companies design and ensure airtight security, as it should be. Does make one wonder why any retailer
    • by SrLnclt (870345) on Thursday February 06, 2014 @06:31PM (#46179223)
      Modern HVAC controls are much more than thermostats. There are typically resets for supply air temperatures based on outside air conditions and time of day, and boiler water temperature setbacks based on outside air conditions. Fan and pump systems can get feedback from the positions of dampers/valves throughout the system, and the VFD can slow down to minimize energy usage based on the feedback from the worst-case zone in real time. The list goes on, but all of this energy optimizing relies on lots of real time data, and the easiest way to do this is on an ethernet network.

      Many large clients, particularly those with multiple locations like school districts or big box stores will hire a controls company, and pay them a bunch of money to save a target dollar amount or percentage amount on their energy costs. This is typically done through an online interface to monitor multiple locations simultaneously, and keep them all operating the same way. The user doesn't typically care how the contractor sets this up, they just want the savings. The cheaper the contractor can get to the target the more money he makes, which can lead to corner cutting by the contractor.

      Some people (government, some Universities) tend to make the controls sub-contractors install a second, independent TCP/IP network for their equipment. But this security comes at a cost premium, particularly in existing buildings that already have a network in place for their computer needs. Most places I have seen don't bother with this due to the cost and the general availability of network connections in today's world. If the security is set up properly this shouldn't be needed, but we all know how often proper security is overlooked.
  • I honestly don't understand what the fuss is about.

  • Because the /. beta can't even properly suck on my nuts :(

    Chances are, you're behind a firewall or proxy, or clicked the Back button to accidentally reuse a form. Please try again. If the problem persists, and all other options have been tried, contact the site administrator.

    • by bobbied (2522392)

      If the problem persists, and all other options have been tried, contact the site administrator.

      Hello?

  • Dice can't see it, since they are new here (he he)...

    The most loyal long time most avid readers of Slashdot, are not trolling the site, in protest of the failed beta. Never thought I would see the day ...

    Where is GNAA, Natalie Portman grits, and frist prost when you need them!

    Let me explain ...

    I have been a regular visitor to Slashdot for around 15 years. For that, I get the checkbox to disable ads, though I browse with Javascript disabled so my browser does not slow down.

    I come here for the discussions, an

    • by aaarrrgggh (9205)

      There is always the approach of calling Dice Holdings. Their telephone number is 212-725-6550.

  • I have been lurking around here pretty much since Slashdot's inception. I finally felt the need to make an account today to let it be known that I will be joining the Slashdot boycott on February 10-17th. I (and apparently everyone else) made their feedback for the beta when it was introduced. They decided to not listen. This site is truly something special, its community and insightful discussions are completely unmatched. We can't let them ruin it. Join the boycott, a severe drop in traffic should g
  • Common user/pass combinations are easier to work with and manage when you are dealing with contracts/subs, even more so in an area like HVAC where the workers are not IT people and you have field work that can get subbed out to local firms. Giving each tech their own login can be hard to keep track of, and you have to deal with lockouts due to expiring passwords, as they may need to use them day to day.

  • It's not immediately clear why Target would have given an HVAC company external network access,..

    They probably have access to the network because the heating and AC for the stores is centrally controlled, like it is at Walmart, for instance. That's not a surprise.

    ... or why that access would not be cordoned off from Target's payment system network."

    This is definitely the bigger question. PCI is pretty clear about this. My next question is, how did they pass the audit?

  • Slashdot Beta sucks (Score:5, Informative)

    by Adeptus_Luminati (634274) on Thursday February 06, 2014 @06:10PM (#46178969)

    I've emailed them... they ignore... the more they ignore the quicker their downfall.

    Ignore your userbase, and you shall have none. If I am ignored much longer, I will leave. Just like I left mashable after their AOL'ed it.

    PS. I've been a slashdotter for 7+ years.

    • You've a lower UID than me and I'm sitting at 13y. I've provided feedback, months ago when this was alpha and again yesterday when they made this announcement.

      Beta is def better than alpha was. Commenting is infinitely better on Beta than Alpha. But it's STILL incredibly backward compared to Classic. Slashdot is literally the only site (besides dedicated forums) where comments are worth doing. I suspect what's happening is Alpha was shit, developers feel like they've addressed the problems in Beta but peopl

  • But then Beta was switched on and I quickly turned away. :(

  • One of my accounts has remote web accessible thermostats and the site shares a single public static IP, but my intranet is split between 3 different LAN segments with the POS segment isolated. Looks like it might be NSA preferred level of effective security configuration...

  • I get that Target might've forced their IT department to take the cheap way out and forgo a nice, isolated building management system. That's out of their control.

    But how could they not notice the spike in network traffic as data was being sent to the hackers?

    They should know how much bandwidth their terminals are chewing up on average, how many transactions are occurring, approximately how much data should be crossing the network per transaction and have an eye out for a sudden burst of outgoing data headi

    • by dbIII (701233)

      But how could they not notice the spike in network traffic as data was being sent to the hackers?

      By saving money on the monitoring system.

      They should know how much bandwidth their terminals are chewing up on average ...

      Such a thing only happens when someone put in the effort to have a monitoring system. It doesn't happen by magic. Easy to set up in many cases but not there unless someone had set it up.
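Three checks raised in this discussion can be run as one script over a flow log: maz2331's point higher up that anything in the cardholder data environment (CDE) should have a very short outbound allowlist on the bare minimum of ports and be firewalled inbound as well as outbound, the point that any HVAC-to-financial traffic in either direction should be blocked and send up a red flag, and the egress baseline idea in this thread (know what each terminal normally sends out and watch for a sudden outgoing burst). The code below is an added example written for this page; it is not from the thread, from Target, from Krebs or from any vendor. The segment ranges, the payment processor address, the admin jump host and every flow record are assumed or constructed, and the script is a detective check over exported flows, not a firewall configuration.

```python
"""Flow-log checks for a segmented retail network (added example, not from the page).
Assumed: CDE = 10.10.0.0/16, HVAC/building management = 10.20.0.0/16, corporate = 10.30.0.0/16,
payment processor = 203.0.113.10, admin jump host = 10.30.1.5; SAMPLE_LOG is constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

CDE = ipaddress.ip_network("10.10.0.0/16")
HVAC = ipaddress.ip_network("10.20.0.0/16")
CORP = ipaddress.ip_network("10.30.0.0/16")

# The CDE's whole outbound allowlist: (destination, proto, port). Everything else is denied.
CDE_EGRESS_ALLOW = {
    (ipaddress.ip_network("203.0.113.10/32"), "tcp", 443),  # payment processor (assumed)
}
# The only non-CDE host permitted to open connections into the CDE (assumed jump host).
CDE_INGRESS_ALLOW = {ipaddress.ip_address("10.30.1.5")}

@dataclass(frozen=True)
class Flow:
    ts: int            # seconds since epoch
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    nbytes: int        # bytes carried src -> dst

def parse_flow(line: str) -> Flow:
    """One record per line: 'ts src dst proto dport bytes' (a constructed format)."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport), int(nbytes))

def load_flows(text: str) -> list:
    return [parse_flow(line) for line in text.splitlines() if line.strip()]

def segment(ip) -> str:
    for name, net in (("cde", CDE), ("hvac", HVAC), ("corp", CORP)):
        if ip in net:
            return name
    return "external"

def check_segmentation(flows) -> list:
    """Return (reason, flow) for each flow the segmentation policy should have dropped."""
    findings = []
    for f in flows:
        s, d = segment(f.src), segment(f.dst)
        if {s, d} == {"hvac", "cde"}:
            findings.append(("hvac<->cde", f))  # never legitimate, in either direction
        elif s == "cde" and d != "cde":
            if not any(f.dst in net and f.proto == p and f.dport == port
                       for net, p, port in CDE_EGRESS_ALLOW):
                findings.append(("cde-egress-not-allowlisted", f))
        elif d == "cde" and s != "cde" and f.src not in CDE_INGRESS_ALLOW:
            findings.append(("unexpected-inbound-to-cde", f))
    return findings

def egress_anomalies(flows, window: int = 3600, k: float = 3.0, min_windows: int = 3) -> list:
    """Return (host, window, bytes) where a CDE host's external egress in one window
    exceeds a leave-one-out baseline built from that host's other windows."""
    per_host = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if segment(f.src) == "cde" and segment(f.dst) == "external":
            per_host[f.src][f.ts // window] += f.nbytes
    out = []
    for host, wins in per_host.items():
        for w, b in wins.items():
            others = [v for ow, v in wins.items() if ow != w]
            if len(others) < min_windows:
                continue
            mu = mean(others)
            # Require a statistical excursion AND at least double the usual volume, so a
            # flat baseline (stdev 0) does not flag ordinary jitter.
            if b > max(mu + k * pstdev(others), 2 * mu):
                out.append((host, w, b))
    return out

# Constructed sample: a register batching to the processor hourly, then a 52 MB push to an
# unknown external host, an HVAC controller touching that register, and corporate RDP into the CDE.
SAMPLE_LOG = """\
100   10.10.1.21 203.0.113.10  tcp 443  41000
3700  10.10.1.21 203.0.113.10  tcp 443  39000
7300  10.10.1.21 203.0.113.10  tcp 443  42000
10900 10.10.1.21 203.0.113.10  tcp 443  40000
14500 10.10.1.21 203.0.113.10  tcp 443  38000
18100 10.10.1.21 203.0.113.10  tcp 443  40000
18200 10.10.1.21 198.51.100.7  tcp 443  52000000
18300 10.20.3.4  10.10.1.21    tcp 445  12000
18400 10.20.3.4  198.51.100.50 tcp 443  8000
18500 10.30.7.7  10.10.5.10    tcp 3389 5000
18600 10.30.1.5  10.10.5.10    tcp 22   3000
18700 10.10.1.21 10.10.5.10    tcp 8443 2000
"""

if __name__ == "__main__":
    flows = load_flows(SAMPLE_LOG)
    for reason, f in check_segmentation(flows):
        print(f"SEGMENTATION {reason}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    for host, w, b in egress_anomalies(flows):
        print(f"EGRESS host={host} window={w} bytes={b}")
```

On the constructed sample the segmentation check reports three flows (the register's push to an unknown external host, the HVAC controller reaching the register on 445, and the corporate workstation's RDP into the CDE), while the jump host's SSH and the intra-CDE traffic pass; the egress check flags only the window containing the 52 MB burst. Two design points: the leave-one-out baseline means a single burst cannot inflate its own threshold, and the "at least 2x" floor stops a perfectly regular host from alerting on trivial variation. In practice the input would be NetFlow/IPFIX or firewall logs, and the allowlist would mirror the rules actually enforced on the CDE firewall, so that a hit here means either the firewall is misconfigured or something got around it.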
