Security

Target's Data Breach Started With an HVAC Account

Posted by samzenpus
from the sneaking-in dept.
Jim Hall writes "Security blogger Krebs reports that Target's data breach started with a stolen HVAC account. Last week, Target said the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now claim that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. Attackers stole network credentials from Fazio Mechanical Services, then used that to gain access to Target's network. It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network."
This discussion has been archived. No new comments can be posted.

  • Slashcott (Score:1, Informative)

    by Anonymous Coward on Thursday February 06, 2014 @05:09PM (#46178269)
    Please post this to new articles if it hasn't been posted yet.

    On February 5, 2014, Slashdot announced through a javascript popup that they are starting to "move in to" the new Slashdot Beta design.

    Slashdot Beta is a trend-following attempt to give Slashdot a fresh look, an approach that has led to less space for text and an abandonment of the traditional Slashdot look. Much worse than that, Slashdot Beta fundamentally breaks the classic Slashdot discussion and moderation system.

    If you haven't seen Slashdot Beta already, open this [slashdot.org] in a new tab. After seeing that, click here [slashdot.org] to return to classic Slashdot.

    We should boycott stories and only discuss the abomination that is Slashdot Beta until Dice abandons the project.
    We should boycott slashdot entirely during the week of Feb 10 to Feb 17 as part of the wider slashcott [slashdot.org]

    Moderators - only spend mod points on comments that discuss Beta
    Commentors - only discuss Beta http://slashdot.org/recent [slashdot.org] - Vote up the Fuck Beta stories

    Keep this up for a few days and we may finally get the PHBs attention.

    Discussion of Beta: http://slashdot.org/firehose.pl?op=view&id=56395415 [slashdot.org]
    Discussion of where to go if Beta goes live: http://slashdot.org/firehose.pl?op=view&type=submission&id=3321441 [slashdot.org]
    Alternative Slashdot: altslashdot.org [altslashdot.org]
  • by Anonymous Coward on Thursday February 06, 2014 @05:09PM (#46178271)

    http://slashdot.org/?nobeta=1

    Use it while you can, because they say they're gonna take it away soon.

  • Re:FUCK BETA (Score:5, Informative)

    by synapse7 (1075571) on Thursday February 06, 2014 @05:11PM (#46178305)

    **NOW WITH LINE BREAKS**

    Please post this to new articles if it hasn't been posted yet.

      On February 5, 2014, Slashdot announced through a javascript popup that they are starting to "move in to" the new Slashdot Beta design.

      Slashdot Beta is a trend-following attempt to give Slashdot a fresh look, an approach that has led to less space for text and an abandonment of the traditional Slashdot look. Much worse than that, Slashdot Beta fundamentally breaks the classic Slashdot discussion and moderation system.

      If you haven't seen Slashdot Beta already, open this [slashdot.org] in a new tab. After seeing that, click here [slashdot.org] to return to classic Slashdot.

      We should boycott stories and only discuss the abomination that is Slashdot Beta until Dice abandons the project.
      We should boycott slashdot entirely during the week of Feb 10 to Feb 17 as part of the wider slashcott [slashdot.org]

      Moderators - only spend mod points on comments that discuss Beta
      Commentors - only discuss the Beta - Vote up the Fuck Beta stories

      Keep this up for a few days and we may finally get the PHBs attention.

  • by arth1 (260657) on Thursday February 06, 2014 @05:25PM (#46178437) Homepage Journal

    Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?

    We pay in two ways. Well, three, if you include those that pay directly. But otherwise, we pay by contributing, and we pay by watching ads.

  • by Soulskill (1459) Works for Slashdot on Thursday February 06, 2014 @05:42PM (#46178649) Homepage

    Believe me, there's no confusion about the immensity of the community's contribution to the site.

  • by arth1 (260657) on Thursday February 06, 2014 @05:49PM (#46178729) Homepage Journal

    This is very true. Please keep the feedback coming. The more constructive, the better.

    Kill Slashdot Beta and start from scratch.
    That is a constructive suggestion, and absolutely doable.

  • by onyxruby (118189) <`ten.tsacmoc' `ta' `yburxyno'> on Thursday February 06, 2014 @05:52PM (#46178783)

    Then why are you pulling a Microsoft and ignoring your community? Your community /is/ your product. Like Microsoft forcing Metro with Windows 8, the beta site isn't functional and you insist on ignoring the very hands that feed you. Without your community Slashdot is just another has-been website.

  • by Soulskill (1459) Works for Slashdot on Thursday February 06, 2014 @06:02PM (#46178887) Homepage

    Then why are you pulling a Microsoft and ignoring your community?

    The whole point of the beta is to get feedback from the community. If we were ignoring you, we would have just flipped the switch and not looked back.

    I can't promise we'll implement every suggestion (indeed, many are contradictory), but we absolutely consider them.

  • by gallondr00nk (868673) on Thursday February 06, 2014 @06:06PM (#46178925)

    This is very true. Please keep the feedback coming. The more constructive, the better.

    I admire you actually coming out and posting, but I'd point out that there has been a plethora of constructive, detailed feedback on the beta already, seemingly to no avail.

    But since you asked, I'd recommend:

    Keep the Classic Slashdot.

  • Slashdot Beta sucks (Score:5, Informative)

    by Adeptus_Luminati (634274) on Thursday February 06, 2014 @06:10PM (#46178969)

    I've emailed them... they ignore... the more they ignore the quicker their downfall.

    Ignore your userbase, and you shall have none. If I am ignored much longer, I will leave. Just like I left mashable after they AOL'ed it.

    PS. I've been a slashdotter for 7+ years.

  • by Spy Handler (822350) on Thursday February 06, 2014 @06:13PM (#46179011) Homepage Journal

    I can't promise we'll implement every suggestion (indeed, many are contradictory), but we absolutely consider them.

    You only need to implement ONE suggestion and everyone will be happy. Let people continue to use Classic interface if they choose. That's all you need to do.

  • by SrLnclt (870345) on Thursday February 06, 2014 @06:31PM (#46179223)
    Modern HVAC controls are much more than thermostats. There are typically resets for supply air temperatures based on outside air conditions and time of day, and boiler water temperature setbacks based on outside air conditions. Fan and pump systems can get feedback from the positions of dampers/valves throughout the system, and the VFD can slow down to minimize energy usage based on the feedback from the worst-case zone in real time. The list goes on, but all of this energy optimizing relies on lots of real-time data, and the easiest way to do this is on an Ethernet network.

    Many large clients, particularly those with multiple locations like school districts or big box stores will hire a controls company, and pay them a bunch of money to save a target dollar amount or percentage amount on their energy costs. This is typically done through an online interface to monitor multiple locations simultaneously, and keep them all operating the same way. The user doesn't typically care how the contractor sets this up, they just want the savings. The cheaper the contractor can get to the target the more money he makes, which can lead to corner cutting by the contractor.

    Some people (government, some Universities) tend to make the controls sub-contractors install a second, independent TCP/IP network for their equipment. But this security comes at a cost premium, particularly in existing buildings that already have a network in place for their computer needs. Most places I have seen don't bother with this due to the cost and the general availability of network connections in today's world. If the security is set up properly this shouldn't be needed, but we all know how often proper security is overlooked.
