Target's Internal Security Team Warned Management 236
david.emery writes "According to this story, Target's own internal computer security team raised concerns months before the retailer lost millions of credit card numbers in an attack. (Quoting a paywalled story in the Wall Street Journal.) Target's management allegedly 'brushed them off.' 'At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system.' This raises a more general question for the Slashdot community: how many of you have identified vulnerabilities in your company's/client's systems, only to be 'brushed off?' If the company took no action, did they ultimately suffer a breach?"
Posting anonymously for obvious reasons... (Score:5, Interesting)
Yes, there are horrible security flaws where I work. Things as basic as changing passwords on a regular basis have been brought up repeatedly, and the answer is always, "we can't make people do that", or "that's something to keep in mind for the future, but we have more important things to worry about"
customer service portal (Score:5, Interesting)
Years ago I worked for one of the two big American cable companies currently merging. I identified a security flaw in the public facing side of their customer service portal, essentially giving access to all the config files, which contained admin credentials in plain text. I proposed simple solutions, like not allowing directory listings of folders, among others.
They shrugged it off, and to the best of my knowledge, last year the vulnerability was still accesaible
You'd Be Amazed (Score:5, Interesting)
Years ago I worked for a government IT department. A vendor wanted us to try out a product. The device plugs directly into the Internet connection, and monitors every packet, in real time, looking for strings matching an array of string that you provide. We ran queries against our internal databases, and compiled a list of SSNs and CCNs. The vendor programmed that data into their device, which from what I can tell used an FPGA to perform deep packet inspections.
We expected that we might see maybe an email every week or two where someone accidentally sent that kind of information.
First hit occurred 12 seconds after turning the device on.
Second occurred .47 seconds later.
Etc. Etc. Etc.
Within an hour, we had overrun the quota on the network directory where we were logging this data.
We found hundreds of separate systems that were transmitting this kind of data without authorization. We were planning a massive internal sweep to find and fix them all, when the following came down from management:
Shut it down. Remove the device. Destroy all logs, emails, EVERYTHING. Offer the vendor a payment in return for signing an NDA. All employees required to sign secrecy docs (unenforceable at that level of govt, but still.)
I believe this is how the acronym SNAFU came into existence.
Basically, yeah (Score:4, Interesting)
I got my first job in the industry due to that sort of screw-up. A network administrator was "let go" following a server crash and loss of months' worth of data. The backup system hadn't been working. I was hired shortly thereafter to get things back in order.
Now, that would be the end of the story, except that I was good friends with this administrator. The embarrassing subject of his dismissal didn't come up for about three years, but when it did, and I mentioned my surprise at a fairly intelligent guy allowing backups to lapse for that amount of time, he dug up an e-mail he'd sent to the president of the company, cc'ing the head of HR (who was more or less running the show, for some reason), pointing out the various problems they had - their "server," an old workstation, had been running for two years on a three-month evaluation copy of Windows Server 2000, there were no backup tapes working, and so on. The only excuse they could have had was that the backup thing was buried in a page-long list of serious issues. But when it blew up in their faces, they pinned it on the closest available peon. Assholes.
Re: Changing Passwords (Score:2, Interesting)
Places where I've worked that users were required to change their password regularly invariably had the same password but with an incremented number at the end every time they needed to change the password. This allowed them to remember it more easily, be effectively meant they were using the same password.
The more stringent that the password requirements become, the more likely it is that users are going to start writing them down somewhere or trying to come up with workarounds so that they can remember them. And in turn, you have another security issue.
Everywhere I have worked has also have a review of brute force password hacking attempts. :-)
Typical Navy Response (Score:2, Interesting)
As a former US Navy nuclear engineer, I informed management of material and procedural problems related to the nuclear reactor plant on board the USS La Jolla on a weekly basis. Have you ever gone to your boss with a technical manual that perfectly explains the "unexplainable problem" he's having, have him brush you off, and less than a week later that problem destroys a major system, causing millions of dollars in damage and endangering the entire ship? I have. I'm pretty sure none of my complaints were ever addressed except on the one or two occasions where I threatened to bypass management and complain to a newspaper. That's pretty standard Navy leadership. When you're dealing with a culture where everyone starts at the bottom, the best and brightest leave, and whatever's left gets promoted, that's the kind of technical management you get.
Re:in this cases it may be out side vendors / cont (Score:4, Interesting)
Which is a perfect example of incompetence.
Re:Posting anonymously for obvious reasons... (Score:5, Interesting)
I've worked in the physical security field (cameras, key cards, alarm systems, etc.) for the past eight years, and can tell you that Target's HVAC vendor is in no way unusual. I know of a large security vendor that uses the same username/password combination on every every customer that they ever touch, nationwide, and at most of them they are administrators on the security server. At a lot of them they have remote access.