Security Firm Breaks Down What Went Wrong With Target Breach - HotHardware

Although news about Target’s huge data breach broke almost two months ago, the post-mortem has continued, and a security firm has posted a detailed breakdown of what went wrong. The story is unnerving, to say the least: it is not so much about system-wide failures or anything so grand as it is about how all it takes for an organization with so many moving parts to fall apart is one weak link and some good old-fashioned phishing.

It’s already been established that the breach appears to have emanated from a malware email phishing attack on a Pennsylvania HVAC company called Fazio Mechanical that contracts with Target. The thief made off with network credentials that Target had issued the company using what was likely the password-swiping Citadel malware.


KrebsOnSecurity reported that Fazio Mechanical was using the free version of Malwarebytes Anti-Malware for protection, which was problematic because the free version doesn’t have real-time protection--only on-demand malware scanning.

Once the cybercriminals had those network credentials, it was all downhill. They accessed Ariba, the third-party payment system that Target uses for contractors, as well as Target’s Partners Online and Property Development Zone Portal.

KrebsOnSecurity spoke to an unnamed former member of Target’s network security who speculated that the hackers may have then used a backdoor to gain entry to Target’s own systems. “I know that the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application,” said the source.

[Image: Target charge it. Image Source: Flickr (MikeKalasnik)]

The fact that it was Fazio Mechanical that turned out to be the weak link in the chain is probably ultimately coincidental, as the company was likely one of many that were caught up in a shotgun blast-style email phishing effort. The hackers--and anyone else--likely uncovered a public Target web page that lists many of the companies Target contracts with as well as a page that details how to submit work orders. Microsoft Excel documents on the page contain metadata including the Windows username of the person who last edited a given file as well as an easily decipherable code for the server location where the file resides. That information would have made it easier for the hackers to finish harvesting and moving the pilfered data.

Again, what’s most disturbing about this case is that the hackers were able to launch a phishing attack using what is essentially publicly available data. And even if those vendor lists and work order submission instructions were password-protected, that’s information that all vendors who work with Target would know, so it’s not like that information would be terribly difficult to come by.

True, Fazio Mechanical should have had better malware protection, and it’s possible that Target’s payment system was not completely in compliance with PCI security standards, but given the above, how many major companies are vulnerable to the same type of attack?

Seth - it sounds like you work for Target and/or Fazio. This will in all likelihood put Target out of business and you are soft-pedaling it, like it is standard in the business to have lax security.


Nnnnnope. You're missing the point(s).

1) It's way too easy for a determined hacker to acquire the necessary data to perform an attack like this on virtually any company.

2) Even with stringent security measures, phishing can circumvent almost anything, because humans have the keys and humans can be tricked into giving the keys to a criminal.

There's a larger issue here than just Target or Fazio. No one's saying they did everything right (in the case of Fazio, they definitely screwed up), but it could have been a hack on just about any big company via any number of that company's contractors.

Also, if you think this will put Target out of business, you must live on a different planet than the rest of us or something.


Well, they are self insured, only have about 1.2 billion in reserve to cover this thing and they have no customers.


He may have a point. I haven't been to Target since I heard of the breach, and I don't plan to either.

Any company that can't keep data secure ~all of the time~ has no business with my card's information on their servers. They offered me a year's worth of free credit security and I took it, but I don't plan on shopping with them again for a long, long time.


Target isn't going anywhere... Let's not kid ourselves. Sure, their reputation has been affected, but people will forget and it will be back to business as usual.

I'm wondering why an HVAC company was issued credentials with so much access on the network.

Contractors should be in a totally separate OU and be set to expire very shortly after being issued.
