Brian Krebs, intrepid chronicler of the Target breach, has uncovered yet another cog in the criminal gearbox behind Target’s data disaster.
Target lost some 40,000,000 payment card records and 70,000,000 other records featuring the personal information of what the company quaintly calls its “guests.”
We already think we know how the cybercriminals moved data around once they were inside the network.
That part of the attack used a shabbily-coded service process with a hardwired password – as we discussed in the latest Chet Chat podcast. (The Target piece starts at 8’49” into the podcast.)
But Krebs’s latest article provides a likely-sounding explanation of how the criminals breached the network in the first place.
Rather casually oversimplified, the crooks tailgated the cleaners.
Actually, that wasn’t what happened – neither literally, of course, because the crooks did their dirty work remotely; nor figuratively, because it was supposedly an HVAC company (heating, ventilation and air conditioning), not a cleaning company.
Nevertheless, it was tailgating of a sort, and it might well be a slip-up that could happen in your own organisation.
Having said that, my first thought, on reading Brian’s piece, was that his explanation sounded preposterous.
Why would someone who maintains your aircon need remote access to your network?
Emergency access to the server room, perhaps, to tweak the settings on the plant itself if there’s a snowstorm (or a heatwave) between Christmas and New Year.
But remote access to your whole corporate network?
It turns out, however, that heating and cooling in retail stores aren’t just important services: they’re as vital to opening for business, and taking money off customers, as your cash registers.
More vital, perhaps: if your cash registers are offline at 2am when no-one is shopping, you won’t lose any sales, but if your air conditioning gets out of whack overnight, you might not be able to admit customers to your store at all in the morning.
Apparently, therefore, many HVAC companies have remote access to retail company networks in order to keep an eye out for heating and cooling problems.
That needn’t be a recipe for disaster, but in Target’s case, it sounds as though:
1. The third-party company wasn’t required to use any sort of two-factor authentication.
2. The network used by the third-party company and the network used for retail payments weren’t segregated.
Note. Brian Krebs has published an update from the third party in which the company states that it did not provide HVAC services to Target. Rather, it enjoyed remote access “exclusively for electronic billing, contract submission and project management.” We’re not sure whether that makes lapses (1) and (2) easier or harder to forgive.
If you’re going to let outsiders onto your network, especially if you are admitting them for a specific purpose, rather than as part of a general network management project, you simply can’t afford not to apply the “divide and conquer” principle.
After all, just as you don’t want the aircon guy installing unknown software on your cash registers, you don’t want the payment card chaps messing with your heating and cooling systems, either.
One commonly-heard objection to “divide and conquer” is that it can be complicated and expensive, and makes rapid response harder in an IT emergency.
What you need to watch out for, though, is that by making emergency response easier, you don’t make things easier for intruders at the same time.
If you do, you make it paradoxically more likely that you’ll end up with an emergency to respond to…
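To make the “divide and conquer” point concrete, here is an added example that is not part of the original article and does not describe any real retailer’s configuration: a small Python model of a zone-based firewall policy, with a catch-all “flat” ruleset beside a default-deny one that gives the vendor exactly the billing portal it needs and nothing else. The address plan, zone names and port list are constructed for illustration.

```python
"""Zone-based segmentation check: a flat catch-all ruleset beside a default-deny one."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical address plan, constructed for this example (not any real retailer's network).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "vendor_vpn": ipaddress.ip_network("10.50.0.0/24"),   # third-party remote-access pool
    "billing":    ipaddress.ip_network("10.20.10.0/24"),  # e-billing / project-management servers
    "corp":       ipaddress.ip_network("10.10.0.0/16"),   # general corporate LAN
    "pos":        ipaddress.ip_network("10.90.0.0/16"),   # point-of-sale / cardholder data
}


@dataclass(frozen=True)
class Rule:
    src: str              # zone name or "any"
    dst: str              # zone name or "any"
    dport: Optional[int]  # TCP port, or None for any port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dport: int


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; None means it is not in any known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation. Traffic matching no rule is denied (default deny)."""
    s, d = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    for r in rules:
        if r.src != "any" and r.src != s:
            continue
        if r.dst != "any" and r.dst != d:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "deny"


def leaks(rules: List[Rule], src_zone: str, dst_zone: str,
          ports=(22, 80, 443, 445, 1433, 3389, 5900)) -> List[int]:
    """Ports on which src_zone can reach dst_zone; an empty list means the zones are isolated."""
    src = str(next(ZONES[src_zone].hosts()))
    dst = str(next(ZONES[dst_zone].hosts()))
    return [p for p in ports if evaluate(rules, Flow(src, dst, p)) == "allow"]


# Weak: one catch-all allow. Functionally a flat network; the vendor pool can reach the tills.
FLAT = [Rule("any", "any", None, "allow")]

# Corrected: the vendor gets the billing portal over HTTPS and nothing else;
# anything not listed falls through to the default deny.
SEGMENTED = [
    Rule("vendor_vpn", "billing", 443, "allow"),
    Rule("vendor_vpn", "any", None, "deny"),
    Rule("corp", "billing", 443, "allow"),
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"{name}: vendor->billing/443 =",
              evaluate(rules, Flow("10.50.0.17", "10.20.10.5", 443)))
        print(f"{name}: vendor->pos reachable on ports", leaks(rules, "vendor_vpn", "pos"))
```

The `leaks` helper is the part worth keeping: it turns the principle into a regression test. If someone later adds a convenience rule so that the aircon contractor, or the on-call engineer, can get to the store network “just for emergencies”, the vendor-to-POS check fails in the change review rather than in the breach report.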
Image of perpetual motion gearbox assembly courtesy of Shutterstock.
One of my grandkids used to work for a retail chain… I thought it was very odd that the store’s thermostat control was not local to the store, but from a regional office. I wonder just how many chain stores are just as easily compromised? Scary!
It is interesting to note the professional approach these crooks took. Brian Krebs wrote
…
Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores.
Those same sources said the attackers used this time to test that their point-of-sale malware was working as designed.
…
So they tested their software before releasing it. Yes, their actions are unacceptable, but if the Target IT people had been as professional, this activity, as you have shown, could have been prevented.
That made me smile too – they had a sort of “beta trial”, or so it seems. (I was going to put a smiley there, but perhaps I oughtn’t.)
At my place of employment, we walk any vendors around and they are never alone in our server room or any place the public isn’t allowed. One of them had stated that we were the only place that escorted him around that his company worked with. Including the water treatment centers.
Good on ya!
Isn’t that the argument the NSA has? “it’s easier to respond to emergencies” when really, it just lessens security and opens the door for more of those emergencies to occur?
And who really needs access for project management purposes at 2am?
I would argue that when these networks are segregated, responding to emergencies is easier if you have a professional IT staff and a well-designed and documented network.
I can’t believe that a company so large failed to implement any sort of two-factor authentication. The only reasons I can think of are the expense factor or the usability. But even those reasons are not fair. Some simple research by their IT department and they could have found several options for 2FA solutions. Maybe now we can trust that companies will take securing our information more seriously.
“Maybe now we can trust that companies will take securing our information more seriously.”
Well, maybe now we can trust that Target will take security “more seriously”, but ALL companies? I hate to admit it, but it’s unlikely. “It can’t happen here” syndrome is pretty deeply entrenched. I mean, how many people do you know who don’t even back up their system drive on a daily basis? To me it’s unthinkable, but to them…well, they don’t even think about it.
Besides, I suspect that most companies’ attitude is that they already take security seriously. I’ll bet that’s what the Target folks believed before this disaster.
The problem is that there’s no uniform, universally accepted definition of what “taking security seriously” means (…uh, notwithstanding the yeoman efforts of NakedSecurity). What’s more, it means something different in different contexts. A nationwide brick and mortar retailer’s security requirements differ from those of a sole proprietorship whose only interface is a website, and those in turn are not identical to best practices for a home computer user.
But whether you meant to or not, you’ve probably stated the nature of the entire security issue in the most fundamental way possible — namely, that the solution is for people — not just companies, but EVERYONE — to take security more seriously. That means knowing what the best security practices are for every level on which they interact with others, or with information systems.
After all, companies are composed of people, and if everyone were thinking about security, the bad guys would have a much tougher time doing their bad stuff.
I think as people in different management positions move up the ladder and across the different levels, with their job functions changing, there may be shifts in how the security is applied. If there is not a continuation of the previous structure, the vulnerabilities may be found.