Attacks/Breaches
2/6/2014
10:30 AM

Target Breach: HVAC Contractor Systems Investigated

Hackers may have used access credentials stolen from refrigeration and HVAC system contractor Fazio Mechanical Services to gain remote access to Target's network.


Did the attackers behind the Target breach hack their way in using access credentials stolen from the retailer's environmental systems contractor?

Investigators from the Secret Service, which is leading the government's investigation into the Target breach, recently visited the offices of Fazio Mechanical Services, a refrigeration and HVAC (heating, ventilation, and air conditioning) systems provider based in Sharpsburg, Penn., security journalist Brian Krebs first reported Wednesday. Officials at Fazio reportedly confirmed -- but otherwise declined to comment on -- the Secret Service visit.

According to unnamed sources cited by Krebs, investigators now believe that Target's attackers first accessed the retailer's network on November 15, 2013, using access credentials that they'd stolen from Fazio Mechanical Services. Theoretically, those access credentials allowed attackers to gain a beachhead inside Target's network, and from there access and infect other Target systems, such as payment processing and point-of-sale (POS) checkout systems.

As of Thursday, Fazio's website was temporarily inaccessible, "due to the site owner reaching his/her bandwidth limit," an error message read. But according to a cached version of the website, the firm serves as a refrigeration and HVAC contractor, and was also responsible for "renovation and new refrigeration systems" at Target stores in Hilliard, Ohio, and Columbia, Md., and for similar projects at a variety of other facilities, including various Shop 'n Save, Trader Joe's, and Whole Foods stores.

Why might Fazio Mechanical Services have had access to Target's network? The answer is because Target -- like any other organization that manages a relatively modern store, factory, or office building -- likely relies on refrigeration and HVAC systems that can be remotely managed by a third party. These contractors monitor and adjust environmental controls. In supermarkets, they also keep a close watch on refrigeration systems.

[Data breaches are taking place in just about every industry. Read Texas Hospital Discloses Huge Breach.]

"HVACs are IP-addressable appliances now, which means they have network access and logins," Dwayne Melancon, CTO of Tripwire, said in an emailed statement. Accordingly, "it wouldn't be unusual for contractors to have an HVAC login," to be able to remotely manage settings, or troubleshoot related device or network problems.

Questions relating to the Target hack will no doubt now center on the security processes in place at Fazio, as well as the controls in place at Target, which -- per Payment Card Industry Data Security Standards (PCI-DSS) regulations -- is liable for any of its third-party contractors' security shortcomings. Notably, PCI requires that merchants "incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties."

One challenge when granting remote access to a third party, however, is that multiple employees may have access to those login credentials. "Technology vendors aren't your typical remote users," said Jeff Swearingen, CEO of SecureLink, which sells remote-access security software, in an emailed statement. "One vendor may have thousands of technicians that require access on a revolving basis. Login credentials issued to Todd on Tuesday may be used by Wendy on Wednesday, and so on."

That raises several questions: Did Target secure Fazio's access to its network using two-factor authentication? What level of network access did Target grant to Fazio, and was Target actively monitoring that access? Finally, were Target's HVAC appliances located on an isolated network segment that should have prevented attackers from accessing other network-connected systems? Asked those questions via email Thursday, Target spokesperson Molly Snyder responded: "Because this is a very active and ongoing investigation, I don't have any additional details at this time."
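As an added illustration (not from the article, and not code from Target's or Fazio's environment), the following Python detector runs over constructed remote-access log lines and flags the two conditions the questions above concern: a vendor account reaching hosts outside the segment it was granted, and one set of credentials in use from two different source addresses within a short window, which is what shared technician logins look like in practice. The account name, addresses, log format and segment policy are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, vendor account,
# source IP of the remote session, destination host reached through it.
SAMPLE_LOG = """\
2013-11-15T08:02:11 hvac-vendor 198.51.100.7 10.20.0.15
2013-11-15T08:03:40 hvac-vendor 198.51.100.7 10.20.0.16
2013-11-15T08:05:02 hvac-vendor 203.0.113.44 10.20.0.15
2013-11-15T08:09:27 hvac-vendor 203.0.113.44 10.90.4.21
2013-11-15T08:11:00 hvac-vendor 198.51.100.7 10.20.0.17
"""

# Assumed policy: the HVAC vendor account may only reach the building-automation
# segment (10.20.0.0/24 here); 10.90.4.0/24 stands in for a store POS segment.
ALLOWED_SEGMENTS = {"hvac-vendor": [ipaddress.ip_network("10.20.0.0/24")]}
# One credential seen from two different source addresses inside this window
# is treated as a shared-login indicator.
CONCURRENCY_WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Parse the constructed log format into (timestamp, user, src, dst) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), user,
                       ipaddress.ip_address(src), ipaddress.ip_address(dst)))
    return events


def find_alerts(events):
    """Return segment-violation and shared-credential alerts, oldest first."""
    alerts = []
    seen = defaultdict(list)   # user -> [(timestamp, source IP)]
    reported = set()           # (user, {src_a, src_b}) pairs already alerted
    for ts, user, src, dst in sorted(events):
        if not any(dst in net for net in ALLOWED_SEGMENTS.get(user, [])):
            alerts.append(("segment_violation", user, str(src), str(dst)))
        # Other source addresses this account used within the window
        others = [s for t, s in seen[user] if ts - t <= CONCURRENCY_WINDOW and s != src]
        for other in others:
            key = (user, frozenset({src, other}))
            if key not in reported:
                reported.add(key)
                alerts.append(("concurrent_sources", user, str(src), str(other)))
        seen[user].append((ts, src))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample above the detector raises exactly two alerts: the second source address using the same vendor login minutes after the first, and the session that reaches the POS segment.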

While the exact details of the attack have yet to be disclosed, the results are well known: Hackers stole 40 million credit and debit cards, as well as personal information on 70 million Target customers.

Target initially said that attackers stole that data between November 27 and December 15, when the discount retailer discovered the malware infection. But this week, Target chief financial officer John Mulligan said in a Senate Judiciary Committee hearing that the malware persisted undetected on 25 more checkout systems until December 18, resulting in the compromise of fewer than 150 more credit card numbers.

The news that Fazio Mechanical Services is now being eyed by investigators comes after Target disclosed last week that its breach involved stolen third-party vendor credentials. At the time, some reports focused on BMC Software as being the unnamed third party in question.

But BMC Software, which sells BladeLogic and other types of software, has vigorously denied that charge. In a statement issued last week, BMC noted that two supposed clues from the Target breach seen by security researchers -- a file named "bladelogic.exe" that was tied to the POS malware used, as well as attackers' use of a password supposedly mentioned in official BMC documentation -- had nothing to do with BMC.

"BMC has confirmed that the password mentioned in the press is not a BMC-generated password," BMC Software said in a statement. It also cited a McAfee study, which reported that the POS malware's reference to "bladelogic" was only "a method of obfuscation." In other words, the developers behind the malware appear to have disguised their attack code and related processes with names which, upon casual inspection, would look innocuous.

"At this point, there is nothing to suggest that BMC BladeLogic or BMC Performance Assurance has a security flaw or was compromised as part of this attack," said BMC.


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
awinter015
User Rank: Apprentice
3/11/2014 | 10:26:01 AM
Anyone ever hear about VLANs?
The idea that a contractor was on a shared network with other systems is mind-boggling. The technology to segment networks and limit access of users has been around for years. Even in small environments we segment customers from one another, accounting systems from general systems, etc. So if we can do it as a small IT service provider, why can't the big guys do it?

mak63
User Rank: Apprentice
2/9/2014 | 10:10:52 PM
Re: answers
I couldn't agree with Mr. Gezelter and you more.

As someone on the InformationWeek staff recently told me: "live and learn." Too bad the customers will suffer the most for something that could've been avoided.
Michael Endler
User Rank: Apprentice
2/8/2014 | 5:01:22 PM
Re: answers
"As isolated as a driver in Los Angeles in the rush hour. Again, because we know about the breach, the answer is that the HVAC appliances were not isolated as they should have been."

This seems like the big failing. Bob Gezelter alluded to it in his post too:

"There is simply no reason why the network access granted to an HVAC contractor for monitoring HVAC equipment should have included access to the production transactional data network. Being somewhat speculative, the POS terminals and supporting systems should have been in a separate network compartment, with an encrypted tunnel connecting the store-located systems to the transactional back end systems serving the corporation."

I can't see why the HVAC techs were connected to a network that included Target's customer data.
mak63
User Rank: Apprentice
2/8/2014 | 12:28:31 AM
answers
Did Target secure Fazio's access to its network using two-factor authentication?

Probably I'm wrong for saying this, but if the credentials were stolen, what difference would it have made how many levels of authentication you had in place?

What level of network access did Target grant to Fazio?

There was a breach, so the answer is clear to me. Pretty much all that the hackers needed.

Were Target's HVAC appliances located on an isolated network segment that should have prevented attackers from accessing other network-connected systems?

As isolated as a driver in Los Angeles in the rush hour. Again, because we know about the breach, the answer is that the HVAC appliances were not isolated as they should have been.
mak63
User Rank: Apprentice
2/8/2014 | 12:09:09 AM
Re: The Internet of...
@Somedude8

If the antivirus fails to detect malware in the microwave, we're doomed, dooomed, and we'll also get sick from eating uncooked food. Luckily the TV will know this and will recommend Alka-Seltzer or something like that.
Drew Conry-Murray
User Rank: Ninja
2/7/2014 | 10:13:52 AM
Re: The Internet of...
How many hops from an HVAC system to a cash register? The Internet of Things is going to be a hoot.
Bob Gezelter
User Rank: Apprentice
2/7/2014 | 8:39:51 AM
Compartmented Networks are important; Access should require "Need to Know"
Sadly, the reported pathology represents a long-solved problem. Since the mid-1990s, it has been well understood that protecting devices connected to a network requires more than a single level of protection. The access limitations to different groups of systems cannot be implemented by a single set of firewall rules. This was noted in my Security on the Internet chapter in the 1995 Computer Security Handbook, 3rd Edition (Hutt, Bosworth, and Hoyt; Wiley). My 2008 presentation on Compartmented Networks from the 11th New York State Cybersecurity Conference described how to implement and use such networks.

There is simply no reason why the network access granted to an HVAC contractor for monitoring HVAC equipment should have included access to the production transactional data network. Being somewhat speculative, the POS terminals and supporting systems should have been in a separate network compartment, with an encrypted tunnel connecting the store-located systems to the transactional back end systems serving the corporation.

Such a network topology greatly limits the ways in which a critical system can be compromised.

- Bob Gezelter, http://www.rlgsc.com; Contributing Editor, Computer Security Handbook (3rd, 4th, 4th, and 6th Editions)
Charlie Babcock
User Rank: Strategist
2/6/2014 | 5:48:36 PM
Breach of outside consultant opened up Pacific NW National Labs
It was an outside, off-premises researcher whose computer workstation was compromised that gave hackers access to the Pacific Northwest National Labs in its July 2011 security breach. It's very hard for a good IT organization to know what all of its contractors are doing.
Marilyn Cohodas
User Rank: Strategist
2/6/2014 | 3:58:48 PM
Re: The Internet of...
This really demonstrates that the convergence of physical security with IT security has definitely arrived... Be warned!
Somedude8
User Rank: Apprentice
2/6/2014 | 1:10:54 PM
The Internet of...
The Internet of Everything is a Security Risk!

Soon comes the day where I might get malware on my shower head because I didn't update the antivirus on my microwave oven, which spread to my tablet when I turned on the shower from downstairs using the tablet, which spread to my TV when I used the tablet as a remote control. Suddenly, I am seeing ads for V1@GRA scrolling across the bottom of the TV while watching Netflix.

Good thing the antivirus on my home security system is telling me that it protected me from 7,419 new threats since I last turned on the alarm.