Attacks/Breaches
2/7/2014
04:48 PM
Connect Directly
RSS
E-Mail
50%
50%

Target Compromised Via Its HVAC Contractor's Network Credentials

Attackers compromised credentials for a third party and were off to the races -- leaving a key concept of network security in the dust

In the movies, the sight of a burglar sneaking into a building through an air duct is not uncommon. But a hacker compromising credentials belonging to a HVAC company? Not so much.

Yet that appears to be what happened in the Target breach late last year. In this case, hackers are believed to have stolen network credentials belonging to Fazio Mechanical Services, a provider of refrigeration and HVAC systems, and used them to ultimately compromise Target's point-of-sale systems with malware.

In a statement, the company says its data connection with Target was "exclusively for electronic billing, contract submission and project management," and that it does not remotely monitor or control heating, cooling, and refrigeration systems for Target.

"Like Target, we are a victim of a sophisticated cyber attack operation," according to the company. "We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches."

If theft of user credentials from Fazio is at fault, then the breach has just shined a light on a key concept of network security: segmentation.

"Attackers do not always break into your computer network using exploit code," says Tom Cross, director of security research at Lancope. "In this case, the attackers reportedly used a valid login and password, and they logged right in. Many organizations aren't prepared to defend themselves against that kind of attack scenario -- they are looking for traditional attacks, and they cannot identify a situation where a 'valid' user on the network is behaving anomalously and might be compromised."

Interestingly, segmenting payment systems from other systems on the network is not part of the requirements of the Payment Card Industry Data Security Standard , something people have argued about for years, Gartner analyst Avivah Litan notes.

"Frankly, I think their hands-off approach, which does include gentle guidance, makes sense here," she says. "Companies with large networks know they have to segment their cardholder data environment because otherwise their entire network is in scope of the PCI audit. So this is generally where retailers and other card accepting companies start. And in a way, the less prescription from PCI on this the better because this is an area where technology advanced quickly."

"There are lots of things you do to segment a network -- i.e., firewalls, IPS, DLP, strong access controls ... I'm sure they did that. They just must have missed a hole or two," she says. "It's tough -- very tough -- to secure thousands of [endpoints]."

Nevertheless, organizations that have opened their businesses and networks to third parties have to understand the risk associated with allowing users from outside of the company to access internal resources, says Mike Denning, senior vice president and general manager of CA Technologies' security business. Companies need to segregate groups of users and treat vendors, employees, and their access privileges differently and ensure their network architecture is built to prevent unauthorized access into other systems.

"They also have to understand the scope of control they have around a contractor is not as strong as an internal employee," Denning says. "For example, there is no control over the contractor’s IT system or its best practices for security."

While network segmentation may not be stressed in PCI, checking logs is [section 10.6]. Analyzing log data should have alerted Target to what was happening, argues security researcher Vinny Troia, founder of Night Lion Security. Point-of-sale terminals and IT systems at Target can probably generate gigabytes of data per day. But an abundance of log data is not justification for ignoring the logs, says Troia.

"My personal experience has shown me that a major problem with many organizations today is that security always takes a back seat to finance," he says. "Without a mature risk or governance program in place, security usually does not have representation in the executive boardroom and is often pushed aside for the sake of cutting costs or rapid progress. In every situation where I have witnessed executives sacrifice security at the start of a process or program for the sake of saving money, the cost of retrofitting security into an existing solution often ends up costing considerably more to implement."

"That lack of structure and governance within organizations is why I believe that chips within credit cards will inevitably fail," Troia adds. "If we rush to implement credit cards with encrypted data, companies will [be able to] rely on the encryption of the cards, rather than the security of their own systems. Every time money is spent developing an unbreakable solution, it is inevitably broken -- remember Sony’s copy protection being cracked with a marker? If we switch the focus of security to these new cards, it will just create an even bigger hole once the encryption is broke."

In congressional testimony (PDF) Feb. 4, Target CFO John Mulligan said that the company is undertaking an end-to-end review of entire network and will make any appropriate security enhancements.

"We had in place multiple layers of protection, including firewalls, malware detection software, intrusion detection and prevention capabilities and data loss prevention tools," Mulligan says in his testimony. "We perform internal and external validation and benchmarking assessments. And, as recently as September 2013, our systems were certified as compliant with the Payment Card Industry Data Security Standards."

"To prevent this from happening again, none of us can go it alone," he continues. "We need to work together. Updating payment card technology and strengthening protections for American consumers is a shared responsibility and requires a collective and coordinated response. On behalf of Target, I am committing that we will be an active part of that solution."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
shjacks55
50%
50%
shjacks55,
User Rank: Apprentice
3/7/2014 | 5:20:04 AM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
Fazio wasn't involved in Nieman Marcus exploit. The skeptic in me sees Fazio as misdirection "bread crumbs".
shjacks55
50%
50%
shjacks55,
User Rank: Apprentice
3/7/2014 | 5:18:33 AM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
All the major retailer use Software Automation to push updates from the corporate data center to the individual store servers to the POS equipment. Although many block ports (e.g. 3389), the ability of the corporate data center to manage machines remotely always allows access. Corporations (run by managers) place more emphasis on loss prevention by low level employees and customers than the great magnifying effect of errors by upper management.
Chris Yannella
50%
50%
Chris Yannella,
User Rank: Apprentice
2/13/2014 | 10:06:38 PM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
Anyone at Target ever hear of vlans? Lets just put the entire stores networked devices on one connected switch said no one ever. Probably had the hvac, lrt's, pdt's, registers, workstations, store servers all on one network. Dumb. AP's camera systems are probably all tied in there too. Dumb.
AccessServices
50%
50%
AccessServices,
User Rank: Apprentice
2/10/2014 | 7:34:40 PM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
I agree with problem identified with putting chips in credit cards. Has anyone thought about using PKI from the card to the bank? So my card has a pubic and private certificate inside of it. I would connect the card to the merchant's reader where an encrypted tunnel would be built between the reader and the bank. The PAN and PIN would be sent over this tunnel encrypted. The merchant would only see a response from the bank that the transaction was approved. The only audit would be on the readers. This model breaks down for online purchases where card holders could either purchase home readers or banks would use cell phones or email for two factor authentication.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

CVE-2014-2356
Published: 2014-07-30
Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.

Best of the Web
Dark Reading Radio