Attacks/Breaches
2/7/2014
04:48 PM
Connect Directly
RSS
E-Mail
50%
50%

Target Compromised Via Its HVAC Contractor's Network Credentials

Attackers compromised credentials for a third party and were off to the races -- leaving a key concept of network security in the dust

In the movies, the sight of a burglar sneaking into a building through an air duct is not uncommon. But a hacker compromising credentials belonging to a HVAC company? Not so much.

Yet that appears to be what happened in the Target breach late last year. In this case, hackers are believed to have stolen network credentials belonging to Fazio Mechanical Services, a provider of refrigeration and HVAC systems, and used them to ultimately compromise Target's point-of-sale systems with malware.

In a statement, the company says its data connection with Target was "exclusively for electronic billing, contract submission and project management," and that it does not remotely monitor or control heating, cooling, and refrigeration systems for Target.

"Like Target, we are a victim of a sophisticated cyber attack operation," according to the company. "We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches."

If theft of user credentials from Fazio is at fault, then the breach has just shined a light on a key concept of network security: segmentation.

"Attackers do not always break into your computer network using exploit code," says Tom Cross, director of security research at Lancope. "In this case, the attackers reportedly used a valid login and password, and they logged right in. Many organizations aren't prepared to defend themselves against that kind of attack scenario -- they are looking for traditional attacks, and they cannot identify a situation where a 'valid' user on the network is behaving anomalously and might be compromised."

Interestingly, segmenting payment systems from other systems on the network is not part of the requirements of the Payment Card Industry Data Security Standard , something people have argued about for years, Gartner analyst Avivah Litan notes.

"Frankly, I think their hands-off approach, which does include gentle guidance, makes sense here," she says. "Companies with large networks know they have to segment their cardholder data environment because otherwise their entire network is in scope of the PCI audit. So this is generally where retailers and other card accepting companies start. And in a way, the less prescription from PCI on this the better because this is an area where technology advanced quickly."

"There are lots of things you do to segment a network -- i.e., firewalls, IPS, DLP, strong access controls ... I'm sure they did that. They just must have missed a hole or two," she says. "It's tough -- very tough -- to secure thousands of [endpoints]."

Nevertheless, organizations that have opened their businesses and networks to third parties have to understand the risk associated with allowing users from outside of the company to access internal resources, says Mike Denning, senior vice president and general manager of CA Technologies' security business. Companies need to segregate groups of users and treat vendors, employees, and their access privileges differently and ensure their network architecture is built to prevent unauthorized access into other systems.

"They also have to understand the scope of control they have around a contractor is not as strong as an internal employee," Denning says. "For example, there is no control over the contractor’s IT system or its best practices for security."

While network segmentation may not be stressed in PCI, checking logs is [section 10.6]. Analyzing log data should have alerted Target to what was happening, argues security researcher Vinny Troia, founder of Night Lion Security. Point-of-sale terminals and IT systems at Target can probably generate gigabytes of data per day. But an abundance of log data is not justification for ignoring the logs, says Troia.

"My personal experience has shown me that a major problem with many organizations today is that security always takes a back seat to finance," he says. "Without a mature risk or governance program in place, security usually does not have representation in the executive boardroom and is often pushed aside for the sake of cutting costs or rapid progress. In every situation where I have witnessed executives sacrifice security at the start of a process or program for the sake of saving money, the cost of retrofitting security into an existing solution often ends up costing considerably more to implement."

"That lack of structure and governance within organizations is why I believe that chips within credit cards will inevitably fail," Troia adds. "If we rush to implement credit cards with encrypted data, companies will [be able to] rely on the encryption of the cards, rather than the security of their own systems. Every time money is spent developing an unbreakable solution, it is inevitably broken -- remember Sony’s copy protection being cracked with a marker? If we switch the focus of security to these new cards, it will just create an even bigger hole once the encryption is broke."

In congressional testimony (PDF) Feb. 4, Target CFO John Mulligan said that the company is undertaking an end-to-end review of entire network and will make any appropriate security enhancements.

"We had in place multiple layers of protection, including firewalls, malware detection software, intrusion detection and prevention capabilities and data loss prevention tools," Mulligan says in his testimony. "We perform internal and external validation and benchmarking assessments. And, as recently as September 2013, our systems were certified as compliant with the Payment Card Industry Data Security Standards."

"To prevent this from happening again, none of us can go it alone," he continues. "We need to work together. Updating payment card technology and strengthening protections for American consumers is a shared responsibility and requires a collective and coordinated response. On behalf of Target, I am committing that we will be an active part of that solution."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
shjacks55
50%
50%
shjacks55,
User Rank: Apprentice
3/7/2014 | 5:20:04 AM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
Fazio wasn't involved in Nieman Marcus exploit. The skeptic in me sees Fazio as misdirection "bread crumbs".
shjacks55
50%
50%
shjacks55,
User Rank: Apprentice
3/7/2014 | 5:18:33 AM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
All the major retailer use Software Automation to push updates from the corporate data center to the individual store servers to the POS equipment. Although many block ports (e.g. 3389), the ability of the corporate data center to manage machines remotely always allows access. Corporations (run by managers) place more emphasis on loss prevention by low level employees and customers than the great magnifying effect of errors by upper management.
Chris Yannella
50%
50%
Chris Yannella,
User Rank: Apprentice
2/13/2014 | 10:06:38 PM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
Anyone at Target ever hear of vlans? Lets just put the entire stores networked devices on one connected switch said no one ever. Probably had the hvac, lrt's, pdt's, registers, workstations, store servers all on one network. Dumb. AP's camera systems are probably all tied in there too. Dumb.
AccessServices
50%
50%
AccessServices,
User Rank: Apprentice
2/10/2014 | 7:34:40 PM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
I agree with problem identified with putting chips in credit cards. Has anyone thought about using PKI from the card to the bank? So my card has a pubic and private certificate inside of it. I would connect the card to the merchant's reader where an encrypted tunnel would be built between the reader and the bank. The PAN and PIN would be sent over this tunnel encrypted. The merchant would only see a response from the bank that the transaction was approved. The only audit would be on the readers. This model breaks down for online purchases where card holders could either purchase home readers or banks would use cell phones or email for two factor authentication.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3304
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

CVE-2013-7409
Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

CVE-2014-3446
Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

CVE-2014-3584
Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

CVE-2014-3623
Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.