
Attacks/Breaches

11/7/2014
12:50 PM

New Details Of Home Depot Attack Reminiscent Of Target's Breach

Home Depot says this year's massive payment card breach began when hackers gained access to its network using a third-party vendor's login; 53 million customer email addresses were also exposed.

Home Depot's statement Thursday that the criminals who stole payment card data from its networks this year gained access using a third-party vendor's stolen credentials suggests the breach was very similar to the one at Target last year.

The stolen credentials alone did not provide access to the company's point of sale systems, Home Depot said in a press release. The retailer provided fresh details of its investigation of a breach that exposed data on 56 million credit and debit cards.

The hackers escalated their access privileges to work their way through Home Depot's network and deploy "unique, custom-built malware" on its self-checkout systems in the US and Canada, the home improvement company said.

In addition to the previously disclosed theft of credit and debit card data, Home Depot said the criminals accessed files containing 53 million email addresses belonging to Home Depot customers. Though the files did not contain passwords, payment card information, or any other sensitive personal information, the company is notifying affected customers.

From its description, the Home Depot breach seems eerily similar to the one reported by Target last year. In Target's case, the data theft happened when attackers gained access to its payment network using login credentials stolen from a vendor that provided heating, ventilation, and air conditioning (HVAC) services to the retailer.

Security vendors have repeatedly held up that breach as an example of the dangers companies face in allowing business partners, suppliers, and other third parties to access their networks. Many have cited the breach as a prime example of why companies need to have controls for ensuring that all third-party access is properly restricted and segmented.

Avivah Litan, an analyst at Gartner, says the fact that Home Depot allowed an almost identical breach to happen highlights the need for retailers to respond sooner to such issues.

"The hackers have a set script on how to hack a large retailer -- and they continue to follow it with some modifications," Litan said in an email interview. "The Home Depot and Target breaches used the same techniques every step of the way. It's too bad that the attacked organizations or potential victim organizations are not agile enough to build appropriate defenses in time."

The fact that the hackers went after both payment card data and email accounts shows that criminals have begun going directly after consumers, as well, she said.

[In the end, it may have been a foreshadowing of sorts: The team assigned to squeeze potentially sensitive information from Home Depot employees in cold calls during this year's Social Engineering Capture the Flag (SECTF) competition at DEF CON 22 won the famed contest. Read Home Depot, Other Retailers Get Social Engineered.]

Tom Bain, senior vice president at security vendor CounterTack, says retailers have often tended to overlook the supply chain of partners, customers, and vendors connecting to their networks. Retailers need to get a better grasp on who is being granted access to their networks and why.

"There are just simply too many gaps along the entire supply chain," he said in an email. "For example, if suppliers are using handheld devices to process orders, the wireless connection is at risk because encryption isn't up to par or being used at all."

Richard Stiennon, chief research analyst at IT-Harvest, says breaches like the one at Home Depot also highlight the need for companies to get a better handle on privileged account management.

"Privileged accounts, of the type used by vendors of technology products to provide maintenance and support, are a rampant problem in the enterprise," Stiennon said in an email exchange.

Every organization should review the presence of those types of accounts and apply controls such as two-factor authentication, source IP or domain restrictions, and even restricted time windows for access to prevent incidents like the one at Home Depot.
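As an added example (not from the article or from anyone quoted in it), the Python below applies the three controls Stiennon lists to vendor privileged-account logins: a required second factor, a source-network restriction, and an allowed time window. The account names, networks, time windows and the authentication log are all constructed for illustration.

```python
"""Added example: check vendor privileged-account logins against per-account
MFA, source-network and time-window controls and flag the ones to review."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VendorPolicy:
    allowed_nets: tuple          # networks the vendor may connect from
    window: tuple                # (start, end) local time the vendor may connect
    require_mfa: bool = True


# Constructed policies; the account names and networks are placeholders.
POLICIES = {
    "hvac-vendor-svc": VendorPolicy((ip_network("203.0.113.0/24"),), (time(8, 0), time(18, 0))),
    "pos-maint-svc":   VendorPolicy((ip_network("198.51.100.0/25"),), (time(22, 0), time(4, 0))),
}


def violations(account, src_ip, when_iso, mfa_ok):
    """Return the control violations for one login event (empty list = allowed)."""
    policy = POLICIES.get(account)
    if policy is None:
        return ["unknown vendor account"]
    problems = []
    if policy.require_mfa and not mfa_ok:
        problems.append("no second factor")
    if not any(ip_address(src_ip) in net for net in policy.allowed_nets):
        problems.append(f"source {src_ip} outside allowed networks")
    start, end = policy.window
    t = datetime.fromisoformat(when_iso).time()
    # A window such as 22:00-04:00 wraps past midnight, so test both orientations.
    in_window = start <= t < end if start < end else (t >= start or t < end)
    if not in_window:
        problems.append(f"login at {t:%H:%M} outside window {start:%H:%M}-{end:%H:%M}")
    return problems


# Constructed authentication log: (account, source IP, timestamp, MFA completed).
SAMPLE_LOG = [
    ("hvac-vendor-svc", "203.0.113.7",  "2014-09-02T10:15:00", True),
    ("hvac-vendor-svc", "203.0.113.7",  "2014-09-02T02:40:00", True),   # after hours
    ("hvac-vendor-svc", "192.0.2.44",   "2014-09-02T11:05:00", False),  # wrong network, no MFA
    ("pos-maint-svc",   "198.51.100.9", "2014-09-03T23:30:00", True),
]


def review(log):
    """Map each flagged event to its violations; events that pass every control are omitted."""
    results = {(a, ip, ts): violations(a, ip, ts, mfa) for a, ip, ts, mfa in log}
    return {event: problems for event, problems in results.items() if problems}
```

Running `review(SAMPLE_LOG)` flags the after-hours login and the login from an unexpected network without a second factor, while the two in-policy events pass silently.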

"Of course the root cause of the spate of retailer breaches is point of sale terminals that are out of date, improperly configured, and inadequately protected," he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

mighty_archemedes, User Rank: Apprentice, 11/11/2014 | 7:54:29 PM
Re: Why are they keeping this info????
As I understand it (not that Home Depot has been especially forthcoming about it), the infected machines were POS because the malware acted much like a keylogger. After a card is swiped, the information is maintained long enough to interface with a bank, determine its validity, and make the transaction. The malware must have copied the data during that time (with a middleman approach) and sent it off to an external database, stockpiling credit card data before being harvested months later.
Generally I agree with you, there are all kinds of faults in retail cybersecurity, and Home Depot was particularly bad about it. It's hard to say how they're doing now, but recording someone's credit information is a violation of personal space and security. However, for this attack it seems to be irrelevant; the fault was elsewhere.
MichaelZ455, User Rank: Apprentice, 11/10/2014 | 5:34:42 PM
Why are they keeping this info????
This may be a really dumb question but nobody seems to be asking it. Why does {insert any company here} keep this information on file at all? Shouldn't the consumer be the one who decides whether they are going to do business with a company in the future? It is not like I leave my wallet at the grocery store after I pay cash for my groceries, "just in case I will shop there again", but isn't that what we are doing? To the best of my knowledge the credit transactions go like this:

1. Get total sale
2. Customer swipes card
3. Approval code is retrieved from credit card issuer
4. Customer puts card back in wallet and leaves.

Where in this process is it prudent to keep information on file? The approval code is all the merchant needs. I know this because I used to scratch off my credit card number when I saw it on the paper receipts which I handed back to the merchant. More than once did I have conversations with merchants' managers and such but I was always vindicated and allowed to leave. Florida had a law on the books a while back about this but now it is rare to see this happen so I know the credit card number is irrelevant after the transaction is completed.

Maybe they (the merchants) should give us consumers a choice whether or not to keep this very personal information on file, eh?
Some Guy, User Rank: Moderator, 11/10/2014 | 11:56:44 AM
Target's Answer - New Card Readers
So I noticed that Target has replaced all their card readers at their POS registers (at least where I live; don't know if it was system-wide). It's hard to say if that makes it any more secure, or if they are just going for a PR stunt. Conversely, it will be a lot more expensive for Home Depot to replace all their self-service registers. And no substitute for getting up to date on best practices; e.g., whitelisting apps would have prevented the Target breach. No idea if either Target or Home Depot (or UPS) have deployed even that level of protection.
RetiredUser, User Rank: Ninja, 11/10/2014 | 3:08:10 AM
SECTF is the Model
Year after year SECTF is my favorite event for a couple reasons. First, my life is buried in tech and once in a while it's nice to be reminded that human interaction is a powerful thing, and second, the results of these events are a reminder that the most dangerous threat to cyber security is often a social - not a tech - hack.

It's remarkably easy to walk up with all the right gear and a half-assed ID and get access to computers and other secure items. I once stopped for a soda at CVS geared up on my way to work and the manager mistook me for a tech they were expecting. Were I malicious, I could have taken ownership that day.

Make no mistake: if social skills are not in your arsenal, you're in trouble, as a cyber criminal or white hatter alike. Even tech professionals can be caught unawares. Don't let it happen to you - bone up and be prepared; question everyone, doubly analyze each email and keep an ear out for odd phone calls your co-workers might be taking.

And maybe watch a SECTF or two - incredibly educational.