

Target Compromised Via Its HVAC Contractor's Network Credentials

Attackers compromised credentials for a third party and were off to the races -- leaving a key concept of network security in the dust

In the movies, the sight of a burglar sneaking into a building through an air duct is not uncommon. But a hacker compromising credentials belonging to an HVAC company? Not so much.

Yet that appears to be what happened in the Target breach late last year. In this case, hackers are believed to have stolen network credentials belonging to Fazio Mechanical Services, a provider of refrigeration and HVAC systems, and used them to ultimately compromise Target's point-of-sale systems with malware.

In a statement, the company says its data connection with Target was "exclusively for electronic billing, contract submission and project management," and that it does not remotely monitor or control heating, cooling, and refrigeration systems for Target.

"Like Target, we are a victim of a sophisticated cyber attack operation," according to the company. "We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches."

If theft of user credentials from Fazio is at fault, then the breach has just shined a light on a key concept of network security: segmentation.

"Attackers do not always break into your computer network using exploit code," says Tom Cross, director of security research at Lancope. "In this case, the attackers reportedly used a valid login and password, and they logged right in. Many organizations aren't prepared to defend themselves against that kind of attack scenario -- they are looking for traditional attacks, and they cannot identify a situation where a 'valid' user on the network is behaving anomalously and might be compromised."

Interestingly, segmenting payment systems from other systems on the network is not a requirement of the Payment Card Industry Data Security Standard, something people have argued about for years, Gartner analyst Avivah Litan notes.

"Frankly, I think their hands-off approach, which does include gentle guidance, makes sense here," she says. "Companies with large networks know they have to segment their cardholder data environment because otherwise their entire network is in scope of the PCI audit. So this is generally where retailers and other card accepting companies start. And in a way, the less prescription from PCI on this the better because this is an area where technology advanced quickly."

"There are lots of things you do to segment a network -- i.e., firewalls, IPS, DLP, strong access controls ... I'm sure they did that. They just must have missed a hole or two," she says. "It's tough -- very tough -- to secure thousands of [endpoints]."

Nevertheless, organizations that have opened their businesses and networks to third parties have to understand the risk associated with allowing users from outside of the company to access internal resources, says Mike Denning, senior vice president and general manager of CA Technologies' security business. Companies need to segregate groups of users and treat vendors, employees, and their access privileges differently and ensure their network architecture is built to prevent unauthorized access into other systems.

"They also have to understand the scope of control they have around a contractor is not as strong as an internal employee," Denning says. "For example, there is no control over the contractor’s IT system or its best practices for security."

While network segmentation may not be stressed in PCI, checking logs is [section 10.6]. Analyzing log data should have alerted Target to what was happening, argues security researcher Vinny Troia, founder of Night Lion Security. Point-of-sale terminals and IT systems at Target can probably generate gigabytes of log data per day. But an abundance of log data is not justification for ignoring the logs, says Troia.
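The two points above, a valid account behaving outside its role and log review that should have caught it, come together in a simple detection. The following is an added example, not code from the article or from any of the companies it quotes: it assumes a hypothetical authentication log format and hypothetical account, host and zone names, models the access a third-party billing account should legitimately have, and flags every login (successful or not) that lands outside that scope. The sample log lines are constructed for the example.

```python
import re

# Constructed access policy (hypothetical account and zone names, not from the article):
# each account is mapped to the set of network zones it is permitted to reach.
ACCESS_POLICY = {
    "vendor_billing": {"billing"},   # third-party contractor: billing portal only
    "pos_admin": {"pos", "corp"},    # internal point-of-sale administrator
}

# Constructed host-to-zone map (hypothetical hostnames).
ZONE_OF_HOST = {
    "billing-portal": "billing",
    "fileshare-01": "corp",
    "pos-srv-01": "pos",
    "pos-srv-02": "pos",
}

# One authentication event per line; this line format is an assumption for the example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log: a contractor account that is valid, logs in normally,
# then starts reaching hosts its role should never touch.
SAMPLE_LOG = """\
2013-11-15T10:02:11Z auth user=vendor_billing src=203.0.113.8 dst=billing-portal result=success
2013-11-15T10:05:40Z auth user=vendor_billing src=203.0.113.8 dst=fileshare-01 result=success
2013-11-15T10:06:02Z auth user=vendor_billing src=203.0.113.8 dst=pos-srv-01 result=success
2013-11-15T10:06:30Z auth user=vendor_billing src=203.0.113.8 dst=pos-srv-02 result=failure
2013-11-15T10:07:15Z auth user=vendor_billing src=203.0.113.8 dst=lab-box-99 result=success
this line is malformed and must be skipped rather than crash the parser
2013-11-15T11:00:00Z auth user=pos_admin src=10.0.5.2 dst=pos-srv-01 result=success
"""


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowed(user, dst):
    """Fail closed: an unknown account or an unmapped host is never in policy."""
    zone = ZONE_OF_HOST.get(dst)
    return zone is not None and zone in ACCESS_POLICY.get(user, set())


def find_policy_violations(log_text):
    """Return events where a valid account reached, or tried to reach, a host outside its zones.

    Successful logins are tagged 'out_of_scope_access'; failed ones 'out_of_scope_attempt',
    because a failed attempt against a forbidden zone is still worth an alert.
    """
    violations = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or is_allowed(ev["user"], ev["dst"]):
            continue
        ev["finding"] = ("out_of_scope_access" if ev["result"] == "success"
                         else "out_of_scope_attempt")
        violations.append(ev)
    return violations


def summarize(violations):
    """Count findings per account, the figure an analyst would triage first."""
    counts = {}
    for v in violations:
        counts[v["user"]] = counts.get(v["user"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_policy_violations(SAMPLE_LOG)
    for v in found:
        print(f'{v["ts"]} {v["user"]} -> {v["dst"]} ({v["result"]}): {v["finding"]}')
    print("per-account findings:", summarize(found))
```

The policy is deliberately written as an allow-list keyed on the account's role: a contractor account that is valid and authenticates successfully still trips the check the moment it touches a zone the billing relationship never required, which is exactly the "valid user behaving anomalously" case that signature-based tooling misses. Hosts not in the zone map are treated as out of scope rather than ignored, so new or undocumented systems surface as findings instead of blind spots.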

"My personal experience has shown me that a major problem with many organizations today is that security always takes a back seat to finance," he says. "Without a mature risk or governance program in place, security usually does not have representation in the executive boardroom and is often pushed aside for the sake of cutting costs or rapid progress. In every situation where I have witnessed executives sacrifice security at the start of a process or program for the sake of saving money, the cost of retrofitting security into an existing solution often ends up costing considerably more to implement."

"That lack of structure and governance within organizations is why I believe that chips within credit cards will inevitably fail," Troia adds. "If we rush to implement credit cards with encrypted data, companies will [be able to] rely on the encryption of the cards, rather than the security of their own systems. Every time money is spent developing an unbreakable solution, it is inevitably broken -- remember Sony's copy protection being cracked with a marker? If we switch the focus of security to these new cards, it will just create an even bigger hole once the encryption is broken."

In congressional testimony (PDF) Feb. 4, Target CFO John Mulligan said that the company is undertaking an end-to-end review of its entire network and will make any appropriate security enhancements.

"We had in place multiple layers of protection, including firewalls, malware detection software, intrusion detection and prevention capabilities and data loss prevention tools," Mulligan says in his testimony. "We perform internal and external validation and benchmarking assessments. And, as recently as September 2013, our systems were certified as compliant with the Payment Card Industry Data Security Standards."

"To prevent this from happening again, none of us can go it alone," he continues. "We need to work together. Updating payment card technology and strengthening protections for American consumers is a shared responsibility and requires a collective and coordinated response. On behalf of Target, I am committing that we will be an active part of that solution."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

User Rank: Apprentice
3/7/2014 | 5:20:04 AM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
Fazio wasn't involved in the Neiman Marcus exploit. The skeptic in me sees Fazio as misdirection "breadcrumbs".
User Rank: Apprentice
3/7/2014 | 5:18:33 AM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
All the major retailers use software automation to push updates from the corporate data center to the individual store servers to the POS equipment. Although many block ports (e.g. 3389), the ability of the corporate data center to manage machines remotely always allows access. Corporations (run by managers) place more emphasis on loss prevention by low-level employees and customers than on the great magnifying effect of errors by upper management.
User Rank: Apprentice
2/13/2014 | 10:06:38 PM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
Anyone at Target ever hear of VLANs? Let's just put the entire store's networked devices on one connected switch, said no one ever. Probably had the HVAC, LRTs, PDTs, registers, workstations, store servers all on one network. Dumb. AP's camera systems are probably all tied in there too. Dumb.
User Rank: Apprentice
2/10/2014 | 7:34:40 PM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
I agree with the problem identified with putting chips in credit cards. Has anyone thought about using PKI from the card to the bank? So my card has a public and private certificate inside of it. I would connect the card to the merchant's reader, where an encrypted tunnel would be built between the reader and the bank. The PAN and PIN would be sent over this tunnel encrypted. The merchant would only see a response from the bank that the transaction was approved. The only audit would be on the readers. This model breaks down for online purchases, where cardholders could either purchase home readers or banks would use cell phones or email for two-factor authentication.