Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Target Compromised Via Its HVAC Contractor's Network Credentials

Attackers compromised credentials for a third party and were off to the races -- leaving a key concept of network security in the dust

In the movies, the sight of a burglar sneaking into a building through an air duct is not uncommon. But a hacker compromising credentials belonging to a HVAC company? Not so much.

Yet that appears to be what happened in the Target breach late last year. In this case, hackers are believed to have stolen network credentials belonging to Fazio Mechanical Services, a provider of refrigeration and HVAC systems, and used them to ultimately compromise Target's point-of-sale systems with malware.

In a statement, the company says its data connection with Target was "exclusively for electronic billing, contract submission and project management," and that it does not remotely monitor or control heating, cooling, and refrigeration systems for Target.

"Like Target, we are a victim of a sophisticated cyber attack operation," according to the company. "We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches."

If theft of user credentials from Fazio is at fault, then the breach has just shined a light on a key concept of network security: segmentation.

"Attackers do not always break into your computer network using exploit code," says Tom Cross, director of security research at Lancope. "In this case, the attackers reportedly used a valid login and password, and they logged right in. Many organizations aren't prepared to defend themselves against that kind of attack scenario -- they are looking for traditional attacks, and they cannot identify a situation where a 'valid' user on the network is behaving anomalously and might be compromised."

Interestingly, segmenting payment systems from other systems on the network is not part of the requirements of the Payment Card Industry Data Security Standard , something people have argued about for years, Gartner analyst Avivah Litan notes.

"Frankly, I think their hands-off approach, which does include gentle guidance, makes sense here," she says. "Companies with large networks know they have to segment their cardholder data environment because otherwise their entire network is in scope of the PCI audit. So this is generally where retailers and other card accepting companies start. And in a way, the less prescription from PCI on this the better because this is an area where technology advanced quickly."

"There are lots of things you do to segment a network -- i.e., firewalls, IPS, DLP, strong access controls ... I'm sure they did that. They just must have missed a hole or two," she says. "It's tough -- very tough -- to secure thousands of [endpoints]."

Nevertheless, organizations that have opened their businesses and networks to third parties have to understand the risk associated with allowing users from outside of the company to access internal resources, says Mike Denning, senior vice president and general manager of CA Technologies' security business. Companies need to segregate groups of users and treat vendors, employees, and their access privileges differently and ensure their network architecture is built to prevent unauthorized access into other systems.

"They also have to understand the scope of control they have around a contractor is not as strong as an internal employee," Denning says. "For example, there is no control over the contractor’s IT system or its best practices for security."

While network segmentation may not be stressed in PCI, checking logs is [section 10.6]. Analyzing log data should have alerted Target to what was happening, argues security researcher Vinny Troia, founder of Night Lion Security. Point-of-sale terminals and IT systems at Target can probably generate gigabytes of data per day. But an abundance of log data is not justification for ignoring the logs, says Troia.

"My personal experience has shown me that a major problem with many organizations today is that security always takes a back seat to finance," he says. "Without a mature risk or governance program in place, security usually does not have representation in the executive boardroom and is often pushed aside for the sake of cutting costs or rapid progress. In every situation where I have witnessed executives sacrifice security at the start of a process or program for the sake of saving money, the cost of retrofitting security into an existing solution often ends up costing considerably more to implement."

"That lack of structure and governance within organizations is why I believe that chips within credit cards will inevitably fail," Troia adds. "If we rush to implement credit cards with encrypted data, companies will [be able to] rely on the encryption of the cards, rather than the security of their own systems. Every time money is spent developing an unbreakable solution, it is inevitably broken -- remember Sony’s copy protection being cracked with a marker? If we switch the focus of security to these new cards, it will just create an even bigger hole once the encryption is broke."

In congressional testimony (PDF) Feb. 4, Target CFO John Mulligan said that the company is undertaking an end-to-end review of entire network and will make any appropriate security enhancements.

"We had in place multiple layers of protection, including firewalls, malware detection software, intrusion detection and prevention capabilities and data loss prevention tools," Mulligan says in his testimony. "We perform internal and external validation and benchmarking assessments. And, as recently as September 2013, our systems were certified as compliant with the Payment Card Industry Data Security Standards."

"To prevent this from happening again, none of us can go it alone," he continues. "We need to work together. Updating payment card technology and strengthening protections for American consumers is a shared responsibility and requires a collective and coordinated response. On behalf of Target, I am committing that we will be an active part of that solution."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
2/10/2014 | 7:34:40 PM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
I agree with problem identified with putting chips in credit cards. Has anyone thought about using PKI from the card to the bank? So my card has a pubic and private certificate inside of it. I would connect the card to the merchant's reader where an encrypted tunnel would be built between the reader and the bank. The PAN and PIN would be sent over this tunnel encrypted. The merchant would only see a response from the bank that the transaction was approved. The only audit would be on the readers. This model breaks down for online purchases where card holders could either purchase home readers or banks would use cell phones or email for two factor authentication.
User Rank: Apprentice
2/13/2014 | 10:06:38 PM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
Anyone at Target ever hear of vlans? Lets just put the entire stores networked devices on one connected switch said no one ever. Probably had the hvac, lrt's, pdt's, registers, workstations, store servers all on one network. Dumb. AP's camera systems are probably all tied in there too. Dumb.
User Rank: Apprentice
3/7/2014 | 5:18:33 AM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
All the major retailer use Software Automation to push updates from the corporate data center to the individual store servers to the POS equipment. Although many block ports (e.g. 3389), the ability of the corporate data center to manage machines remotely always allows access. Corporations (run by managers) place more emphasis on loss prevention by low level employees and customers than the great magnifying effect of errors by upper management.
User Rank: Apprentice
3/7/2014 | 5:20:04 AM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
Fazio wasn't involved in Nieman Marcus exploit. The skeptic in me sees Fazio as misdirection "bread crumbs".
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.