Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Target Ignored Data Breach Alarms
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
Ritu_G
50%
50%
Ritu_G,
 User Rank: Moderator
7/11/2018 | 4:54:43 AM
Re: Deactivation of FireEye's Automatic Response
Their security system specialists obviously need to resit for their security courses and tests. Due to their poor choice of defense mechanisms on that fateful day, things had turned out like how the retailer wouldn't have anticipated them to. This is a costly mistake that the team could refer to as a learning point. Having invested so much for their security system setup, the retailer obviously had greater expectations of the team and they had most likely anticipated such an incident to hit them.
Ritu_G
50%
50%
Ritu_G,
 User Rank: Moderator
7/11/2018 | 4:54:11 AM
Re: Deactivation of FireEye's Automatic Response
Their security system specialists obviously need to resit for their security courses and tests. Due to their poor choice of defense mechanisms on that fateful day, things had turned out like how the retailer wouldn't have anticipated them to. This is a costly mistake that the team could refer to as a learning point. Having invested so much for their security system setup, the retailer obviously had greater expectations of the team and they had most likely anticipated such an incident to hit them.
rradina
50%
50%
rradina,
 User Rank: Apprentice
3/24/2014 | 3:19:56 PM
Re: Deactivation of FireEye's Automatic Response
It certainly does.  My last employer has been using it since ~2004/5 -- before McAfee bought Solidcore.  Back then the employer was flagged for not having virus protection on their POS systems.  We had to constantly ask for a compensating control.  That left me with a poor impression of the PCI rules and those who conducted the audits.  It's similar when calling a support line that isn't staffed by trained and experienced resources.  They cannot truly understand problems.  They can only read a script and follow a yes/no logic tree.
Duke_Bauer
50%
50%
Duke_Bauer,
 User Rank: Apprentice
3/24/2014 | 12:03:15 PM
Re: Deactivation of FireEye's Automatic Response
I believe this solution exists (McAfee Solidcore)
pfretty
50%
50%
pfretty,
 User Rank: Apprentice
3/19/2014 | 4:04:28 PM
Happens far too often
Unfortunate, but the fact that they ignored the warning signs isn't a surprise. There is a dramatic need for a shift in culture. One would think the cost alone would be enough. On average attacks cost companies $11.6 million according to the 2013 HP Ponemon Cost of Cyber Crime report (http://www.hpenterprisesecurity.com/ponemon-study-2013).

Peter Fretty (j.mp/pfrettyhp)
rradina
50%
50%
rradina,
 User Rank: Apprentice
3/18/2014 | 11:54:26 AM
Re: Deactivation of FireEye's Automatic Response
Locking them down assumes an OS security exploit was not used to install the malware.  I think it's been established Target's POS uses Windows.  I'll even go further and make an assumption that it's probably XP.

I'm not aware of any XP built-in solution to prevent a security hole being exploited to install malware.  If it's a remote attack vector, it'll typically involve a network service of some kind.  Most services generally have escalated privileges and if compromised, the hacker can almost always use them to gain root access.  

What Windows needs is a helper that monitors via read/write hooks and compares all file-system changes on system/software components with a dictionary made on the original system's image.  If anything is found out of spec, an alert is issued and the processes that use the corrupt image are terminated.  Further, such a helper also needs to scan DLLs and applications IN MEMORY to make sure they too are appropriate.  If not, the processes are terminated.  If an new process begins that's tied to an executable that's not part of the original image, it's terminated before it even finishes loading into memory.

Such products exist for XP and had they been using them, it would have been really tough to infect their POS systems even if a USB thumb drive was inserted.  Hackers would first have to figure out how to disable that software before exploiting the system.  Unfortunately this would require hacking the system so the protection mechanism can be hacked.  It's a chicken and egg scenario.  Certainly not foolproof but arguably difficult enough to perhaps convince them a company using such protection is not low hanging fruit.
SaneIT
50%
50%
SaneIT,
 User Rank: Apprentice
3/18/2014 | 8:43:30 AM
Re: Deactivation of FireEye's Automatic Response
You would think that the POS terminals would be locked down as tightly as possible.  It's not like your cashiers should be installing anything on them but not knowing all the details it is possible that the application used the name of a Windows service or application.  
PaulS681
50%
50%
PaulS681,
 User Rank: Apprentice
3/17/2014 | 7:16:26 PM
unacceptable
It just keeps getting worse for Target. To now know they had the systems in place that could have stopped this breach if they just used the system correctly is unacceptable. This just goes to show you that the best systems are rendered useless id people don't use them correctly.
rradina
50%
50%
rradina,
 User Rank: Apprentice
3/17/2014 | 5:33:00 PM
Re: Deactivation of FireEye's Automatic Response
They should respond manually.  If the product constantly cries wolf, either the alert config needs review or the product needs to be replaced.  If that's not an option then they should push the alerts to Splunk and mine the noise for credible events that correlate with other intrusion events (assumes firewalls and other stuff are pushed to Splunk).  My point was automated responses might be tolerated for devices that aren't customer facing but you do not want call center devices, bank ATMs or POS systems downed by a false alarm that automatically removes a vital component.

As a side note, I still don't understand why a POS system could have ANYTHING new installed on it outside of planned events.  They shoud use white list protection or an OS that won't run unsigned apps (like IOS, Android or Windows RT).
hho927
50%
50%
hho927,
 User Rank: Guru
3/17/2014 | 2:25:10 PM
Block botnets
Target IT dept fail many ways. 1) If Target blocked all connections to botnet centers, the malware could not send data out. 2) The HVAC vendor said they didn't monitor Target remotely, why did Target give them a corp/network account? 3) Target should not give that account full access to the POS. 4) Security,access auditing was ignored. 5) Ignored alarms. 6) POS should have a seperate network. Target tried to save money here.
Page 1 / 3   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...