Security Vendors Self-Censor Target Breach Details

angry tapir writes "At least three security companies have scrubbed information related to Target from the Web, highlighting the ongoing sensitivity around one of the largest-ever data breaches. How hackers broke into Target and installed malware on point-of-sale terminals that harvested up to 40 million payment card details is extremely sensitive. Now, details that give insight into the attack are being hastily removed or redacted by security companies."

23 of 115 comments

  1. Oh good by gamanimatron · Score: 5, Insightful

    Without details about the attack vector and attacker behavior during and after the breach, we're left with "Well, someone broke into their servers using [redacted] and then they did [redacted]." Totally frickin' useless for me when trying to secure our sites: "There's this horrible emerging threat that can fry your brand overnight, but we won't tell you what it is or give enough details for you to defend against it."

    Meanwhile, the guys in timbucktooistan can now order the proven exploit kit from their favorite BBS.

    Meh.

    --
    cogito ergo dubito
    1. Re:Oh good by abirdman · Score: 5, Insightful

      I agree 100%. The security companies who advise the likes of Target aren't talking about the whole exploit-- indeed, are proactively hiding the details-- because they don't want to explain how their hideously expensive security best practices were utterly pwned by some foreigners who weren't interested in any of their acronyms. These security guys are like Stratfor-- pugnacious, pistol-packing, ex-military folk who think computer security is just a variation on any other kind of security detail, and are prepared to sell the hell out of their ideas, even when they can't secure their own passwords.

      --
      Everything I've ever learned the hard way was based on a statistically invalid sample.
  2. Target just couldn't handle this any worse by Sycraft-fu · Score: 5, Insightful

    If they'd just come out and said "Yes, some evil hax0rs got into our system and stole lots of cards. Stupid haxors, everyone hates those guys. Here's how they did it, here's what we are doing, and here's some security experts that are helping us," well people would probably be fine with it.

    Instead they are being all secretive and it makes people worry. They also are doing shit for notification. I always use my Target card when I shop at Target because it has the best bribes (5% off anything, since they actually run their own bank and don't have to pay payment processing fees on it). I have received zero notifications from Target about the compromise, and no new card. I know my card was hit, since I have friends who shop at the same store using non-Target cards that got notified, but Target hasn't done anything.

    I'm not worried, they have to deal with all the fallout of any unauthorized charges and the card can only be used at Target, but it is just extremely bad form. It shows a real lack of care and understanding as to the severity of this. It really makes them look bad.

    If there's something history has shown with regards to people and companies it is that you need to admit you fucked up, even if it wasn't your fault really, and show people how you are making it right. Then, they are happy and forgive. Get all secretive and hostile, and they'll get hostile right back.

    1. Re:Target just couldn't handle this any worse by c0lo · Score: 3, Interesting

      Target just couldn't (and can't) handle this FULL-STOP

      My guess: the fix is expensive to apply, it will take some time and Target hopes that not-everybody-and-their-dog will know they are still vulnerable.
      Because otherwise nobody would buy anything from Target on card any more - which would be quite wise for the potential customers but disastrous for Target.
      I think it is understandable; when it comes to survival, the "better your mama mourn you than mine" applies. So hush... "jobs are at risk", "share market may crash" and what-not will keep hax0rs happy for a while.

      --
      Questions raise, answers kill. Raise questions to stay alive.
    2. Re:Target just couldn't handle this any worse by c0lo · Score: 4, Funny

      Given that this is at least the second (known) major Target CC breach, anyone who still holds out hope for Target's good faith may have difficulties with empiricism...

      Nah dude, no problem with empe... imper... whatever you just said.

      Yours,
      Joe Average

      (does the above illustrate well the level of critical thinking in the consumer mass?)

      --
      Questions raise, answers kill. Raise questions to stay alive.
    3. Re:Target just couldn't handle this any worse by phantomfive · Score: 5, Insightful

      No one cares about backups until their hard drive crashes.
      No one cares about security until they get hacked.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Target just couldn't handle this any worse by LordKronos · Score: 3, Informative

      > They also are doing shit for notification. I always use my Target card...I have received zero notifications from Target about the compromise, and no new card.

      Are you sure? You might want to check your mailbox again, or your spam filters. I've received the following emails from them:

      Dec 20 - Letter from Target’s CEO Gregg Steinhafel and Important Notice
      Dec 23 - Important Information for our REDcard Holders

  3. Useless effort by pegr · Score: 3, Insightful

    If by "don't want to compromise the investigation" they mean "don't want to let the crooks know what we know", they have already failed. Any action to remove material now is simply playing to politics.

    Personally, I think the value of publishing the data is higher than not tipping your cards to crooks. They know what they left behind.

  4. Wonder Why It keeps Happening? by rmdingler · Score: 5, Insightful

    Now you know.

    No open resolution of a security breach so that particular vector of attack can be scrutinized by the retail industry and perhaps better guarded against.

    Better to control PR damage now than prevent a recurrence.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  5. Re:Happy Wednesday from The Golden Girls! by Taco Cowboy · Score: 4, Insightful

    From TFA:

    > ... Now, details that give insight into the attack are being hastily removed or redacted by security companies

    Security through obscurity at play?

    Hackers already know the way to do it, or they wouldn't be able to break into Target's databases.

    By deleting the info, what the so-called "security companies" are doing is depriving the legitimate business owners of a way to beef up their own security measures by learning from the mistakes of Target.

    --
    Muchas Gracias, Señor Edward Snowden !
  6. One thing they are keeping quiet by Anonymous Coward · Score: 5, Interesting

    is that it was an inside job. Basically, Target offshored the work, and now they are trying to figure out who released this virus. Getting India to cooperate is hard to do.

    1. Re:One thing they are keeping quiet by pcwhalen · Score: 4, Informative

      Maybe. They do have a lot of job openings in Karnataka, Bangalore, India.

      https://targetcareers.target.c...

      --
      Pay no attention to the man behind the curtain with all your metadata.
  7. Closing the Barn Door... by pcwhalen · Score: 5, Informative

    ...after all the cows got out.

    Day late and a dollar short to worry about BlackPOS. Variants of "Dexter, first documented by Seculert in December 2012, is a Windows-based malware used to steal credit card data from PoS systems."

    http://www.arbornetworks.com/a...

    They have had 3 flavors so far:
    1.] Stardust (looks to be an older version, perhaps version 1)
    2.] Millenium (note spelling)
    3.] Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)

    I can buy any of these programs with a Tor browser, an ICQ client and some Bitcoin at any carder site online.

    A little late to be worried about snippets of code.

    --
    Pay no attention to the man behind the curtain with all your metadata.
  8. Re:Target just couldn't handle this any worse: ?? by Anonymous Coward · Score: 3, Interesting

    Well, this seems worse: I did an online order with store pickup at Target yesterday, and their ID "requirement" for pickup included scanning some kind of QR/barcode off the back of my driver's license! I could not figure out at first why the clerk was wanting me to take the card out of my wallet's see-through holder when most clerks just glance at it for my birth date for buying booze (keep asking for the senior citizen discount, but it's never the right day...), or just to see that my name matches that on a CC, but before I understood what he was doing, he held the back up to his register screen. So now I need to call the DMV to ask just how much PII I just let Target dump into their leaky DB to hand out to the hackers.

    Although the cat is likely out of the bag, there will be no more of those online/in-store pickup deals with those bozos!

  9. Your data is in everyone else's hands by Toe, The · Score: 4, Insightful

    Exactly. The story that still isn't being expressed well is that your data is in the hands of every company you have transactions with.

    And so you are entrusting all of them to have top-notch IT (better IT than all hackers interested in targeting them). What are the chances that's the case?

    I'd hazard that 10% of companies have good, solid, rigid security policies (and it's the policies that matter much more than the tech, usually). So that implies that 90% of the time you hand out your personal info to someone, it's highly vulnerable.

    Just chew on that for a bit. I'd be very interested in hearing proposals for a global solution.

    1. Re:Your data is in everyone else's hands by AlphaWolf_HK · Score: 4, Interesting

      Even if you take every security precaution imaginable, you still remain with a system that can be broken into. I think the idea that you can hold companies criminally liable is a stupid one (and am glad they don't do it) much in the same way that it would be stupid to hold a bank criminally liable in the event of an armed heist.

      That said, I think the problem isn't that our systems aren't secure enough, rather the problem is that the way we identify and authenticate is now inadequate.

      Let's take credit cards for example: All the person needs to obtain is the numbers written on it, and they can buy things in your name. Unfortunately that means each time you make a purchase with that card, you are handing it over to somebody who can abuse it. We have the technology to avoid this, so why don't we? Something like this would be great:

      Make the credit card number be a public key, and the private key is contained ONLY in the card itself using ISO 7816. The bank doesn't even have the private key, only the card itself does. If you want to make a purchase, the merchant generates a random 128-bit number and asks your card to sign it. If it signs it, it has proven its identity, and the merchant can go ahead and bill that card. No internet communication is necessary, so the business can still operate even in the event of a network outage.

      If the card is stolen, it can be reported and the merchant can see that it's stolen so long as they have network connectivity. Keep existing laws so that the consumer is only liable for up to $50 (most banks already waive that to zero). Require the merchant to retain the original 128-bit number as well as the signed response to verify that the merchant actually saw the real card and can prove that they didn't fraudulently bill a customer. The card itself stores each 128-bit number and doesn't ever sign the same number twice. If the same 128-bit number happens to be generated twice (this borders upon a statistical impossibility, by the way) then the card is to interpret that as a hack attempt and zero out its private key.

      Now if the merchant's database is compromised, all the attacker has gained is the public key. They can't sign messages with that, so the information is useless. If another merchant tries to bill based on having a stolen 128-bit number, signed result, and public key, then they'll be caught as being linked to the conspiracy so fast that it'll make their head spin off of its shoulders.

      There, you've just defeated about 99.99% of the credit card fraud out there; no more posts spammed to your favorite web boards of people offering to sell credit cards because that information is now useless. All that remains is somebody physically stealing your card and buying gas with it, which could be prevented in 90% of the cases with a PIN system.

      Online purchases could easily be done with a $10 USB smart card reader. Add NFC support and your existing smartphone could be the reader.

      Set up a similar scheme with social security numbers (the SSA issues smart cards instead), and identity theft would only exist in stories you tell to your grandkids.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
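      The challenge-response scheme sketched in the comment above, as an added Go example that is not part of the original post: a card that holds the only copy of its private key, signs each merchant-chosen random 128-bit challenge at most once, wipes its key if a challenge is ever repeated, and an issuer that later detects a copied receipt being billed twice. Ed25519 from the Go standard library stands in for whatever the ISO 7816 card would actually use; the names `Card`, `Receipt`, `Issuer`, `Checkout` and the behaviour of `Bill` are assumptions made for this illustration, not anything a real payment network does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Challenge is the merchant's random 128-bit number.
type Challenge [16]byte

// Card models the chip. The private key exists only here; the public key is
// the "card number" that merchants and the bank store. The card remembers
// every challenge it has signed and wipes its key if one is presented twice.
// (A real chip would use a counter rather than an unbounded map; this map
// follows the comment's description literally.)
type Card struct {
	pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	seen  map[Challenge]struct{}
	wiped bool
}

var ErrReplay = errors.New("card: challenge seen before, private key wiped")

func NewCard() (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{pub: pub, priv: priv, seen: map[Challenge]struct{}{}}, nil
}

// CardNumber is the only thing anyone outside the card ever learns.
func (c *Card) CardNumber() ed25519.PublicKey { return c.pub }

// Sign answers a challenge exactly once; a repeat zeroes the key material.
func (c *Card) Sign(ch Challenge) ([]byte, error) {
	if c.wiped {
		return nil, errors.New("card: private key has been wiped")
	}
	if _, dup := c.seen[ch]; dup {
		for i := range c.priv {
			c.priv[i] = 0
		}
		c.wiped = true
		return nil, ErrReplay
	}
	c.seen[ch] = struct{}{}
	return ed25519.Sign(c.priv, ch[:]), nil
}

// Receipt is what the merchant keeps to prove it saw the real card.
type Receipt struct {
	CardNumber ed25519.PublicKey
	Challenge  Challenge
	Signature  []byte
}

// VerifyReceipt needs only the public key, so anyone can audit a receipt.
func VerifyReceipt(r Receipt) bool {
	return ed25519.Verify(r.CardNumber, r.Challenge[:], r.Signature)
}

// Checkout is the offline exchange at the till: the merchant draws a fresh
// random challenge, the card signs it, the merchant verifies and keeps it.
func Checkout(card *Card) (Receipt, error) {
	var ch Challenge
	if _, err := rand.Read(ch[:]); err != nil {
		return Receipt{}, err
	}
	sig, err := card.Sign(ch)
	if err != nil {
		return Receipt{}, err
	}
	r := Receipt{CardNumber: card.CardNumber(), Challenge: ch, Signature: sig}
	if !VerifyReceipt(r) {
		return Receipt{}, errors.New("merchant: signature did not verify")
	}
	return r, nil
}

// Issuer is the bank side, reached later when connectivity exists. It bills a
// receipt once, so a second party presenting a copied receipt is caught.
type Issuer struct {
	billed map[string]map[Challenge]bool
}

func NewIssuer() *Issuer { return &Issuer{billed: map[string]map[Challenge]bool{}} }

func (is *Issuer) Bill(r Receipt) error {
	if !VerifyReceipt(r) {
		return errors.New("issuer: invalid signature")
	}
	key := string(r.CardNumber)
	if is.billed[key] == nil {
		is.billed[key] = map[Challenge]bool{}
	}
	if is.billed[key][r.Challenge] {
		return errors.New("issuer: receipt already billed, replay detected")
	}
	is.billed[key][r.Challenge] = true
	return nil
}

func main() {
	card, _ := NewCard()
	iss := NewIssuer()
	r, err := Checkout(card)
	fmt.Println("checkout ok:", err == nil)
	fmt.Println("first bill:", iss.Bill(r))
	fmt.Println("replayed bill:", iss.Bill(r))
	_, err = card.Sign(r.Challenge)
	fmt.Println("re-signing the same challenge:", err)
}
```

      The point the example makes concrete is that a compromised merchant database yields only `CardNumber`, `Challenge` and `Signature`; none of those lets an attacker answer a new challenge, and re-presenting the old one trips the issuer's duplicate check.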
    2. Re:Your data is in everyone else's hands by xaxa · Score: 4, Informative

      (Public key cryptography for credit cards)

      I think you've more-or-less described the EMV standard, which is widely used pretty much everywhere except the USA.

      http://en.wikipedia.org/wiki/E...

      I just bought some food by credit card, and the receipt says:
      Visa Credit £6.34
      [ICC] **** **** **** 3435
      AID: A0000000013039
      PAN SEQUENCE: 03
      MERCHANT: **41872
      AUTH CODE: 146972

      PIN Verified

      I have a smart card reader for validating online banking transactions, I think the administration and transport costs were probably more than the cost of the reader -- the bank sent it for free. The card has NFC, for low-value transactions (under £20, I think) I can pay contactlessly without a PIN. London is trialling accepting this for train/underground travel, it's already accepted for buses.

      My card still has a magnetic strip, but I don't think it's ever been used.

  10. read TFA. Target IPs, passwords not helpful by raymorris · Score: 4, Informative

    > By deleting the info what the so-called 'security companies" are doing is to depriving the legitimate
    > business owners a way to beef up their own security measures by learning from the mistakes of Target.

    I can only guess that you didn't rtfa? Target's IP addresses, passwords, and other details are of little use to any legitimate business beefing up their own security. To secure YOUR network I need YOUR IP addresses, not Target's IP addresses.

    They left the information about HOW Target was breached. They redacted victim-specific details like the IPs of specific vulnerable servers.

    > Hackers already know the way to do it, or they
    > wouldn't be able to break into Target's databases.

    99.99% of hackers are not able to break into Target's databases. It would be good to keep it that way.

  11. doesn't matter by EMG at MU · Score: 3, Insightful

    I have done large scale POS stuff. Probably at least the same scale or bigger than Target. This was done by someone who knows Target's system. Not necessarily someone on the inside but someone who knows inside information. Nothing top secret, just general info on how stuff works.

    And there are hundreds of people who know this information. Hundreds of people who are no longer with Target. If Target is anything like the place I worked, they use a lot of contractors (temps). They treat these temps like shit. It's not just devs who know the dirt on Target's system, it's QA people, network people, support people, ops people.

    The cat is out of the bag. Censoring websites isn't going to help Target. The info has already spread to places Target can't censor. They should focus on fixing their shit. It's going to be expensive.

  12. Re:Credit cards are stupid. by mjwx · Score: 3, Interesting

    Who in hell thought it was a good idea to use a system where a single piece of information, consisting of just a few bytes, gives someone a blank check to my bank account? There are innumerable ways to concoct something more secure than this, especially these days when computing power (to do encryption) is ubiquitous. Such methods are of course not bulletproof, but they're a hell of a lot better than a guy with a pair of binoculars stealing credit card numbers, or what happened at Target.

    That was the old security system; they've made it even worse since adding NFC. They don't even need access to your card to get enough information to use it without your knowledge or permission. There's even an app for it for any Android phone with NFC:
    https://play.google.com/store/apps/details?id=com.samj.CardTest&hl=en

    NFC on phones has no range due to low power, but NFC has a max range of 5 metres, so it's just a matter of building the right antenna. Even though you won't get the max range of 5 metres, even a radius of 1 metre is enough in a crowded shop.

    Also, anyone who believes the bank will simply absorb the cost of the fraud instead of passing it on to you and merchants who'll just pass it back to you (banks are likely to use the merchants, they don't have a choice but to suck up additional fees and look like the bad guy raising prices), well, I have a bridge to sell you.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  13. Re:Credit cards are stupid. by Anonymous Coward · Score: 3, Informative

    Long before they mutated into debit cards, we had ATM cards with 4-digit PIN codes. The universe of possible codes was small, but the ATM machines of that era did something newer ones generally don't -- they swallowed your card, and didn't give it back to you until you entered the right PIN code. If you entered the wrong PIN code too many times, you didn't get the card back, which stopped most amateur fraudsters in their tracks.

    Fast forward a decade to the arrival of debit cards. You still have the same 4-digit PIN code, but that's OK, because it's STRICTLY for entering after the ATM swallows your card and holds it hostage. If you used it as a credit card, they had to make an impression, and would usually ID you.

    Fast forward another decade. Ohshit, the internet happened. Merchants now accept the card as payment without a physical impression or signature (otherwise they couldn't do online transactions), and they also let you pay by debit instead of credit. Oh, wait a minute... you still have a 4-digit PIN code (usually, with the option to make it 100 times stronger by adding 2 more digits, but still pretty weak). You also use the PIN code when registering for online banking, or using bank by phone.

    And anyone with about a hundred bucks to spend on eBay can now build a mag stripe writer suitable for making custom cards with. The only thing that prevents street thugs from writing their own mag stripes & embossing their own custom credit cards is the fact that the Secret Service goes after anybody selling real-looking blank cards and throws the book at them.

    Oh, the holograms? Pfffft. Pure security theatre. When's the last time you EVER saw somebody in a retail establishment scrutinize the hologram, or even look like they even noticed or cared whether a card has one? The holograms aren't there to help store clerks identify potentially-fraudulent cards... they're there to make it easier to prosecute criminals caught with a box full of blank cards without embossing or printing.

    Oh, and anybody can go to Wikipedia and figure out that the first 4-6 digits of the card identify the bank, and the last digit is an error correction code... so that 16-digit number really has 9-11 digits, 90% of whose permutations are by definition invalid courtesy of the Luhn algorithm. And unlike 30 years ago, if you have good credit, your bank will probably allow the account to be overdrawn by several thousand dollars before they actually quit approving transactions, since they're probably charging $30-50 in penalties for each transaction that they approve while the account balance is negative.

    So you see, the problem isn't that the original designers cooked up an insecure way of doing business. In its day, it satisfied the security needs of the banks and retailers just fine. Unfortunately, over the past 30 years, the context and nature of debit card use have changed enough to break all of the original assumptions.
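    The Luhn claim in the comment above (the last digit is a checksum, so only one in ten completions of any prefix is valid and the check digit contributes nothing to secrecy), as an added Go example that is not part of the original post: a Luhn validator, a function that counts how many final digits complete a prefix, and a helper that splits a 16-digit PAN into issuer identifier, account digits and check digit. The test numbers are the standard published Luhn example 79927398713 and the widely used Visa test PAN 4111111111111111; the six-digit BIN split and the function names are assumptions for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// LuhnValid reports whether a digit string passes the Luhn check: working
// from the right, every second digit is doubled (subtracting 9 if the result
// exceeds 9) and the total must be a multiple of 10. Any non-digit fails.
func LuhnValid(number string) bool {
	if number == "" {
		return false
	}
	sum, double := 0, false
	for i := len(number) - 1; i >= 0; i-- {
		c := number[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// CountValidCompletions counts how many of the ten possible final digits turn
// partial into a Luhn-valid number. For any all-digit prefix it is exactly
// one, which is the sense in which 90% of completions are invalid by
// definition and the check digit adds no secrecy.
func CountValidCompletions(partial string) int {
	n := 0
	for d := byte('0'); d <= '9'; d++ {
		if LuhnValid(partial + string([]byte{d})) {
			n++
		}
	}
	return n
}

// LuhnCheckDigit returns the single digit that completes partial.
func LuhnCheckDigit(partial string) (byte, error) {
	for d := byte('0'); d <= '9'; d++ {
		if LuhnValid(partial + string([]byte{d})) {
			return d, nil
		}
	}
	return 0, errors.New("partial contains non-digits")
}

// Anatomy splits a 16-digit PAN into the parts the comment names: the
// issuer identifier (assumed 6 digits here), the account digits, and the
// check digit. Only 9 digits in the middle carry any per-account information.
func Anatomy(pan string) (bin, account string, check byte, err error) {
	if len(pan) != 16 || !LuhnValid(pan) {
		return "", "", 0, errors.New("not a Luhn-valid 16-digit PAN")
	}
	return pan[:6], pan[6:15], pan[15], nil
}

func main() {
	// Constructed inputs: a valid example, a valid test PAN, and a corrupted one.
	for _, n := range []string{"79927398713", "4111111111111111", "79927398710"} {
		fmt.Printf("%s valid: %v\n", n, LuhnValid(n))
	}
	fmt.Println("valid completions of 411111111111111:", CountValidCompletions("411111111111111"))
	bin, acct, chk, _ := Anatomy("4111111111111111")
	fmt.Printf("BIN %s, account %s, check digit %c\n", bin, acct, chk)
}
```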

  14. Re:Credit cards are stupid. by jader3rd · Score: 3, Insightful

    > Who in hell thought it was a good idea to use a system where a single piece of information, consisting of just a few bytes, gives someone a blank check to my bank account?

    Someone trying to lower the costs of moving money around. The system currently has one big important factor to it, and that's the fact that if anybody tries to break the trust of the big players, the big players won't let them back into the system. So they can have as little security as possible, because of the belief that the desire to continue to do business with the big players will keep everybody in check.

  15. Copyright DMCA take down by flyingfsck · Score: 4, Funny

    Actually, the hackers filed a DMCA takedown to protect their user names and passwords.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!