Security Vendors Self-Censor Target Breach Details

angry tapir writes "At least three security companies have scrubbed information related to Target from the Web, highlighting the ongoing sensitivity around one of the largest-ever data breaches. How hackers broke into Target and installed malware on point-of-sale terminals that harvested up to 40 million payment card details is extremely sensitive. Now, details that give insight into the attack are being hastily removed or redacted by security companies."

Oh good

[gamanimatron]

Without details about the attack vector and attacker behavior during and after the breach, we're left with "Well, someone broke in to their servers using [redacted] and then they did [redacted]." Totally frickin' useless for me when trying to secure our sites: "There's this horrible emerging threat that can fry your brand overnight, but we won't tell you what it is or give enough details for you to defend against it."

Meanwhile, the guys in timbucktooistan can now order the proven exploit kit from their favorite BBS.

Meh.

Re:Oh good

[abirdman]

I agree 100%. The security companies who advise the likes of Target aren't talking about the whole exploit-- indeed, are pro-actively hiding the details-- because they don't want to explain how their hideously expensive security best practices were utterly pwned by some foreigners who weren't interested in any of their acronyms. These security guys are like Stratfor-- pugnacious, pistol-packing, ex-military folk who think computer security is just a variation on any other kind of security detail, and are prepared to sell the hell out of their ideas, even when they can't secure their own passwords.

Target just couldn't handle this any worse

[Sycraft-fu]

If they'd just come out and said "Yes, some evil hax0rs got in to our system and stole lots of cards. Stupid haxors, everyone hates those guys. Here's how they did it, here's what we are doing, and here's some security experts that are helping us," well people would probably be fine with it.

Instead they are being all secretive and it makes people worry. They also are doing shit for notification. I always use my Target card when I shop at Target because it has the best bribes (5% off anything, since they actually run their own bank and don't have to pay payment processing fees on it). I have received zero notifications from Target about the compromise, and no new card. I know my card was hit, since I have friends who shop at the same store using non-Target cards that got notified, but Target hasn't done anything.

I'm not worried, they have to deal with all the fallout of any unauthorized charges and the card can only be used at Target, but it is just extremely bad form. It shows a real lack of care and understand as to the severity of this. It really makes them look bad.

If there's something history has show with regards to people and companies it is that you need to admit you fucked up, even if it wasn't your fault really, and show people how you are making it right. Then, they are happy and forgive. Get all secretive and hostile, and they'll get hostile right back.

Re:Target just couldn't handle this any worse

[c0lo]

Given that this is at least the second (known) major Target CC breach, anyone who still holds out hope for Target's good faith may have difficulties with empiricism...

Nah dude, no problem with empe... imper... whatever you just said.

Yours,
Joe Average

(does the above illustrates well the level of critical thinking into the consumer mass?)

Re:Target just couldn't handle this any worse

[phantomfive]

No one cares about backups until their hard drive crashes.
No one cares about security until they get hacked.

Wonder Why It keeps Happening?

[rmdingler]

Now you know.

No open resolution of a security breach so that particular vector of attack can be scrutinized by the retail industry and perhaps better guarded against.

Better to control PR damage now than prevent a recurrence.

Re:Happy Wednesday from The Golden Girls!

[Taco+Cowboy]

From TFA:

... Now, details that give insight into the attack are being hastily removed or redacted by security companies Security through obscurity at play ?

Hackers already know the way to do it, or they wouldn't be able to break into Target's databases.

By deleting the info what the so-called 'security companies" are doing is to depriving the legitimate business owners a way to beef up their own security measures by learning from the mistakes of Target.

One thing they are keeping quiet

is that it was an inside job. Basically, Target offshored the work, and now they are trying to figure out who released this virus. Getting India to cooperate is hard to do.

Re:One thing they are keeping quiet

[pcwhalen]

Maybe. They do have a lot of job openings in Karnataka, Bangalore, India.

https://targetcareers.target.c...

Closing the Barn Door...

[pcwhalen]

...after all the cows got out.

Day late and a dollar short to worry about BlackPOS. Variants of "Dexter, first documented by Seculert in December 2012, is a Windows-based malware used to steal credit card data from PoS systems."

http://www.arbornetworks.com/a...

They have had 3 flavors so far:
1.] Stardust (looks to be an older version, perhaps version 1)
2.] Millenium (note spelling)
3.] Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)

I can buy any of these programs with a Tor browser, an ICQ client and some Bitcoin at any carder site on line.

A little late to be worried about snippets of code.

Your data is in everyone else's hands

[Toe,+The]

Exactly. The story that still isn't being expressed well is that your data is in the hands of every company you have transactions with.

And so you are entrusting all of them to have top-notch IT (better IT than all hackers interested in targeting them). What are the chances that's the case?

I'd hazard that 10% of companies have good, solid, rigid security policies (and it's the policies that matter much more than the tech, usually). So that implies that 90% of the time you hand out your personal info to someone, it's highly vulnerable.

Just chew on that for a bit. I'd be very interested in hearing proposals for a global solution.

Re:Your data is in everyone else's hands

[AlphaWolf_HK]

Even if you take every security precaution imaginable, you still remain with a system that can be broken into. I think the idea that you can hold companies criminally liable is a stupid one (and am glad they don't do it) much in the same way that it would be stupid to hold a bank criminally liable in the event of an armed heist.

That said, I think the problem isn't that our systems aren't secure enough, rather the problem is that the way we identify and authenticate is now inadequate.

Let's take credit cards for example: All the person needs to obtain is the numbers written on it, and they can buy things in your name. Unfortunately that means each time you make a purchase with that card, you are handing it over to somebody who can abuse it. We have the technology to avoid this, so why don't we? Something like this would be great:

Make the credit card number be a public key, and the private key is contained ONLY in the card itself using ISO 7816. The bank doesn't even have the private key, only the card itself does. If you want to make a purchase, the merchant generates a random 128-bit number and asks your card to sign it. If it signs it, it has proven its identity, and the merchant can go ahead and bill that card. No internet communication is necessary, so the business can still operate even in the event of a network outage.

If the card is stolen, it can be reported and the merchant can see that its stolen so long as they have network connectivity. Keep existing laws so that the consumer is only liable for up to $50 (most banks already waive that to zero.) Require the merchant to retain the original 128-bit number as well as the signed response to verify that the merchant actually saw the real card and can prove that they didn't fraudulently bill a customer. The card itself stores each 128-bit number and doesn't ever sign the same number twice. If the same 128-bit number happens to be generated twice (this borders upon a statistical impossibility, by the way) then the card is to interpret that as a hack attempt and zero out its private key.

Now if the merchants database is compromised, all the attacker has gained is the public key. They can't sign messages with that, so the information is useless. If another merchant tries to bill based on having a stolen 128-bit number, signed result, and public key, then they'll be caught as being linked to the conspiracy so fast that it'll make their head spin off of its shoulders.

There, you've just defeated about 99.99% of the credit card fraud out there; no more posts spammed to your favorite web boards of people offering to sell credit cards because that information is now useless. All that remains is somebody physically stealing your card and buying gas with it, which could be prevented in 90% of the cases with a PIN system.

Online purchases could easily be done with a $10 USB smart card reader. Add NFC support and your existing smartphone could be the reader.

Set up a similar scheme with social security numbers (the SSA issues smart cards instead,) and identity theft would only exist in stories you tell to your grandkids.

Re:Your data is in everyone else's hands

[xaxa]

(Public key cryptography for credit cards)

I think you've more-or-less described the EMV standard, which is widely used pretty much everywhere except the USA.

http://en.wikipedia.org/wiki/E...

I just bought some food by credit card, and the receipt says:
Visa Credit £6.34
[ICC] **** **** **** 3435
AID: A0000000013039
PAN SEQUENCE: 03
MERCHANT: **41872
AUTH CODE: 146972

PIN Verified

I have a smart card reader for validating online banking transactions, I think the administration and transport costs were probably more than the cost of the reader -- the bank sent it for free. The card has NFC, for low-value transactions (under £20, I think) I can pay contactlessly without a PIN. London is trialling accepting this for train/underground travel, it's already accepted for buses.

My card still has a magnetic strip, but I don't think it's ever been used.

read TFA. Target IPs, passwords not helpful

[raymorris]

> By deleting the info what the so-called 'security companies" are doing is to depriving the legitimate
> business owners a way to beef up their own security measures by learning from the mistakes of Target.

I can only guess that you didn't rtfa? Target's IP addresses, passwords, and other details are of little use to any legitimate business beefing up their own security. To secure YOUR network I need YOUR IP addresses, not Target's IP addresses.

They left the information about HOW Target was breached. They redacted victim-specific details like the IPs of specific vulnerable servers.

> Hackers already know the way to do it, or they
> wouldn't be able to break into Target's databases.

99.99% of hackers are not able to break into Target's databases. It would be good to keep it that way.

By deleting the info what the so-called 'security companies" are doing is to depriving the legitimate business owners a way to beef up their own security measures by learning from the mistakes of Target.

Copyright DMCA take down

[flyingfsck]

Actually, the hackers filed a DMCA takedown to protect their user names and passwords.