Slashdot Mirror

← Back to Stories (view on slashdot.org)

Target's Data Breach Started With an HVAC Account

Posted by samzenpus on from the sneaking-in dept.

Jim Hall writes "Security blogger Krebs reports that Target's data breach started with a stolen HVAC account. Last week, Target said the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now claim that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. Attackers stole network credentials from Fazio Mechanical Services, then used that to gain access to Target's network. It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network."

12 of 232 comments (clear)

  1. Network segmentation by Dan+East · · Score: 5, Insightful

    why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network

    Because they have just one big unified network for everything. That probably saves them money, unless something really bad were to happen...

    --
    Better known as 318230.
    1. Re:Network segmentation by bjwest · · Score: 4, Insightful

      My guess is because IT is not given control over security, not listened to and told to "just do it" when they try to point out the security problems during planning. Butt you can bet your ass they're the one blamed when all hell breaks in.

      --

      --- Keep the choice with the user..
    2. Re:Network segmentation by mlts · · Score: 4, Insightful

      In most companies, someone poking around would have their access clamped shut by an internal IPS, with SMS messages going out to admins via the IDS.

      I'm sure there has to be a perfectly justifiable way to explain this, but almost any corporate network tends to be well segmented, with finance being the most locked down of any area [1]. Unless the internal fabric got compromised, this shouldn't have happened unless it was an attack with a lot of collusion from parties inside the organization.

      [1]: One place I worked at had the machines in finance completely disconnected from the Internet, and were separated from each other (no file sharing possible unless going through the company servers.) If people wanted to browse the Web, they used Citrix receivers and a terminal server, which was configured to not let files in or out. Said machines were not just locked down via AD, but used both BitLocker (to keep the machines from being booted from other media) and DeepFreeze [2] to help ensure that if malware did get on the boxes, it wouldn't persist. All data was stored on remote machines. So far, AFIAK, these precautions did a good job at keeping bad guys out.

      [2]: DeepFreeze isn't 100%, but it does come in handy as an additional tool for a locked down environment to keep things clean.

      #insert

    3. Re: Network segmentation by TWX · · Score: 5, Insightful

      HVAC now relies on controls that are themselves Ethernet devices. Those devices in turn need to be reachable over the computer network, and a third-party HVAC company that is paid to monitor and service the air conditioning will need access to those HVAC controllers and to EMS (Energy management system) controllers to do their work. Since the devices are components on the network that can authenticate via 802.1X, they'll need credentials both to be on the network and to allow that third party to VPN into the network to monitor them.

      The stupid part is that the HVAC controllers were not vlanned off to their own segment, only connected to HVAC-monitoring computers and a VPN gateway for just this function, but given how congested IDFs are and how expensive the staff is to continually maintain vlans and associated ports, I'm not surprised at all that this happened.

      --
      Do not look into laser with remaining eye.
    4. Re:Network segmentation by aaarrrgggh · · Score: 5, Insightful

      No, it is that proper security is really hard to do, especially when you deal with third parties that need to access portions of the network that management also needs to access. It doesn't help when the third party has one company account, and a reasonably high turnover rate of employees.

      I used to have a rolodex of access cards for different clients and sites. Many companies required a different card for each building. Then this magical internet came along and they merged all of the security systems into central corporate security. Like magic I only needed one card for each client, locked down to specific areas I needed access in different building. Then... they had a problem. I couldn't get into the building to help out. It wasn't the end of the world, but the project manager I was working for ended up giving me all access to keep it from happening again. It took two years for a corporate security audit to call me and ask why the hell I needed "ring zero access" or whatever they called it. Up until that I had cash vault access for whatever stupid reason.

      The bigger and more distributed organizations get, and the deeper the tree is on the contractors they work with, the more it becomes impossible to manage security without paying a huge efficiency penalty.

      Sorry to get so off-topic; aren't we supposed to be talking about how miserable the beta.slashdot.org site is? Completely unusable; are there any other competing websites that could resurrect the old slashcode?

  2. Re:"...as we migrate our audience..." by dmomo · · Score: 4, Insightful

    There are readers and contributors. Slashdot acknowledges some people as meaningful contributors by allowing them to disable ads. So, yes. We contributors ARE paying to use the site by offering our content. We're not giving the content for free, we get compensated in the form of a site that lives up to our high standards. So, when the compensation fails to be adequate, we must be vocal. We understand that we can stop using the "free" site at any time. We become vocal in hopes it doesn't have to come to that.

  3. "Been slashdot'd" takes on a whole new meaning... by QuietLagoon · · Score: 4, Insightful

    After seeing what the new beta site looks like, in the future "being slashdot'd" will mean being destroyed by someone who does not understand what they are destroying.

  4. Re:"...as we migrate our audience..." by Anonymous Coward · · Score: 2, Insightful

    Where do people get this strange notion that the hosters of free services should never receive negative feedback?

    They provide the service for free because they want people to use it (usually for ad revenue, though there are other motivations). If people don't like it, they won't use it. Providing negative feedback informs the providers that something is driving users away, which suggests changes that could increase usage, which is ultimately what the provider wants.

    Receiving something for free does not negate one's right to complain about it.
     

  5. Slashdot Beta by ShaunC · · Score: 5, Insightful

    Target fucked somewhere between 40 million and 110 million people. DICE is now trying to fuck something south of half a million people.

    Cut this shit out. Revert. Take the DICE Marketing department out for a nice big lunch, drinks and all. Then send them home for the weekend. Then undo the damage they've done.

    I'm sadly sure that this is an intentional ploy to drive away long-time users ("geeks" and "nerds") who have contributed so much that, like me, they're eligible to disable advertising. What they don't understand is that even if my karma was shit (we don't get numbers anymore, I guess mine would be 50++++++), I'd still be using Ghostery and AdBlock to block the ads without Slashdot's generous option.

    Wake up, guys. This is a tech site. The comments make the site. The users make the site. We aren't going to sit around and watch it go to shit. You will have nothing, ZERO left if the beta interface goes into production, except for a few new users who came over from MSNBC.

    Writing, wall, see it, hope you have negotiated a nice severance package.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  6. Re:"...as we migrate our audience..." by Soulskill · · Score: 4, Insightful

    Receiving something for free does not negate one's right to complain about it.

    This is very true. Please keep the feedback coming. The more constructive, the better.

  7. Re:"...as we migrate our audience..." by wjwlsn · · Score: 4, Insightful

    Well, aren't you just an entitled little shit.

    Do you not understand his argument, or are you really just an asshole? The value of Slashdot that keeps old-timers coming back, and brings new people in, is the content... and virtually all of that content is created and moderated by the users. Yes, the site itself is valuable as well, but only because it enables a certain style of discussion and fosters a particular kind of community, all built around that user content.

    When the site no longer enables the discussion and fosters the community that is Slashdot, it ceases having any value. People will leave. The quantity, quality, and very nature of the content will change... and as that continues, more people will leave. Now you're into a potentially unstoppable death spiral, and whatever remains will be just a pale image of the greatness that once existed.

    Do you expect us to keep our mouths shut? We don't want to see Slashdot die! Even if an alternative pops up somewhere, it won't have all the history that this site has. Losing all of that will be tragic.

    --
    Getting tired of Slashdot... moving to Usenet comp.misc for a while.
  8. Re:"...as we migrate our audience..." by PvtVoid · · Score: 3, Insightful

    Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?

    Well, I provide content by commenting, and I improve the quality of content by moderating. For nothing. Without people like me doing that, Slashdot ceases to exist.