Target's Data Breach Started With an HVAC Account
Jim Hall writes "Security blogger Krebs reports that Target's data breach started with a stolen HVAC account. Last week, Target said the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now claim that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. Attackers stole network credentials from Fazio Mechanical Services, then used that to gain access to Target's network. It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network."
If Beta was hot grits, then Natalie Portman would be driving Beowulf cluster of HUGOs!
why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network
Because they have just one big unified network for everything. That probably saves them money, unless something really bad were to happen...
Better known as 318230.
Maybe this is why we have the slashdot beta issue, something came in with the HVAC account at dice. It sucks enough that the HVAC system might be to blame.
Time to offend someone
Might as well give HVAC vendors access to the slashdot beta servers so they can destroy it as well.
**NOW WITH LINE BREAKS**
Please post this to new articles if it hasn't been posted yet.
On February 5, 2014, Slashdot announced through a javascript popup that they are starting to "move in to" the new Slashdot Beta design.
Slashdot Beta is a trend-following attempt to give Slashdot a fresh look, an approach that has led to less space for text and an abandonment of the traditional Slashdot look. Much worse than that, Slashdot Beta fundamentally breaks the classic Slashdot discussion and moderation system.
If you haven't seen Slashdot Beta already, open this [slashdot.org] in a new tab. After seeing that, click here [slashdot.org] to return to classic Slashdot.
We should boycott stories and only discuss the abomination that is Slashdot Beta until Dice abandons the project.
We should boycott slashdot entirely during the week of Feb 10 to Feb 17 as part of the wider slashcott [slashdot.org]
Moderators - only spend mod points on comments that discuss Beta
Commenters - only discuss the Beta - Vote up the Fuck Beta stories
Keep this up for a few days and we may finally get the PHBs attention.
There are readers and contributors. Slashdot acknowledges some people as meaningful contributors by allowing them to disable ads. So, yes. We contributors ARE paying to use the site by offering our content. We're not giving the content for free, we get compensated in the form of a site that lives up to our high standards. So, when the compensation fails to be adequate, we must be vocal. We understand that we can stop using the "free" site at any time. We become vocal in hopes it doesn't have to come to that.
Rename the beta site and call it "DiceNews for Dicks". Then load it up with stories about the Deport Justin Beiber Movement http://www.google.com/url?sa=t... and news for Kardashian stories https://www.google.com/search?...
Leave Slashdot alone!
Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?
We pay in two ways. Well, three, if you include those that pay directly. But otherwise, we pay by contributing, and we pay by watching ads.
After seeing what the new beta site looks like, in the future "being slashdot'd" will mean being destroyed by someone who does not understand what they are destroying.
Beta sucks
Where do people get this strange notion that the hosters of free services should never receive negative feedback?
They provide the service for free because they want people to use it (usually for ad revenue, though there are other motivations). If people don't like it, they won't use it. Providing negative feedback informs the providers that something is driving users away, which suggests changes that could increase usage, which is ultimately what the provider wants.
Receiving something for free does not negate one's right to complain about it.
Target fucked somewhere between 40 million and 110 million people. DICE is now trying to fuck something south of half a million people.
Cut this shit out. Revert. Take the DICE Marketing department out for a nice big lunch, drinks and all. Then send them home for the weekend. Then undo the damage they've done.
I'm sadly sure that this is an intentional ploy to drive away long-time users ("geeks" and "nerds") who have contributed so much that, like me, they're eligible to disable advertising. What they don't understand is that even if my karma was shit (we don't get numbers anymore, I guess mine would be 50++++++), I'd still be using Ghostery and AdBlock to block the ads without Slashdot's generous option.
Wake up, guys. This is a tech site. The comments make the site. The users make the site. We aren't going to sit around and watch it go to shit. You will have nothing, ZERO left if the beta interface goes into production, except for a few new users who came over from MSNBC.
Writing, wall, see it, hope you have negotiated a nice severance package.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Either A) some IM, email, or trouble ticket system, or B) remote setting of network enabled thermostats and diagnostics of HVAC units remotely. And the submitter can't think of that? Then why post it. And why not segregate the payment system? Uh, cause that costs money to do, and PCI DSS is a fucking stupid thing 99% of the time. It is only used to blame retailers instead of making the Vendors and Card companies design and ensure airtight security, as it should be. Does make one wonder why any retailer POS system should travel on the Intertubes and networkable systems, though, instead of fixed landline. (Yeah, unrealistic, but if the credit card industry won't man up and take responsibility then maybe that's what they should be relegated to.)
This is very true. Please keep the feedback coming. The more constructive, the better.
Believe me, there's no confusion about the immensity of the community's contribution to the site.
There's a lot of hate from Anonymous Coward for critics of beta.
I hope this isn't Dice astroturfing their own site.
There are 1.1... kinds of people.
I have been lurking around here pretty much since Slashdot's inception. I finally felt the need to make an account today to let it be known that I will be joining the Slashdot boycott on February 10-17th. I (and apparently everyone else) gave feedback on the beta when it was introduced. They decided to not listen. This site is truly something special; its community and insightful discussions are completely unmatched. We can't let them ruin it. Join the boycott; a severe drop in traffic should get their attention, because apparently our protest is falling upon deaf ears.
NO BETA - Save our community. Boycott Slashdot Feb. 10-17th
This is very true. Please keep the feedback coming. The more constructive, the better.
Kill Slashdot Beta and start from scratch.
That is a constructive suggestion, and absolutely doable.
It doesn't have to be on the same network to easily correlate data.
You pull from many locations to one to correlate data.
Well, aren't you just an entitled little shit.
Do you not understand his argument, or are you really just an asshole? The value of Slashdot that keeps old-timers coming back, and brings new people in, is the content... and virtually all of that content is created and moderated by the users. Yes, the site itself is valuable as well, but only because it enables a certain style of discussion and fosters a particular kind of community, all built around that user content.
When the site no longer enables the discussion and fosters the community that is Slashdot, it ceases having any value. People will leave. The quantity, quality, and very nature of the content will change... and as that continues, more people will leave. Now you're into a potentially unstoppable death spiral, and whatever remains will be just a pale image of the greatness that once existed.
Do you expect us to keep our mouths shut? We don't want to see Slashdot die! Even if an alternative pops up somewhere, it won't have all the history that this site has. Losing all of that will be tragic.
Getting tired of Slashdot... moving to Usenet comp.misc for a while.
Then why are you pulling a Microsoft and ignoring your community? Your community /is/ your product. Like Microsoft forcing Metro with Windows 8, the beta site isn't functional and you insist on ignoring the very hands that feed you. Without your community Slashdot is just another has-been website.
Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?
Well, I provide content by commenting, and I improve the quality of content by moderating. For nothing. Without people like me doing that, Slashdot ceases to exist.
This is very true. Please keep the feedback coming. The more constructive, the better.
I admire you actually coming out and posting, but I'd point out that there has been a plethora of constructive, detailed feedback on the beta already, seemingly to no avail.
But since you asked, I'd recommend:
Keep the Classic Slashdot.
I've emailed them... they ignore... the more they ignore the quicker their downfall.
Ignore your userbase, and you shall have none. If I am ignored much longer, I will leave. Just like I left mashable after their AOL'ed it.
PS. I've been a slashdotter for 7+ years.
No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
I can't promise we'll implement every suggestion (indeed, many are contradictory), but we absolutely consider them.
You only need to implement ONE suggestion and everyone will be happy. Let people continue to use Classic interface if they choose. That's all you need to do.
One of my accounts has remote web-accessible thermostats and the site shares a single public static IP, but my intranet is split between 3 different LAN segments with the POS segment isolated. Looks like it might be NSA preferred level of effective security configuration...
Non-compliance is about more than transaction fees. It also determines who pays when there is a breach. If Target is non-compliant, they are 100% responsible for all investigation and remediation costs (as well as any fraud committed using the compromised card numbers). In this case, according to TFA, that's up to $420 million, with only $160 million in insurance. A $260 million write-off probably won't put Target out of business, but it'll sure piss off the shareholders when it shows up in the annual report.
On the other hand, if they are compliant, they're not responsible for any of that.
In general, yes. But the situation should not arise where you have to firewall a vendor's system because it should not be touching your production network in the first place. It's adding risk when it is not necessary.
Yes, it should. You are correct.
But this doesn't have to be between the financial sub-net and the HVAC sub-net. The HVAC system only needs access to a machine that DOES have access to the financial network.
Or access to a machine that has access to a machine that has access to the financial network.
Or access to a machine that has access to a machine that has access to a machine that has ......... the financial network.
It's easier just to keep it off the production network.
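The chain this reply describes (a machine that reaches a machine that reaches the payment network) is a transitive-reachability question over the firewall policy, not a question any single rule answers. The following is an added example, not from the thread or from any vendor's tooling: it walks a constructed segment-level allow-list to find every multi-hop route from a vendor segment to the POS segment, and shows the same check passing once the vendor is moved to a dead-end segment. All segment names and rules are made up for illustration.

```python
from collections import deque

# Constructed example policy: (source, destination) segment pairs the
# firewall permits. There is no direct hvac-vendor -> pos-segment rule,
# so a rule-by-rule review finds nothing, yet a path exists via pivots.
POLICY_BEFORE = {
    ("hvac-vendor", "facilities-mgmt"),   # vendor VPN lands on BMS host
    ("facilities-mgmt", "corp-servers"),  # BMS host reports into corp
    ("corp-servers", "pos-segment"),      # corp pushes updates to registers
    ("corp-servers", "corp-workstations"),
    ("corp-workstations", "corp-servers"),
}

# Hardened policy: the vendor segment only reaches a dead-end controller
# segment that itself has no outbound rules toward anything else.
POLICY_AFTER = (POLICY_BEFORE - {("hvac-vendor", "facilities-mgmt")}) | {
    ("hvac-vendor", "hvac-controllers"),
}


def find_paths(policy, src, dst, max_hops=6):
    """All loop-free segment paths from src to dst permitted by the policy.

    Breadth-first search over the allowed-flow graph. A path of n segments
    means n-2 intermediate machines to compromise, i.e. the "access to a
    machine that has access to a machine ..." chain.
    """
    adjacency = {}
    for a, b in policy:
        adjacency.setdefault(a, set()).add(b)
    paths, queue = [], deque([[src]])
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            paths.append(path)
            continue
        if len(path) > max_hops:
            continue
        for nxt in sorted(adjacency.get(path[-1], ())):
            if nxt not in path:  # never revisit a segment
                queue.append(path + [nxt])
    return paths


def vendor_can_reach_pos(policy):
    """True if any multi-hop route exists from the vendor to the POS segment."""
    return bool(find_paths(policy, "hvac-vendor", "pos-segment"))
```

Feeding the same function the allow-list exported from a real firewall or VLAN ACL set turns "it isn't on the same network" into a checkable claim.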
The real problem being the fact the US still moronically uses MagStripe/Pin for payment cards instead of a Chip/Pin system.
The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
There is always the approach of calling Dice Holdings. Their telephone number is 212-725-6550.
If only you hadn't wasted all that effort building a broken beta site, and had instead focused on improving the classic site.
Out of interest, what drove the decision to start over with a new layout and code base instead of trying to improve what you had? Is the Classic code really that bad or something? I remember when the mobile site launched and one of the developers listed all the cool technologies they were trying to shoehorn in to it, so it really just seems like a desire to pad their CVs and play with new toys was the main motivation.
Have you considered open sourcing the code again? I'm sure there would be plenty of people willing to improve it for free.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
The whole point of the beta is to get feedback from the community. If we were ignoring you, we would have just flipped the switch and not looked back.
Soul, I know you are in a difficult position, having been told to do spin control for a furious userbase. But you don't have to insult our intelligence. Redirects to beta were going on well before this, and the sentiment hasn't changed. It's been negative from the moment people started getting redirected. Management has been ignoring the users from day one under the notion that they'll like it once they get used to it, and hey, look at how Facebook changes things and people complain, but keep using Facebook.
But your seniors don't seem to understand that this isn't Facebook. This isn't a site for the general population, and it's not irreplaceable nor without intense competition. There are thousands of internet forum sites out there, many of which have the same target audience. I do not buy the argument for one second that management was ignorant of the poor opinion held of its new "beta".
I get that they bought the house and now they want to repaint it so it's "theirs", but they've gone too far. Very far too far. They have failed to understand their target audience completely, believing that we're just like any other of the dozens of assets they hold in their portfolio, and it'll homogenize with the rest if they just stay the course.
It won't. They're going to tank their investment and once the users bail, they won't come back. They'll be like the MySpace of the IT world: It was popular at one time, but now it's a ghost website nobody cares about, just another content aggregation website, and not even a particularly valuable one. Nobody wants to see this happen... apparently, except for the senior management. We've spoken clearly, and unequivocally, in every possible way, that this is a bad decision. We've been doing this for days, and have received no indications from these people that they've even noticed.
Do we have to set fire to the facilities they live in? DDoS all their sites? I mean, really, Soulskill... we've exhausted every avenue to let these people know "Hey dudes, train coming. Train. Big train. Honk honk. Motherfucking train, on the mother fucking tracks, coming your way. TRAIN." ... And they seem to be content to just lay there like some drunk and wait for it to run them over.
If this is how it has to be, fine. But at least tell us that if Slashdot goes tits up someone on the Dice board of directors is getting shit-canned... because otherwise, the nerd rage that has built up here is going to find other, less pleasant, ways of extracting their pound of flesh from Dice. If you think the Slashdot Effect on other websites is bad... wait until a hundred thousand pissed off IT people each sitting on massive bandwidth pipes, decide to ping the SS Dice Fail Boat. It will not be pretty.
#fuckbeta #iamslashdot #dicemustdie
By saving money on the monitoring system.
Such a thing only happens when someone has put in the effort to have a monitoring system. It doesn't happen by magic. Easy to set up in many cases, but not there unless someone has set it up.