Slashdot Mirror

← Back to Stories (view on slashdot.org)

Target's Data Breach Started With an HVAC Account

Posted by samzenpus on from the sneaking-in dept.

Jim Hall writes "Security blogger Krebs reports that Target's data breach started with a stolen HVAC account. Last week, Target said the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now claim that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. Attackers stole network credentials from Fazio Mechanical Services, then used that to gain access to Target's network. It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network."

20 of 232 comments (clear)

  1. Network segmentation by Dan+East · · Score: 5, Insightful

    why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network

    Because they have just one big unified network for everything. That probably saves them money, unless something really bad were to happen...

    --
    Better known as 318230.
    1. Re:Network segmentation by bjwest · · Score: 4, Insightful

      My guess is because IT is not given control over security, not listened to and told to "just do it" when they try to point out the security problems during planning. Butt you can bet your ass they're the one blamed when all hell breaks in.

      --

      --- Keep the choice with the user..
    2. Re:Network segmentation by mlts · · Score: 4, Insightful

      In most companies, someone poking around would have their access clamped shut by an internal IPS, with SMS messages going out to admins via the IDS.

      I'm sure there has to be a perfectly justifiable way to explain this, but almost any corporate network tends to be well segmented, with finance being the most locked down of any area [1]. Unless the internal fabric got compromised, this shouldn't have happened unless it was an attack with a lot of collusion from parties inside the organization.

      [1]: One place I worked at had the machines in finance completely disconnected from the Internet, and were separated from each other (no file sharing possible unless going through the company servers.) If people wanted to browse the Web, they used Citrix receivers and a terminal server, which was configured to not let files in or out. Said machines were not just locked down via AD, but used both BitLocker (to keep the machines from being booted from other media) and DeepFreeze [2] to help ensure that if malware did get on the boxes, it wouldn't persist. All data was stored on remote machines. So far, AFIAK, these precautions did a good job at keeping bad guys out.

      [2]: DeepFreeze isn't 100%, but it does come in handy as an additional tool for a locked down environment to keep things clean.

      #insert

    3. Re: Network segmentation by TWX · · Score: 5, Insightful

      HVAC now relies on controls that are themselves Ethernet devices. Those devices in turn need to be reachable over the computer network, and a third-party HVAC company that is paid to monitor and service the air conditioning will need access to those HVAC controllers and to EMS (Energy management system) controllers to do their work. Since the devices are components on the network that can authenticate via 802.1X, they'll need credentials both to be on the network and to allow that third party to VPN into the network to monitor them.

      The stupid part is that the HVAC controllers were not vlanned off to their own segment, only connected to HVAC-monitoring computers and a VPN gateway for just this function, but given how congested IDFs are and how expensive the staff is to continually maintain vlans and associated ports, I'm not surprised at all that this happened.

      --
      Do not look into laser with remaining eye.
    4. Re:Network segmentation by aaarrrgggh · · Score: 5, Insightful

      No, it is that proper security is really hard to do, especially when you deal with third parties that need to access portions of the network that management also needs to access. It doesn't help when the third party has one company account, and a reasonably high turnover rate of employees.

      I used to have a rolodex of access cards for different clients and sites. Many companies required a different card for each building. Then this magical internet came along and they merged all of the security systems into central corporate security. Like magic I only needed one card for each client, locked down to specific areas I needed access in different building. Then... they had a problem. I couldn't get into the building to help out. It wasn't the end of the world, but the project manager I was working for ended up giving me all access to keep it from happening again. It took two years for a corporate security audit to call me and ask why the hell I needed "ring zero access" or whatever they called it. Up until that I had cash vault access for whatever stupid reason.

      The bigger and more distributed organizations get, and the deeper the tree is on the contractors they work with, the more it becomes impossible to manage security without paying a huge efficiency penalty.

      Sorry to get so off-topic; aren't we supposed to be talking about how miserable the beta.slashdot.org site is? Completely unusable; are there any other competing websites that could resurrect the old slashcode?

    5. Re:Network segmentation by chipschap · · Score: 5, Interesting

      My guess is because IT is not given control over security, not listened to and told to "just do it" when they try to point out the security problems during planning.

      I was once the security advisor at a Large Place. A senior manager came to me and said, I want to forward all my email to Gmail so I can read it at home. (Much of it was sensitive stuff.) He said, "what do you advise?" I said, obviously, not to do it as it presented unacceptable risk, forwarding internal sensitive email to an external source beyond our control. He replied, "OK, I asked you the question, document that, will you? I can't help it if you gave the wrong answer" and he went ahead and set up forwarding. Actually, had someone set it up because he was clueless about how to do it.

  2. Maybe this is why we have the beta by Bob+the+Super+Hamste · · Score: 4, Funny

    Maybe this is why we have the slashdot beta issue, something came in with the HVAC account at dice. It sucks enough that the HVAC system might be to blame.

    --
    Time to offend someone
  3. HVAC vendor has network access to the POS system? by jdastrup · · Score: 5, Funny

    Might as well give HVAC vendors access to the slashdot beta servers so they can destroy it as well.

  4. Re:FUCK BETA by synapse7 · · Score: 4, Informative

    **NOW WITH LINE BREAKS**

    Please post this to new articles if it hasn't been posted yet.

      On February 5, 2014, Slashdot announced through a javascript popup that they are starting to "move in to" the new Slashdot Beta design.

      Slashdot Beta is a trend-following attempt to give Slashdot a fresh look, an approach that has led to less space for text and an abandonment of the traditional Slashdot look. Much worse than that, Slashdot Beta fundamentally breaks the classic Slashdot discussion and moderation system.

      If you haven't seen Slashdot Beta already, open this [slashdot.org] in a new tab. After seeing that, click here [slashdot.org] to return to classic Slashdot.

      We should boycott stories and only discuss the abomination that is Slashdot Beta until Dice abandons the project.
      We should boycott slashdot entirely during the week of Feb 10 to Feb 17 as part of the wider slashcott [slashdot.org]

      Moderators - only spend mod points on comments that discuss Beta
      Commentors - only discuss the Beta - Vote up the Fuck Beta stories

      Keep this up for a few days and we may finally get the PHBs attention.

  5. Re:"...as we migrate our audience..." by dmomo · · Score: 4, Insightful

    There are readers and contributors. Slashdot acknowledges some people as meaningful contributors by allowing them to disable ads. So, yes. We contributors ARE paying to use the site by offering our content. We're not giving the content for free, we get compensated in the form of a site that lives up to our high standards. So, when the compensation fails to be adequate, we must be vocal. We understand that we can stop using the "free" site at any time. We become vocal in hopes it doesn't have to come to that.

  6. Re:"...as we migrate our audience..." by arth1 · · Score: 5, Informative

    Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?

    We pay in two ways. Well, three, if you include those that pay directly. But otherwise, we pay by contributing, and we pay by watching ads.

  7. "Been slashdot'd" takes on a whole new meaning... by QuietLagoon · · Score: 4, Insightful

    After seeing what the new beta site looks like, in the future "being slashdot'd" will mean being destroyed by someone who does not understand what they are destroying.

  8. Slashdot Beta by ShaunC · · Score: 5, Insightful

    Target fucked somewhere between 40 million and 110 million people. DICE is now trying to fuck something south of half a million people.

    Cut this shit out. Revert. Take the DICE Marketing department out for a nice big lunch, drinks and all. Then send them home for the weekend. Then undo the damage they've done.

    I'm sadly sure that this is an intentional ploy to drive away long-time users ("geeks" and "nerds") who have contributed so much that, like me, they're eligible to disable advertising. What they don't understand is that even if my karma was shit (we don't get numbers anymore, I guess mine would be 50++++++), I'd still be using Ghostery and AdBlock to block the ads without Slashdot's generous option.

    Wake up, guys. This is a tech site. The comments make the site. The users make the site. We aren't going to sit around and watch it go to shit. You will have nothing, ZERO left if the beta interface goes into production, except for a few new users who came over from MSNBC.

    Writing, wall, see it, hope you have negotiated a nice severance package.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  9. Re:"...as we migrate our audience..." by Soulskill · · Score: 4, Insightful

    Receiving something for free does not negate one's right to complain about it.

    This is very true. Please keep the feedback coming. The more constructive, the better.

  10. Re:"...as we migrate our audience..." by arth1 · · Score: 4, Informative

    This is very true. Please keep the feedback coming. The more constructive, the better.

    Kill Slashdot Beta and start from scratch.
    That is a constructive suggestion, and absolutely doable.

  11. Re:"...as we migrate our audience..." by wjwlsn · · Score: 4, Insightful

    Well, aren't you just an entitled little shit.

    Do you not understand his argument, or are you really just an asshole? The value of Slashdot that keeps old-timers coming back, and brings new people in, is the content... and virtually all of that content is created and moderated by the users. Yes, the site itself is valuable as well, but only because it enables a certain style of discussion and fosters a particular kind of community, all built around that user content.

    When the site no longer enables the discussion and fosters the community that is Slashdot, it ceases having any value. People will leave. The quantity, quality, and very nature of the content will change... and as that continues, more people will leave. Now you're into a potentially unstoppable death spiral, and whatever remains will be just a pale image of the greatness that once existed.

    Do you expect us to keep our mouths shut? We don't want to see Slashdot die! Even if an alternative pops up somewhere, it won't have all the history that this site has. Losing all of that will be tragic.

    --
    Getting tired of Slashdot... moving to Usenet comp.misc for a while.
  12. Re:"...as we migrate our audience..." by gallondr00nk · · Score: 4, Informative

    This is very true. Please keep the feedback coming. The more constructive, the better.

    I admire you actually coming out and posting, but I'd point out that there has been a plethora of constructive, detailed feedback on the beta already, seemingly to no avail.

    But since you asked, I'd recommend:

    Keep the Classic Slashdot.

  13. Slashdot Beta sucks by Adeptus_Luminati · · Score: 4, Informative

    I've emailed them... they ignore... the more they ignore the quicker their downfall.

    Ignore your userbase, and you shall have none. If I am ignored much longer, I will leave. Just like I left mashable after their AOL'ed it.

    PS. I've been a slashdotter for 7+ years.

    --
    No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
  14. Re:"...as we migrate our audience..." by Spy+Handler · · Score: 4, Informative

    I can't promise we'll implement every suggestion (indeed, many are contradictory), but we absolutely consider them.

    You only need to implement ONE suggestion and everyone will be happy. Let people continue to use Classic interface if they choose. That's all you need to do.

  15. Re:Why HVAC contractor has network access by SrLnclt · · Score: 4, Informative

    Modern HVAC controls are much more than thermostats. There are typically resets for supply air temperatures based on outside air conditions and time of day, and boiler water temperature setbacks based outside air conditions. Fan and pump systems can get feedback from the positions of dampers/valves throughout the system, and the VFD can slow down to minimize energy usage based on the feedback from the worst-case zone in real time. The list goes on, but all of this energy optimizing relies on lots of real time data, and the easiest way to do this is on an ethernet network.

    Many large clients, particularly those with multiple locations like school districts or big box stores will hire a controls company, and pay them a bunch of money to save a target dollar amount or percentage amount on their energy costs. This is typically done through an online interface to monitor multiple locations simultaneously, and keep them all operating the same way. The user doesn't typically care how the contractor sets this up, they just want the savings. The cheaper the contractor can get to the target the more money he makes, which can lead to corner cutting by the contractor.

    Some people (government, some Universities) tend to make the controls sub-contractors install a second, independent TCP/IP network for their equipment. But this security comes at a cost premium, particularly in existing buildings that already have a network in place for their computer needs. Most places I have seen don't bother with this due to the cost and the general availability of network connections in today's world. If the security is setup properly this shouldn't be needed, but we all know how often proper security is overlooked.