Slashdot Mirror


Target's Data Breach Started With an HVAC Account

Jim Hall writes "Security blogger Krebs reports that Target's data breach started with a stolen HVAC account. Last week, Target said the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now claim that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. Attackers stole network credentials from Fazio Mechanical Services, then used that to gain access to Target's network. It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network."

7 of 232 comments

  1. Network segmentation by Dan East · Score: 5, Insightful

    why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network

    Because they have just one big unified network for everything. That probably saves them money, unless something really bad were to happen...

    --
    Better known as 318230.
    1. Re: Network segmentation by TWX · Score: 5, Insightful

      HVAC now relies on controls that are themselves Ethernet devices. Those devices in turn need to be reachable over the computer network, and a third-party HVAC company that is paid to monitor and service the air conditioning will need access to those HVAC controllers and to EMS (Energy management system) controllers to do their work. Since the devices are components on the network that can authenticate via 802.1X, they'll need credentials both to be on the network and to allow that third party to VPN into the network to monitor them.

      The stupid part is that the HVAC controllers were not vlanned off to their own segment, only connected to HVAC-monitoring computers and a VPN gateway for just this function, but given how congested IDFs are and how expensive the staff is to continually maintain vlans and associated ports, I'm not surprised at all that this happened.

      --
      Do not look into laser with remaining eye.
    2. Re: Network segmentation by aaarrrgggh · Score: 5, Insightful

      No, it is that proper security is really hard to do, especially when you deal with third parties that need to access portions of the network that management also needs to access. It doesn't help when the third party has one company account, and a reasonably high turnover rate of employees.

      I used to have a rolodex of access cards for different clients and sites. Many companies required a different card for each building. Then this magical internet came along and they merged all of the security systems into central corporate security. Like magic, I only needed one card for each client, locked down to the specific areas I needed access to in different buildings. Then... they had a problem. I couldn't get into the building to help out. It wasn't the end of the world, but the project manager I was working for ended up giving me all access to keep it from happening again. It took two years for a corporate security audit to call me and ask why the hell I needed "ring zero access" or whatever they called it. Up until that I had cash vault access for whatever stupid reason.

      The bigger and more distributed organizations get, and the deeper the tree is on the contractors they work with, the more it becomes impossible to manage security without paying a huge efficiency penalty.

      Sorry to get so off-topic; aren't we supposed to be talking about how miserable the beta.slashdot.org site is? Completely unusable; are there any other competing websites that could resurrect the old slashcode?
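      The two comments above describe the same pair of failures: HVAC controllers sitting on the same flat network as the registers, and one company-wide vendor credential held by a workforce with high turnover. The following is an added example (editor's code, not from this thread, from Target or from the vendor; the segment names, hosts and account names are constructed) that models inter-VLAN rules and vendor VPN accounts and audits them: it computes which segments a vendor login can reach, following multi-hop pivots, reports any point-of-sale host within reach, and flags credentials shared by more than one person.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Rule:
    """One inter-segment firewall/ACL rule. Rules are checked in order; first match wins."""
    src: str
    dst: str
    allow: bool


@dataclass
class Policy:
    segments: Set[str]
    rules: List[Rule]

    def allowed(self, src: str, dst: str) -> bool:
        if src == dst:
            return True  # hosts inside one VLAN/segment see each other directly
        for r in self.rules:
            if r.src == src and r.dst == dst:
                return r.allow
        return False  # no matching rule: implicit deny

    def reachable_from(self, start: str) -> Set[str]:
        """Segments a host in `start` can reach, following multi-hop pivots (transitive closure)."""
        seen, todo = {start}, [start]
        while todo:
            cur = todo.pop()
            for seg in self.segments:
                if seg not in seen and self.allowed(cur, seg):
                    seen.add(seg)
                    todo.append(seg)
        return seen


@dataclass
class VendorAccount:
    name: str
    holders: Set[str]  # people who actually use this credential
    lands_in: str      # segment the VPN gateway places this account into


def audit(policy: Policy, hosts: Dict[str, str], accounts: List[VendorAccount],
          protected_hosts: Set[str]) -> List[str]:
    """Findings: protected hosts a vendor account can reach, and credentials shared by several people."""
    findings = []
    for acct in accounts:
        reach = policy.reachable_from(acct.lands_in)
        exposed = sorted(h for h in protected_hosts if hosts[h] in reach)
        if exposed:
            findings.append(f"{acct.name}: can reach protected host(s) {exposed}")
        if len(acct.holders) > 1:
            findings.append(f"{acct.name}: shared by {len(acct.holders)} people, "
                            "so one departure cannot be revoked without rotating everyone")
    return findings


# Constructed sample data (assumptions for illustration, not any retailer's real topology).
PROTECTED = {"pos-register-01", "pos-server"}

# Weak: one flat network, and one login the whole vendor company shares.
FLAT_POLICY = Policy(segments={"corp"}, rules=[])
FLAT_HOSTS = {"hvac-controller-01": "corp", "ems-controller": "corp",
              "pos-register-01": "corp", "pos-server": "corp"}
FLAT_ACCOUNTS = [VendorAccount("hvac-vendor", {"tech-a", "tech-b", "tech-c"}, "corp")]

# Hardened: HVAC and EMS on their own VLANs, the vendor VPN landing segment may reach only
# those two, POS is reachable from nowhere, and each technician has an individual account.
SEG_POLICY = Policy(
    segments={"vendor-vpn", "hvac", "ems", "corp", "pos"},
    rules=[Rule("vendor-vpn", "hvac", True), Rule("vendor-vpn", "ems", True),
           Rule("corp", "hvac", True), Rule("corp", "ems", True),
           Rule("corp", "pos", False)])  # everything not listed: implicit deny
SEG_HOSTS = {"hvac-controller-01": "hvac", "ems-controller": "ems",
             "pos-register-01": "pos", "pos-server": "pos"}
SEG_ACCOUNTS = [VendorAccount("hvac-vendor-tech-a", {"tech-a"}, "vendor-vpn"),
                VendorAccount("hvac-vendor-tech-b", {"tech-b"}, "vendor-vpn")]

# Looks segmented, but a "management" rule from the HVAC VLAN back into corp, combined with
# corp being allowed into POS, yields a two-hop pivot that only a transitive check notices.
PIVOT_POLICY = Policy(
    segments=SEG_POLICY.segments,
    rules=[Rule("vendor-vpn", "hvac", True), Rule("vendor-vpn", "ems", True),
           Rule("hvac", "corp", True),    # the hole
           Rule("corp", "pos", True)])    # admin access from corp to POS


if __name__ == "__main__":
    for label, pol, hosts, accts in [("flat", FLAT_POLICY, FLAT_HOSTS, FLAT_ACCOUNTS),
                                     ("segmented", SEG_POLICY, SEG_HOSTS, SEG_ACCOUNTS),
                                     ("pivot", PIVOT_POLICY, SEG_HOSTS, SEG_ACCOUNTS)]:
        print(f"== {label} ==")
        for line in audit(pol, hosts, accts, PROTECTED) or ["no findings"]:
            print("  " + line)
```

      Running the module prints the findings for each of the three policies. The "pivot" policy is the reason the reachability check is transitive rather than a single rule lookup: no rule names vendor-vpn and pos together, yet one management rule from the HVAC VLAN back into the corporate segment reopens the path to the registers.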

    3. Re: Network segmentation by chipschap · Score: 5, Interesting

      My guess is because IT is not given control over security, not listened to and told to "just do it" when they try to point out the security problems during planning.

      I was once the security advisor at a Large Place. A senior manager came to me and said, I want to forward all my email to Gmail so I can read it at home. (Much of it was sensitive stuff.) He said, "what do you advise?" I said, obviously, not to do it as it presented unacceptable risk, forwarding internal sensitive email to an external source beyond our control. He replied, "OK, I asked you the question, document that, will you? I can't help it if you gave the wrong answer" and he went ahead and set up forwarding. Actually, had someone set it up because he was clueless about how to do it.

  2. HVAC vendor has network access to the POS system? by jdastrup · Score: 5, Funny

    Might as well give HVAC vendors access to the slashdot beta servers so they can destroy it as well.

  3. Re: "...as we migrate our audience..." by arth1 · Score: 5, Informative

    Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?

    We pay in two ways. Well, three, if you include those that pay directly. But otherwise, we pay by contributing, and we pay by watching ads.

  4. Slashdot Beta by ShaunC · Score: 5, Insightful

    Target fucked somewhere between 40 million and 110 million people. DICE is now trying to fuck something south of half a million people.

    Cut this shit out. Revert. Take the DICE Marketing department out for a nice big lunch, drinks and all. Then send them home for the weekend. Then undo the damage they've done.

    I'm sadly sure that this is an intentional ploy to drive away long-time users ("geeks" and "nerds") who have contributed so much that, like me, they're eligible to disable advertising. What they don't understand is that even if my karma was shit (we don't get numbers anymore, I guess mine would be 50++++++), I'd still be using Ghostery and AdBlock to block the ads without Slashdot's generous option.

    Wake up, guys. This is a tech site. The comments make the site. The users make the site. We aren't going to sit around and watch it go to shit. You will have nothing, ZERO left if the beta interface goes into production, except for a few new users who came over from MSNBC.

    Writing, wall, see it, hope you have negotiated a nice severance package.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!