Target's Internal Security Team Warned Management
david.emery writes "According to this story, Target's own internal computer security team raised concerns months before the retailer lost millions of credit card numbers in an attack. (Quoting a paywalled story in the Wall Street Journal.) Target's management allegedly 'brushed them off.' 'At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system.' This raises a more general question for the Slashdot community: how many of you have identified vulnerabilities in your company's/client's systems, only to be 'brushed off?' If the company took no action, did they ultimately suffer a breach?"
Yes, there are horrible security flaws where I work. Things as basic as changing passwords on a regular basis have been brought up repeatedly, and the answer is always, "we can't make people do that", or "that's something to keep in mind for the future, but we have more important things to worry about".
Years ago I worked for one of the two big American cable companies currently merging. I identified a security flaw in the public facing side of their customer service portal, essentially giving access to all the config files, which contained admin credentials in plain text. I proposed simple solutions, like not allowing directory listings of folders, among others.
They shrugged it off, and to the best of my knowledge, last year the vulnerability was still accessible.
This has all the hallmarks of the beginnings of a civil suit for negligence, and if it can be proven that the flags were raised based on actual break-ins and were ignored, possibly criminal negligence. The only place in Target I'd want to be right now is in their legal office - they're gonna be putting in some overtime soon.
There are security concerns in every company, without exception. Obviously, even the NSA itself had inadequate security!
Yes, many times security concerns are brought up, and brushed off. But this is not necessarily an indication of a problem. Every security risk must be weighed based on the likelihood of occurrence, and the severity of the impact, should it occur. Many of these calculations are inexact, and must be based on incomplete information.
Should Target have protected themselves better? Probably. But hindsight is 20/20. The difficult part is to anticipate the problems that might occur, without crippling your organization through impossibly tight security.
There is the problem that they are fairly computer illiterate. I've dealt with many FBI computer forensic specialists, or whatever they are, who are dumbfounded by a .tgz or Unix line endings. Hire out of the Secret Service; they understand computers.
No sir, I don't like it.
Stupid cookie-cutter MBA pindicks.
They were the jocks in school who got ahead because of their aggro and ego, but not their brains.
Guess what? They're now our bosses.
Years ago I worked for a government IT department. A vendor wanted us to try out a product. The device plugs directly into the Internet connection, and monitors every packet, in real time, looking for strings matching an array of strings that you provide. We ran queries against our internal databases, and compiled a list of SSNs and CCNs. The vendor programmed that data into their device, which from what I can tell used an FPGA to perform deep packet inspection.
We expected that we might see maybe an email every week or two where someone accidentally sent that kind of information.
First hit occurred 12 seconds after turning the device on.
Second occurred 0.47 seconds later.
Etc. Etc. Etc.
Within an hour, we had overrun the quota on the network directory where we were logging this data.
We found hundreds of separate systems that were transmitting this kind of data without authorization. We were planning a massive internal sweep to find and fix them all, when the following came down from management:
Shut it down. Remove the device. Destroy all logs, emails, EVERYTHING. Offer the vendor a payment in return for signing an NDA. All employees required to sign secrecy docs (unenforceable at that level of govt, but still.)
I believe this is how the acronym SNAFU came into existence.
--- Generation X: The first generation to have SIG lines inferior to their parents... ---
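The detection the device above performed, written out in software as an added example (not the vendor's product or the commenter's code): candidate identifiers are found by pattern, SSNs are flagged only when they appear on the loaded watchlist, and card-number candidates are filtered with a Luhn check to suppress random digit runs. Payloads and watchlist entries are constructed sample values.

```python
import re
from typing import List, Tuple

# Constructed sample payloads standing in for captured plain-text traffic.
SAMPLE_PAYLOADS = [
    "GET /report?ssn=123-45-6789 HTTP/1.1",    # constructed SSN, present on the watchlist
    "order id 4111 1111 1111 1111 shipped",    # well-known test PAN, passes Luhn
    "ticket 1234-5678-9012-3456 opened",       # card-shaped digit run that fails Luhn
    "ext 555-12-3456 please",                  # SSN-shaped but not on the watchlist
]

# Watchlist of constructed identifiers, as the anecdote's device was loaded with.
WATCHLIST = {"123-45-6789"}

# SSN shape, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or hyphens.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact(value: str) -> str:
    """Keep only the last four digits so logs do not re-leak the data."""
    digits = [c for c in value if c.isdigit()]
    return "*" * (len(digits) - 4) + "".join(digits[-4:])

def scan_payload(payload: str) -> List[Tuple[str, str]]:
    """Return (kind, redacted_value) hits for one payload."""
    hits = []
    for m in SSN_RE.finditer(payload):
        if m.group() in WATCHLIST:
            hits.append(("ssn", redact(m.group())))
    for m in CCN_RE.finditer(payload):
        if luhn_ok(m.group()):
            hits.append(("ccn", redact(m.group())))
    return hits

def scan_stream(payloads: List[str]) -> int:
    """Number of payloads carrying at least one hit."""
    return sum(1 for p in payloads if scan_payload(p))

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(repr(p), "->", scan_payload(p))
    print("payloads with hits:", scan_stream(SAMPLE_PAYLOADS))
```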
I got my first job in the industry due to that sort of screw-up. A network administrator was "let go" following a server crash and loss of months' worth of data. The backup system hadn't been working. I was hired shortly thereafter to get things back in order.
Now, that would be the end of the story, except that I was good friends with this administrator. The embarrassing subject of his dismissal didn't come up for about three years, but when it did, and I mentioned my surprise at a fairly intelligent guy allowing backups to lapse for that amount of time, he dug up an e-mail he'd sent to the president of the company, cc'ing the head of HR (who was more or less running the show, for some reason), pointing out the various problems they had - their "server," an old workstation, had been running for two years on a three-month evaluation copy of Windows Server 2000, there were no backup tapes working, and so on. The only excuse they could have had was that the backup thing was buried in a page-long list of serious issues. But when it blew up in their faces, they pinned it on the closest available peon. Assholes.
This is a frequent occurrence. I used to get upset about it. These days I have seen enough of these exact type of situations blow up that I am content to document my observations, report them to the appropriate people (always a direct supervisor), and then move on with my life. When things blow up, I am covered.
Situations like this are why, although I understand security, I will never work in a security position. There is too much risk and liability, and not enough support.
I'm sure that Target will address the issue by firing all of the management that brushed off the security researcher's concerns and will promote that security researcher to the head of a new task force aimed at increasing their security and give him a huge pay increase (and maybe a pony).
When you have lots of outsourcing / contracting / subcontracting, they don't want to pay the costs of doing stuff right; no, they want fast / cheap.
Places where I've worked that required users to change their password regularly invariably had the same password but with an incremented number at the end every time they needed to change the password. This allowed them to remember it more easily, but effectively meant they were using the same password.
The more stringent that the password requirements become, the more likely it is that users are going to start writing them down somewhere or trying to come up with workarounds so that they can remember them. And in turn, you have another security issue.
Everywhere I have worked has also had a review of brute force password hacking attempts. :-)
As long as you keep them in your wallet then writing them down is fine.
You're MUCH more likely to be aware when someone steals your wallet than when someone steals your password. So keep your passwords in your wallet if you cannot remember them.
Similar for home systems. Keep them safe at home. Criminals breaking into your home to steal stuff are not USUALLY going to be looking for a piece of paper with your passwords on it.
As a former US Navy nuclear engineer, I informed management of material and procedural problems related to the nuclear reactor plant on board the USS La Jolla on a weekly basis. Have you ever gone to your boss with a technical manual that perfectly explains the "unexplainable problem" he's having, have him brush you off, and less than a week later that problem destroys a major system, causing millions of dollars in damage and endangering the entire ship? I have. I'm pretty sure none of my complaints were ever addressed except on the one or two occasions where I threatened to bypass management and complain to a newspaper. That's pretty standard Navy leadership. When you're dealing with a culture where everyone starts at the bottom, the best and brightest leave, and whatever's left gets promoted, that's the kind of technical management you get.
So they get their own network that does not touch the production network.
Probably just a *DSL/cable from a local ISP.
With a firewall that you control. Heavily locked down. No need for them to hit Facebook from the HVAC, is there? No need for inbound access from 99.9% of the IP addresses out there, is there?
Then paint it and label it and make sure no one else can touch it. Use super-glue on the ports.
Document, document, document. And keep copies where you can get them once you are frog-marched out of the building wearing the scapegoat collar.
Which is a perfect example of incompetence.
*raises hand* ooh! ooh! Pick me! Pick me! Been there! Done that!
Two things:
1. It's not that they need access to the CORPORATE network. It's that they need access to the INTERNET so that the machinery can report back to the vendor when something starts to go wrong. That's usually in the service agreement. The sooner detected the sooner fixed without problem.
2. For managers who like to look at stuff. There is usually an internal web server on the HVAC. You go there and it displays things like the temp and the humidity and blah blah blah.
Thus, dumb managers (I've dealt with them) want them on the corporate network. It's easier for everyone.* Including the crackers who are looking for these exact vulnerabilities.
*Security people are not included in this definition of "everyone" in this case.
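The segregation the two comments above describe (own uplink, a firewall you control, egress only to the vendor's reporting endpoint, the HVAC web UI reachable from one management host, nothing inbound from the Internet), written as a checkable policy model. This is an added example from the editor, not any commenter's configuration; the addresses, the resolver and the vendor endpoint are constructed assumptions using documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPNet = ipaddress.IPv4Network

# Constructed addressing for the illustration (documentation ranges, not a real site).
HVAC_NET = ipaddress.ip_network("10.250.0.0/24")            # segregated HVAC segment, own ISP uplink
CORP_NET = ipaddress.ip_network("192.168.0.0/16")           # corporate LAN, must stay unreachable
MGMT_HOST = ipaddress.ip_network("192.168.10.5/32")         # the one host allowed to view the HVAC web UI
VENDOR_TELEMETRY = ipaddress.ip_network("203.0.113.10/32")  # assumed vendor reporting endpoint
RESOLVER = ipaddress.ip_network("203.0.113.53/32")          # assumed ISP resolver the segment may query
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str
    src: IPNet
    dst: IPNet
    dport: Optional[int]    # None matches any port
    proto: Optional[str]    # None matches any protocol
    reason: str

# First match wins; the last rule is the default deny that blocks all other egress and all inbound.
RULES = [
    Rule("allow", HVAC_NET, VENDOR_TELEMETRY, 443, "tcp", "telemetry to the vendor, per service agreement"),
    Rule("allow", HVAC_NET, RESOLVER, 53, "udp", "name resolution for the vendor endpoint"),
    Rule("allow", MGMT_HOST, HVAC_NET, 443, "tcp", "facilities web UI, one management host only"),
    Rule("deny", ANY, ANY, None, None, "default deny: no Facebook, no corporate LAN, no inbound"),
]

def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) of the first rule matching the flow."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in RULES:
        if (src in r.src and dst in r.dst
                and (r.dport is None or r.dport == flow.dport)
                and (r.proto is None or r.proto == flow.proto)):
            return r.action, r.reason
    return "deny", "no rule matched"  # unreachable with the catch-all rule, kept as a safety net

if __name__ == "__main__":
    for f in (Flow("10.250.0.20", "203.0.113.10", 443), Flow("10.250.0.20", "198.51.100.7", 443),
              Flow("198.51.100.7", "10.250.0.20", 80), Flow("192.168.1.10", "10.250.0.20", 443)):
        print(f, "->", evaluate(f))
```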
I was the responsible IT manager, over all devs, admins, ops and security.
Reviewed all contracts and implementations, upon taking over the job.
Discovered some seriously bad stuff.
Developed a plan to *quietly*, discreetly, repair it over a short time period.
"Rebury the bodies"
Turned out the responsible party was the CEO's favorite, "baby shark".
Got cardboard boxed. Out day after board presentation.
So it goes.
Interesting point:
All of those devs, techs and security people who moan about the lack of management support?
How many of you have ever supported or somehow defended *any* manager who tried to help you, to do the right thing?
Speaking personally, I would guess ... None of you. "Not my problem" attitude, up and down.
Maybe you have all been luckier.
(R)ule in Hell or (S)erve in Heaven [R]?
They probably have several people who can do that. It requires some expertise but not a lot.
Of course they have people who CAN do that. The better question is - do any of those people have the political clout to require Target to spend money and inconvenience managers and "essential" vendors to prevent a "theoretical" security attack.
If your children ever found out how lame you are, they'd murder you in your sleep