Target's Internal Security Team Warned Management

david.emery writes "According to this story, Target's own internal computer security team raised concerns months before the retailer lost millions of credit card numbers in an attack. (Quoting a paywalled story in the Wall Street Journal.) Target's management allegedly 'brushed them off.' 'At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system.' This raises a more general question for the Slashdot community: how many of you have identified vulnerabilities in your company's/client's systems, only to be 'brushed off?' If the company took no action, did they ultimately suffer a breach?"

17 of 236 comments

  1. Posting anonymously for obvious reasons... by Anonymous Coward · · Score: 5, Interesting

    Yes, there are horrible security flaws where I work. Things as basic as changing passwords on a regular basis have been brought up repeatedly, and the answer is always, "we can't make people do that", or "that's something to keep in mind for the future, but we have more important things to worry about"

    1. Re:Posting anonymously for obvious reasons... by ackthpt · · Score: 5, Informative

      Yes, there are horrible security flaws where I work. Things as basic as changing passwords on a regular basis have been brought up repeatedly, and the answer is always, "we can't make people do that", or "that's something to keep in mind for the future, but we have more important things to worry about"

      I've worked at two kinds of places - one, where it was pretty much as you described. The second sort was, upon orientation you are given your accounts and access and told they are your responsibility to use discreetly and to notify the appropriate support should you even suspect they have been compromised. Failure, in the second case, was grounds for discipline or termination of employment.

      Guess where things went more smoothly and security issues seldom elevated to crisis.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Posting anonymously for obvious reasons... by Desler · · Score: 5, Insightful

      You do realize that making people change their passwords all the time simply leads to people using weaker passwords or writing them down, right? This type of policy thought up by some self-proclaimed security expert amongst the IT monkeys almost always leads to worse security than not. And you don't even need to take my word for it:

      The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they're more likely to choose easy-to-remember -- and easy-to-guess -- passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.

      https://www.schneier.com/blog/...

    3. Re:Posting anonymously for obvious reasons... by plover · · Score: 4, Insightful

      Interesting that you should mention "changing passwords on a regular basis" as a "horrible security flaw". Have you considered that changing passwords generally introduces more risk than it guards against, and doesn't actually have an effect on most actual hack attacks?

      The attacker strikes with whatever credentials he finds, whenever he finds them. The second step of an attack is to create a separate back-door, so that if the first password is changed he's back in anyway. And how does an attacker find credentials? When someone's entering them, which includes changing them, or if someone's handling them. There is often a case when you have people who can't remember their newest recently cycled password who call the Help Desk. The phone drone resets it to something like "ForgottenPassword#1", then voicemails the chump with the temporary password. If a hacker's able to listen to their voicemail, he simply calls in a phony forgotten password request and it's Winner, Winner, Chicken Dinner!

      So what does changing the password every 30 days actually protect against? I suppose if you wrote the password on your blog, then in 31 days you're safe. Of course, if you wrote the password on your blog, I don't think password rotation should be your highest priority for fixing your security issues. Do you honestly think hackers have machines that can crack passwords in 31 days, but not 30? Either he can crack it in an hour or less, or he likely can't crack it at all and won't bother trying.

      Changing passwords periodically was only a good idea when there was one password shared by many people, and you had to exclude your former colleagues. But those days ended back with moats and longbowmen on the castle walls. In these modern days of electronic passwords that are never shared, it's a ritualistic holdover with negative consequences.

      --
      John
    4. Re:Posting anonymously for obvious reasons... by Penguinisto · · Score: 4, Insightful

      Ditto here... once you make the employees know that their screw-ups will end up costing them, they tend to not screw up as much, and tend to report things much, much faster should something go awry.

      That said, the Target penetration wasn't directly caused by a Target employee/user - the bad guys snuck in through a contractor that was given network access that they should have never had. This was more due to lazy architecture/vlan partitioning than it was $random_employee with a bad post-it note habit.

      If anything, the network admins should be facing the barrel before anyone else, followed very closely by most of the security admins, if not simultaneously (excepting the guy who shouted the warning and those who demonstrably supported him; that dude should be promoted post-haste.)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    5. Re:Posting anonymously for obvious reasons... by davidhoude · · Score: 3, Informative

      The point in changing passwords isn't to change user behavior. It is to ensure that any leaked credentials do not stay valid indefinitely.

    6. Re:Posting anonymously for obvious reasons... by l0n3s0m3phr34k · · Score: 5, Insightful

      At my job, I have three different VPN tokens, and at one time had at least 30 different passwords all over the globe I had to use...ours forces changes at various times, some are 30 days, some 90, some never...depending on the system. RSA admin software had a PIN too. We usually just keep it all in a spreadsheet. If you can't remember a single password...but you also need the Active ID token too. We potentially have deep access into the airline reservation system, although that system is so insanely complicated and cross-platform good luck finding anything of worth haha.

      It's kinda backwards in a way. Retail is always a huge target, the bigger the company the bigger the score. From a security design viewpoint, the "backend" and the "financial" systems should have been physically separated at all times, using some encrypted EDI to exchange whatever (inventory, overstock, per piece price, etc). The credit card terminals should have been "payment only" and not loaded down with all their SHIT like "cash back?" "cure cancer?" "are you sure?" "join our rewards / store card" and wtf other messages I have to tap on your stupid touchscreen a million times just to pay you. Some of them even have ads on them.

      Soon, Walgreens, CVS, Dollar whoever...the more sophisticated we make these terminals where our card touches their system, the more exploitable they will become. It's the slow feature creep, the "we need to upload new ad images at 2:50AM" by developers in a far-off land...pushed forward by managers who just want "shiny bright things" that make us give up even more information, waste our time more, and provide little real actual benefit.

    7. Re:Posting anonymously for obvious reasons... by cusco · · Score: 5, Interesting

      I've worked in the physical security field (cameras, key cards, alarm systems, etc.) for the past eight years, and can tell you that Target's HVAC vendor is in no way unusual. I know of a large security vendor that uses the same username/password combination on every customer that they ever touch, nationwide, and at most of them they are administrators on the security server. At a lot of them they have remote access.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  2. customer service portal by ironicsky · · Score: 5, Interesting

    Years ago I worked for one of the two big American cable companies currently merging. I identified a security flaw in the public facing side of their customer service portal, essentially giving access to all the config files, which contained admin credentials in plain text. I proposed simple solutions, like not allowing directory listings of folders, among others.

    They shrugged it off, and to the best of my knowledge, last year the vulnerability was still accessible.
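
The mitigation ironicsky names (no directory listings, and no serving of the config folder at all) is the kind of thing a defender can check for mechanically. The following is an added example, not code from the post or from any company mentioned in the thread: a small Python linter over two constructed Apache-style config fragments, the weak one beside a hardened one. The paths, the config contents and the list of "sensitive" directory names are assumptions made for the illustration.

```python
import re
from typing import List, Tuple

# Constructed Apache-style config fragments (hypothetical paths, not any real site's config).
# The first turns directory listings on for the portal tree, so a request for the config
# folder returns an index of every file in it; the second turns listings off and denies
# the config folder outright.
WEAK_CONFIG = """
<Directory "/var/www/portal">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/portal/config">
    Options +Indexes
    Require all granted
</Directory>
"""

HARDENED_CONFIG = """
<Directory "/var/www/portal">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/portal/config">
    Require all denied
</Directory>
"""

DIRECTORY_BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTIONS_LINE = re.compile(r"^\s*Options\s+(.+)$", re.M | re.I)
REQUIRE_GRANTED = re.compile(r"^\s*Require\s+all\s+granted\b", re.M | re.I)

# Directory names that usually hold settings or credentials and should never be served
# to anonymous clients (assumed list for this example).
SENSITIVE_DIR_NAMES = {"config", "conf", "etc", "include", "includes", ".git", ".svn"}


def listing_enabled(body: str) -> bool:
    """Walk the Options lines of one block in order and return the final Indexes state.

    Absolute form ("Options Indexes FollowSymLinks" or "Options All") replaces the set;
    relative form ("+Indexes" / "-Indexes") adjusts it. Inheritance from parent blocks
    or the server default is not modelled here.
    """
    enabled = False
    for m in OPTIONS_LINE.finditer(body):
        tokens = [t.lower() for t in m.group(1).split()]
        if all(t[0] in "+-" for t in tokens):
            for t in tokens:
                if t in ("+indexes", "+all"):
                    enabled = True
                elif t in ("-indexes", "-all"):
                    enabled = False
        else:
            enabled = "indexes" in tokens or "all" in tokens
    return enabled


def lint_apache(config: str) -> List[Tuple[str, str]]:
    """Return (path, issue) for every <Directory> block that lists files or exposes a config dir."""
    findings = []
    for m in DIRECTORY_BLOCK.finditer(config):
        path, body = m.group(1), m.group(2)
        if listing_enabled(body):
            findings.append((path, "directory listing enabled"))
        last = path.rstrip("/").split("/")[-1].lower()
        if last in SENSITIVE_DIR_NAMES and REQUIRE_GRANTED.search(body):
            findings.append((path, "sensitive directory served to all clients"))
    return findings


if __name__ == "__main__":
    print("weak:", lint_apache(WEAK_CONFIG))
    print("hardened:", lint_apache(HARDENED_CONFIG))
```

Run it and the weak fragment produces three findings while the hardened one produces none. Disabling listings is the cheap first step; the stronger fix in the hardened fragment is that the config directory is not reachable through the web server at all, so its contents stay private even if a listing is accidentally re-enabled later.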

  3. Every single company by Tony+Isaac · · Score: 5, Insightful

    There are security concerns in every company, without exception. Obviously, even the NSA itself had inadequate security!

    Yes, many times security concerns are brought up, and brushed off. But this is not necessarily an indication of a problem. Every security risk must be weighed based on the likelihood of occurrence, and the severity of the impact, should it occur. Many of these calculations are inexact, and must be based on incomplete information.

    Should Target have protected themselves better? Probably. But hindsight is 20/20. The difficult part is to anticipate the problems that might occur, without crippling your organization through impossibly tight security.

  4. You'd Be Amazed by The+Other+White+Meat · · Score: 5, Interesting

    Years ago I worked for a government IT department. A vendor wanted us to try out a product. The device plugs directly into the Internet connection, and monitors every packet, in real time, looking for strings matching an array of strings that you provide. We ran queries against our internal databases, and compiled a list of SSNs and CCNs. The vendor programmed that data into their device, which from what I can tell used an FPGA to perform deep packet inspection.

    We expected that we might see maybe an email every week or two where someone accidentally sent that kind of information.

    First hit occurred 12 seconds after turning the device on.

    Second occurred 0.47 seconds later.

    Etc. Etc. Etc.

    Within an hour, we had overrun the quota on the network directory where we were logging this data.

    We found hundreds of separate systems that were transmitting this kind of data without authorization. We were planning a massive internal sweep to find and fix them all, when the following came down from management:

    Shut it down. Remove the device. Destroy all logs, emails, EVERYTHING. Offer the vendor a payment in return for signing an NDA. All employees required to sign secrecy docs (unenforceable at that level of govt, but still.)

    I believe this is how the acronym SNAFU came into existence.

    --

    --- Generation X: The first generation to have SIG lines inferior to their parents... ---
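
The device in the story matched traffic against a list of known SSNs and card numbers. A detector that does not need the real values in hand can instead match on structure and validate each candidate, which is how most data-loss-prevention tooling works. The following is an added example, not the poster's device or any vendor's product: a Python scanner run over a handful of constructed payloads, using a Luhn check for card numbers and the Social Security Administration's structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) for SSNs. The sample payloads are made up; the card numbers in them are public test numbers.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample payloads (hypothetical), standing in for the email bodies and
# packet payloads such a device would inspect. The card numbers are public test numbers.
SAMPLE_PAYLOADS = [
    "Subject: order export\nCard 4111 1111 1111 1111 exp 12/26",  # valid Luhn: hit
    "ticket id 4111111111111112 is not a card",                   # fails Luhn: ignored
    "employee SSN: 123-45-6789 on file",                          # structurally valid SSN: hit
    "invalid ssn 666-12-3456 should be ignored",                  # area 666 is never issued
    "part number 000-12-3456",                                    # area 000 is never issued
    "nothing sensitive here, build 2024.03",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded in a
# longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA for numbers that can actually exist."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan_payload(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked value) for each validated match; the raw value is never logged."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("CCN", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("SSN", "***-**-" + m.group(3)))
    return findings


def scan_all(payloads: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map payload index to its findings, skipping clean payloads."""
    result = {}
    for i, text in enumerate(payloads):
        hits = scan_payload(text)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for i, hits in scan_all(SAMPLE_PAYLOADS).items():
        print(f"payload {i}: {hits}")
```

Two design points matter for a detector like this. Validation (Luhn, SSA rules) is what keeps the alert volume from drowning the analyst in invoice numbers and part numbers; and the finding records only a masked value, because a log full of the very data you are trying to protect is exactly the problem the poster ran into when the logging directory overran its quota.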
  5. Basically, yeah by Anonymous Coward · · Score: 4, Interesting

    I got my first job in the industry due to that sort of screw-up. A network administrator was "let go" following a server crash and loss of months' worth of data. The backup system hadn't been working. I was hired shortly thereafter to get things back in order.

    Now, that would be the end of the story, except that I was good friends with this administrator. The embarrassing subject of his dismissal didn't come up for about three years, but when it did, and I mentioned my surprise at a fairly intelligent guy allowing backups to lapse for that amount of time, he dug up an e-mail he'd sent to the president of the company, cc'ing the head of HR (who was more or less running the show, for some reason), pointing out the various problems they had - their "server," an old workstation, had been running for two years on a three-month evaluation copy of Windows Server 2000, there were no backup tapes working, and so on. The only excuse they could have had was that the backup thing was buried in a page-long list of serious issues. But when it blew up in their faces, they pinned it on the closest available peon. Assholes.

    1. Re:Basically, yeah by nobuddy · · Score: 5, Informative

      So... where do I know you from?

      You could have described my one and only firing ever, to the word.

      Me: "Boss, Beancounter- this backup system is broken and needs to be fixed. here is a cost breakdown for the fix and a loss analysis for failure to fix. It is genius and incorporates existing links and hardware to minimize cost and implement offsite backups for all sites!"
      Boss: "Shut up and go fix a printer somewhere."

      Fast forward a year- major crash of a POS server. Loss of customer records, $300,000 and 6 months predicted to be spent reconstructing the database from paper records.

      Boss: "You are fired for letting this happen."
      Me: "...."

  6. It's okay to write them down. by khasim · · Score: 3, Insightful

    You do realize that making people change their passwords all the time simply leads to people using weaker passwords or writing them down, right?

    As long as you keep them in your wallet then writing them down is fine.

    You're MUCH more likely to be aware when someone steals your wallet than when someone steals your password. So keep your passwords in your wallet if you cannot remember them.

    Similar for home systems. Keep them safe at home. Criminals breaking into your home to steal stuff are not USUALLY going to be looking for a piece of paper with your passwords on it.

  7. Re:Oh boy... Here we go... by nobuddy · · Score: 4, Informative

    Document, document, document. And keep copies where you can get them once you are frog-marched out of the building wearing the scapegoat collar.

  8. Re:in this cases it may be out side vendors / cont by Anonymous Coward · · Score: 4, Interesting

    Which is a perfect example of incompetence.

  9. Re:but when you work with HVAC vendors who sub wor by khasim · · Score: 4, Insightful

    Someone please tell me what HVAC contractors could possibly need to do on a corporate network.

    *raises hand* ooh! ooh! Pick me! Pick me! Been there! Done that!

    Two things:
    1. It's not that they need access to the CORPORATE network. It's that they need access to the INTERNET so that the machinery can report back to the vendor when something starts to go wrong. That's usually in the service agreement. The sooner detected the sooner fixed without problem.

    2. For managers who like to look at stuff. There is usually an internal web server on the HVAC. You go there and it displays things like the temp and the humidity and blah blah blah.

    Thus, dumb managers (I've dealt with them) want them on the corporate network. It's easier for everyone.* Including the crackers who are looking for these exact vulnerabilities.

    *Security people are not included in this definition of "everyone" in this case.
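
Two posts in this thread describe the same fix from different angles: l0n3s0m3phr34k wants the "backend" and the "financial" systems physically separated with only a narrow encrypted EDI channel between them, and khasim's two HVAC use cases (controllers reporting outbound to the vendor, managers reading a status page) can both be met without putting the controllers on the corporate network. The following is an added example, not code from either poster or from any retailer or vendor: a Python model of a zone-based, default-deny segmentation policy evaluated over constructed connection attempts. The zone names, address ranges (RFC 1918 and documentation ranges), rule set and the EDI port 8443 are all assumptions made for the illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed (hypothetical) zone layout. Addresses are RFC 1918 and documentation
# ranges chosen for the example; they are not any real retailer's or vendor's network.
ZONES = {
    "PAYMENT": ipaddress.ip_network("10.10.0.0/16"),    # card terminals and the payment back end
    "CORP":    ipaddress.ip_network("10.20.0.0/16"),    # workstations, inventory, email
    "HVAC":    ipaddress.ip_network("10.30.0.0/24"),    # building controllers on their own VLAN
    "VENDOR":  ipaddress.ip_network("203.0.113.0/24"),  # the HVAC vendor's monitoring service
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


# Explicit allow list keyed on the zone that opens the connection. A stateful firewall
# admits the replies, so no rule is needed in the reverse direction, and in particular
# nothing lets the vendor or the controllers open connections inward. Everything not
# listed is denied. Port 8443 for the EDI link is a placeholder, not a standard.
RULES: List[Tuple[str, str, str, int, str]] = [
    ("HVAC", "VENDOR",   "tcp", 443,  "controller telemetry to the vendor, outbound only"),
    ("CORP", "HVAC",     "tcp", 443,  "staff may read the controller's status web page"),
    ("CORP", "PAYMENT",  "tcp", 8443, "encrypted EDI exchange with the payment back end"),
    ("CORP", "INTERNET", "tcp", 443,  "general web access from workstations"),
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Decide a new connection and report which rule decided it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return ("allow", f"intra-zone {src} traffic (policed by host rules, not this list)")
    for rs, rd, rp, rport, why in RULES:
        if (rs, rd, rp, rport) == (src, dst, proto, dport):
            return ("allow", why)
    return ("deny", f"no rule for {src}->{dst} {proto}/{dport}")


# Constructed connection attempts a firewall in this layout might see.
FLOWS = [
    ("10.30.0.5",    "203.0.113.10", "tcp", 443),   # controller phoning home: allow
    ("10.30.0.5",    "10.10.0.20",   "tcp", 445),   # controller reaching into the payment zone: deny
    ("203.0.113.10", "10.30.0.5",    "tcp", 443),   # vendor opening a connection inbound: deny
    ("10.20.0.77",   "10.30.0.5",    "tcp", 443),   # manager viewing the HVAC dashboard: allow
    ("10.20.0.77",   "10.10.0.20",   "tcp", 3389),  # workstation RDP into the payment zone: deny
    ("10.20.0.77",   "10.10.0.20",   "tcp", 8443),  # inventory system's EDI link: allow
    ("10.30.0.5",    "198.51.100.9", "tcp", 443),   # controller to an arbitrary internet host: deny
]


def evaluate_all(flows) -> List[str]:
    """Decision for each flow, in order."""
    return [evaluate(*f)[0] for f in flows]


if __name__ == "__main__":
    for f in FLOWS:
        print(f, *evaluate(*f))
```

The point the rule table makes is that both of khasim's requirements are satisfied without a single rule whose source is the HVAC zone and whose destination is anything internal: the controllers reach only their vendor, staff reach the controllers, and the payment zone accepts exactly one narrow channel from the corporate side. A review of the deny log for the second, third and seventh flows is also where a defender would first notice a controller or a vendor account behaving in a way the service agreement never called for.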