Slashdot Mirror


Kmart Says Its Payment System Was Hacked

wiredmikey writes Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast-growing club dealing with successful hack attacks. The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, and that debit and credit card numbers appear to have been compromised. A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no Social Security numbers were obtained by the attackers.

3 of 101 comments

  1. Re:social security? wtf by MasterOfGoingFaster · Score: 4, Informative

    why would Kmart even have your social security number?

    Uh... Employees?

    --
    Place nail here >+
  2. Also at krebsonsecuritycom by manu0601 · Score: 4, Informative
  3. Re:Does K-Mart use the same stuff as Sears? by Anonymous Coward · Score: 2, Informative

    It would be an accomplishment. Mainframe OSes, AIX, and Solaris have an impeccable record for security these days (before 2000 it was a different story, as Sun was often bashed... but with MS as the absolute focus for the bad guys, and OS X and Linux trailing). Hacking an AIX box is a lot more difficult than hacking Windows.

    1: AIX has trustchk. If the executable isn't signed, it doesn't run. Linux doesn't have this functionality; it has to be done in userland. Even modified libraries won't load. Of course, this functionality is limiting, but for a static system like a cash register, it is useful.

    2: AIX has a far better patch install system than anything out there. You can reject a patch and go back to the previous update. In no other OS is this possible without restoring or reinstalling. Once confident with a patch, you can commit it and free the space.

    3: AIX has both VMs (LPARs) and partitions (WPARs). It is easy to separate applications for defense in depth.

    4: SELinux's functionality is far expanded in AIX and Solaris. Solaris 11 has no root user by default. Root is just a schmuck like every other UID. This can be changed, but hacking UID 0 means little. In AIX, root can be completely removed to the point where one reboots an LPAR or machine to a service partition for updates, and boots back. This keeps users completely separated, and unless there is a way to find a hole to get into kernel space on the POWER architecture, a library attack like Shellshock won't do much, if anything.

    All in all, Linux is great, and has made light-years of improvements. But Solaris and AIX have not stood still, and are still ahead as enterprise-grade operating systems. For 99% of use cases, Linux is fine. However, there are items (like the need for ZFS, which is at best stitched onto Linux) where Solaris and AIX are musts.

    Of course, the downside of AIX is that it is IBM, and thus insanely expensive... but you do get what you pay for.
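
The comment above describes trustchk as a database of trusted executables and libraries: anything modified or not enrolled is refused. As an added illustration of that integrity-checking model (this is not AIX code; trustchk's real TSD format and signature verification are not reproduced, and the file names below are constructed), here is a small Python analog that enrols a file tree into a trusted database, then re-checks it and reports a patched library, a permission change, a deleted file, and an unlisted binary that an enforcing policy would refuse to run:

```python
"""Constructed analog of a trusted signature database (TSD) check.

Not AIX's trustchk: a minimal model of the same idea, recording a hash,
size and mode for each enrolled file and flagging anything that no longer
matches or was never enrolled.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes compared against the database: content hash, size, mode bits."""
    st = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only, not file type
    }


def build_tsd(root: Path) -> dict:
    """Enrol every regular file under root; keys are root-relative paths."""
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root: Path, tsd: dict) -> dict:
    """Compare the live tree with the database.

    "untrusted" means a file on disk with no TSD entry: the case an enforcing
    policy (like the one the comment describes) would refuse to execute or load.
    """
    report = {"ok": [], "modified": [], "missing": [], "untrusted": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        seen.add(rel)
        if rel not in tsd:
            report["untrusted"].append(rel)
        elif fingerprint(p) != tsd[rel]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["missing"] = list(set(tsd) - seen)
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Constructed scenario: enrol a tiny tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("bin", "lib", "etc"):
            (root / sub).mkdir()
        files = {  # constructed sample files; names are hypothetical
            "bin/pos": (b"#!/bin/sh\necho register\n", 0o755),
            "bin/audit": (b"#!/bin/sh\necho audit\n", 0o755),
            "lib/libpay.so": (b"\x7fELF trusted library", 0o644),
            "etc/pay.conf": (b"terminal_id=0001\n", 0o600),
        }
        for rel, (data, mode) in files.items():
            (root / rel).write_bytes(data)
            (root / rel).chmod(mode)

        tsd = build_tsd(root)

        # Tampering after enrolment:
        (root / "lib" / "libpay.so").write_bytes(b"\x7fELF trusted library+skimmer")
        (root / "etc" / "pay.conf").chmod(0o644)   # same bytes, loosened mode
        (root / "bin" / "audit").unlink()           # enrolled file removed
        (root / "bin" / "dump").write_bytes(b"#!/bin/sh\ncat /dev/mem\n")  # unenrolled

        return verify_tree(root, tsd)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:>9}: {', '.join(paths) or '-'}")
```

The mode check matters as much as the hash: a file whose bytes are intact but whose permissions were loosened is still a policy violation, which is why `fingerprint` compares all three attributes rather than the digest alone.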