On Thursday, Dec. 19, 2013, Target revealed that data from 40 million of its customers’ credit and debit card accounts had been accessed by hackers. I’d like to discuss how and why this happened. But before I do, I want to make it clear that I’m not singling out Target as having done anything wrong. I’m using what happened to them simply to illustrate the kind of situation many companies are facing—even those with very good security systems and personnel.
In terms of its significance to an entire industry, the data breach at Target (like those at Neiman Marcus, Sally Beauty, etc.; see “World’s Greatest Data Breaches”) is to retail networking what Hurricane Katrina was to the insurance industry: a once-in-a-hundred-years event that motivates an industry to take a new look at how it does business. And this was an expensive event: retail industry experts say the cost of the Target breach will be somewhere between $500,000,000 and $1,000,000,000.
The crux of the issue is that, in the words of another industry expert, Target “did not do enough to wall off its payment systems from the rest of its network.” As I said in Part 1, network segmentation is not an easy thing to accomplish—even with a crack security team. Exactly how the hackers used this “Achilles’ heel” to access Target’s POS network is very instructive.
It all began with a phishing attack, an email fraud method in which the hacker sends out a legitimate-looking mass email in an attempt to get recipients to disclose personal and financial information. Once the attackers have had time to comb through the list of people who have “bitten” on the email scam, they choose their first victim. (See https://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/)
Once the hackers identified the HVAC contractor among those who had fallen for the phishing email, they stole its network access credentials and used them to gain access to the Target network.
From there, the hackers used a technique commonly discussed among penetration testers called a “pivot.” Once attackers have a foothold, they scan the network and look for vulnerable entry points into other systems. They find one vulnerable system and compromise it. From that system they search for further vulnerable entry points into other networks, and so the cycle goes until they reach something of value. Having gained entry via the HVAC vendor’s access, the hackers were able to maneuver around the internal network until they got onto the vendor EDI network. From there they reached the POS network and used a customized version of BlackPOS to scrape payment card data from the memory of Target’s POS systems.
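To make the segmentation point concrete, here is an added illustration (not code from the original post) that models a zone-to-zone firewall policy as a graph and checks whether an intruder could chain permitted flows from a vendor-facing zone to the POS zone. The zone names and allowed flows are constructed assumptions that mirror the pivot chain above, not Target’s actual topology.

```python
from collections import deque

# Constructed "which zone may initiate connections to which" policy, modelling
# the pivot chain described in the post (vendor access -> internal -> vendor
# EDI -> POS). Zone names and flows are illustrative assumptions only.
WEAK_POLICY = {
    "vendor_portal": {"internal"},
    "internal": {"corporate", "vendor_edi"},
    "vendor_edi": {"pos"},          # the gap: EDI hosts may reach POS
    "corporate": set(),
    "pos": set(),
}

# The same zones with the payment systems walled off: nothing may initiate to
# POS except a dedicated, tightly controlled management zone.
SEGMENTED_POLICY = {
    "vendor_portal": {"vendor_edi"},
    "internal": {"corporate"},
    "vendor_edi": set(),
    "corporate": set(),
    "pos_mgmt": {"pos"},
    "pos": set(),
}

def pivot_path(policy, start, target):
    """Breadth-first search over allowed flows; returns the hop-by-hop list of
    zones an intruder could pivot through from start to target, or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:          # walk parents back to start
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for nxt in policy.get(zone, ()):
            if nxt not in parents:
                parents[nxt] = zone
                queue.append(nxt)
    return None

def audit(policy, entry_zones, crown_jewel):
    """Entry zones that can pivot to crown_jewel, each mapped to its path.
    An empty result means the crown jewel is walled off from those zones."""
    paths = {z: pivot_path(policy, z, crown_jewel) for z in entry_zones}
    return {z: p for z, p in paths.items() if p}
```

Running `audit(WEAK_POLICY, ["vendor_portal", "corporate"], "pos")` returns the four-hop vendor-to-POS path, while the same call against `SEGMENTED_POLICY` returns an empty dict.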
It is worth pointing out that the piece of malware the hackers used to gain entry has been around for quite a while. If hackers can use existing tools to breach a well-protected network like this, then we as IT professionals need to accept that there may be no perfect prevention, no perfect firewall, no perfect antivirus. If we want to do a better job of protecting our networks, we need to consider other approaches.
In my next post, I’ll talk about how parallel networking represents one such promising new direction in network security.