
Ex-Employees Say Home Depot Left Data Vulnerable - jrochkind1
http://www.nytimes.com/2014/09/20/business/ex-employees-say-home-depot-left-data-vulnerable.html
======
lgleason
We have two issues here which are both bad.

One, big corporates that don't take the appropriate steps because of
incompetence, corporate inertia and a lack of consequences. People who say
something are not taken seriously and the good ones leave.

The other has to do with startups that are dealing with sensitive
information and do not take the appropriate steps to secure it because they
would rather win the VC lottery. Putting customers' data at risk is ok if they
can get their payday.

I have personally observed two startups that have done this.

One was a startup working in the identity management and protection space
logging sensitive information in plain text on their servers and bringing them
down to unsecured local dev boxes for debugging. When I asked them about it
they said they knew what they were doing was wrong but didn't feel like it was
a big deal. From their point of view they didn't think they were a target. Of
course they also didn't feel that it was worth the cost.

The other was a banking startup that was storing Social Security Numbers and
account details that would allow direct access to bank accounts on Heroku
PostgreSQL databases. Once again, when I brought it to their attention, making
the product look good for the next round of funding was more important than a
customer having their bank account cleared out or having their identity
stolen. Incidentally, many of the developers for this banking application had
come from a large established accounting company and didn't see anything
wrong with what they were doing.

What this really comes down to is ethics. Is it ethical to cut a corner and
save money on development if it means that a data breach of our system could
lead to possibly significant financial consequences to our customers?

I personally try to adhere to the ACM code of ethics
[http://www.acm.org/about/code-of-ethics](http://www.acm.org/about/code-of-ethics).
But unlike the field of medicine, where even the worst doctor has
been vetted by a committee of professionals, we have no bodies that evaluate
the character of people in our field nor an oath like the Hippocratic oath that
is an automatic piece of the training.

If more engineers were willing to say no and even quit over poor security
practices I'll bet you security would be taken more seriously.

~~~
morgante
> We have two issues here which are both bad.

Sorry, where does anything in this article mention startups?

------
ROFISH
Things like this just means we should really bring out something that doesn't
expose the magic 16 digits of "charge me anything" to the world. Tokenization
schemes like Apple Pay go a long way to securing the general public in an easy
to use way.

------
georgeoliver
So what's the chance one number out of the 50+ million will be used
fraudulently? 1%? 10%?

~~~
ams6110
I've already received notice from Discover that they are sending me a new
card. They didn't mention Home Depot but did say that my current card had the
potential to be used fraudulently.

If the card companies can issue new cards quickly enough they can contain the
damage. 50 million is a lot though.

------
enraged_camel
Things like this will continue to happen as long as the government insists on
slapping companies on the wrist with small fines, which most of the time is a
tiny portion of their annual profits.

My solution: hold the executive management directly liable for all security
breaches that compromise customer data. Send a few of them to jail and you
will suddenly see other companies treat information security with the
seriousness it deserves.

(Most corporate CEOs make millions of dollars a year on top of an untold
number of perks. It's time for them to start earning it.)

~~~
ufmace
In this particular case, what is the justification for the Government fining
them? Did the customers lose something that they were not adequately
compensated for by existing system? Exactly who would we be protecting?

To me, this sounds like a matter to be handled between the banks, card
processors, and Home Depot.

------
johnny5
What I don't understand about these massive breaches is that once a pattern
has been established all the cards get flagged... right? Which greatly
increases the likelihood of subsequent transactions being flagged on the spot,
which makes the risk of being caught much greater. Wouldn't the hackers and
their clients be better served by much smaller batches of credit cards that
aren't clearly from the same breach?

~~~
meowface
You're right, but they do it in a sneaky way to try and avoid that.

The Russian/Ukrainian rings that hit Target and Home Depot (and various other
companies) gathered the cards in secret over many months, while not actually
using or selling any of them. Then once they feel like they've gathered enough
cards to compensate them for their time, or if they feel like they'll lose
access or get caught in the near future, they dump them in bulk batches.
Generally these breaches, and the company that was breached, get discovered
after the very first dump batch. The banks who issue the credit cards can
often figure out what store was breached if they're given a random sample of
1000 or so credit cards; they just correlate the cardholder locations with the
stores in the area, and see what store has the most overlap. Often bank
security personnel are some of the first to buy the credit card dumps. In
fact, this is how Home Depot and Target both found out they were even breached
at all: the banks ran their analytics on the dumps and informed them.

After the first batch is released, the subsequent batches are usually less
likely to work, but sometimes the banks will just issue notices saying "you
recently shopped at Home Depot, please check your account statement" instead
of blanket disabling all the cards. In those cases, staggering the dumps in
batches increases the overall fraud gain.

You can learn more about these kinds of tactics on Brian Krebs' blog:
[http://krebsonsecurity.com/](http://krebsonsecurity.com/)
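The bank-side analysis meowface describes (find the merchant that a sample of dumped cards share far more often than cards in general do) as an added example, not code from the thread or from any bank; it uses constructed transaction histories per card rather than cardholder locations, and all card ids, merchant names and the `COMPROMISED` sample are made up.

```python
"""Common-point-of-purchase analysis over a sample of compromised cards."""
from collections import Counter

# Constructed sample: (card_id, merchant) pairs, one per purchase. Not real data.
TRANSACTIONS = [
    ("c1", "HardwareCo"), ("c1", "GroceryMart"),
    ("c2", "HardwareCo"), ("c2", "GasStop"),
    ("c3", "HardwareCo"), ("c3", "GroceryMart"),
    ("c4", "HardwareCo"),
    ("c5", "GroceryMart"), ("c5", "GasStop"),
    ("c6", "GroceryMart"),
    ("c7", "GroceryMart"), ("c7", "GasStop"),
    ("c8", "GroceryMart"), ("c8", "HardwareCo"),
]
# Constructed stand-in for the random sample of cards seen in a dump.
COMPROMISED = {"c1", "c2", "c3", "c4"}


def merchants_by_card(transactions):
    """Map each card id to the set of merchants it was used at."""
    seen = {}
    for card, merchant in transactions:
        seen.setdefault(card, set()).add(merchant)
    return seen


def common_point_of_purchase(transactions, compromised, min_cards=2):
    """Rank merchants by lift: share of compromised cards seen there divided by
    share of all cards seen there. Plain counts would favour ubiquitous
    merchants (every cardholder buys groceries); lift corrects for that.
    Merchants with fewer than min_cards compromised cards are dropped as noise.
    Returns [(merchant, compromised_cards_seen, lift), ...], best first."""
    by_card = merchants_by_card(transactions)
    all_cards = set(by_card)
    hit, base = Counter(), Counter()
    for card, merchants in by_card.items():
        for merchant in merchants:
            base[merchant] += 1
            if card in compromised:
                hit[merchant] += 1
    n_comp = len(compromised & all_cards)
    results = []
    for merchant, total in base.items():
        if hit[merchant] < min_cards:
            continue
        rate_comp = hit[merchant] / n_comp
        rate_all = total / len(all_cards)
        results.append((merchant, hit[merchant], round(rate_comp / rate_all, 3)))
    results.sort(key=lambda r: (r[2], r[1]), reverse=True)
    return results


if __name__ == "__main__":
    for merchant, seen, lift in common_point_of_purchase(TRANSACTIONS, COMPROMISED):
        print(f"{merchant:12} compromised cards seen: {seen}  lift: {lift}")
```

With a real issuer's data the same ranking is run over millions of cards and a window of dates, which is why a sample of about a thousand cards is enough to single out one merchant.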

~~~
rdl
Probably the most strategic way to use 50mm credit cards would be to use them
destructively, rather than just for direct gain. (All of this is illegal as
well as immoral, but just presented so people can develop countermeasures)

Know that using the credit cards will cause the accounts to get frozen, which
will cause decreased purchasing; it will also scare people away from those
stores, and possibly from purchasing in general.

A nation state could do this for disruption directly; Russia could filter the
50mm cards to find cards belonging to US people (or just assume home depot =
usa), and intentionally cause transactions requiring replacement. Do this on
the last week before xmas, or black friday, or some other strategic time.

A criminal organization could use the breach to manipulate the stock market --
either directly (shares in the breached company tank, although this doesn't
happen to a very large extent), or by blocking cards used at one merchant in
particular, raise the sales of a competitor indirectly.

There's also straight extortion -- we'll sell these back to you and go away
IFF you pay us.

~~~
meowface
Interesting tactic, and I could definitely see it being employed by an
intelligence agency, but it's unlikely the fraudsters would be able to see any
significant monetary gain from it. As you alluded, Home Depot's stock didn't
decrease that much, and it bounced back shortly afterwards.

Some of the fraudsters and criminals are politically motivated to an extent,
especially with the recent US sanctions against Russia (the codename for the
Home Depot card dump is "American Sanctions"), which you can read more about
here: [http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/](http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/)
The POS malware even has some not so subtle anti-American images
embedded within it.

But that said, they care about the money above all else. The rest is just a
little added motivation.

------
rbc
It does sound like Home Depot's management may have failed to practice due
care in protecting their customers' credit card data. That will be perceived as
a failure of corporate governance and expose the company to charges of
negligence. I'm surprised they let it go on this long. It seems like there
will be a material effect on the company's operations now...

------
UnoriginalGuy
One thing I haven't seen the popular media take Home Depot to task on is: Why
didn't they review their security after the Target breach?

The Target thing was announced in December last year. Home Depot had between
then and April-May to do a full review and see if they too were vulnerable.
Not only did they fail to do that, but they failed to find this issue for 5
additional months(!).

I liken it to being a miner, watching the canary die, and then continuing to
work. Then you're shocked _shocked_ that there was poisonous gas in the mine
when you "found out" hours later.

I just looked up "gross negligence" (per corporate law) and this seems to
wholly fit. This is almost textbook gross negligence, yet not a single
prosecutor in the US has gone after Home Depot. Why is that?

In fact it seems like Home Depot will walk away from this almost cost-free, no
fines, no prosecution, no significant costs (the "free monitoring" is stupidly
inexpensive, plus nobody actually utilises it), and only minor negative PR.

Maybe states should just fine companies 10c for every Credit or Debit Card
number lost. That's a 5.6 mil fine for Home Depot, maybe then they'd take it
more seriously.

~~~
wdr1
> One thing I haven't seen the popular media take Home Depot to task on is:
> Why didn't they review their security after the Target breach?

?

It's right there in the article:

"After the Target theft, Home Depot’s chief executive, Frank Blake, assembled
a team to determine how to protect the company’s network from a similar
attack, said one person briefed on the project. In January, Home Depot brought
experts in from Voltage Security, a data security company in California, these
people said. By April, the company started introducing in some of its stores
enhanced encryption that scrambled payment information the moment a card was
swiped.

"But criminals were already deep in Home Depot’s systems. By the time the
company learned on Sept. 2 from banks and law enforcement that it had been
breached, hackers had been stealing millions of customers’ card information,
unnoticed for months. The rollout of the company’s new encryption was not
completed until last week."

------
jessaustin
_...more than a dozen systems handling customer information were not assessed
and were off limits to much of the security staff._

This sort of decision is made at an executive level. There must have been
multiple reports that included a record of the decision. PCI is a joke.

------
asdfologist
"They say many companies do not even know they have been breached."

This is the scariest fact of the whole article. We hear about Sony, Target,
Home Depot, etc. on the news, but how many others are out there that we don't
know about? Dozens? Hundreds?

------
untilHellbanned
Bitcoin and cryptocurrencies should really be capitalizing on the nightmare PR
of all these credit card thefts at major retailers. This is way worse than the
transaction fee argument.

~~~
ufmace
And how would they go about capitalizing on the bad PR, considering that
Bitcoin security is far, far worse than even the sloppiest credit card system?
Virtually every business dealing in Bitcoin has been hacked, and this
basically always results in the full balance of their bitcoins being stolen
and the attacker getting away with it clean.

The credit card system has its issues, but even these massive thefts of
numbers generally lead to no financial losses for customers and modest losses
for banks and retailers, and the attackers often do get tracked and caught.
The biggest complaint on here is that the losses are not high enough to
convince these companies to pay serious attention to security.

------
Pxtl
So how did the malware get onto these machines in the first place? Why is a
POS system running unexpected binaries?

~~~
Spooky23
Like most companies, client support is a real shitshow, with the most junior
employees and fewest resources.

------
Istof
Since you can't prove a negative: any proof that Home Depot benefited from
this?

------
wfjackson
Here's an article with more details.

[http://www.dailytech.com/Appalling+Negligence+DecadeOld+Wind...](http://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm)

Looks like they were still using Windows XP embedded instead of moving to
Windows 7 embedded.

~~~
withinrafael
Heads up: Windows XP != Windows XP Embedded. Extended support for XPE has not
ended yet.

[http://support.microsoft.com/lifecycle/search/default.aspx?a...](http://support.microsoft.com/lifecycle/search/default.aspx?alpha=Windows+XP+embedded&Filter=FilterNO)

------
norespectei388
0. Did Govt BUY or contract with the COMPANY? yes or no

1. Can employees SUE FOR BIG MONIES under qui tam law?

2. IS IT EASY TO FIND A LAWYER and GOVT agency and 'partners' who DO MOST OF
THE WORK (other whistleblowers are RICH) in helping the GOVT to sue the
COMPANY? yes or no

3. got an entire group? ex-employees? do not plan on working for COMPANY
AGAIN?

4. Employee in I.T., computers, security, etc DON'T GET NO RESPECT?

5. Employees could be WHISTLEBLOWERS and when the GOVT and you and partners
WIN, then the 99% ninety nine percent win?

Yes, I am a worker. Yes, I paid taxes. Yes, COMPANY got all sorts of tax
loopholes, Management got golf club memberships and perks and benefits.

Yes, see books by David Cay Johnston about tax loopholes and 'structures.'

------
xnull2guest
[https://en.wikipedia.org/wiki/Victim_blaming](https://en.wikipedia.org/wiki/Victim_blaming)

Seriously. Defending cyber infrastructure is hard. Incredibly hard. If you
only play defense you lose. Always. 100% of the time. Nuclear facilities and
critical infrastructure get hacked when they aren't even connected to the
broader internet. Our software stacks are built insecure from the ground up.

And what's the threat model you want Home Depot to protect you against?
Hackers coming in directly from the internet? Hackers coming in from a
contractor (like Target)? Hackers breaching their corporate datacenters?
Attackers that gain access to the production line? Attackers that return goods
after they've been infected? Attackers that phish for access to employees or
with PDF malware as job applications? Leaving infected CDs, hard drives, and
USB sticks near the company HQ of the business they buy their point-of-sale
device from? Creating rogue access points or using femto cells to gain access
to company devices? Hacking into home devices of employees? Attackers planting
backdoors into the hardware at the manufacturing level? Attackers guessing
weak passwords that employees configured? From these attacks applied to
vendors and partners? From attackers that compromise tools used by employees
hosted on C|NET and others (like sysinternals)? There's a million ways in.
Point-of-sale devices are just one way adversaries could collect this data.

Security researchers have been crying that the internet has no clothes for
decades. The internet is a wild west without vigilantes. It's been designed
weak from the start. Adversarial-tolerant design costs far, far more than
fault-tolerant design does.

Wall Street was hacked. The Department of Defense is routinely hacked. The
_NSA_ has been hacked.

This isn't Home Depot's fault. Everyone gets hacked. Everyone.

~~~
bobzimuta
Please don't bring social justice theory into a factual discussion of a
company's missteps and negligence that resulted in a serious breach of its
systems.

~~~
xnull2guest
Because it's not relevant?

I argue it is. There's no way Home Depot could have prevented this. If they
took every step suggested by every article and every comment in this 'factual
discussion' they would have been owned another way. And it would have received
a tirade of similar articles and similar comments about what it should have
done to protect its data another way.

Hindsight and backwards-engineering security suggestions are easy. But it isn't
productive to the overall posture of cyber security. I guess it depends on
what scope of the discussion you find interesting. The root or the symptom.

~~~
bdamm
I completely agree with you. It's quite amusing to see this time and time
again; 'security' folks then say "oh, it's Target/Home Depot/Heartland
Payment/Apple/Adobe/Yahoo's fault".

There's an easily identifiable pattern here. Security is not economically
feasible. Cyber security breaches are like industrial accidents or freak acts
of nature, and they should be treated that way. Insurance, OSHA, inspectors,
training. This problem is not going to go away.

Specifically for credit cards, banks could do a lot to solve the problem by
removing the plaintext identity value that is a credit card number. As an
engineering discipline, we can do a great deal to remove the high-value
targets from flowing through many hands.

~~~
pbhjpbhj
> _Security is not economically feasible_ //

Isn't it that others bear the cost of a company's security lapses - except for
good will - and so they don't really care beyond the legislated need to care?
Are these companies making a loss?

It certainly sounds like Home Depot just thought that it wouldn't happen to
them and so they could cheap it out - not pay for intrusion detection, not pay
to have systems scanned for known vulnerabilities (I'm reading between the
lines of the OP article a bit here), not paying for security updates like
current anti-virus.

~~~
xnull2guest
Companies lose huge amounts of money, much of it from PR with customers, when
they are hacked. The recent eBay hack for example lost the company huge
amounts of money (I remember seeing the numbers but haven't had luck finding
them online).

But you're only thinking about customer retailers.

Many companies need to keep their intellectual property, source code, designs
and trade secrets safe from hackers and competitors. Intel is a great example
of a company that dominates an industry purely due to IP. Chinese company- and
government-sponsored hackers would love to utilize 12 nm transistor
technology to outcompete Intel. I can't help but wonder what Intel
microcode update keys would sell for.

Brazilian Petrobras lost billions of dollars when they got hacked by the NSA
and as a result lost offshore oil drill location auctions.

There's also 'outsider trading'. Intimate knowledge of what financial
decisions companies and states are going to make is big money
([http://tinyurl.com/l834xou](http://tinyurl.com/l834xou)).

Finally, there's stealing money directly from corporate accounts (Axis Bank).
A recent example are the thefts of large numbers of bitcoins from bitcoin
trading companies. Often hackers abuse automated clearing house systems to
transfer data between accounts and siphon small quantities across large swaths
of time/transactions ([http://www.bankinfosecurity.com/ach-fraud-payroll-hack-drains-217k-a-3980](http://www.bankinfosecurity.com/ach-fraud-payroll-hack-drains-217k-a-3980)).

Then there's political hacking. The Chinese government stole Israel's Iron
Dome defense system specifications. What does that 'cost'? It's hard to
calculate. There are countless examples where state actors steal designs from
defense contracting companies.

