

A First Look at the Target Intrusion, Malware - panarky
http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/

======
bbarn
Sadly, I think the only one who's going to benefit here are credit card
companies. I can almost picture the "Thieves are getting more sophisticated,
we're getting more sophisticated than them with the new nano-carbon unobtanium
mastercard" commercials.

I've had my card number fraudulently used twice via what I thought were
reasonably safe websites with large volumes, SSL, etc. I've also had my card
company call me a dozen times when I've bought large gifts or spent a few
hundred dollars at a few stores in a row running errands a mile from home on a
Saturday morning. Perhaps some effort should be made towards better detecting
true fraud at scale (i.e., "get rich quick" DVDs being purchased by a few
hundred of your consumers in a short time) rather than what would be a typical
IT dork's every-so-often spending spree before a holiday.

------
crazytony
I wonder why Target needed full connectivity between their public web servers
and in-store POS devices?

~~~
acomjean
I was wondering the same thing.

But it's probably for an "is it in stock in a store near me", which might be
tied into the inventory/POS system.

~~~
crazytony
You're probably right, though it astounds me that this relationship would be
bidirectional, e.g. web servers can make requests to individual stores.

Security implications aside, if it was engineered that way it would make for
highly variable response times and diminished reliability: not only would you
have to make 50+ queries, but those queries would have to be across a WAN
instead of being colocated.

~~~
heywire
I can't imagine that anyone would design a system in such a way. It would be
far more likely that transaction data would be uploaded to a central database
which tracks store inventory.

------
jessaustin
"POS devices", ha!

Actually, they have my sympathy. Somehow I doubt the POS OS does any sort of
signature verification. We might see that soon, however!

~~~
EvanAnderson
It's likely Windows XP embedded, which doesn't enforce code signing.

I've worked around some Retalix (NCR) POS software (mentioned in the article,
though in Canadian stores) and I can safely say that the security posture of
the software of theirs that I've seen is simply horrible.

Perhaps Target has newer stuff than what I've worked with, but I'm talking
about VB 6 code running in XP embedded using a "database" back-end that
amounts to some Btrieve database files on an SMB share marked "Everyone / Full
Control". Getting remote code execution on the POS machines would be trivial.

~~~
jimueller
In this context, is the POS device the cash register or the CC reader used by
the customer? I was assuming it was the reader device they were referring to,
but it seems like those would run software from the manufacturer, not Target.

I noticed that some Target stores have the Verifone MX925 [1] which seem to
have been installed in the past year.

[1] http://www.verifone.com/products/hardware/multimedia/mx-925/

~~~
EvanAnderson
The Verifone MX800 series, at least, can have Customer-supplied binaries
installed. There's code-signing on the MX800-series devices, but I am aware of
at least one version of the firmware that allows an attacker to get root
access on the device pretty easily via the touchscreen UI and Ethernet port,
assuming that default passwords aren't changed on the device.

------
emgee3
I got a data breach notification saying my data was compromised and here's
your free monitoring blah blah blah. The thing is, I haven't physically been
into a Target for over two years if memory serves, and last time I ordered
online from Target was well before that.

I wonder if there's more that hasn't hit the news, or if Target figured better
safe than sorry on the notifications.

