
Target Hackers Broke in via HVAC Company - panarky
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
======
reeses
One of the key parts of this for consumers to keep in mind is that this is a
_massive_ PCI violation. Target neglected many of the most basic requirements
in terms of network segmentation and data protection. Target is a large tier-
one retailer. They had 3rd party audits to "guarantee" PCI compliance.

However, the 3rd party is usually a single 'auditor' who interviews the staff
and looks at the network diagrams provided by the IT department. This
information may be inaccurate to the point that it may not even exist.

The focus in these audits is almost always ecommerce. I'm sure Target's
ecommerce site has been scoped very thoroughly. Almost _every_ retailer is
just as exposed. While every client I've worked with has (by the time I left)
been PCI compliant on the ecommerce side, the internal networks are often
completely flat, even across global locations. SOX is a joke as a result, as
there is no separation of concerns.

~~~
maxerickson
What lessons beyond "Even major retailers have serious security problems"
should a consumer be worried about here?

I don't know much about PCI compliance, but I don't get the idea that it is
something I should have to worry about as a user of a credit card.

~~~
derekp7
The lesson is to have more than one credit card, because eventually the one
you use regularly will be compromised -- even if you only use it at physical
locations. And when it is compromised, you will have to get a replacement,
which is an inconvenience (hence the need for a second card). Oh, and keep an
eye on your statements. And if you use a debit card, you may be worse off --
when it is compromised, you will have bills bouncing until you can get it
straightened out. Even more of an inconvenience.

If you use a debit card, go to your bank and have them turn off the "feature"
that lets you overdraft (and get charged a $35.00 fee each time). Set up a
separate account (one that doesn't have a debit card), to use for all your
bill payments, so at least that doesn't get behind if your main account is
cleaned out.

~~~
mr337
Seems like this was overlooked a little, but one could always use cash.

I understand the reasons why cash can be inconvenient, but I doubt it is less
hassle than dealing with a bank/CC company over fraudulent charges, associated
overdraft fees, and all the crap.

Now eCommerce transactions over the web are a different story.

~~~
hga
Indeed; that's what I do for everything local that's less than, say, $750, and
it's remarkably worry free. No privacy issues either; no one has any idea
exactly what I buy locally.

------
fragsworth
The way credit cards are designed should be illegal. They are basically a
piece of plain text that can be used by anyone to purchase things from
someone's account.

It's basically the worst security you could possibly have for one of the
highest-risk systems (direct access to money) that exist.

People need to be angry at the credit card industry for designing such an
insecure system, not Target. There are plenty of online payment systems that
work far, far better than credit cards that cannot, by design, ever have user
account information stolen from a retailer.

~~~
cynwoody
What you say is true.

However, it doesn't really matter. Despite all the hue and cry, credit card
fraud losses run in the single-digit basis point range as a fraction of
transaction volume and around 1.2% as a fraction of issuer expenses.† Losses
due to uncollectible debt (the "charge-off rate") are much higher, at around
three or four percent in 2013 (but 10.9% in the second quarter of 2010).††

The pain point isn't financial. It's the bad publicity when breaches occur and
the nagging fear is that losses could suddenly get out of hand due to some
unanticipated vulnerability.

†[http://web.archive.org/web/20091229101826/http://www.sas.com...](http://web.archive.org/web/20091229101826/http://www.sas.com/news/analysts/mercator_fraud_1208.pdf)

††[http://www.federalreserve.gov/releases/chargeoff/chgallsa.ht...](http://www.federalreserve.gov/releases/chargeoff/chgallsa.htm)

~~~
fragsworth
So this means we're effectively _all_ paying 1.2% extra (indirectly through
retailer's credit card fees) to accept these fraud losses. But you have to add
to that some amount for overhead of dealing with fraud reports, and the
expense of required security practices in order to be PCI compliant, which is
entirely a result of the plain-text nature of credit cards. It probably
results in 1.5-2% extra to all purchases, entirely hidden to consumers.

And, from your own citation, on average, 10% of Americans are victims of
credit card fraud and 7% of debit card fraud - this probably results in about
16% of Americans total if you assume both groups are random samples of the
population.

If you've ever dealt with credit card fraud, you'd know that it's an ordeal
that can be a huge pain in the ass. It can take many hours of your own time,
and time from your card issuer. The cost isn't just directly financial, it's
the overhead that comes as a result of the fraud.

I am certain that if given the choice, nearly everyone would take a 1.5%
discount on all of their purchases if they had to do two-factor authentication
on all of them in exchange.

~~~
patio11
_I am certain that if given the choice, nearly everyone would take a 1.5%
discount on all of their purchases if they had to do two-factor authentication
on all of them in exchange._

Do you have a trusted friend or family member who is not a technologist? Ask
if you can watch them a) sign up for 2FA for their bank and b) complete one
end-to-end transaction using 2FA.

You may, in response to this short anthropological study, revise your estimate
that nearly everyone would gladly use 2FA for every purchase.

(Additionally, merchants wouldn't be thrilled about any system which makes it
difficult for their customers to spend money. If the Stripe API had a field
for require_two_factor_authentication I'd set it to "false" or "are you
freaking kidding me? no!" simply because I _know_ that will cost me more in
lost transactions than I lose to CC fraud.)

------
jauer
This doesn't surprise me.

From what I've seen on the provider side HVAC (and access control) companies
want their devices right on the Internet. If you push them they'll deal with
being behind NAT with a port forward but mention using a VPN and that's too
much work for them.

Ask them about security and they hand wave and say it is secure because it is
an "appliance" or "controller" as if that magically protects them.

This is changing somewhat as vendors move to a "phone home to the cloud"
approach instead of direct access so they can get in on the revenue stream
between the end user and the dealer. This removes the direct exposure to the
internet but the local/insider threat remains.

------
fidotron
I for one welcome the fantastic security enabled by the Internet of Things.

~~~
stakent
This already started.

TV receivers broadcasting metadata about files on devices connected to the
LAN.

Routers allowing anonymous access over ftp to the disks connected to them.

Routers protected on the WAN side with factory set passwords.

Kettles and irons equipped with wifi and looking for open networks to
broadcast something to the world.

(Smart)phones with broadband processors with DMA access to the applications
processor's memory.

Computers, tablets and game consoles equipped conveniently with cameras and
microphones.

We live in the future, whether we like it or not.

~~~
toomuchtodo
I have seen TV broadcast equipment with SNMP and web interfaces exposed on
public internet addresses. Days ago.

------
chatmasta
Curious: What are the ethical implications for the thieves? They effectively
stole from a giant, multinational corporation, and inconvenienced consumers.
At the end of the day, no consumer lost money from this. I wonder how this
differentiation affects the consciences of the thieves, who are probably
sitting on quite a large pile of money right now...

(I hope this comment doesn't show up in a background check..)

~~~
gergles
Consumers have not lost money directly, but they certainly will lose it in
higher interchange fees, interest rates, store prices, and all the other tiny
components that make up the American payment infrastructure.

------
jessaustin
_It’s not immediately clear why Target would have given an HVAC company
external network access..._

~~~
jauer
When you reach a certain size of HVAC system it is common for the dealer to
regularly service the system and proactively monitor it. This requires access
to the controllers to see a pump has failed, coolant pressure dropped, etc.

They should have ordered a stand-alone Internet connection for such things but
probably figured they'd save the money and use the existing network
connection.

~~~
ericcumbee
Really all they would need is a VLAN and a proper set of ACLs.

~~~
jessaustin
It's almost as if, at some size, a company's "internal" network should be
considered no more secure than the internet itself. Defense at the perimeter
only is flawed, especially when the perimeter is the only thing protecting
cash registers that update with unsigned firmware. One wouldn't connect such a
client directly to the internet, so neither should one connect it directly to
a network shared by millions of devices at 1700 stores.

~~~
bdunbar
> It's almost as if, at some size, a company's "internal" network should be
> considered no more secure than the internet itself.

Exactly this.

I realized this a few years ago, at a previous employer. We had _excellent_
security at the firewall boundary.

Inside the network gave me cause for concern. One could plug into any port,
in any building, get an IP address and ping anything on our network.

And how good was site security at a given location? Who knew, really.

When your server's security depends on J. Random Employee not allowing
tailgaters at the back door ... you got problems.

------
mikegioia
Wow, I'm more surprised that they had $100M "cyber" insurance.

~~~
patio11
So if I check my actual policy documents, it's described as a "Data Breach
Expense And Regulatory Defense Coverage rider to your Errors and Omissions
Policy." But hey, computers are involved, so the news media would probably
call that my cyberinsurance.

------
mdaniel
Is it common and responsible to name the source of the credential leak like
that? I can imagine that maybe other retailers would want to know that
information, but I can also imagine the investigation is continuing and thus
the opportunity exists for the story to become more complex.

~~~
brown9-2
Other retailers should be less concerned about whether they have done business
with _this vendor_ than they should be about letting any vendor have insecure
access to their network.

------
mathattack
This kind of reminds me of the original Wall Street movie, where Charlie Sheen
broke into companies via their cleaning service, and then stole inside
information.

------
benkillin
This is a non cached link that appears to still function:

[http://krebsonsecurity.com/2014/02/target-hackers-broke-in-v...](http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/#more-24698)

------
panarky
Edit: The article is back up now.

---

The article has disappeared. Here's the text of the first part of the post
from Google cache.

[http://webcache.googleusercontent.com/search?q=cache:mG2INOj...](http://webcache.googleusercontent.com/search?q=cache:mG2INOjNyFUJ:krebsonsecurity.com/+&cd=2&hl=en&ct=clnk&gl=us)

Feb 14 Target Hackers Broke in Via HVAC Company

Last week, Target told reporters at The Wall Street Journal and Reuters that
the initial intrusion into its systems was traced back to network credentials
that were stolen from a third party vendor. Sources now tell KrebsOnSecurity
that the vendor in question was a refrigeration, heating and air conditioning
subcontractor that has worked at a number of locations at Target and other top
retailers.

Sources close to the investigation said the attackers first broke into the
retailer’s network on Nov. 15, 2013 using network credentials stolen from
Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration
and HVAC systems.

Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his
company’s offices in connection with the Target investigation, but said he was
not present when the visit occurred. Fazio Vice President Daniel Mitsch
declined to answer questions about the visit. According to the company’s
homepage, Fazio Mechanical also has done refrigeration and HVAC projects for
specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in
Pennsylvania, Maryland, Ohio, Virginia and West Virginia.

Target spokeswoman Molly Snyder said the company had no additional information
to share, citing a “very active and ongoing investigation.”

It’s not immediately clear why Target would have given an HVAC company
external network access, or why that access would not be cordoned off from
Target’s payment system network. But according to a cybersecurity expert at a
large retailer who asked not to be named because he did not have permission to
speak on the record, it is common for large retail operations to have a team
that routinely monitors energy consumption and temperatures in stores to save
on costs (particularly at night) and to alert store managers if temperatures
in the stores fluctuate outside of an acceptable range that could prevent
customers from shopping at the store.

“To support this solution, vendors need to be able to remote into the system
in order to do maintenance (updates, patches, etc.) or to troubleshoot
glitches and connectivity issues with the software,” the source said. “This
feeds into the topic of cost savings, with so many solutions in a given
organization. And to save on head count, it is sometimes beneficial to allow a
vendor to support versus train or hire extra people.”


~~~
PhasmaFelis
It appears to be back up now. It returned right around 3:40PM EST.

------
benmarks
And, evidently, they've broken into Krebsonsecurity.com to delete this.

~~~
a3n
Go up one level in the URL.

------
blueskin_
This reminds me of the vulnerable Google HVAC last year.

------
dzhiurgis
Finally someone to blame...

