
(Krebs On Security)   Target hackers got in through the ventilation system, bypassed security that went from suck to blow   (krebsonsecurity.com)
    More: Followup, Target, HVAC, BJ's Wholesale Club, credit monitoring, Gartner Inc., default password, legal assistance, FTP  

8339 clicks; posted to Main » on 05 Feb 2014 at 10:11 PM (28 weeks ago)



74 Comments
 
2014-02-05 08:43:56 PM
It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.

It's not that the computer was on the same network - I'm venturing an educated guess that the HVAC monitoring server was in the same Windows domain as the rest of the servers at Target and not segmented off, because admins get farking lazy or Target just hired incompetents.  The HVAC company remote users probably had local admin on the monitoring server so they could "update their software." Once the hackers had an in they could monitor for the inevitable moment when another lazy admin with domain privileges logged in, likely to troubleshoot an issue for the HVAC guys, and then the free-for-all started.
 
2014-02-05 09:08:58 PM

Lsherm: It's not that the computer was on the same network - I'm venturing an educated guess that the HVAC monitoring server was in the same Windows domain as the rest of the servers at Target and not segmented off, because admins get farking lazy or Target just hired incompetents.  The HVAC company remote users probably had local admin on the monitoring server so they could "update their software." Once the hackers had an in they could monitor for the inevitable moment when another lazy admin with domain privileges logged in, likely to troubleshoot an issue for the HVAC guys, and then the free-for-all started.


I work for a company that installs these types of systems and I work on the software end of it. When I deal with IT people they are usually accommodating but many of them are "lazy" or have too much on their plate. I run into it a lot in the K-12 market. When I ask for remote access I also ask for a VPN. Schools usually give us a publicly accessible RDP connection and aren't real strict on user names and passwords.
 
2014-02-05 09:25:13 PM
[25.media.tumblr.com image]
 
2014-02-05 09:38:43 PM
...and was surrounded by assholes!
 
2014-02-05 09:59:46 PM
The Deus Ex games have taught me that even the toughest security can be bypassed via the ventilation system.
 
2014-02-05 10:13:25 PM

zamboni: ...and was surrounded by assholes!


[images3.wikia.nocookie.net image]
He's my cousin, sir!
 
2014-02-05 10:13:32 PM
I knew it was an inside job.
 
2014-02-05 10:16:25 PM
He's going down there.

/I wouldn't
 
2014-02-05 10:21:47 PM

Confabulat: The Deus Ex games have taught me that even the toughest security can be bypassed via the ventilation system.


Or Jeffries tubes
 
2014-02-05 10:24:18 PM
very cloak and dagger
 
2014-02-05 10:24:31 PM
I don't get it.   Say you get access to the payment network via your credential legitimately obtained by an HVAC contractor.  OK, fine.  You find some way to snoop/scoop up all traffic on the network.  OK, fine.  Makes sense, doesn't surprise me in the least.

But why on earth is that data you've scooped up not protected by strong encryption?  Is there another layer here not described in the article?  Were they pushing a new firmware to the actual card readers that they manipulated to send them plaintext?  If so, why didn't the anti-tampering measures I believed to be implemented at the hardware level in those devices work?
 
2014-02-05 10:24:32 PM
It's also a constant battle within the company. As an IT director, I get requests on my table all the time, just most recently "Oh we just installed this million dollar sugar grinding system, and we need you to give it access to connect to the ERP system, so we can have stock status." Never mind that maybe it could have been mentioned to me during the planning phase of the system, instead of when everything was already installed.

Last time I told the guy no, he went to the CEO and complained about me and said that I was causing the company to fail a third party audit...
 
2014-02-05 10:27:18 PM
[i1353.photobucket.com image]
Laverne's Dad opened a new business.
 
2014-02-05 10:28:42 PM
If only Frank Whaley and Jennifer Connelly were there to stop them.

[3.bp.blogspot.com image]
 
2014-02-05 10:29:20 PM
Fortunately, I used that foldy papery stuff instead of my credit card the last time I was at Target.
 
2014-02-05 10:30:52 PM

Pavia_Resistance: Lsherm: It's not that the computer was on the same network - I'm venturing an educated guess that the HVAC monitoring server was in the same Windows domain as the rest of the servers at Target and not segmented off, because admins get farking lazy or Target just hired incompetents.  The HVAC company remote users probably had local admin on the monitoring server so they could "update their software." Once the hackers had an in they could monitor for the inevitable moment when another lazy admin with domain privileges logged in, likely to troubleshoot an issue for the HVAC guys, and then the free-for-all started.

I work for a company that installs these types of systems and I work on the software end of it. When I deal with IT people they are usually accommodating but many of them are "lazy" or have too much on their plate. I run into it a lot in the K-12 market. When I ask for remote access I also ask for a VPN. Schools usually give us a publicly accessible RDP connection and aren't real strict on user names and passwords.


I've faced the other extreme of the problem.  Vendors wanting access to a Windows server to do maintenance and I said "Okay, fine let me set up a VPN for you".  Their reply was "WAHHHH! NO VPNS ARRRGH."  Well, okay, no maintenance.  Then the CEO called and ordered me to do a simple port-forwarded RDP session with "Admin" and a very guessable password.
 
2014-02-05 10:32:39 PM
"Our password is GUEST? Man, our security sucks!"
 
2014-02-05 10:35:50 PM

DarthBart: Then the CEO called and ordered me to do a simple port-forwarded RDP session with "Admin" and a very guessable password.


You know, this should have gone into the "CEOs deserve their pay!" thread we had today.
 
2014-02-05 10:36:14 PM

finnished: It's also a constant battle within the company. As an IT director, I get requests on my table all the time, just most recently "Oh we just installed this million dollar sugar grinding system, and we need you to give it access to connect to the ERP system, so we can have stock status." Never mind that maybe it could have been mentioned to me during the planning phase of the system, instead of when everything was already installed.

Last time I told the guy no, he went to the CEO and complained about me and said that I was causing the company to fail a third party audit...


I know Java updates like mad and almost nobody can keep up, but it is amazing how many "smart controllers" managing dumb devices like HVAC systems require things like local admin rights, Windows XP, Java 6 and IE8.

Why? Because they made their nut selling you the 6 figure hardware and installation.
 
2014-02-05 10:36:46 PM

finnished: It's also a constant battle within the company. As an IT director, I get requests on my table all the time, just most recently "Oh we just installed this million dollar sugar grinding system, and we need you to give it access to connect to the ERP system, so we can have stock status." Never mind that maybe it could have been mentioned to me during the planning phase of the system, instead of when everything was already installed.

Last time I told the guy no, he went to the CEO and complained about me and said that I was causing the company to fail a third party audit...


I used to get this a lot in the former global hotel company I worked for.

Except a little worse.  Here's one example.

F&B person: Hi, is this IT?  Oh, ok, we have the open table vendor people in here, and they want you to open xx port so they can remote access.

Me: er...did you at all follow any protocol, and why am I getting a call the day the vendor is here asking me to open ports on our network to the public internet?

F&B person: Well they told me they do this all the time and it's not a problem...

Me: Well, it certainly isn't my problem, here is the form your manager needs to fill out, which details the steps for allowing vendors into the properties, and here are the required IT documents, and the proper protocol for IT working with vendors, you can expect this to be remedied once we have decided we can accommodate them.

F&B person: But we wanted to start taking reservations tonight!


facepalm.

BTW each and every department head was WELL aware of IT policy.  Yet, they all seem to "forget".  Then it's up to IT to bust ass getting shiat done, so as to not "negatively affect revenue"  or, in the words of a self entitled hotel flunky: "Are you telling me that you're impeding me from doing my job?"
 
2014-02-05 10:39:24 PM

Pavia_Resistance: Lsherm: It's not that the computer was on the same network - I'm venturing an educated guess that the HVAC monitoring server was in the same Windows domain as the rest of the servers at Target and not segmented off, because admins get farking lazy or Target just hired incompetents.  The HVAC company remote users probably had local admin on the monitoring server so they could "update their software." Once the hackers had an in they could monitor for the inevitable moment when another lazy admin with domain privileges logged in, likely to troubleshoot an issue for the HVAC guys, and then the free-for-all started.

I work for a company that installs these types of systems and I work on the software end of it. When I deal with IT people they are usually accommodating but many of them are "lazy" or have too much on their plate. I run into it a lot in the K-12 market. When I ask for remote access I also ask for a VPN. Schools usually give us a publicly accessible RDP connection and aren't real strict on user names and passwords.


I have two system types I use: a virtual session to a locked down machine. That machine can only communicate with predefined IPs. No internet access. Access to that virtual session can only be achieved through two factor authentication.

The second is a VRF (non-routable to the internal network, traffic from those IPs is specifically dropped) vendor vlan. Firewall access only to specific IPs in the vendor VLAN.

Oh yeah, it's all logged by three different pieces of hardware.
 
2014-02-05 10:40:12 PM
[i.ytimg.com image]

"Out of order?!" - "Fark! Even in the future, nothing works!"
 
2014-02-05 10:44:33 PM

skiingfark: I don't get it.   Say you get access to the payment network via your credential legitimately obtained by an HVAC contractor.  OK, fine.  You find some way to snoop/scoop up all traffic on the network.  OK, fine.  Makes sense, doesn't surprise me in the least.

But why on earth is that data you've scooped up not protected by strong encryption?  Is there another layer here not described in the article?  Were they pushing a new firmware to the actual card readers that they manipulated to send them plaintext?  If so, why didn't the anti-tampering measures I believed to be implemented at the hardware level in those devices work?


Krebs said they pushed out software updates to the point of sale machines (the card readers) that sent the data to spot hubs around the world where it could be picked up.  If you get to the point where you can deploy software to the POS machines, then encryption is no longer a factor.  You've intercepted it before the encryption takes place.
 
2014-02-05 10:46:45 PM

tripleseven: finnished: It's also a constant battle within the company. As an IT director, I get requests on my table all the time, just most recently "Oh we just installed this million dollar sugar grinding system, and we need you to give it access to connect to the ERP system, so we can have stock status." Never mind that maybe it could have been mentioned to me during the planning phase of the system, instead of when everything was already installed.

Last time I told the guy no, he went to the CEO and complained about me and said that I was causing the company to fail a third party audit...

I used to get this a lot in the former global hotel company I worked for.

Except a little worse.  Here's one example.

F&B person: Hi, is this IT?  Oh, ok, we have the open table vendor people in here, and they want you to open xx port so they can remote access.

Me: er...did you at all follow any protocol, and why am I getting a call the day the vendor is here asking me to open ports on our network to the public internet?

F&B person: Well they told me they do this all the time and it's not a problem...

Me: Well, it certainly isn't my problem, here is the form your manager needs to fill out, which details the steps for allowing vendors into the properties, and here are the required IT documents, and the proper protocol for IT working with vendors, you can expect this to be remedied once we have decided we can accommodate them.

F&B person: But we wanted to start taking reservations tonight!


facepalm.

BTW each and every department head was WELL aware of IT policy.  Yet, they all seem to "forget".  Then it's up to IT to bust ass getting shiat done, so as to not "negatively affect revenue"  or, in the words of a self entitled hotel flunky: "Are you telling me that you're impeding me from doing my job?"


I install HVAC controls and I would love for once to get an IT manager to give me a form to fill out and a list of security practices. Of course most firms' IT department is "that guy we call when the computer breaks." Most of the time I just insist on a standalone DSL line for my equipment so I don't even touch their network, so I can't be blamed when something like this hack happens.
 
2014-02-05 10:51:12 PM

skiingfark: But why on earth is that data you've scooped up not protected by strong encryption?  Is there another layer here not described in the article?  Were they pushing a new firmware to the actual card readers that they manipulated to send them plaintext?  If so, why didn't the anti-tampering measures I believed to be implemented at the hardware level in those devices work?


One problem follows the next.  If the organization's front door network security is lazy or haphazard that organization probably isn't keen on internal security either.

I'm betting this data was probably in a format and storage area that would turn your hair white if you saw it.  Like it's in the local public share of the PC of "Janet From Marketing" who has a million CSV files with names, passwords, and credit card numbers row by row.

A major problem with security on a large scale is that "Janet From Marketing" isn't paid to give a frak about the security of this data, she's paid to get results from her department or station, and she's under immense pressure to do so.  Encryption or weird formats would just get in the way.
 
2014-02-05 10:52:31 PM

ElectromechanicalBrick: I install HVAC controls and I would love for once to get an IT manager to give me a form to fill out and a list of security practices. Of course most firms' IT department ...


The guy who installed ours, which is a whole climate control system controlling a dozen or so zones, with remote access, was surprised that I didn't just give it free access to the internet. At first he was kind of annoyed, because obviously things wouldn't work at first. I started with everything blocked, and then opened up services and ports to the outside world, as needed. Of course it took time.
 
2014-02-05 10:54:21 PM

ElectromechanicalBrick: tripleseven: finnished: It's also a constant battle within the company. As an IT director, I get requests on my table all the time, just most recently "Oh we just installed this million dollar sugar grinding system, and we need you to give it access to connect to the ERP system, so we can have stock status." Never mind that maybe it could have been mentioned to me during the planning phase of the system, instead of when everything was already installed.

Last time I told the guy no, he went to the CEO and complained about me and said that I was causing the company to fail a third party audit...

I used to get this a lot in the former global hotel company I worked for.

Except a little worse.  Here's one example.

F&B person: Hi, is this IT?  Oh, ok, we have the open table vendor people in here, and they want you to open xx port so they can remote access.

Me: er...did you at all follow any protocol, and why am I getting a call the day the vendor is here asking me to open ports on our network to the public internet?

F&B person: Well they told me they do this all the time and it's not a problem...

Me: Well, it certainly isn't my problem, here is the form your manager needs to fill out, which details the steps for allowing vendors into the properties, and here are the required IT documents, and the proper protocol for IT working with vendors, you can expect this to be remedied once we have decided we can accommodate them.

F&B person: But we wanted to start taking reservations tonight!


facepalm.

BTW each and every department head was WELL aware of IT policy.  Yet, they all seem to "forget".  Then it's up to IT to bust ass getting shiat done, so as to not "negatively affect revenue"  or, in the words of a self entitled hotel flunky: "Are you telling me that you're impeding me from doing my job?"

I install HVAC controls and I would love for once to get an IT manager to give me a form to fill out and a list of security practices. Of course most firms' IT department ...


I guess that would depend on the client.  Yes, I actually work for an IT outsourcing company now where I am that "IT guy who shows up when things break".  Even thus, I try (as best as I can, it's a little hard when you're a vendor yourself) to instill into these companies any sort of IT policy.  So, I can understand.  I always tell my clients, "Use me as your technology advocate, it's what you pay us for".  Some do, some don't.

However, at aforementioned half a billion dollar a year in revenue hotel company, there were hard set IT policies, that pretty much everyone at the property level ignored.

We had a GM, who let a farking guest use their workstation (while logged in as the GM) to check their e-mail.

When that particular ball of shiat hit the fan, the GM's response was "well, the business center PC's were down, and I will always take care of my guests"

Yeah, that was a tough and touchy conversation to have.
 
2014-02-05 10:58:27 PM

lasercannon: If only Frank Whaley and Jennifer Connelly were there to stop them.

[3.bp.blogspot.com image 596x253]


My god I forgot how hot she was in that movie...
 
2014-02-05 10:59:49 PM

tripleseven: finnished: It's also a constant battle within the company. As an IT director, I get requests on my table all the time, just most recently "Oh we just installed this million dollar sugar grinding system, and we need you to give it access to connect to the ERP system, so we can have stock status." Never mind that maybe it could have been mentioned to me during the planning phase of the system, instead of when everything was already installed.

Last time I told the guy no, he went to the CEO and complained about me and said that I was causing the company to fail a third party audit...

I used to get this a lot in the former global hotel company I worked for.

Except a little worse.  Here's one example.

F&B person: Hi, is this IT?  Oh, ok, we have the open table vendor people in here, and they want you to open xx port so they can remote access.

Me: er...did you at all follow any protocol, and why am I getting a call the day the vendor is here asking me to open ports on our network to the public internet?

F&B person: Well they told me they do this all the time and it's not a problem...

Me: Well, it certainly isn't my problem, here is the form your manager needs to fill out, which details the steps for allowing vendors into the properties, and here are the required IT documents, and the proper protocol for IT working with vendors, you can expect this to be remedied once we have decided we can accommodate them.

F&B person: But we wanted to start taking reservations tonight!


facepalm.

BTW each and every department head was WELL aware of IT policy.  Yet, they all seem to "forget".  Then it's up to IT to bust ass getting shiat done, so as to not "negatively affect revenue"  or, in the words of a self entitled hotel flunky: "Are you telling me that you're impeding me from doing my job?"


I always say: 'My job is to make your job possible while keeping us out of the news.'

Set up a vendor VRF, specifically block access to your internal network. Use multiple firewalls to log and control access (drop everything from Vendor that even wanders over in the general direction of your network) overall. Don't forget to set up your logging, at least one in a separate network range and AD tree.

Juniper has an ok VPN right now. Don't forget the two-factor auth, (PhoneFactor is reasonably popular) and DMVPN might not be a terrible thing. Best of all using DOT1X and a Cisco WLC you can use certificate authorities to control access while using a separate pipe off the router for guest. They can't even see the multiple networks. Still recommend keeping vendor separate from guest.

ISE (Cisco Identity Services Engine) allows device profiling and will actively kick anything it doesn't 'know' off the network. ISE isn't perfect but it'll stop 98% of idiots when set up properly. The fun thing is that it can usually tell when somebody tries to clone MAC addresses, example would be cloning wireless device MACs.

Of course these are blanket suggestions, not tailored to your environment at all. Good starting points, but your bosses have to be willing to put in the money in training and man hours to get it up and running properly.

That's the stickler. The last place I helped set up had dual DCs, dual UCS chassis running ISE in each, full certificate authority with TACACS+, RADIUS, DOT1X, mixed firewalls, and more. Much of it was upgrades to what they had, and boyo, it was a pretty penny by the time the bill came due. Oh and it took just shy of 2 years to get it all set up. The training alone took six months to complete.
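The vendor VRF, "drop everything that wanders toward your network" firewall rules and separate logging described in this post (and the locked-down vendor VLAN a few comments up) only pay off if someone actually checks what the firewalls logged. The following is an added example, not code from the thread or from any of the posters: a small Go checker that reads constructed firewall log lines and flags every vendor-segment flow that reached internal address space without being on the allow list, separating dropped attempts (lateral movement worth alerting on) from accepted ones (holes in the rule set itself). The address ranges, the HVAC monitoring server address, the key=value log format and the sample lines are all assumptions made up for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Flow is one connection record as a firewall would log it.
type Flow struct {
	Src, Dst netip.Addr
	DPort    int
	Action   string
}

// Policy describes the vendor VRF rule: vendor hosts may reach only the
// listed internal destinations; everything else toward internal space is a
// violation, whether the firewall accepted it or dropped it.
type Policy struct {
	VendorNet    netip.Prefix
	InternalNets []netip.Prefix
	Allowed      map[netip.Addr]bool
}

// Constructed sample log lines (hypothetical addresses, key=value syslog style).
const sampleLog = `2014-02-05T22:40:12Z fw1 src=10.250.1.17 dst=10.10.5.40 dport=443 action=ACCEPT
2014-02-05T22:41:03Z fw1 src=10.250.1.17 dst=10.10.0.10 dport=445 action=DROP
2014-02-05T22:41:09Z fw1 src=10.250.1.17 dst=10.20.3.7 dport=3389 action=ACCEPT
2014-02-05T22:42:30Z fw1 src=10.250.1.17 dst=198.51.100.9 dport=443 action=ACCEPT
2014-02-05T22:43:00Z fw1 src=10.10.0.10 dst=10.20.3.7 dport=445 action=ACCEPT
this line is garbage and must be skipped`

// DefaultPolicy uses hypothetical ranges: 10.250/16 is the vendor VRF,
// 10.10/16 corporate servers, 10.20/16 the store/POS segment.
func DefaultPolicy() Policy {
	return Policy{
		VendorNet: netip.MustParsePrefix("10.250.0.0/16"),
		InternalNets: []netip.Prefix{
			netip.MustParsePrefix("10.10.0.0/16"),
			netip.MustParsePrefix("10.20.0.0/16"),
		},
		Allowed: map[netip.Addr]bool{
			netip.MustParseAddr("10.10.5.40"): true, // hypothetical HVAC monitoring server
		},
	}
}

// ParseLine extracts src/dst/dport/action; malformed records are rejected
// rather than silently treated as harmless.
func ParseLine(line string) (Flow, error) {
	var f Flow
	seen := 0
	for _, tok := range strings.Fields(line) {
		k, v, ok := strings.Cut(tok, "=")
		if !ok {
			continue
		}
		var err error
		switch k {
		case "src":
			f.Src, err = netip.ParseAddr(v)
		case "dst":
			f.Dst, err = netip.ParseAddr(v)
		case "dport":
			f.DPort, err = strconv.Atoi(v)
		case "action":
			f.Action = v
		default:
			continue
		}
		if err != nil {
			return Flow{}, err
		}
		seen++
	}
	if seen != 4 {
		return Flow{}, fmt.Errorf("incomplete record: %q", line)
	}
	return f, nil
}

func (p Policy) isInternal(a netip.Addr) bool {
	for _, n := range p.InternalNets {
		if n.Contains(a) {
			return true
		}
	}
	return false
}

// Violations returns one finding per vendor-to-internal flow that is not on
// the allow list. Dropped flows are reported as attempted lateral movement;
// accepted flows are reported as holes in the firewall policy itself.
func Violations(p Policy, logText string) []string {
	var out []string
	for _, line := range strings.Split(logText, "\n") {
		f, err := ParseLine(line)
		if err != nil {
			continue
		}
		if !p.VendorNet.Contains(f.Src) || !p.isInternal(f.Dst) || p.Allowed[f.Dst] {
			continue
		}
		kind := "BLOCKED lateral attempt"
		if f.Action == "ACCEPT" {
			kind = "POLICY HOLE (accepted)"
		}
		out = append(out, fmt.Sprintf("%s: %s -> %s:%d", kind, f.Src, f.Dst, f.DPort))
	}
	return out
}

func main() {
	for _, v := range Violations(DefaultPolicy(), sampleLog) {
		fmt.Println(v)
	}
}
```

On the sample input the checker reports the dropped SMB attempt against a corporate host and the accepted RDP session into the POS segment; the allowed HVAC server connection, the vendor's outbound internet traffic and the corporate-to-store flow are ignored. The accepted finding is the one to treat as urgent: it means the segmentation the thread describes is not actually enforced.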
 
2014-02-05 11:00:38 PM

bighairyguy: Fortunately, I used that foldy papery stuff instead of my credit card the last time I was at Target.


"Foldy papery stuff?"  You mean napkins?
 
2014-02-05 11:13:22 PM

italie: lasercannon: If only Frank Whaley and Jennifer Connelly were there to stop them.

[3.bp.blogspot.com image 596x253]

My god I forgot how hot she was in that movie...




You would probably enjoy the movie she made right after that one...The Hot Spot.

[3.bp.blogspot.com image]
 
2014-02-05 11:15:20 PM
I'm not saying that there's a certain, large retail store that stores credit card transactions on their registers all day long and uploads them at night.

I'm also not saying that those transactions are encrypted with a password that changes daily.

And I'm CERTAINLY not saying that one of the developers gave me a spreadsheet with the daily passwords just so I wouldn't have to bug him every time one of the registers went tits up.

Because if someone DID have information like that, they could do something like this.

/Why, yes, the developer WAS located in India, why do you ask?
//He didn't even bother to password protect the spreadsheet either...it's like they WANT access to our financials...
 
2014-02-05 11:16:26 PM

inglixthemad: I always say: 'My job is to make your job possible while keeping us out of the news.'

Set up a vendor VRF, specifically block access to your internal network. Use multiple firewalls to log and control access (drop everything from Vendor that even wanders over in the general direction of your network) overall. Don't forget to set up your logging, at least one in a separate network range and AD tree.

Juniper has an ok VPN right now. Don't forget the two-factor auth, (PhoneFactor is reasonably popular) and DMVPN might not be a terrible thing. Best of all using DOT1X and a Cisco WLC you can use certificate authorities to control access while using a separate pipe off the router for guest. They can't even see the multiple networks. Still recommend keeping vendor separate from guest.

ISE (Cisco Identity Services Engine) allows device profiling and will actively kick anything it doesn't 'know' off the network. ISE isn't perfect but it'll stop 98% of idiots when set up properly. The fun thing is that it can usually tell when somebody tries to clone MAC addresses, example would be cloning wireless device MACs.

Of course these are blanket suggestions, not tailored to your environment at all. Good starting points, but your bosses have to be willing to put in the money in training and man hours to get it up and running properly.

That's the stickler. The last place I helped set up had dual DCs, dual UCS chassis running ISE in each, full certificate authority with TACACS+, RADIUS, DOT1X, mixed firewalls, and more. Much of it was upgrades to what they had, and boyo, it was a pretty penny by the time the bill came due. Oh and it took just shy of 2 years to get it all set up. The training alone took six months to complete.


Sounds great, but the business really wants to know how we do all that without spending money or replacing the 10 year old equipment that is working just fine.  Also, when you implement this on the existing equipment, it should not entail any extra labor hours beyond the normal 40 hours that is already allotted.  Also, we need to exempt the top level executives from any changes at all in the way they authenticate because they just really learned the current system and you can trust them to keep the data safe anyway.
 
2014-02-05 11:18:45 PM

inglixthemad: stuff



This thread is enlightening. I just finished my AAS and will be looking for a job, and I didn't realize how utterly lax most companies are with this stuff since I come from a military background mostly. I'll be keeping some of these comments in mind...

Also 'Janet from Marketing' should never ever ever have more information than a name and basic contact info, from what I was taught. My database professor would go through the roof...
 
2014-02-05 11:28:05 PM

wingnut396: Sounds great, but the business really wants to know how we do all that without spending money or replacing the 10 year old equipment that is working just fine.  Also, when you implement this on the existing equipment, it should not entail any extra labor hours beyond the normal 40 hours that is already allotted.  Also, we need to exempt the top level executives from any changes at all in the way they authenticate because they just really learned the current system and you can trust them to keep the data safe anyway.


The last company I did contract work for took the exact opposite approach. Security, security, security. If they locked a CEO or VP out of a share, well then guess what those CEOs/VPs get to do? Fill out network access requests and wait for approval just like everyone else.

It was so refreshing to see a security team actually do SECURITY and refuse to bend to inter-office politics.

Of course, it sucked when the engineering team got locked out, but hey - we got paid by the hour, so go ahead...make me unproductive for a couple days. My rent still gets paid. :)
 
2014-02-05 11:31:05 PM

wingnut396: inglixthemad: I always say: 'My job is to make your job possible while keeping us out of the news.'

Set up a vendor VRF, specifically block access to your internal network. Use multiple firewalls to log and control access (drop everything from Vendor that even wanders over in the general direction of your network) overall. Don't forget to set up your logging, at least one in a separate network range and AD tree.

Juniper has an ok VPN right now. Don't forget the two-factor auth, (PhoneFactor is reasonably popular) and DMVPN might not be a terrible thing. Best of all using DOT1X and a Cisco WLC you can use certificate authorities to control access while using a separate pipe off the router for guest. They can't even see the multiple networks. Still recommend keeping vendor separate from guest.

ISE (Cisco Identity Services Engine) allows device profiling and will actively kick anything it doesn't 'know' off the network. ISE isn't perfect but it'll stop 98% of idiots when set up properly. The fun thing is that it can usually tell when somebody tries to clone MAC addresses, example would be cloning wireless device MACs.

Of course these are blanket suggestions, not tailored to your environment at all. Good starting points, but your bosses have to be willing to put in the money in training and man hours to get it up and running properly.

That's the stickler. The last place I helped set up had dual DCs, dual UCS chassis running ISE in each, full certificate authority with TACACS+, RADIUS, DOT1X, mixed firewalls, and more. Much of it was upgrades to what they had, and boyo, it was a pretty penny by the time the bill came due. Oh and it took just shy of 2 years to get it all set up. The training alone took six months to complete.

Sounds great, but the business really wants to know how we do all that without spending money or replacing the 10 year old equipment that is working just fine.  Also, when you implement this on the existing equipment, it should not entail any extra labor hours beyond the normal 40 hours that is already allotted.  Also, we need to exempt the top level executives from any changes at all in the way they authenticate because they just really learned the current system and you can trust them to keep the data safe anyway.


I won't work in that environment. You hire me to do security, you tell me how secure you want it. I tell you how much it costs and how many standards it meets. The above meets DoD and HIPAA requirements when set up properly. We also don't exempt anyone, but PhoneFactor isn't a big deal for two-factor auth.

Sure, you can do cheaper. How much of a chance do you want to take that your company will be in the news like Target? There are no shortcuts in security. There are levels of risk, because even the best security can be defeated.
 
2014-02-05 11:44:22 PM

ladyfortuna: inglixthemad: stuff


This thread is enlightening. I just finished my AAS and will be looking for a job, and I didn't realize how utterly lax most companies are with this stuff since I come from a military background mostly. I'll be keeping some of these comments in mind...

Also 'Janet from Marketing' should never ever ever have more information than a name and basic contact info, from what I was taught. My database professor would go through the roof...


I deal with a lot of insurers and military contractors. Usually it's a matter of updating, but I had to do a whole reorg one time. Anyway, if you're in networking:

My suggestion: Paid Internship at a larger company. Get a sense of scale! A multinational company that has a large network and experienced people. Look for a place that won't pigeonhole you (you're stuck doing one of the following: layer 2, layer 3, F5 VIPs, you handle the 7K's, et al.) but will give you some breadth. Your job is to help multiple groups.

Oh, and CCNA R&S, CCNA+Security, and CCNA Wireless to start. Not because it's so important to your learning, but it'll get you a good leg up when the stupid robot 'reads' your resume.
 
2014-02-06 12:03:52 AM

Lsherm: skiingfark: I don't get it.   Say you get access to the payment network via your credential legitimately obtained by an HVAC contractor.  OK, fine.  You find some way to snoop/scoop up all traffic on the network.  OK, fine.  Makes sense, doesn't surprise me in the least.

But why on earth is that data you've scooped up not protected by strong encryption?  Is there another layer here not described in the article?  Were they pushing a new firmware to the actual card readers that they manipulated to send them plaintext?  If so, why didn't the anti-tampering measures I believed to be implemented at the hardware level in those devices work?

Krebs said they pushed out software updates to the point of sale machines (the card readers) that sent the data to spot hubs around the world where it could be picked up.  If you get to the point where you can deploy software to the POS machines, then encryption is no longer a factor.  You've intercepted it before the encryption takes place.


Not necessarily.  There are units like these:
http://www.magtek.com/V2/products/secure-card-reader-authenticators/magnesafe-mini.asp

They encrypt the card in the reader hardware so the POS box only gets the encrypted stream off the card.  The card reader only has the public key and you store the private key only on the receiver server end.  Not perfect but lowers the attack footprint significantly.
 
2014-02-06 12:07:44 AM

baorao: finnished: It's also a constant battle within the company. As an IT director, I get requests on my table all the time, just most recently "Oh we just installed this million dollar sugar grinding system, and we need you to give it access to connect to the ERP system, so we can have stock status." Never mind that maybe it could have been mentioned to me during the planning phase of the system, instead of when everything was already installed.

Last time I told the guy no, he went to the CEO and complained about me and said that I was causing the company to fail a third party audit...

I know Java updates like mad and almost nobody can keep up, but it is amazing how many "smart controllers" managing dumb devices like HVAC systems require things like local admin rights, Windows XP, Java 6 and IE8.

Why? Because they made their nut selling you the 6 figure hardware and installation.


Not only that....go into any big box store and ask "why is it so farking hot in your store? It's 103 outside?" An answer I often get (and the same in reverse if it's -2F outside) is "Our corporate office controls the temp remotely." Thanks hon, you already gave out how your networks operate. Just doing your job, right? People give out WAY too much information on anything.
 
2014-02-06 12:09:11 AM

ladyfortuna: Also 'Janet from Marketing' should never ever ever have more information than a name and basic contact info, from what I was taught. My database professor would go through the roof...


In the classroom, reality is dictated by your professor, a professional with more education and experience in the field than the entire IT staff of many small to medium-sized companies.

In a corporation, reality is dictated by your CEO, directors, and other middle-managers whose sole IT experience is playing Farmville, who think "security" is replacing the letter o with zero in "passw0rd", and who know that if you don't cooperate with their idiotic demands, there's a long line of lazy IT guys waiting at the door who would be more than happy to send the entire financial database in Excel format, unencrypted, to their personal Gmail address, which is also used by their spouse and teenage children.

/I refused
//I was fired, she wasn't
///Same company ended up in the news six months later due to "hackers" stealing thousands of credit card numbers...
 
2014-02-06 12:12:42 AM

Confabulat: The Deus Ex games have taught me that even the toughest security can be bypassed via the ventilation system.


Sam Fisher and Gordon Freeman look on approvingly.
 
2014-02-06 12:26:29 AM
I skimmed the posts and didn't see anyone sticking up for the network or OS guys so I'll postulate on their behalf: just last Q1 they submitted a detailed plan to fully segregate retail operations and data but were turned down by their evil, smelly boss so that the company could save exactly $5.
 
2014-02-06 12:39:22 AM

morg: I skimmed the posts and didn't see anyone sticking up for the network or OS guys so I'll postulate on their behalf: just last Q1 they submitted a detailed plan to fully segregate retail operations and data but were turned down by their evil, smelly boss so that the company could save exactly $5.


Didn't blame 'em but I won't exonerate them either.

You don't need a ton of hardware to set up a good VRF that'll stop 99% of thieves. A vendor should be cut off from your machines, completely. Did the upper levels give them the support they needed? Probably not.

The trick is I'm not in the shop to say which group was the lazy douchebags.
 
2014-02-06 12:45:24 AM

MrPleasant: Not necessarily.  There are units like these:
http://www.magtek.com/V2/products/secure-card-reader-authenticators/magnesafe-mini.asp

They encrypt the card in the reader hardware so the POS box only gets the encrypted stream off the card.  The card reader only has the public key and you store the private key only on the receiver server end.  Not perfect but lowers the attack footprint significantly.


Given the breadth of the Target breach, do you think they were using those?
 
2014-02-06 01:08:06 AM

tripleseven: "Are you telling me that you're impeding me from doing my job?"


No, I'm telling you that you failed to do your job.

/Sorry, but a lack of planning on your part does not constitute an emergency on mine.
 
2014-02-06 01:15:02 AM

SteakMan: tripleseven: "Are you telling me that you're impeding me from doing my job?"

No, I'm telling you that you failed to do your job.

/Sorry, but a lack of planning on your part does not constitute an emergency on mine.


Not sure if trolling....

I suppose you failed to read my entire post.
 
2014-02-06 01:17:46 AM

tripleseven: SteakMan: tripleseven: "Are you telling me that you're impeding me from doing my job?"

No, I'm telling you that you failed to do your job.

/Sorry, but a lack of planning on your part does not constitute an emergency on mine.

Not sure if trolling....

I suppose you failed to read my entire post.


Not at all, that's how I would have responded to the douche :)
 
2014-02-06 01:19:12 AM

zamboni: ...and was surrounded by assholes!


www.albinoblacksheep.com
 
2014-02-06 01:27:25 AM

SteakMan: tripleseven: SteakMan: tripleseven: "Are you telling me that you're impeding me from doing my job?"

No, I'm telling you that you failed to do your job.

/Sorry, but a lack of planning on your part does not constitute an emergency on mine.

Not sure if trolling....

I suppose you failed to read my entire post.

Not at all, that's how I would have responded to the douche :)


nice.
 
2014-02-06 01:28:42 AM
FTFA: upgrading the retailer's systems to handle chip-and-PIN could cost $100 million.

If this malware got the unencrypted info by scraping RAM, I imagine that CaP might not have helped.

/I don't know much about CaP
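Two comments in this thread touch the same design point: MrPleasant's note that an encrypting card reader hands the POS only ciphertext (the reader holds a public key, the receiving server holds the private key), and the comment above that chip-and-PIN would not have helped if the malware scraped plaintext out of POS memory. The added example below is not from the thread or from any vendor's product; it is a small Go model of that reader-side encryption. It assumes RSA-OAEP as a stand-in for whatever key management a real encrypting reader uses, a constructed track-2 string built around a well-known test PAN, and a `ContainsPAN` check that plays the part of a memory scraper looking for a 13-19 digit run in whatever the POS process holds.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"regexp"
)

// Constructed sample track-2 data for this example only (not a real card; the PAN
// is a widely used test number). A real swipe carries PAN, expiry and service code.
const sampleTrack2 = ";4111111111111111=25121010000000000000?"

// oaepLabel binds the ciphertext to its purpose; both sides must use the same label.
var oaepLabel = []byte("track2")

// Receiver models the back-end server that alone holds the private key.
type Receiver struct {
	priv *rsa.PrivateKey
}

// NewReceiver generates the server key pair. Only the public half is ever
// provisioned into the reader hardware.
func NewReceiver() (*Receiver, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Receiver{priv: priv}, nil
}

// PublicKey is what gets loaded into the encrypting read head.
func (r *Receiver) PublicKey() *rsa.PublicKey {
	return &r.priv.PublicKey
}

// ReaderEncrypt models the encrypting reader: track data is sealed inside the
// read head with the public key, so the bytes handed to the POS are ciphertext.
// The POS, and any malware resident on it, never sees the plaintext track.
func ReaderEncrypt(pub *rsa.PublicKey, track []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, track, oaepLabel)
}

// Decrypt runs on the receiver end, the only place the private key exists.
func (r *Receiver) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, ciphertext, oaepLabel)
}

// panPattern is the kind of signature a RAM scraper hunts for: a run of 13 to 19
// ASCII digits. It is used here defensively, to confirm that a buffer the POS
// handles does not contain anything that looks like a card number.
var panPattern = regexp.MustCompile(`[0-9]{13,19}`)

// ContainsPAN reports whether buf holds a PAN-shaped digit run.
func ContainsPAN(buf []byte) bool {
	return panPattern.Match(buf)
}

func main() {
	receiver, err := NewReceiver()
	if err != nil {
		panic(err)
	}
	// What the POS would hold with a plain reader versus an encrypting one.
	plain := []byte(sampleTrack2)
	sealed, err := ReaderEncrypt(receiver.PublicKey(), plain)
	if err != nil {
		panic(err)
	}
	fmt.Println("plain reader, PAN visible to POS memory:", ContainsPAN(plain))
	fmt.Println("encrypting reader, PAN visible to POS memory:", ContainsPAN(sealed))

	// Only the receiver can recover the track.
	recovered, err := receiver.Decrypt(sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("receiver recovered track intact:", string(recovered) == sampleTrack2)
}
```

The point the model makes is the one MrPleasant raised: pushing malicious software to the POS still gives the attacker nothing usable when the plaintext never exists on that box, whereas any scheme that decrypts or handles the track on the POS (chip-and-PIN included, if the terminal exposes the PAN to the POS application) leaves a window for memory scraping. RSA-OAEP with a 2048-bit key can seal up to 190 bytes, more than enough for a track-2 string; a production reader would use its own key management and not a raw RSA operation per swipe.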
 
Displayed 50 of 74 comments