
(Washington Post) Target CEO resigns in order to spend more time with his disgrace (washingtonpost.com)
    More: Obvious, Target CEO, CEO, Target, Brian Sozzi, CEO resigns, CEO Gregg Steinhafel, breaching experiment, fallout  

5553 clicks; posted to Business on 05 May 2014 at 1:13 PM (19 weeks ago)



70 Comments
 
2014-05-05 11:47:43 AM
Well, Bye.
 
2014-05-05 11:50:27 AM
They're opening a new Target by me.

No, this is not exciting news considering most new commercial construction is either a bank, a chain store or a damn Chick-fil-A.
 
2014-05-05 12:08:32 PM
I guess that means he's....


.... way off the target.


YEAHHHHHHHHHHHHHHHHHHHHHHHHHHHHhh
 
2014-05-05 12:28:55 PM

DanZero: I guess that means he's....


.... way off the target.


YEAHHHHHHHHHHHHHHHHHHHHHHHHHHHHhh



it's funny because it's Tommy Lee Jones looking over his glasses and not David Caruso
 
2014-05-05 12:55:34 PM
Finally, a headline that tells the truth.
 
2014-05-05 01:02:45 PM
Please don't upvote accurate headlines. We have a culture around here that needs protectin'
 
2014-05-05 01:17:59 PM
Well played, Subby.
 
2014-05-05 01:18:04 PM
Hmm, looks like they're going external for CEO candidates.  I wonder how that will shake up the other C-level folks.
 
2014-05-05 01:21:31 PM
That's what he gets for being born feet first.
 
2014-05-05 01:24:33 PM

uncleacid: That's what he gets for being born feet first.


But it was all so simple then.
 
2014-05-05 01:25:30 PM
Figured he'd be out in less than a year
 
2014-05-05 01:26:31 PM
Do they actually know how this happened/continues happening? The breaches, not the CEOs resigning. I have seen several speculations, but nothing definitive.
 
2014-05-05 01:29:07 PM
Target CEO resigns in order to spend more time with his disgrace $9,262,907.
 
2014-05-05 01:30:25 PM
My closest family member (can't name) who is one of the top ten people in the world for IT security (from way back in the days of Project Athena) regularly curses CEOs and Boards for how little they're willing to budget or invest in any kind of security relative to networks, hardware, software, etc.

Tales told me are .. scary. Basically, Steinhafel is the norm, not the exception and we're all fooked.
 
2014-05-05 01:32:54 PM
hey guys, this is the highest level employee at target to resign so far.

Grade A journalism right there.
 
2014-05-05 01:33:08 PM
Target CEO resigns in order to spend more time with his disgrace disguise.
 
2014-05-05 01:33:45 PM
"A lot of people think the most important skill set of a CEO is hiring competent executives."
 
2014-05-05 01:35:26 PM

Ivo Shandor: Target CEO resigns in order to spend more time with his disgrace $9,262,907.


There we go.  Make a mess, get a huge bonus.  Oh, the life of a downtrodden CEO.
 
2014-05-05 01:35:54 PM
They could have a data breach everyday which includes my personal information and I would still shop there over walmart.
 
2014-05-05 01:37:14 PM

Ivo Shandor: Target CEO resigns in order to spend more time with his disgrace $9,262,907.


He would have made more if he was fired.

How is that right?
 
2014-05-05 01:38:42 PM

DarkVader: Ivo Shandor: Target CEO resigns in order to spend more time with his disgrace $9,262,907.

There we go.  Make a mess, get a huge bonus.  Oh, the life of a downtrodden CEO.


You should read shareholders' agreements.  Many have clauses such as

"If an executive resigns or is fired from their position, they will have $x given to them as compensation".

Ha ha ha ha ha!
 
2014-05-05 01:40:33 PM
hammettman: Target CEO resigns in order to spend more time with his disgrace disguise.


Well, duh.
 
2014-05-05 01:42:31 PM

Jclark666: "A lot of people think the most important skill set of a CEO is hiring competent executives."


It's one of the many skills.  In this case he kept the old executives.  The former CIO was there for decades and essentially had a revolving door policy for InfoSec people.
 
2014-05-05 01:45:13 PM

roc6783: Do they actually know how this happened/continues happening? The breaches, not the CEOs resigning. I have seen several speculations, but nothing definitive.


In Target's case, looks like it was through a remote connection for HVAC control that was tied to the point of sale systems.  Essentially, just enough access to drop a targeted virus on the cash registers, and grab the card info as it's scanned.

It's really hard to prevent something like this, given that the POS systems have to be interconnected, and have to have a hole somewhere that gets to the internet - and yes, they have to for the level of functionality they wanted.  You can't run a web operation and tie in-store purchases to web accounts if you don't have some sort of link.
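What "grab the card info as it's scanned" looks like in practice, as an added example that is not part of the original thread and not code from Target or from any malware sample: POS memory-scraping malware searches process memory for magnetic-stripe Track 2 records, and the same pattern, plus a Luhn check to drop false positives, is what a defender runs over a memory dump, a staged exfiltration file or a network capture to confirm card data is being harvested. The Track 2 layout is the ISO 7813 one; the regex, the sample buffer and the public test PANs in it are constructed for illustration.

```python
import re

# ISO 7813 Track 2 as it sits in reader output and POS process memory (assumed layout):
#   ;<PAN 13-19 digits>=<YY><MM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check-digit test; a random digit run passes it only one time in ten."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four, the way a receipt is allowed to show a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Find Track 2 records in a byte buffer (memory dump, dump file, packet payload).

    Returns one dict per plausible record. PANs are masked so that the scanner's
    own report is not a second copy of the card data.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        yy, mm, svc = m.group(2).decode(), m.group(3).decode(), m.group(4).decode()
        # Luhn failure or an impossible month: almost certainly not a real card.
        if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{mm}/{yy}",
            "service_code": svc,
        })
    return hits


# Constructed sample of register memory: two records built from public test PANs
# and one decoy that has the right shape but fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00POS v4.2 txn buffer\x00"
    b";4111111111111111=25121010000000000000?\x00"
    b";1234567890123456=26011010000000000000?\x00"
    b"lane=07 total=42.17\x00"
    b";5500000000000004=27061010000000000000?"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

Running it over the sample reports the two valid records and skips the decoy. The same function pointed at a suspicious file on an internal share is a quick way to tell whether the staged data an attacker is accumulating is card data at all.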
 
2014-05-05 02:00:30 PM
I'd still rather deal with target than Walmart.
 
2014-05-05 02:03:26 PM

roc6783: Do they actually know how this happened/continues happening? The breaches, not the CEOs resigning. I have seen several speculations, but nothing definitive.


Cost Based Accounting.  IT/IT Security do not bring cash into the company, so they are listed as costs, and departments are ranked according to how much money they "make" compared to other departments. IT then charges other departments for their services, but there is no "customer" to charge when you want to upgrade the company's security.

So not only did this happen in the past, but it won't stop until the "brains" behind American business realize that putting a dollar value on everything the company does is just plain stupid.
 
2014-05-05 02:07:50 PM

DarkVader: roc6783: Do they actually know how this happened/continues happening? The breaches, not the CEOs resigning. I have seen several speculations, but nothing definitive.

In Target's case, looks like it was through a remote connection for HVAC control that was tied to the point of sale systems.  Essentially, just enough access to drop a targeted virus on the cash registers, and grab the card info as it's scanned.

It's really hard to prevent something like this, given that the POS systems have to be interconnected, and have to have a hole somewhere that gets to the internet - and yes, they have to for the level of functionality they wanted.  You can't run a web operation and tie in-store purchases to web accounts if you don't have some sort of link.


No, it's not really hard. HVAC has no business whatsoever being on a network (VLAN or subnet) that talks to the POS, the POS should have extremely limited incoming holes punched for pushing updates, and the inventory servers should be talking through application gateways.
 
2014-05-05 02:10:37 PM

Clemkadidlefark: My closest family member (can't name) who is one of the top ten people in the world for IT security (from way back in the days of Project Athena) regularly curses CEOs and Boards for how little they're willing to Budget or Invest in any kind of Security relative to Networks, hardware, software, etc.

Tales told me are .. scary. Basically, Steinhafel is the norm, not the exception and we're all fooked.


I'm guessing you've already said enough that anyone really knowledgeable about the IT security community knows exactly who you're talking about.

Hint: any time you talk about someone in the top 10 of any important field or subculture, you've identified that person.  Each of those worlds is too small and it only takes a couple of details, like what project their history extends back to and that they have a regular habit of badmouthing company heads.

/I know a world I can't name in a certain planetary system, but I can tell we will attempt no landing on it.  Any other world, yes, but land on this one and we're all fooked.
 
2014-05-05 02:12:41 PM
I left Target corporate about a year before the breach.  That place has been a farking mess for years.
 
2014-05-05 02:21:19 PM
Data ... prepare to be breached.

 
2014-05-05 02:21:31 PM
I wonder how many millions this poor bastard had to settle for.
 
2014-05-05 02:22:37 PM

DarkVader: roc6783: Do they actually know how this happened/continues happening? The breaches, not the CEOs resigning. I have seen several speculations, but nothing definitive.

In Target's case, looks like it was through a remote connection for HVAC control that was tied to the point of sale systems.  Essentially, just enough access to drop a targeted virus on the cash registers, and grab the card info as it's scanned.

It's really hard to prevent something like this, given that the POS systems have to be interconnected, and have to have a hole somewhere that gets to the internet - and yes, they have to for the level of functionality they wanted.  You can't run a web operation and tie in-store purchases to web accounts if you don't have some sort of link.


Maybe in some alternate universe where firewalls, vlans, and proxies don't exist.
 
2014-05-05 02:30:49 PM

brimed03: Clemkadidlefark: My closest family member (can't name) who is one of the top ten people in the world for IT security (from way back in the days of Project Athena) regularly curses CEOs and Boards for how little they're willing to Budget or Invest in any kind of Security relative to Networks, hardware, software, etc.

Tales told me are .. scary. Basically, Steinhafel is the norm, not the exception and we're all fooked.

I'm guessing you've already said enough that anyone really knowledgeable about the IT security community knows exactly who you're talking about.

Hint: any time you talk about someone in the top 10 of any important field or subculture, you've identified that person.  Each of those worlds is too small and it only takes a couple of details, like what project their history extends back to and that they have a regular habit of badmouthing company heads.

/I know a world I can't name in a certain planetary system, but I can tell we will attempt no landing on it.  Any other world, yes, but land on this one and we're all fooked.


It's really more of a moon than a world, isn't it? Or were you fudging one of the details in order to protect the party-in-question?
 
2014-05-05 02:35:42 PM

chrylis: DarkVader: roc6783: Do they actually know how this happened/continues happening? The breaches, not the CEOs resigning. I have seen several speculations, but nothing definitive.

In Target's case, looks like it was through a remote connection for HVAC control that was tied to the point of sale systems.  Essentially, just enough access to drop a targeted virus on the cash registers, and grab the card info as it's scanned.

It's really hard to prevent something like this, given that the POS systems have to be interconnected, and have to have a hole somewhere that gets to the internet - and yes, they have to for the level of functionality they wanted.  You can't run a web operation and tie in-store purchases to web accounts if you don't have some sort of link.

No, it's not really hard. HVAC has no business whatsoever being on a network (VLAN or subnet) that talks to the POS, the POS should have extremely limited incoming holes punched for pushing updates, and the inventory servers should be talking through application gateways.


That's fine in theory.  Much harder in practice.  VLANs and subnets are virtual walls which means that most of the time they do not stop even a casual hacker.  If I've managed to leapfrog into your network through a third party company do you think I can't get around some weird subnetting scheme or VLAN configuration?

You're also speaking much like someone whose only tool is a hammer; not everything is about a network config.  In today's world you cannot harden the network and expect to be safe.  You have to harden every single endpoint as well.  Of course once you've done that, remote management becomes a biatch which in many cases is a tradeoff not worth the security advantage.

The fact is, Target already had what you suggest.  Their security was much better and much more seriously managed than all of the armchair quarterbacks seem to think.
 
2014-05-05 02:49:15 PM
I wonder how much of this had to do with the poorly executed Canada expansion. I know it doesn't get the same hype as the security breach, but still.. that was a cluster from the get-go.
 
2014-05-05 02:57:17 PM

roc6783: Do they actually know how this happened/continues happening? The breaches, not the CEOs resigning. I have seen several speculations, but nothing definitive.


Because security, and IT in general, for non tech companies is a cost.  It's overhead.  It's something that gets in the way of making money. It must be reduced to the least cost possible.  So as long as you have some sort of audit to 'prove' it's all good, that is what matters. Your ass is covered.

Estimates make it look like this guy will be leaving with around a $25 million or so severance package.  And since he is a CEO with such rare talent that they command such lofty compensation packages, he'll be back running something else before too long I'm sure.

In the end, he's still loaded.  He'll likely get another executive role somewhere else to make sure he remains loaded.  What difference did it make to him personally to have this data breach?
 
2014-05-05 02:58:37 PM

Mr. Eugenides: chrylis: DarkVader: roc6783: Do they actually know how this happened/continues happening? The breaches, not the CEOs resigning. I have seen several speculations, but nothing definitive.

In Target's case, looks like it was through a remote connection for HVAC control that was tied to the point of sale systems.  Essentially, just enough access to drop a targeted virus on the cash registers, and grab the card info as it's scanned.

It's really hard to prevent something like this, given that the POS systems have to be interconnected, and have to have a hole somewhere that gets to the internet - and yes, they have to for the level of functionality they wanted.  You can't run a web operation and tie in-store purchases to web accounts if you don't have some sort of link.

No, it's not really hard. HVAC has no business whatsoever being on a network (VLAN or subnet) that talks to the POS, the POS should have extremely limited incoming holes punched for pushing updates, and the inventory servers should be talking through application gateways.

That's fine in theory.  Much harder in practice.  VLANs and subnets are virtual walls which means that most of the time they do not stop even a casual hacker.  If I've managed to leapfrog into your network through a third party company do you think I can't get around some weird subnetting scheme or VLAN configuration?

You're also speaking much like someone whose only tool is a hammer; not everything is about a network config.  In today's world you cannot harden the network and expect to be safe.  You have to harden every single endpoint as well.  Of course once you've done that, remote management becomes a biatch which in many cases is a tradeoff not worth the security advantage.

The fact is, Target already had what you suggest.  Their security was much better and much more seriously managed than all of the armchair quarterbacks seem to think.


There's actually a very easy way to do it.  (Also need to define what "it" is.  If it = tie in-store purchases to a Target account)  All you need to do is use a unique member identifier other than a credit card number.  Most places nowadays use telephone numbers (which is also bad, for privacy issues).

But the easy way to do it would be to completely isolate the POS terminal's functionality into two separate computers (albeit right next to one another, possibly in the same presentation at a POS) on two physically different networks.  One for the card swipe and clearinghouse network connection (card reader device), and the other with all the other info (bill of sale, coupons, customer ID info, receipts, etc).  If you wanted to be super secure you'd want the customer/clerk to manually punch (via a keypad at the card reader device) in the total cost to be packaged with the card data + send to the clearinghouse.  An electronic solution (have the first POS device with the bill of sale send the total cost over a network connection to the card reader device) may defeat your security.  If you had some type of 1-way local proprietary bus setup between the card reader device and the extra POS device, you might be able to pull something off without the keypad.
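A runnable sketch of the split-device design described above, added here as an example; it is not code from the thread, from Target, or from any real payment terminal. The register can invoke exactly one operation on the reader, charge(amount_cents), and gets back only an authorization code, a masked PAN and a keyed per-card token that can serve as the "unique member identifier other than a credit card number". The customer confirms the amount on the reader's own keypad, which is the poster's point that a total arriving electronically from the register cannot be trusted on its own. The acquirer stub, the reader key, the test PAN and the keypad callback are constructed assumptions.

```python
import hashlib
import hmac
import re

# Track-2-shaped data: what a scraper on the register would be looking for.
TRACK_LIKE = re.compile(rb"\d{13,19}=\d{4}")


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def stub_acquirer(pan: str, expiry: str, amount_cents: int) -> dict:
    """Constructed stand-in for the clearinghouse: approves any well-formed PAN."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        return {"approved": False, "auth_code": None}
    code = hashlib.sha256(f"{pan}:{expiry}:{amount_cents}".encode()).hexdigest()[:6].upper()
    return {"approved": True, "auth_code": code}


class TrustedReader:
    """Runs on the card-reader device. Only charge() is reachable from the register."""

    def __init__(self, acquirer, confirm_on_keypad, token_key: bytes):
        self._acquirer = acquirer
        self._confirm = confirm_on_keypad   # customer sees the amount on the reader's display
        self._token_key = token_key         # provisioned into the reader; never leaves it
        self._track2 = None

    def swipe(self, track2: bytes) -> None:
        """Physical input on the reader; the register has no path to this."""
        self._track2 = track2

    def charge(self, amount_cents) -> dict:
        """The one operation the register may call. In: integer cents. Out: no PAN, ever."""
        if type(amount_cents) is not int or not 0 < amount_cents <= 1_000_000:
            return {"approved": False, "reason": "amount rejected"}
        if self._track2 is None:
            return {"approved": False, "reason": "no card present"}
        if not self._confirm(amount_cents):
            self._track2 = None
            return {"approved": False, "reason": "customer declined on reader"}
        body = self._track2.strip(b";?").decode()
        pan, rest = body.split("=", 1)
        expiry = rest[:4]
        self._track2 = None                 # one swipe, one authorization
        auth = self._acquirer(pan, expiry, amount_cents)
        # Keyed token lets the register link the purchase to an account without the PAN.
        token = hmac.new(self._token_key, pan.encode(), hashlib.sha256).hexdigest()[:16]
        return {
            "approved": auth["approved"],
            "auth_code": auth["auth_code"],
            "pan_masked": mask_pan(pan),
            "card_token": token,
            "amount_cents": amount_cents,
        }


class Register:
    """Runs on the POS computer: bill of sale, coupons, receipts. Never sees card data."""

    def __init__(self, reader):
        self._reader = reader
        self.journal = []

    def checkout(self, items) -> dict:
        total = sum(price for _, price in items)
        result = self._reader.charge(total)
        self.journal.append({"items": items, "total": total, "auth": result})
        return result


def pan_exposed(state) -> bool:
    """Would a scraper reading this side's state find anything card-shaped?"""
    return TRACK_LIKE.search(repr(state).encode()) is not None


def demo():
    key = b"reader-unique-key-provisioned-at-manufacture"   # assumption
    customer_expects = {1648}                               # what the customer saw on the receipt
    reader = TrustedReader(stub_acquirer, lambda cents: cents in customer_expects, key)
    register = Register(reader)
    reader.swipe(b";4111111111111111=2512101000000000?")     # constructed public test PAN
    ok = register.checkout([("milk", 349), ("batteries", 1299)])
    reader.swipe(b";4111111111111111=2512101000000000?")
    tampered = reader.charge(9999)   # a subverted register sending a total the customer never saw
    return register, ok, tampered


if __name__ == "__main__":
    reg, ok, tampered = demo()
    print(ok, tampered, "register exposes PAN:", pan_exposed(reg.journal))
```

Both halves run in one process here, so the example demonstrates the interface contract rather than physical isolation; the guarantee holds only if the reader's own firmware is trusted and the register really has no other path into it, which is the endpoint-hardening point made elsewhere in the thread.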
 
2014-05-05 03:01:42 PM

chrylis: No, it's not really hard. HVAC has no business whatsoever being on a network (VLAN or subnet) that talks to the POS, the POS should have extremely limited incoming holes punched for pushing updates, and the inventory servers should be talking through application gateways.


What I had heard was that it was a little more complicated.  The HVAC system was open to the internet, and the system account used by the monitoring software had a default password, which let the attackers into the network.  From there, they couldn't access the POS systems directly, but they could access the server that rolled out updates.  They broke into that (probably using the same monitoring system credentials), and from there pushed malware back to the POS systems.
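One way to make chrylis's zoning rule and the HVAC to update server to POS chain described just above concrete, as an added example that is not from the thread and not from Target: an allowlist of the zone-to-zone flows the design permits, evaluated against firewall log lines. The zone names, addresses, ports and log lines are all constructed assumptions. The point is that a default-deny rule base would have refused the building-controls network's connection to the update server, which is the hop that turned an HVAC login into code on the registers.

```python
import re

# Assumed zoning for the example; hosts and addresses are constructed.
ZONE_OF = {
    "203.0.113.10": "vendor_internet",    # HVAC contractor's remote monitoring host
    "10.50.1.20": "hvac",                 # building-controls server
    "10.20.0.5": "update_server",         # distributes POS software updates
    "10.30.7.41": "pos",                  # registers
    "10.30.7.42": "pos",
    "10.40.0.9": "inventory_gateway",     # application gateway in front of inventory
    "10.60.0.3": "inventory",
}

# The only conversations the design permits: (source zone, destination zone, destination port).
# Updates flow one way, update_server -> pos; nothing from hvac reaches update_server or pos,
# and pos talks to inventory only through the gateway. Everything else is a violation.
ALLOWED = {
    ("vendor_internet", "hvac", 443),
    ("update_server", "pos", 8443),
    ("pos", "inventory_gateway", 443),
    ("inventory_gateway", "inventory", 5432),
}

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(ALLOW|DENY)")


def check_flows(log_lines):
    """Return every logged flow that the design does not permit.

    'reached' is True when the firewall let the flow through, i.e. the rule base
    itself contradicts the design; False means an attempt that was correctly blocked.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport, action = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        src_zone = ZONE_OF.get(src, "external")
        dst_zone = ZONE_OF.get(dst, "external")
        if (src_zone, dst_zone, dport) not in ALLOWED:
            findings.append({
                "src": src_zone,
                "dst": dst_zone,
                "dport": dport,
                "reached": action == "ALLOW",
                "line": line,
            })
    return findings


# Constructed firewall log: the vendor login, the pivot to the update server,
# an update push, a normal inventory lookup, a blocked probe, and an exfil attempt.
SAMPLE_FIREWALL_LOG = [
    "fw01 src=203.0.113.10 dst=10.50.1.20 dport=443 action=ALLOW",
    "fw01 src=10.50.1.20 dst=10.20.0.5 dport=445 action=ALLOW",
    "fw01 src=10.20.0.5 dst=10.30.7.41 dport=8443 action=ALLOW",
    "fw01 src=10.30.7.41 dst=10.40.0.9 dport=443 action=ALLOW",
    "fw01 src=10.50.1.20 dst=10.30.7.42 dport=445 action=DENY",
    "fw01 src=10.30.7.41 dst=198.51.100.7 dport=80 action=ALLOW",
]

if __name__ == "__main__":
    for f in check_flows(SAMPLE_FIREWALL_LOG):
        state = "RULE GAP" if f["reached"] else "blocked attempt"
        print(f"{state}: {f['src']} -> {f['dst']}:{f['dport']}")
```

Findings with reached=True are rule-base gaps (the firewall allowed something the design forbids); reached=False findings are attempts that were blocked and are still worth alerting on, since a building-controls host has no reason to knock on a register. As Mr. Eugenides notes above, a VLAN is only as good as the device enforcing it; this check validates the policy, not whether the enforcement point can be bypassed.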
 
2014-05-05 03:02:01 PM
More like, "Bye guys. Have fun cleaning up the mess. I have enough money and you are not paying me enough to clean it up."
 
2014-05-05 03:09:03 PM

jjorsett: I wonder how many millions this poor bastard had to settle for.



Looks like it'll be as much as $26M http://www.startribune.com/business/257978161.html
 
2014-05-05 03:13:26 PM

dolphkhan: I wonder how much of this had to do with the poorly executed Canada expansion. I know it doesn't get the same hype as the security breach, but still.. that was a cluster from the get-go.


Should have started there as they did in the US. Start in a small area (Minnesota) and gradually expand out. They spread out too many stores (without a lot of product) when they should have started small.
 
2014-05-05 03:15:45 PM

udhq: I left Target corporate about a year before the breach.  That place has been a farking mess for years.


This. I left a store about the same time, not corporate, but the last few years before I left it was an increasingly absurd number of "cost-cutting" measures that eventually seriously demoralized the staff and made it impossible to keep the store to the standards they expected. I still talk to old co-workers and it's only gotten worse. People upthread hit the nail on the head when they said if it doesn't directly make the store money, they're not going to spend any time or money on it. More like Wal-Mart each and every day, and it pains me to say that.
 
2014-05-05 03:27:16 PM
was it HIS idea to open a whole bunch of farking new stores (eg Canada) during an absolutely nightmarish retail period.....?

if so, no bonus for you
 
2014-05-05 03:27:36 PM
Hey, I'll come be your new CEO. I can talk out my ass.
 
2014-05-05 03:37:04 PM

Clemkadidlefark: My closest family member (can't name) who is one of the top ten people in the world for IT security (from way back in the days of Project Athena) regularly curses CEOs and Boards for how little they're willing to Budget or Invest in any kind of Security relative to Networks, hardware, software, etc.

Tales told me are .. scary. Basically, Steinhafel is the norm, not the exception and we're all fooked.


Heard a story that concerned me the other day about the security...or lack thereof...regarding computerized medical equipment.

Stuff like unchangeable hard-coded "passwords" set to 1234...
 
2014-05-05 03:40:46 PM

fang06554: chrylis: No, it's not really hard. HVAC has no business whatsoever being on a network (VLAN or subnet) that talks to the POS, the POS should have extremely limited incoming holes punched for pushing updates, and the inventory servers should be talking through application gateways.

What I had heard was that it was a little more complicated.  The HVAC system was open to the internet, and the system account used by the monitoring software had a default password, which let the attackers into the network.  From there, they couldn't access the POS systems directly, but they could access the server that rolled out updates.  They broke into that (probably using the same monitoring system credentials), and from there pushed malware back to the POS systems.


Because giving a random teenage hacker control over your heating and air conditioning is such a good idea...
 
2014-05-05 03:52:29 PM

davynelson: was it HIS idea to open a whole bunch of farking new stores (eg Canada) during an absolutely nightmarish retail period.....?

if so, no bonus for you


That happened before the breach
 
2014-05-05 03:56:04 PM
PunGent: Because giving a random teenage hacker control over your heating and air conditioning is such a good idea...

Of course not - it was a pretty stupid idea.  The reason, AFAIK, was so the HVAC company could monitor the temperature of the stores for cost savings, etc.  Better info here: http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

It is amazing how a lot of small stupid errors that in and of themselves were not that dangerous, combined into total pwnage.
 
Displayed 50 of 70 comments
This thread is closed to new comments.