The Target hackers broke in through a third party. Sean Michael Kerner says this should change your security strategy
Details continue to emerge about the root cause of the security breach at US retailer Target that exposed the personal information of 70 million people during the 2013 holiday season.
According to a Wall Street Journal report, the Target attackers were able to gain access to the retailer’s system by way of stolen credentials from a third-party vendor.
Target discussed by Senate
The investigation into the Target breach has widened and now involves the US Department of Justice. In a submission to the US Senate Committee on the Judiciary, Attorney General Eric Holder specifically discussed the Target breach.
“The Department of Justice takes seriously reports of any data breach, particularly those involving personally identifiable or financial information, and looks into allegations that are brought to its attention,” Holder said. “While we generally do not discuss specific matters under investigation, I can confirm the Department is investigating the breach involving the US retailer, Target. And we are committed to working to find not only the perpetrators of these sorts of data breaches—but also any individuals and groups who exploit that data via credit card fraud.”
The use of a third-party vendor as a patsy to gain access is not a new attack method in the IT landscape. Simply put, an attacker will always go after the weakest link in the security chain, wherever that link exists.
The fact that the attack leveraged lost or stolen credentials also is not a surprise since, after all, the first step in any attack is to gain access. To gain access to any system today, some credentials are required. That’s where role-based access control (RBAC) types of systems have long played a key role, providing the right access to the right person to do the required tasks.
So where’s the failure?
Trey Ford, who until recently served as general manager of the Black Hat security conference and now works at security firm Rapid7 as its new global security strategist, noted in an email sent to eWEEK that in most cases of lost or stolen credentials, organiz]sations don’t know they’ve had an account compromised until it’s far too late and the damage is done.
“In the case of an organization like Target, you’re looking at an extremely complex environment with hundreds of thousands of employees, systems, sites, and vendors; every aspect represents some level of risk,” Ford said. “The problem is that it’s impossible to make every one of those elements bulletproof and traditional incident detection systems aren’t looking for deceptive activity.”
That’s a large issue in my view, as a lost or stolen credential is a legitimate credential until proven otherwise. To that end, organisations should have insider threat policies and technologies in place to limit the risk of lost or stolen credentials. If an organization is always monitoring the activities and access of its credentials in a constant effort of risk mitigation vigilance, the risk can be minimized.
This is not an easy challenge, and there is responsibility in this case, with both the vendor whose credentials were lost or stolen and Target itself. Security is an ecosystem, and every element in the system needs to be monitored and strengthened, which will inevitably make it harder for attackers to be successful.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
New Target Cyber-Attack Details Emerge
Security researchers reveal details of the malware used in the damaging breach of US retailer Target
Security researchers have revealed new details about the damaging compromise of retail giant Target’s systems, which resulted in the leak of tens of millions of credit- and debit-card accounts.
When Target acknowledged a breach of its systems on 19 December, the company released few details of the malware and tactics used in the attack. Over the last week, however, security researchers have discovered the likely malware used by attackers as well as the method by which the data thieves retrieved the stolen information from Target’s network.
On 16 January, security firm Seculert revealed that it had found an Internet server that the attacker had used as a communications hub to retrieve information from a drop site within Target’s own network. The attackers apparently collected the stolen data on the compromised Target server and then used a compromised Web site to grab the data starting 2 December, Seculert stated in the analysis.
“They were able to infiltrate (Target’s) network and then setup several machines as part of the data exfiltration,” Avi Raff, chief technology officer for Seculert, told eWEEK in an email interview. “As this is a two stage attack – steal PoS data from a machine not connected to the Internet, then move it to another machine which can send the data to an FTP (server) – it does seem to be sophisticated.”
Starting on 2 December, the malware began transmitting the cache of stolen data outside the network to the collection server. Using a virtual private server in Russia, the attackers then downloaded the information. The stolen data totalled 11GBs, according to Seculert.
By the time the company was able to analyse the compromised Web server, the information had been deleted from the server, but the log files still revealed that massive amounts of information had been retrieved from an Internet address within Target’s own network.
Symantec and other firms identified the program as a derivative of the BlackPOS malware, which among other features can “scrape” information from a compromised point-of-sale terminal’s memory while it is unencrypted. Security researcher and journalist Brian Krebs first reported the Target breach and that security firms had identified the malware on 15 December.
The Target breach is not an isolated incident: The average retailer has seven infections communicating out from its network, according to an analysis of 1,035 distinct compromises at 139 retailers carried out by security firm BitSight. The most prevalent malware, known as Neurevt, accounted for nearly 250 of the infections, the company found.
Overall, the retail sector appears to have significant problems with malware, Stephen Boyer, co-founder and CEO of BitSight, stated in a blog post.
“What is clear is that many US retailers had vulnerabilities that led to compromised systems that were or are currently under the control of a remote adversary,” Boyer stated. “Not all of these organisations will be impacted equally and may not begin to rival the scale of the loss at Target; nevertheless, the evidence strongly suggests that Target and Neiman Marcus are not alone.”
Are you a security pro? Try our quiz!
Originally published on eWeek.