A First Look at the Target Intrusion, Malware
Posted on 01/16/2014 8:40:12 AM PST by BlueMondaySkipper
Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: malicious software that infected point-of-sale systems at Target checkout counters. Today's post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.
(Excerpt) Read more at krebsonsecurity.com ...
"But according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target's internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.
'The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,' a source close to the investigation told KrebsOnSecurity. 'They basically had to keep going in and manually collecting the dumps.'"
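One defensive check suggested by the pattern described above (many POS devices all pushing data to one unexpected internal host), written as an added example that is not from the post or from Krebs' article. The POS subnet, the approved-server list and the flow records are constructed assumptions.

```python
# Added example: flag an internal host that receives data from several
# point-of-sale machines without being on the approved server list.
# The subnet, approved servers and flow lines are constructed, not real.
from collections import defaultdict
from ipaddress import ip_address, ip_network

POS_NETWORK = ip_network("10.50.0.0/16")            # assumed POS VLAN
APPROVED_SERVERS = {ip_address("10.10.1.5"),         # assumed inventory /
                    ip_address("10.10.1.6")}         # payment hosts

# Constructed flow log lines: src_ip dst_ip dst_port bytes_out
FLOWS = """\
10.50.3.11 10.10.1.5 443 2048
10.50.3.12 10.10.1.5 443 1900
10.50.3.11 10.20.7.77 445 51200
10.50.3.12 10.20.7.77 445 48800
10.50.4.20 10.20.7.77 445 50100
10.50.4.21 10.10.1.6 443 1700
10.10.1.6 10.20.7.77 445 300
""".splitlines()

def parse_flow(line):
    src, dst, port, nbytes = line.split()
    return ip_address(src), ip_address(dst), int(port), int(nbytes)

def unexpected_fan_in(flow_lines, min_pos_sources=3):
    """Return {dst: {"sources": [...], "bytes": n}} for destinations that are
    not approved yet receive data from at least min_pos_sources POS hosts."""
    sources = defaultdict(set)
    volume = defaultdict(int)
    for line in flow_lines:
        src, dst, _port, nbytes = parse_flow(line)
        # Only flows that originate in the POS segment matter here; traffic
        # to the approved back-end servers is expected and skipped.
        if src not in POS_NETWORK or dst in APPROVED_SERVERS:
            continue
        sources[dst].add(src)
        volume[dst] += nbytes
    return {
        str(dst): {"sources": sorted(str(s) for s in srcs), "bytes": volume[dst]}
        for dst, srcs in sources.items() if len(srcs) >= min_pos_sources
    }

if __name__ == "__main__":
    for dst, info in unexpected_fan_in(FLOWS).items():
        print(f"{dst}: {len(info['sources'])} POS hosts, {info['bytes']} bytes")
```

On the constructed records only 10.20.7.77 is reported: three POS hosts wrote to it, while the flow from the approved server 10.10.1.6 is ignored because it does not originate in the POS segment.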
I’d guess the glory of the network: the POS computers talk to local servers to update inventory and other stuff, those servers talk to WAN servers to meta all that data, and those servers can connect to other servers that run basic parts of the network, which in turn are talked to by laptops run by office drones that surf porn at work. Nobody keeps domains separate anymore; it creates too much work when the same stuff (like Office apps) is needed in multiple domains, so they set up lots of two-way trusts and viruses spread.
Maybe, but as long as your credit union uses computers, your personal information is in them and vulnerable to being stolen.
“Why I won’t get a debit card—straight pipeline into your funds.”
Well, that’s the bank’s problem. Most banks nowadays cover any unauthorized use of your card, as long as you report it within a certain time frame.
Darned spell-checker didn’t notice that you’d misspelled “M”.
POS endpoints have to be connected, otherwise they could not work to verify credit cards. Usually such embedded devices have minimal OS and network services, so there aren't a lot of weak processes to try to take over. However, they probably have a mechanism to upgrade/patch the software on them remotely, and to do that you generally need a port that can push software in. That might be a way the attackers got in.
One trick they use is to send data that's way too big for the buffer (sort of like the "inbox") so that the data overflows into areas of memory it's not supposed to go to. That can crash the system and force a reboot and if you planted bad stuff on it, it will load at the reboot. Really clever hackers can do far more.
Ping to interesting details.
Interesting post, thanks
Looks like the hackers breached a web server and then logged onto POS servers which control the POS devices. What’s disturbing is that the hackers had a persistent connection and periodically downloaded data.
NOTE: If this blogger, KrebsOnSecurity, hadn’t received a tip, researched it, and then published it, none of us would have known about it. Target never even admitted it happened until two days after he published the info, and never, ever did anything to recompense customers. Even their offer of free credit monitoring came weeks after the news broke.
I don't think we will ever hear what happened, but it wouldn't surprise me if the machines didn't have a password set or a very simple one.
I can see how the POS data could be collected by this malware and sent to some obscure place on Target’s servers for later collection by the bad guys, but how did it get there? I suspect that someone within Target’s IT department with access may have done this and opened a back door for the bad guys to retrieve the hacked information. It is also possible that someone could do this by hacking into the system from outside, but then why pick Target instead of some more high-end stores where customers have more to steal?
We can still circumvent most by just leaving monthly bill money in checking - take rest in cash and use for purchase -
Why do you think they want to get rid of cash?
If it’s on a network, it can be hacked. And recently, it has been alleged that the NSA can hack even an offline machine that had been previously compromised.
You guys are forgetting that other data sources have your info without you doing any online transactions. Consider the IRS records, local county tax records, real estate records, credit report companies, etc. You may not enter or place your info online, but somebody else does.
One of the better investigative reporters on the web.