A First Look at the Target Intrusion, Malware
Posted on 01/16/2014 8:40:12 AM PST by BlueMondaySkipper
Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Today's post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.
(Excerpt) Read more at krebsonsecurity.com ...
How would malware get into the POS system?
You can’t use a cash register to go surfing on porn.com
And for those of us who believe Abstinence works, there is no problems at all with Identity Theft. If you do not make ANY electronic transactions you will be just fine.
Maybe if you also don’t have any credit cards, or bank accounts, you might be safe.
Meanwhile CMS will testify in Congress today the Healthcare.gov is safe and secure and no security breaches have occurred.
Fascinating to read; wish I understood it...
Apparently, Target’s POS terminals are networked.
Here’s the analysis of the malware, and from that you can clearly see that the terminal must be running Windows and be capable of connecting to the internet:
Because they all talk to a central computer.
SkyNet is everywhere.
Bank Accounts are just fine if you choose a Credit Union, it is virtually IMPOSSIBLE to transfer Money OUT of MY Credit Union without Physically walking in and filling out a bunch of papers.
Bank are making billions on electronic economy - they scarf 1-3% of every transaction - just for handling the transfer. They have been pushing electronic transfers - debit and credit cards as an alternative to cash.
The government likes it because now they have a record of virtually every cash transaction you make - read the ironically titled “Bank Secrecy Act” if you think the government doesn’t have full access to your account information. What do they care if the system isn’t secure? You should have bought “identity protection”, bub!
According to the article, they were able to compromise a web server to gain access to the network. From there they could deploy the malicious code to the POS devices and also set up a data collection point on another one of Target's servers. The malicious code on the POS devices would send the credit card data to this collection point as the card was swiped. The bad guys were able to log on to the collection server to gather the data whenever they felt like it.
Not thousands. Millions.
Surprise, surprise. Compromised POS systems were all Windows systems. These companies are big enough that they could develop and utilize Linux-based POS systems.
That’s going to be the ONLY way to secure their systems. The ONLY way. Fundamentally, Windows as it now stands is essentially impossible to secure.
I’ve worked with Windows in depth for 16 years now, and know its ins and outs well enough to make the above statement with complete confidence.
With Linux, the main threat is using insecure passwords and insider attacks.
You are correct, my bad
Not one hundred-ten thousand, (110,000) but 110 million. (110,000,000)
Fully 1/3 of the US population.
The compromise was at the server level. The hackers installed a compromised server on the network and read the data from the POS terminals in real-time.
IOW, they had insider help or used social engineering to gain admin-level network access.
So, in this case, at least, using Linux would have made no difference at all.
I guess the net admins never heard of router security protocols. There shouldn't be open routes (unauthorized IP addresses) between internal servers. We can rest easy at night that our grid is just as secure.
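Two posts above describe the same shape from different angles: infected registers forwarding card data to a collection server on the retailer's own internal network, and the observation that there should be no open routes between internal hosts that have no business talking to each other. The script below is an added illustration of the defender's side of that point; it is not code from the thread, from KrebsOnSecurity or from Target. It applies a per-role destination allowlist to constructed flow records and ranks any destination that many registers reach outside the allowlist. The subnet, addresses, ports and roles are all assumptions invented for the example.

```python
"""Flag POS registers talking to hosts outside their expected destination set.

Added example: the network model and the flow records are constructed for
illustration and do not describe any real retailer's network.
"""
import ipaddress

# Constructed model (assumption): registers live in 10.20.0.0/16 and are only
# expected to reach the store POS server and the external payment gateway.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_DESTINATIONS = {
    ("10.1.0.5", 443),        # store POS/inventory server (constructed)
    ("10.1.0.5", 8443),
    ("203.0.113.10", 443),    # payment gateway, TEST-NET-3 address (constructed)
}

# Constructed flow records: (source_ip, destination_ip, destination_port, bytes).
# The two flows to 10.1.0.77:445 model registers writing to a share on an
# unrelated internal server, the pattern the thread describes.
SAMPLE_FLOWS = [
    ("10.20.3.17", "10.1.0.5", 443, 1800),
    ("10.20.3.17", "203.0.113.10", 443, 900),
    ("10.20.3.17", "10.1.0.77", 445, 40960),
    ("10.20.5.2", "10.1.0.77", 445, 38912),
    ("10.20.5.2", "10.1.0.5", 8443, 1200),
    ("10.1.0.77", "10.1.0.5", 443, 500),   # not from a register: out of scope here
]


def is_register(ip):
    """True if the address falls inside the constructed register subnet."""
    return ipaddress.ip_address(ip) in POS_SUBNET


def find_unexpected_flows(flows, allowed=ALLOWED_DESTINATIONS):
    """Return register-originated flows whose (dst, port) is not allowlisted."""
    return [f for f in flows if is_register(f[0]) and (f[1], f[2]) not in allowed]


def rank_destinations(unexpected):
    """Count distinct registers per unexpected destination, most registers first.

    One internal host reached by many registers is exactly the "central
    repository" shape described in the thread, so it sorts to the top.
    """
    per_dst = {}
    for src, dst, port, _ in unexpected:
        per_dst.setdefault((dst, port), set()).add(src)
    ranked = [(dst, port, len(srcs)) for (dst, port), srcs in per_dst.items()]
    return sorted(ranked, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for dst, port, n in rank_destinations(find_unexpected_flows(SAMPLE_FLOWS)):
        print(f"{dst}:{port} reached by {n} register(s) outside the allowlist")
```

In practice the allowlist would be derived from the segmentation policy the network is supposed to enforce, and the same comparison run against exported flow records or firewall logs; a destination that shows up for several registers at once is worth a look even when each individual flow is small.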
Times one thousand. That's 110 Million customers.
Why I won't get a debit card--straight pipeline into your funds.
Better to write an autobiography and hope someone buys the book if I want my life history on view. At least I might make enough money for a cup of coffee now and then.
Wimpy userids and passwords.
We had a break-in on a box and my Server2008 box was audited because the pwn3d server tried to get in. When I told them my only local user id, they responded “How did you think of something that convoluted?”.
I guess the same way you thought of using “fred” as a local acct on your server.
Now the server emails me for every incorrect login.
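The post above ends with a server that mails its owner on every incorrect login. As an added example (not the poster's setup, and not code from the thread), the script below does the aggregation step that makes such alerts useful: it parses constructed sshd-style log lines, counts failed logins per source address, records which usernames were tried, and emits an alert only once a source crosses a threshold. The log lines, hostnames, addresses and usernames are all constructed for the example.

```python
"""Summarise failed logins per source from sshd-style auth log lines.

Added example: SAMPLE_LOG is constructed for illustration; the addresses are
from the documentation ranges and the usernames are invented.
"""
import re

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

SAMPLE_LOG = """\
Jan 16 08:40:12 vmhost sshd[4021]: Failed password for invalid user fred from 198.51.100.7 port 51234 ssh2
Jan 16 08:40:15 vmhost sshd[4021]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Jan 16 08:40:19 vmhost sshd[4021]: Failed password for root from 198.51.100.7 port 51251 ssh2
Jan 16 08:40:22 vmhost sshd[4021]: Failed password for invalid user test from 198.51.100.7 port 51260 ssh2
Jan 16 08:41:02 vmhost sshd[4033]: Accepted publickey for ops_b7q from 192.0.2.44 port 40022 ssh2
Jan 16 08:41:30 vmhost sshd[4040]: Failed password for ops_b7q from 192.0.2.44 port 40031 ssh2
"""


def parse_failures(text):
    """Yield (timestamp, user, ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip")


def summarize(failures, threshold=3):
    """Return {ip: {"count": n, "users": [...]}} for sources at or above threshold.

    Grouping by source address rather than by username is what separates a
    guessing campaign (one source, many names) from a single fumbled login.
    """
    per_ip = {}
    for _, user, ip in failures:
        entry = per_ip.setdefault(ip, {"count": 0, "users": set()})
        entry["count"] += 1
        entry["users"].add(user)
    return {
        ip: {"count": e["count"], "users": sorted(e["users"])}
        for ip, e in per_ip.items()
        if e["count"] >= threshold
    }


def format_alert(ip, entry):
    """One-line alert text, the kind of thing the poster has mailed to them."""
    return (f"{entry['count']} failed logins from {ip} "
            f"trying {', '.join(entry['users'])}")


if __name__ == "__main__":
    for ip, entry in summarize(parse_failures(SAMPLE_LOG)).items():
        print(format_alert(ip, entry))
```

The single failure from 192.0.2.44 stays below the threshold and is not reported, which is the point of aggregating before alerting: a per-event email quickly gets ignored once a scanner finds the host, while a per-source summary still shows which names were guessed.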
"But according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target's internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.
The bad guys were logging in remotely to that [control server], and apparently had persistent access to it, a source close to the investigation told KrebsOnSecurity. They basically had to keep going in and manually collecting the dumps"
I’d guess the glory of the network, the POS computers talk to local servers to update inventory and other stuff, those servers talk to WAN servers to meta all that data, and those servers can connect to other servers that run basic parts of the network, which in turn are talked to by laptops run by office drones that surf porn at work. Nobody keeps domains separate anymore, creates too much work when the same stuff (like Office apps) is needed in multiple domains, they set up lots of two-way trusts and viruses spread.
Maybe, but as long as your credit union uses computers, your personal information is in them and vulnerable to being stolen.
“Why I won’t get a debit card—straight pipeline into your funds.”
Well, that’s the bank’s problem. Most banks nowadays cover any unauthorized use of your card, as long as you report it within a certain time frame.
Darned spell-checker didn’t notice that you’d misspelled “M”.
POS endpoints have to be connected, otherwise they could not work to verify credit cards. Usually such embedded devices have minimal OS and network services so there aren't a lot of weak processes to try to take over. However they probably have a mechanism to upgrade/patch the software on them remotely, and to do that you generally need a port that can push software in. That might be a way the attackers got in.
One trick they use is to send data that's way too big for the buffer (sort of like the "inbox") so that the data overflows into areas of memory it's not supposed to go to. That can crash the system and force a reboot and if you planted bad stuff on it, it will load at the reboot. Really clever hackers can do far more.
Ping to interesting details.
Interesting post, thanks
Looks like the hackers breached a web server and then logged onto POS servers which control the POS devices. What’s disturbing is that the hackers had a persistent connection and periodically downloaded data.
NOTE: If this blogger, KrebsOn Security hadn’t received a tip and researched it, then published it, none of us would have known about it. Target never even admitted it happened until two days after he published the info, and never, ever did anything to recompense customers. Even their offer of free credit monitoring came weeks after the news broke.
I don't think we will ever hear what happened, but it wouldn't surprise me if the machines didn't have a password set or a very simple one.
I can see how the POS data could be collected by this malware and sent to some obscure place on Target’s servers for later collection by the bad guys, but how did it get there? I suspect that someone within Target’s IT department with access may have done this and opened a back door for the bad guys to retrieve the hacked information. It is also possible that someone could do this by hacking into the system from outside, but then why pick Target instead of some more high end stores where customers have more to steal?
We can still circumvent most by just leaving monthly bill money in checking - take rest in cash and use for purchase -
Why do you think they want to get rid of cash?
If it’s on a network, it can be hacked. And recently, it has been alleged that the NSA can hack even an offline machine that had been previously compromised.
You guys are forgetting that other data sources have your info without you doing any online transactions. Consider the IRS records, local county tax records, real estate records, credit report companies, etc. You may not enter or place your info online, but somebody else does.
One of the better investigative reporters on the web.
You’d be foolish to omit network vulnerabilities as part of the issue. As a server administrator and network engineer, I can tell you that everything from your ISP modem to your iPhone are scanned on a regular basis from points all around the world for port and protocol vulnerabilities every day, every hour, every minute.
I run a VM server and host several gaming clan sites and voice services from my home, and my logs are flooded with requests from all over the globe: Romania, France, Sweden, Russia, China, Vietnam, the Philippines, Venezuela, Brazil, you name it. I’ve set up filters on my proxies to prevent IPs from Russia and China, specifically, but my firewall logs are constantly hammered. They’re scanning every possible port from lowly SSH (22) up through the higher random ports most Windows systems use (1024-65K). If they find something, they’ll get in.
This is where I tell everyone who is using Windows XP to STOP USING WINDOWS XP! I don’t care if you’re in your 60s and XP “just works,” for us younger whippersnappers, there’s nothing more laborious or frustrating than getting a call from our elders about computer problems and coming to find out you’re running XP. Would you still be driving around an Edsel if you could? C’mon! XP is a giant vulnerability matrix. You’re on your own VERY soon, as MS no longer supports the OS in any way.
Many POS systems are running XP or some screwy Windows variant. There are plenty of FREE Linux distros for POS. Most large businesses like Target don’t want to invest the money for the right people to do a large-scale implementation, but we do exist.
Smart. I love wing dings.
“You guys are forgetting that other data sources have your info without you doing any online transactions. Consider the IRS records, local county tax records, real estate records, credit report companies, etc. You may not enter or place your info online, but somebody else does.”
One of the most vulnerable places is our health care system even before Obozo Care.
Medicare, Medicaid and most insurance companies use one # for patients, our Social Security #.
Then, they have our DOB, sometimes POB, address, phone #, Cell phone # and email sites.
Many medical providers do a credit check so they have that number/data.
Many providers seem to prefer being paid by credit card, if so they have that number.
If you pay by check, they have all of your banking numbers.
Often the lowest paid people in a medical office have full access to all of the above, plus your medical history.
Last summer, our FPs retired or went to a big HMO.
So we had to fill out all of the data above to be seen. The local group’s site was not verified and brought up warnings from my internet provider and services like Norton. I told our new FP, and he laughed until I showed him the warnings. He made a couple of quick calls, and the patient side of their site was shut down until a new site was opened up. Their current site is verified and seems okay now.
Another site, a surgical specialty site, has yet to get its act together. We pay our bills with electronic checks or cash.
Another specialty medical site had a similar problem, and that seems to be okay since they merged with the local hospital, which is part of a big California hospital organization. This organization has a lot of employee unrest and union battles which is not a reassurance.
Last but not least are the Store discount cards which market/mine our private data. The one such card I have, I am St Nick, born on the 4th of July in 1918. In five years, only one clerk has picked up on my fantasy ID, and she just laughed.
I'll say! Actually I do. Devices that are targets for this kind of attack shouldn't be able to be remotely flashed with new software. It's convenient for the people who manage them, but so what, it's not their money to be putting at risk.
Barring doing the safest thing (not allowing remote flashing of code) they should at minimum have monitoring that alerts when code is added or changed.
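The post above asks, as a minimum, for monitoring that alerts when code on the device is added or changed. The script below is an added example of the basic mechanism (it is not code from the thread or from any POS vendor): take a SHA-256 baseline of every file under a directory, take a second snapshot later, and report what was added, removed or modified. The demo builds its own throwaway directory with constructed file names and contents, so nothing here refers to a real product's install tree.

```python
"""Minimal file-integrity check: baseline, re-snapshot, report differences.

Added example: the directory contents in demo() are constructed; the file
names are invented and do not correspond to any real POS software.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def diff_snapshots(baseline, current):
    """Return sorted lists of added, removed and changed paths."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def _write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)


def demo():
    """Build a constructed install tree, baseline it, alter it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "register_app.bin", b"constructed original program image")
        _write(root, "settings.ini", b"[terminal]\nstore=0001\n")
        baseline = snapshot(root)

        # Simulate an unexpected remote update: one binary replaced, one file added.
        _write(root, "register_app.bin", b"constructed replacement program image")
        _write(root, "extra.bin", b"constructed file that was not in the baseline")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

The weak point of any such check is where the baseline lives: if the monitored host can rewrite its own baseline, an update mechanism that can replace the program can replace the hash list too, so the reference copy and the comparison belong somewhere the device itself cannot write to. That is the gap the next post closes by wanting the code in hardware, reloadable only by physical contact.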
I’m not even saying flashing shouldn’t be “allowed”. I’m saying it should be impossible. Whatever code the devices run should be in hardware, requiring physical contact to reload. If it’s a permission thing, there might be some way for them to end run it.
Agreed. Perhaps the only saving grace is that greed may overtake the hackers to the extent that large sums of money are detected as moving from place to place and catches the eye of Law Enforcement. If they stay small, they likely will never be caught. There are simply too many sources from which to piece together a user profile and then raid their accounts. Especially when governments support this type of behavior.
I am 100% behind you, but it's not going to happen. The buggy software that we squeeze out nowadays needs to be patched too often. IMHO we are on the precipice of a software crisis where our systems are too big and too convoluted for anyone to understand. They are poorly designed and hurriedly slapped together with little or no QA. They are riddled with security flaws. If we could not continuously push out bug fixes, nothing would work. And now, this is all catching up with us. God help us.
It’s a credit card terminal. How complicated could it possibly be or hard to get it right? Why is it even running on an OS in the first place instead of bare metal?