A First Look at the Target Intrusion, Malware
Krebs On Security ^ | 1/12/2014 | Krebs

Posted on 01/16/2014 8:40:12 AM PST by BlueMondaySkipper

Interesting information regarding the Target data breach. I notice that the number of people affected has gone from 30K, to 70K and now 110K.
1 posted on 01/16/2014 8:40:12 AM PST by BlueMondaySkipper
[ Post Reply | Private Reply | View Replies]

To: BlueMondaySkipper

How would malware get into the POS system?
You can’t use a cash register to go surfing on porn.com


2 posted on 01/16/2014 8:44:58 AM PST by Buckeye McFrog
[ Post Reply | Private Reply | To 1 | View Replies]

To: BlueMondaySkipper

And for those of us who believe Abstinence works, there are no problems at all with Identity Theft. If you do not make ANY electronic transactions you will be just fine.


3 posted on 01/16/2014 8:46:01 AM PST by eyeamok
[ Post Reply | Private Reply | To 1 | View Replies]

To: eyeamok

Maybe if you also don’t have any credit cards, or bank accounts, you might be safe.


4 posted on 01/16/2014 8:48:02 AM PST by Boogieman
[ Post Reply | Private Reply | To 3 | View Replies]

To: BlueMondaySkipper

Meanwhile CMS will testify in Congress today the Healthcare.gov is safe and secure and no security breaches have occurred.


5 posted on 01/16/2014 8:49:04 AM PST by AU72
[ Post Reply | Private Reply | To 1 | View Replies]

To: BlueMondaySkipper

Fascinating to read; wish I understood it...


6 posted on 01/16/2014 8:50:59 AM PST by carriage_hill (Peace is that brief glorious moment in history, when everybody stands around reloading.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Buckeye McFrog

Apparently, Target’s POS terminals are networked.

Here’s the analysis of the malware, and from that you can clearly see that the terminal must be running Windows and be capable of connecting to the internet:

http://krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf


7 posted on 01/16/2014 8:51:26 AM PST by Boogieman
[ Post Reply | Private Reply | To 2 | View Replies]

To: Buckeye McFrog

Because they all talk to a central computer.

SkyNet is everywhere.


8 posted on 01/16/2014 8:51:28 AM PST by Valpal1 (If the police can't solve a problem with violence, they'll find a way to fix it with brute force)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Boogieman

Bank Accounts are just fine if you choose a Credit Union; it is virtually IMPOSSIBLE to transfer Money OUT of MY Credit Union without Physically walking in and filling out a bunch of papers.


9 posted on 01/16/2014 8:57:06 AM PST by eyeamok
[ Post Reply | Private Reply | To 4 | View Replies]

To: BlueMondaySkipper

Banks are making billions on the electronic economy - they scarf 1-3% of every transaction - just for handling the transfer. They have been pushing electronic transfers - debit and credit cards - as an alternative to cash.

The government likes it because now they have a record of virtually every cash transaction you make - read the ironically titled “Bank Secrecy Act” if you think the government doesn’t have full access to your account information. What do they care if the system isn’t secure? You should have bought “identity protection”, bub!


10 posted on 01/16/2014 8:59:15 AM PST by Fido969 (What's sad is most)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Buckeye McFrog
How would malware get into the POS system?

According to the article, they were able to compromise a web server to gain access to the network. From there they could deploy the malicious code to the POS devices and also set up a data collection point on another one of Target's servers. The malicious code on the POS devices would send the credit card data to this collection point as the card was swiped. The bad guys were able to log on to the collection server to gather the data whenever they felt like it.

11 posted on 01/16/2014 9:03:16 AM PST by BlueMondaySkipper (Involuntarily subsidizing the parasite class since 1981)
[ Post Reply | Private Reply | To 2 | View Replies]
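The pattern described in the post above (every infected register pushing card data to one unexpected internal host, which the attackers then visit on their own schedule) is the kind of thing an internal-traffic allow-list check can surface. The following is an added example, not code from the thread or from the Krebs article; the subnet, the allow-listed hosts and the flow records are all constructed.

```python
"""Flag POS terminals that reach internal hosts outside their allow-list.

Added example with constructed data. The subnets, host addresses and flow
records are hypothetical and are not taken from the Target investigation.
"""
import ipaddress
from collections import defaultdict

# Hypothetical policy: register lanes may only reach the payment authorization
# host and the software distribution host. Any other private address is suspect,
# and a public address means the lane has an Internet path it should not have.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/16")        # register lanes (assumed)
ALLOWED_INTERNAL = {
    ipaddress.ip_address("10.1.1.10"),   # payment authorization host (assumed)
    ipaddress.ip_address("10.1.1.20"),   # software distribution host (assumed)
}

# Constructed flow records: "timestamp src dst dport bytes"
SAMPLE_FLOWS = """\
2014-01-15T10:00:01 10.20.5.11 10.1.1.10 443 1200
2014-01-15T10:00:09 10.20.5.11 10.1.1.20 445 900
2014-01-15T10:05:30 10.20.5.11 10.3.7.44 445 48200
2014-01-15T10:05:31 10.20.5.12 10.3.7.44 445 51000
2014-01-15T10:06:02 10.20.5.13 10.3.7.44 445 47300
2014-01-15T10:07:15 10.20.5.14 8.8.8.8 53 120
2014-01-15T10:08:00 10.5.0.3 10.3.7.44 445 400
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "bytes": int(nbytes)}


def find_unexpected_pos_peers(text, pos_subnet=POS_SUBNET, allowed=ALLOWED_INTERNAL):
    """Return (internal_hits, external).

    internal_hits maps each off-policy private destination to the set of POS
    sources that reached it; external is the set of POS sources that reached a
    public address at all. Traffic not originating in the POS subnet is ignored.
    """
    internal_hits = defaultdict(set)
    external = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["src"] not in pos_subnet:
            continue                        # only lane-originated traffic matters here
        if not f["dst"].is_private:
            external.add(f["src"])
        elif f["dst"] not in allowed:
            internal_hits[f["dst"]].add(f["src"])
    return internal_hits, external


def rank_collection_candidates(internal_hits, min_sources=2):
    """One off-policy peer contacted by several lanes is the shape of a central
    collection point; rank candidates by how many distinct lanes touched them."""
    return sorted(((dst, len(srcs)) for dst, srcs in internal_hits.items()
                   if len(srcs) >= min_sources), key=lambda x: -x[1])


if __name__ == "__main__":
    hits, ext = find_unexpected_pos_peers(SAMPLE_FLOWS)
    for dst, n in rank_collection_candidates(hits):
        print(f"{dst}: contacted by {n} POS hosts")
    print("lanes with Internet reach:", sorted(map(str, ext)))
```

On the constructed records this reports 10.3.7.44 as reached by three lanes and one lane with a path to a public address; the host on 10.5.0.3 is ignored because it is not a register.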

To: BlueMondaySkipper
I notice that the number of people affected has gone from 30K, to 70K and now 110K.

Not thousands. Millions.

12 posted on 01/16/2014 9:16:07 AM PST by IYAS9YAS (Has anyone seen my tagline? It was here yesterday. I seem to have misplaced it.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: BlueMondaySkipper

Surprise, surprise. Compromised POS systems were all Windows systems. These companies are big enough that they could develop and utilize Linux-based POS systems.

That’s going to be the ONLY way to secure their systems. The ONLY way. Fundamentally, Windows as it now stands is essentially impossible to secure.

I’ve worked with Windows in depth for 16 years now, and know its ins and outs enough to make the above statement with complete confidence.

With Linux, the main threat is using insecure passwords and insider attacks.


13 posted on 01/16/2014 9:16:08 AM PST by catnipman (Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: IYAS9YAS
Not thousands. Millions.

You are correct, my bad.

14 posted on 01/16/2014 9:25:02 AM PST by BlueMondaySkipper (Involuntarily subsidizing the parasite class since 1981)
[ Post Reply | Private Reply | To 12 | View Replies]

To: BlueMondaySkipper
I notice that the number of people affected has gone from 30K, to 70K and now 110K.

Not one hundred-ten thousand, (110,000) but 110 million. (110,000,000)

Fully 1/3 of the US population.

15 posted on 01/16/2014 9:33:43 AM PST by Ol' Dan Tucker (People should not be afraid of the government. Government should be afraid of the people)
[ Post Reply | Private Reply | To 1 | View Replies]

To: catnipman
Compromised POS systems were all Windows systems.

The compromise was at the server level. The hackers installed a compromised server on the network and read the data from the POS terminals in real-time.

IOW, they had insider help or used social engineering to gain admin-level network access.

So, in this case, at least, using Linux would have made no difference at all.

16 posted on 01/16/2014 9:36:30 AM PST by Ol' Dan Tucker (People should not be afraid of the government. Government should be afraid of the people)
[ Post Reply | Private Reply | To 13 | View Replies]

To: BlueMondaySkipper
"The malicious code on the POS devices would send the credit card data to this collection point as the card was swiped. The bad guys were able to log on to the collection server to gather the data whenever they felt like it."

I guess the net admins never heard of router security protocols. There shouldn't be open routes (unauthorized IP addresses) between internal servers. We can rest easy at night that our grid is just as secure.

17 posted on 01/16/2014 9:54:07 AM PST by uncommonsense (Liberals see what they believe; Conservatives believe what they see.)
[ Post Reply | Private Reply | To 11 | View Replies]

To: BlueMondaySkipper
I notice that the number of people affected has gone from 30K, to 70K and now 110K.

Times one thousand. That's 110 Million customers.

Why I won't get a debit card--straight pipeline into your funds.

18 posted on 01/16/2014 9:56:38 AM PST by Smokin' Joe (How often God must weep at humans' folly. Stand fast. God knows what He is doing.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: BlueMondaySkipper
Anyone want to fill out the stuff for Obamacare now??? Keep in mind it is LESS secure than this system was.

Nevermind!

Better to write an autobiography and hope someone buys the book if I want my life history on view. At least I might make enough money for a cup of coffee now and then.

19 posted on 01/16/2014 10:00:48 AM PST by Smokin' Joe (How often God must weep at humans' folly. Stand fast. God knows what He is doing.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: BlueMondaySkipper

Wimpy userids and passwords.

We had a break-in on a box and my Server2008 box was audited because the pwn3d server tried to get in. When I told them my only local user id, they responded “How did you think of something that convoluted?”.

I guess the same way you thought of using “fred” as a local acct on your server.
Now the server emails me for every incorrect login.


20 posted on 01/16/2014 10:03:41 AM PST by AppyPappy (Obama: What did I not know and when did I not know it?)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Ol' Dan Tucker
It does look like an inside job:

"But according to sources, the attackers broke into Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.

“The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,” a source close to the investigation told KrebsOnSecurity. “They basically had to keep going in and manually collecting the dumps."

21 posted on 01/16/2014 10:03:54 AM PST by uncommonsense (Liberals see what they believe; Conservatives believe what they see.)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Buckeye McFrog

I’d guess the glory of the network: the POS computers talk to local servers to update inventory and other stuff, those servers talk to WAN servers to meta all that data, and those servers can connect to other servers that run basic parts of the network, which in turn are talked to by laptops run by office drones that surf porn at work. Nobody keeps domains separate anymore; it creates too much work when the same stuff (like Office apps) is needed in multiple domains, so they set up lots of two-way trusts and viruses spread.


22 posted on 01/16/2014 10:13:14 AM PST by discostu (I don't meme well.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: eyeamok

Maybe, but as long as your credit union uses computers, your personal information is in them and vulnerable to being stolen.


23 posted on 01/16/2014 10:19:11 AM PST by Boogieman
[ Post Reply | Private Reply | To 9 | View Replies]

To: Smokin' Joe

“Why I won’t get a debit card—straight pipeline into your funds.”

Well, that’s the bank’s problem. Most banks nowadays cover any unauthorized use of your card, as long as you report it within a certain time frame.


24 posted on 01/16/2014 10:25:53 AM PST by Boogieman
[ Post Reply | Private Reply | To 18 | View Replies]

To: BlueMondaySkipper

Darned spell-checker didn’t notice that you’d misspelled “M”.


25 posted on 01/16/2014 10:25:55 AM PST by DuncanWaring (The Lord uses the good ones; the bad ones use the Lord.)
[ Post Reply | Private Reply | To 14 | View Replies]

To: Buckeye McFrog
How would malware get into the POS system? You can’t use a cash register to go surfing on porn.com

POS endpoints have to be connected, otherwise they could not work to verify credit cards. Usually such embedded devices have minimal OS and network services so there aren't a lot of weak processes to try to take over. However they probably have a mechanism to upgrade/patch the software on them remotely, and to do that you generally need a port that can push software in. That might be a way the attackers got in.

One trick they use is to send data that's way too big for the buffer (sort of like the "inbox") so that the data overflows into areas of memory it's not supposed to go to. That can crash the system and force a reboot and if you planted bad stuff on it, it will load at the reboot. Really clever hackers can do far more.

26 posted on 01/16/2014 10:26:14 AM PST by pepsi_junkie (Who is John Galt?)
[ Post Reply | Private Reply | To 2 | View Replies]

To: ShadowAce

Ping to interesting details.


27 posted on 01/16/2014 10:43:44 AM PST by BuckeyeTexan (There are those that break and bend. I'm the other kind. ~Steve Earle)
[ Post Reply | Private Reply | To 1 | View Replies]

To: pepsi_junkie

Interesting post, thanks


28 posted on 01/16/2014 10:45:14 AM PST by nascarnation (I'm hiring Jack Palladino to investigate Baraq's golf scores.)
[ Post Reply | Private Reply | To 26 | View Replies]

To: Buckeye McFrog

Looks like the hackers breached a web server and then logged onto POS servers which control the POS devices. What’s disturbing is that the hackers had a persistent connection and periodically downloaded data.


29 posted on 01/16/2014 10:47:45 AM PST by BuckeyeTexan (There are those that break and bend. I'm the other kind. ~Steve Earle)
[ Post Reply | Private Reply | To 2 | View Replies]

To: BlueMondaySkipper

bookmarking this.

NOTE: If this blogger, KrebsOn Security hadn’t received a tip and researched it, then published it, none of us would have known about it. Target never even admitted it happened until two days after he published the info, and never, ever did anything to recompense customers. Even their offer of free credit monitoring came weeks after the news broke.


30 posted on 01/16/2014 10:51:00 AM PST by JoyjoyfromNJ (everything written by me on FR is my personal opinion & does not represent my employer)
[ Post Reply | Private Reply | To 1 | View Replies]

To: pepsi_junkie
However they probably have a mechanism to upgrade/patch the software on them remotely, and to do that you generally need a port that can push software in

I don't think we will ever hear what happened, but it wouldn't surprise me if the machines didn't have a password set or a very simple one.

31 posted on 01/16/2014 10:54:04 AM PST by EVO X
[ Post Reply | Private Reply | To 26 | View Replies]

To: BlueMondaySkipper

I can see how the POS data could be collected by this malware and sent to some obscure place on Target’s servers for later collection by the bad guys, but how did it get there? I suspect that someone within Target’s IT department with access may have done this and opened a back door for the bad guys to retrieve the hacked information. It is also possible that someone could do this by hacking into the system from outside, but then why pick Target instead of some more high end stores where customers have more to steal?


32 posted on 01/16/2014 11:49:48 AM PST by The Great RJ
[ Post Reply | Private Reply | To 1 | View Replies]

To: BlueMondaySkipper
Another interesting article.

Oh the irony

33 posted on 01/16/2014 11:56:53 AM PST by BlueMondaySkipper (Involuntarily subsidizing the parasite class since 1981)
[ Post Reply | Private Reply | To 1 | View Replies]

To: BlueMondaySkipper; All
Why do I suspect this all has to do with another octopus arm of the gov’t - they want to know every move, every purchase, everything in your bank acct and your movements... etc.

We can still circumvent most by just leaving monthly bill money in checking - take rest in cash and use for purchase -

Why do you think they want to get rid of cash?

34 posted on 01/16/2014 12:55:29 PM PST by maine-iac7 (Christian is as Christian does - by their fruits)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Buckeye McFrog

If it’s on a network, it can be hacked. And recently, it has been alleged that the NSA can hack even an offline machine that had been previously compromised.


35 posted on 01/16/2014 1:12:00 PM PST by SgtHooper (If at first you don't succeed, skydiving is not for you.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Boogieman

You guys are forgetting that other data sources have your info without you doing any online transactions. Consider the IRS records, local county tax records, real estate records, credit report companies, etc. You may not enter or place your info online, but somebody else does.


36 posted on 01/16/2014 1:14:46 PM PST by SgtHooper (If at first you don't succeed, skydiving is not for you.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Smokin' Joe
Nevermind

Never mind
37 posted on 01/16/2014 1:34:10 PM PST by Windflier (To anger a conservative, tell him a lie. To anger a liberal, tell him the truth.)
[ Post Reply | Private Reply | To 19 | View Replies]

To: SgtHooper
Yeah, that's why I said you might be safe. There's no such thing as completely safe from identity theft.

38 posted on 01/16/2014 1:39:30 PM PST by Boogieman
[ Post Reply | Private Reply | To 36 | View Replies]

To: JoyjoyfromNJ

One of the better investigative reporters on the web.


39 posted on 01/16/2014 1:42:29 PM PST by RKBA Democrat (Having some small say in who gets to hold the whip doesn't make you any less a slave.)
[ Post Reply | Private Reply | To 30 | View Replies]

To: BlueMondaySkipper; rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; ...

40 posted on 01/16/2014 1:52:00 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: catnipman

You’d be foolish to omit network vulnerabilities as part of the issue. As a server administrator and network engineer, I can tell you that everything from your ISP modem to your iPhone are scanned on a regular basis from points all around the world for port and protocol vulnerabilities every day, every hour, every minute.

I run a VM server and host several gaming clan sites and voice services from my home, and my logs are flooded with requests from all over the globe: Romania, France, Sweden, Russia, China, Vietnam, the Philippines, Venezuela, Brazil, you name it. I’ve set up filters on my proxies to prevent IPs from Russia and China, specifically, but my firewall logs are constantly hammered. They’re scanning every possible port from lowly SSH (22) up through the higher random ports most Windows systems use (1024-65K). If they find something, they’ll get in.

This is where I tell everyone who is using Windows XP to STOP USING WINDOWS XP! I don’t care if you’re in your 60s and XP “just works,” for us younger whippersnappers, there’s nothing more laborious or frustrating than getting a call from our elders about computer problems and coming to find out you’re running XP. Would you still be driving around an Edsel if you could? C’mon! XP is a giant vulnerability matrix. You’re on your own VERY soon, as MS no longer supports the OS in any way.

Many POS systems are running XP or some screwy Windows variant. There are plenty of FREE Linux distros for POS. Most large businesses like Target don’t want to invest the money for the right people to do a large-scale implementation, but we do exist.


41 posted on 01/16/2014 2:05:02 PM PST by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 13 | View Replies]

To: AppyPappy

Smart. I love wing dings.


42 posted on 01/16/2014 2:22:06 PM PST by 1010RD (First, Do No Harm)
[ Post Reply | Private Reply | To 20 | View Replies]

To: SgtHooper

“You guys are forgetting that other data sources have your info without you doing any online transactions. Consider the IRS records, local county tax records, real estate records, credit report companies, etc. You may not enter or place your info online, but somebody else does.”

One of the most vulnerable places is our health care system even before Obozo Care.

Medicare, Medicaid and most insurance companies use one # for patients, our Social Security #.

Then, they have our DOB, sometimes POB, address, phone #, Cell phone # and email sites.

Many medical providers do a credit check so they have that number/data.

Many providers seem to prefer being paid by credit card, if so they have that number.

If you pay by check, they have all of your banking numbers.

Often the lowest paid people in a medical office have full access to all of the above, plus your medical history.

Last summer, our FPs retired or went to a big HMO.

So we had to fill out all of the data above to be seen. The local group’s site was not verified and brought up warnings from my internet provider and services like Norton. I told our new FP, and he laughed until I showed him the warnings. He made a couple of quick calls, and the patient side of their site was shut down until a new site was opened up. Their current site is verified and seems okay now.

Another site, a surgical specialty site, has yet to get its act together. We pay our bills with electronic checks or cash.

Another specialty medical site had a similar problem, and that seems to be okay since they merged with the local hospital, which is part of a big California hospital organization. This organization has a lot of employee unrest and union battles which is not a reassurance.

Last but not least are the Store discount cards which market/mine our private data. The one such card I have, I am St Nick, born on the 4th of July in 1918. In five years, only one clerk has picked up on my fantasy ID, and she just laughed.


43 posted on 01/16/2014 2:22:21 PM PST by Grampa Dave ( Obamacare is a Trinity of Lies! Obamaganda is failing 24/7/365! Obamaganda will fail 24/7/365!)
[ Post Reply | Private Reply | To 36 | View Replies]

To: BlueMondaySkipper
From there they could deploy the malicious code to the POS devices...

I'll say! Actually I do. Devices that are targets for this kind of attack shouldn't be able to be remotely flashed with new software. It's convenient for the people who manage them, but so what, it's not their money to be putting at risk.

44 posted on 01/16/2014 2:58:47 PM PST by Still Thinking (Freedom is NOT a loophole!)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Still Thinking
Devices that are targets for this kind of attack shouldn't be able to be remotely flashed with new software. It's convenient for the people who manage them, but so what, it's not their money to be putting at risk.

Barring doing the safest thing (not allowing remote flashing of code) they should at minimum have monitoring that alerts when code is added or changed.

45 posted on 01/16/2014 3:26:00 PM PST by BlueMondaySkipper (Involuntarily subsidizing the parasite class since 1981)
[ Post Reply | Private Reply | To 44 | View Replies]
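The minimum the post above asks for, an alert whenever code on a device is added or changed, is a baseline-and-diff integrity check. The following is an added example, not tooling from the thread, from Target or from any POS vendor; the directory layout and file names it builds are constructed for the demonstration.

```python
"""Baseline-and-diff integrity check for a device's code directory.

Added example. The file tree it creates is constructed for the demo and
does not reflect any real POS software layout.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (as a forward-slash relative path) to its hash."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(old, new):
    """Classify drift against the stored baseline.

    For a device that is never supposed to change on its own, any non-empty
    list here is an alert condition, not just a log line.
    """
    return {
        "added":   sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo(tmp_root=None):
    """Create a constructed code tree, snapshot it, then simulate one dropped-in
    module and one modified existing binary, and return the resulting diff."""
    if tmp_root is None:
        with tempfile.TemporaryDirectory() as d:   # self-cleaning scratch dir
            return demo(d)
    root = Path(tmp_root)
    (root / "bin").mkdir(parents=True, exist_ok=True)
    (root / "bin" / "register.exe").write_bytes(b"original register software")
    (root / "config.ini").write_text("[lane]\nid=5\n")
    baseline = build_baseline(root)            # what the device should look like

    # Simulated drift: a new file appears and an existing binary is altered.
    (root / "bin" / "dropped.dll").write_bytes(b"unexpected new module")
    (root / "bin" / "register.exe").write_bytes(b"original register software, altered")
    return diff_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the device and signed, since a baseline the device can rewrite for itself proves nothing.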

To: BlueMondaySkipper

I’m not even saying flashing shouldn’t be “allowed”. I’m saying it should be impossible. Whatever code the devices run should be in hardware, requiring physical contact to reload. If it’s a permission thing, there might be some way for them to end run it.


46 posted on 01/16/2014 3:34:38 PM PST by Still Thinking (Freedom is NOT a loophole!)
[ Post Reply | Private Reply | To 45 | View Replies]

To: Grampa Dave

Agreed. Perhaps the only saving grace is that greed may overtake the hackers to the extent that large sums of money are detected as moving from place to place and catches the eye of Law Enforcement. If they stay small, they likely will never be caught. There are simply too many sources from which to piece together a user profile and then raid their accounts. Especially when governments support this type of behavior.


47 posted on 01/16/2014 3:38:55 PM PST by SgtHooper (If at first you don't succeed, skydiving is not for you.)
[ Post Reply | Private Reply | To 43 | View Replies]

To: AdmSmith; AnonymousConservative; Berosus; bigheadfred; Bockscar; cardinal4; ColdOne; ...

Thanks BlueMondaySkipper.


48 posted on 01/16/2014 4:36:56 PM PST by SunkenCiv (;http://www.freerepublic.com/~mestamachine/)
[ Post Reply | Private Reply | View Replies]

To: Still Thinking
“requiring physical contact to reload.”

I am 100% behind you, but it's not going to happen. The buggy software that we squeeze out nowadays needs to be patched too often. IMHO we are on the precipice of a software crisis where our systems are too big and too convoluted for anyone to understand. They are poorly designed and hurriedly slapped together with little or no QA. They are riddled with security flaws. If we could not continuously push out bug fixes, nothing would work. And now, this is all catching up with us. God help us.

49 posted on 01/16/2014 5:06:43 PM PST by beef (Who Killed Kennewick Man?)
[ Post Reply | Private Reply | To 46 | View Replies]

To: beef

It’s a credit card terminal. How complicated could it possibly be or hard to get it right? Why is it even running on an OS in the first place instead of bare metal?


50 posted on 01/16/2014 6:05:01 PM PST by Still Thinking (Freedom is NOT a loophole!)
[ Post Reply | Private Reply | To 49 | View Replies]

