Skip to comments.A First Look at the Target Intrusion, Malware
Posted on 01/16/2014 8:40:12 AM PST by BlueMondaySkipper
click here to read article
That is complete BS. First Windows XP is no longer in regular support and is going to be completely unsupported in April.
Try getting a version of Linux from when XP was launched that is still secure today.
I know they are two separate words. Cramming them together is reminiscent of a (now) very old SNL skit.
It'd be pretty hard to find a better description of healthcare.gov, eh? Today I was watching the news coverage of one of the Dem. Reps (in Lamar Smith's committee, I think?) The Rep. was accusing the Pubs of trying to "scare" people away from signing up for ObamaCare, with security concerns. This from an old fool who could not run a lemonade stand, or learn in 2 years how to write a 6 line program in Basic. (See, there I am dating myself!) The gratifying thing was the interviews of young people asked if they were concerned / would sign up, and were saying "no way!"
The Dems of course had their own "expert" saying, essentially, that healthcare.gov was not as attractive a target as other sites. Obviously this guy doesn't understand all hackers or their motivations. Most Everest climbers don't do it solely for the money...
Then of course there was that Pub bill the other day, that would supposedly require the Administration to report any thefts of information from the healthcare.gov within 2 days of the occurrence. (Paraphrasal.) Yeah, that'll help. Shouting at the horse that's already galloped 500 ft. out the barn door helps too.
Because, if you're running on bare metal, you'll have to invent the OS.
Then where are you? You will now have an ad hoc, informally specified, bug-ridden semblance of an OS. Congratulations!
The bad guys will get a hold of a sample of your custom brainchild OS, reverse engineer it, and fashion a suitable attack. Then all they have to do is get on your network and deploy their code with a script, similar to the ones you use to update your system.
If the door's ajar, they'll get in!
How do you pay your bills?
I have a B of A account. When my Amex bill arrives, I log onto my B of A account and schedule a payment of the full amount on the due date several weeks into the future. Just keystrokes and clicks. Works every time. Puts the USPS out of business (or reduces them to littering my mailbox with ValuePaks).
What's the use of a bank account if not to make payments?
No, it's your problem if your checks bounce.
My solution is always to use my Amex card.
I remember when "check cards" were introduced. My new ATM card came with a MasterCard logo and a brochure touting the new charge card "feature".
I called the 800 number and asked if that meant charges could be made without entering the PIN. They said yes, it's more convenient you can use it anywhere a credit card can be used. I told them to close my account. They said, hold on, we'll send you a new card. And they did. In the next day's mail no stinkin' MC logo and a new account number not in the MC range.
ATM card should be used only at ATMs. All other payments should be using charge cards!
If the POS is running on top of a vulnerable Windows OS, all too easy. All it takes is one compromised machine on a network, and it can be used as an attack platform to target other machines that can be exploited. Pretty soon, the attacker 'owns' the place.
Businessweek has an article that saying that 95% of ATMs worldwide are still using XP. Support for embedded XP ends in 2016, instead of this year for regular XP. It wouldn't be surprising if POS systems have similar ratios.
Because they can. Because it's cool. To be fair, embedding something like Linux in an electric meter gives you access to protocol stacks and other platform software that work pretty well. But putting stuff like this under so much automation opens us up to remote attacks and we can't anticipate all of them. Was it really so bad having a 90 IQ guy drive around and read meters instead of sitting at home watching Jerry Springer?
Embedded operating systems often have customized kernels to accommodate the lower-end hardware in most POS and ATM devices. That being said, it’s still a Windows XP kernel which is a well-known vector and capable of exploitation if not patched properly, which I can personally attest they usually aren’t.
After the congress critter declared the Target problem to be like the Obama care problem,I am certain the hack was done by the treacherous tyrant in the White House to make himself look good.
Emily Litella? I remember that too, but it was still two words.
Easy, I only Write Checks for Bills, and pay CASH for everything else. I make NO electronic Transactions of ANY KIND EVER. I should also point out the obvious, when you Use CASH ONLY, you will find yourself not Wasting Money on trivial Bullshit that you really don’t need. Abstinence works every time it is Tried.
Well, to each his own I guess. I have bounce protection and fraud protection from my bank, so there is really nothing to worry about, for me.
That was a thorough monkey hammering they took. If they weren't patching them before, they will be shortly.
That’s hackers’ goal was the data, not to bilk cardholders directly. The way these large scale credit card scams generally work is the hackers steal the information, package it in bundles, and then resell it to criminals on the black market. These criminals then run the false transactions.
That could be a minor annoyance. I might have to call the 800 number and tell them I haven't been to Estonia or wherever. They might need to issue me a new card. But there would be no dent in my bank account and no bounced checks. They are unusually efficient about removing fraudulent or disputed charges.
In any case, at Target, I use the house REDcard because they give a 5% discount.
I was thinking Rosanna Rosanadanna, but it has been a while...
Don't I know it! I don't know how I even remembered the Emily Litella character. It just popped into my head. But she was the one who used to go off on the rants because she misunderstood a word.
The bad guys were logging in remotely to that [control server], and apparently had persistent access to it, a source close to the investigation told KrebsOnSecurity. They basically had to keep going in and manually collecting the dumps.
Its not clear what type of software powers the point-of-sale devices running at registers in Targets U.S. stores, but multiple sources say U.S. stores have traditionally used a home-grown software called Domain Center of Excellence, which is housed on Windows XP Embedded and Windows Embedded for Point of Service (WEPOS).
If the malware was an attack on Windows XP Embedded/Windows Embedded for PoS" it'll be the first case I've heard of, though likely not the ONLY case out there.
XP Embedded happens to run quite a few ATM machines in the U.S. I was part of a large project for a big Chicago Based Bank (now B of A) back in 2003 which converted legacy mainframe based 3270 ATM's with Windows XP Embedded.
My guess is right about now there's a whole lotta banks double-checking their ATM security .....
Its not that clever. Buffer overflows have been used since Sendmail came out in the 1980s. Its old hat now. Sendmail ran as root. Guess what file they went after? That's right. Send your stuff straight to the passwd file.
Never let anyone code using gets() and you'll take care of mot of those.
I was thinking that everyone certainly is speaking negatively of Target’s system until I suddenly remembered that POS also means “point of sale”.