Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Target Compromised Via Its HVAC Contractor's Network Credentials

Attackers compromised credentials for a third party and were off to the races -- leaving a key concept of network security in the dust

In the movies, the sight of a burglar sneaking into a building through an air duct is not uncommon. But a hacker compromising credentials belonging to a HVAC company? Not so much.

Yet that appears to be what happened in the Target breach late last year. In this case, hackers are believed to have stolen network credentials belonging to Fazio Mechanical Services, a provider of refrigeration and HVAC systems, and used them to ultimately compromise Target's point-of-sale systems with malware.

In a statement, the company says its data connection with Target was "exclusively for electronic billing, contract submission and project management," and that it does not remotely monitor or control heating, cooling, and refrigeration systems for Target.

"Like Target, we are a victim of a sophisticated cyber attack operation," according to the company. "We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches."

If theft of user credentials from Fazio is at fault, then the breach has just shined a light on a key concept of network security: segmentation.

"Attackers do not always break into your computer network using exploit code," says Tom Cross, director of security research at Lancope. "In this case, the attackers reportedly used a valid login and password, and they logged right in. Many organizations aren't prepared to defend themselves against that kind of attack scenario -- they are looking for traditional attacks, and they cannot identify a situation where a 'valid' user on the network is behaving anomalously and might be compromised."

Interestingly, segmenting payment systems from other systems on the network is not part of the requirements of the Payment Card Industry Data Security Standard , something people have argued about for years, Gartner analyst Avivah Litan notes.

"Frankly, I think their hands-off approach, which does include gentle guidance, makes sense here," she says. "Companies with large networks know they have to segment their cardholder data environment because otherwise their entire network is in scope of the PCI audit. So this is generally where retailers and other card accepting companies start. And in a way, the less prescription from PCI on this the better because this is an area where technology advanced quickly."

"There are lots of things you do to segment a network -- i.e., firewalls, IPS, DLP, strong access controls ... I'm sure they did that. They just must have missed a hole or two," she says. "It's tough -- very tough -- to secure thousands of [endpoints]."

Nevertheless, organizations that have opened their businesses and networks to third parties have to understand the risk associated with allowing users from outside of the company to access internal resources, says Mike Denning, senior vice president and general manager of CA Technologies' security business. Companies need to segregate groups of users and treat vendors, employees, and their access privileges differently and ensure their network architecture is built to prevent unauthorized access into other systems.

"They also have to understand the scope of control they have around a contractor is not as strong as an internal employee," Denning says. "For example, there is no control over the contractor’s IT system or its best practices for security."

While network segmentation may not be stressed in PCI, checking logs is [section 10.6]. Analyzing log data should have alerted Target to what was happening, argues security researcher Vinny Troia, founder of Night Lion Security. Point-of-sale terminals and IT systems at Target can probably generate gigabytes of data per day. But an abundance of log data is not justification for ignoring the logs, says Troia.

"My personal experience has shown me that a major problem with many organizations today is that security always takes a back seat to finance," he says. "Without a mature risk or governance program in place, security usually does not have representation in the executive boardroom and is often pushed aside for the sake of cutting costs or rapid progress. In every situation where I have witnessed executives sacrifice security at the start of a process or program for the sake of saving money, the cost of retrofitting security into an existing solution often ends up costing considerably more to implement."

"That lack of structure and governance within organizations is why I believe that chips within credit cards will inevitably fail," Troia adds. "If we rush to implement credit cards with encrypted data, companies will [be able to] rely on the encryption of the cards, rather than the security of their own systems. Every time money is spent developing an unbreakable solution, it is inevitably broken -- remember Sony’s copy protection being cracked with a marker? If we switch the focus of security to these new cards, it will just create an even bigger hole once the encryption is broke."

In congressional testimony (PDF) Feb. 4, Target CFO John Mulligan said that the company is undertaking an end-to-end review of entire network and will make any appropriate security enhancements.

"We had in place multiple layers of protection, including firewalls, malware detection software, intrusion detection and prevention capabilities and data loss prevention tools," Mulligan says in his testimony. "We perform internal and external validation and benchmarking assessments. And, as recently as September 2013, our systems were certified as compliant with the Payment Card Industry Data Security Standards."

"To prevent this from happening again, none of us can go it alone," he continues. "We need to work together. Updating payment card technology and strengthening protections for American consumers is a shared responsibility and requires a collective and coordinated response. On behalf of Target, I am committing that we will be an active part of that solution."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
shjacks55
50%
50%
shjacks55,
User Rank: Apprentice
3/7/2014 | 5:20:04 AM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
Fazio wasn't involved in Nieman Marcus exploit. The skeptic in me sees Fazio as misdirection "bread crumbs".
shjacks55
50%
50%
shjacks55,
User Rank: Apprentice
3/7/2014 | 5:18:33 AM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
All the major retailer use Software Automation to push updates from the corporate data center to the individual store servers to the POS equipment. Although many block ports (e.g. 3389), the ability of the corporate data center to manage machines remotely always allows access. Corporations (run by managers) place more emphasis on loss prevention by low level employees and customers than the great magnifying effect of errors by upper management.
cyannella
50%
50%
cyannella,
User Rank: Apprentice
2/13/2014 | 10:06:38 PM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
Anyone at Target ever hear of vlans? Lets just put the entire stores networked devices on one connected switch said no one ever. Probably had the hvac, lrt's, pdt's, registers, workstations, store servers all on one network. Dumb. AP's camera systems are probably all tied in there too. Dumb.
AccessServices
50%
50%
AccessServices,
User Rank: Apprentice
2/10/2014 | 7:34:40 PM
re: Target Compromised Via Its HVAC Contractor's Network Credentials
I agree with problem identified with putting chips in credit cards. Has anyone thought about using PKI from the card to the bank? So my card has a pubic and private certificate inside of it. I would connect the card to the merchant's reader where an encrypted tunnel would be built between the reader and the bank. The PAN and PIN would be sent over this tunnel encrypted. The merchant would only see a response from the bank that the transaction was approved. The only audit would be on the readers. This model breaks down for online purchases where card holders could either purchase home readers or banks would use cell phones or email for two factor authentication.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...