Skip to main content

BusinessWeek has a scathing article in the latest edition which reveals that Target had enough evidence to stop this winter's massive data breach before it even started--and did absolutely nothing.  I mentioned this yesterday, but I'm reposting given the ramifications.

It’s a measure of how common these crimes have become, and how conventional the hackers’ approach in this case, that Target was prepared for such an attack. Six months earlier the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye, whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.

On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route. As they uploaded exfiltration malware to move stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …

Nothing happened.

The bottom-feeders struck again on December 2, installing another version of their malware.  Again, FireEye redflagged it--and again, Target failed to act.  According to a consultant with Target's internal investigation, FireEye issued the highest-priority alerts on its scale.  FireEye was sophisticated enough that even though the hackers cloaked their malware with the name "BladeLogic," a legitimate program used to protect credit card data, it was able to detect that it was really malware.

Even worse, Target's security team just sat and twiddled its thumbs when its antivirus software detected suspicious behavior from the same server called out by FireEye.  As a result, for the next two weeks 110 million pieces of data adding up to 11 gigs flowed right under their noses to three compromised servers in Northern Virginia, Provo and LA before going to a server in (surprise!) Moscow.  And yet, the hackerswere laughably careless.  According to Jamie Blasco of security firm AlienVault, they had user names and passwords for those servers embedded n the code.  Had Target's security people responded to the FireEye alerts, they could have signed into the servers and taken the data back before the hackers made their daily pickup.

Target is already in a world of trouble for this snafu, and it may be in for more.  The House Oversight Committee is now pressing Target for additional documents related to the information BusinessWeek obtained; it already got a bunch of documents earlier this week before this story broke.  

I had thought about giving Target another chance.  But after reading this, it may be awhile.  A very long while.

EMAIL TO A FRIEND X
Your Email has been sent.
You must add at least one tag to this diary before publishing it.

Add keywords that describe this diary. Separate multiple keywords with commas.
Tagging tips - Search For Tags - Browse For Tags

?

More Tagging tips:

A tag is a way to search for this diary. If someone is searching for "Barack Obama," is this a diary they'd be trying to find?

Use a person's full name, without any title. Senator Obama may become President Obama, and Michelle Obama might run for office.

If your diary covers an election or elected official, use election tags, which are generally the state abbreviation followed by the office. CA-01 is the first district House seat. CA-Sen covers both senate races. NY-GOV covers the New York governor's race.

Tags do not compound: that is, "education reform" is a completely different tag from "education". A tag like "reform" alone is probably not meaningful.

Consider if one or more of these tags fits your diary: Civil Rights, Community, Congress, Culture, Economy, Education, Elections, Energy, Environment, Health Care, International, Labor, Law, Media, Meta, National Security, Science, Transportation, or White House. If your diary is specific to a state, consider adding the state (California, Texas, etc). Keep in mind, though, that there are many wonderful and important diaries that don't fit in any of these tags. Don't worry if yours doesn't.

You can add a private note to this diary when hotlisting it:
Are you sure you want to remove this diary from your hotlist?
Are you sure you want to remove your recommendation? You can only recommend a diary once, so you will not be able to re-recommend it afterwards.
Rescue this diary, and add a note:
Are you sure you want to remove this diary from Rescue?
Choose where to republish this diary. The diary will be added to the queue for that group. Publish it from the queue to make it appear.

You must be a member of a group to use this feature.

Add a quick update to your diary without changing the diary itself:
Are you sure you want to remove this diary?
(The diary will be removed from the site and returned to your drafts for further editing.)
(The diary will be removed.)
Are you sure you want to save these changes to the published diary?

Comment Preferences

  •  appalling (1+ / 0-)
    Recommended by:
    Sylv

    and now they get to suffer the consequences.  Wonder why they were asleep at the switch.

  •  A quote from that article: (2+ / 0-)
    Recommended by:
    Sylv, gypsytoo
    Target Chairman, President, and Chief Executive Officer Gregg Steinhafel issued an e-mailed statement: “Target was certified as meeting the standard for the payment card industry (PCI) in September 2013."
    If Steinhafel believes what he says here--and it could just be CYA PR--then this shows the real problem here.

    Security is not based on certifications--all a certification shows is that (at the best) at the point in time of the certification review, with those systems, running those versions of software, everything appeared to meet the industry standards.

    At the worst, such a certification review simply says that Target had documented procedures in place--which they may or may not have been following.

    Certification provides nothing more than a piece of paper which can be shown to execs, boards, shareholders, and insurance companies to "prove" your systems are compliant with the latest standards.  It does nothing to insure that procedures are followed.

    Further, security is not moving target (pardon the pun).  Security measures must be constantly updated to meet evolving threats, and processed must be modified to keep up with new techniques.  Quoting a certification review done 1-1/2 years ago as evidence of Target's "best efforts" to maintain security is ludicrous, disingenuous, and/or indicative of a poor understanding of security methodologies at the highest level of the company.

    "Against stupidity the gods themselves contend in vain" -- (Talbot, in: The Maid of Orleans by Friedrich Schiller)

    by rfall on Sat Mar 15, 2014 at 10:11:13 AM PDT

Subscribe or Donate to support Daily Kos.

Click here for the mobile view of the site