Credit Card Data Breach... AGAIN!

robjvargas

Rob J. Vargas
Wow. That is shocking, really, that a business wouldn't have a secure network. Especially a bank! Sounds like your son is a good man, though, hunting down the insecure networks and saving us from fraud, one institution at a time. :)

Security is a tough sell sometimes. It sort of "spiders" into all sorts of unrelated areas.

Recently, I was part of a team trying to isolate some malware activity. I was also getting pinged by an employee who had installed some form design software and couldn't access cloud storage with it. He was upset that we hadn't replied to him in four hours.
 

TerryRodgers

Several news outlets are reporting another major cardholder data breach. This time it's Target. Here's the CNBC story. (Emphasis added)



One of the interesting items here is that the story says that, "Shoppers who made purchases at their stores" are the affected people. At least the story says that's who should be alert. So this isn't a breach of online transactions. Or doesn't appear to be so.

Wasn't there a guy over on WD saying this isn't possible? Or was he referring to there being no such thing as brute force attacks?
 

robjvargas

Rob J. Vargas
Are you trying to bait him over to here, Terry? :tongue

As it turns out, this wasn't a brute force attack.

For those interested, here's a bit more detail emerging over how this attack took place.

Widely used management software running on Target's internal network may have given an important leg-up to attackers who compromised 40 million payment cards belonging to people who recently shopped at the retail giant, according to an article published Wednesday by KrebsonSecurity.

A default username and password essentially hard-coded into an application.
 

raburrell

^Yep - that 'backupuser' password thing was the same story I got from the hubs.

I think Target is in some very big trouble with people who decide to sue over this. And I hope (but have my doubts) that the dozens of other retailers who likely have the same stuff in place are taking steps to fix things.
 

robjvargas

Rob J. Vargas
Maybe, but if this was enabled by the management software, then the maker of that software (BMC Software) is vulnerable to being sued by Target.
 

TerryRodgers

The old default username and password issue. It amazes me around my office when I see passwords stuck to the user's monitor. I sometimes take them when no one is looking. :evil
 

robjvargas

Rob J. Vargas
I once saw an article that opined having the password on a stickie at your desk wasn't so bad. After all, if someone malicious has physical access to your desk, you've got bigger problems than logins.

It intrigued me. But then I thought, "janitorial staff." There are people in a business who have physical access that should not have digital access.
 

Torgo

There's been recent research to suggest that the higher up you are in an org the more of a security risk you are. My brother, who has been sysadmin on some huge corporate networks, tells me that guessing CEO passwords is usually as easy as trying PASSWORD or 12345 or QWERTY. Harder to get the email address, but not that hard. Janitors are often a lower apparent security risk than the boss.

Or if you need physical access? Some big publishing offices I've been in; wander in looking like you work there, past reception, find a 'hot desk', crack the network. (I've worked places where they're running XP SP2 and don't have any safeguards on, say, booting from USB.) If you can get physical access to an internal network, you probably aren't going to have too much trouble getting whatever kind of digital access you want.
 

roundtable

I work from home and know one client's password is the company name. It's scary that someone thinks this is a good password. My son's professors taught them all to think of something personal, like the name of a favorite song, and then make the letter in each word uppercase, replace some letters with numbers or symbols and then add the initials to the website they use the password for to make the password different for every site. For example, if the favorite song was Hotel California - it would become something like H0t3lC4!1f0rn1a and then to use that password on Barnes and Noble, they'd add BN somewhere in it. My problem becomes sites that do not allow symbols in the passwords or that limit the number of characters you can enter. There are still a number that do not allow symbols, and I know of one major credit card company that limits passwords to 8 characters.
 

Torgo

Any time you see a restriction on the number of characters allowed, you're probably dealing with a badly-designed system that stores passwords in plaintext. If you have properly-hashed passwords, the hashes end up all the same length however long your password is, so there's no reason to restrict it.

A credit card company limiting passwords to 8 characters is, I think, nuts.
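Torgo's point about hash length, as an added example that is not part of the thread: a salted PBKDF2-HMAC-SHA256 password store (iteration count, salt and digest sizes are constructed assumptions, not a real site's settings) in which an 8-character password, roundtable's song-based password with symbols, and a long passphrase all produce the same 48-byte record, so neither a length cap nor a symbol ban buys the server anything.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed parameters for this illustration: PBKDF2-HMAC-SHA256 with a
# 16-byte random salt and a 32-byte derived key. Tune the iteration count
# to the hardware the login service actually runs on.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest. The digest is DIGEST_BYTES long whatever the
    length or character set of the password, so no input cap is needed."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, DIGEST_BYTES
    )
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, DIGEST_BYTES
    )
    return hmac.compare_digest(candidate, digest)


def stored_record_lengths(passwords: List[str]) -> List[int]:
    """Length of what would land in the database for each password."""
    return [len(hash_password(p)) for p in passwords]


if __name__ == "__main__":
    # Constructed sample passwords: an 8-character one, the thread's
    # song-based one with symbols and a site tag, and a long passphrase.
    samples = ["Tr0ub4d!", "H0t3lC4!1f0rn1aBN", "correct horse battery staple, 2013"]
    print(stored_record_lengths(samples))  # every record is 48 bytes
    rec = hash_password(samples[1])
    print(verify_password(samples[1], rec), verify_password("wrong", rec))
```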