Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Target’ Category

ASSESSMENT: Target Media and Lawsuit Failures

with 2 comments

new-management-model

 

The Target Hack Media Failures:

From the moment that Brian Krebs first put out his story on the Target hack it’s been mostly a feeding frenzy of reporters trying to out scoop not only Brian but everyone else they could leverage to get a headline. Throughout the whole affair though there has been a lot of speculation on how the hack happened, the timelines and just what if anything Target knew about what was happening to them as it was going on. Since the first report we have come a long way to understanding through confidential sources just how the happened but the reality is that there are many things still unsaid about the hack itself with any certainty.

The biggest hole in the whole story to date has been how did the hackers infiltrate into Target in the first place? After looking at data that Brian had shown me and doing my own research on Rescator and the Lampeduza he and I came to some conclusions on how they most likely got into their systems. Primarily the phish on Fazio allowed the attackers to gain access to Target’s booking/payment systems for doing business with their vendor’s online. It was a supposition on my part that they used an infected Excel sheet, doc file or pdf to gain access to the peripheral system connected to the internet by passing it with the stolen credentials to Target’s online system. Once a user had the file inside they likely opened the document and infected themselves and thus allowed access to the general network. Of course then it become simply an issue of locating a machine that sits on the LAN where the servers and the POS can be accessed.

The media generally though has been harping on the idea that since Fazio is an HVAC company that they had access to ICS or PLC units within the Target network as this is all the rage in the news. There never has been any proof of this happening and in fact Fazio has made a statement saying they never had access to the Target HVAC systems remotely as they don’t do that kind of work for them. This however escaped the media in general as well as some Infosec bloggers that I know as well. Now however we have a new twist on this media festival of failure with the advent of the Target lawsuits recently brought out by banks involved with this mess.

The Target Lawsuit Failures:

The Target lawsuit  now not only goes after Target Corp itself but also Trustwave, a security company that allegedly carried out the Target PCI-DSS (Payment Card Industry) assessment at or around the same time as the compromise to Target was happening. It was at this time that Trustwave certified that Target was in fact “PCI Compliant” and that in the industry’s eyes secure. Of course this is a misnomer that many in the security field have been venting about for years and the popular euphemism for it is “Check box Security” because in reality it is just a check mark on a form and not a real means of protecting data.

Screenshot from 2014-03-28 15:59:42

 

The lawsuit is filled with ill informed views on what happened to Target as well as how security works and has been roundly regarded in the security community as well as the legal community as a joke. Using dubious sources on cyber security and primarily believing all that the media has written on the subject of the Target breach this lawsuit makes assumptions about the PCI that are common and untenable. One of the more egregious failures in comprehension is that any system of checks and or regulations would make any system or database secure just by the very fact that you have checked off all the boxes in a list of things to do. This is especially the case with PCI due in a larger part because of the way it is audited and by whom.

PCI-DSS Failures:

One of the real issues that seems to be coming out of the lawsuit and the reporting on it centers on encryption of data. The encryption of data at rest (in a database) or in flight (on the network between systems) is the crux of the issue it seems to the legal team for the litigants in the Target affair but I would like to state here and now that it is a moot one. The idea is that if everything is encrypted end to end then it’s all good. This is not the case though as in the case of this particular attack on Target the BlackPOS malware that was used scraped the RAM of the systems which was not encrypted and usually isn’t. This is a key factor in the case and unfortunately I know that the legal teams here as well as the legal system itself are pretty much clueless on how things work in technology today so this will just sail right over their heads.

Here are the facts in as plain a way as I can get across to you all:

  • BlackPOS infects the system and scrapes the RAM for the card data
  • BlackPOS then copy’s the data and exfiltrates it to an intermediary server to be sent eventually to the RU
  • The data is not encrypted at this time and thus all talk of encryption of data or databases is moot unless said data came from database servers and not copied from POS terminals
  • Encryption therefore in database or on the fly is a MOOT POINT in this case

There you have it. It’s a pile of fail all the way round and the media and the law are perpetuating half truths and misconceptions on how things really work in the digital world. There are many issues with PCI-DSS and the encryption issue that is cited in the law suit and the Wired piece linked above are just silly because the writers and the lawyers haven’t a clue. While PCI needs to either die a quick death for something better it is not the only reason nor the primary one that the attack on Target worked. There are of course many other reasons due to inaction that have been brought forth recently that do paint quite another picture of ineptitude that are the real culprits here.

Analysis:

Overall the analysis here is that there are many to be blamed for this hack and not all of them are the adversaries that carried it off. The fallout now with the lawsuits and the press coverage of the debacle has only amplified the failures  and is making things worse for some and better for others. We have seen an uptick already in finger pointing as well as sales calls laden with snake oil on how their products could have stopped Rescator cold. The fact of the matter is Fireeye and Symantec both tried but the end users failed to allow it to act as well as heed their warnings. Of course one also should look at this and see that even if the tools had been heeded it may not have stopped the attack anyway without a full IR into what was going on.

The people who are any good in this business of security live every day with the assumption that their network is already compromised. This is a truism that we all should take to heart as well as the knowledge that we cannot stop every attack that is carried out against us. We can’t win every battle and we may never win the war but we have to try. Targets failures will hurt for some time within the company as well as to those who were working there at the time. I have no doubts that heads rolled and perhaps that was necessary. It is also entirely possible that people did try to stop this event but were told not to do something because it might affect their production environment. Of course this is all speculative but you people out there reading this from this business know what I am talking about. It’s a universal thing to be shackled in your battle to secure the network because it affects the bottom line.

What I would like you all to take away here though is that PCI is not the only reason for this hack and certainly it isn’t because Target was not encrypting their traffic or their databases. This is just a ridiculous argument to be having. Just as ridiculous as it is to have the cognitive dissonance to believe that checking a box in an audit makes anything more secure.

K.

Written by Krypt3ia

2014/03/28 at 20:50

Posted in FAIL, Target

ASSESSMENT: Target Lessons Learned

with one comment

Newbie working

The Hack:

While there is a lot of information out there on how the Target hack allegedly happened there are a few points that have been clarified. The blackPOS was installed in systems within Target after the hackers had been in for some time carrying out recon and getting a handle on how to carry out the ex-filtration of data. Given the information already out there it is a postulate that the hackers got hold of the Fazio credentials to the Target portal and then leveraged that system to carry out the compromise internally. The system trafficks in excel, word, and pdf files and to my mind, as the hackers had the Fazio creds to get onto that system they just uploaded a malware laden file for someone internally to open and compromise their system. The question then becomes just how long it took from that moment to the moment that the hackers gained access to the Target POS systems and servers to install their malware on.

According to PCI rules as well as the CEO of the company (Gregg Steinhafel) Target was in PCI compliance and that means that the network should have been segmented to disallow easy compromise from end users systems etc. Of course we are relying on the testimony of the CEO and others at this point in time because we have no other reports from FireEye or anyone else to attest to that fact. In any case the hackers got to the data and ex-filtrated it while triggering alerts that should have started an incident Response (IR) internally at Target. This did not happen though it seems and thus the hackers made off with all the data that they wanted. The moral of the story here can be summed up in an old aphorism I love to cite; “A fool with a tool is still a fool”

The After Action Report:

According to sources close to the investigation of the incident (Fireeye/Mandiant) alerts were given on key systems that were infected by the BlackPOS and detected as malware of indeterminate kind due to there not being any current signatures on it in the AV and IDS/SIEM systems. If the information given by the anonymous sources, then the fact of the matter is that the technologies that Target bought into to protect their data were in fact ignored at best and at worst turned off by the SOC managers internally at Target because they perhaps gave too many alerts. This is a common problem with IDS/SIEM/AV systems as they need tuning constantly and in larger companies the amounts of traffic that pass through the sensors is huge and complex. It is not uncommon in some organizations to have no real FTE’s watching those systems either with a reliance on employees who may be under-trained or not trained at all watching over the hen house. Security it seems has always been an afterthought for many companies, until that is they get hacked and outed in the press.

In the case of Target there are moves going on since the incident happened to shuffle the internal deck so to speak and make it seem that changes are happening to policy regarding security. The CEO is making the rounds with legalese responses couched in flowery language that really boils down to “no comment” and the CIO has resigned perhaps under considerable pressure. After the incident occurred I began checking the Target postings for security and began to see a lot of activity out there for workers to take over their security operations. I am assuming that there has been a bit of attrition other than the CIO and this should really be the case given the information that has come out to date on how this attack succeeded and the failures afterwards to cope with it. Suffice to say that the aphorism above about fools and tools applies certainly to Target in this instance but who else might it also cover as well out there today one wonders.

ANALYSIS:

The final analysis of the Target hack cannot be fully determined because the evidence is not yet public. However, the data that has come out (re: Bloomberg piece linked above) shows a very salient fact that should be heeded by us all in INFOSEC. That fact is this; “Technology is great but one has to use it properly to stop these things from happening” If the Target SOC had not turned off functionality they would have caught this attack happening. If the Target SOC had in fact been paying attention to the Fireeye system as well as the Symantec system they could have reacted quickly to at least attempt to catch the data being ex-filtrated out of their company via FTP. The sad truth is that they did not catch it nor did they see it because the human propensity for ease of use caused a systemic failure to occur in security.

I am sure more data will come out someday as much as Target will allow. One has to wonder in a publicly traded company how much transparency they should provide and what you actually will get though. The information coming out so far though, if indeed true, is pretty damning to Target and their practices. I will say that I believe what has been told to reporters in confidence given my experience over the years with corporate entities and their lackadaisical attitudes toward security thus far. All too often companies are pretty cavalier about security and in the case of Target all you have to do is look to the reports coming out now about how they plan on hiring a CSO for the company. It seems the CIO had no real experience and the company did not see fit to have a CSO or CISO until now. To boot, if you look at the wording it was implied that they were seeking an internal candidate up until recently. Think about that for a minute, they wanted an internal candidate for a job function where they lacked skill sets to begin with and had such a spectacular failure? The word hubris comes to mind.

The ultimate takeaway I would like to leave you with here is that Target is just one corporation of many that have the same problems. In fact I would hasten to add that we as a species are our own worst enemy when it comes to security and if you add to this the dynamic of corporate mores you have a recipe for epic failure. You can have all the high tech gadgets in the world but you still can be defeated by the human animal either through shrewdness on their part of laziness and stupidity on yours. There is a trend today in a reliance on technology as the panacea to all of security’s ill’s and this must be tempered with the human nature of those who operate it before we will ever be at all secure.

K.

Written by Krypt3ia

2014/03/13 at 19:30

Posted in Target

ASSESSMENT: The Target Hack As An APT Style Attack

with 3 comments

140110103529-computer-hacker-620xa

Fazio Heating & Cooling Phished via OSINT:

Screenshot from 2014-02-12 13:42:14

With the release of Brian Krebs’ article on the Fazio Heating phish and use of their credentials in the Target TTCE/POS hack comes the notion that the criminals potentially used OSINT to carry out their crime. In looking at the sites that Brian has posted about you can see that there is a plethora of data available for an attacker to use to footprint Target as well as the eventual partner or supplier that was to be Fazio. By using common tools and techniques it is quite possible that the Lampeduza Republic or proxies thereof carried out the intelligence gathering needed to determine who they should target in order to possibly garner access to the Target networks via portals like the supplier portal mentioned in the article. What may in fact be the case though is that Fazio was just one target of a phishing campaign directed at all of the vendors that could be gleaned from the site leakage online (i.e. doc files, pdf files, and xls files containing metadata as well as direct data on companies and contacts that can be harvested through Google and Maltego) All of this data could well be used to set up phishing campaigns for any and all vendors found in hopes that they (the criminals) would be able to gather access credentials for the Target network to carry out the next phase of the operation.

Side Channel Attacks:

In this case it is being intoned that the access of Fazio on the extpol.target.com site/application may have had AD credentials that could either have had too much access to start or that they were used to escalate privileges on the server/system/application to exploit the core server inside the TTCE. While this is possible, one has to wonder if that is indeed the case or was there some other access that Fazio may have had? It seems though on the surface of it, that the access to this server and the lack of segmentation allowed for the exploit to be carried out and access granted to more of the internal networking within the Target TTCE. The fact though, that at the present time people are saying (off the record and anonymously) that Fazio was the epicentre of the access that caused this data theft shows a certain type of attack that is more common to a more planned and funded style of operation called APT. The side channel attack here is first foot-printing all the companies that doe business and then either choosing a target to phish or hitting them all to see what access could be stolen for escalation. This is a common APT tactic and bespeaks more planning than the usual phish of a company like target (shotgun approach as Brian says) and then exploiting to steal data. This from all evidence thus far, seems to be a very well thought out campaign from the creation of the malware (BlackPOS) to the phish and ex-filtration of data.

APT Activities by Non State Actors:

Up to now the focus of all of the APT talk has been over nation state actors. I would like to point to the Target hack and the Lampeduza as as evidence (so far) that we are now seeing a non nation state actor taking cues from all of the talk about the APT and using those techniques to their own advantages. It is of course not difficult to carry out these types of attacks in an orderly and persistent manner, it just takes an organization that is motivated and able to handle the work. I would say that the Lampeduza shows this kind of regimented behaviour as well as a motivator in the dumps of cards and easy money from their sale. The point being is the APT genie is out of the bottle and anyone with the means and the will can now carry out APT style attacks by using OSINT and other common hacking techniques to commit their crimes so no, it’s not China all the time is it? This case as it unfolds should be watched by everyone in the Infosec community because these types of attacks are only going to be more and more common and not just reside within the sphere of nation states and espionage.

ANALYSIS:

The ongoing fall out from the Target compromise is becoming more and more interesting and prescient on many levels for the security community as well as the populace at large. The attack vectors are leaking out slowly and I am sure that some day soon there will be an explanation from the DFIR folks hired by Target and the USSS as to what really happened. In the meantime information like Brian’s is very elucidating on how things may have happened and with the direction they are taking currently, it would seem that this attack and exploitation cycle was rather well thought out. As you have seen in my previous post, the Lampeduza while flamboyant, also show that they seem to have a sense of hierarchy and military ethos that I can see fits well into a criminal league who use APT techniques to get into systems, exploit them, and then keep the persistence as long as possible as they exfil their desired data. That these guys also seem rather blatant about their sites and their actions only seems to be an exceedingly large case of hubris that may eventually get them in trouble but that is for the future to hold. As well, if it wasn’t the Lampeduza who carried out the attacks, then whoever they are working with or hired has been studying the APT in the news cycle as well. Either way, this was a slick attack and I look forward to seeing where all this leads.

K.

Written by Krypt3ia

2014/02/12 at 19:13