posted by janrinok on Friday March 14 2014, @11:31PM
from the oops-that's-not-the-way-it's-meant-to-work dept.
GungnirSniper writes:
"Late last year, US retailer Target had multiple IT failures that led to 40 million credit cards being leaked, and more than $61 million in breach-related expenditures, as well as a significant cut into their holiday profits. Businessweek has a lengthy article laying out the failures, among them:
- Despite installing FireEye's monitoring technology, security administrators disabled FireEye's option to automatically delete malware as it is detected, allowing the unclassified 'malware.binary' through.
- When Target India's team received the first critical alert from FireEye, they notified the security team at Target's Headquarters in Minneapolis, Minnesota, USA, but the report was ignored or simply no action was taken on it.
- Additional critical alerts were generated, but apparently no action was taken on them, allowing updated malware through.
- Symantec Endpoint Protection detected odd behavior on the same server as detected by FireEye, but this did not raise concern.
- The initial illicit access was gained by an outside vendor's stolen credentials, which should not have given as much network access as it did.
Though the data was copied through a few hops in the US, it ultimately was traced to Russia. Analysis the binaries shows the malware itself was unsophisticated, and included a possible hacker's alias in the 'exfiltration code.'"
Target Had Multiple Chances to Stop Card Breach
(Score: 5, Interesting) by cyrano on Friday March 14 2014, @11:39PM
There's no ROI for security. They need to get grotesque fines before there will be any. The public isn't interested, they believe their card's fraud insurance will cover losses.
That's what you get from being 25 years behind.
The quieter you become, the more you are able to hear. - Kali [kali.org]
(Score: 4, Interesting) by Silentknyght on Saturday March 15 2014, @01:29AM
This isn't about "ROI on security." That's totally a knee-jerk, false reaction to this story. The money was already spent on the FireEye software and the personnel to monitor and report up the chain of command. Additional investment (i.e., money) wouldn't have made any difference: this was a failure of human beings, plain and simple.
That said---I, for one, would love to know what exactly transpired at that human being level, what decisions were made to actively not investigate... or perhaps worse, what decisions were NOT made for whatever reason.
(Score: 5, Informative) by tynin on Saturday March 15 2014, @02:38AM
I'll toss out an anecdote. Many times these systems produce staggering amounts of false positives, unless the staff is trained in what would be acceptable filtering, or perhaps they were trained, but someone upstairs didn't want them to possibly filter out something that might be serious on accident. Indeed, this can happen when staff thinks they know a particular set of alerts isn't a real issue because of years worth of it never being an issue, proven out over repeated investigations that it was just a false positive.
I suspect unless they are forced into providing some root cause analysis from a lawsuit, no one will ever know what manner of human culpability really occurred. But too many times I've seen a company throw money at a "solution" and never really allow it to be used properly.
(Score: 3, Funny) by captain normal on Saturday March 15 2014, @05:10AM
I'd just about put money on it being some PHB in Minneapolis.
"Everyone is entitled to his own opinion, but not to his own facts" --Daniel Patrick Moynihan--
(Score: 1) by cyrano on Saturday March 15 2014, @08:16AM
No, it's about being 25 years behind and still allowing magnet stripes as a security measurement while harassing everyone at airports, bus- and train stations. And then buying into a system that can't protect anything because there's no one to use it.
I'd need to cite Einstein on this one, I believe.
The quieter you become, the more you are able to hear. - Kali [kali.org]
(Score: 2, Informative) by Techwolf on Saturday March 15 2014, @12:26AM
s/hacker/cracker/g
Editors, you should know better. This was clearly not a hack.
(Score: 3, Insightful) by umafuckitt on Saturday March 15 2014, @12:40AM
Except that "cracker" is falling into disuse now. Outside of geek sites, either nobody would understand the distinction or they wouldn't even know what a "cracker" was. Worthwhile WP articles on the controversy are here [wikipedia.org] and here [wikipedia.org].
(Score: 3, Funny) by Anonymous Coward on Saturday March 15 2014, @03:57AM
That's racist! ...Is what 5% of the English-speaking population will think.
99.999999999999999% will think of delicious Ritz crackers.
0.000000000000001% will be butthurt over the fact that English is a living language, thus evolves, and words mean precisely what the vast majority insist they mean.
tl;dr: Quite right - it's time to give it up. You people aren't fighting the good fight. You're making yourselves look like you're really fun at parties. Also, that last bit was sarcasm.
(Score: 4, Interesting) by TheRaven on Saturday March 15 2014, @12:50AM
sudo mod me up
(Score: 2, Interesting) by Zyx Abacab on Saturday March 15 2014, @05:45AM
Sure, that word means more than one thing; and you know the meanings because you made an intellectual effort to learn them. The public mostly knows just one meaning of 'hacker', mostly because of media exposure. I know that whenever I've described myself as a hacker, I've gotten ignorance at best and at worst. The association with 'bad things' is pretty much the only one people know.
It would be nice if there was a commonly-used word that distinguishes between the two. I don't like being lumped together with criminals just because I've been clever.
(Score: 2) by Open4D on Saturday March 15 2014, @10:06AM
We need to keep on using the words 'hack' and especially 'hacker' with their non-cracking connotations.
There are some positive signs, e.g. "Flood Hack event looks to help relief efforts [bbc.co.uk]": "The statistics included readings, updated every 15 minutes, from every flood sensor in the UK - effectively giving the hackers live data on the situation across the country."
(Score: 1) by utoddl on Saturday March 15 2014, @01:52AM
If the editors are going to fix something, it should be the missing and extra words in posts. This one has two. It's hard to get everything right, but this is basic editing. Makes the site look unprofessional.
Oh, it's all volunteers? Never mind.
(Score: 2) by GungnirSniper on Saturday March 15 2014, @06:40AM
What did my editor and I miss?
Tips for better submissions to help our site grow. [soylentnews.org]
(Score: 2) by etherscythe on Saturday March 15 2014, @02:53PM
Those terms have fallen out of favor. The majority of vaguely-tech-related sectors has accepted "black hat hacker" and "white hat hacker" as the new terms du jour. There are a few holdouts like you, but you're basically fighting inertia at this point.
"Fake News: anything reported outside of my own personally chosen echo chamber"
(Score: 5, Insightful) by Baron Violent on Saturday March 15 2014, @03:13AM
... until it becomes inconvenient.
(Score: 0) by Anonymous Coward on Sunday March 16 2014, @12:06AM
Thanks to Target, I now have my first US bank account that is over 6 weeks old and still no debit card to use with it thanks to their apparent laziness and/or ineptitude.
I've never even been to Target, it's simply that my bank uses the same card issuer as many other banks and they had a 40-million card backlog to clear before they can give new cards to new customers.
To make it more fun, I'm having to spend cash money on other methods of payment in order to function - if only the amount were significant enough, with this being a litigious country as it can be and all, it would be interesting to see how much indirect financial damages have occurred as a result of the breach for otherwise non-affected customers like myself.