Target breach update – how were HVAC passwords stolen?

As we learned from Krebs a few days ago in a Target breach update, the original entry point of the malicious software was Target’s HVAC company. Yes, that means the folks who handle their air conditioning and heating. I’m guessing in the aftermath of this admission, scads of large companies are scrambling to ensure there are no “touch points” between “building Maintenance GuyMaintenance Guymanagement” systems and their treasured business networks. It makes sense to me that the building manager would MP900383000Maintenance Guywant to have “heating and lights” right there under the same “pane of glass” as “inventory” but if that’s how companies have been operating, it’s time to rethink it.

Those of us in cybersecurity eagerly await more details. Fortunately we won’t have long to wait since Krebs is on the case. But in the meantime, are there security lessons to be learned from this aspect of the Target breach too (aside from the obvious: keep supplier networks separate)? The big question on everyone’s mind is: how is it that the HVAC company’s password was discovered by the cybercriminals?

Even without knowing any more that we do right now, the answer almost always comes down to the same few possibilities. Here are the six most common ways in which passwords are stolen:

1.) Paying an insider to divulge the password.mafia with arms crossed and a gunon hand

2.) If the insider doesn’t know customer passwords, paying an insider to add malware (slip in an infected USB) with keylogger capabilities and a Trojan which steals the password and then “phones home” with it.

3.) Trickery, aka “social engineering”: someone calls pretending to an uber-important person, or to be the assistant of an uber-important person and convinces the supplier to divulge the password.

4.) Infecting a computer which allows remote access into the facility and has the password & user name stored on it.

5.) Stealing a computer which allows, or has, the same.

6.) The smaller company’s network is hacked (because they are less protected). The hacker seeks out a list of customer records and passwords. If necessary, the hacker connects to the larger company’s network from inside the smaller company.

Now, pop quiz: which of these is most likely to be the one used in this case?

Of all the options, I would bet on the last one. This is the one which is most easily conducted remotely by a team who probably doesn’t speak fluent English. It’s also child’s play for anyone who has the sophistication to pull off all the other elements of the Target breach. Of course this is only a guess.Lioness Yawning

If this is how it happened – the HVAC computer company was compromised – it’s actually the reverse of the so-called “watering hole” attack. The idea of the watering hole is this: it’s tough to snare a lioness. But at least once a day she is likely to visit the local watering hole. This makes the hole a good place to set a trap; perhaps poison the water in some way (since I like animals, let’s say “tranquilize”). This is especially easy because the watering hole is easy to get to. Who would bother guarding it? In fact the watering hole is only valuable for its visitors.

We could call this situation a “reverse watering hole attack” because it’s a bit more like the watering hole took a walk, flagged down the lioness, and offered her bad water. But it’s the same principle – find a company connected to the real Ttarget who is less defended (hopefully much less defended) and compromise them first.

This in fact, supports a reasonable defense for our HVAC company: the only reason they were attacked is because they know something extremely valuable. If they weren’t supplying Target in the first place, they would not have been an interesting victim.

I guess maybe it sounds like I don’t think the afore-mentioned hacked companies are at fault here. It’s true: as long as they are following reasonable security protocol, for the most part I don’t. Cybercriminals are ruthless, brilliant and incredibly well-funded.  The way I think of it is this: when was the last time we blamed a bank for getting robbed?



Tags: , , , , , , , , ,

Leave a Reply