Massive Target Breach Traced to HVAC Vendor
By Jennifer LeClaire / CRM Daily
Published: February 6, 2014


At long last, it appears investigators have found the cause of the Target breach. The retailing giant last week revealed that the source of the costly drama was connected to network credentials stolen from a third-party vendor.

Now, KrebsOnSecurity is reporting that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. Brian Krebs, a security blogger, said sources close to the investigation claim the attackers first broke into the retailer’s network on Nov. 15, 2013, using network credentials stolen from Fazio Mechanical Services, an HVAC systems provider. Target has not officially issued a statement.

“Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation, but said he was not present when the visit occurred,” Krebs said on his blog. “Fazio Vice President Daniel Mitsch declined to answer questions about the visit. According to the company’s homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.”

IP-Addressable Appliances

We caught up with Dwayne Melancon, chief technology officer for security software firm Tripwire, to get his take on the latest Target breach revelations. He told us this is something you'll see a lot more of in the evolving "Internet of Things" world.

“HVAC's are IP-addressable appliances now, which means they have network access and logins. It wouldn't be unusual for contractors to have an HVAC login,” Melancon said. “The trouble is that a lot of people implementing ‘smart devices’ do not recognize the security risks of placing them on a production network where they can access other sensitive data or systems.”

As he sees it, this is yet another example of the need for security professionals to take a step back and look at the overall ecosystem of devices and how they are connected. Attackers will find and exploit the weakest link in an interconnected network every time, he predicted.

“One thing that isn't known about this attack: were the same credentials for the HVAC system used on other devices in the network?” he asked. “If so, that is what I would call a ‘rookie mistake.’”

Who’s To Blame?

We also turned to Lamar Bailey, director of security research at Tripwire, to seek his opinion on the HVAC contractor connection. He told us all commercial HVAC systems are computer-controlled today: the temperature for most big commercial buildings is set based on time of day and proximity sensors, and setting it requires computer access to the controls.

“If there was something wrong with the HVAC settings in one of Target’s properties, they would probably call a contractor, and it’s entirely possible that a repairman with a laptop would need to log on to the network where the HVAC controls are located to troubleshoot the problem,” he said.

If Target had other network systems, especially the patch delivery server for the POS devices or the POS devices themselves, on the same segment of the network where the contractor logged in, it would be relatively simple to infect the network with malware, he explained.

“The contractor may not have known his laptop was compromised with malware, or he could have been one of the lynchpins in the attack,” Bailey said. “We’ve certainly seen enough movies where the plot hinges on a guy with a clipboard using a repairman ruse to get inside an organization. Based on what we know about this breach that scenario is completely plausible.”
