Slashdot: News for Nerds

Target's Internal Security Team Warned Management

Soulskill posted about 5 months ago | from the they-were-definitely-a-target dept.

Security 236

david.emery writes "According to this story, Target's own internal computer security team raised concerns months before the retailer lost millions of credit card numbers in an attack. (Quoting a paywalled story in the Wall Street Journal.) Target's management allegedly 'brushed them off.' 'At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system.' This raises a more general question for the Slashdot community: how many of you have identified vulnerabilities in your company's/client's systems, only to be 'brushed off?' If the company took no action, did they ultimately suffer a breach?"


236 comments

Posting anonymously for obvious reasons... (5, Interesting)

Anonymous Coward | about 5 months ago | (#46250423)

Yes, there are horrible security flaws where I work. Things as basic as changing passwords on a regular basis have been brought up repeatedly, and the answer is always, "we can't make people do that", or "that's something to keep in mind for the future, but we have more important things to worry about"

Re:Posting anonymously for obvious reasons... (5, Informative)

ackthpt (218170) | about 5 months ago | (#46250515)

Yes, there are horrible security flaws where I work. Things as basic as changing passwords on a regular basis have been brought up repeatedly, and the answer is always, "we can't make people do that", or "that's something to keep in mind for the future, but we have more important things to worry about"

I've worked at two kinds of places - one, where it was pretty much as you described. The second sort was, upon orientation you are given your accounts and access and told they are your responsibility to use discreetly and to notify the appropriate support should you even suspect they have been compromised. Failure, in the second case, was grounds for discipline or termination of employment.

Guess where things went more smoothly and security issues seldom elevated to crisis.

Re:Posting anonymously for obvious reasons... (4, Insightful)

Penguinisto (415985) | about 5 months ago | (#46251193)

Ditto here... once you make the employees know that their screw-ups will end up costing them, they tend to not screw up as much, and tend to report things much, much faster should something go awry.

That said, the Target penetration wasn't directly caused by a Target employee/user - the bad guys snuck in through a contractor that was given network access that they should have never had. This was more due to lazy architecture/vlan partitioning than it was $random_employee with a bad post-it note habit.

If anything, the network admins should be facing the barrel before anyone else, followed very closely by most of the security admins, if not simultaneously (excepting the guy who shouted the warning and those who demonstrably supported him; that dude should be promoted post-haste.)

Re:Posting anonymously for obvious reasons... (2)

MightyMartian (840721) | about 5 months ago | (#46250535)

Generally whoever I worked for took my security warnings to heart (the first production Linux server I ever built was put in place as a mail relay for a Windows-based mail server's SMTP daemon to prevent joe jobs and overcome some nasty security vulnerabilities, with the management's approval).

I can tell you that other kinds of warnings have historically not been heeded. I had a boss who decided that because Windows 2000 Server supported disk mirroring on IDE drives, he didn't need to invest in decent hardware RAID. I warned him repeatedly that software RAID is better than nothing, but certainly not as efficient nor as effective as hardware RAID and that SCSI drives were infinitely superior on heavy load servers like our SQL and Exchange servers. Well, guess who was bitching about Outlook being a dog, and he just got really pissed off when I told them that at least the db server should be moved to appropriate equipment.

Re:Posting anonymously for obvious reasons... (5, Insightful)

Desler (1608317) | about 5 months ago | (#46250637)

You do realize that making people change their passwords all the time simply leads to people using weaker passwords or writing them down, right? This type of policy, thought up by some self-proclaimed security expert amongst the IT monkeys, almost always leads to worse security than not. And you don't even need to take my word for it:

The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they're more likely to choose easy-to-remember -- and easy-to-guess -- passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.

https://www.schneier.com/blog/... [schneier.com]

Re:Posting anonymously for obvious reasons... (1)

Anonymous Coward | about 5 months ago | (#46250669)

In most situations, you would be right. However, the majority of our user base is interested in compromising accounts, but there is a delay in the propagation of compromised credentials (word of mouth, mostly). Our users typically write their passwords down anyway, and they're already incredibly weak. Because of this, I think occasional password changes would be a significant benefit.

Re:Posting anonymously for obvious reasons... (1)

Desler (1608317) | about 5 months ago | (#46250693)

Our users typically write their passwords down anyway, and they're already incredibly weak. Because of this, I think occasional password changes would be a significant benefit.

No, you're simply rearranging the deck chairs to make it seem like you did something.

Re:Posting anonymously for obvious reasons... (0)

Anonymous Coward | about 5 months ago | (#46250731)

No, we would invalidate the compromised credentials before the information becomes widely distributed by word of mouth. That would be a benefit - admittedly, a band-aid on a submarine kind of benefit, but one nonetheless. If the IT people here don't have enough sway to implement a sane password policy, what makes you think they'll have any luck making users take better care of their account security? We fight the battles we think we have the best chance of winning.

Re:Posting anonymously for obvious reasons... (2)

Desler (1608317) | about 5 months ago | (#46250751)

Implementing a boneheaded change password policy is not going to make your users act better. You are simply going to make no difference or make it worse.

Re:Posting anonymously for obvious reasons... (0)

Anonymous Coward | about 5 months ago | (#46250789)

Clearly, you know the situation better than I do. Enjoy your feeling of superiority - I'm not here to argue with you.

Re:Posting anonymously for obvious reasons... (2)

DarkOx (621550) | about 5 months ago | (#46250837)

I hate people who insist that password changes are not a good thing. Look, very, very few organizations have proper identity and account management.

Password rotation at least closes the hole of former employees still having access at some point in the future.

Everyone's password ends up in a log file somewhere some time, in plain text just laying around. Usually it's because they are in a hurry and enter it in a user name field. Password rotation ensures this password will at least at some point no longer be valid.

People choose crappy passwords even when you don't force changes. Someone may well get access to an account by slowly guessing likely passwords over a long period of time. Password rotation reduces persistence of access to said account.

All of these should be covered by other controls, yes, but sometimes any given control can fail, especially in an organization where there is anything less than total maturity around IT processes (most): someone misses a step one time, and things can go terribly wrong. Good security is about layers. Changing of passwords is one layer. If someone claims to be a security professional and says you don't need at least some password rotation policy, they are a know-nothing who is just repeating someone equally incompetent's blog post to you, and you should fire them.
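The "password typed into the user name field" leak mentioned in the comment above is something you can actually hunt for in authentication logs. The following is an added example, not code from the original thread or from any of the posters: it parses a few constructed sshd-style log lines (the format and the addresses are assumptions for the example) and flags failed logins whose "user name" looks like a password, then checks whether the same source logged in successfully shortly afterwards, which is the usual tell that someone fumbled the fields.

```python
import math
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines for the example (sshd-style format is an assumption;
# no real host, user or address is represented).
SAMPLE_LOG = """\
2014-02-14T08:00:01 sshd[1201]: Failed password for invalid user jsmith from 10.1.2.3 port 50211
2014-02-14T08:00:09 sshd[1202]: Failed password for invalid user Tr0ub4dor&3 from 10.1.2.3 port 50212
2014-02-14T08:00:15 sshd[1203]: Accepted password for jsmith from 10.1.2.3 port 50213
2014-02-14T09:12:40 sshd[1340]: Failed password for invalid user backup from 10.9.9.9 port 41000
2014-02-14T09:13:02 sshd[1341]: Failed password for invalid user C0rrectHorse! from 10.9.9.9 port 41001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, the usual cheap 'does this look random' signal."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_password(user: str) -> bool:
    # Real user names are mostly short, lowercase and alphanumeric. A "user" with
    # three or more character classes and high entropy is almost certainly a
    # password that landed in the wrong field.
    classes = sum([
        any(ch.islower() for ch in user),
        any(ch.isupper() for ch in user),
        any(ch.isdigit() for ch in user),
        any(not ch.isalnum() for ch in user),
    ])
    return len(user) >= 8 and classes >= 3 and shannon_entropy(user) >= 3.0


def find_leaked_passwords(log_text: str, window_seconds: int = 60) -> list:
    """Return one finding per failed login whose user name looks like a password.

    Each finding records the source address, the leaked value (which now has to be
    rotated, because it is sitting in a log file) and, if the same source logged in
    successfully within `window_seconds`, the account it most likely belongs to.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)

    findings = []
    for i, ev in enumerate(events):
        if ev["result"] != "Failed" or not looks_like_password(ev["user"]):
            continue
        # Confirming signal: same source, successful login shortly afterwards.
        followup = next(
            (e for e in events[i + 1:]
             if e["src"] == ev["src"] and e["result"] == "Accepted"
             and e["ts"] - ev["ts"] <= timedelta(seconds=window_seconds)),
            None,
        )
        findings.append({
            "src": ev["src"],
            "leaked_value": ev["user"],
            "confirmed_user": followup["user"] if followup else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_leaked_passwords(SAMPLE_LOG):
        print(f)
```

In production the scanner would redact the leaked value from the log and open a ticket against the confirmed account rather than print it; the point of the example is that this particular rotation argument can be replaced by a targeted detection plus a forced reset of exactly the credentials that leaked.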

Re:Posting anonymously for obvious reasons... (2, Insightful)

Anonymous Coward | about 5 months ago | (#46251111)

Password rotation at least closes the hole of former employees still having access at some point in the future.

No. If former employees still have access, that means the network admin folks are incompetent or the off-boarding procedure is broken.

When an employee terminates, their account should be disabled. Problem solved.

There should never be any anonymous or independent accounts that can cause damage (e.g., an FTP box could have anonymous access if nothing confidential is kept there, but it should never be allowed write access).

in these cases it may be outside vendors / contrac (1)

Joe_Dragon (2206452) | about 5 months ago | (#46251181)

In some cases outside vendors / contractors have shared / fixed accounts / passwords.

Re: Changing Passwords (2, Interesting)

Anonymous Coward | about 5 months ago | (#46250749)

Places where I've worked that required users to change their password regularly invariably had the same password but with an incremented number at the end every time they needed to change the password. This allowed them to remember it more easily, but effectively meant they were using the same password.

The more stringent that the password requirements become, the more likely it is that users are going to start writing them down somewhere or trying to come up with workarounds so that they can remember them. And in turn, you have another security issue.

Everywhere I have worked has also had a review of brute force password hacking attempts. :-)

It's okay to write them down. (3, Insightful)

khasim (1285) | about 5 months ago | (#46250813)

You do realize that making people change their passwords all the time simply leads to people using weaker passwords or writing them down, right?

As long as you keep them in your wallet then writing them down is fine.

You're MUCH more likely to be aware when someone steals your wallet than when someone steals your password. So keep your passwords in your wallet if you cannot remember them.

Similar for home systems. Keep them safe at home. Criminals breaking into your home to steal stuff are not USUALLY going to be looking for a piece of paper with your passwords on it.

but when you work with HVAC vendors who sub work o (1)

Joe_Dragon (2206452) | about 5 months ago | (#46250863)

But when you work with HVAC vendors who sub work out / are not really IT people, then they may have a few fixed passwords / logins that they need to give out to all the people in the field. It's much easier to have a fixed one than giving each field tech their own login that they may not even need day to day, or even working at Target all the time.

Keeping track of who works for each contractor / subcontractor down the line is hard and can be a lot of needless work of adding / removing users who may not even be on a Target site but may work for a place that does some Target work. Or let's say you have a tech who does not go to Target sites all the time and the password times out on their next visit? Or you have a tech who does not do Target but needs to fill in for the tech that does, as they are tied up on another job and someone needs to cover?

They get their own network. (2)

khasim (1285) | about 5 months ago | (#46250987)

Then they may have a few fixed passwords / logins that they need to give out to all the people in the field. It's much easier to have a fixed one than giving each field tech their own login that they may not even need day to day, or even working at Target all the time.

So they get their own network that does not touch the production network.

Probably just a *DSL/cable from a local ISP.

With a firewall that you control. Heavily locked down. No need for them to hit Facebook from the HVAC, is there? No need for inbound access from 99.9% of the IP addresses out there, is there?

Then paint it and label it and make sure no one else can touch it. Use super-glue on the ports.
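The "separate network that does not touch production" advice above is only as good as the firewall policy between segments, and the failure mode is rarely a direct vendor-to-payment rule; it is a vendor-to-corporate rule chained with a corporate-to-payment rule. The following is an added example, not code from the original thread or from any poster, and the segment names, address ranges and rules are constructed for the example (they are not Target's network). It evaluates a first-match-wins ruleset two ways: the direct "is vendor allowed to reach the cardholder segment?" check that an audit usually asks, and a pivot check that walks every allow rule transitively.

```python
import ipaddress

# Constructed segments for the example (assumed names and ranges).
SEGMENTS = {
    "hvac_vendor": ipaddress.ip_network("10.50.0.0/24"),
    "corporate":   ipaddress.ip_network("10.10.0.0/16"),
    "pos_cde":     ipaddress.ip_network("10.200.0.0/16"),   # cardholder data environment
    "internet":    ipaddress.ip_network("0.0.0.0/0"),
}

# Rules are (src_segment, dst_segment, dst_port or None for any, action); first match wins.
# Weak policy: nothing lets the vendor segment reach the CDE directly, but it can reach
# corporate, and corporate can reach the CDE. That is a two-hop path.
WEAK_RULES = [
    ("hvac_vendor", "corporate", None, "allow"),
    ("corporate",   "pos_cde",   443,  "allow"),
    ("hvac_vendor", "internet",  443,  "allow"),
    ("internet",    "hvac_vendor", None, "deny"),
]

# Hardened policy: the vendor segment is an island that can only talk outbound on 443.
HARDENED_RULES = [
    ("hvac_vendor", "corporate", None, "deny"),
    ("hvac_vendor", "pos_cde",   None, "deny"),
    ("corporate",   "pos_cde",   443,  "allow"),
    ("hvac_vendor", "internet",  443,  "allow"),
    ("internet",    "hvac_vendor", None, "deny"),
]


def segment_of(ip: str, segments: dict):
    """Most specific segment containing the address (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in segments.items() if addr in net]
    return max(matches)[1] if matches else None


def is_allowed(rules, segments, src_ip: str, dst_ip: str, port: int) -> bool:
    """Direct check: would this single packet be allowed? Default deny."""
    src, dst = segment_of(src_ip, segments), segment_of(dst_ip, segments)
    for rsrc, rdst, rport, action in rules:
        if rsrc == src and rdst == dst and rport in (None, port):
            return action == "allow"
    return False


def has_edge(rules, src: str, dst: str) -> bool:
    """True if any traffic at all can flow src -> dst under first-match semantics."""
    for rsrc, rdst, rport, action in rules:
        if rsrc == src and rdst == dst:
            if action == "deny" and rport is None:
                return False      # blanket deny shadows everything after it
            if action == "allow":
                return True
    return False


def pivot_reachable(rules, start: str) -> set:
    """Segments an attacker who owns a host in `start` can reach by hopping."""
    segs = {r[0] for r in rules} | {r[1] for r in rules}
    seen, frontier = {start}, [start]
    while frontier:
        seg = frontier.pop()
        for nxt in segs:
            if nxt not in seen and has_edge(rules, seg, nxt):
                seen.add(nxt)
                frontier.append(nxt)
    return seen - {start}


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        direct = is_allowed(rules, SEGMENTS, "10.50.0.7", "10.200.3.4", 443)
        print(name, "direct vendor->CDE:", direct,
              "pivot reachable:", sorted(pivot_reachable(rules, "hvac_vendor")))
```

The weak policy passes the direct check (vendor cannot reach the CDE) and fails the pivot check (vendor reaches corporate, corporate reaches the CDE). A segmentation review that only asks the first question will sign off on exactly the architecture the thread is complaining about.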

Re:They get their own network. (2)

Joe_Dragon (2206452) | about 5 months ago | (#46251045)

And then some cost cutting yoho says why does the HVAC need its own network cabling and/or DSL/cable line? Or says we are not paying for cable when we get free DirecTV / Dish demo accounts and there is no DSL in the area.

Re:They get their own network. (1)

khasim (1285) | about 5 months ago | (#46251227)

And then some cost cutting yoho says why does the HVAC need its own network cabling and/or DSL/cable line?

At which point you move to a different job. If they're that concerned about the cost of a local ISP connection then they're going to be making other bad decisions. Consider that to be the "canary in a coalmine" signal.

I know, it sucks. But if you're having to fight for basics such as that then take your skills to someone who will appreciate them.

And when they ask you why you want to leave your old job give them the code phrase "it seems like a good time to pursue future options with your company".

They will understand.

Re:but when you work with HVAC vendors who sub wor (1)

sabinelr (1061112) | about 5 months ago | (#46251155)

Someone please tell me what HVAC contractors could possibly need to do on a corporate network. This sounds totally insane. If a company has 74 million people's credit card information on the same network that HVAC contractors can access, something more powerful than flamethrowers is needed to clean up that kind of crazy.

Yup (1)

Anonymous Coward | about 5 months ago | (#46251071)

The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they're more likely to choose easy-to-remember -- and easy-to-guess -- passwords than they are if they can use the same passwords for many years.

My current day job requires a new password every 60 days or something.

I finally got tired of having to call the Helpdesk to get my password reset every time I forgot the new one (EVERY TIME I was forced to change it), so the last time I called them, they reset my password to "Helpdesk1". Now I just increment the password's digit by one when I'm forced to change.

I'm not going to memorize a new password every n months. You want it secure? Let me use a software authenticator or a hardware thing like SecurID.

Re:Posting anonymously for obvious reasons... (4, Insightful)

plover (150551) | about 5 months ago | (#46250777)

Interesting that you should mention "changing passwords on a regular basis" as a "horrible security flaw". Have you considered that changing passwords generally introduces more risk than it guards against, and doesn't actually have an effect on most actual hack attacks?

The attacker strikes with whatever credentials he finds, whenever he finds them. The second step of an attack is to create a separate back-door, so that if the first password is changed he's back in anyway. And how does an attacker find credentials? When someone's entering them, which includes changing them, or if someone's handling them. There is often a case when you have people who can't remember their newest recently cycled password who call the Help Desk. The phone drone resets it to something like "ForgottenPassword#1", then voicemails the chump with the temporary password. If a hacker's able to listen to their voicemail, he simply calls in a phony forgotten password request and it's Winner, Winner, Chicken Dinner!

So what does changing the password every 30 days actually protect against? I suppose if you wrote the password on your blog, then in 31 days you're safe. Of course, if you wrote the password on your blog, I don't think password rotation should be your highest priority for fixing your security issues. Do you honestly think hackers have machines that can crack passwords in 31 days, but not 30? Either he can crack it in an hour or less, or he likely can't crack it at all and won't bother trying.

Changing passwords periodically was only a good idea when there was one password shared by many people, and you had to exclude your former colleagues. But those days ended back with moats and longbowmen on the castle walls. In these modern days of electronic passwords that are never shared, it's a ritualistic holdover with negative consequences.

Re:Posting anonymously for obvious reasons... (0)

Anonymous Coward | about 5 months ago | (#46251199)

Changing passwords periodically was only a good idea when there was one password shared by many people.....

Companies that still allow this are staffed by idiots, and ripe for a hacking.

Re:Posting anonymously for obvious reasons... (-1)

Anonymous Coward | about 5 months ago | (#46251203)

So you think changing passwords is bad, because someone might be hacking your PBX and listening to your phone calls? Are you out of your fucking mind?

Re:Posting anonymously for obvious reasons... (1)

Anonymous Coward | about 5 months ago | (#46250831)

Also posting anonymous. I work as a contractor for a major company, they have multiple layers to get into their systems. Something I have tried to point out to both their IT department and their management, only to be brushed off multiple times by both, is that after your initial log in, when logging into their SAP system it doesn't matter what username / password combo you give, it will let you log in as the username you type. This was as recent as 2/14/2014. And that is correct.

You log into the main system with your regular credentials. Then when you log into the SAP system after that, you can type ANY username and even leave the password blank, and it will log you in as that user into SAP. MULTIPLE people have brushed that off as "Not a big deal" because you need to log into the main system before logging into SAP.

Some companies don't listen to the peons.
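The pattern described in the comment above, an application that accepts any user name with a blank password because "you already logged into the main system", is worth showing beside its fix. The following is an added example, not code from the original thread, from the poster, or from SAP; the user store, the `Session` class and the two login functions are constructed for the example. The vulnerable version reproduces the behaviour the poster describes; the hardened version verifies the password and also binds the application identity to the identity the outer login established, so a valid password for another account is still refused.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(creds: dict) -> dict:
    """Constructed user store for the example: username -> (salt, pbkdf2 hash)."""
    store = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash(pw, salt))
    return store


USERS = make_user_store({
    "alice": "Winter2014!xyz",
    "sap_admin": "correct horse battery staple",
})


class Session:
    """Identity established by the outer (perimeter / SSO) login. Assumed shape."""
    def __init__(self, principal: str):
        self.principal = principal


def app_login_vulnerable(session, username: str, password: str):
    # Mirrors the behaviour the comment describes: being inside the perimeter is
    # treated as authentication, and the user name is taken on faith.
    if session is None:
        return None
    return username                      # any name, blank password, logged in


def app_login_hardened(session, username: str, password: str):
    if session is None:
        return None
    rec = USERS.get(username)
    if rec is None:
        return None
    salt, expected = rec
    # Verify the password in constant time. The outer login does not make this optional.
    if not hmac.compare_digest(_hash(password, salt), expected):
        return None
    # Bind the application identity to the perimeter identity: alice's session cannot
    # become sap_admin, even with sap_admin's password, without an explicit mapping.
    if session.principal != username:
        return None
    return username


if __name__ == "__main__":
    s = Session("alice")
    print("vulnerable:", app_login_vulnerable(s, "sap_admin", ""))
    print("hardened:  ", app_login_hardened(s, "sap_admin", ""))
    print("hardened:  ", app_login_hardened(s, "alice", "Winter2014!xyz"))
```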

Re:Posting anonymously for obvious reasons... (0)

Anonymous Coward | about 5 months ago | (#46251151)

Serious question - do regular password changes increase security?

I posit they don't. Everywhere I've seen that needs frequent changes gets the shittiest passwords possible. And then come change time, just increment the number at the end of it 90 days later, and so forth.

I'd prefer to enforce longer, better passwords (15+ character min, needs a capital, one year expiry) than the regular (6 characters, at least a number, capital, special character, changes every 90 days) bullshit that I keep running into.
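Several comments in this thread describe the same workaround: keep the password and bump the trailing digit ("Helpdesk1" becomes "Helpdesk2"). A change policy that wants to be more than ritual has to check the new password against the old one, not just against a complexity pattern. The following is an added example, not code from the original thread or from any poster: it implements the policy the comment above proposes (15-character minimum, an uppercase letter, long expiry) plus a history check that rejects a previous password with a changed suffix, an exact reuse, or a near-identical string. The sample passwords are constructed.

```python
import re


def _core(pw: str) -> str:
    """Strip the part people actually rotate (trailing digits / punctuation) and lowercase."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values mean 'the same password with a tweak'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(new: str, history: list, min_len: int = 15) -> list:
    """Return a list of policy violations (empty means the change is acceptable).

    `history` holds previous plaintext passwords for the example only; a real
    implementation would compare against salted hashes of the stripped core and of
    the full password, since you cannot compute edit distance against a hash.
    """
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isupper() for c in new):
        problems.append("no uppercase letter")
    for old in history:
        if new.lower() == old.lower():
            problems.append("reuses a previous password")
            break
        if _core(new) and _core(new) == _core(old):
            problems.append("previous password with a changed suffix")
            break
        if edit_distance(new.lower(), old.lower()) <= 2:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    print(check_new_password("Helpdesk2", ["Helpdesk1"]))
    print(check_new_password("Winter2014!", ["Winter2013!"]))
    print(check_new_password("correct horse battery Staple", ["Helpdesk1"]))
```

The history comparison is the part that matters: the 60- or 90-day rotation the thread complains about only "works" when the new password is unrelated to the old one, and without a check like this there is no way to know that it is.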

fallacy (1)

SeanBlader (1354199) | about 5 months ago | (#46251159)

Changing passwords regularly has been found to be more of a security risk than not changing them and having a more restrictive password policy. I've had informal discussions with a number of people at various companies where password changing every 3 months causes more problems with lost passwords and written down passwords.

Posting anonymously so the h4ck3r5 don't find out (1)

Anonymous Coward | about 5 months ago | (#46250435)

I have several times. It was never much of a concern of the client. Luckily we were never breached to our knowledge, but several others around us and in our field were breached and made big national headlines.

Oh well... we speak, they don't listen, screw them.

Re:Posting anonymously so the h4ck3r5 don't find o (0)

Anonymous Coward | about 5 months ago | (#46250473)

Actually I should have said... once those breaches occurred, our bosses were uber-concerned. For about 2 weeks. Then nothing again.

Re:Posting anonymously so the h4ck3r5 don't find o (1)

ackthpt (218170) | about 5 months ago | (#46250531)

I remember one system someone was trying to break into. I was sitting in my office, with a coworker, watching the traffic and everything. Very entertaining. They had walked into our honey pot.


customer service portal (5, Interesting)

ironicsky (569792) | about 5 months ago | (#46250461)

Years ago I worked for one of the two big American cable companies currently merging. I identified a security flaw in the public facing side of their customer service portal, essentially giving access to all the config files, which contained admin credentials in plain text. I proposed simple solutions, like not allowing directory listings of folders, among others.

They shrugged it off, and to the best of my knowledge, last year the vulnerability was still accessible.
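The two defects in the comment above, directory listings enabled on the public side and admin credentials sitting in plain text in config files, are both things a short audit script can find before an outsider does. The following is an added example, not code from the original thread or from the poster's employer: it builds a constructed webroot in a temporary directory (the file names and the credential inside are made up for the example), reports every directory that would be listable because it has no index file, and reports config files containing credential-looking keys. The Apache fix the poster proposed is the one-line `Options -Indexes`; this script is the check that tells you where it is needed.

```python
import os
import re
import tempfile
from pathlib import Path

INDEX_FILES = {"index.html", "index.htm", "index.php", "default.aspx"}
CONFIG_EXT = {".ini", ".conf", ".cfg", ".properties", ".php", ".inc", ".env"}

# key = value / key: value lines whose key names a credential (assumed, simple heuristic)
CRED_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z_.]*(?:password|passwd|pwd|secret|api[_-]?key))\s*[=:]\s*(?P<val>\S.*)$",
    re.IGNORECASE | re.MULTILINE,
)


def audit_webroot(root: str, listing_enabled: bool = True) -> dict:
    """Walk a document root and report listable directories and plaintext credentials.

    `listing_enabled` models the server setting (Apache `Options Indexes`); when the
    server does not list directories, a missing index file is not a finding.
    """
    root = Path(root)
    findings = {"listable_dirs": [], "plaintext_credentials": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root).as_posix()
        if listing_enabled and not (set(filenames) & INDEX_FILES):
            findings["listable_dirs"].append(rel)
        for fn in filenames:
            p = Path(dirpath) / fn
            if p.suffix.lower() not in CONFIG_EXT:
                continue
            text = p.read_text(errors="replace")
            for m in CRED_RE.finditer(text):
                # Report the key, never the value: the audit report is itself a file people read.
                findings["plaintext_credentials"].append((p.relative_to(root).as_posix(), m.group("key")))
    findings["listable_dirs"].sort()
    return findings


def build_sample_webroot() -> str:
    """Constructed sample tree for the example (not any real portal)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.html").write_text("<html>portal</html>\n")
    static = root / "static"
    static.mkdir()
    (static / "index.html").write_text("\n")
    (static / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    cfg = root / "config"                      # no index file: listable
    cfg.mkdir()
    (cfg / "db.ini").write_text("host=db01\nuser=portal_admin\npassword=hunter2\n")
    (cfg / "readme.txt").write_text("password=not a config file, not scanned\n")
    return str(root)


if __name__ == "__main__":
    print(audit_webroot(build_sample_webroot()))
```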

Re:customer service portal (1)

Anonymous Coward | about 5 months ago | (#46250521)

These would be the same two big cable companies who offer phone service without using the security features written into the PacketCable specifications.

Re:customer service portal (-1)

Anonymous Coward | about 5 months ago | (#46250729)

I bet you suck dick pretty good though, right? Do you like to put your tongue in the assholes of other men and suck the shit out? I bet you do.

Re:customer service portal (1, Informative)

amiga3D (567632) | about 5 months ago | (#46250793)

You are a pathetic creature.

Re:customer service portal (-1)

Anonymous Coward | about 5 months ago | (#46250925)

LOLZzz!!!! You a dick smoker too? Is that why you're so pissed off? I didn't expect faggotry from an Amiga fanboy. I normally chalk that up to the Linux faggots who shit on Android for being too commercial.

Re:customer service portal (0)

Anonymous Coward | about 5 months ago | (#46250927)

In such cases if you implemented the simple security solutions without telling them they would be none the wiser.

Re:customer service portal (0)

Anonymous Coward | about 5 months ago | (#46251191)

Used to put HBO HD into clear QAM

Raising concerns is easy (1)

damm0 (14229) | about 5 months ago | (#46250469)

Predicting which concerns will be used in an attack is the real game.

Re:Raising concerns is easy (0)

Anonymous Coward | about 5 months ago | (#46250621)

Every hole you close properly is one you know won't be used in an attack.

Predicting is easy. (1)

khasim (1285) | about 5 months ago | (#46250901)

The vulnerability used will be the easiest/first one that the attacker can find.

That sounds flippant but it is true. Most attackers won't even bother to map your network/systems. They'll just try whatever they have and use the first thing that works.

For many different clients (0)

Anonymous Coward | about 5 months ago | (#46250477)

None of them care about security unless you're willing to fix it for free...

Oh boy... Here we go... (1)

Anonymous Coward | about 5 months ago | (#46250481)

Posting as Anonymous Coward, for obvious reasons! (Hi NSA analyst! It's me again!)

Large company here, sales in the hundreds of millions of dollars.

Me: "OK, we need to make an audit of that B2B web application of yours... Something does not look quite right..."

VP: "What do you mean an audit? This application has been working without any problem for the past 3 years!! Stop bothering me with your lame ass paranoia, you slacker!"

Me: "Errr... One of your main clients just contacted me, and wanted to know why every order he has ever made through that site can be downloaded in PDF from this directory? Unencrypted?"

VP: "Still not a major problem! Let me know when you have something serious!"

I still work there by the way.

Re:Oh boy... Here we go... (1)

MightyMartian (840721) | about 5 months ago | (#46250581)

You know this isn't going to end well for you, right? You don't think the guys above you are going to pay for the inevitable breach and scandal. Oh no, they will all point the finger at you, and by the time the legal department has finished with you, you'll forget you ever had an asshole that wasn't six inches wide.

Re:Oh boy... Here we go... (0)

Anonymous Coward | about 5 months ago | (#46251177)

you'll forget you ever had an asshole that wasn't six inches wide.

Goatse see,

Goatse do?

Re:Oh boy... Here we go... (4, Informative)

nobuddy (952985) | about 5 months ago | (#46251019)

document, document, document. And keep copies where you can get them once you are frog-marched out of the building wearing the scapegoat collar.

Re:Oh boy... Here we go... (0)

Anonymous Coward | about 5 months ago | (#46251095)

In some environments, keeping documentation of any official communications off-site is a breach of your employment contract.

I smell lawsuit... (2)

achbed (97139) | about 5 months ago | (#46250485)

This has all the hallmarks of the beginnings of a civil suit for negligence, and if it can be proven that the flags were raised based on actual break-ins and were ignored, possibly criminal negligence. The only place in Target I'd want to be right now is in their legal office - they're gonna be putting in some overtime soon.

Re:I smell lawsuit... (1)

blueg3 (192743) | about 5 months ago | (#46250553)

This is a strange story, overall. Target is much more aggressive about computer security than other, similar companies.

I think they would not have a hard time demonstrating to a jury that they made efforts to secure their systems beyond the industry standard. Which makes one wonder what the context of this "they were warned" is.

Every single company (5, Insightful)

Tony Isaac (1301187) | about 5 months ago | (#46250489)

There are security concerns in every company, without exception. Obviously, even the NSA itself had inadequate security!

Yes, many times security concerns are brought up, and brushed off. But this is not necessarily an indication of a problem. Every security risk must be weighed based on the likelihood of occurrence, and the severity of the impact, should it occur. Many of these calculations are inexact, and must be based on incomplete information.

Should Target have protected themselves better? Probably. But hindsight is 20/20. The difficult part is to anticipate the problems that might occur, without crippling your organization through impossibly tight security.

Re:Every single company (1)

jbmartin6 (1232050) | about 5 months ago | (#46250503)

Spot on! What many security people don't get is that a business (or any person) accepts all kinds of risk every day. Just because a vulnerability exists does not mean it is wise to do something about it. There are always factors like cost and other types of resource contention. There are an infinite number of vulnerabilities; this does not mean that every one that isn't addressed is a "brush off".

Re:Every single company (2)

gtall (79522) | about 5 months ago | (#46251103)

Which is very comforting to punters who must trust a company with their credentials in order to do business with it.

One solution to mitigate risk is insurance. Companies should have to pay for security insurance. They cannot prevent every break in, but insurance companies have ways of evaluating and pricing risk. Customers would then at least have a shot at being made whole again.

Re:Every single company (2)

James-NSC (1414763) | about 5 months ago | (#46251157)

I’ll second that. When approaching management with security concerns, many of us fall short on being able to properly communicate with management regarding risk. While it’s helpful that management, specifically upper management, deal with risk every day, the downside to that is you have to present your risk to them in terms they can understand. Using the formula of:

Cost of failure * rate of failure = total cost of failure is actually detrimental to this approach, most notably because the rate of failure for an undiscovered/undisclosed security defect is quite small and yields a total cost of risk that is well within norms for most companies.

What you need to do is familiarize yourself with the upper management, specifically those through which you report up to the CEO, and understand the types of risk they deal with and – more importantly – the total costs of failure they find acceptable. Then, when approaching them – just by way of example - prepare a report which demonstrates this specific risk in terms they both understand and with a gravity that they appreciate. Never say “we could be hacked, it would be awful”, instead “when this defect is eventually discovered (include citations on the rate of remote network probes/scans), the resulting security breach will cost us $X to resolve, further (citations are handy) as this has been in the news lately, expect additional fallout in both news cycles and social media. Instead of facing $X in known risk, by investing $Y in prevention we can address this issue and improve (insert impact on project/product they are personally invested in).”

Lastly, never leave the rate of risk ambiguous – never leave it at “might, may, could or worse still, one in a million” – always represent those uncertainties with math: number of remote attack attempts over time. If your perimeter is anything like mine, it will be read by management as an eventual certainty and *not* like something that can be safely ignored as an unlikely “storm of the century” type event.

Re:Every single company (1)

msobkow (48369) | about 5 months ago | (#46251115)

Well clearly they didn't calculate the proper cost of their risk assessment, because this breach is going to cost them a hundred mill or so in the class actions and civil lawsuits that result. It'll take years for the payments to be issued, but it's a foregone conclusion that Target is going to pay through the nose for the breach.

Especially now that it's clear they were warned they were at risk of a breach and could have done something about it.

Where I come from, that's called "criminal negligence", and all the cost-benefit analysis in the world doesn't change that fact, because they did not do everything they "reasonably could" to protect the information.

Re:Every single company (1)

msobkow (48369) | about 5 months ago | (#46251149)

Most data privacy legislation I'm aware of says that you have to take all reasonable steps to protect the data. "Inconvenience for the staff" is not a legitimate excuse for not implementing those protections.

Close ties to the FBI (2)

silas_moeckel (234313) | about 5 months ago | (#46250501)

There is the problem that they are fairly computer illiterate. I've dealt with many FBI computer forensic specialists or whatever that are dumbfounded by a .tgz or unix line endings. Hire out of the Secret Service; they understand computers.

Re:Close ties to the FBI (-1)

Anonymous Coward | about 5 months ago | (#46250585)

I'd be surprised if anyone I met in person was not somewhat confused by a tape archive record gnu-zip file. Just the fact that you are still using tape archive format as a prerequisite to compression is dumbfounding. There are plenty of superior compression algorithms that maintain directory structure while also benefiting from random-access compression so you don't need to uncompress the whole bundle to get what interests you.

FBI troll (1)

mveloso (325617) | about 5 months ago | (#46251163)

Yeah, let's install winzip on all our unix systems so we can use Windows Explorer to view the archives. What, winzip doesn't work on unix? Then let's install WINE so we can use WinZip and Windows Explorer together!

Problem solved!

Wait (-1)

Anonymous Coward | about 5 months ago | (#46250519)

Target knew it was gonna be a Target?!?!?

"Does it make us money?" (0)

Anonymous Coward | about 5 months ago | (#46250523)

They'll run with the vuln until they get caught. It's a risk worth valuable money.

Why are you surprised? (2)

benjfowler (239527) | about 5 months ago | (#46250537)

Stupid cookie-cutter MBA pindicks.

They were the jocks in school who got ahead because of their aggro and ego, but not their brains.

Guess what? They're now our bosses.

Re:Why are you surprised? (0)

Anonymous Coward | about 5 months ago | (#46250833)

Certain cultures have and need to be nurtured. Otherwise the appetite for profits becomes a target itself. Hack em...

Re:Why are you surprised? (0)

Anonymous Coward | about 5 months ago | (#46250947)

Yep head right into the MBA bashing. That's all you simpleton aspie code monkey virgins can ever do. See? I can generalize and stereotype too.

You consider yourself smarter. Then fucking act like it shit cock.

Re:Why are you surprised? (0)

Anonymous Coward | about 5 months ago | (#46251133)

The difference between a successful MBA and a failure: they both are failures, but the successful one delegates everything.

Re:Why are you surprised? (0)

Anonymous Coward | about 5 months ago | (#46251147)

MBA here, with over 15 years of experience as an engineer (having done some cool shit, I might add). I couldn't agree with your sentiment more.

There are bozos everywhere, no matter what their background or education level.

You'd Be Amazed (5, Interesting)

The Other White Meat (59114) | about 5 months ago | (#46250545)

Years ago I worked for a government IT department. A vendor wanted us to try out a product. The device plugs directly into the Internet connection, and monitors every packet, in real time, looking for strings matching an array of string that you provide. We ran queries against our internal databases, and compiled a list of SSNs and CCNs. The vendor programmed that data into their device, which from what I can tell used an FPGA to perform deep packet inspections.

We expected that we might see maybe an email every week or two where someone accidentally sent that kind of information.

First hit occurred 12 seconds after turning the device on.

Second occurred .47 seconds later.

Etc. Etc. Etc.

Within an hour, we had overrun the quota on the network directory where we were logging this data.

We found hundreds of separate systems that were transmitting this kind of data without authorization. We were planning a massive internal sweep to find and fix them all, when the following came down from management:

Shut it down. Remove the device. Destroy all logs, emails, EVERYTHING. Offer the vendor a payment in return for signing an NDA. All employees required to sign secrecy docs (unenforceable at that level of govt, but still.)

I believe this is how the acronym SNAFU came into existence.
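The matching the post describes, as an added example that is not the vendor's device or the poster's own setup: a software scanner that runs the same kind of string search over constructed sample lines, validates card-number candidates with the Luhn check to cut false positives, and records only redacted hits (the SSN, card number and line contents are constructed; the card number is a common test number, not a real account).

```python
import re

# Constructed sample traffic lines, not captured data. The card number is a
# well-known test number that passes Luhn; the SSN is fictitious.
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1",
    "POST /hr/upload form: name=J. Doe ssn=123-45-6789",
    "mail body: please charge 4111 1111 1111 1111 exp 12/19",
    "mail body: order id 4111111111111112 (not a card)",
    "ticket: phone 555-123-4567",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in
# a longer digit run.
CCN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS with the area/group/serial values the SSA never issues excluded.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_lines(lines):
    """Return (line_no, kind, redacted_value) for each sensitive value found.

    Only the last four characters are kept so the scanner's own log does not
    become a second copy of the data it is looking for.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for m in CCN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append((n, "CCN", "*" * (len(digits) - 4) + digits[-4:]))
        for m in SSN_RE.finditer(line):
            hits.append((n, "SSN", "***-**-" + m.group()[-4:]))
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(hit)
```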

Re:You'd Be Amazed (1)

Anonymous Coward | about 5 months ago | (#46250615)

Non-technicians who make it to the domain of upper management (or governance, in this case) live in a world where appearances are *far more important* than reality.

We, as technicians, tend to regard that as silly. We know darn good and well the kind of risk weaknesses like this pose, the kind of harm that can be caused, and the kind of storm that can be unleashed when the vulnerability is exploited.

But to the politician (public or private) those are *and must be* secondary concerns. His success, and his reputation, are *entirely* a function of perception. So hiding such dirty secrets is far, far more important than addressing the issues... especially when there is any kind of plausible deniability available after the truth comes to light.

People respond to their incentives. For those who serve short terms, they have no incentive to fix any problem that can be blamed on those who came before, or can be passed on to those who will come after. They have every incentive, however, to lie about, well basically everything.

SSNs? (0)

Anonymous Coward | about 5 months ago | (#46250695)

We ran queries against our internal databases, and compiled a list of SSNs and CCNs.

Everything one does with the Government - Taxes to job applications - requires one to enter their SSNs, put it on forms and even put it on their resumes. If HR was sending Resumes to managers or forms or anything, of course that software had all those hits.

In other words, from what I can see, unless there is a policy to remove SSNs or CCNs (whatever those are [wikipedia.org] ), I don't see what the deal was outside of the requirement that everything needs an SSN - which is by law, so it's Congress' fault there.

Re:SSNs? (0)

Anonymous Coward | about 5 months ago | (#46250861)

CCN = Credit Card Number, even if you were just being pedantic.

Why not ask what SSN means? I mean, who really cares if someone finds out the Name of the Secondary School one attended?

Re:You'd Be Amazed (1)

Joe_Dragon (2206452) | about 5 months ago | (#46250885)

It was cheaper to cover it up than to fix all of the systems that were transmitting that data; it likely was more than just an internal sweep, but all of the testing / new hardware / software needed to pull it off.

Re:You'd Be Amazed (1)

wiredlogic (135348) | about 5 months ago | (#46251059)

The vendor wouldn't have been Acxiom by any chance?

Community? (-1)

Anonymous Coward | about 5 months ago | (#46250593)

Wait I thought we were your audience? Make up your mind, Slashington shazbot.

Basically, yeah (4, Interesting)

Anonymous Coward | about 5 months ago | (#46250607)

I got my first job in the industry due to that sort of screw-up. A network administrator was "let go" following a server crash and loss of months' worth of data. The backup system hadn't been working. I was hired shortly thereafter to get things back in order.

Now, that would be the end of the story, except that I was good friends with this administrator. The embarrassing subject of his dismissal didn't come up for about three years, but when it did, and I mentioned my surprise at a fairly intelligent guy allowing backups to lapse for that amount of time, he dug up an e-mail he'd sent to the president of the company, cc'ing the head of HR (who was more or less running the show, for some reason), pointing out the various problems they had - their "server," an old workstation, had been running for two years on a three-month evaluation copy of Windows Server 2000, there were no backup tapes working, and so on. The only excuse they could have had was that the backup thing was buried in a page-long list of serious issues. But when it blew up in their faces, they pinned it on the closest available peon. Assholes.

Re:Basically, yeah (5, Informative)

nobuddy (952985) | about 5 months ago | (#46251107)

So... where do I know you from?

You could have described my one and only firing ever, to the word.

Me: "Boss, Beancounter- this backup system is broken and needs to be fixed. here is a cost breakdown for the fix and a loss analysis for failure to fix. It is genius and incorporates existing links and hardware to minimize cost and implement offsite backups for all sites!"
Boss: "Shut up and go fix a printer somewhere."

Fast forward a year- major crash of a POS server. Loss of customer records, $300,000 and 6 months predicted to be spent reconstructing the database from paper records.

Boss: "You are fired for letting this happen."
Me: "...."

I can safely speek for all here (1)

cfulton (543949) | about 5 months ago | (#46250613)

We have all recognized security breaches or system vulnerabilities and been given the brush off. Nobody in the business world wants to be proactive. If a business has never been hacked then security will remain lax until that company is finally hacked. Even then most companies will just do enough to take away (or make it seem that they have taken away) that particular attack vector. (Hope nobody minds that I spoke for all of us).

Re:I can safely speek for all here (1)

cfulton (543949) | about 5 months ago | (#46250633)

Damn but that posted before I fixed it speak not speek.

Happens all the time (2)

dave562 (969951) | about 5 months ago | (#46250619)

This is a frequent occurrence. I used to get upset about it. These days I have seen enough of these exact type of situations blow up that I am content to document my observations, report them to the appropriate people (always a direct supervisor), and then move on with my life. When things blow up, I am covered.

Situations like this are why, although I understand security, I will never work in a security position. There is too much risk and liability, and not enough support.

Many companies have terrible security (0)

Anonymous Coward | about 5 months ago | (#46250625)

A lot of companies flat out ignore security concerns and think that a simple firewall is sufficient and the latest security setup. I worked for a company that was storing a lot of PII and had basically no security (let alone understanding of security). They wanted to render arbitrary images received through email and I had to explain to them that images in fact can contain viruses and other bad things.

Here's what happened when I tried (1)

HangingChad (677530) | about 5 months ago | (#46250627)

I picked up maintenance of an application that had been built by one of the military business units. For the longest time I couldn't figure out how it was passing user credentials and session state, until I found it all contained in a 2,000 character URL string. That string included the administrator username and password, in plain text.

Instead of being grateful that I raised a red flag on the application security, they tried to insinuate that I was blaming the previous developer. They also insinuated I was being unethical.

That's what happens when you try to do the right thing.

Re:Here's what happened when I tried (1)

Anonymous Coward | about 5 months ago | (#46250961)

Reminds me of a developer that implemented single sign on integration of two web apps by writing out a cookie with the user's email address, and then checking for that cookie in the other app. I advised them that you can create that cookie easily in your own web browser, and he didn't think that anyone would think to try that so it wasn't a risk.

Same guy had another webapp that let you list root files by adding a series of "/../" to the URL, as it was designed to show links for all the files in a folder.

Both webapps were WAN facing.
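The two flaws in the post, as an added example that is not the developer's code: the forgeable e-mail cookie beside an HMAC-signed, expiring cookie that only the issuing app can mint, and a folder listing that canonicalises the requested path and refuses anything outside the configured root. The secret and directory layout are constructed for the demonstration.

```python
import hashlib
import hmac
import time
from pathlib import Path
from typing import List, Optional

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-not-for-production"


def make_weak_cookie(email: str) -> str:
    """The pattern from the post: the cookie is just the user's e-mail."""
    return email


def verify_weak_cookie(cookie: str) -> Optional[str]:
    # Nothing ties the value to the issuing app, so anything a browser sends
    # is accepted as a logged-in identity.
    return cookie or None


def make_signed_cookie(email: str, ttl_seconds: int = 600,
                       now: Optional[int] = None) -> str:
    """email|expiry|hmac: the tag covers both fields, so neither can be edited."""
    now = int(time.time()) if now is None else now
    payload = f"{email}|{now + ttl_seconds}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_signed_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    now = int(time.time()) if now is None else now
    try:
        email, expires, tag = cookie.rsplit("|", 2)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{email}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; check the tag before trusting any field.
    if not hmac.compare_digest(expected, tag):
        return None
    if not expires.isdigit() or int(expires) < now:
        return None
    return email


def safe_listing(base_dir: str, requested: str) -> Optional[List[str]]:
    """List a folder under base_dir, or None if the request escapes it."""
    base = Path(base_dir).resolve()
    # Strip leading slashes so Path does not treat the input as absolute,
    # then resolve so any "/../" segments are collapsed before the check.
    target = (base / requested.lstrip("/")).resolve()
    if target != base and base not in target.parents:
        return None
    if not target.is_dir():
        return None
    return sorted(p.name for p in target.iterdir())
```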

Blown Out of Proportion (2)

organgtool (966989) | about 5 months ago | (#46250639)

I'm sure that Target will address the issue by firing all of the management that brushed off the security researcher's concerns and will promote that security researcher to the head of a new task force aimed at increasing their security and give him a huge pay increase (and maybe a pony).

Re:Blown Out of Proportion (0)

Anonymous Coward | about 5 months ago | (#46251069)

And permit him to gallop down the halls on that pony..

No Shit (1)

EMG at MU (1194965) | about 5 months ago | (#46250645)

God fucking dammit everyone knew this. This happens everywhere. I have been a professional software engineer for less than 5 years and this has happened several times to me.

But what really irks me is the testimony [reuters.com] that retailers' CTOs gave before congress.

Neiman Marcus CTO:

"I think what we've learned ... is that just having the tools and technology isn't enough in this day and age," Neiman Marcus Chief Information Officer Michael Kingston told the panel. "These attackers again are very, very sophisticated and they've figured out ways around that."

Translation: "We did everything we possibly could, those hackers are just too damn smart. You should probably pass some laws to make knowing how to hack illegal."

Target CTO on if they knew about the attack before they were notified:

"Despite significant investment in multiple layers of detection that we had in our systems, we did not," Mulligan replied.

Translation: "It isn't that we got caught with our pants down, we were doing our best, honest!"

There is just no accountability! Why were there even congressional hearings if congress didn't even do an investigation and call in experts to find out why Target fucked up so badly? Senator Tech. Illiterate (D) and Representative STICKYKEYS (R) don't know enough to call bullshit.

There is no penalty for ignoring your engineers when they bring up problems. Investing in security is a well known joke amongst CTOs. Target's bottom line isn't going to be affected by this in a year. The business world learned a lesson recently: you can lose 100 million people's credit card data and nothing bad will happen.

Now You Have an Example to Point to! (1)

Koreantoast (527520) | about 5 months ago | (#46250685)

Can't speak to Target, but for future people who are in this predicament, now you have a great case study and example to point to!

Asking the Wrong Question (1)

LifesABeach (234436) | about 5 months ago | (#46250691)

Given that all that was done was to re-issue credit cards to the 45% of Americans affected, what does Target have to pay? And so what if a fine is paid? The end result is, "What do you remember?" Try Target, and Credit Card. How much is that free advertising worth? Billions?

Duh... (1)

Virtucon (127420) | about 5 months ago | (#46250701)

There will be reports, studies etc. that all pointed to this retarded situation within Target. Cripes, any myopic goofball from Deloitte or Accenture could have spotted the problems from 1000 miles from space but it just goes to show how stupid management can be because ultimately it'll wind up on their doorstep. You'll obviously have a few sacrificial lambs too from the cyber-security team and management and bad news for other companies they're probably updating their resumes now. Yes retarded security professionals are available for hire in your area! Shit, we're screwed.

There's probably holes in their infrastructure that you could drive a truck through. How the hell can an HVAC contractor's credentials be used to eventually access their payment infrastructure? It's absurd, and in and of itself points to the fact that these idiots were doing it wrong and should be fired. Of course there will be fines from the Feds and those banks that have now had to deal with all the card re-issuing and the credit monitoring. I've had two cards swapped out by my bank because I shopped, one time, at Target during the supposed breach window. I haven't been back since and that in and of itself will probably do the most harm to them because if they're not secure with my data, especially payment information, then I won't be a customer.

Every company has a chicken little (0)

Anonymous Coward | about 5 months ago | (#46250709)

This exact same story could be told at any company that has been compromised. There is always someone in security trying to push management for investments in security. It is very difficult as management to determine the real need, because clearly the real need is not the $ and resource amount security is proposing, and not zero either.

this is what you get with outsourcing / contractin (2)

Joe_Dragon (2206452) | about 5 months ago | (#46250723)

When you have lots of outsourcing / contracting / subcontracting they don't want to pay the costs of doing stuff right; no, they want fast / cheap.

I quit my job (1)

Bender Unit 22 (216955) | about 5 months ago | (#46250757)

We had complex installations of Linux servers that were so old that patching them often required a lot of work to be able to compile the fixes.
After a steady flow of layoffs and cut downs, I was no longer able to keep up with even just the maintenance tasks and the list of critical things that needed fixes grew longer. And forget about trying to find time to do proactive things like planning new systems or capacity planning, since I now had to do everything myself.
So I had informed my bosses of the problems, even had it in writing although I hate that CMA crap. But I ended up quitting because even though a hacked web server would not be my fault, I just could not sleep well at night.

Of course then there also was the problem with the rest of the company growing tired of the lack of progress and quality of the IT department. They quickly forgot that the staff had been reduced to half and still expected the same service they got earlier on even though the official word was that everyone would be understanding that we didn't have time to do as much as we used to.

They offered me a raise if I stayed but it was really not about the money but about my health.

Yes (0)

Anonymous Coward | about 5 months ago | (#46250759)

Dutch government tax system; only specific (high clearance) government employees should be allowed to see income info for VIPs (celebrities, high officials, etc.). Instead, anybody who could access non-VIP info could bypass this additional authentication without effort.
Warned multiple officials about this, none of them found it important enough.
This was a few years ago, so it may have been fixed. Then again; the leak was already in there for a few years when I found it.


All the time (1)

Anonymous Coward | about 5 months ago | (#46250835)

I have brought up several cases like this to various employers over the years. Typically it is just shrugged off. A couple of times I've basically been called a liar (probably so they can pretend ignorance of the problem if a breach happens). Sometimes I can understand management not wanting to tackle security matters; there is a cost/benefit balance to be made. But sometimes I have pointed out a serious flaw that would have no side-effects if we fixed it and offered to do the work on my own time. The result was I was shot down and told to leave the issue alone. That bothers me and I cannot figure out why management would intentionally want insecure machines running when a fix would be cheap and easy.

Typical Navy Response (2, Interesting)

Anonymous Coward | about 5 months ago | (#46250877)

As a former US Navy nuclear engineer, I informed management of material and procedural problems related to the nuclear reactor plant on board the USS La Jolla on a weekly basis. Have you ever gone to your boss with a technical manual that perfectly explains the "unexplainable problem" he's having, have him brush you off, and less than a week later that problem destroys a major system, causing millions of dollars in damage and endangering the entire ship? I have. I'm pretty sure none of my complaints were ever addressed except on the one or two occasions where I threatened to bypass management and complain to a newspaper. That's pretty standard Navy leadership. When you're dealing with a culture where everyone starts at the bottom, the best and brightest leave, and whatever's left gets promoted, that's the kind of technical management you get.


Just Desert (1)

Anonymous Coward | about 5 months ago | (#46250923)

About 10 years ago, among other bad practices, managers in this one department of SAIC had a single FTP account that was shared by many personnel, and even outside parties, which was used as a dropbox of sorts. Essentially some very sensitive data was easily accessible to many people who shouldn't have access to it. Customers could see other customers' data, etc. I had mentioned it was a bad idea, but didn't push it, as previously when I had taken a hard line about handling of some other usernames/passwords in the past (leaving the entire staff's Windows names/passes on a printout on a table for anyone to see), I nearly got fired because the managers were offended that I told them it was a terrible practice.

A couple of years after I left, I heard that someone (probably one of our military clients) found out this FTP account was going on, and things hit the fan. SAIC brought in a bunch of lawyers and interviewed the dozen or so staff in this department under the premise of "protecting the employees' interests". After about two weeks of this, they cleaned house and fired every last person in the department.

Need a poll (1)

SeanBlader (1354199) | about 5 months ago | (#46251129)

How many of you have been brushed off by management for what you thought were serious safety or security concerns? I know I've been there for both cases. Management, however, was more interested in other stupid crap than doing things right.

Maybe we're an outlier, but... (1)

Anonymous Coward | about 5 months ago | (#46251167)

I find things like XSS, CSRF, etc. during my normal line of work, report them, and they get fixed. 80% of the time that I find these things in our web apps, it's due to a developer "duh", and it gets fixed during the testing cycle of the app, BEFORE the app is in production.

I don't deal with retail/POS systems, but I do deal with web apps that have financial and/or personally identifiable information processed through them, and in my experience, management has a very mature attitude toward these kinds of things. First of all, when the shit hits the fan, nobody gets fired. Second, the team generally treats security defects in two categories: exploitable, and best practices. If it's exploitable, there's usually a fire drill to get it fixed and updated on the live site ASAP (or if the vulnerability isn't live, ensure that it's fixed before it goes live). If it's not directly exploitable, sometimes it goes into production with "weaknesses" or "best practices" issues, and remains that way for several years sometimes until it's fixed. Note that some of these weaknesses can lead to breaches if they are combined with other weaknesses or exploits, but in general, there needs to be some kind of injection, XSS or CSRF vuln as an entrypoint, and these three classes of exploits are treated very seriously and expeditiously addressed.

Maybe we're an outlier, but we pay people to test for security issues and we react to them in a mostly sane way. I haven't ever heard of someone getting brushed back or told to hush if they find a security problem. Worst case, you report it and the risk assessment folks decide that the risks are not great enough to warrant the effort of fixing it -- but that entire decision-making process is recorded, so if it blows up in their face, we know who to blame.

Couple of common sense observations. (0)

Anonymous Coward | about 5 months ago | (#46251189)

1: Target is paying for new cards and for any fraud perpetrated by the cards that got hacked because the card carrier network sure as hell ain't going to be paying for that; they have the numbers used at Target, it's a quick SQL query for them and then you cross-reference costs of successful chargebacks. Target is being told in backroom meetings either they pay or they get dropped. And believe you me, they will pay, because if they get dropped, business will either switch to another network or more than likely go where their card is taken. Imagine if tomorrow Visa dropped Target. Would you go get a MasterCard to shop at Target or just go to Wal-Mart?

2: There's a concept of 5 nines for security as well, and most companies buy 3. Unless you are a bank you are not buying 5. The additional 9 is a clean double to quadruple of cost, and one of the things you do as a business is you buy 9's until the insurance company tells you to stop. Also, their business insurance just doubled.

3: The market is more than capable of using the courts to clear small-scale financial fraud. I hope you realize, Involving congress in most things these days has negative results.

4: If I were in Target's IT department I'd be job shopping right now, because the first thing execs do is blame everyone down the hill. I repeat: it does not matter if you have CYA Material, if the blame falls on the CTO, they'll find a way to make it your fault. Lookit all those IT positions open on their website (hint: search for business analyst). They just cleaned house.

http://targetcareers.target.com/search?q=IT&filter=true&locale=en_US&title=analyst

5: Businesses always skirt spend on security because the cost justification is just not there. I will guarantee you nobody in their IT department ever called up VISA and asked them what the cost would be of a complete breach, and stuck the e-mail into a PowerPoint. At best you're the hardest target and get some business when your competition gets hacked.

Not where I work. (0)

Anonymous Coward | about 5 months ago | (#46251197)

I have never experienced this. It's mostly because if we DID have a security flaw, the implications would be far worse than stolen credit card numbers. Think hacking/controlling critical infrastructure. If I think there is a security flaw, I will be taken seriously.

The bad side of this is that we have some pretty paranoid information systems and policies in place which can interfere with productivity, but usually we can find reasonable tradeoffs and accommodations to make everyone mostly happy.

Two ways of looking at it (1)

swb (14022) | about 5 months ago | (#46251221)

There's the default way -- self-absorbed managers deliberately ignoring and not understanding security warnings, wanting to keep earning bonuses for all the money they saved, etc.

Then there's the alternate explanation, IT security people seeing threats without any conclusive proof, wanting to spend a metric ton of money, expand their empire and cause a bunch of disruption that might not even accomplish anything but create chaos and complexity.

I've seen both. It's easy to see how this could be a combination of both with neither side really able to claim they were right. While there were obviously security problems, were these specific vectors the ones the security people saw? Or did they want to go on some kind of fishing expedition with little to show for it or implement a bunch of costly changes "because security"?

While management is easy to caricature as self-serving and incompetent, Target is generally a well-run company and it's hard to see their management purposefully ignoring concrete security weaknesses that could cost them maybe billions.

My guess is it's probably a long-term case of all of the above. Too many managers exposed to 3Li73 53CUrI7y who just made things difficult with no concrete improvements or any attempt at usability, and too many hard-working IT/security people who put up with managers that cover for weak security simply because they don't understand it and don't want to spend the money to fix it because it will cost them either personally or professionally.
