Target 5.5


Yvone Samiento

Jul 25, 2024, 9:10:05 PM7/25/24
to libxbee

Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third-party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.

Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores.

These were essentially compromised computers in the United States and elsewhere that were used to house the stolen data and that could be safely accessed by the suspected perpetrators in Eastern Europe and Russia.

It remains unclear, when the dust settles from this investigation, whether Target will be liable for failing to adhere to payment card industry (PCI) security standards, violations that can come with hefty fines.

In any case, Litan estimates that Target could be facing losses of up to $420 million as a result of this breach, including reimbursement associated with banks recovering the costs of reissuing millions of cards; fines from the card brands for PCI non-compliance; and direct Target customer service costs, including legal fees and credit monitoring for tens of millions of customers impacted by the breach.

Target may be able to cover some of those costs through a mesh network of business insurance claims. According to a Jan. 19 story at businessinsurance.com, Target has at least $100 million of cyber insurance and $65 million of directors and officers liability coverage.

Fazio Mechanical Services, Inc. places paramount importance on assuring the security of confidential customer data and information. While we cannot comment on the ongoing federal investigation into the technical causes of the breach, we want to clarify important facts relating to this matter:

Like Target, we are a victim of a sophisticated cyber attack operation. We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections, making them less vulnerable to future breaches.

Best guess for a company with around 2,000 locations and 360,000+ employees is that it got dumped on a network segmented from the payment network but with wide access to their internal corporate network. That would remove the PCI 2-factor requirement and allow that RDP server to access the other AD resources it needs to perform its intended functions.

A classic PCI whitepaper from a QSA talks about how they owned the entire internal network from the Internet via a pen test, undetected and in short order, but found the PCI zone bullet-proof. Nothing they did would allow them to break in, and almost everything they tried generated an alert, unlike the internal network. Separate accounts, separate AD forest, you name it, they did it right.

With regards to the comments about whether yet another security product could have detected the intrusion I have two observations. These are not directed at the posters so please do not take offense.

I am not confident in what Avivah Litan states regarding PCI applicability, though her statement may have been taken out of context. Take a look at requirements 7 and 8 of the referenced PCI document; requirement 9 is applicable in a sense, albeit it is regarding physical access. Anyone who has done PCI DSS for an ASV (Approved Scanning Vendor) has read this document at least once in its entirety and references it often during certification and scans. Moving on, these requirements in PCI DSS (and other regulatory compliances) are difficult for an ASV to audit simply because a vendor's word may be the only verification that is possible. We can make speculations and do finger pointing, but ultimately it is the responsibility of the vendor to monitor and audit their own network and the individuals that have access.

After visiting Target yesterday, I became concerned after they scanned the back of my driver's license (which I believe is called a PDF417 barcode, to comply with the Real ID Act). They did this because I did not have a receipt for my return. I understand that they are tracking individuals for fraud purposes, but why is all of the information on the license required?

Thank you again, JJ. It was indeed my fault for handing over my license. It was a deer in the headlights moment after realizing they were scanning the license, versus manually taking information from it. Well, lesson learned.

Great discussion. I did not see any mention of File Integrity Monitoring. PCI requires FIM to be in place, and I was wondering whether this would have alerted that something was going on. Appreciate your thoughts on this.

FIM will catch the dumb criminals. No good malware nowadays ever touches disk except maybe to store files in a system temp folder and nobody monitors a temp folder. If it never touches the disk, FIM is blind, deaf and dumb.

Thanks, JJ. Given the increased sophistication of malware, how do security practitioners defend against RAM-scraping attacks, as is alleged to be the case in the Target breach? Is chip and PIN implementation the solution? I believe that companies spend a lot of money to secure the perimeter of their network but ignore internal network security such as segmenting their networks, i.e. a defense-in-depth approach. Plus, running on old, outdated technology makes them easy targets for criminals.

Rupert asks how to defend from a RAM scraper. The answer is to encrypt at the swipe. Then you have to worry about the recent threat of hackers who substitute their device for yours, but this is easier than defending card numbers.

As far as I am concerned, the problem lies squarely with the processors. They have had end-to-end encryption for their standalone counter machines for many years, but they still drop the ball at the outside edge of the merchant network for POS-based systems. There is no excuse for it, except that they are never the ones fined.

Would implementation of chip and PIN and P2P encryption prevent such an attack? I have read that this attack would not be successful if the above was in place. Is this true? Does this mean that the data is never in the clear from start to finish of the transaction processing? Any feedback, comments or information on this would be appreciated.

Thanks for your response, JJ. EMV looks like the real deal along with P2PE encryption. Given that this is a very secure method of processing payments, do we really need FIM if this is in place? I guess PCI will waive this requirement as well. I do agree with you that criminals will move to targets that are easier to exploit. A cop told me once that if you have a home alarm system installed, burglars may just try a home without one and skip your home.

The RoC is submitted to the relevant card brand for their determination of whether it is acceptable. They can reject it or reject the compensating controls listed in it. They also can accept it as-is.

Target CPA bidding is an automated bid strategy that sets bids for you to get as many conversions or customer actions as possible. When you select the Target CPA (cost-per-action) bid strategy, you set your desired average cost per conversion. Google Ads uses your Target CPA to set a bid based on the likelihood of the ad to convert.

Target CPA bidding automatically finds an optimal bid for your ad each time it's eligible to appear by using historical information about your campaign and evaluating the contextual signals that are present at Google Ads auction-time.

Some conversions may cost more than your target and some may cost less, but altogether, Google Ads will try to keep your cost per conversion equal to the target CPA you set. These changes in CPA take place because your actual CPA depends on factors outside Google's control, like changes to your website or ads or increased competition in ad auctions. Additionally, your actual conversion rate can be lower or higher than the predicted conversion rate.

For example, if you choose a target CPA of $10 USD, Google Ads will automatically set your bids to try to get you as many conversions as possible at an average of $10 USD each. To help improve your performance in every ad auction, this strategy adjusts bids using real-time signals like device, browser, location, time of day, remarketing list, and more.

Explanations give you insights into large changes in your Google Ads account performance. If you find a significant fluctuation in performance for a Search campaign or ad group using target CPA strategy, explanations help you quickly find out why it happened.

If your campaign has historical conversion data, Google Ads will recommend a target CPA. This recommendation is calculated based on your actual CPA performance over the last few weeks. The calculation also accounts for traffic so average targets may vary slightly based on the traffic in the places where your ads show.

The Include in "Conversions" setting lets you decide whether or not to include individual conversion actions in your "Conversions" and "Conversion value" reporting columns. The data in these columns is used by bid strategies like Target CPA, Target ROAS, and ECPC, so your bid strategy will only optimize based on the conversions that you've chosen to include.

Unlike bid adjustments for manual CPC, your bid adjustments for Target CPA modify the value of your CPA target, rather than the bids themselves. For best performance, you may want to remove your manual CPC bid adjustments when switching to Target CPA.

20+ Potential New Drugs: A strong drug development pipeline is our best hope for the creation of lifesaving treatments. Continuing to add new promising targets translates into many more opportunities to discover truly effective treatments.
