copy paste error?
Third parties were also to blame one way or another for third parties for other high-profile breaches against retailer Target and bank JPMorgan.
Or do I need a pint or two?
Hackers gained access to Home Depot's network via a third-party vendor system, according to preliminary results of an investigation into the September mega-breach. Cybercrooks used access to the US retail giant's network gained via ineffective password security at an unnamed third-party vendor's system to run a stepping-stone …
If an external company running their HVAC had 1000s of bits of kit connected to the same network that ran the POS machines - the weak passwd wasn't exactly the problem.
It's like saying that we have had thefts by our own security guards so we are changing the color of their uniforms.
As was suggested, rather obliquely above, putting vendor crap onto their own DMZ is trivial.
Enforcing password complexity within one's enclave is best practices (as is putting foreign things not related to one's day to day business operations on their own DMZ(s)).
So, what does each instance of breach tell us? Not a damned one of those organizations passed a proper audit.
Hence, are legally culpable for any damages suffered by consumers injured by their lousy practices.
Back when I was a system and network administrator, I followed best practices. I did so not for some altruistic reason, I did it simply because I'm lazy and didn't want to have to work recovering from a breach.
"Back when I was a system and network administrator, I followed best practices. I did so not for some altruistic reason, I did it simply because I'm lazy and didn't want to have to work recovering from a breach."
Not to mention that failing to do so may leave you open to legal action AND your liability insurer refusing to pay out.
I bet the tills are on a network cable - any one of which could be unplugged to allow the hacker access to the network.
Also - I call B$ on 'custom malware' - I bet they were running unpatched PCs with out-of-date AV - any old malware would have done.
And the fact they were able to do privilege escalation also means they were able to very easily either sniff weakly encrypted passwords off the wire, or more likely execute an exploit against a server and scrape the Admin password off there - which more likely than not, was the same account on all servers.
"I bet the tills are on a network cable - any one of which could be unplugged to allow the hacker access to the network."
This is something which repeatedly surprises me (but shouldn't) - seeing POS terminals in large retailers unattended and with the network cable connection sitting in plain sight on the customer side of the device where it's trivial to interfere with it.
At the very least a locking connector should be used.
The natural firewall in the system should be to have the barcode scanner and associated computer kit attached to the network - the worst that happens here is that customers get charged the wrong price. The checkout operator should then read the total off the screen and enter it into the card-reading system, which is entirely separate from the other network and the customer can verify the amount.
Of course, they still need a proper security protocol and decent network for the card readers, but there's no reason for all their suppliers to be talking to that network - it's a machine in a locked room with secure access to the card companies for verification and links to all the card readers in the store. The network switch should enforce MAC address validation to raise the bar a bit higher, and I'd even go as far as putting in a mechanism that noted when a terminal goes off-line and requires manual intervention to put it back with a security code. This gives some line of defence against a terminal being unplugged and the MAC cloned - the attacker it still won't get to talk to everything else until another step has been completed.
Security could be a lot better than it has been to date, and hopefully the big retailers with centrally-managed systems are starting to realise that it's cheaper than dealing with a security breach.
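As an added illustration of the mechanism the commenter proposes (this is example code, not the commenter's and not any retailer's system), the model below registers one MAC per switch port on the card-reader network, quarantines a port as soon as its link goes down, and keeps it quarantined even for frames carrying the correct MAC until an operator re-enables it with a code. The port names, MACs, secret and the HMAC-derived reinstatement code are all constructed assumptions.

```python
"""Added example: port-level MAC validation plus link-down quarantine for a
card-reader network. Names, MACs and the secret are constructed, not real."""
import hashlib
import hmac


class CardReaderSwitch:
    def __init__(self, port_to_mac, reinstate_secret):
        self.port_to_mac = {p: m.lower() for p, m in port_to_mac.items()}  # port -> registered MAC
        self.quarantined = set()        # ports waiting for manual re-enable
        self.secret = reinstate_secret  # shared with the operator's code generator (assumption)
        self.events = []                # audit trail for whoever monitors the store network

    def link_down(self, port):
        """A terminal was unplugged: the port stays blocked until reinstated."""
        self.quarantined.add(port)
        self.events.append(("link_down", port))

    def accept_frame(self, port, src_mac):
        """Forward only if the port is live and the source MAC is the registered one."""
        if port in self.quarantined:
            self.events.append(("denied_quarantined", port, src_mac))
            return False
        if self.port_to_mac.get(port) != src_mac.lower():
            self.events.append(("denied_mac_mismatch", port, src_mac))
            return False
        return True

    def expected_code(self, port):
        """Per-port reinstatement code derived from the operator secret (constructed scheme)."""
        return hmac.new(self.secret, port.encode(), hashlib.sha256).hexdigest()[:8]

    def reinstate(self, port, code):
        """Manual step: clear the quarantine only with the right code."""
        if port not in self.quarantined:
            return False
        if not hmac.compare_digest(self.expected_code(port), code):
            self.events.append(("reinstate_bad_code", port))
            return False
        self.quarantined.discard(port)
        self.events.append(("reinstated", port))
        return True


def demo():
    """Walk through unplug -> cloned-MAC attempt denied -> operator reinstate -> traffic flows."""
    sw = CardReaderSwitch({"g0/1": "aa:bb:cc:00:00:01"}, b"constructed-operator-secret")
    sw.link_down("g0/1")                                      # terminal unplugged
    cloned = sw.accept_frame("g0/1", "AA:BB:CC:00:00:01")     # right MAC, but port is quarantined
    wrong = sw.reinstate("g0/1", "00000000")                  # wrong code does not clear it
    ok = sw.reinstate("g0/1", sw.expected_code("g0/1"))       # operator enters the real code
    back = sw.accept_frame("g0/1", "aa:bb:cc:00:00:01")       # registered terminal works again
    return cloned, wrong, ok, back


if __name__ == "__main__":
    print(demo())
    # -> (False, False, True, True)
```

The point is the ordering: MAC validation alone only raises the bar, because a MAC can be cloned after the cable is pulled; the link-down quarantine turns that unplug into an event that a person has to clear, and every denied frame lands in an audit trail rather than silently disappearing.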
That's probably going to happen when someone turns over the keys to their security infrastructure, by outsourcing portions of it. Outsourcers are forced into unrealistic SLAs and implementing policies and security schemes much faster than they should be, and if it's anything like I've seen at some of the large corporations I've worked for, people who haven't been adequately trained are attempting to tune a fairly complex system and hoping that it's all "fire and forget".
Finally, security infrastructures in large enterprises are not something you just turn on and walk away from. They're very high maintenance and they require appropriate levels of staffing, with people who have a clue and aren't managed by a bunch of fucking bean counters.
Yes, that. The company giving third parties access also has a responsibility to vet these third parties/make sure they abide by security policies, monitor for security intrusions and actually is responsible (versus its own clients) for everything that is done once logged in with that account.
But it makes nicer spin if you just repeat "third party" as if it wasn't their own shoddy IT security... it's just that it's not ONLY their own shoddy IT security.
It's not necessarily to do with bad passwords. Low-paid employees are often given the means to access a corporate network so that they can do any grunt-work that the suits don't want to do - such as when data entries or system changes becomes urgently necessary on a Sunday evening for example. Low paid employees can usually be bought for an affordable price - and telling someone a password would not make the average person feel terribly guilty about having committed a terrible crime.
Not for me, if I cannot pay by credit card then it defeats the purpose of carrying one. I don't like carrying a lot of cash, and pre-paid debit/credit cards have huge fees.
While Home Depot's security blunder is inexcusable, at least they did something right: they gave all customers (me included) one year of free credit monitoring, which is handy. At the end of the year, I will change my card.
It's probably some company that makes shovels or doorknobs, or they are a nursery that provides the chrysanthemums that Home Depot's garden department sells. When you have a huge big-box store that sells tens of thousands of items, you have hundreds and thousands of suppliers, each of them a potential vulnerability. So given this, I have no idea why a SCM network needs to be so insecure that someone from the shovel supplier can come in through SCM and ultimately infect the POS.
Using a strong password does help a lot even against the attack of cracking the leaked/stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses.
At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
"Enterprises should adopt 2 factor authentication for vendors who require access to their corporate networks and applications"
This. Standard, off the shelf technology. At this stage, failure to use 2 factor authentication for remote access by associated companies isn't surprising, it's just pathetic.
RE: "Let’s be clear: this is not hacking, this is routine activity that looks like normal behaviour."
If downloading 53 or 56 million accounts is "normal behaviour" on your network you should fire your security staff and start fresh. Access control is about classification, categorization, and rate of flow. Audit controls should be established that address all three. (1) Do I trust this user for this level of sensitivity, (2) Does the category of data being accessed relate to the role held by this user, (3) Is the volume of data being requested consistent with the roles and responsibilities held by this user.
If you are exceeding authority in any of those categories via cyber means, you are not performing "normal behaviour" - you are hacking!
Gary Warner - UAB Computer Forensics
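The three audit controls in the comment above, applied to a few constructed access records, as an added example (not the commenter's code and not any real product's rules). The role policy, sensitivity levels, user names and record counts are all assumptions made up for the illustration; the one that matters is that a vendor account pulling tens of millions of customer records trips all three checks at once.

```python
"""Added example: the three access-audit questions from the comment, checked
per request. Policy table, categories and records are constructed, not real."""
from dataclasses import dataclass

# Constructed policy: role -> (max sensitivity level, allowed data categories, max records per request)
ROLE_POLICY = {
    "hvac_vendor":   (1, {"building_telemetry"}, 10_000),
    "store_manager": (2, {"sales", "inventory"}, 50_000),
    "dba":           (3, {"sales", "inventory", "customer_pii"}, 1_000_000),
}

# Constructed classification of data categories into sensitivity levels
SENSITIVITY = {"building_telemetry": 1, "inventory": 1, "sales": 2, "customer_pii": 3}


@dataclass
class AccessRecord:
    user: str
    role: str
    category: str
    records: int       # rows returned or exported by this request


def audit(rec):
    """Return the control violations for one access record (empty list = clean)."""
    if rec.role not in ROLE_POLICY:
        return ["unknown_role"]          # no policy means no trust: flag rather than pass
    max_level, categories, max_records = ROLE_POLICY[rec.role]
    findings = []
    if SENSITIVITY.get(rec.category, 99) > max_level:
        findings.append("sensitivity")   # (1) user's trust level is below the data's sensitivity
    if rec.category not in categories:
        findings.append("category")      # (2) data category does not belong to this role
    if rec.records > max_records:
        findings.append("volume")        # (3) request volume inconsistent with the role
    return findings


def audit_all(records):
    """Audit a batch and key the findings by (user, category) for a quick triage view."""
    return {(r.user, r.category): audit(r) for r in records}


# Constructed sample: a vendor doing its job, the same vendor pulling customer data, a manager over quota
SAMPLE = [
    AccessRecord("vendor-7", "hvac_vendor", "building_telemetry", 200),
    AccessRecord("vendor-7", "hvac_vendor", "customer_pii", 53_000_000),
    AccessRecord("mgr-12", "store_manager", "sales", 120_000),
]


if __name__ == "__main__":
    for key, findings in audit_all(SAMPLE).items():
        print(key, "OK" if not findings else "VIOLATES " + ",".join(findings))
```

Each check is independent, so a finding on volume alone (the store manager's oversized sales export) is a different signal from a finding on all three, which is what a vendor account touching customer PII at scale looks like; a monitoring rule can weight them accordingly instead of treating every valid login as "normal".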
I think it's pretty clear from the quote that the most plausible interpretation is that signing on using a valid account and password is "not hacking". That was his point - the initial intrusion wasn't something that could be detected as a breach. (The subsequent privilege elevation and data theft are another story, of course.)