Tag Archives: Red team

The Target Breach Story – How Did They Let This Out?

Krebs On Security has extensive reporting of an investigation by Verizon conducted starting a few days after the Target breach was announced.

Target has refused to confirm or deny the report.

One thing to consider.  We do not know how Brian (Krebs) got the report, so all we can do is speculate.

This report, in my opinion, is a wonderful tool for the banks and consumers who are suing Target.  It shows all the things that Target was not doing or was doing wrong.  This report makes it so much easier to show Target was not treating cyber security consistent with even reasonable industry practices, never mind best industry practices.

What Target should have done is have their outside counsel manage the engagement of Verizon so that this report could have been shielded by attorney-client privilege.

It is certainly possible that they did that, but then, how did the report get out to a reporter?  Part of engaging the attorneys to manage this is to control the distribution of the final work product.

Any way you look at it, in my opinion, letting this report out of their control is yet another FAIL! by Target.

While Target spokesperson Molly Snyder said that Target believes that sharing information will make everyone stronger – thereby basically validating that the report is real – it doesn’t make sense to release this kind of detail while there are so many lawsuits pending.

You can go to Brian’s web site (see link below) for the long gory details, but here is the short version:

  • Once the Verizon hacking team was inside Target’s core network, there was nothing stopping them from communicating directly with the cash registers – violating every principle of segmentation known to IT.  They should never have been able to do that.
  • Target had guessable passwords on Microsoft SQL servers and weak passwords for system accounts.
  • Target had a password policy, but it was not being followed. Verizon found clear text password files for system accounts on several servers.
  • Verizon was able to create domain administrator accounts and dump all of the password hashes.
  • Within one week, the consultants were able to crack 472,000 (86%) of the passwords.
  • Patches to systems and services were not applied consistently.
  • Verizon said that Target, which was using Tenable’s vulnerability scanning system, had a comprehensive scanning program in place but was not acting on the vulnerabilities discovered.

There is more in the report, but you get the idea.

If you are a security person, the report is a fascinating indictment of Target and a roadmap of what not to do.

If you are a CEO, the leak of a report like this falls into the worst nightmare category.

Information for this post came from KrebsOnSecurity.

TSA Fails To Detect Contraband 95% Of The Time

ABC News reported what we already knew and as Bruce Schneier aptly said – the TSA is security theatre.  All show and not much substance.  Homeland Security “Red Teams” were successful 67 out of 70 times at getting mock weapons and explosives through TSA checkpoints all over the country.

Previously, TSA “fails” had been cast as limited to a few airports such as O’Hare, but apparently, according to data leaked to ABC News, the problem is systemic.

The solution:  DHS Director Jeh Johnson “reassigned” acting TSA director Melvin Caraway to some other place inside DHS.

In my opinion, TSA was given a no-win charter.  Take more than 50,000 people, give them minimal training and low pay (salaries start at around $25,000 – less than a supermarket checker makes) and expect them to be successful.  I don’t think that is possible.

If anything comes of this, and I am not optimistic anything will, it falls squarely in Congress’ lap.  The whole concept of airline security needs to be re-thought.

One source says that the cost per gun found is $6 million.  I don’t know if that number is correct or not, but it would not surprise me.  The Blaze said the House proposed a 2015 budget for the TSA of $4.6 Billion with 45,000 full time screeners – and that is a reduction.

The simplest hack

CSO Magazine is reporting on an experiment conducted by the Ponemon Institute.  They sent researchers disguised as temporary employees, with temporary badges, into 43 offices belonging to 7 companies.  Management was aware of the plan, but the office staff was not.

The researchers went into the offices, wandered around, took pictures of computer screens, picked up documents marked confidential and put them in their briefcases.  The researchers even brought spreadsheets up on their computer screens and took pictures of the screens.  All in full view of the office staff.

The security industry calls these ops red teams.  Been there.  Done that.  I know they work.  Almost 100% of the time.

And the results ….

But out of 43 trials, the researcher was confronted by a company employee only seven times when taking pictures of the screen, only four times when it looked like they were stealing confidential documents, and only twice when wandering around looking at things on people’s desks, computer monitors, and at printers, copiers and fax machines.
And there was only one case where the strange behavior was actually reported to management.

In a little over two percent of the cases, someone spoke up.  97 percent of the time, they told no one.

The information they collected included staff directories, customer information, financial information, confidential documents and access credentials.

Open layout offices were easier to compromise than traditional offices.  Customer service, marketing and sales were the easiest targets;  legal and finance were the hardest.  IT was in the middle.

The sponsor was 3M and the mission was to see if their computer privacy screens made a difference – the answer is not much.

Things that did make a difference included clean desk policies, standardized shredding policies and mandatory training.

And, they did not need to be in the offices so long.  They spotted their first target information in the first 15 minutes.

The moral of the story is that we need to deal with the simple stuff before we deal with the impossible.  If we fail at the simplest security tasks, there is no way that we will defeat an advanced persistent threat.