Target Breach Started as an E-Mail Phishing Expedition
Minneapolis Star Tribune (MN) (02/13/14) Bjorhus, Jennifer
Data security reporter Brian Krebs says the data thieves behind the attack on Target used a malware-laden phishing e-mail to steal the passwords that employees of Fazio Mechanical Services, Target’s heating and refrigeration contractor, used to access several of the retailer’s systems. Multiple sources close to the investigation said the phishing e-mails were sent at least two months before the hackers began gathering payment card data and other information on Target’s customers. Sources said that the malware used was a password-stealing bot program called Citadel, but that this “could not be confirmed.” Krebs also reported that Fazio had been using a free version of Malwarebytes Anti-Malware as the main tool for finding malicious software on its internal system, which he noted was an inadequate measure given that it is only intended for spot use by individual users. Dick Roberts, a spokesman for Fazio Mechanical, said his company is continuing to cooperate with the investigation and cannot comment further, though he said that the company’s security measures and information technology system are in full compliance with heating, ventilation, and air conditioning (HVAC) industry practices.
Hackers Circulate Thousands of FTP Credentials, New York Times Among Those Hit
PCWorld (02/13/2014) Kirk, Jeremy
Hold Security CISO Alex Holden has revealed that hackers are circulating the credentials for more than 7,000 file transfer protocol (FTP) sites on underground forums, and appear to have compromised file transfer servers at The New York Times and other organizations. In some instances, the hackers used the credentials they obtained to access the servers and upload malicious files. In other cases, the hackers placed files on the servers that included malicious links that could be included in spam messages. These links would take recipients of the spam messages to the infected FTP server and then redirect them to Web sites advertising various scams. Holden said he did not know the name of the group responsible for the FTP attacks, but said that they might have been able to access the credentials due to malware on other computers at the impacted organizations. He added that the stolen passwords were all complex, indicating that hackers were not simply guessing default passwords. The New York Times, for its part, says it is currently taking steps to secure its network.
Govt Report: Cyberattacks Against Retailers Not Coordinated
Associated Press (02/11/14) Yost, Pete
The investigation into the recent cyberattacks against retailers has not uncovered any evidence the attacks were part of a coordinated campaign, according to a report from the National Cyber Investigative Joint Task Force, which includes members from several federal agencies. The report says the task force will be tracking information from industry partners and government agencies related to the use of a type of malware called Kaptoxa that affects payment information systems, as well as other related malware. CrowdStrike’s Steve Chabinsky says that although there was no evidence of a coordinated attack, the government is reaching out to the retail industry and encouraging it to become part of the information-sharing process. He says the report expresses the government’s concern that the intrusions, if they continue, could have an impact on the global economy.
Chip-and-PIN, or Chip-and-Choice?
Portals and Rails (02/10/14) Lott, David
A chip-and-signature approach could be a reasonable first step in the U.S. migration to EMV, writes the Atlanta Fed’s David Lott, who notes that although chip-and-PIN authentication may offer greater security for electronic transactions than chip-and-signature, it comes with its own issues. For example, Lott says few U.S. consumers know their card PINs, while the costs of a chip-and-PIN equipment upgrade to merchants would be significant. “It’s difficult to know if merchants will want to make the additional investment required to equip, program, and maintain their [point of sale] systems to support PIN transactions,” Lott says. In addition, merchants such as car rental and lodging firms would have problems with PIN-based transactions because they must run preauthorization transactions before the final amount of the transaction is determined. He says the separate authorization and settlement process delivered by the dual-message format of a signature-based transaction is better aligned with such merchants’ business needs. “With debit cards now, a signature authentication can be a backup method of acceptance,” Lott says. “But in a chip-and-PIN environment, how high will the rate of incomplete transactions be when cardholders can’t remember their PINs and they have no other method of payment?”
Snowden Stole Co-Worker’s Password to Gain Access to Secret Databanks: NSA
Homeland Security News Wire (02/14/14)
National Security Agency (NSA) Legislative Director Ethan Bauman noted in a letter to the House Judiciary Committee on Monday that Edward Snowden was able to obtain some of the documents he leaked by tricking a co-worker into providing him with his Public Key Infrastructure (PKI) certificate. The letter noted that Snowden’s co-worker, an unnamed civilian employee at NSA who has since resigned and has had his security clearance revoked, entered his password on Snowden’s computer, where it was captured. This allowed Snowden to gain access to NSANet, the computer network that connects many of the agency’s classified databases, even after his own access to the network had been cut off. Once inside NSANet, Snowden reportedly used a Web crawler loaded with his password and those of at least one of his co-workers to index the network and copy documents. Bauman noted in his letter that the co-worker whose password Snowden stole was not aware of plans to leak NSA documents. The letter also addressed the issue of whether or not anyone besides Snowden will be held responsible for the breach. Bauman said no one at NSA or the Office of the Director of National Intelligence, which oversees NSA, will be disciplined or fired.