Hoovering up the data
Feb. 8th, 2014 03:48 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
walkitouthttp://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
I've heard a variety of things about the Target breach (a lot of them broken on the above referenced blog, FWIW -- I'm not a regular reader of it so I have no opinion), but this article really has some amazing tidbits in it.
The idea is that the initial access to Target's network was via an HVAC company. Earlier remarks about the breach focused on how easy, once in, it was to get to absolutely any system within the company. So why would an HVAC company have this kind of access? Internet of things!!!
"But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”"
There's a lot to think about there, but mostly I think that (a) internet of things, for real and (b) probably need to give (more) thought to the security implications, while making sure to keep costs down and retain convenience, because if it's expensive and/or inconvenient, the customer (company) isn't going to go for it.
An update at the bottom of the post has a response from the HVAC people. My remarks aren't so much about this particular instance as that it's potentially generalizable. Altho wow, if it only costs $100 million to upgrade to chip-and-pin EMV cards, that's going to look cheap to Target now.
I've heard a variety of things about the Target breach (a lot of them broken on the above referenced blog, FWIW -- I'm not a regular reader of it so I have no opinion), but this article really has some amazing tidbits in it.
The idea is that the initial access to Target's network was via an HVAC company. Earlier remarks about the breach focused on how easy, once in, it was to get to absolutely any system within the company. So why would an HVAC company have this kind of access? Internet of things!!!
"But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”"
There's a lot to think about there, but mostly I think that (a) internet of things, for real and (b) probably need to give (more) thought to the security implications, while making sure to keep costs down and retain convenience, because if it's expensive and/or inconvenient, the customer (company) isn't going to go for it.
An update at the bottom of the post has a response from the HVAC people. My remarks aren't so much about this particular instance as that it's potentially generalizable. Altho wow, if it only costs $100 million to upgrade to chip-and-pin EMV cards, that's going to look cheap to Target now.