It's not difficult to make crimeware; I'm sure anybody here could wreak havoc on the financial system if they turned to the dark side. You start hanging around xakepy/antichat Russian hacker forums and make your own booters and other script kiddie tools. Soon you have money and can buy or vouch your way into private crime forums like infraud and gain access to the invite-only base where they dump POS intel like reverse engineering tools and manuals.
Russians can get away with this because their government doesn't care about US fraud; also, there is no extradition treaty. Sadly this kid can never travel anywhere ever again unless it's directly to Brazil or another country with no US extradition treaty, because they will get him even if it takes 5+ years from now. They will watch, waiting for him to make a mistake and update VKontakte (Russian FB) with his Turkey vacation plans.
If I'm reading this correctly, the real "hack" was stupid passwords like admin:admin, pos:pos on the POS machines. In which case, we need to hold management more accountable for such lax password policies.
From what I heard from a friend who used to work for Target IT, they had just had a massive layoff before this. More likely that someone intentionally left a back door open before they left.
I assume it's like the number of printers and CCTV cameras you can access--no one knew they were public. This doesn't appear to be the Target hack though, just some random IPs that had the default passwords on them.
>> This doesn't appear to be the Target hack though
Yeah it's not very clear to me either. Not sure if the relevant Target part is in the second IM transcript where ree4 seems to try and sell a special version of his product that CAN work with Verifones for 2000 USD?
You know, I'm actually surprised we haven't solved this particular problem yet. We have autoconfiguration protocols for stupidly complex things, like UPnP. It's a wonder nobody has created either a daemon (to run on domain controllers) or a network appliance which:
1. heuristically detects unconfigured/default-passworded L2/L3 hardware (e.g. routers) on the network;
2. generates and sets a strong password for that hardware itself;
3. proxies all further access to that hardware, keeping the password only between it and the captured devices (and hopefully delivered only over TLS, if that's possible);
4. has actually-sensible security itself (e.g. using SSH keys, HTTPS client certificates, or any other non-repudiable token type).
Effectively, it'd act as an automatic password vault and security gateway for all the devices too simple to have good security themselves.
I really like the idea, but if people aren't buying the vulnerability scanning appliances available today (that would just report the open devices), why would they start buying if one was for sale with the value-add you describe?
Because vulnerability scanning is a vitamin, not a painkiller. This type of thing addresses a specific pain--IT having to generate, keep track of, and manage access to[1] device passwords--and just happens to increase security as a side-effect.
[1] This part is important. In most companies, whenever you have a tech leave who knew a password, you've got to reset that password. You might not even know which passwords they knew, so you have to reset everything to be safe. And then the passwords other techs have memorized are invalidated. Incredibly painful.
I can think of at least one product that will do, basically, what you describe. It's insanely expensive to license and set up.
It would probably be feasible to fork the RANCID network device configuration version control application to create something that could do what you're describing out of FLOSS components, too.
The censoring of the email address looks terrible. It looks like someone has just drawn a line over each email in paint. I would not be surprised if the original email could be recovered just by putting the different "erased" copies together.
Edit: Got the above by combining emails censored in the top part of the first screenshot. You can definitely reveal the full email if you incorporate the other screenshots.
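The recovery trick described in this comment, as an added example that is not from the thread or its screenshots: each censored copy of the same line hides a different stretch, so overlaying the copies fills in the gaps. The address and the three masked copies below are constructed for the demo; `#` stands in for a pixel covered by the paint line.

```python
# Added example (not from the thread): simulate the "overlay the
# screenshots" recovery of a hand-redacted line. Each copy of the string
# has a different stretch hidden by a mask character; merging the copies
# reveals every position left visible in at least one copy.

MASK = "#"  # stands in for pixels covered by the paint line


def merge_redactions(copies):
    """Overlay several redacted copies of the same string.

    A position is recovered if any copy shows a real character there.
    If two copies show different characters at the same position they
    are not copies of one string, which is reported instead of silently
    picking a winner.
    """
    if not copies:
        return ""
    width = max(len(c) for c in copies)
    merged = []
    for i in range(width):
        seen = {c[i] for c in copies if i < len(c) and c[i] != MASK}
        if len(seen) > 1:
            raise ValueError(f"copies disagree at offset {i}: {sorted(seen)}")
        merged.append(seen.pop() if seen else MASK)
    return "".join(merged)


def recovered_fraction(copies):
    """Share of characters known after merging (1.0 = fully recovered)."""
    merged = merge_redactions(copies)
    return 1.0 if not merged else 1 - merged.count(MASK) / len(merged)


# Constructed copies of one fictional address, each censored with a bar
# over a different stretch, as happens when the same line is blacked out
# by hand in several screenshots.
SAMPLE_COPIES = [
    "sell########le.com",
    "####er@exampl#####",
    "se#############com",
]

if __name__ == "__main__":
    for c in SAMPLE_COPIES:
        print(f"{c}  ({recovered_fraction([c]):.0%} visible alone)")
    print("merged:", merge_redactions(SAMPLE_COPIES))
```

No single copy shows more than about half the characters, but the merge of all three returns the whole address. The practical fix is the usual one: redact once, by removing or overpainting the pixels in the source image before any copy is made, rather than drawing a line over each copy separately.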
Why in the world are POS systems connected to the internet on public IP addresses?
Security considerations aside, this is also more expensive and harder to implement than a private net. So someone actually sat down and made this decision deliberately.
>> why in the world are POS systems connected to the internet on public IP addresses?
Historical reasons? Target does have a /16.
They can probably fill that block many times over now, but it would make sense that their numbering scheme has historical roots and that they continue using that space for inter-store communication today. They got it in 1993, back when we were still pretending that exhausting the v4 space wasn't a thing, and before everyone started acting like the fact that a many-to-one NAT requires what is effectively a stateful firewall somehow offered a security advantage you couldn't get by just writing those firewall rules.
I was at an organization with a large v4 block once. It took a few years of having my desktop, laptop, and cellphone wifi connections all with routable v4 addresses before I stopped thinking it was weird, bad design and really came to appreciate: "oh shit, this is how the internet is supposed to be and it is so much nicer to work with."
I don't think the Target POS terminals were on the Internet. The Brian Krebs article stated that the hacker compromised an externally facing web server and used that as a bridge to get into the corporate (private) network.
Since the POS terminals were all running a variant of Windows, it might have been as simple as querying Active Directory to find out where everything was located within the Target network (at least for the Windows machines). Comments on the Krebs article also speculated that they exploited an account with a BMC systems management tool used at Target as well.
It wouldn't be a best practice to isolate the POS environments from all the other internal systems. Pricing, items, taxes, offers, coupons, etc. are all separate systems on the corporate network. They all need to communicate to the POS. It isn't realistic to air gap the POS at a business the scale of Target.
PCI rules just state the cardholder data environment (CDE) needs to be segmented from the rest of the corporate network (in addition to many other obligations). That would usually be done with VLANs and firewalls, but both are still on the same layer 2 network.
You only allow the POS system to be reachable by systems that ABSOLUTELY need to, NOT every Tom, Dick and Harry in marketing. You can do a nightly dump of finance data off this network for data warehousing, analytics and what have you.
Depends on how you define airgapping. If it's a fungible "you know what I mean," well then obviously yes. If it's an actual air gap, then no.
Practical business requirements on inventory management, sales metrics, system administration and (funnily enough) payment processing all prevent a register network from being airgapped. If you want to say their protection of those communication channels was shit, well, we already have proof it was. But airgapping? Not so much.
They had some lazy method where an admin could log in and update all the POS systems at once. Of course this was not done using SSH keys, and probably with a weak password + GUI.
A lot of POS systems are entirely online-based these days (even hip ones like Square https://squareup.com/sell-in-store). I haven't read anywhere that Target's POS were online; this was a forum where the author was demonstrating how his software worked, and Target was not part of it. There haven't been a lot of details released, but from what's known now, an online-facing server was compromised and that was used as a hopping-off point to get to the POS.
The days of phoning in with a 1200-baud modem or collecting embossed card impressions are long gone.
A typical small-shop retail arrangement is to have the POS terminals behind a NAT router which is behind another NAT router that also serves up the customer-convenience WiFi AP.
When a terminal wants to put through a charge, it simply makes an HTTPS request to the payment processor. One or two seconds later, the request comes back, declined or accepted and here's the approval code. At that point, the POS sanitizes away the credit card details and applies the credit tender. Enjoy your latte, ma'am!
To hack such a system, you need to get onto the POS LAN. E.g., maybe there's a store server on the LAN with an SSH login, which you've uncovered after breaking into the corporate above-store network. Or maybe a disgruntled employee installs malware from a USB stick.
Then you exfiltrate the captured swipes, hopefully without leaving enough tracks to get caught. E.g., the malware periodically uploads the intercepts to some FTP site to which you can get access. Or, in the case of the disgruntled employee, it could simply involve dragging the files to the USB stick.
Between the store and the payment processor, we should be safe, given we're using HTTPS. However, payment processors have themselves been hacked. E.g., Heartland†.
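An added example, not from the thread, of the check a practitioner would want against the exfiltration step just described: a register should only ever talk to a short allowlist (the payment processor over HTTPS, the store server, the local resolver), so any other flow out of the register LAN, and especially FTP or SMB to anything, is worth an alert. The subnet, the allowlist, the hosts and the flow records below are all constructed for the demo; they are not Target's network or any real one.

```python
# Added example (not from the thread): a small egress check for the
# register LAN. Subnet, allowlist and sample flows are constructed for
# the demo; the processor and FTP addresses come from the RFC 5737
# documentation ranges.
from collections import defaultdict
from ipaddress import ip_address, ip_network

POS_SUBNET = ip_network("10.20.30.0/24")  # assumed register LAN

# Assumed allowlist: (destination, port) pairs a register legitimately talks to.
ALLOWED = {
    ("203.0.113.10", 443): "payment processor over HTTPS",
    ("10.20.30.5", 22): "store server (sales data, updates)",
    ("10.20.30.1", 53): "local resolver",
}

# Services a register has no business speaking to anything on.
SUSPICIOUS_PORTS = {21: "ftp", 139: "netbios", 445: "smb"}


def parse_flow(line):
    """Parse 'timestamp src:sport dst:dport proto bytes' into a dict."""
    ts, src, dst, proto, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": sip, "sport": int(sport), "dst": dip,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def classify(flow):
    """Return None for an expected flow, otherwise a short alert reason."""
    if ip_address(flow["src"]) not in POS_SUBNET:
        return None  # only the register LAN is policed here
    if (flow["dst"], flow["dport"]) in ALLOWED:
        return None
    if flow["dport"] in SUSPICIOUS_PORTS:
        return f"{SUSPICIOUS_PORTS[flow['dport']]} from register to {flow['dst']}"
    if ip_address(flow["dst"]) in POS_SUBNET:
        return f"unlisted lateral traffic to {flow['dst']}:{flow['dport']}"
    return f"unlisted egress to {flow['dst']}:{flow['dport']}"


def detect(lines):
    """Run classify() over flow lines. Returns the alerts plus the bytes
    each register sent on flows that were not on the allowlist."""
    alerts, unexpected_bytes = [], defaultdict(int)
    for line in lines:
        flow = parse_flow(line)
        reason = classify(flow)
        if reason is not None:
            alerts.append((flow["ts"], flow["src"], reason))
            unexpected_bytes[flow["src"]] += flow["bytes"]
    return alerts, dict(unexpected_bytes)


# Constructed flow records: two normal authorizations, a legitimate
# store-server session, then a late-night SMB drop and an FTP upload of
# the kind described above. The last line is a corporate host and is ignored.
SAMPLE_FLOWS = [
    "2014-01-10T09:00:01 10.20.30.21:51000 203.0.113.10:443 tcp 1800",
    "2014-01-10T09:00:05 10.20.30.21:51001 10.20.30.5:22 tcp 600",
    "2014-01-10T09:05:00 10.20.30.22:51002 203.0.113.10:443 tcp 1750",
    "2014-01-10T23:10:00 10.20.30.21:51003 10.20.30.5:445 tcp 250000",
    "2014-01-10T23:11:00 10.20.30.22:51004 198.51.100.7:21 tcp 310000",
    "2014-01-10T23:12:00 10.50.1.9:40000 198.51.100.7:21 tcp 5000",
]

if __name__ == "__main__":
    found, volume = detect(SAMPLE_FLOWS)
    for ts, src, reason in found:
        print(ts, src, reason)
    print("bytes on unexpected flows:", volume)
```

Two points of design: the allowlist is keyed on destination and port rather than on port alone, so an HTTPS upload to a host that is not the processor is still flagged; and the byte count per register is kept alongside the alert, because a few hundred kilobytes leaving a terminal that normally exchanges two kilobytes per sale is the part that matters when triaging. This is a signal, not a control: the same allowlist belongs in the segmentation firewall so that these flows are dropped, not merely logged.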
The terminals need to send sales data, receive updates of all kinds, and be available for remote access. I do POS support and connect to stores all over the world via public IP for troubleshooting.
Why is that a surprise? It is not like it is difficult to write those kinds of things, especially a ridiculous one like that, which sent data to a Windows share in the network he was attacking.
The technical part is silly easy. The hard part is the morals and the fear of losing what you gained honestly so far. And for that, being a teenager is much easier.
So, what is really the surprise here? It is not like it was an elegant worm or anything. It was just not looked after for ages. The really interesting info in this whole story is why it was ignored for so long, and who monetized it later on (hint: I doubt it was the teenage kid).
They are trying to. Check out the "Skolkovo innovation center". Hopefully some day in the future you'll be buying smartphones and running software from my country, and people will stop asking me if my parents are alcoholics and if I want some raw potatoes.
But 'tis enough ranting, my borsch is getting cold.
Skolkovo is just another way to steal money from the taxpayers under the guise of innovation. Which they already did: $3.72 billion (125 billion rubles).
It's like asking why US sends drug dealers to jail instead of making them pharmacists.
In 99.999% cases you don't need to know assembly language to start a company. But you have to know or be able to figure out many other things which these kids have absolutely no idea about.
From what I understand, Russia has a good ecosystem going for technology startups. They excel at security, among other disciplines. Perhaps the question should involve how we all educate our young people on the matters of harming others who aren't as good at one thing as you are.
When I was 14, I used to hang around all these sketchy script kiddie forums. I learned assembly off some crappily written assembly.txt guide, with the ASCII art of the author at the top and all. Fast forward two years.
A buddy of mine from IRC links me a webpage like he usually does, most of the time it's a static HTML file buried deep into the file structure of some large corporate site. This file was different, it was the CC database for a huge site.
A few weeks later the police kicked my door down and seized most of my personal electronics, and I have yet to hear from them or see my equipment.
Do you think the feds managed to track you down from the file access? Or do you think your friend, prompted by the feds to disclose his "hacking ring", implicated you?
I ask because it's pretty easy to find carding forums on Tor, to the point that I can't imagine the police bust the door down of everyone they can identify as having glanced at a CC dump.
You should be able to retain a lawyer who would be able to send a letter/etc to get your stuff back assuming you still have the search warrant information used to seize it. Admittedly that requires the stuff seized to be worth it.
When I was 14-16, I used to host forums for different online gaming communities that attracted DDoS. A few times I managed to get myself inside of the C&C, but I was almost always already in contact with the hosting provider by that point and basically was able to get them to shut it down immediately once I had proof of what it was. I was always scared something like what you described would happen, because very frequently the attacks were larger than DDoS attacks described in world news. I guess the people attacking my servers didn't use their botnet for anything more criminal than harassment and generating ad revenue.