Target Breach

The Target Breach: Lessons Learned

As a security professional, I find that every breach provides a valuable lesson. As more information is revealed about how a breach took place, I’m always careful to take something valuable away from it. This is a really high profile breach which in many ways is unprecedented. Not only was the malware extremely sophisticated and able to infect a massive number of point-of-sale terminals undetected, but the sheer magnitude of the card data stolen is also impressive. Unfortunately, I think we are only at the beginning of a new age for digital security. Most companies now plan for “when” a breach happens, not “if”. One of the things I find interesting in Target’s situation is that they claimed they had pretty well designed and thorough security controls in place. Despite this, the breach happened, and the reasons why it happened are a great lesson to be learned. Look at the Verizon Data Breach Investigations Report for 2013 and the numbers make sense. In 2013, 24% of breaches targeted the retail industry. While the financial industry makes up the highest percentage, retail outlets are often less prepared and hold much of the same PCI-scoped card information that banks and credit unions are obligated to protect under regulations such as GLBA. In 76% of these breaches, stolen credentials played a role. Recent press has announced that the Target breach has been traced to compromised credentials belonging to one of Target’s close vendors, an HVAC company named Fazio Mechanical. In this case, the criminals targeted Target through their vendor. They attacked the HVAC company with a sophisticated phishing attack which is believed to have delivered a version of the Citadel malware (based on the ZeuS banking trojan).

1. Vendor security should be a top priority. Despite Fazio Mechanical’s statement claiming they comply with industry standards, Fazio Mechanical is believed not to have had adequate security measures in place to prevent this attack. In fact, it has been reported that they were using a free version of a popular home-use anti-malware client that did not provide real-time protection. Fazio had a direct data connection to one of Target’s outward-facing billing systems (Ariba), which is believed to have been exploited as part of the attack. These credentials were most likely Active Directory credentials, which were then used to exploit the server application’s access to the rest of the network. Companies must consider how each external or vendor-facing application could be exploited. The mindset has to be: “If someone with malicious intent obtains these credentials, what could they possibly achieve using this vendor-facing system?” Beyond that, the security of each vendor must be evaluated and verified. I wonder if Target would have re-evaluated their vendor contract if they had learned that Fazio was using a free, home-use version of malware protection running under an illegal license model. I think companies should be doing their due diligence by verifying that anyone who has access to their network and/or vendor-facing systems has adequate security in place on their own networks. Requiring compliance such as SAS-70 from your vendors proves that the vendor not only has controls, but that the controls are being used adequately. This is extremely important, especially in higher profile vendor relationships, such as VPN and extranet access.

2. Network segregation is a huge factor in securing vendors. Many times, vendor credentials have authorization that is beyond the normal bounds of a typical user, either from a network segregation point of view or even a database view. Target may have put a lot of due diligence into their VPN access vendors, but could have failed to treat their other vendor-facing applications with the same care. A set of vendor credentials should always fall under the least privilege concept. If a database consultant has VPN access to maintain a set of servers, his network authorization should only allow him to access those servers, and not the entire network. In this case, having the payment system network properly segregated from the vendor-facing system may have prevented this breach.

3. Blacklisting is not an effective form of protecting systems from targeted malware. I’ve been saying this for a while now, but the anti-virus and anti-malware industry’s current methods are becoming obsolete, especially against targeted attacks. Not only was Fazio’s network compromised easily by a common, yet advanced, trojan, but Target’s own point-of-sale systems were eventually compromised using a sophisticated form of malware which was able to scrape RAM for card data before the cards were even approved or denied. The fact of the matter is, traditional detection rates range from 40 to 60% when it comes to signature-based and anomaly-based detection methods. The only truly preventive method against targeted attacks is whitelisting. Vendors such as Bit9 and Savant come to mind. Not only could they have prevented the attack, but they could have been alerted to the attempt. Enforcing change management on system files such as DLLs and kernel-level files really is the only way to prevent this form of attack, where no signature or behavior was known in advance.

4. Context-based monitoring is key in detecting malicious behavior with known-good credentials. What Target was missing was the ability to be alerted on abnormal behavior by the vendor credentials. While a vendor logging in to a system during a normal baseline of times is no reason for concern, those same credentials being used to log into various other systems should have been a red flag. For instance, if vendor credentials were used at 3 a.m. on a system unrelated to the vendor’s role, then there should be an alert in place that flags this behavior. Modern SIEM products such as IBM’s QRadar can easily do this. Reference sets and rules can be created to alert on any of this activity based on the context of usage. I think a big part of preventing breaches like this is understanding what is going on on your network and being alerted to abnormal activity, even if it is by trusted credentials.
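As an added example (not from the original post or any SIEM product), here is the kind of context rule described above written in Python: a per-vendor baseline of authorised hosts and normal login hours, with any successful login outside that baseline raising an alert. The account names, host names and log format are all constructed assumptions for the example.

```python
import re
from datetime import datetime

# Per-account baseline: hosts the vendor account is authorised to reach and the
# hour window (start inclusive, end exclusive, same day) in which its logins are
# normally seen. Account and host names are constructed for this example; a
# real baseline would be learned from historical logs or a SIEM reference set.
BASELINES = {
    "hvac-vendor-svc": {"hosts": {"billing-portal-01"}, "hours": (7, 19)},
}

# Constructed log format (not any real product's format):
#   <ISO-8601 timestamp> LOGON user=<account> host=<host> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: one normal login, then the same vendor credential
# used at 3 a.m., then used on a system unrelated to the vendor's role.
SAMPLE_LOG = """
2013-11-15T10:12:03 LOGON user=hvac-vendor-svc host=billing-portal-01 result=ok
2013-11-15T03:04:11 LOGON user=hvac-vendor-svc host=billing-portal-01 result=ok
2013-11-15T03:06:40 LOGON user=hvac-vendor-svc host=pos-mgmt-07 result=ok
2013-11-15T11:00:00 LOGON user=jdoe host=file-srv-02 result=ok
2013-11-15T12:00:00 LOGON user=hvac-vendor-svc host=pos-mgmt-07 result=fail
""".strip().splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "user": m.group("user"),
        "host": m.group("host"),
        "result": m.group("result"),
    }


def evaluate(events, baselines):
    """Return one alert per successful vendor login that is out of context.

    Each alert is a dict holding the event and the list of reasons it fired.
    Accounts without a baseline are ignored, as are failed logins, which
    belong to a separate brute-force rule rather than this context rule.
    """
    alerts = []
    for ev in events:
        if ev is None:
            continue
        base = baselines.get(ev["user"])
        if base is None or ev["result"] != "ok":
            continue
        reasons = []
        if ev["host"] not in base["hosts"]:
            reasons.append("host outside vendor role")
        start, end = base["hours"]
        if not start <= ev["ts"].hour < end:
            reasons.append("login outside baseline hours")
        if reasons:
            alerts.append({"event": ev, "reasons": reasons})
    return alerts


def run_sample():
    """Run the rule over the constructed sample log and return the alerts."""
    return evaluate([parse_line(line) for line in SAMPLE_LOG], BASELINES)


if __name__ == "__main__":
    for alert in run_sample():
        ev = alert["event"]
        print(ev["ts"].isoformat(), ev["user"], ev["host"], "->", "; ".join(alert["reasons"]))
```

The normal daytime login to the billing portal produces nothing, while the 3 a.m. logins are flagged, the second one for both the hour and the unrelated host.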

NSA headquarters

NSA’s “Prism” and Edward Snowden

We’ve all seen the headlines or heard on the radio about the vast monitoring program that the CIA and NSA have been using to mine data on U.S. citizens as well as on people around the world. The media is, of course, sensationalizing this information, and I think some people are getting a skewed idea of what is really happening. Is this a massive conspiracy? Did Edward Snowden commit treason? Or is he a valid whistle-blower? These are all questions that bring on debate. Here is my take on the situation.

NSA

First, I want to say that when it comes to the NSA, large-scale data mining on U.S. citizens is nothing new. In fact, back in 2006 they admitted to having a massive database of Americans’ phone calls (http://yahoo.usatoday.com/news/washington/2006-05-10-nsa_x.htm) and had even set up contracts with three of the major carriers to do so. Around this same time, Wired magazine published an article about a whistle-blower who saw a “secret room” tapped into the fiber backbones at AT&T (http://www.wired.com/science/discoveries/news/2006/04/70619). The courts sealed that investigation from the public. At the time, and under scrutiny, Bush declared that these phone calls were only recorded if one end of the call was international. If you look even further back, this started in 1975, when it was revealed that the agency, along with the CIA, had been doing this for over 20 years, and without warrants. A few years later, in 1978, the Foreign Intelligence Surveillance Act (FISA) was passed to protect the privacy of U.S. citizens. This mandated a secret court of 11 individuals to handle these requests according to the law when surveillance was used on U.S. citizens.

So let’s all take a step back a little, because NSA and CIA data mining isn’t a new concept. But what has definitely evolved since then is HOW we communicate. The sheer amount of email and internet communication has almost tripled since 2006. Back then there were around 1 billion people using the internet for communication around the world. Fast forward to now and there are almost 3 billion (2.75 billion as per http://www.w3.org/). Factor in SMS messaging, video chat, voice over IP, and other forms of communication that traverse internet backbones and you have an unprecedented amount of data being passed on a daily basis. The NSA has had to evolve due to this growth, and it is evident in their building of the Utah Data Center (http://www.npr.org/2013/06/10/190160772/amid-data-controversy-nsa-builds-its-biggest-data-farm). While the actual data capacity and processing power of this data center is classified, it has been estimated to have the capability to store 100 years’ worth of worldwide communication, or around 5 zettabytes. To all you non-techies, 1 zettabyte is about the same amount of data that would fit on 250 billion DVDs.

So with this in mind, I bring some debatable points.

1. Data mining can be effective, but what about privacy? As much as we may not want to admit it, data mining can work. Even Edward Snowden admitted this in a sense, in that he thought the program can work, but that the American people should know or have a choice in the matter. In a world where the sheer amount of communication data is so massive, the only approach can be to gather as much data as possible, and then, when needed, pull the data that is suspect. The speed of internet communication is too fast to be able to make “on-the-spot” choices of where and when to initiate surveillance. I suspect that most of the time the communications they are looking for are ones they have already recorded, and they are then able to pull the data in retrospect when it is part of an investigation. This really is the ONLY approach to data mining that works. The downside to this, and the debatable point, is whether it’s right for them to keep the data on regular citizens like you and me. It’s also debatable from a personal privacy standpoint, since the secrecy of the program prevents the public from knowing the details of how, when, and by whom it can be accessed. If the data is there, but never seen or accessed unless a FISA court agrees to it, what harm is it really doing to our privacy? While I’m a Libertarian and support full liberty under the Constitution, we don’t really have enough information to judge whether this seriously infringes on the Fourth Amendment. We also have to remember that these same people approving these programs know that they themselves are being monitored. Would they have issues with this program if they felt it violated their own and their family’s privacy?

2. Terrorists conceal their communications. It’s debatable whether most terrorists are susceptible to this eavesdropping. I would take a guess and say that most terrorist organizations use encryption and methods of communication that are less susceptible to interception, while ordinary citizens who have nothing to hide make up most of what is mined. I really doubt the Taliban would discuss their operations over Gmail. With that said, we also really don’t know the capabilities of the NSA. The computing power and technology that they have is said to be way ahead of the times, so tasks like breaking large certificate keys and encryption could be easier for them than we know. We really don’t know their methods, but if I had to take a guess, I think that for them to invest a massive amount of funds into intercepting world communication, they can probably use what they find, despite encryption and other methods of concealment.

3. What about false positives? This is a debate that has been going on for some time. The classic example is someone getting added to the “no-fly list” or having their assets frozen by DHS because they used a particular set of words during a harmless exchange over the internet. At another site, I saw an example in a comment by another user where he mentioned a 70-year-old man sending an email to his granddaughter about her birthday party while using a few combinations of words, out of context, that may have fallen into the NSA’s “filter”. If the government wants to mine all of our data, then I do agree that their methods need to be accurate. The NSA has not revealed any false positive percentages, and the way Prism works is classified, so in a sense we are trusting them to get it right. No system can be perfect, and privacy advocates claim that this could lead to false charges, associations, ties, or accusations.

4. Who owns your data? You? Your ISP? Google? These lines tend to be fuzzy these days. Technically, many people and organizations probably own your data, especially if you use services that are “in the cloud”. Every time you use a service you accept a “terms of service” agreement which usually has some really broad wording in it. Whether it’s for marketing, demographics, or other reasons, you can be sure that many companies are using your data if they have it. They could also technically “own” it unless they have explicitly agreed to privacy terms that state otherwise. A rough analogy is someone taking a video of people walking around on a public street. They record the faces of everyone walking by, but they still own the video and can do with it what they choose. Could the same be said for the NSA tapping fiber optics? In a sense, they would not even be looking at the “video” unless it’s needed and approved by the FISA court (according to them, at least). As for the tech giants, they claim they have no knowledge of or agreement with the NSA and don’t even know what Prism is (http://www.guardian.co.uk/world/2013/jun/07/prism-tech-giants-shock-nsa-data-mining). From The Guardian:

An Apple spokesman said: “We have never heard of PRISM. We do not provide any government agency with direct access to our servers and any agency requesting customer data must get a court order,” he said.

To me, the question of whether the tech giants are involved is kind of a moot point, since it appears that the way the NSA is receiving this data is beyond any agreement or understanding of the companies who house it. It is most likely captured in transit or using other classified methods. It could also be said that if there were a secret partnership between the NSA and these companies, then a gag order or other NDA would have to be in place.

5. Is Edward Snowden a criminal? I really think the courts should decide this. While he violated terms of employment and agreements of confidentiality, and possibly risked national security, I think it’s debatable and should be proven how he in fact endangered national security. I think he certainly has the potential to cause a national security issue, but from what has been revealed so far, it seems as if he has mainly just revealed that the system has potential for abuse, and is so vast that he felt the American public should know about it. Did he reveal something that we didn’t want terrorists to know, or is it more of something that we didn’t want the American public to know? These two reasons are different, but both could lead to problems with the program’s effectiveness. I don’t really feel like he should be classified the same as Bradley Manning, since he was very selective with what he revealed. This one should be left up to a jury.

Shining Rock Photo 1

Shining Rock Wilderness Trip

I really wanted to experience as much of the Shining Rock Wilderness area as I could over the weekend. I determined a route based on a couple of other people’s blogs and experiences that I had read. The plan was to start at the Graveyard Fields Overlook on the Blue Ridge Parkway and take the Graveyard Fields connector to Graveyard Ridge trail. Then follow Graveyard Ridge all the way to Ivestor Gap. Once at the gap, we would get onto the Art Loeb and head north to Shining Rock. On the way back, we would take Art Loeb back through Ivestor Gap and over Tennent Mountain and Black Balsam Knob, then junction with fire road 816 and hop onto the MST and then back onto Graveyard Ridge to return to the trail head. The Graveyard Fields Overlook is about a 25 mile drive southeast on the Blue Ridge Parkway from I-26.

Shining Rock Wilderness GPS Route

The overlook was pretty busy despite the overcast weather. We were all a little surprised at how cool it was when we stepped out of the car, so we put on our jackets, set up our gear and got ready to hike. We entered the Graveyard Fields Loop trail to the right of the overlook and descended on the paved path to the waters of Yellowstone Prong. Here they had a nice wooden bridge, and most of the road-going tourists would come down here and look at the river. I had a quick chat with a couple of older guys down there who asked where we were going and said we were in for a great hike. The crew was Daniel, Justin, Maya, and Luke, and I was pumped and the dogs were raring to go.

After we crossed the wooden bridge, we hung a left and followed the river on the Graveyard Fields Loop. The trail was pretty muddy and old fences lined the sides in some areas. We found the junction where we had to take Graveyard Field Connector up to Graveyard Ridge. In this area there are some boardwalk-like wooden bridges that cover some wet grass fields. All the rain had left this area in a mild swamp condition, so I was glad they were there. About this time it started to rain lightly and we threw on our rain jackets. Tromping through this area felt a little like one of those Japanese cherry blossom gardens. There were similar looking trees, but with white blooms, just poking out of the swampy grass everywhere. This area can become really confusing at times about which direction to take, and we relied heavily on GPS. It seemed like every hundred yards there was a 4-way intersection of unmarked trails. At this point I realized that the altitude was already making a difference in my breathing, but after about 30 minutes or so it passed, and I felt great.

We got onto Graveyard Ridge and trudged along. Graveyard Ridge was really wet. Most of the time we were walking through mini streams or mud. Daniel didn’t have Gore-Tex boots and soon enough his feet were soaked, but he was listening to some Grateful Dead tracks and I don’t think he cared too much. Mine were Gore-Tex but still managed to get a little damp.

Graveyard Ridge in Shining Rock Wilderness

We reached the 4-way intersection where Graveyard Ridge crosses the Mountains-to-Sea trail and continued north on Graveyard Ridge, headed for Ivestor Gap. We crossed over the Dark Prong, which is an excellent water source, though none of us needed water at this point. Following the ridge further proved to be even wetter. Of course, Maya is a water baby and laid down in any and every puddle of water that was available. There were some great views to the east overlooking the Graveyard Ridge mountains here as we climbed up in elevation. At one point to the east we heard and saw the top end of a rushing river down below us, which I believe was the headwaters of Greasy Cove Prong. The trail went up and down a little and then turned out and back in up toward Ivestor Gap. We continued up to Ivestor Gap and saw a group of day-hikers playing frisbee on the gap bald. We stopped and chatted for a minute and took in the views. This place really gives you a sense of expansiveness. It’s a feeling of being very open. At this point we were truly entering the Shining Rock Wilderness boundary, and so we headed up on the Art Loeb trail, or at least what we thought was the Art Loeb.


Maya in Shining Rock Wilderness

We started out climbing up Grassy Cove Top on what we thought was the Art Loeb trail. We had climbed probably 100 feet up when it started getting very rough and strenuous, to the point where I just kept thinking, “this can’t be right”. I pulled out the GPS, and sure enough we were way off the trail. Apparently we had followed an erosion path. It was either hike back down and around to get on the Art Loeb, or continue up to the bald, which was around 6050 feet elevation. After looking at the topography we saw that we could get onto the Art Loeb on the other side within 50 feet of elevation, so we just kept going up. We made it up top and marveled at the view. Big views to the east and west. Tall grasses and alpine brush covered the bald and there were a couple of really cool little campsites right on top. Not a good place to stay, though, with the clouds looking the way they did above us. I remembered from a guy’s blog that there was a point where you could go up and left from the Art Loeb to ascend this bald, so we basically went down that path and merged directly with the Art Loeb and continued north toward Flower Gap. This area of the trail was pretty easy and level, but narrow at times. Flower Gap was our first really cool moment to just chill and take in some views. The gap between Flower Knob and Grassy Cove Top is a lush green grassy area between the two mountains with nice views to the east and west. The dogs bolted off and were just running around enjoying the openness, especially Luke. I don’t think I have ever seen him that happy.

Flower Gap in Shining Rock Wilderness

After a quick rest, we continued up Flower Knob and headed toward Shining Rock Gap, where we planned to find a campsite. We finally hit the treeline and realized we were getting close. The forest here was really beautiful. The trees were mostly all big evergreens, and they left the forest floor completely shaded and soft with dirt and almost no grasses or shrubbery underneath them. Lots of campsites were around this area, but we decided on one on the eastern ledge that was pretty secluded and well covered.

The sun had just come out and we saw blue sky! The temperature was around 70 with a light caressing breeze. Everything was looking up! We set up our tents, and if you are Justin, a hammock. Shortly after, we cooked up some grub, the dogs ate some dog food and all was well. As we finished eating, I looked over to the west and, between the trees, the sky didn’t look so good. Dark grey had moved in quickly. Around this time it started drizzling, so we moved some stuff into the tents and whatnot. Within about a minute the sky opened up into a heavy, windy rain. We all got in our tents and figured we would wait it out. I tried getting the dogs into one of the vestibules of my tent, but they wanted to stay out in the rain for some reason. The temperature dropped really quickly by about 20 degrees and the rain felt ice cold. The dogs were still out there, and I finally convinced Maya to come under the vestibule. She was soaked and cold and curled up to stay warm. Luke was right behind her. They ended up curling up together under the vestibule to form a sort of yin yang shape. I’m glad they had each other at that moment, because I think both of them were freaked out and really cold. I surprisingly had 1 bar of service on my phone and was able to pull up the Doppler radar. Yeah, we were in for a little rain, but not too much. It rained for about 2 and a half hours. We just tried to nap while it passed. Around 8:30 it let up, but it was much colder. We walked down in partial darkness to a natural spring near Shining Creek’s north prong to fill up on some water. All the wood was soaked, but Justin had the good idea to brew up some tea. I chose a chamomile and lotus flower tea, hoping it would help me sleep. I dried off the dogs the best I could (luckily Daniel had brought a towel that I told him he didn’t need) and laid down my emergency blanket in my tent. I got the dogs to come in the tent with me and lie on the foil blanket, and they kind of curled up together and dozed off. It was around 10 p.m. when we all went to sleep.

Dogs in the tent in Shining Rock Wilderness

The night proved to be much colder than we thought. It was at least in the lower 30s at our camp site. I had brought a lightweight 40 degree bag, so I wasn’t cold, but I wasn’t warm either. It was kind of a “barely warm enough” feeling the entire night. I woke up multiple times during the night due to wind gusts. The dogs were really cold and I tried to wrap them up in the emergency blanket. They were totally okay with me completely covering them (even their heads) in this foil, so I knew they had to be cold, but I think this kept them pretty warm, because they were snoring away.

We woke up in the morning to a bright blue sky with not a single cloud in it. We ate a quick bite, tried to warm up a little despite the cold, packed up our gear and headed back down towards the Art Loeb. This was the day we wanted! The scenic day. Today we would follow the Art Loeb all the way south across the top of the balds.

We backtracked all the way to Ivestor Gap, but this time stayed on the Art Loeb headed south. The climbs here were steady, but not extreme, and we trudged along through a pine forest, and then up and around a ridge to Tennent Mountain. Tennent was beautiful, with full circle views of the surrounding wilderness for miles. There was a group of day hikers from the south on Tennent that had about 4 dogs with them. They were all friendly, and Maya and Luke were running around with them over the bald. We chatted for a few minutes and then headed back down into a small gap before ascending Black Balsam Knob.

The ascent up Black Balsam was steady and long. I had heard that this is a popular spot for day hikers because there is a parking area not too far from the bald on the other side. This proved to be true, and we passed at least 20 people, some in larger groups, on our way up. When we finally reached the top at 6240 feet, it was the climax of the trip. The view was breathtaking. The grassy bald was about the length of a football field both ways, with a 360-degree view for at least 70 miles in every direction. It is really impossible to capture this experience with a camera. You would just have to be there. You really felt like you were on top of the world. We relaxed here in the sun for a while. I laid down in the grass with my pack and just enjoyed the view.

Black Balsam Knob in Shining Rock Wilderness

Our heated bodies started slowly cooling off and we realized it was actually pretty cold up there. We decided it was time to start back toward the trail head. We descended Black Balsam on the south side to enter the treeline and came out onto fire road 816, AKA Black Balsam Road. We turned left down the road about 100 yards and then found the entrance to the Mountains-to-Sea trail under the forest canopy. It was marked by a footbridge. This was a pretty well made narrow trail with lots of bridges and wood ledges. We reached the headwaters of Yellowstone Prong and I got a much needed drink from the water here. The water from here tasted great, and almost all of the sources were probably clean enough to drink even without a filter because they came straight out of the ground. Despite this, I still used my LifeStraw in my Nalgene. The trail started climbing up the ridge line again, which sucked! At this point, I had had enough climbing for one day, and wasn’t expecting more of it on this trail. It proved to be fairly short, though, and once we got to the overlook, it descended sharply for about a mile down to the 4-way intersection where we turned back onto the Graveyard Field trail and trudged back to the trail head. What a hike! It was time for a cold IPA and a massive steak, which turned out to be from The Admiral in West Asheville. A perfect way to cap the weekend before heading home.