Guest Posted January 18, 2014 Share Posted January 18, 2014 Cybercriminals have stolen payment card data from six more U.S. retailers using similar point-of-sale malware that compromised Target, a computer crime intelligence company said Friday. View the full article Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted January 18, 2014 Share Posted January 18, 2014 Cybercriminals have stolen payment card data from six more U.S. retailers using similar point-of-sale malware that compromised Target, a computer crime intelligence company said Friday. The conclusion comes from a study of members-only forums where cybercriminals buy and sell data and malicious software tools, said Dan Clements, president of IntelCrawler, which conducted the analysis. The retailers have not been publicly named, but IntelCrawler is providing technical information related to the breaches to law enforcement, Clements said in a telephone interview Friday. Quote Link to comment Share on other sites More sharing options...
ross549 Posted January 18, 2014 Share Posted January 18, 2014 Oh, bother. Quote Link to comment Share on other sites More sharing options...
Corrine Posted January 18, 2014 Share Posted January 18, 2014 Regarding Target, I got this from a private source commenting on Brian Krebs article (A First Look at the Target Intrusion, Malware — Krebs on Security): PCI compliance objectives include the fact that cardholder data present environments (CDP) like those POS terminals should NOT have been on the same network as the webserver where the malware was originally dropped for command and control. Those POS terminals SHOULD have been physically separated by VLAN switching and prevented from talking to a webserver that is Internet facing. A 17 year-old! IntelCrawler - Multi-tier Intelligence Aggregator - IntelCrawler: �17-years-old teenager is the author of BlackPOS malware (Target)� Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted January 18, 2014 Share Posted January 18, 2014 Yes... there has been a saying for a very long time now. First said by someone at SANS.org on their list. "What part of critical systems should not be on the Internet do you not get?" Actually I think that might be a paraphrase ... Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted January 19, 2014 Share Posted January 19, 2014 What good is that article without a list of the other retailers? Quote Link to comment Share on other sites More sharing options...
ross549 Posted January 19, 2014 Share Posted January 19, 2014 Good point, but does it really matter? Target is offering a year of identity theft protection as a result of the breach, so that's a plus. Adam Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted January 19, 2014 Share Posted January 19, 2014 Yeah... a PLU$ for Experian, the company they got to offer the service. Quote Link to comment Share on other sites More sharing options...
ross549 Posted January 19, 2014 Share Posted January 19, 2014 Offering the credit monitoring was the right thing to do though, and Target gets to pay for it. They will treat their point of sale systems a bit more securely now, won't they? Adam Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted January 19, 2014 Share Posted January 19, 2014 They will treat their point of sale systems a bit more securely now, won't they? Adam Maybe. Quote Link to comment Share on other sites More sharing options...
crp Posted January 20, 2014 Share Posted January 20, 2014 Maybe. If they don't compile the POS software for each POS themselves, maybe not. Quote Link to comment Share on other sites More sharing options...
siljaline Posted January 20, 2014 Share Posted January 20, 2014 A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country.Target and Neiman Marcus last week? Nope. This oh-so-familiar attack occurred in 2005. [...] Target Got Hacked Hard in 2005. Here’s Why They Let It Happen Again Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted January 20, 2014 Share Posted January 20, 2014 I remember that attack siljaline! The latest string of hacks attacking Target, Neiman Marcus, and others raise an obvious question: How is it that nearly a decade after the Gonzalez gang pulled off its heists, little has changed in the protection of bank card data? Target got off easy in the first breach: A spokeswoman told Reuters an “extremely limited” number of payment card numbers were stolen from the company by Gonzalez and his gang. The other companies weren’t as lucky: TJX, Hannaford Brothers grocery chain, the Dave & Busters restaurant chain, Office Max, 7-Eleven, BJ’s Wholesale Club, Barnes & Noble, JC Penney, and, most severely, Heartland Payment Systems, were hit hard. This time around, if past is prelude, Target will be forced to pay out millions in fines to the card companies if it’s found that the retailer failed to properly secure its network. It also will have to pay reparation to any banks that had to issue new cards to customers. In addition, class-action lawsuits are already being filed against Target by customers, and lawmakers are lining up to make an example of the retailer. Target should not have gotten off easy back in 2005! All companies should be held to a higher standard with our money and/or credit! We would not be going through this now if ALL RETAILERS were held to the same standard they used for the others (noted in bold above). Personally I think even those were not held to standards that should have been used when they are responsible for other people's money! Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted January 20, 2014 Share Posted January 20, 2014 They let this continue to happen simply because pro-active security costs money. That's profit right off the bottom line. These greedy corporations are willing to gamble that they won't get hit in order to bleed as much $$$ as they can from their customers. Once they do get breached, they're all apologetic and regretful, but you can bet your arse that someone somewhere in that organization made the conscious decision to disregard security in favor of higher profits. It should be made a criminal offense when companies are found to be negligent in their security measures that result in breaches such as this one at Target occur. Quote Link to comment Share on other sites More sharing options...
crp Posted January 20, 2014 Share Posted January 20, 2014 They let this continue to happen simply because pro-active security costs money. That's profit right off the bottom line. These greedy corporations are willing to gamble that they won't get hit in order to bleed as much $$$ as they can from their customers. Once they do get breached, they're all apologetic and regretful, but you can bet your arse that someone somewhere in that organization made the conscious decision to disregard security in favor of higher profits. It should be made a criminal offense when companies are found to be negligent in their security measures that result in breaches such as this one at Target occur. How would pro-active security have helped in this case? how is target bleeding money from their customers by using a computerized POS system? That they didn't compile the POS for each machine was due to the POS software being certified. For all we know, the NSA could have intercepted the machines and placed the trojan software on it. I'm actually impressed that someone there caught on so quickly that something was amiss.If I was in charge, would I have compiled from code to each machine? yepp, but i'm just about paranoid about this sort of thing having had a server egg-dropped a few years back. The machines were certified, I really can not fault Target for trusting the certificate. Does anyone here have an idea or datum on what happened to Neiman-Marcus or the other 5? I remember that attack siljaline! Target should not have gotten off easy back in 2005! All companies should be held to a higher standard with our money and/or credit! We would not be going through this now if ALL RETAILERS were held to the same standard they used for the others (noted in bold above). Personally I think even those were not held to standards that should have been used when they are responsible for other people's money! btw: they were PCI compliant Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted January 21, 2014 Share Posted January 21, 2014 In this day and age, these companies are just going to have to bite the bullet and do what needs to be done. Or they can shut their websites down and go back to this technology... Or maybe even this... Although, this latter option is a bit iffy these days. Quote Link to comment Share on other sites More sharing options...
ross549 Posted January 21, 2014 Share Posted January 21, 2014 Your first option there is certainly far less secure than a computerized POS system. Adam Quote Link to comment Share on other sites More sharing options...
Corrine Posted January 21, 2014 Share Posted January 21, 2014 Speculation is that data sets are being sold by region. 2 nabbed at Texas border in Target credit card fraud case McAllen police began working with the U.S. Secret Service after a number of area retailers were hit with fraudulent purchases on Jan. 12. The Secret Service confirmed that the fraudulent accounts traced back to the original Target data breach from late last year. Investigators fanned out to McAllen-area merchants and reviewed "miles of video" looking for the fraudsters, Rodriguez said. From that, they were able to identify two people and a car with Mexican license plates. With the help of U.S. Immigration and Customs Enforcement, investigators confirmed the identities of their suspects from immigration records of when they had entered Texas in the same vehicle. Police prepared arrest warrants last week and waited for them to return. On Sunday morning, federal officials alerted police that their two suspects were at the Anzalduas International Bridge trying to re-enter the U.S. They were carrying 96 fraudulent cards, Rodriguez said. Investigators believe the two were involved in both the acquisition of the fraudulent account data and the production of the cards, but only part of what must have been a much broader conspiracy. Rodriguez said investigators suspect Garcia and Guardiola were singling out Sundays for their shopping sprees hoping that the banks would not be as quick to detect the fraud. Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted January 21, 2014 Share Posted January 21, 2014 Your first option there is certainly far less secure than a computerized POS system. Adam Yeah, but having all those cool tissue receipts was pretty neato. I still remember the little half-size ones for the gas credit cards. My dad used to give me stacks of the old ones to play with when I was a kid. I think that's when I developed my love of credit cards. Quote Link to comment Share on other sites More sharing options...
crp Posted January 21, 2014 Share Posted January 21, 2014 it could be worse . 1 Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted January 21, 2014 Share Posted January 21, 2014 Man! I really need to become a black hat hacker and make some $$$$! Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted January 21, 2014 Share Posted January 21, 2014 PCI Compliant is no panacea. They are not holding any of them to standards that should be used when they need to be trusted with other people's money! Glad to see some are getting caught but it shouldn't have happened in the first place. And so many are using Windows XP POS Dell computers! What about those come April 8, 2014? This crap unfortunately happens around the world. It's a travesty that people must trust their money to companies that are obviously not worthy of their trust. Quote Link to comment Share on other sites More sharing options...
ross549 Posted January 22, 2014 Share Posted January 22, 2014 "They" are certainly having a bad day, it seems. Adam Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted January 25, 2014 Share Posted January 25, 2014 Hey good news for the Windows XP Professional Embedded POS systems: Windows XP Embedded (Toolkit and Runtime), all versions General Availability: January 30, 2002 Product EOL: January 30, 2017 Windows XP Professional for Embedded Systems General Availability: December 31, 2001 Product EOL: December 31, 2016 NOTE: EOL: End of Life - apparently for these types of programs, they call it "Product Distribution End Date" Many are still using the Windows XP ones. I have seem so many in use currently in retail outlets. But they also have newer Embedded based on Windows 7 and Windows 8 as well. See full article here. (Have to go down about halfway down the page...way past the first screen/above the fold view on the page) Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted January 26, 2014 Share Posted January 26, 2014 (edited) A few security lessons from the Target breach (on Fran's Computer Services Blog) I picked up on Susan Bradley's excellent article in the recent edition of WindowsSecrets article first, then Wired Threat Level's recent and very excellent article on the Target got hacked in 2005 and don't think oh, I know about this already, it is about much more and finally the new Michael's breach that Brian Kreb talked about on his blog, and more, plus some of my own thoughts of course. Edited January 26, 2014 by LilBambi Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.