
Checking In From Home Leaves Entry for Hackers

NY Times

Bits - Business, Innovation, Technology, Society


The Homeland Security Department, in a new report, warns that hackers are scanning corporate systems for remote access software — made by companies like Apple, Google and Microsoft — that allows outside contractors and employees to tap into computer networks over an Internet connection.

When the hackers find such software, they run automated tools that try login credentials at high speed until one works. Once a valid credential is in hand, the resulting session looks like any other remote login, which makes it a hard-to-detect entry point into the network.

It is also a reminder that a typical network is more a sprawl of loosely connected computers than a walled fortress, providing plenty of vulnerabilities — and easily duped humans — for determined hackers.

“As we start to make more secure software and systems, the weakest link in the information chain is the human that sits on the end — the weak password they type in, the click on the email from the contact they trust,” said Vincent Berk of FlowTraq, a network security firm.

While the report does not identify the victims of these attacks, citing a policy of not commenting on current investigations, two people with knowledge of these investigations say that more than a dozen retailers have been hit. They include Target, P. F. Chang’s, Neiman Marcus, Michaels, Sally Beauty Supply, and as recently as this month, Goodwill Industries International, the nonprofit agency that operates thrift stores around the country.

Once inside the network, the hackers deploy malicious software called Backoff that is devised to steal payment card data off the memory of in-store cash register systems, the report says. After that information is captured, the hackers send it back to their computers and eventually sell it on the black market, where a single credit card number can go for $100.

In each case, criminals used computer connections that would normally be trusted to gain their initial foothold. In the Target breach, for example, hackers zeroed in on the remote access granted through the retailer’s computerized heating and cooling software, the two people with knowledge of the inquiry said.


In an interview, Brad Maiorino, recently hired as Target’s chief information security officer, said a top priority was what he called “attack surface reduction.”

“You don’t need military-grade defense capabilities to figure out that you have too many connections,” Mr. Maiorino said. “You have to simplify and consolidate those as much as possible.”

Low detection rates meant that “fully updated antivirus engines on fully patched computers could not identify the malware as malicious,” the report concluded.

Backoff and its variants all perform four functions. First, they scrape the memory of in-store payment systems for the magnetic-stripe “track” data of credit and debit cards, which includes the account number and expiration date and, on track 1, the cardholder name. The PIN is not stored on the stripe; that is what the keystroke logger described next is for.

The malware logs keystrokes, as when a customer manually enters her PIN, and communicates back to the attackers’ computers so they can remove payment data, update the malware or delete it to escape detection.

The hackers also install a so-called backdoor into in-store payment machines, ensuring a foothold even if the machines crash or are reset. And they continue to tweak the malware to add functions and make it less detectable to security researchers.

Security experts say antivirus software alone will not prevent these attacks. They recommend companies take what is called a “defense in depth” approach, layering different technologies and empowering security professionals to monitor systems for unusual behavior.

Among the report’s recommendations: companies should limit the number of people with access to their systems, require long, complex passwords that cannot be easily cracked, and lock accounts after repeated failed login attempts.
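The credential guessing described earlier and the lockout recommendation here are two sides of the same control, so a single added example covers both. It is not code from the report or from any of the retailers named: it reads constructed authentication events from a remote-access service and applies three checks, the report's per-account lockout threshold, a success that follows a burst of failures from the same source (the guess landed), and one source failing against many accounts (password spraying, which a per-account lockout never trips). The log format, field names and addresses are assumptions for the example.

```python
"""Added example: brute-force detection over remote-access authentication logs.

Not code from the DHS report. Log format, thresholds and addresses are assumed
for the example; the sample events are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one constructed auth event; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"}


def analyze(lines, threshold=5, window_seconds=300, spray_users=4):
    """Return lockouts, guessed (src, user) pairs and spraying sources.

    lockouts: accounts with >= threshold failures inside the window (the report's
              lockout rule, applied per account regardless of source)
    guessed:  a success from a source that had >= 3 recent failures on that account
    spraying: sources that failed against >= spray_users distinct accounts
    """
    user_fails = defaultdict(deque)   # user -> failure timestamps
    pair_fails = defaultdict(deque)   # (src, user) -> failure timestamps
    src_fails = defaultdict(deque)    # src -> (timestamp, user) of failures
    lockouts, guessed, spraying = set(), [], set()

    def trim(q, now, key=lambda x: x):
        # Drop entries older than the sliding window.
        while q and (now - key(q[0])).total_seconds() > window_seconds:
            q.popleft()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        now, src, user = ev["ts"], ev["src"], ev["user"]
        uq, pq, sq = user_fails[user], pair_fails[(src, user)], src_fails[src]
        trim(uq, now)
        trim(pq, now)
        trim(sq, now, key=lambda x: x[0])
        if ev["ok"]:
            if len(pq) >= 3:
                guessed.append((src, user))
            continue
        uq.append(now)
        pq.append(now)
        sq.append((now, user))
        if len(uq) >= threshold:
            lockouts.add(user)
        if len({u for _, u in sq}) >= spray_users:
            spraying.add(src)
    return {"lockouts": lockouts, "guessed": guessed, "spraying": spraying}


# Constructed events: a vendor account guessed on the sixth try, a legitimate
# typo, and one source walking through several accounts once each.
SAMPLE_LOG = [
    "2014-08-22T03:14:01Z auth src=203.0.113.45 user=vendor01 result=FAIL",
    "2014-08-22T03:14:02Z auth src=203.0.113.45 user=vendor01 result=FAIL",
    "2014-08-22T03:14:03Z auth src=203.0.113.45 user=vendor01 result=FAIL",
    "2014-08-22T03:14:04Z auth src=203.0.113.45 user=vendor01 result=FAIL",
    "2014-08-22T03:14:05Z auth src=203.0.113.45 user=vendor01 result=FAIL",
    "2014-08-22T03:14:06Z auth src=203.0.113.45 user=vendor01 result=OK",
    "2014-08-22T03:20:10Z auth src=198.51.100.7 user=jsmith result=FAIL",
    "2014-08-22T03:20:25Z auth src=198.51.100.7 user=jsmith result=OK",
    "2014-08-22T04:00:00Z auth src=203.0.113.80 user=admin result=FAIL",
    "2014-08-22T04:00:01Z auth src=203.0.113.80 user=hvac result=FAIL",
    "2014-08-22T04:00:02Z auth src=203.0.113.80 user=backup result=FAIL",
    "2014-08-22T04:00:03Z auth src=203.0.113.80 user=support result=FAIL",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Two caveats a practitioner would add. A lockout threshold is also a denial-of-service lever: anyone who knows an account name can lock it, so throttle by source and require a second factor rather than relying on lockout alone. And the spraying check exists because an attacker who keeps each account under the threshold never triggers the lockout, which is why the report's advice to log and review everything matters as much as the lockout itself.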

The report also suggests segregating crucial systems like in-store payment systems from the corporate network and making “two-factor authentication,” a process by which employees must enter a second, one-time password in addition to their usual credentials, the status quo.

The report also recommends encrypting customers’ payment data from the moment their cards are swiped at the store, logging all network activity and deploying security systems that can alert staff to unusual behavior, like a server communicating with a strange computer in Russia.
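Segmentation and logging pay off together: once the registers sit on their own segment with a short list of legitimate destinations, "a server communicating with a strange computer" becomes a rule rather than a judgement call. The following is an added example, not code from the report or from Target, that reads constructed flow records and applies two checks: any flow from the register segment to a destination outside the allow-list is unexpected, and among those, connections to one destination at near-constant intervals look like malware check-ins. The subnets, addresses and record format are assumptions for the example.

```python
"""Added example: flag a payment-segment host talking to somewhere it should not.

Not code from the DHS report or from Target. Subnets, addresses and the flow
record format are assumed for the example; the flows below are constructed."""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

POS_NET = ipaddress.ip_network("10.20.5.0/24")            # assumed register segment
ALLOWED_DST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",      # internal networks
    "192.0.2.0/24",    # assumed payment-processor range
)]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_flow(line):
    """Parse one constructed flow record; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "bytes": int(m["bytes"]),
    }


def unexpected_egress(lines):
    """Flows sourced in the POS segment whose destination is not on the allow-list."""
    flagged = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f["src"] not in POS_NET:
            continue
        if not any(f["dst"] in net for net in ALLOWED_DST):
            flagged.append(f)
    return flagged


def beacons(flows, min_count=4, max_jitter=0.1):
    """Among `flows`, find (src, dst, dport) triples contacted at near-regular intervals."""
    times = defaultdict(list)
    for f in flows:
        times[(str(f["src"]), str(f["dst"]), f["dport"])].append(f["ts"])
    found = []
    for (src, dst, dport), ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        # Low relative spread between check-ins is the signature of a timer, not a person.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append({"src": src, "dst": dst, "dport": dport, "period_s": mean})
    return found


# Constructed flows: normal register traffic, a ten-minute check-in to an
# unknown external host, a one-off external fetch, and a corporate host that
# is outside the rule because it is not in the register segment.
SAMPLE_FLOWS = [
    "2014-08-22T03:00:00Z src=10.20.5.11 dst=10.20.1.5 dport=443 bytes=900",
    "2014-08-22T03:00:05Z src=10.20.5.11 dst=192.0.2.10 dport=443 bytes=1400",
    "2014-08-22T03:00:30Z src=10.20.5.11 dst=203.0.113.200 dport=443 bytes=512",
    "2014-08-22T03:10:30Z src=10.20.5.11 dst=203.0.113.200 dport=443 bytes=498",
    "2014-08-22T03:20:30Z src=10.20.5.11 dst=203.0.113.200 dport=443 bytes=530",
    "2014-08-22T03:30:30Z src=10.20.5.11 dst=203.0.113.200 dport=443 bytes=505",
    "2014-08-22T03:12:00Z src=10.20.5.12 dst=198.51.100.9 dport=80 bytes=2048",
    "2014-08-22T03:15:00Z src=10.30.1.4 dst=203.0.113.200 dport=443 bytes=700",
]

if __name__ == "__main__":
    flagged = unexpected_egress(SAMPLE_FLOWS)
    for f in flagged:
        print("unexpected:", f["src"], "->", f["dst"], f["dport"])
    for b in beacons(flagged):
        print("beacon:", b)
```

The first check is only as good as the allow-list, which is the practical reason the report pairs alerting with segmentation: a register segment that may reach only the store server and the processor has an allow-list short enough to maintain. The beacon check catches the periodic check-in that the report says the malware uses to hand off data and receive updates, and it does so without knowing the destination in advance.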

At Target, Mr. Maiorino said he planned to build a security program as tough as what was expected from military contractors.

“All of the same tools and techniques that nation states are using for attacks have been commoditized and are available for sale in the black market,” Mr. Maiorino said. “And for the right amount of money you can go out and create a cybercrime ring at a relatively low cost.”

Brad Maiorino joined Target after working at General Motors, where he was the company’s chief information security and information technology risk officer. Credit: Business Wire

Brad Maiorino sounds like a man unfazed by military hackers in Shanghai or cybercriminals in Eastern Europe.

Two months ago, he left his post at General Motors to become Target’s first chief information security officer, or CISO, as the retailer was still reeling from a massive security breach that cost hundreds of millions of dollars.

Some might say he has one of the hardest jobs in corporate America. In an interview, he explains why he doesn’t see it that way. The following interview has been edited for brevity.


Brad, nice to meet you. Thanks for doing the interview, and I suppose, welcome to one big challenge.


I read your recent article about CISOs having terrible jobs and I actually come at it from the other end. I love it! Maybe I’m a glutton for punishment, but this is every kid’s dream job. I’m a geek, and this is an opportunity to play with the latest and greatest toys. There’s a cops and robbers aspect to it. Right now, we have an opportunity to define what a CISO is, who we should report to, and it’s an exciting time to be in the role.

From a security standpoint, Target was always very involved in the security community. You could tell they took it very seriously. Pre-breach, Target was not on my radar professionally but after the breach, Target was front and center. All CISOs and board directors were asking, “What happened at Target? And what are we doing to make sure that doesn’t happen to us?”

As I started studying what happened at Target, and how they responded, I concluded they were getting a bad rap. What people were failing to see is that mistakes were made, as in any situation, but they came under attack by a highly sophisticated set of actors, and any company would have had the same results.

Their response post-breach was really impressive to me. My first interview was with the CEO, John Mulligan, and in his eyes I could see the genuine humility and the belief they were doing the right thing as well as the perseverance that “We’re going to fix this and we want the best and the brightest to do this.” That’s what really sold me on it.


The breach taught us that large companies are no longer confined, single entities that can hide behind a single firewall but sprawling networks of interconnected vendors. How do you even begin to defend that? 


Target already had a robust vendor security program and that is definitely a priority for me. But one of the principles I apply to information security isn’t security-related at all. It’s about simplification and consolidation. My geeky term for it is ‘attack surface reduction.’

When you look at a multinational company, it makes DNA look simple. You don’t need military-grade defense capabilities to figure out that you have too many connections. You have to simplify and consolidate those as much as possible and have adequate measures to detect and respond when those controls do fail.


We know that the criminals behind the Target attacks continue to scan networks for entry points. Are you still seeing that scanning activity on Target’s network? 


There are always kids in the basement running scanners on the Internet, and bad guys who are well-resourced, skilled and scanning the environment continually. In my background, most advanced attacks were done by guys in uniforms. I’ve done many board presentations about how those attacks occur, and what the anatomy of those attacks looks like.

In the retail space, I don’t need different slides. It’s the same tools, same process, same sophistication. Think Ocean’s 11 (the heist movie). All of the same tools and techniques that nation states are using for attacks have been commoditized and are available for sale in the black market and for the right amount of money you can go out and create a cybercrime ring at a relatively low cost.

There has been a big shift in organized crime out of the narcotics trade into cybercrime because it’s lower risk and more profitable.


Which makes a lot of sense. 


Target is committed to building a defense contractor level security program. We’re an online retailer and have a brick-and-mortar retail program. Yet if you follow the logic, you have to have a defense contractor level of capability. We’re going to do that and do whatever it takes to get there.


Sure. But even if you do, what about all the vendors connected to you that don’t have the same resources and security budgets?


Not everyone can do what we’re going to do. My goal is to build a world class information security model for the industry to follow. We’re committed to helping the smaller guys. Target is doing a lot of outreach in the security space. We’re helping create a Retail ISAC (Information Sharing and Analysis Center) to figure out how we are going to fix this for everyone.


Are you working closely with the other victims of these cyberattacks to share tactics?


I’ve heard a lot of different perspectives. We’re learning from everything that happened. We’re an open door with law enforcement, but there’s only so much we can say about an ongoing investigation.


So what are your top priorities coming into this job?


There’s been some extraordinary work post-breach, and I’m going to be tweaking those projects to make sure they each have the right priorities. But the biggest thing is keeping that machine moving, tweaking it and guiding it.


I’m curious. Are you going to be switching out some of your security software providers?


We’re obviously in a continuous evaluation of all the products out there. I was at RSA (the annual security conference) earlier this year. I’ve been a CISO for 16 years and I walked out on the floor and was blown away by the number of booths. I hid my badge and walked from booth to booth and played a little dumb. I don’t envy a new CISO coming into this field. Everyone has the better mousetrap.

It’s an interesting space but again, it points to a bigger problem. This industry is broken, when you see that many products out there trying to solve the same problem in different ways.

But we’re very connected to the vendor space and constantly talking to venture capitalists about where the investment should be made. I’m passionate about that, and it’s critical for my success to have the right tools in this threat landscape. Everyone is trying to figure this out and it requires constant evaluation. So we use a variety of different tools and we’ll probably keep some and change some.
