Late last week, Home Depot finally released a statement about its data breach. At least they had the decency to call the attack “custom” and not spin it as “advanced” or “sophisticated.” Even “custom” is really a euphemism, as the attack wasn’t all that different from what other retailers experienced earlier in the year. It may have been as simple as recompressing the BlackPOS malware using a different compression algorithm or compression ratio to evade antivirus.
The breach involves about 56 million cards, making it a bigger breach than Target.
The breach may have been confined to the self-checkout lanes. Why were the self-checkout lanes the easier target? I don’t know, but I’ll tell you the attackers take the path of least resistance, like so many other things. It could be that the self-checkout lanes were what the attacker found first. Or maybe they found a system in that portion of the network that was missing a single critical patch. That can happen rather easily, and all it takes is one system with MS08-067 missing for a company to have a really bad day.
Home Depot has taken a lot of flak for using end-of-life or nearly end-of-life software. To their credit, they began a process of modernization right after the Target breach and were well into it when the attack happened. But the attackers were faster, and once the attackers were already in, the modernization didn’t do anything to slow them down. It may take us a while as an industry to learn that the better we are about staying current, the less likely we are to be breached. There are still far too many people who believe that old software is more stable than new software. That’s not always true, and new software is almost always more secure than old software.
Right now the estimates say that the breach will cost Home Depot $62 million. They have insurance that will cover $27 million of it, but that leaves them on the hook for $35 million. $35 million will buy a fair bit of modernization, and modernization brings more benefits than cleaning up breaches.
At the very least, if you don’t have any Windows Vista or Windows Server 2008 (the pre-R2 release) left on your network, let alone the much more common Windows XP and Windows Server 2003, you are guaranteed not to have any MS08-067 left. You can buy extended support for Windows XP, but some percentage of patch deployments will fail, so the fewer patches you have to push and re-push, the fewer vulnerabilities you have and the fewer opportunities you leave for attackers to run off with your valuable data.
What’s so special about MS08-067? It’s the patch for the last really reliable remote code execution vulnerability. It’s rather old, but if someone builds a system with the wrong image and the patch management system isn’t pushing out all missing patches every month, it’s possible to end up with a system missing that patch. Several things have to go wrong for MS08-067 to end up missing, but it’s not inconceivable. I’m not saying that’s what happened to Home Depot, but it’s one possible scenario.
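An added example (mine, not from the post) of the kind of inventory audit the last two paragraphs argue for: given a fleet inventory, flag every host whose OS is in the MS08-067-affected family but lacks KB958644 (the update MS08-067 shipped as), and every host still on an end-of-life OS. The inventory lines are constructed; in practice they would come from your patch-management system.

```python
import csv
import io

# MS08-067 shipped as KB958644 and affected the Windows 2000 through
# Vista / Server 2008 code line; Windows 7 and Server 2008 R2 were
# released after the fix and never needed it.
MS08_067_KB = "KB958644"
MS08_067_AFFECTED = {
    "Windows 2000", "Windows XP", "Windows Server 2003",
    "Windows Vista", "Windows Server 2008",
}
# Assumption: out of all Microsoft support as of the post's date (Sept 2014).
# Adjust to your own environment's lifecycle policy.
END_OF_LIFE = {"Windows 2000", "Windows XP"}

# Constructed sample inventory (hostname, OS, installed hotfixes).
INVENTORY_CSV = """hostname,os,hotfixes
sco-lane-01,Windows XP,KB958644;KB2286198
sco-lane-02,Windows XP,KB2286198
pos-srv-01,Windows Server 2003,KB958644
pos-srv-02,Windows Server 2008,
office-07,Windows 7,
"""


def audit_inventory(csv_text):
    """Return (hostname, finding) pairs for every host that needs attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, os_name = row["hostname"], row["os"]
        # Empty hotfix field means nothing is installed, not "unknown".
        hotfixes = {kb for kb in row["hotfixes"].split(";") if kb}
        if os_name in MS08_067_AFFECTED and MS08_067_KB not in hotfixes:
            findings.append((host, "missing MS08-067 (%s)" % MS08_067_KB))
        if os_name in END_OF_LIFE:
            findings.append((host, "end-of-life OS: %s" % os_name))
    return findings


if __name__ == "__main__":
    for host, finding in audit_inventory(INVENTORY_CSV):
        print("%-12s %s" % (host, finding))
```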