Why the Target data breach news keeps getting worse, and what you need to do

As you probably know, last year some still-unknown criminals stole a whole bunch of credit and debit card data from Target. And the story keeps changing. First there weren’t any PINs. Then they got the PINs, but no personally identifiable data. Well, the latest news indicates they got credit card numbers, names, addresses, phone numbers, e-mail addresses, and for a whole lot more people, and probably from a longer length of time than just late November to mid-December.

There are a few things you ought to do if you shop at Target, which many people do.

1. Check your statements. If you see any suspicious charges, report them immediately.

2. Contact your credit card companies if you haven’t already. Then again, they may have contacted you. My local bank replaced my debit card last month, and I just got e-mail from my other credit card company today saying they’ve issued me a new card.

3. Take up Target’s offer for identity theft protection. Target has set up an information page, where they will soon be offering free credit monitoring and identity theft protection. As soon as it’s available, sign up for it. I know it would be absurdly difficult for someone to take the breach information, steal the e-mail address and a person’s identity and then buy a house, because it’s absurdly difficult for me to buy a house legitimately, but the chances aren’t zero. So take Target up on their offer.

4. Call your homeowner’s insurance agent. Many homeowner’s policies cover identity theft, or can cover identity theft for a surprisingly low fee–much cheaper than the identity theft products you see on low-budget television, and these policies won’t interfere with your legitimate uses of your credit, which isn’t the case for many of the other products. Call to find out if your policy does, and if not, ask how to add that. The magic words to ask for often are “umbrella policy.” This will protect you after your year of free protection from Target runs out, and likely provides enough additional protection to be worth having anyway.

So, why does this story keep changing? Chances are, as they investigated the breach that happened during the Christmas shopping season, they uncovered more stuff. And it’s possible that what they found was part of separate campaigns against the company. Many large companies have their own incident response team–I currently administer a centralized logging system for a large company’s incident response team, and chances are the corresponding team at Target has been very busy for the last couple of months. It’s also possible that Target contracted an outside firm to come in and help with the investigation. There are several companies that specialize in that, such as Mandiant. It’s possible that the initial findings came from Target’s own security team, and that these latest revelations came from an outside team doing its own investigation on Target’s behalf. The details of who investigated what will probably never be made public. In the case of firms like Mandiant, being secretive and shadowy is part of the business model.

But I think there’s a silver lining in all of this. Fair warning: I’m about to get long-winded here. At several points in my career, I’ve seen some security that I wouldn’t even describe as an atrocity, because that’s being too kind. I’ve seen systems that should have been shut down immediately, tossed into the nearest body of water and never spoken of again–they were that hopelessly broken. But it probably wouldn’t surprise you to find out that doesn’t happen very often.

I’m not saying that’s what happened at Target because I’ll never know, but the way an attack usually plays out is that an attacker finds a system that shouldn’t be there, like an outdated server that everyone forgot about and isn’t even supposed to be powered on anymore–it happens–and they break into it. From there, they look around on the network and find something vulnerable. Maybe they jump there and can see a different network segment that the first system couldn’t see. With enough patience, eventually they’re bound to find a production system that has some juicy data in it. Those are supposed to be much harder to break into, but not everyone deploys their monthly Microsoft patches right away, so if a good vulnerability comes to light, they may have a few months to be able to use it, and get into something important. A database containing customer data or a credit card processing system would be two examples. The biggest thing that’s changed from the days of the classic book The Cuckoo’s Egg is that dialup modems are a lot less likely to be involved now. Malicious hacking is still just about finding an opening somewhere, going through it, then seeing if you can find something interesting, or another opening.

So here’s the thing. The next time I come across a system that does something that seemed like a good idea in 2005, or 1998, or 1973 but isn’t anymore, I can mention Target. I can describe how an attacker could use this system to eventually get to the crown jewels, like they did at Target. And the people running the system might actually want to understand–because it affected them personally. Like me, they shopped at Target, and had to get their cards replaced. Or maybe they didn’t, but a close relative did. And maybe that close relative even asked that person for advice.

Last year when I described embedding executable code in an Adobe Acrobat document, everyone sitting at the table around me pooh-poohed me. Too theoretical, and I was a dangerous person because I knew about doing that. Two months later I was looking for another job, and it wasn’t a coincidence. But when security is personal, it seems a lot less theoretical and far-fetched.

You see, one way to steal credit card information would be to embed executable code–say, a keylogger–into one of those Adobe Acrobat documents and send it to a database administrator. The database administrator clicks on it, unknowingly installs the keylogger, then all of the DBA’s usernames and passwords are getting logged. The attacker can wait for something that looks good, then when the DBA goes home, go get the credit card data.

Call that theoretical if you want, but I see similar things happen from time to time as part of a red team exercise. The bad guys can do it just as easily as the red team guys. Probably easier, since they have to worry less about collateral damage than red teams do.

So the next time it happens, I can go to the whiteboard, show how that system could have led to the Target breach if Target had that system, then show how something similar could play out wherever I happen to be at the time.

And even if the naysayers want to keep naysaying, there will be someone in the room who shopped at Target and doesn’t want to be part of a similar mess.

So I think it’s possible that other companies will take security a lot more seriously now that this breach has occurred. That’s good for my career, obviously, but it’s good for all of us personally too.

If you found this post informative or helpful, please share it!