Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.

No, people are not hacking your refrigerator. But they are hacking the people who monitor refrigerators (and air conditioning, and that sort of thing). This was a trusted supplier. So how much should Target have trusted that the supplier was not hackable?
It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.

Quite frankly, it's well known that HVAC systems are poorly protected. The unpleasant little secret here is that it was less expensive for Target to outsource this sort of specialized monitoring. It's likely that the monitored systems were not isolated from the main network because isolating them would have added cost and complexity. In other words, Business Unit A outsourced to meet its cost goals, and IT declined to rearchitect the network to meet its own cost goals. And the Bad Guys had an open field to run on.
This is speculation, of course, but it shows that the most maddening security problems are not technical but organizational. If this is how Target got hacked, it looks like they are in a very poor position regarding due diligence, or maybe even negligence.
* Post title shamelessly stolen from one of the most significant security papers ever given.