Episode 42 - Targeted!!
Published February 6, 2014
On this episode of Robot Overlordz, we take a look at the recent hack of Target (and other retailers) POS systems. What can you do to protect yourself? How scared of identity theft should you really be? Does this latest wave of hacks that have been in the news actually affect you? Recorded on 1/29/2014.
You can download the episode here.
Mike & Matt's Recommended Reading:
Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen, by Brian Krebs (KrebsOnSecurity, 1/10/2014)
A First Look at the Target Intrusion, Malware, by Brian Krebs (KrebsOnSecurity, 1/15/2014)
A Closer Look at the Target Malware, Part II, by Brian Krebs (KrebsOnSecurity, 1/16/2014)
How the Target Hackers Did It, by Arik Hesseldahl (re/code, 1/17/2014)
Analyst Calls Russian Teen Author of Target Malware, by Soulskill (Slashdot)
Target Offers Free Experian Credit Monitoring for One Year, by Walter Glenn (Lifehacker, 1/20/2014)
Free Credit Monitoring via Target, if you were affected by the breach
Researcher Reads RFID Tag From Hundreds Of Feet Away, by Kelly Jackson Higgins (Dark Reading, 8/3/2010)
Identity Stronghold for RFID blocking wallets and other security products
Schneier on Security, another great security resource, this site is run by Bruce Schneier
Mike Johnston: Welcome to another episode of Robot Overlordz. I'm Mike Johnston.
Matt Bolton: And I'm Matt Bolton.
MJ: And this episode's topic was suggested via Twitter by Chris Sego, @TranceMM, Trance Multimedia. Chris is an old friend of mine, actually, I've known him since college. So, thanks Chris, for the topic suggestion. And I guess, in a nutshell, this would be the Target security breach. To start off, the article really that I had to start us off is a Krebs On Security article about the, well the first one was from January 10th, about the 70 million names, mailing addresses, phone numbers, and emails which were hacked, and that's three weeks after their original acknowledgment that their credit card and debit card records had been hacked, for about 40 million people. So, Krebs On Security is a security blog, basically. It's written by Brian Krebs, he used to work for the Washington Post and writes about computer security. I don't know about you Matt, but I really think his articles, I mean, there are a couple of them that we're gonna put in the show notes tonight, but I think his perspectives are really good on computer security.
MB: Yeah, this was the first time I had ever even really heard of him, so, and I read the three articles that we're referencing tonight that he wrote, and it's very obvious, just from a layman's perspective, that he definitely knows what he's talking about for security, so, it's definitely, if you're looking for, you know, security whatever, it's definitely a great resource, so it's interesting to start following him more closely.
MJ: Yeah, well, and for me, you know, he kinda got in, if you read on his site 'About the Author', you know, he got into computer security in some of the similar ways that I got into IT myself, and he's about our age, so, anyway. Enough about Brian Krebs. In a nutshell, he writes quite a bit about how they did this hack, and one of the big things that I got out of his article, anyway, is that, really, they were able to put a, what's called a RAM scraper virus on the point-of-sale systems, and a RAM scraper just looks for that microsecond window when your information is sitting unencrypted on that point-of-sale system. They were also able to set up a control server within Target's network. The infected point-of-sale systems would upload that information to that control server, which then put it out to the internet.
MB: The one thing I found amazing from reading his articles is the fact that, even after they knew how the hackers got in and they knew what they were looking for, there wasn't a single antivirus, enterprise-level antivirus that was even detecting any of this, you know, the software that was put on the Target servers.
MJ: Yeah, well, and he does write a bit about the black market for those malicious hacking tools now, and really, they're not very expensive. Kids can buy this stuff for, I think they traced it back to, both Brian Krebs and some of the other articles, you know, it's basically been, as far as the source, it's been tracked back to Russia. And a lot of hacks nowadays do come from Russia, or at least the hacking tools, and, you know, for kids over there that have a background in computer science, this is how they make money, and it's a gold mine for them, but I think that just goes to show that things on the internet are under attack at all times.
MB: Well, I think it's silly, you know, too, in Russia, they actually teach hacking to students and things, and as awful or not as it sounds, I think it would be a good idea if we did that in the United States, just because when people understand how to hack, that's how you build better firewalls and better security, is through hacking, basically, so...
MJ: Yeah. If you know how to break something, you know how to put it back together, at least when it comes to computers.
MB: Right, because I guarantee, the next time, all they're gonna do is cut off this avenue for doing this, and somebody's gonna figure out another way to get it done in the future. It's kinda like when 9/11 happened and all of a sudden you weren't allowed to bring any pointy objects on the plane, but, you know, it was kind of, well, I don't know if the terrorists are gonna try, you know, it was assuming that the terrorists were gonna try the same exact approach again if they wanted to attack us, and it's the same way with these security breaches. Chances are, they're not gonna do the same thing twice.
MJ: Yeah. Well, and, it's a game of whack-a-mole. I mean, Bruce Schneier, another one of my security experts that I read quite a bit, talks about that. When you're defending against attacks, the attacker has all the mobility. All they have to do is change one little thing, you know, instead of trying to crash a plane into your building, now they just put explosives on remote-controlled cars or remote-controlled helicopters, you know, and yet, if you're trying to defend against an airplane, that's a completely different set of skills and approaches than defending against a remote-controlled car, or, you know, a twelve year old wearing a bomb vest, or, you know, someone mixing chemicals in an airplane bathroom. I mean, it's effectively infinite, the attack vectors, but you only have, as a defender, you only have finite resources, so. One of the other things about this hack in particular, you know, Target's point-of-sale systems, most of what I have read is that they're running Windows XP Embedded or Windows Embedded for Point-of-Sale Systems. You know, Windows XP, it came out in, it was released August 24th, 2001, and you know, for me, I don't think IT got serious about security until the SQL Slammer virus, which, you know, I looked up, that hit January 25th, 2003. So, these embedded systems, the point-of-sale systems, are running an operating system that was conceived at a time when people weren't really thinking about security. And another thing about Target, that control server, they used a user account, Best1_user is the name of the account, and that's a default user that's created by a product from BMC Software called Performance Assurance for Microsoft Servers, and we ran some BMC Software for monitoring at AT&T when I worked there, and it creates a user like that that was on all of our servers. And they claim, you know, oh, this user has to have god rights, basically, on everything, but it's not used for anything. 
And this reminds me quite a bit of what they say about the RFID credit cards, that those things only have a two inch range, basically. Well, the thing they don't tell you about that is it's the point-of-sale systems that have a two inch range, because they have a teeny miniature antenna. The RFID chip in that credit card of yours? It's a passive device, it takes whatever signal gets bounced off it. And at some of the hacker conventions, I think, like DefCon and things, they can build antennas and sweep those cards from like 217 feet, actually. The guy's equipment caught on fire, but, you know, that was in 2010, so the equipment will get more stable, and really, it just proves that, from what they say, the range is way greater than two inches.
MB: That's amazing, but I didn't even know that.
MJ: I just bought, actually, an RFID blocking wallet, it should be here Friday, for that exact reason, is because they can scan what's in your wallet without even coming near you.
MB: Yeah, unless we start going to retina scans or fingerprint readers, you know, and I'm sure that somebody'll figure out a way to hack those too, but up until that, it might be the only way to keep somebody from using your credit card, if it's attached to your retina, you know.
MJ: Yeah. Anything can be faked. The records can be changed on the back-end. I have this running argument with my mom about if online banking is safe, and she insists that her accounts are safe because she doesn't do online banking, and my argument is that, your bank is connected to the internet, your accounts aren't safe. You know, you're relying on a 30 day window to review your account. In 30 days, someone can do a lot of damage to your credit.
MB: Yeah, yeah, and a lot of people, especially if you're not online, you know, I check my bank statement almost every day, but if you're one of those people who's not online with your banking, then you really are only getting your bank statement once a month, and yeah, you're right, you can do, especially if you've got overdraft protection, and, you know, or it pulls money from your savings account if need be. Somebody can really remove a lot of money from you in a short amount of time.
MJ: Well and, in one of Krebs' articles, Brian Krebs' articles, he makes the point about, you know, a lot of people get mixed up about the difference between credit card fraud and identity theft. And I think, in terms of credit card fraud, if someone steals your credit card number, you're not liable for that, it's pretty easy to resolve as long as you catch the charges and say, hey, these aren't me, get a new card issued, and you're done. But identity theft or something like that is much harder to resolve, and as far as debit cards, this is why I don't like debit cards personally, when money is out of your account, trying to get it back is really difficult, you know? And as far as identity theft, people are opening new accounts in your name, or changing your address, and things like that. There was a case, I don't know if you saw any of the news today on Twitter about a user who had a Twitter account @N, I mean, he got blackmailed to give up his Twitter account. And one of the ways that the blackmailer did that is he had called PayPal, and gotten the last four digits of this guy's credit card number, and he used that to get into GoDaddy, and have them transfer his domains. And if you have someone's domain where their email is being routed through, you can do a ton of damage.
MB: Yeah, it's amazing what people can come up with, which is going back to what I had said earlier about, if we taught hacking and things, not that you want people to start going around hacking, but it would create more security because you would know, people would come up with more loopholes if they knew how.
MJ: Well, and I think it would help the developers. You know, I mean, I support developers now in IT, and half the time, they're concerned with making it work. They don't care what you have to do, and if their stuff isn't working, they have problems with their code and they can't get it to work, they'll complain to upper management until they get those god rights, like that BMC Software package, you know, I need god rights to run. Developers are terrible at knowing what their software actually needs. And I got, I actually, at AT&T, we got a fax package that AT&T wanted to bring in, and it had been written by someone in their garage, and they were selling it as an enterprise fax package. And we beat on them for all the standard things that we didn't allow, you know, their software needed admin rights to run, it needed to be able to access everything, and we told him, no, you can't have that, and went through all this work getting them, and they did it, actually, they very successfully made their product run under the restrictions we had given them, and it worked. And then AT&T decided to go with a different fax package which had all of the same problems, only worse, and we got told to just do it because they needed this fax package to work.
MB: Big corporations usually act stupid like that, so.
MJ: And you know, that's the thing about Target. You know, my Mom has a Target credit card. She got the note from Target about the free credit monitoring that they're offering, and I looked at the email that came across. She's like, should I click on this? And I looked at it, and it came from this domain, this address at BFIO.com. And I'm like, huh, that doesn't look right, so we looked it up, and it was registered to someone in Texas at the time when we looked this up. And I looked up Target.com and it was registered in Minnesota. And I'm like, this doesn't look right. But there was nothing in the email to click on. So we went to Target.com and found that it's actually creditmonitoring.target.com, that's where you would sign up for free credit reporting service that Target is offering because of the breach, and it actually was the real email, but BFIO.com is now registered, I looked it up, actually, before we started recording, it's registered in the UK, if you look it up on the internet, like, who owns it, it does not look like Target's domain.
MB: Well I got that same email, and I just immediately deleted it because I figured it was somebody trying to take advantage of the fact that Target, you know, was going through all this, and I figured some scammer had come up with a way to get gullible people to fork over even more information. So I just immediately deleted, 'cause I couldn't figure out how Target even had my email address. But then to come to find out that it actually is a legit email...
MJ: Yeah, yeah. I just think that's amazing, I mean, Target, these companies make it easy for the hackers to get at your information.
MB: Yeah, definitely, yeah, they do.
MJ: Well, and, you know, if you are concerned about this, one of my favorite sites, lifehacker.com, one of the links we're gonna put in the show notes, is how to monitor your credit for free for life, and it just gives you some tips about ways that, you know, I mean, whenever companies get hacked like this, like Target's offer for credit monitoring, it's generally only for a year, and, you know, it times out or it comes with strings attached, and Lifehacker gives you a pretty good guide on how to get the same effect yourself, and, you know, one of their big suggestions is to log on and check your accounts, exactly like we were saying earlier. Okay, that's all for this episode of Robot Overlordz. You can find us online and our show notes from tonight at RobotOverlordz with a Z dot com, on Twitter as @RobotOverlordz with a Z, on Tumblr, RobotOverlordz with a Z dot Tumblr dot com. We are now listed on iTunes in the podcast section, you can find us there as RobotOverlordz with a Z. We're also offering voice feedback if you'd like to call in. You can reach us at 630-708-0492. New episodes are released on Tuesdays and Thursdays, so check back often. Again, I'm Mike Johnston.
MB: And I'm Matt Bolton.
MJ: Thanks for listening.
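The RAM-scraper behaviour Mike describes earlier in the episode (malware reading card data out of the point-of-sale process in the moment it sits unencrypted) is worth seeing concretely. The block below is an added example written for these notes; it is not code from the episode, from Krebs' articles, or from the Target malware. It takes a constructed byte buffer standing in for a POS process's memory, pattern-matches the standard Track 1 and Track 2 magnetic-stripe layouts, and keeps only records whose PAN passes the Luhn mod-10 check, which is how a scraper separates real card data from random digit runs. Run over a memory dump of your own POS software, the same routine is the defender's check that cleartext track data is present at all. The buffer layout and the PANs (the usual publicly documented test numbers) are assumptions, not real data.

```python
import re

# Track 1 (IATA) layout as read from the stripe before any encryption:
# %B<PAN>^<SURNAME/GIVEN>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})([^?]{0,50})\?"
)
# Track 2 (ABA) layout: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,40})\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4, all a report should carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape(buf: bytes) -> list:
    """Return every Luhn-valid track record found in a memory buffer."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": pan,
                         "name": m.group(2).decode().strip(),
                         "expiry": m.group(3).decode(), "offset": m.start()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": pan, "name": "",
                         "expiry": m.group(2).decode(), "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a POS process's memory (assumption, not a real
# dump). The PANs are published test numbers; the third record is a decoy
# whose PAN fails Luhn, so the scraper discards it.
SAMPLE_MEMORY = (
    b"\x00" * 32 + b"config=pos.ini\x00"
    + b"%B4111111111111111^DOE/JOHN^25121010000000000000?"
    + b"\x00" * 64 + b"txn_id=000123\x00"
    + b";5555555555554444=25121010000000000?"
    + b"\x00" * 16
    + b";1234567890123456=25121010000000000?"   # looks like a PAN, fails Luhn
    + b"\x00" * 32
)


if __name__ == "__main__":
    for h in scrape(SAMPLE_MEMORY):
        print(f"track {h['track']} at offset {h['offset']}: "
              f"{mask(h['pan'])} exp {h['expiry']} {h['name']}".rstrip())
```

Running the block prints two masked records and nothing for the decoy. Two design points carry over to real work: report only masked PANs, since a scan of this kind is itself handling cardholder data, and treat any hit as proof that the window Mike describes exists in your deployment; the fix is not a better antivirus signature but encrypting in the reader so that nothing matching these patterns ever appears in POS process memory.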