Target Knew About Its Massive Hack—It Just Didn’t Do Anything to Stop It

Throughout the total absurdity that’s been the aftermath of Target’s massive data breach, one question has continued to persist unanswered: Why the hell didn’t one of the biggest retailers in the country have sufficient security software? Well, the thing is—it did. It just ignored it.

https://gizmodo.com/last-months-massive-target-hack-was-the-heating-guys-1516926877

Thanks to a Bloomberg Businessweek exclusive, we now know that Target could have saved itself (and its 110 million affected customers) billions of dollars’ worth of pain if it had just listened to its malware detection software’s alarms the first time—or even the second, third, fourth, and fifth times.

Instead, Target executives stood idly by as the biggest retail data breach in US history happened right under their noses. Bloomberg writes:

In testimony before Congress, Target
has said that it was only after the U.S. Department of Justice notified
the retailer about the breach in mid-December that company
investigators went back to figure out what happened.
What it hasn’t publicly revealed: Poring over computer logs, Target
found FireEye’s alerts from Nov. 30 and more from Dec. 2,
when hackers installed yet another version of the malware. Not only
should those alarms have been impossible to miss, they went off
early enough that the hackers hadn’t begun transmitting the stolen card
data out of Target’s network.

Yes, despite spending $1.6 million on security software FireEye, Target decided that it probably wasn’t worth the trouble to actually, you know, use it. Because, even though Target’s hackers were fairly elaborate in their attempt to circumvent Target’s system, FireEye was more than capable of handling it.

The [FireEye] system works by creating a parallel computer network on
virtual machines. Before data from the Internet reach Target, they pass
through FireEye’s technology, where the hackers’ tools, fooled into
thinking they’re in real computers, go to work.
The technology spots the attack before it happens, then warns the
customer. Unlike antivirus systems, which flag malware from past
breaches, FireEye’s isn’t as easily tricked when hackers use novel tools
or customize their attack, customers say. “It’s a very
smart approach,” says Robert Bigman, the CIA’s former chief information
security officer. “When we first started working with them several
years ago, no one ever thought of doing it that way.”

So why would Target just completely ignore an obvious data breach when the company itself stands to lose the most in the long run? “Incompetence” might seem a bit harsh, but after realizing that Target’s security actively chose to turn off the function that automatically deletes malware, it’s hard to see it any other way.

As the hackers inserted more versions of
the same malware (they may have used as many as five, security
researchers say), the security system sent out more alerts, each the
most urgent on FireEye’s graded scale, says the person
who has consulted on Target’s probe. The breach could have been stopped
there without human intervention. The system has an option to
automatically delete malware as it’s detected. But according to two
people who audited FireEye’s performance after the breach,
Target’s security team turned that function off…
Target had done a months-long test of FireEye that ended in May and was
rolling out the technology throughout the company’s massive IT system.
It’s possible that FireEye was still viewed with some skepticism by its
minders at the time of the hack, say two people
familiar with Target’s security operations…

Head on over to Bloomberg to read the full story; the whole thing is fascinating. Deeply, deeply troubling, yes, but fascinating nonetheless. [Bloomberg]
