Target Breach!

This weekend I was interviewed by ABC News about the Target and Neiman Marcus breaches. You can see the video here. As usual, there is a lot more to the story than is covered on the evening news. Don’t get me wrong, they do a superb job of telling the story. It’s just... more complicated than you might think.

Somehow, someone penetrated the defenses at Target. Not at your local store, but at its corporate headquarters or some regional data center that they may run (Target, naturally, is not going to release precise details about the attack, for very good reasons of protecting against future attacks). Given the huge numbers cited by Target spokespeople (as many as 110 million households, as referenced here in Lysa Myers’ great ESET blog), it is likely to have been accomplished at some central location.

There are many ways this could have happened. There might have been malware involved, or a wireless connection, or even a rogue employee (what is called an insider threat). In fact there are thousands of ways this could have happened, and it is very likely that this was what is commonly called an advanced persistent threat (APT), using mixed attack methods (we call them vectors) over an extended period of time. Note that an APT is not a kind of malware, but a name for the overall crime committed. (I will put up a whole blog entry about the APT phenomenon, and soon.)

So, we probably aren’t ever going to know exactly how this happened. That isn’t in the cards. No matter, really, because this isn’t an isolated event, and to you, dear reader, it isn’t the point. This is an adjustment in our experience of the world, a milestone on the road to tomorrow. It isn’t the first. It certainly won’t be the last. It is a very good bookmark for me to tell you some important stuff that might not be obvious to the untrained eye.

FIRST: The other side of a credit transaction might not be safe, but your side is always more risky.

We have had many notable breaches in history. TJX Corporation (home of TJ Maxx and other fine retailers) was hit for about six million customer transactions in 2007, and Heartland Payment Systems Corporation (which processes credit and debit card transactions for companies you have heard of) was hit for a hundred million transactions in 2009. These are big stories, with lots of news coverage and ballyhoo, but there is a bigger story that doesn’t make the front page.

The truth is, you are much more likely to be hacked on your own computer, without ever knowing it. Your data is likely either to be stolen from you directly or, even worse, to be given away by you voluntarily.

As an allegory, I like to compare your computer (and by extension, your presence online) to a house. There are lots of doors and windows into that house, and you don’t even know what to lock, or shut, or guard. I checked this image with a very smart man and he said I fell short of the mark.

“It’s more like you are now finding that your house is made of tissue paper,” says Professor Richard Ford of the Florida Institute of Technology. “There is no simple way to secure it.” I agree wholeheartedly. If you want to be secure in the data age you will need continuing education, you will need a strategy, but most of all you will need awareness of what is important in the data on your computer, online, and in the cloud.

(This will be an ongoing thread in this blog, so please ask any questions in the comments on this post; they will guide where I go next in this discussion.)

SECOND: The criminals that stole the data from Target are likely not the same ones that will use the data in the commission of a crime.

This is easy to explain. There are many underground thieves’ markets on the internet (and no, I will not help you find your way to one, and am officially warning you not to even try; they would pwn you in a second, and that’s not a good thing). So the people who stole this data will likely parcel it out for sale to other criminals to use in a variety of ways. The sort of data stolen (name, address, email address, credit card number) is a virtual toolkit for the cyber-criminal. It represents a dossier on the victim that can be exploited for years to come. This will probably happen after the noise about this breach has worn off.

THIRD: If your data were stolen, when the follow-up attack comes, it will probably not be associated with Target.

These criminals are not stupid. (Stupid criminals rob liquor stores.) They might, for example, make very small charges to the credit cards (even a one-dollar charge across all these cards is a very large haul), or they might just use your email address to send you phishing emails to capture you even more completely.

That email is not going to look like it’s coming from Target. There is an unfortunate assumption on the part of the public that cybercrime is obvious and visible in nature. It will look like it’s coming from a bank, or from FedEx, or from a doctor. Just because it comes from some vendor you do NOT do business with does NOT make it safe to open. In general, be suspicious, don’t open email unless you have a good reason to, and throw the rest away unread. It’s not just spam; it could be malware, or phishing, or things we don’t even have a cutesy name for yet.

A good suggestion comes from computer security guru Jimmy Kuo: make an alias for each vendor and tell the vendor to use that alias for your email (so you have an alias for Amazon, one for eBay, one for Target, etc.), and have them all forward to your main email address. You can tell from the header which address received the email, and if there is a mismatch between the recipient alias and the apparent sender, get rid of it unopened and unread.
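As an added illustration (not code from the post or from Jimmy Kuo), here is a small Python check of that header rule: the aliases, vendor domains and sample messages are constructed, hypothetical values, and a message whose receiving alias belongs to one vendor but whose From domain belongs to someone else is flagged as a mismatch.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed, hypothetical per-vendor aliases (not from the post) that all
# forward to one real mailbox; each alias was given to exactly one vendor.
ALIAS_VENDORS = {
    "amazon.a1b2@example.net": "amazon.com",
    "ebay.c3d4@example.net": "ebay.com",
    "target.e5f6@example.net": "target.com",
}

def delivered_alias(msg):
    """Return the vendor alias that received the mail, or None.
    Prefer the MTA's Delivered-To/X-Original-To, then fall back to To/Cc."""
    candidates = []
    for hdr in ("Delivered-To", "X-Original-To"):
        candidates += [parseaddr(v)[1] for v in msg.get_all(hdr, [])]
    candidates += [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    for addr in candidates:
        if addr.lower() in ALIAS_VENDORS:
            return addr.lower()
    return None

def check_message(raw):
    """Return (verdict, alias, sender_domain). 'mismatch' means the mail
    arrived on one vendor's private alias but claims to come from another sender."""
    msg = email.message_from_string(raw)
    alias = delivered_alias(msg)
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if alias is None:
        return ("unknown-alias", None, sender_domain)
    expected = ALIAS_VENDORS[alias]
    if sender_domain == expected or sender_domain.endswith("." + expected):
        return ("match", alias, sender_domain)
    return ("mismatch", alias, sender_domain)

def sample(to, sender, subject):
    # Constructed raw message; header order mimics what a forwarding MTA adds.
    return "\n".join([f"Delivered-To: {to}", f"From: {sender}", f"To: {to}",
                      f"Subject: {subject}", "", "body"])

if __name__ == "__main__":
    legit = sample("amazon.a1b2@example.net", "Amazon <ship-confirm@amazon.com>", "Shipped")
    phish = sample("target.e5f6@example.net", "Fraud Dept <alerts@bank.example>", "Verify")
    print(check_message(legit))  # ('match', 'amazon.a1b2@example.net', 'amazon.com')
    print(check_message(phish))  # ('mismatch', 'target.e5f6@example.net', 'bank.example')
```

A matching From header is not proof of legitimacy, since a sender address can be forged; the value of the alias scheme is that a mismatch is a reliable red flag you can act on without opening the message.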

(This is a long enough post already, so I am going to sign off, but expect some details on these and other topics in the future.)


David Perry

Huntington Beach, California

6 thoughts on “Target Breach!”

  1. I agree with you that this likely happened in a central location. The first news reports said POS terminals. While entirely possible, the easier target (no pun intended) would be a system that authorizes and queues CC transactions before sending to a clearing house. I was not aware that customer data like email addresses was also stolen. That would make for some interesting phishing attacks. Given that the first 5-6 digits of a credit card identify the issuer, the phishing emails could appear to come from the user’s specific bank. This would make customers of smaller regional banks more susceptible in my opinion. I am more likely to open an email from my credit union than from Chase.


    1. Michael,
      Your assumptions would be true if the general computing public knew as much as you do. They don’t. I frequently hear from end users who think that the Target breach follow-on attack email will have to appear to come from Target, or conversely, that an email from somewhere they have no account is perfectly safe for them to open (after all, they have no account at that bank/store/whatever). I have written a couple of research papers on popular cognitive dissonance and computer security and you will see some blog entries coming up in the near future (first, though, I get to do some fun stuff from my CES experiences). Keep tuning in and keep commenting! Thanks for your kind attention.

