How Not To Secure Your Company (Target Data Breach)
Video Overview & Insights
A look into how hackers stole 40 million credit and debit cards over a period of 2 weeks from Target in 2013.
Sources:
https://www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883
https://people.cs.vt.edu/danfeng/papers/Target-Yao-unpublished.pdf
https://aroundcyber.files.wordpress.com/2014/09/aorato-target-report.pdf
https://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-breach/
https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
https://www.malwarebytes.com/blog/news/2012/11/citadel-a-cyber-criminals-ultimate-weapon
https://securityintelligence.com/target-data-breach-kaptoxa-pos-malware/
https://www.crowdstrike.com/cybersecurity-101/ntlm-windows-new-technology-lan-manager/
Chapters:
0:00 Part 1: Phishing email
0:42 Part 2: Citadel trojan
1:48 Part 3: RCE exploit
3:50 Part 4: Entry into network
6:10 Part 5: POS malware
7:24 Part 6: Aftermath
Corrections:
-
Music:
- Finding the Balance by Kevin MacLeod
- Firecracker by LEMMiNO (https://www.youtube.com/watch?v=ulfoU2MziOc)
Twitter: https://twitter.com/kevinfaang/
Instagram: https://instagram.com/kevinfaang_yt/
More User Perspectives
We'd have a lot fewer incidents like these if the CEO and employees were affected too. You know they'd try harder to do basic security and push for less data retention if they knew that their credit cards would get leaked if they got lazy.
the jojo stand stats on the citadel virus dgbhdbgdbh
also can't believe we have viruses w/ customer support now.
1:01 interesting, if I'm reading the Cyrillic correctly, that literally spells "tsitadel troyan", which is a pretty good approximation
How dumb do you have to be to make cash registers reachable from a corporate server?
PHP ❤
I worked contract in software through the 2010s and security was always forefront in my mind (I was pretty paranoid, but for good reason) alongside writing the best-standardised code you can. Layering security is broadly misunderstood; the assumption is the external front is "where it matters", but it's really about layer upon layer of security if someone gets in. Actually lost a couple of contracts because some architects got upset when I called out obvious security issues. Did my job though, as mostly people (many PMs, analysts) knew that unless 'someone' on the front line with some level of experience says something, they genuinely don't know how exposed they are.
Some of the more abstract concepts are hard to understand.
A friend and I conducted a penetration test of Target's network about a year earlier and found several issues, one of them being several boxes on the network were phoning home suspicious data to Russian IPs. It was in our 300+-page report, that of COURSE they didn't read, but they still paid our almost quarter-of-a-million-dollar fee to the company I worked at. After the breach and inevitable investigation, they tried to pin it on us, saying we were somehow responsible in that we didn't alert them to an issue. However, we sent yet another 300+-page paper describing how we did show them, and cited multiple pages in the original report along with multiple pages on how to mitigate the risks, and on top of the report was a cease and desist from our legal team, stating they could damage the reputation of our company with false claims if they went public with this nonsense claim. We never heard from them again. If they did try to save their ass with this bullshit claim and throw us under the bus, we were in no position to fight it, because we had signed a non-disclosure agreement with Target.
Wait... I suddenly understand why hacking can be fun and satisfying
"SQL Server 2000 Developer Edition on NT 5.1 SP2" 😭😭😭
we're sorry for exposing your info, here's a generous $.46 for the trouble
TARGET BECAME A TARGET 😂
Gotta love being able to VNC into servers via a Windows-based weighing scale
Still not as big a fuck up as their Canada launch lol
9:50 the yay and aw sound effect here are so perfect lmao
@meatdress8111: 3:08 PHP is the best language in the world 🥹🥹😂😂😂😂😂😂😂😂😂😂😂😂🤣🤣🤣🤣🤣🤣🤣
@carddamom188: 6:26 Картоха (Russian: "potato")
@DimaTiunov: I think it's amusing a point-of-sale terminal can just send a DLL (a file type which might normally contain arbitrary code) containing credit card numbers to a different system in a different store and NOTHING in the network infrastructure stops them. (Sure, FireEye thought it was kind of sus, but couldn't be bothered to give an actionable error message)
@Twisted_Code: Stuff like this makes me think "maybe I should apply here, seems like a pretty chill job with no proper oversight" >:)
Like seriously, weak or default passwords, I'm now just imagining "Password1!" on the freaking DA account.
No network segmentation! Sure, I guess the CEO is going to be needing to dump POS records from the Kansas City North night manager's home computer, right?
Citadel... you know, it's crazy how much business on the dark web mirrors the light web sometimes. Really, the main people they are trying to hide from is the government, and so there is some honor among thieves despite the secrecy and lack of public recourse.
@Twisted_Code: So Target became the target.
@ostapstadyou: >>> code report
@JefeVergas: 4:01 security is erased for everyone but me 🗣️
@Century.0_0: completely missed opportunity of inserting Flowey's monstrous face for the Among Us imposter
@MohanadSaid-u8x: You wanna know something fucking insane, every single Zebra device has serious issues with security, especially the proprietary bullshit applications that are loaded onto it.
@kickeddroid: these videos are actually so entertaining
@impbsi: CEO f'ed up and still gets $61 million severance pay.
@suspiciousactivity4266: The real crime is the software called BlackPOS
@samsaek666: fuck microsoft
@pelaajahacks8358: you at least use sussies for the better
@espada_de_morango: this is why json is better than sql
@Cart1416: this would have been solved if they just didn't use contractors
@What-ez6im: Class action lawsuits are hilariously worthless.
@BaconMinion: Giorno reference 4:02
@RjayApai: 1:02 Citadel Trojan? Trojan Condom!
@Dr_Larken: why does this feel just like an ACE (Arbitrary Code Execution) speedrun
@link_team3855: Google HTTP HTML HAKED Local Host Public Social Device all Global 5G SIM IPv4 Playmentes Chinese, North Korea and the Russian Federation in Poland Kernel KDE Linux.
@grzegorzmajewski591: Fireship?
@AbdelftahZowail: 2:45 I think that's a WordPress file
@anthonygc96: 5:38 never thought I'd show up in a video like this, that was probably an HLX scale, which runs Windows Embedded on an AMD Geode
@AiOinc1: I love that hackers are represented by crewmates 😂
@bencorrell: YOU NEED TO STOP BEING SUSSY!
@battokizu: Except apparently NFC payment is just the mag stripe data, so it's gonna come back.
@keiyakins: supply chain attack moment
@CrittingOut: *"Цитадель" trojan
@qoombert: I'm doing a report on this one right now, thx for all the sources and the quick video :)
@Randy-nb6fw: man I am rewatching your videos, come on drop one more already
@janardannn: Classic deli meat scale attack vector
@easlern: So Target is a master class in face rolling IT security? Nice, companies need to stop collecting so much data and there is no reason for credit cards to exist anymore. There are much better payment systems now.
@allanwilmath8226: Ha, Petco has the same vulnerability. Wonder if they fixed it yet.
@Veltrosstho: One issue this data breach highlights is 'alert fatigue'. It's all too common to just see the anti-virus software pop up with something suspicious and not bother to look into it because of previous false positives and the fact it looks too generic. You just assume all is good, when in this case, it very much was not. Alert fatigue is something that needs to be mentioned more often and caught early.
@SamK4074