The Kernel


Targets Pickled Russian Potato

Posted: January 23rd, 2014 | Filed under: CRIME!, Hack!

The virus that was used to steal 40 million people’s credit-card details from giant American retailer Target was, it was recently revealed, called ‘Kaptoxa’, which, as English-language news outlets are helpfully explaining, is Russian slang for “potato.”

The hack is likely to affect more than 110 million credit card users in the US.

And as banks and retailers point fingers – mostly at one another – speculation over who was behind the Target hack goes on. Doubtless it was the work of a very sophisticated crime ring – бушель большевистских картофеля – a Bushel of Bolsheviks!?

The breach was clearly a real black eye for the retailer; the aftermath, however, is getting much, much darker.

How hackers broke into Target, installed malware on point-of-sale – POS – terminals and then harvested some 40 million card details is still sketchy. What is more interesting is that almost all trace of the hack is very quickly being erased and redacted, not by hackers, but by security companies linked to the breach.

At least three security companies so far have scrubbed information related to Target from the internet, highlighting a serious sensitivity to one of the largest ever data breaches:

Target Black Friday Sale, 29 November via Reuters: Eric Thayer

Details giving insight into the attack are being hastily removed or redacted, perhaps so as not to tip off hackers or jeopardize the investigation.

It’s believed the seeds for the hack were laid on or around November 27 last year. The exposure wasn’t discovered until December 15, and news of the breach hit the streets on December 18 via krebsonsecurity.com.

Timeline of Breach

Nov. 27 to Dec 15: A data hack at U.S. Target stores exposes as many as 40 million credit- and debit-card customers to potential fraud.

Dec 18: News of the breach is reported by data and security blog KrebsOnSecurity.

Dec 19: Target acknowledges the breach publicly, saying the matter is under investigation. The company acknowledged that the information accessed included customer names, the credit or debit card numbers used, their expiration dates and encrypted security codes.

Dec 20: Target says it has received “very few” reports of credit-card fraud extending from the breach and extends an offer of 10% off in-store purchases for U.S. customers during the last weekend of holiday shopping.

Dec 21: Banks, including J.P. Morgan Chase, alert debit card customers affected by the Target breach that they will place daily limits on spending and withdrawals as they work to reissue cards.

Jan 10, 2014: Target issues a statement saying that an additional 70 million customers had their personal information stolen during the data breach. The stolen information may include names, mailing addresses, phone numbers or emails.

Targets Pickled POS Potato

Paranoid Android or Serious Ass Covering?

The same day that krebsonsecurity.com broke the news of the Target hack, a malware sample was submitted to threatexpert.com, a Symantec-owned service. The public report that the Symantec service generated has since vanished.

The Symantec report was a technical description of how the Target malware functioned, including network drive maps, an IP address and a login and password for an internal Target server.

Last week, iSight Partners, a Dallas-based cybersecurity company working with the US Secret Service, published a series of questions and answers on its website related to the attacks on POS devices at US retailers. That too vanished on Thursday.

Spooked yet? In another example, Intel-owned McAfee redacted a blog post from last week that contained technical details similar to the threatexpert.com report.

Threatexpert.com is an automated service: it analyses submitted files to figure out how they behave, and it holds an archive of searchable reports as a resource for the security community.

Brian Krebs, from krebsonsecurity.com, noted that threatexpert.com’s report on the Target attack had been removed. More mysteriously, all traces also disappeared from Google’s cache shortly after he published his post on January 15. He preserved a PDF of it, below.

When questioned on the removal, a Symantec spokeswoman said “we took the initiative to remove it because we didn’t want the information to compromise the ongoing investigation.”

Target: Threatexpert.com Report Google Cache

Alex Holden, founder of Hold Security, said it was the right move for Symantec to pull the report, as attackers might have been able to use the information to compromise other point-of-sale devices at other retailers.

“I was surprised that this information was posted on the Internet in the first place,” Holden said. “Besides having a Target machine’s name and its IP address, system structure and drive mapping, it discloses a very vital set of credentials set up specifically for exploitation of the device.”

McAfee Labs: Analyzing the Target Point of Sale Malware

Although the threatexpert.com report remains offline, McAfee published similar data last week. McAfee’s revision removed the IP address, substituting instead the phrase “EPOS_IPaddr,” or electronic point-of-sale IP address.

The information published on iSight Partners’ website didn’t contain the level of technical detail matching either threatexpert.com or McAfee. It wasn’t clear what might have triggered its disappearance, but it did describe the malware as using “a new kind of attack method” that made it more difficult to forensically detect.

An iSight spokesperson didn’t directly address the question of why the information was withdrawn. “As this evolves, we are working on the best way to get the most important information out to people,” she wrote via email on Sunday.

As many as six other U.S. companies are believed to be victims of point-of-sale related attacks, where malware intercepts unencrypted card details. So far, Target and high-end retailer Neiman Marcus have acknowledged the attacks.

RAM Raided

Investigators believe the hacks are linked, saying that attackers used similar techniques and malware to steal data from other retailers. One of the pieces of malware they used was something known as a RAM scraper, or memory-parsing software, which lets attackers grab data that is otherwise encrypted by capturing it as it travels through the live memory of a computer.

The technology has been around for a number of years; its use, however, has increased recently.

Credit card giant Visa issued two alerts last year about a surge in cyber attacks on retailers that specifically warned about the threat from memory-parsing malware. The Visa alerts, published in April and August, provided retailers with technical details on how the attacks were launched and advice on thwarting them.

It’s unclear if Target’s cyber-security team had implemented the measures Visa had outlined to mitigate the risk of attack.

A law enforcement source familiar with the Target breach said that even if the retailer had implemented those steps, the efforts may not have succeeded in stopping the attack, because the attackers were more sophisticated than the ones in the previous attacks described in the Visa alerts. The source asked to remain anonymous because they were not authorised to discuss the matter publicly.

Ass Covered, But Timeline Skewed

One security writer has questioned not only Target’s account of the crime and its timeline, but also who committed the crime. John Casaretto – writing for siliconangle.com – has serious doubts over Target’s forthrightness.

“Sources close to the Target retail hack investigation have information that seemingly contradicts the public stance on what Target knew and when they knew it, in addition to a host of other details,” Mr Casaretto writes. “Information lost in the breach obviously escaped the environment somehow, through some egress, and it is unfathomable that the perimeter security would not have some sort of Data Loss Prevention (DLP) system in place that would have detected this activity, especially given the type of data and volume of data that was lost.”

A statement from Target CEO Gregg Steinhafel later conceded that the compromise involved malware at their point-of-sale systems. Mr Steinhafel had previously described a specific 4-day timeline beginning December 15, 2013, then later admitted that blogger Brian Krebs had accelerated the company’s public disclosure of the breach.
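The two technical threads above, memory-parsing malware that lifts card data as it passes through RAM and Casaretto’s point that a DLP system should have caught the data on its way out, meet at the same check: recognising payment-card data in a stream. The example below is added here and is not code from the original post or from any of the companies named; it scans a constructed outbound payload for ISO/IEC 7813 Track 2 records and bare PANs, confirms each candidate with the Luhn check, and returns masked hits the way an egress filter would log them.

```python
import re

# Track 2 as laid out in ISO/IEC 7813: start sentinel ';', a 13-19 digit PAN,
# '=' separator, YYMM expiry, 3-digit service code, optional discretionary
# data, end sentinel '?'. This is the shape a RAM scraper hunts for in POS
# process memory, and the shape an egress DLP filter can hunt for in traffic.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Bare PANs that may leave without the track framing.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits, as PCI-style logs do."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(payload: bytes) -> list:
    """Return every Luhn-valid card hit in an outbound payload, masked."""
    text = payload.decode("latin-1")   # one byte -> one char, never fails
    hits, covered = [], []
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service = m.groups()
        if luhn_ok(pan):
            hits.append({"kind": "track2", "pan": mask(pan),
                         "expiry": expiry, "service": service})
            covered.append(m.span())
    for m in PAN_RE.finditer(text):
        # Skip digit runs already reported as part of a Track 2 record.
        if any(s <= m.start() and m.end() <= e for s, e in covered):
            continue
        if luhn_ok(m.group(1)):
            hits.append({"kind": "pan", "pan": mask(m.group(1))})
    return hits


def should_block(payload: bytes) -> bool:
    """Egress decision: any confirmed card data blocks the transfer."""
    return len(find_card_data(payload)) > 0


# Constructed sample of an outbound upload. The order id fails Luhn and is
# ignored; the two card numbers are the public Visa/Mastercard test PANs.
SAMPLE_EGRESS = (
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    b"order=1234567890123456&note=thanks\n"
    b";4111111111111111=15121011234567890?\n"
    b"5555555555554444\n"
)
```

Running `find_card_data(SAMPLE_EGRESS)` reports one Track 2 record and one bare PAN, both masked, and `should_block` returns True for the sample.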

Watson’s on the case

According to another account, anomaly detection actually triggered warnings and Target was notified immediately.

Target reacted quickly, calling in IBM Services to help find out what was going on. IBM’s groundbreaking Watson intelligence services were reportedly deployed into the environment, most likely analyzing information trails to try and discover all that they could.

Details on what that may have uncovered are likely to remain confidential, but according to the account, the plug was pulled after ten days of analysis, either because costs were mounting or because a final result had been reached.

The division of IBM that lines up most with this series of events is IBM’s Business Continuity and Resilience Services, which offers Watson integration in order to scan for vulnerabilities and weaknesses.

That’s where the alternate timeline ends: December 15th, when Target’s public disclosure kicks in.


Whose POS?

The scope of attacks across multiple retailers brings up more big questions. Who launched this attack? The Eastern European ‘suspicion’ is there for good historical reason; it is, however, important to keep all possibilities open.

As mentioned when this story first broke, Target had recently updated its POS systems.

Target and Neiman Marcus were not the only US retailers whose networks were breached over the holiday shopping season last year, according to sources familiar with attacks on other merchants that have yet to be publicly disclosed.

Smaller breaches on at least three other well-known US retailers took place, conducted using similar techniques to the Target attack, according to the people familiar with the attacks. The sources said that they involved retailers with outlets in malls, but declined to elaborate.

Law enforcement sources have said they suspect the ring leaders are from Eastern Europe, which is where most big cyber crime cases have been hatched over the past decade.

Only one other well-known retailer, Neiman Marcus, has said that it too has been the victim of a cyber attack since Target’s disclosure. Neiman Marcus says that some 40 million payment card numbers have been stolen in the cyber attack.

The investigation has so far found that the personal information of at least 110 million customers has been compromised, including names, mailing addresses, telephone numbers and email addresses. Neiman Marcus said it was not sure if the breach was related to the Target incident.

Most US states have consumer protection laws that require businesses to contact customers when personal information is compromised; in many cases the task of notification falls on the credit card issuer.

Merchants are required to report breaches of personal information including social security numbers. It was not immediately clear if that was the case with the retailers who were attacked around the same time as Target. The Secret Service and Department of Justice, which are investigating the Target breach, declined to comment.

UPDATE! Neiman Marcus Speaks Up

Neiman Marcus says it was unaware attackers had harvested payment card details until six weeks after the activity had ended, when its merchant processor zeroed in on a fraudulent spending pattern.

The retailer gave its most complete account yet of its data breach in a letter Wednesday to U.S. Sen. Richard Blumenthal, a Democrat from Connecticut, who has pushed Neiman Marcus and Target for more details on how they’ve responded to the attacks.

Neiman Marcus characterized the malware involved as “complex” and described in part how it collected card details despite security measures that the retailer says exceeded industry recommendations.

As many as 1.1 million payment cards may have been exposed, and so far 2,400 cards have been fraudulently used, wrote Neiman Marcus CIO Michael R. Kingston in the letter, posted on Blumenthal’s website.

Forensic investigators have determined that malicious software that “scrapes” payment card details was installed, he wrote :: Read the full update

Sorry, can’t resist this chance (my first Technoid Post) to reveal a much darker side of myself: bad humour…

A Pickled Russian Potato walks into a bar and pulls up a stool next to a penis; the pickled potato looks down, blue.

The penis turned to the pickled potato and asked “why so down?”

The pickled potato said, “My life sucks. I got lazy, got big and fat, so they threw me into a jar, poured vinegar over me, stuck me in a dark cupboard and forgot all about me!”

The penis turned to the Pickled Russian Potato and said, “Geez, same. When I get big and fat they throw a plastic bag over me, shove me in a dark damp place and bang my head against the walls till I throw up and pass out!”


source: reuters
source: businessinsider
source: wsj
source: siliconangle
timeline source: wsj
image source: reuters/indeepmedia
