Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Target Breach Appears Linked to an HVAC Vendor

February 12, 2014

According to an Information Week article, it is likely that the Target breach was caused by a heating, ventilation and air conditioning (HVAC) vendor called Fazio Mechanical Services based in Pennsylvania.

Secret Service investigators visited Fazio's office, a visit which Fazio confirmed but otherwise declined to comment on. According to unnamed sources cited by security reporter Brian Krebs (hat tip to Dave Ries for sending me that information), investigators believe that Target's attackers first accessed the retailer's network on November 15, 2013, using access credentials that they had stolen from Fazio Mechanical Services. The theory is that those access credentials allowed the hackers to gain a foothold inside Target's network, and from there they were able to locate and access other Target systems, including payment processing and point-of-sale (POS) checkout systems.

Although Fazio's website was unavailable for a time last week, a cached version indicated that it was serving as a contractor to particular Target stores as well as other stores such as Shop 'n Save, Trader Joe's and Whole Foods stores.

Many modern facilities rely on refrigeration and HVAC systems that can be remotely managed by a third party, which monitors and adjusts environmental controls and watches the refrigeration systems. "HVACs are IP-addressable appliances now, which means they have network access and logins," Dwayne Melancon, CTO of Tripwire, said in an e-mailed statement. Accordingly, "it wouldn't be unusual for contractors to have an HVAC login," to be able to remotely manage settings or troubleshoot related device or network problems. Such logins are often shared among multiple employees working for the vendor.

Questions relating to the Target hack will surely center on the security processes in place at Fazio, as well as the controls in place at Target. Under the Payment Card Industry Data Security Standard (PCI-DSS), Target is liable for any of its third-party contractors' security shortcomings. Target was required to "incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties."

Did Target secure Fazio's access to its network using two-factor authentication? What level of network access did Target grant to Fazio, and was Target actively monitoring that access? Were Target's HVAC appliances located on an isolated network segment that should have prevented attackers from accessing other network-connected systems? Thus far, we have no clear answers.
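The three questions above translate directly into a monitoring check a defender can run over remote-access records: was two-factor authentication used, and did a vendor account reach anything outside the segment it is allowed to manage? The following is an added example, not code from the original post or from Target or Fazio; the account name, subnets and access events are constructed for illustration.

```python
"""Audit third-party remote-access events against two controls:
MFA on remote access, and vendor accounts confined to their own segment."""
import ipaddress
from dataclasses import dataclass

# Hypothetical segment plan (constructed subnets): vendor accounts may only
# reach the HVAC management subnet, never payment or corporate hosts.
SEGMENTS = {
    "hvac": ipaddress.ip_network("10.50.0.0/24"),
    "pos": ipaddress.ip_network("10.60.0.0/16"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
}
# Constructed vendor account name -> segments it is permitted to access.
VENDOR_ALLOWED = {"hvac-vendor-svc": {"hvac"}}


@dataclass
class AccessEvent:
    user: str
    src_external: bool  # connection originated outside the network
    mfa: bool           # second factor was presented
    dest_ip: str


def segment_of(ip: str) -> str:
    """Map a destination address to the segment it belongs to."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def check_event(ev: AccessEvent) -> list[str]:
    """Return the control violations for one access event (empty = clean)."""
    findings = []
    if ev.src_external and not ev.mfa:
        findings.append("remote access without two-factor authentication")
    if ev.user in VENDOR_ALLOWED:
        seg = segment_of(ev.dest_ip)
        if seg not in VENDOR_ALLOWED[ev.user]:
            findings.append(f"vendor account reached '{seg}' segment ({ev.dest_ip})")
    return findings


# Constructed sample events: an HVAC login without MFA, the same account
# reaching a POS host, and a staff login that satisfies both controls.
SAMPLE_EVENTS = [
    AccessEvent("hvac-vendor-svc", True, False, "10.50.0.17"),
    AccessEvent("hvac-vendor-svc", True, False, "10.60.3.44"),
    AccessEvent("alice", True, True, "10.10.1.5"),
]


def audit(events):
    """Return (user, dest_ip, findings) for every event with at least one finding."""
    return [(e.user, e.dest_ip, f) for e in events if (f := check_event(e))]
```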

Phone: 703-359-0700

http://www.senseient.com

http://twitter.com/sharonnelsonesq