How to lose 40 million credit cards

According to Brian Krebs, the attack on Target in which 40 million payment card records were stolen was carried out through a supplier's network. A second company had a connection to Target's network and weak authentication, which allowed the attackers to get into the network. Target's network was not segregated, so that access let them reach the data without difficulty...

Excerpt from the article Did the crooks who broke into Target tailgate the cleaners? (Naked Security):

Rather casually oversimplified, the crooks tailgated the cleaners.

Actually, that wasn't what happened - neither literally, of course, because the crooks did their dirty work remotely; nor figuratively, because it was supposedly an HVAC company (heating, ventilation and air conditioning), not a cleaning company.

Nevertheless, it was tailgating of a sort, and it might well be a slip-up that could happen in your own organisation.

Having said that, my first thought, on reading Brian's piece, was that his explanation sounded preposterous.

Why would someone who maintains your aircon need remote access to your network?

Emergency access to the server room, perhaps, to tweak the settings on the plant itself if there's a snowstorm (or a heatwave) between Christmas and New Year.

But remote access to your whole corporate network?

It turns out, however, that heating and cooling in retail stores aren't just important services: they're as vital to opening for business, and taking money off customers, as your cash registers.

More vital, perhaps: if your cash registers are offline at 2am when no-one is shopping, you won't lose any sales, but if your air conditioning gets out of whack overnight, you might not be able to admit customers to your store at all in the morning.

Apparently, therefore, many HVAC companies have remote access to retail company networks in order to keep their eye out for heating and cooling problems.

That needn't be a recipe for disaster, but in Target's case, it sounds as though:

- The third-party company wasn't required to use any sort of two factor authentication.
- The network used by the third-party company and the network used for retail payments weren't segregated.
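The second point above, a vendor segment that can reach the payment segment, is something that can be checked mechanically against a firewall policy. The following is an added example, not code from this post, from Naked Security or from any retailer; the zones, addresses, hosts and rules in it are constructed for illustration. It models a flat "allow everything" policy next to a segmented one (vendor access limited to the HVAC controllers on a single port, payment zone isolated) and audits which cross-zone paths each policy permits.

```python
"""Zone-based firewall policy check: flat network vs. segmented network.

Added example; the zones, addresses and rules below are constructed for
illustration and do not describe any real retailer's environment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    port: Optional[int] = None   # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.port is None or self.port == port))


# Constructed zones: vendor remote-access segment, HVAC controllers, payment systems.
ZONES = {
    "vendor":  "10.50.0.0/24",
    "hvac":    "10.60.0.0/24",
    "payment": "10.70.0.0/24",
}
# One representative host per zone used by the audit (constructed addresses).
HOSTS = {"vendor": "10.50.0.10", "hvac": "10.60.0.20", "payment": "10.70.0.30"}

# Weak policy: a flat network where any host can reach any other host.
FLAT_POLICY = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0")]

# Corrected policy: the vendor segment may reach the HVAC controllers on one
# port only; everything else from the vendor segment is denied, and nothing
# outside the payment zone may reach it.
SEGMENTED_POLICY = [
    Rule("allow", ZONES["vendor"], ZONES["hvac"], 443),
    Rule("deny",  ZONES["vendor"], "0.0.0.0/0"),
    Rule("deny",  "0.0.0.0/0",     ZONES["payment"]),
]


def evaluate(policy, src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; traffic matching no rule is denied (default deny)."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


def cross_zone_paths(policy, ports=(443, 445, 3389)):
    """Return (src_zone, dst_zone, port) triples the policy allows between
    different zones, evaluated on the representative hosts. Any triple whose
    destination is 'payment' and whose source is another zone is a
    segmentation gap of the kind described in the post."""
    paths = []
    for s, s_ip in HOSTS.items():
        for d, d_ip in HOSTS.items():
            if s == d:
                continue
            for p in ports:
                if evaluate(policy, s_ip, d_ip, p) == "allow":
                    paths.append((s, d, p))
    return paths


def payment_reachable_from(policy, zone: str) -> bool:
    """True if the policy lets the given zone reach the payment zone on any audited port."""
    return any(s == zone and d == "payment" for s, d, _ in cross_zone_paths(policy))


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: payment reachable from vendor? "
              f"{payment_reachable_from(policy, 'vendor')}")
        for path in cross_zone_paths(policy):
            print("  allowed:", path)
```

Running it shows the flat policy permitting every cross-zone path, while the segmented policy permits only the single vendor-to-HVAC path on port 443 and reports the payment zone as unreachable from the vendor segment. The ordering of rules matters: the evaluator is first-match-wins with a default deny, so the narrow allow must come before the broad deny.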