Let's take a quick look at the latest reports of how the Target situation materialized. Target is now saying that the cyberthieves "stole a vendor's credentials, which were used to access our system," but the chain didn't say which vendor was involved. A few suspected vendor systems have emerged. The Wall Street Journal has reported that Target "shut down remote access to two websites used by employees and suppliers in a move to tighten security following a massive breach of customer data over the holidays. One system is a human resources website for employees called eHR. The other is a database called Info Retriever that suppliers use to access sales data for their products in Target."
And KrebsOnSecurity, which broke the initial story about Target having been breached, had a different vendor in mind. "An examination of the malware used in the Target breach suggests that the attackers may have had help from a poorly secured feature built into a widely-used IT management software product that was running on the retailer's internal network," KrebsOnSecurity reported.
The Krebs report builds on clues from a Symantec ThreatExpert analysis (which Symantec quickly took offline) and says that "the malware was responsible for moving stolen data from the compromised cash registers to that shared central repository, which had the internal address of 10.116.240.31. The 'ttcopscli3acs' bit is the Windows domain name used on Target's network. The user account 'Best1_user' and password 'BackupU$r' were used to log in to the shared drive. That 'Best1_user' account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas-based BMC Software — includes an administrator-level user account called 'Best1_user.'"
My money is on Krebs being right on this one; the connections he draws are very hard to argue with. What Target has confirmed is that the access piggybacked on an authorized third party's credentials, which is exactly the kind of access that wouldn't automatically set off alarm bells.
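The pattern described above, one vendor-supplied account authenticating from many registers to a single internal share, is detectable from ordinary Windows logon telemetry. The following is an added example of mine, not code from Krebs, Symantec or BMC: it runs two simple rules over constructed sample events in the shape of Windows Security event 4624 (successful logon, logon type 3 = network). The register hostname convention (`REG` plus digits), the `svc_backup`, `jsmith` and `BMCSRV01` names, and the timestamps are all assumptions made for the example; only `Best1_user`, the `ttcopscli3acs` domain and the 10.116.240.31 drop host come from the analysis quoted above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Vendor/product default accounts that have no business doing network logons
# from point-of-sale hosts. Best1_user is the BMC Performance Assurance account
# named in the Krebs/ThreatExpert analysis; extend with your own inventory.
VENDOR_DEFAULT_ACCOUNTS = {"best1_user"}

# Register hostname convention: an assumption made for this example.
POS_HOST_RE = re.compile(r"^REG\d+$", re.IGNORECASE)

# Constructed sample events (not real logs) in the shape of Windows Security
# event 4624, flattened to one pipe-separated line each:
#   timestamp|event_id|logon_type|domain|account|source_host|target_host
# svc_backup, jsmith, BKUP01, WS-HQ-22 and BMCSRV01 are hypothetical names.
SAMPLE_EVENTS = """\
2013-12-02T01:03:11|4624|3|ttcopscli3acs|Best1_user|REG0142|10.116.240.31
2013-12-02T01:03:14|4624|3|ttcopscli3acs|Best1_user|REG0377|10.116.240.31
2013-12-02T01:05:02|4624|3|ttcopscli3acs|svc_backup|BKUP01|10.116.240.31
2013-12-02T01:07:40|4624|2|ttcopscli3acs|jsmith|WS-HQ-22|WS-HQ-22
2013-12-02T01:09:55|4624|3|ttcopscli3acs|Best1_user|REG0903|10.116.240.31
2013-12-02T01:11:20|4624|3|ttcopscli3acs|Best1_user|BMCSRV01|10.116.240.31
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the flattened 4624 lines into dicts, skipping blank or malformed lines."""
    fields = ["ts", "event_id", "logon_type", "domain", "account", "src", "dst"]
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != len(fields):
            continue
        events.append(dict(zip(fields, parts)))
    return events


def vendor_account_from_pos(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Rule 1: a vendor default account performing a network logon FROM a register.
    Returns one (timestamp, source_host, account) tuple per hit."""
    hits = []
    for e in events:
        if (e["event_id"] == "4624"
                and e["logon_type"] == "3"
                and e["account"].lower() in VENDOR_DEFAULT_ACCOUNTS
                and POS_HOST_RE.match(e["src"])):
            hits.append((e["ts"], e["src"], e["account"]))
    return hits


def fan_in_by_account(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Rule 2: number of distinct source hosts per (account, target) pair.
    One account arriving at one share from many endpoints is the collection
    pattern, whatever the account happens to be called."""
    sources = defaultdict(set)
    for e in events:
        if e["event_id"] == "4624" and e["logon_type"] == "3":
            sources[(e["account"].lower(), e["dst"])].add(e["src"].upper())
    return {key: len(hosts) for key, hosts in sources.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ts, src, acct in vendor_account_from_pos(evs):
        print(f"ALERT {ts}: vendor default account {acct} network logon from register {src}")
    for (acct, dst), n in fan_in_by_account(evs).items():
        if n >= 3:
            print(f"ALERT: {acct} reached {dst} from {n} distinct hosts")
```

Rule 1 fires on the three register logons and stays quiet for the logon from the BMC server itself, which is where that account is supposed to be used; rule 2 still counts that server, so the fan-in for `Best1_user` to the share is four hosts, and it would fire even if the attackers had renamed the account. The real lesson is upstream of the detection: inventory the accounts your third-party products install, change their default passwords, and restrict where they may log on from.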
And a new Krebs report points out that the POS malware used against Target, called BlackPOS, has an interesting history and modus operandi. Among other things, it grabs the card data while it is still unencrypted and then, you gotta love this, encrypts it itself. Why? So that nobody notices tens of millions of unencrypted payment card details trying to leave the network. The theory goes that unless it's closely examined, all encrypted data looks alike, and an encrypted blob heading out doesn't trip the checks that raw card numbers would.
The Krebs report has lots of good details, and an HP report also sheds some light on the precise methodology, but the thieves' own use of encryption was the most awe-inspiring element.
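To make the "all encrypted data looks alike" point concrete, here is an added example of mine; it is not code from Krebs, HP or the malware, and the XOR keystream it uses is a toy stand-in for whatever BlackPOS actually did, chosen only because it produces a ciphertext-like blob deterministically. It builds a constructed track-2 style stash of synthetic, Luhn-valid card numbers (not real cards), shows that a plaintext content check finds all of them, that the same check finds nothing once the stash is encrypted, and that byte entropy is the signal that survives, along with its main caveat: compressed data scores high too.

```python
import hashlib
import math
import re
import zlib
from collections import Counter


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # the digit next to the check digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def build_stash(n_records: int) -> bytes:
    """Constructed stand-in for a scraped stash: synthetic PANs (prefix 4, then a
    counter, then a valid Luhn digit) in a ;PAN=YYMM...? track-2 style layout."""
    records = []
    for i in range(n_records):
        partial = "4" + f"{i:014d}"
        pan = partial + luhn_check_digit(partial)
        records.append(f";{pan}=15121011234?\n")
    return "".join(records).encode()


# 13-19 digit runs not adjoining other digits: what a plaintext inspector looks for.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def count_card_numbers(data: bytes) -> int:
    """Number of digit runs that pass Luhn, i.e. what plaintext inspection would flag."""
    return sum(1 for m in PAN_RE.finditer(data) if luhn_valid(m.group().decode()))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling, encrypted data sits close to it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compressed_entropy(data: bytes) -> float:
    """Entropy of the zlib-compressed form: the false-positive case for entropy rules."""
    return shannon_entropy(zlib.compress(data))


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) keystream XORed over the data.
    Deterministic and self-inverse; NOT the malware's scheme and not for real use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


STASH = build_stash(40)                       # constructed sample input
KEY = b"example-key-not-from-the-malware"     # assumption for the example

if __name__ == "__main__":
    blob = xor_keystream(STASH, KEY)
    print(f"plaintext stash: {count_card_numbers(STASH)} PANs, "
          f"entropy {shannon_entropy(STASH):.2f} bits/byte")
    print(f"encrypted stash: {count_card_numbers(blob)} PANs, "
          f"entropy {shannon_entropy(blob):.2f} bits/byte")
    print(f"compressed stash: entropy {compressed_entropy(STASH):.2f} bits/byte")
```

The plaintext stash scores a few bits per byte and lights up any card-number check; the encrypted copy scores near 8 and matches nothing. That is exactly why an entropy threshold belongs in the egress picture, and why it cannot stand alone: zip archives, images and TLS all look the same to it, so pair it with context (which process wrote the file, which host it is leaving from, the destination, the volume and the hour).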
Getting back to the third-party software scenario, that's also what caused Starbucks no shortage of headaches this month, when a security researcher looked at the Starbucks iPhone mobile app and discovered lots of data goodies (including the user's password, geolocation history, account name and e-mail address) being stored on the phone in clear text.
In Starbucks' case, the data was being collected and saved in clear text by third-party crash-reporting software from a company called Crashlytics, which was purchased by Twitter last year. Starbucks is officially saying that it didn't know the program was saving that data in that way. Once the problem was disclosed, the app was updated and the clear-text issue was fixed, within one day.
Whether it's a third party's credentials and software being used to break into your system (Target) or the third-party component itself doing something bad (Starbucks), third-party code is proving to be quite the security rascal. Those are two loud reminders that IT needs to do full security evaluations of all third-party software right away, including the third-party libraries that likely make up most of your mobile app code. Trust me: cyberthieves have already started looking.