How Not To Secure Your Company (Target Data Breach)
Вставка
- Опубліковано 5 чер 2024
- A look into how hackers stole 40 million credit and debit cards over a period of 2 weeks from Target in 2013.
Sources:
www.commerce.senate.gov/servi...
people.cs.vt.edu/danfeng/pape...
aroundcyber.files.wordpress.c...
krebsonsecurity.com/2015/09/i...
krebsonsecurity.com/2014/02/t...
www.malwarebytes.com/blog/new...
securityintelligence.com/targ...
www.crowdstrike.com/cybersecu...
Chapters:
0:00 Part 1: Phishing email
0:42 Part 2: Citadel trojan
1:48 Part 3: RCE exploit
3:50 Part 4: Entry into network
6:10 Part 5: POS malware
7:24 Part 6: Aftermath
Corrections:
-
Music:
- Finding the Balance by Kevin MacLeod
- Firecracker by LEMMiNO ( • LEMMiNO - Firecracker ... ) - Наука та технологія
It's crazy to think the CEO's severance pay was over 3x as large as the settlement value.
That is horrifically depressing
Goes to show you what paying for a good ceo gad save you.
I'm sure Elon musk wouldn't have had to pay anything. [/Sarcasm]
Bcz dude knows dirt on the company, and shoppers don't
Ahahahha
Also, its stock barely moved. In the end, only the consumer loses, every time.
@@Paulo27 Customers lost some time from the hassle, but banks issued new cards and refunded any money spent fraudulently. By law a customer is only liable for up to $50 of fraudulent charges, but nearly every bank sets the bar to zero.
"...after compromising a deli meat scale" has to be one of the funniest things I've ever heard
Let me get half a pound of boars head and ALL YOUR CUSTOMER CC DATA!
This is why things that don't need to be connected to the internet should not be connected to the internet lmao
@@pleasantvegetable but think of all the money Target could make from selling data regarding which customers like ham
Imagine having a network so unprotected that you can control a cash register with a damn deli scale from an entirely different store.
What target has a deli?
@@imabebebebe2496they used
to
@@imabebebebe2496 Super Targets
@@imabebebebe2496 It might be the American Target, they got themselves in a bit of strife financially.
@@imabebebebe2496it was from a nearby deli store
Please don't stop making these videos they fill a hole in the tech incident post mortem world that I never knew needed filling
Couldn't agree more!!!
it’s literally some of the best content on youtube
ahhhhhhhhhhhhh
He's got 90k organic subs he ain't going no where
What is the “tech incident post mortem world”
I love these videos, it feels like an extended cut of that scene where the hacker in a movie is explaining what theyre doing, but then it actually makes sense
And it is the real stuff
they're*
@@JorgetePanete I really do not care.
@@linux2420based
@@linux2420based
I had always wondered how they went from Target network to PoS systems. I had no idea it was a combo of weak passwords and... no segmentation.
It seems like a dumb mistake today, and that's because it is.
Oh and ignoring the malware alerts they probably paid tens thousands of dollars to receive
Yeah, airgaps and such are incredibly useful. The problem is that companies like Target have *very* little incentive to actually invest in security. Why would they care if their customers information/cards got stolen? Sure it's bad PR, but in reality stuff like that really doesn't have a huge effect on their bottom line over a year or so. Worst case scenario, they're found negligent and have to pay a fine that's equals a fraction of a percent of their profit that year. They do the math, and a huge reason they don't invest in better security is because they flat out make more money by not paying for better security unfortunately.
To quote another comment: " It's crazy to think the CEO's severance pay was over 3x as large as the settlement value. " @@Stealth86651
Flat networks are terrifyingly common. If you drive by a factory, chances are their machines are on the same LAN as the office PCs.
@@Stealth86651 There may have been some truth to that in 2013, but nowadays ransomware is the name of the game, and that can be hugely disruptive to just about any company.
*hundreds of thousands
Oddly enough I was involved in Targets post breach auditing and payments processor transition. Been to their IT monitoring center a few times, it’s crazy the level of security they incorporated afterwards. It’d be easier to rob a bank during rush hour
You say that but when I worked there in electronics they removed a security camera in the Apple storage aisle and just left the Ethernet cord hanging. Everyday I just wondered if they were dumb enough to have a single network.
0:36 I don't know why, but I find it funny that there are hackers out there that will pay for massively-distributed, licensed hacker tool kits that include a live support page and they still manage to hack a multi-billion dollar corporation. I guess it pays to be a script kiddie.
Would you steal from the people who created a software meant to steal
@@christopherquinonez3933good point
They probably have better tech support than normal legal companies as well LOL.
@@gblargg I work as an IT Specialist at a bank that uses mostly Microsoft products like Windows and Exchange and I would be lying to you if I said that what you said wasn't true.
@@christopherquinonez3933 Yeah those people seem like they'd make an example out of anyone trying to use their software without paying. They probably have their own vendors for boobytrapped versions of hacking tools
Well, you can't say that Target isn't aptly named
Underrated comment
😂
Ah yes, Microsoft, Active Directory and Office, the holy trinity of inevitable security incidents.
It‘s more of improper usage including default or weak passwords. Like they used a perfectly fine service in a way that degraded its potential safety.
My exhusband's card was compromised in this, and we got to find out when we were out buying groceries and his card suddenly didn't work. Called the bank and found out someone had tried making a $500 purchase at a Walmart in Illinois, and the bank had automatically blocked it and locked the card. He and I both got new cards sent to us. Not sure how much later it was that we found out Target (and Home Depot, which would have affected my card) had been compromised. :/
Great video!
i have always had a hard time conceptualizing these big ideas in security. sql injections, input sanitizing, database protections, its all just so high level, that it can be difficult for the layperson to understand what is really happening
that was, until i saw your representation of several amongus doing flips and shit inside of the database
Love your videos. IMHO I think you're sitting on a goldmine, eventually. You have an extremely good balance of comedy/fun to watch and informative, not to mention you're not just glossing over a few things you add some good info and details. I can see this channel getting very successful/large over a few years. Thanks for the work/effort, it's really appreciated.
A lot of UA-cam videos where the creator tries to be constantly funny just become annoying. Here the funny is funny because it's making fun of the dumb things that happen to companies, and it's so packed with technical information and expertise. The rapid-fire nature also causes some jokes to be gotten only after a few seconds, making them funnier. Ever since I saw one of these videos a few months ago I've been watching every one.
My only problem is that it also falls into the same annoying habit that FireShip also has which is condensing so much info into such a small amount of time that I end up learning barley anything but I guess you could argue that's the only way to get watch-time? Idk
@@kratosgodofwar777 It could be a 5000 IQ play so you re-watch the video
@@overreactengine I actually ended up watching all his previous videos lmao its just that this one is a little more fast paced then the rest
7:50 Lesson learned folks, always turn on malware auto-removal
But my cheat engine!
Kevin, I really want to thank you for your videos. I am a new cyber security student and these videos make learning about hacks and data breaches so entertaining
I just found this channel today and already blew through all the videos. This stuff is perfect for me, funny and informative. Please keep it up!
Please keep making these. They teach a LOT. highly appreciate your stuff
Fantastic video, you've balanced discussing a technical topic that might be otherwise difficult to understand for someone non-technical, while still having enough detail where the technical people don't feel like they wasted their time
This video is so good and the way you explained it was perfect. I am studying IT atm and from the beginning we are taught how to prevent these breaches from happening. Hilarious that payed and SALARIED individuals just disregarded the warnings signs. Tells you that security sometimes isn't the concern of major corporations
Non financial customer data. As someone who works in this exact industry, NEVER let a store scan your ID. When they say they don't store this data, they are LYING. A system we installed for a beer store stores all customer information that is pulled from a customers ID including your name, ID number, and Address. Some of the new software can even pull data from state servers for verification.
yeah this why data privacy laws are a big deal.
You cant trust old fucks to know what their doing
"My own world experiences dictate what happens everywhere everyday all the time."
Imma have to ask you to make more of these, they're really funny while also being hella informative
Your videos are epic, saves me so much time and effort reading into it myself. I can't believe how owned Target were. Imagine the attackers just deployed ransomware instead.
Rarely do I insta-click on content. Love your style of videos
Love your videos, have you looked into the Ukrainian power grid attack in 2015 or 2016. I read something on it a while ago and it seemed pretty wild. To lengthen the compromise they uploaded corrupted firmware to the UPS
It's mentioned briefly at 0:25
@@Epic_AviationI should pay more attention lol
@@Scie Lol 😂
I love your videos Kevin, the way you edit them always makes me chuckle multiple times and they also tell an interesting story.
He finally uploaded!
I absolutely love your videos, perfect combination of technical, funny and informative please make more
So many gems in these videos, like where lowly engineers take the bus and the CEO drives a Lambo 😂
imagine your credit card info is stolen you lose large amounts of money all because you shopped at target. then after months or years the class action settles and they pay you 46c as compensation
All while the former CEO gets a $61 million dollar retirement check
This is why there needs to be laws in place forbidding businesses from having customer data long term and there needs to be actions in place that allows consumers to not have their lives ruined from bad companies.
Changing the default password in an account is IT 101, it's literally the first thing you do when managing something especially with sensitive data. And any time someones credit details get stolen by someone, that business should be forced to pay out at least 3x that of what was in the persons bank account when their data got stolen.
"there needs to be laws in place forbidding businesses from having customer data long term". The EU did this with GDPR. But that's communism after all so it won't fly in freedomland unfortunately.
@@hyde4004 the EU can be extremely hit or miss with their laws, but ones that promote a standard phone cable and ones that prevent companies from using your personal information are always good as long as there are less strict laws for small businesses so they don't have their business ruined if they use a third party program to handle transactions and that 3rd party was the one to be hacked. But any business that's fully capable of affording their own in-house services should be required to face the full force of the law.
@@JimMilton-ej6zi The EU is definitely hit or miss but as far as holding companies up for fucking customers over and general rights to data privacy we are doing mostly well. Well, other than the fact that the EU is on the verge of forcing backdoors into all E2E encryption for instant messasing. Because we all know access to backdoors is never found or bought by anybody that would use them for any bad purpose and governments can always be trusted. *sigh*.
Or.. just don't go to target. Be informed and make good decisions instead of trying to get government to make good decisions for you.
That would be freedomland
@@AJStamand Ah yes... be informed of companies' internal systems and how robust they are against attacks. Got it.
Well presented, thank you for the breakdown of this huge breach!
This was a really interesting, well put together video. First time viewer. Great work bro
gotta love the detail and quality, really great video!
Just casually browsing UA-cam and found this really fun video. Keep it up bro!
This is amazing, please keep up the good work. Thank you so much
Thanks for the video. Not only great stories but I learned a lot aswell.
These videos are great!!! Don’t stop, these are awesome!
I never knew tech video can have this much explosion. Keep em coming
Thank you for the cool video! I really enjoy the way you present info
Love the channel, it's really funny, but also very informative about events and how hackers do thier thing.
dude this video style is 🔥 love it!
Point at the end is good but it is worth also mentioning that chip and pin cards as have been used in Europe for years are also protected against this sort of attack.
Can't wait until you discuss the hacking in Vegas.
Very well produced! Thanks 😊
bro you have captured a new niche of videos. can you recommend other channels with content like yours?
They had an IT department that didn't realise they were being hacked for 2 months? 😂😂😂
You have an excellent UA-cam way. Keep at it.
Don't know if it's intentional, but "kaptoxa" is looking suspiciously similar to "картоха", which translates as "potato" from russian
I’ve noticed that too and I’m sure this is international because the developers are Russian
so you're basically saying most of this wouldn't have happened if they changed their default passwords
Bro. This content is amazing! Keep it goin!
this is such a true upload thank you mr kevin fang
def one of the uploads that have been ever made
I follow you from you first video of this type from like 10 oder 20k subs. I i absolutly love this content
should do TJMax breach next, its one of the few prime examples of in the wild wifi hacking thats not just stealing your neighbors wifi
I am not that big of the cumputer guy, but you manage to excplain things that I somewhat understand
man i am rewatching your videos, come on drop one more already
Awesome video...shows how smart some people are (yet using their intelligence for illegal purposes)
It's a good day when there's a new Kevin Fang vid
Great content. Can you do the 2017 AWS S3 failure?
Even before watching I already know this is gonna be a banger
Awesome video, thank you! It always comes down to human error or laziness lol.
I'm once again amazed how the fuck my homelab is more advanced and secure than those giant companies
The memes per second value in this video is insanely high.
That was brilliantly insightful. Can I please ask what you use to make your animations
Amazing work. More like this please into real attacks that happaned.
Its wierd to be watching one of these with insider info that explains some of the questions.
The sad part is, thanks to this, it is now nearly impossible to access data internally within Target which makes real time data analysis basically impossible if you arent specificly assigned the role.
you have admin rights ?
Another excellent video, thank you
The use of memes just makes this soo entertaining. I loled hard at the use of the boss level up animation.
Need more videos like these.
As Targwt is massive corporation, I find the most unbelievable part of this is the free teir Malwarebytes, which also is somehow, entirely believable for a massive corporation
im doin a report on this one right now thx for all the sources and the qwick video :)
Thank you for making this video
Adding to this: My brother-in-law was a senior engineer at Symantec at the time. IIRC, target *also* used some Symantec security software as part of their defenses at the time. According to him, Target tried to go after them on the grounds of "Hey, what are we paying you guys for? Isn't your shit supposed to help stop things like this?" Symantec's response was roughly "Well, that'd be true if you were actually paying us. You haven't in 5 years and haven't updated your software in 10."
This was one of the first supply chain attacks I have heard of.
Edit: I am dumb. A supply chain attack targets software builds to compromise one or more targets. This is actually a third party attack, which uses a third party contractor to springboard into a larger target. They are surprisingly comparable.
I love ur vids so much, they are very well done c😭😭
Quality videos, Kevin boutta blow up soon
Do you have a Patreon? This has quickly become my favorite channel and would love to support your work.
Reminds me of the (i think it was Lowes or Home Depot, dont remember) data breach where they tunneled in through the A/C systems network controller.
One issue this data breach highlights is 'alert fatigue'. It's all too common to just see the anti-virus software pop up with something suspicious and not bother to look into it because of previous false positives & the fact it looks too generic. You just assume all is good, when in this case, it very much was not. Alert fatigue is something that needs to be mentioned more often and caught early.
i found this funny due to the fact that you used among us characters with happy faces, love the video, very interesting!
Fascinating! (Also, wow, trojan citadels?)
we need more videos like that! love it! :)
Really interesting video!
amazing as always
5:33 killed me
Thank you for the tutorial 😎
I love these animations
As admin, I disable RPC by default along with a cavalcade of other restrictions and security.
I had a professor who worked on fixing this. He told us about how it happened and how they fixed it.
Finally a new video from you:)
please keep making these videos
i have noticed the average time for the videos is 1.67 months
very cool
Man, 2010-2015 was really the wild west of IT. Network segmentation? DiD? Any basic semblance of EDR? Who needs that.
I guess thats why they were called target
A company this size with such amateur and irresponsible security, made my startup saas mvp of one man work, looks like national security level 😂😂😂
Best Channel.
The ad placement is perfect. Around 1:35 you ask what kind of method was used to hack the thing. Ad of Wix starts playing. I fall out of my chair due to laughing.
Did I get that right? It only affects cards if you use the magnet strip? In that case it‘s not even going to affect that many people…
I am happy that I can laugh about this instead of losing my sleep over this.
Love your videos!
Wake up babe, kevin fang just dropped another banger of a video
Another fantastic video! I feel like we're two steps away from the internet doomsday every day lol