The simple elevation of user and application privileges lies at the heart of many breaches.

We must hope that January’s huge data breach at Target will be a turning point in the history of data breaches. For the first time, businesses are starting to ask difficult questions: if one of the US retail sector’s most respected retailers can be breached with such ease, might that be telling us that something is profoundly wrong with enterprise security?

To its credit, Target has been relatively open about the technical failings that aided the hackers. The firm’s CIO Beth Jacob even resigned as part of a security overhaul. Clearly, executives are now in the firing line when things go wrong. The astonishing thing about Target’s woes is that not only are large data breaches nothing new, they are starting to become normal.

Historically, the top ten data breaches run in the following order of size:

  • Heartland Payment Systems (2009 – 130 million accounts)
  • Target (2014 – 110 million)
  • TK/TJ Maxx (2007 – 94 million)
  • AOL (2014 – 92 million)
  • Sony PlayStation Network (2011 – 77 million)
  • US Military Veterans (2014 – 70 million)
  • LivingSocial (2013 – 50 million)
  • Evernote (2013 – 50 million)
  • CardSystems (2005 – 40 million)
  • Adobe (2013 – 38 million)

Looking at this list, a number of themes jump out. First, every single one of these incidents was in the US, which we have to assume has more to do with that country’s disclosure laws than with it being more likely to suffer a large breach. Put more pessimistically, these are simply the breaches we hear about.

Second, although size grabs attention, it shouldn’t be assumed that scale always equates to severity. All data breaches are serious, but as a recent breach that revealed the personal details of only 10,000 women seeking help from the UK’s British Pregnancy Advisory Service underlines, tiny data breaches can also be incredibly serious.

It’s also intriguing that six of these major breaches have happened in the last 12 months. It could be that hackers are just trying their luck more often than in the past or, as many suspect, that organizations are just getting better at spotting them. Either way, we have to assume that the search for weak security has become an industrial-scale business model for the criminal underworld.

The Target hack

This attack was only one of at least half a dozen that affected large US retailers in 2013, all of which, as far as we can tell, involved planting malware on PCs connected to point-of-sale (POS) terminals. The malware used in the Target hack was a popular Russian toolkit called BlackPOS, sold specifically for use against retailers. That is the really chilling part of the Target incident: there are now several dedicated toolkits sold for attacks on this sector alone.

We can only infer the precise engineering of the attack, but it is clear it had several layers, starting with a reported compromise of a third-party contractor whose credentials were phished to gain access to the network. The current assumption is that multi-factor authentication was probably not in place.

Next, using only that one credential and the access rights it afforded, the criminals were able to move around the network, gaining access to deeper layers. A number of techniques could have been used, but past POS attacks have exploited admin-level default passwords for specific applications the attackers either know or guess will be present. The attack complete, the criminals then made off with 110 million customer account records without being detected until they were long gone.

As in so many attacks, the underlying theme is simply the abuse of privileges, first of the contractor, then at the application level. Although this attack was external, the same risk of failing to control accounts and privileges would have applied to a rogue insider too. The fact that this problem is well understood makes its constant recurrence in new attacks unbelievable. Allowing this to continue would be a failure to learn on a grand scale.
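The pattern described above, a single low-privilege credential quietly reaching host after host, is one that a defender can look for in authentication logs. The following is an added example, not code from the article or from Target, that flags any account touching more than a handful of distinct hosts within a short window; the log format, account names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful logon events, one per line:
# "<ISO timestamp> <account> <target host>". Not real data from any breach.
SAMPLE_LOG = """\
2013-11-27T10:01:12 vendor-hvac VPN-GW
2013-11-27T10:03:40 vendor-hvac BILLING-WEB
2013-11-27T10:05:02 vendor-hvac FILESRV-07
2013-11-27T10:09:55 vendor-hvac SQL-STORE-21
2013-11-27T10:11:30 vendor-hvac POS-MGMT-03
2013-11-27T09:58:00 jsmith MAIL-01
2013-11-27T10:02:00 jsmith FILESRV-07
2013-11-27T15:30:00 jsmith INTRANET
"""

def parse_events(text):
    """Turn the text log into (time, account, host) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host = line.split()
        events.append((datetime.fromisoformat(ts), account, host))
    return events

def find_fanout(events, window=timedelta(hours=1), max_hosts=3):
    """Flag accounts that reach more than max_hosts distinct hosts inside any
    single window. Returns {account: sorted hosts from its widest window}."""
    by_account = defaultdict(list)
    for t, account, host in events:
        by_account[account].append((t, host))
    flagged = {}
    for account, hits in by_account.items():
        hits.sort()  # events may arrive out of order; slide the window over time
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) > max_hosts and len(hosts) > len(flagged.get(account, ())):
                flagged[account] = sorted(hosts)
    return flagged

if __name__ == "__main__":
    for account, hosts in find_fanout(parse_events(SAMPLE_LOG)).items():
        print(f"{account}: {len(hosts)} hosts in one window -> {', '.join(hosts)}")
```

The thresholds are deliberately crude; in practice they would be tuned per account class, since a backup or monitoring service account legitimately touches many hosts while a third-party vendor login should rarely reach past its one intended system.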