Our HVAC vendor is much larger than theirs. The list they have access to must 
be massive. Very common to outsource this kind of thing in any large org, it 
isn't just a retail issue. HVAC systems are now beyond what the usual 
corporate maintenance department can handle. Same thing is happening with 
security systems for doors and cameras. It's a gray area between the IT 
department and building services.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Ziots, Edward
Sent: Thursday, February 6, 2014 11:18 AM
To: [email protected]
Subject: RE: [NTSysADM] Epic Fail at Target

Honestly, did you see the residual companies the same HVAC company had access 
to? 

But working in retail for a short amount of time, this type of thing does not 
surprise me. 

EZ

Edward E. Ziots, CISSP, CISA, Security+, Network+
Security Engineer
Lifespan Organization
[email protected]
Work: 401-255-2497


This electronic message and any attachments may be privileged and confidential 
and protected from disclosure. If you are reading this message, but are not the 
intended recipient, nor an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that you are 
strictly prohibited from copying, printing, forwarding or otherwise 
disseminating this communication. If you have received this communication in 
error, please immediately notify the sender by replying to the message. Then, 
delete the message from your computer. Thank you.




-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Kennedy, Jim
Sent: Thursday, February 06, 2014 10:18 AM
To: [email protected]
Subject: RE: [NTSysADM] Epic Fail at Target

They should have gone to my Derbycon talk last fall. I specifically talked 
about isolating HVAC systems. :)

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Kurt Buff
Sent: Thursday, February 6, 2014 10:17 AM
To: [email protected]
Subject: [NTSysADM] Epic Fail at Target

http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

By Brian Krebs
Krebs on Security
February 5, 2014

Last week, Target told reporters at The Wall Street Journal and Reuters that 
the initial intrusion into its systems was traced back to network credentials 
that were stolen from a third party vendor.
Sources now tell KrebsOnSecurity that the vendor in question was a 
refrigeration, heating and air conditioning subcontractor that has worked at a 
number of locations at Target and other top retailers.

Sources close to the investigation said the attackers first broke into the 
retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio 
Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and 
HVAC systems.

Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his 
company’s offices in connection with the Target investigation, but said he was 
not present when the visit occurred.
Fazio Vice President Daniel Mitsch declined to answer questions about the 
visit. According to the company’s homepage, Fazio Mechanical also has done 
refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s 
Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West 
Virginia.

Target spokeswoman Molly Snyder said the company had no additional information 
to share, citing a “very active and ongoing investigation.”

It’s not immediately clear why Target would have given an HVAC company external 
network access, or why that access would not be cordoned off from Target’s 
payment system network. But according to a cybersecurity expert at a large 
retailer who asked not to be named because he did not have permission to speak 
on the record, it is common for large retail operations to have a team that 
routinely monitors energy consumption and temperatures in stores to save on 
costs (particularly at night) and to alert store managers if temperatures in 
the stores fluctuate outside of an acceptable range that could prevent 
customers from shopping at the store.
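The point the article raises, vendor access that "would not be cordoned off from Target's payment system network", is a segmentation question that can be checked mechanically. Below is an added example (not from the article, the list posters, or any of the companies named) of a small zone-based policy evaluator: it takes a first-match, default-deny rule set and reports every protected (dst, port) pair a vendor zone can reach. The zone names, ports and both rule sets are constructed assumptions for illustration, not anyone's real network; a "flat" permit-all policy is shown beside a segmented one that lets the vendor reach only the building management system.

```python
"""Zone-based firewall policy check for third-party (e.g. HVAC vendor) access.

Goal: verify that a vendor-facing segment can reach only the building
management system (BMS) and never the cardholder data environment (CDE).

Added illustration: zones, rules and ports are constructed assumptions,
not Target's, Fazio's, or any real network.
"""
from dataclasses import dataclass
from itertools import product

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str       # source zone or ANY
    dst: str       # destination zone or ANY
    port: object   # TCP/UDP port number or ANY
    action: str    # "allow" or "deny"


def _match(field, value):
    return field == ANY or field == value


def decide(rules, src, dst, port):
    """First matching rule wins; no match at all means deny (default-deny)."""
    for r in rules:
        if _match(r.src, src) and _match(r.dst, dst) and _match(r.port, port):
            return r.action
    return "deny"


def vendor_exposure(rules, zones, ports, vendor="vendor_hvac", protected=("cde",)):
    """Return sorted (zone, port) pairs inside protected zones that the vendor
    zone is allowed to reach. An empty list means the vendor is cordoned off."""
    return sorted(
        (z, p)
        for z, p in product(zones, ports)
        if z in protected and decide(rules, vendor, z, p) == "allow"
    )


# Constructed zones and service ports used by the audit (assumptions).
ZONES = ["vendor_hvac", "bms", "corp", "cde"]
PORTS = [22, 80, 443, 1433, 3389, 47808]   # 47808/udp is BACnet/IP, a common BMS protocol

# "Flat" policy: one permit-everything rule between internal segments.
# A vendor credential here reaches the CDE on every port.
FLAT_POLICY = [Rule(ANY, ANY, ANY, "allow")]

# Segmented policy: vendor may reach the BMS on its protocol and one
# management port, is then explicitly denied everything else, and all
# remaining flows fall through to the default deny.
SEGMENTED_POLICY = [
    Rule("vendor_hvac", "bms", 47808, "allow"),
    Rule("vendor_hvac", "bms", 443, "allow"),
    Rule("vendor_hvac", ANY, ANY, "deny"),
    Rule("corp", "bms", 443, "allow"),
]


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        reach = vendor_exposure(policy, ZONES, PORTS)
        print(f"{name:10s} vendor->CDE reachable: {reach or 'none'}")
```

The check is deliberately simple (zones and ports only, no stateful or address-level detail), but it is the kind of assertion that belongs in a change-control pipeline for any network where a third-party segment and a payment segment share infrastructure: the audit fails the moment someone adds a broad allow rule above the vendor deny.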