Showing posts with label Privacy and data protection. Show all posts

Thursday, 13 March 2014

Bloomberg: Target failed to stop hackers from stealing credit card data

The November data breach that impacted 40 million Target customers could have been stopped in its tracks, according to a story published Thursday by Bloomberg.
Speaking with more than ten former Target employees and eight people with knowledge of the hack, Bloomberg said that Target already had in place a sophisticated malware detection system designed by security firm FireEye. The $1.6 million system was set up specifically to identify hacks and cyberattacks before they had a chance to do real damage.
Highlighting the ingenuity of FireEye's detection system, Bloomberg explained that it creates a parallel network on virtual machines. As such, the hackers are led to believe they're actually breaking into the real thing, thus exposing their attack methods and other breadcrumbs without jeopardizing the true network, at least not initially.
A team of security professionals was set up in Bangalore to monitor Target's network servers and alert security operators in Minneapolis of any detected malware. And this process worked as expected during the November hack. After detecting the hack, the people in Bangalore alerted the people in Minneapolis. But that's where the ball got dropped, according to Bloomberg. The hack continued on its merry way.

The FireEye system could have been programmed to automatically remove the malware upon detection. But that option was turned off, requiring someone to manually delete it. That's not unusual, according to one security officer interviewed by Bloomberg who explained that security professionals typically want that decision to be in their hands. But that means the security team must act quickly enough.
Why was the hack successful despite all the warning signs? Bloomberg's sources pointed to a few reasons.
Two people "familiar with Target's security operations" also told Bloomberg that the company's security people may have viewed FireEye's system with some skepticism at the time of the hack. Testing of the system had just completed in May, leading to its initial rollout. Even further, the manager of Target's security operations center, Brian Bobo, had left the company in October, with no replacement to manage things.
Ultimately, though, the alerts from FireEye and from Target's Symantec Endpoint Protection system should have driven Target's security people to stop the hack before it spread.
"The malware utilized is absolutely unsophisticated and uninteresting," Jim Walter, director of threat intelligence operations at McAfee, told Bloomberg. "If Target had had a firm grasp on its network security environment, they absolutely would have observed this behavior occurring on its network."
CNET contacted Target for comment on Bloomberg's report and will update our story with any further information.

Friday, 28 February 2014

The good, the bad and the oddities of MWC 2014

SAN FRANCISCO -- What started as a one-man boycott of the annual RSA Conference here in response to the confab's parent company's ties to the National Security Agency has begun to blossom into a broader movement to reclaim the trust of technology and Internet users.
Alex Stamos, co-organizer of the event -- nicknamed TrustyCon -- and chief technology officer at the security firm Artemis, took the stage in Theater 14 at the AMC Metreon multiplex to explain just why the Trustworthy Computing Conference was needed in the first place. After all, with Security B-Sides earlier in the week, it's not even the first counter-conference programmed against RSA.

"How do we build trustworthy systems?" he asked the crowd. Citing viruses, malware, and the post-Snowden leaks environment, he said, "We have failed."
The goal, he said, was not to have "another" security conference, "but a trust conference." It was also a fundraiser for the Electronic Frontier Foundation, scoring $20,000 for the group.
TrustyCon's roots are tied to the rebellion of Mikko Hypponen, an unlikely source of dissent. Hypponen, the chief technology officer at Finnish security firm F-Secure and a computer virus and malware expert, has spoken at the RSA Conference for the past eight years and was the first major speaker to withdraw from the show.
"I'm not expecting to participate in the future," he said, although he later revealed after TrustyCon that the RSA Conference organizers had pleaded with him privately to stay on board.
"I'm not expecting to participate in the future," he told the TrustyCon attendees. He said he had published openly his letter to the RSA Conference organizers as a challenge to other speakers.
"I wasn't expecting anyone else to cancel, wasn't expecting American speakers to cancel," he said, saying at the time that it was an issue of national pride.
To his surprise, he told TrustyCon, "the ones with the balls have canceled."
His TrustyCon speech focused on the simmering international conflict. He pointed out that thanks to Snowden and to the Stuxnet revelations, we've learned that governments were actively writing and delivering malware.
"Ten years ago this would've been science fiction," he said.
He noted that he wasn't against all government spying and said that high-profile political leaders such as Angela Merkel of Germany have a reasonable expectation to be the targets of surveillance.
"The problem," he said, "is listening to the traffic of people on the street. Why is it being collected? Because it's technically possible. We created the monster."
Other speakers also focused on the issue of trust, and of otherwise trustworthy computing systems exploited by governments, including the US.
Christopher Soghoian, a senior policy analyst at the American Civil Liberties Union who has spoken often against domestic spying since the Snowden leaks, used the example of automatic software updates exploited by the US government as compromising the trust in both technology and government.
TrustyCon co-organizer and host Alex Stamos encourages attendees to rethink how to build trustworthy computing systems at the AMC Metreon, San Francisco, on Thursday, February 27, 2014.
(Credit: Seth Rosenblatt/CNET)
A talk by civil liberties attorney Marcia Hoffman emphasized the government's legal logic and how it's based on laws that are far behind the technology they're governing. Google's Chris Palmer, of the Chrome secure usability team, gave a technical explanation of why it's so difficult to build encryption tools that are easy for the general public to use.
During an onstage interview with Joseph Menn, the reporter who first broke the story of RSA's connections to the NSA, independent security expert Bruce Schneier sounded a call to action to build better tools.
"Twenty years of PGP has taught us that one-click encryption is one click too many," Schneier said.
He also echoed Hypponen's point that not all spying is bad, something that tends to get lost in the outrage over the leaked document revelations. "If the Snowden docs had shown the NSA spying on North Korea and the Taliban, nobody would've cared because that's their job," he said.
The show ended on talks by Def Con founder and Homeland Security adviser Jeff Moss and noted technologist and Princeton professor Ed Felten. Moss focused on empowering the gathering of hackers and information security experts, explaining that while everybody "needs the Net to work," "the only ones" interested in "knowledge" are hackers, researchers, and academics.
Felten, who has testified in front of the US Senate on the issue, reminded those who wanted to get involved that fixing the NSA meant paying attention to what NSA officials have said.
"You have to read every word carefully," he said, "and especially every word by an intelligence official under oath."
"I haven't spent this long in a movie theater since I was a teenager and hid in the back all day," quipped Stamos as he closed the conference by promising the return of TrustyCon.
"This was not a one-time thing," he said, "because the issue is not a one-time thing."