One of the realities of news that happens at Internet-speed is that it may not be wholly accurate. Much of what has come out about the Target breach contains factual errors that may not seem obvious, especially as they are repeated by many news outlets. So let us take a moment to examine some of the more common myths that have been flying around.
1. “People know who created the malware, so they also know who perpetrated the breach.”
Right now, we do not know who perpetrated the Target breach, or how they did it. But we have a whole lot of information about people who have allegedly been involved in other aspects of the breach. There was a Mexican couple that was arrested with several dozen fake cards with numbers that had been stolen in the Target breach. They were not the perpetrators.
There was a 17-year-old that was initially identified as the author of the BlackPOS malware (detected by ESET as Win32/Spy.POSCardStealer.R), which is similar to that which was used in the attack. But it turns out the primary author was actually a 23-year-old who used the same handle, but even as the alleged author of the malware used to perpetrate the breach, he is not likely to be behind this specific attack.
BlackPOS was only one tool in a whole arsenal of tools that the attacker or attackers used, and its presence in that toolkit is no more indicative of culpability for this specific breach than it would be for the authors of the legitimate admin tools that the attackers also used.
2. “The code was not detected in VirusTotal, so antivirus failed to stop the attack.”
The idea that VirusTotal can be used as an accurate test of whether up-to-date antivirus software would detect a piece of malware has been thoroughly debunked, including by VirusTotal itself. And yet, we still regularly see VirusTotal detection ratios quoted in articles as if they are a reliable indicator of whether malicious code would be detected. Let me sum up the situation briefly: VirusTotal uses on-demand, command-line scanners to scan files statically. No modern antivirus program actually works this way on a real person’s (or business’) machine – both the technologies involved in detection and the techniques used in attacks are far more complicated.
In real life, a piece of malware may or may not be detected by antivirus software, but VirusTotal results will not necessarily tell us this. In targeted attacks, malware authors may test the detection of the antivirus program(s) used by their target in order to develop countermeasures so the antivirus program may not initially detect their code. And sometimes, criminals may make use of legitimate, non-malicious tools to achieve much of what they are trying to accomplish. Indeed, several of the programs that were used by these particular criminals are not malicious, any more than a shoelace or a screwdriver is malicious.
Even shoelaces can be used for deadly purposes, but this is not what most people use them for, so we cannot really consider them a deadly weapon. But if they are being used for unintended purposes, or in suspicious ways, they may in fact be detected by something like behavioral detection within an antivirus product, by rules within an Intrusion Prevention System, or by a firewall.
3. “The people who broke into Target must be geniuses.”
There are so many unfortunate, wrongheaded stereotypes about malware authors, it can be hard to know where to start. Probably the most unfortunate one – probably one of the reasons why so many news outlets enthusiastically ran the story about the supposed teenage author of BlackPOS – is that malware authors are often thought of in the public eye as ethically-challenged mega-geniuses. That is not remotely accurate.
According to the author himself, he took readily available code and just added some additional features. What he describes is an incredibly common scenario. Most of the people who perpetrate these crimes are not brilliant coders, or in possession of information that is particularly obscure. Most of the attackers are simply resourceful about combining information that is widely available. That should perhaps impress upon us all the reality of the situation: Companies are not protecting themselves against attacks that can be perpetrated by a person with only average skills or resources.
4. “There is no way for businesses to stop credit card fraud.”
If an adversary is sufficiently determined, you may not be able to completely block an attack. But that situation is vanishingly rare. In most cases, attackers are able to take advantage of fairly low-hanging security-fruit. Security, especially in big companies, can be tremendously complicated. Ideally, you should know where everything is, and what everything and everyone is doing, all the time. It only takes a slip-up at the wrong time, noticed by the wrong person, to cause problems.
But that is not to say that it is impossible, and that is not to say it needs to be done perfectly. It simply needs to be done better than it is by the majority of other businesses. Apparently many news outlets are portraying this event as indication that we are all at the whims of teenage super-villains, and that we should all simply abandon hope. That is both fatalistic and simplistic.
The truth is that there are several things that could have been done that might have stopped or mitigated this attack before it affected such a sizable percentage of the American population. And those things are precisely what security people have been saying all along: Update your software, use layered defenses, and go by the Principle of Least Privilege. Smart cards might also have helped, or maybe not.
5. “Only big businesses are at risk for this sort of attack.”
Attacking a business that has financial and personal information relating to such a large percentage of the US population is certainly a huge payday for attackers. If it is so easy to attack such large businesses, why would attackers even bother with small or medium-sized businesses?
Simply put, lots of little attacks can quickly equal the same sort of payday, especially because smaller businesses may be less well-defended and take longer to discover intruders on their systems. And a smaller business ripe for attack is easy to locate - attackers can use popular search engines to find systems that have common vulnerabilities, so they do not need to have heard of your boutique poodle grooming-supply business in rural Montana in order to attack it. But the good news is, when a business is small, it is also simpler to secure. (Check out Stephen Cobb's cyber security road map for smaller businesses.)
Conclusion
All of this boils down to one simple idea: It is entirely possible for businesses to better protect their customers against this sort of breach. The protective technology and techniques exist already, and some organizations are already putting them to good use. But a surprising number are not, yet. Hopefully high-profile breaches like this (and the costs those vendors incur because of them!) will show other businesses that it genuinely is worth the expense to improve their security in order to safeguard customers’ data.
