On Target and other Breaches

These days one of the top IT security news is the one concerning the Target breach which allowed the criminals to steal up to 40 million credit and debit cards data (see Krebs On Security for details). What is very interesting is the complexity of the entire operation. This is not someone who stumbles almost by accident on a bug or a security weakness and exploits it. This, and other similar ones (it is at least a couple of years that similar frauds have been known to be realized), are really criminal operations, well designed, carefully planned and implemented.

It is enough to mention a few details of this breach to understand the complexity of the operation. The malware has been designed and/or modified to fit exactly the environment in which it has been installed. The way of accessing the the IT systems has been carefully studied and most probably has been through a most unlikely third part. The stealthiness of the operation has been extremely good, including the way of exporting the extracted credit/debit card data from the company network into the criminals’ systems.

These are targeted attacks which adopt the best of technologies, included IT technologies but not limited to the IT world. The biggest issue is that the target of the frauds is not the IT, but is the everyday business which must understand that these new kind of frauds are very real and can target everyone.