HVAC vendor investigated as part of Target breach

Posted at 6:14 PM, Feb 06, 2014
and last updated 2014-02-06 18:14:26-05

NEW YORK (CNNMoney) — A heating and air conditioning contractor may have provided the opening hackers exploited in the massive breach of Target’s computer network.

And they didn’t even know it.

This new information about the Target breach highlights the potential for serious vulnerabilities at other major U.S. retailers. It also raises a head-scratcher: How could a heating contractor’s password open up the secure systems used to process customer payments?

The contractor — first identified by independent security researcher Brian Krebs — said Thursday it was the victim of a breach and was cooperating with federal officials investigating the Target hack.

“Like Target, we are a victim of a sophisticated cyber attack operation,” said Ross Fazio, president of Fazio Mechanical Services, in a statement. “We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach.”

Fazio declined to elaborate on the nature of the attack, but Target said last week stolen vendor credentials were used in the breach of payment and personal information for as many as 110 million customers.

The company connects to Target’s networks for for billing and contracts, he said.

It clearly does not handle customer credit or debit card payments for Target, but security experts say the vendor’s stolen credentials helped hackers get past the hard part: getting through companies’ fortified outer walls.

“Once an attacker gets in, lateral movement is really difficult to detect because most organizations are perimeter-focused,” said Eddie Schwartz, vice president of global security solutions at Verizon Enterprise Solutions. He said networks guard against intrusion, but “there’s a general expectation of trust once you’re inside those walls.”

Think of a network as a house, Schwartz said: You can have several doors, each with a different lock, but if just one key is stolen, the perpetrator can get in. Once inside, he can move between rooms and easily hide to avoid detection.

While retailers build defenses around their payment systems, they may not invest as heavily in protecting the systems used by building management.

“They haven’t been engineered with security in mind,” said Mike Weber, the managing director of Coalfire Labs. “They haven’t been built to be secure from a dedicated hacker. They’ve been built for availability needs, to be up all the time.”

His firm audits and performs security tests on corporate networks. He advises clients to build walls between their systems and not use default passwords.

Fazio said his company’s “IT system and security measures are in full compliance with industry practices.” A law enforcement official familiar with the investigation said the Secret Service was working to determine whether the contractor was involved in the Target breach.

When asked about the contractor’s possible role, Target spokeswoman Molly Snyder said she could not comment, citing the ongoing investigation.