Targeting the HVAC | TechSNAP 148

Targeting the HVAC | TechSNAP 148

We finally have the answer to how the Target network was physically breached, and it just might make you face-palm.

Plus some urgent Adobe news, the NSA ORCHESTRA program, and a big batch of your questions and our answers.

All that and a heck of a lot more, on this week’s TechSNAP!

Thanks to:



Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Security Protocols and Evidence

  • Researchers at Cambridge propose a new way of thinking about security protocols, designing in to them the facilities required to generate proper evidence to be used in court for dispute resolution
  • The goal of the research is to highlight the types of design considerations that should be put into cryptocurrency systems like bitcoin and other payment systems like electronic banking and mobile payment apps
  • The research uses EMV (Chip&Pin) as an example and shows how it does not currently provide the evidence required for proper dispute resolution
  • The paper outlines 5 design considerations:
  • Principle 1: Retention and disclosure.
  • Protocols designed for evidence should allow all protocol data and the keys needed to authenticate them to be publicly disclosed, together with full documentation and a chain of custody
  • Principle 2: Test and debug evidential functionality.
  • When a protocol is designed for use in evidence, the designers should also specify, test and debug the procedures to be followed by police officers, defence lawyers and expert witnesses
  • Principle 3: Open description of TCB (trusted computing base)
  • Systems designed to produce evidence must have an open specification, including a concept of operations, a threat model, a security policy, a reference implementation and protection profiles for the evaluation of other implementations
  • Principle 4: Failure-evidentness.
  • Transaction systems designed to produce evidence must be failure-evident. Thus they must not be designed so that any defeat of the system entails the defeat of the evidence mechanism
  • Principle 5: Governance of forensic procedures
  • The forensic procedures for investigating disputed payments must be repeatable and be reviewed regularly by independent experts appointed by the regulator. They must have access to all security breach notifications and vulnerability disclosures
  • The paper then goes on to describe ways these principles could be applied to the existing EMV system to improve its security and dispute resolution facilities

Target Hackers Broke in Via HVAC Company

  • Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor.
  • Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
  • Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
  • The HVAC company president confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation
  • It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.
  • According to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
  • Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores.
  • Those same sources said the attackers used this time to test that their point-of-sale malware was working as designed.
  • While some reports on the Target breach said the stolen card data was offloaded via FTP communications to a location in Russia.
  • Sources close to the case say much of the purloined financial information was transmitted to several “drop” locations.
  • These were essentially compromised computers in the United States and elsewhere that were used to house the stolen data and that could be safely accessed by the suspected perpetrators in Eastern Europe and Russia.
  • These compromised hosts serve as cut-outs, after the stolen data is copied from them by the attacker, the logs can be erased to break the trail of evidence

Adobe announces emergency patch for Flash Player, flaw being exploited in the wild

  • Adobe has issues an emergency security advisory for all versions of Flash Player
  • Adobe released for Windows and Mac, and for Linux and FreeBSD
  • Bundled versions for Chrome ( and Internet Explorer ( were also updated to
  • “These updates resolve an integer underflow vulnerability that could be exploited to execute arbitrary code on the affected system (CVE-2014-0497).”
  • Researchers Alexander Polyakov and Anton Ivanov of Kaspersky Lab discovered an exploit for the vulnerability being used in the wild and reported it to Adobe
  • Adobe has released no further details about the ongoing attack
  • Researcher’s Post
  • “During the past months we have been busy analysing yet another sophisticated cyberespionage operation which has been going on at least since 2007, infecting victims in 27 countries. We deemed this operation “The Mask” for reasons to be explained later”
  • “The “Mask” is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products. This is putting them above Duqu in terms of sophistication, making it one of the most advanced threats at the moment”
  • “Most interesting, the authors appears to be native in yet another language which has been observed very rarely in APT attacks.“
  • The language in question appears to be Korean
  • Kaspersky Labs have released more technical details about the exploit
  • Additional Coverage


Round Up:

Question? Comments? Contact us here!