NEWS ANALYSIS: Although 2014 has been the year of the retail breach, consumers looking to do some holiday shopping have very little to worry about.
On Black Friday in 2013, millions of consumers shopped at retailers that had been breached by point-of-sale (POS) malware. A year later, has anything changed?
Target admitted in December 2013 that it was breached between Nov. 27 and Dec. 15 of that year, an incident that affected 70 million customers. The breach also cost Target $148 million in expenses and took the jobs of Target's CIO and CEO.
As it turns out, the Target breach was only the leading edge of an avalanche of retail breaches that were disclosed in 2014. Grocery chain SuperValu, UPS, Michaels, Dairy Queen, Goodwill, Staples and Home Depot are among the retailers that admitted being breached during the year.
Surprisingly, while the Target breach was reported last December and was the subject of intense scrutiny and discussion in the first half of this year, lessons learned from that incident apparently were not enough to stem the tide.
Home Depot, for example, reported its breach in September, with the actual attack lasting from April to September. That means that Home Depot's systems were breached long after Target's disclosure and long after the retailer should have been able to discern lessons and best practices from that incident.
Home Depot has admitted that a third-party vendor's username and password were compromised. The attacker then leveraged that stolen credential to gain access to the Home Depot network. Once inside, the attacker exploited a privilege escalation flaw to gain broader access. With that access, some form of POS malware was deployed, which is how the customer information was stolen.
The problem with the Home Depot breach scenario is that it is likely the same as what happened at Target. It is also likely the same scenario that has played out at other retailers as well, including some that consumers will shop at on Black Friday.
While this has been a year of disclosures and discussion about retail breaches, the simple truth is this: Little has changed. POS malware is still widely deployed, with the Backoff POS malware alone infecting a thousand retailers, according to the U.S. Secret Service.
Going a step further, privilege escalation vulnerabilities, which in my view are at the root of many retail breaches, remain difficult to deal with. Case in point: It was just last week that Microsoft issued an emergency out-of-band patch for a Kerberos authentication flaw identified as CVE-2014-6324. That vulnerability could potentially enable an attacker to elevate his or her privileges and take control of an entire system. While a patch is available, Microsoft itself warned that fully remediating a potentially compromised domain requires the organization to rebuild that domain from scratch. Given the proximity to Black Friday and the complexity of rebuilding domains, I suspect that not all retailers that run Windows have actually heeded Microsoft's advice.
While there are likely still privilege escalation risks present in some retailer networks and there are also likely still many undetected POS infections, not all is lost.
While the risk of retailer breaches on Black Friday is still present, there is much reason for optimism too.
Thanks to the Target breach and those like it, there has been heightened awareness among law enforcement and credit card issuers. While as yet unknown breaches and POS malware might well be lurking on Black Friday retailer systems, the "good guys" are watching for bad things.