Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Home Depot Breach Expands, Privilege Escalation Flaw to Blame

    Written by

    Sean Michael Kerner
    Published November 8, 2014
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      Home Depot revealed new information on Nov. 6 about its data breach that it first officially confirmed in September. Home Depot initially reported that the breach, which lasted from April to September of this year, impacted 56 million credit card holders. The scope of the breach has now been expanded to include 53 million user emails. Home Depot has not publicly disclosed how many of the breached emails overlap with the credit card account users.

      For those 53 million accounts, the attackers only stole the email addresses, and Home Depot has stated that no additional payment card, passwords or personal information was stolen.

      The new secondary disclosure that email information was stolen in addition to payment card information follows the same pattern that the Target breach took. Target initially disclosed in December 2013 that 40 million payment cards were stolen in its data breach. In January, Target increased that number and revealed that the personal information of 70 million customers was taken.

      Home Depot is providing some insight into how the attacker was able to get inside its network. A third-party vendor’s username and password were somehow compromised, giving the attacker access to the network.

      The attacker having third-party access, however, is not the end of the story. Home Depot revealed that the third-party credentials enabled the attacker to get into its network perimeter and from there had to exploit another vulnerability in order to do damage.

      “These stolen credentials alone did not provide direct access to the company’s point-of-sale devices,” Home Depot stated in a press release. “The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom built malware on its self check out systems in the U.S. and Canada.”

      That’s the real root cause, in my view—a privilege escalation flaw. Getting into the network itself is interesting, but without the right privileges, which the third-party vendor did not have, the attacker could not do any damage.

      We don’t not know the specifics of the privilege escalation flaw used, though there are myriad techniques that hackers can use. Among the different techniques that an attacker can deploy on Windows systems, for example, to advance privileges is the NTLM (Windows NT LAN Manager) Pass-the Hash attack, in which credential access can be elevated. There are other types of privilege escalation attacks that work on Linux and Unix systems as well. The bottom line though is that a proper change management system and access policy management system might have noticed the privilege escalation. Apparently in the Home Depot incident, the privilege escalation flaw was not detected when it initially occurred.

      Home Depot has also reiterated that the malware that was deployed by the attackers, once they had executed their privilege escalation attack, was malware that had previously been unknown. That means it was not the Backoff malware that has impacted 1,000 retailers.

      What the new Home Depot breach details clearly show is that the breach was a multistage attack that wasn’t just about any one failure but rather several defensive inadequacies. Third-party access was breached by an attacker, so that’s one point of failure. The privilege escalation issue is the second. The undetected malware itself is the third point of failure. Finally, the fact that the data was taken out from the network without detection is the icing on the cake.

      All of this breach activity comes with a cost that Home Depot will need to pay. At this point those costs are unknown.

      “The company is not able to estimate the costs, or a range of costs, related to the breach,” Home Depot stated.

      As the holiday shopping season is almost here, other retailers would do well to learn quickly from the lessons of Home Depot and other breaches to protect themselves and their customers.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and writer for several leading IT business web sites.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×