The theft of personal financial data of tens of millions of people from Target and Neiman Marcus is being widely reported in the press. Security experts suspect that the bad guys were able to convert credit card terminals into a giant botnet. On the IntelCrawler website, IntelCrawler CEO Andrey Komarov wrote on December 5, 2013:

The unique side of our case is that it is a real botnet with C&C functions, which is active close to half a year and controlled by a group of criminals which has a new type of Dexter. The infected PoS merchants are installed in different places and cities… which makes it different as the bad actors infected them separately and then organized a botnet from it.

In a stark example of how time favors the bad guys, Arbor Networks observed:

Dexter, first documented by Seculert in December 2012, is a Windows-based malware used to steal credit card data from PoS systems. The exact method of compromise is not currently known, however PoS systems suffer from the same security challenges that any other Windows-based deployment does. Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely candidates for infection.

Time favors the bad guys. Securosis provides the following chart that shows the complex work that highly trained professionals must undertake to respond to an attack:

[Chart: Securosis]

It is important to note the two steps that come before notification — the attack and the discovery of the attack. It is common to discover the remnants of an attack long after the attackers have moved on to other mischief.

We can see how time favors the bad guys in this timeline derived from Blue Coat/Solera data:

In the 21st Century, an ounce of cyber-prevention is worth more than a pound of cyber-cure. SP Guard is an important piece of cyber-prevention. Using SP Guard, social engineering spearphishing attacks can be disrupted by targeting email deception. IT can determine a list of trusted senders and provide this information to staff in a simple and highly effective manner.

You can contact us at 408-727-6342, ext. 3 or use our online form.