Home Depot IT: Get hacked, blame Windows, switch execs to MacBooks

If IT can't deploy patches in a timely fashion, then take a page from Home Depot and blame Windows after getting hacked.

Home Depot
Mike Mozart (Creative Commons BY or BY-SA)

You may have received an email from Home Depot notifying customers that along with compromising 56 million credit card accounts, attackers stole 53 million email addresses.

Home Depot emailed notice to customers Home Depot

If you shop at Home Depot but haven’t received an email yet, then according to the FAQs (pdf):

Even if you do not receive an email notification from us, it’s safe to assume your email address could have been stolen. We recommend that you be on the alert for phony emails requesting personal or sensitive information.

Last week, Home Depot released additional findings revealed during the payment data breach investigation.

Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network. These stolen credentials alone did not provide direct access to the company's point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.

Although the cyber crooks first broke in by stealing credentials from a third-party vendor, that alone was not enough to crack into and plant malware in point-of-sale devices at 7,500 self-checkout lanes. The Wall Street Journal reported that once inside Home Depot’s network, the hackers exploited a vulnerability in Microsoft Windows. Home Depot patched the hole, but not until after the breach occurred.

WSJ added:

Four days after the company had been alerted, Home Depot's investigators discovered evidence that malware had been deleted from a store computer. The company was able to confirm a breach, but it couldn't be sure its critical business information was out of danger. An IT employee bought two dozen new, secure iPhones and MacBooks for senior executives, who referred to their new devices as "Bat phones."

MacBook keyboard David Mulder

The IT staff may have made the company’s top dogs feel better by switching to new Apple products, but it’s a bit like putting a smiley face Band-Aid on a gunshot wound. In reality, the cyber crooks didn’t break into executive’s computers to gain access. It’s not like OS X and iOS are invulnerable; for example, users who don’t keep their Apple OS updated are vulnerable to Wirelurker. Windows may be used by more businesses, making it low-hanging fruit targeted by more attackers, but it’s now a myth to claim that increasingly popular Apple products are exempt from exploitation. OS X and iOS malware is here to stay.

Seculert’s CTO Aviv Raff said the attackers jumped "from a third-party, vendor-specific environment to the corporate environment using a zero-day vulnerability in Microsoft Windows." Slow patch management can bite businesses and users alike. It seems ridiculous for IT to take the position of get hacked, blame Windows, and switch to Macs. Regarding early detection being the key, Raff added, “If you can not only evade detection on the way in, but live there for five months, it’s more like a blind cavern than a blind spot.”

After deploying the patch too late, it took Home Depot five months to detect the attack. Even then, it was the U.S. Secret Service that informed the company of a potential breach after credit card numbers went up for sale in September. Home Depot's former chief executive Mr. Blake told WSJ, "If we rewind the tape, our security systems could have been better. Data security just wasn’t high enough in our mission statement."

"Home Depot is massively underestimating the cost of dealing with this breach," said Jeff Williams, CTO of Contrast Security, in an email. "They estimate that they will pay $62 million to recover from the breach. However, Ponemon puts the cost per record at $188. Even assuming that Home Depot has a CISO, formal incident response plan, and hires consultants, and assuming some economies of scale, the cost has to be at least $10 per record, or $560 million total. Maybe more if you include email addresses that were just discovered and there isn’t a perfect overlap with the cards breached.”

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)