Imagine having a network so unprotected that you can control a cash register with a damn deli scale from an entirely different store.
What Target has a deli?
@@imabebebebe2496 they used to
@@imabebebebe2496 Super Targets
@@imabebebebe2496 It might be the American Target, they got themselves in a bit of strife financially.
@@imabebebebe2496 it was from a nearby deli store
It's crazy to think the CEO's severance pay was over 3x as large as the settlement value.
That is horrifically depressing
Goes to show you what paying for a good CEO can save you.
I'm sure Elon Musk wouldn't have had to pay anything. [/Sarcasm]
Because dude knows dirt on the company, and shoppers don't
Ahahahha
Also, its stock barely moved. In the end, only the consumer loses, every time.
@@Paulo27 Customers lost some time from the hassle, but banks issued new cards and refunded any money spent fraudulently. By law a customer is only liable for up to $50 of fraudulent charges, but nearly every bank sets the bar to zero.
"...after compromising a deli meat scale" has to be one of the funniest things I've ever heard
Let me get half a pound of boars head and ALL YOUR CUSTOMER CC DATA!
This is why things that don't need to be connected to the internet should not be connected to the internet lmao
@@pleasantvegetable but think of all the money Target could make from selling data regarding which customers like ham
It'd be hilarious if not so terrifying
Please don't stop making these videos they fill a hole in the tech incident post mortem world that I never knew needed filling
Couldn't agree more!!!
it’s literally some of the best content on youtube
ahhhhhhhhhhhhh
He's got 90k organic subs, he ain't going nowhere
What is the “tech incident post mortem world”
I love these videos, it feels like an extended cut of that scene where the hacker in a movie is explaining what theyre doing, but then it actually makes sense
And it is the real stuff
they're*
@@JorgetePanete I really do not care.
@@aeaeaeaeoaeaeaeaeae based
I had always wondered how they went from Target network to PoS systems. I had no idea it was a combo of weak passwords and... no segmentation.
It seems like a dumb mistake today, and that's because it is.
Oh and ignoring the malware alerts they probably paid tens of thousands of dollars to receive
Yeah, airgaps and such are incredibly useful. The problem is that companies like Target have *very* little incentive to actually invest in security. Why would they care if their customers' information/cards got stolen? Sure it's bad PR, but in reality stuff like that really doesn't have a huge effect on their bottom line over a year or so. Worst case scenario, they're found negligent and have to pay a fine that equals a fraction of a percent of their profit that year. They do the math, and a huge reason they don't invest in better security is because they flat out make more money by not paying for better security, unfortunately.
To quote another comment: " It's crazy to think the CEO's severance pay was over 3x as large as the settlement value. " @@Stealth86651
Flat networks are terrifyingly common. If you drive by a factory, chances are their machines are on the same LAN as the office PCs.
@@Stealth86651 There may have been some truth to that in 2013, but nowadays ransomware is the name of the game, and that can be hugely disruptive to just about any company.
*hundreds of thousands
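The thread above keeps coming back to "no segmentation" and flat networks. Here is what checking for that looks like in practice, as an added example that is not code from the video or from any commenter: a default-deny zone policy is written down as an allow-list, and observed connections are evaluated against it, so any flow from a vendor-facing or corporate zone into the POS zone that nobody approved shows up as a violation. The zone names, subnets, ports and flow records are all constructed for illustration.

```python
"""Flat-network check: evaluate observed flows against a zone policy.

Added example, not code from the video or its commenters. Zones, subnets,
ports and the flow records below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical zones; the subnets are made up.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
    "pos": ipaddress.ip_network("10.30.0.0/16"),
    "payment": ipaddress.ip_network("10.40.0.0/24"),
}

# Default-deny allow-list of (src_zone, dst_zone, dst_port).
# Anything not listed is a violation. Registers only ever need to reach the
# payment gateway; they never need SMB to each other or to corporate.
ALLOWED: Set[Tuple[str, str, int]] = {
    ("corporate", "corporate", 445),
    ("corporate", "corporate", 389),
    ("vendor_portal", "vendor_portal", 443),
    ("pos", "payment", 443),
    ("corporate", "pos", 8443),  # hypothetical management channel
}


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is in no known subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Tuple[str, str, int]:
    """Constructed flow format: '<src> <dst> <dst_port>'."""
    src, dst, port = line.split()
    return src, dst, int(port)


def find_violations(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, port, reason) for every flow the policy would block."""
    out = []
    for line in lines:
        src, dst, port = parse_flow(line)
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            # Unknown hosts are a finding in themselves on a segmented network.
            out.append((src, dst, port, "unknown zone"))
            continue
        if (sz, dz, port) not in ALLOWED:
            out.append((src, dst, port, f"{sz}->{dz}:{port} not in allow-list"))
    return out


# Constructed flow log, one connection per line.
SAMPLE_FLOWS = [
    "10.10.0.5 10.20.1.7 445",      # vendor portal host reaching corporate SMB
    "10.20.1.7 10.30.12.40 445",    # corporate host pushing to a POS register
    "10.30.12.40 10.40.0.10 443",   # register to payment gateway: expected
    "10.20.1.7 10.20.1.9 389",      # corporate LDAP: expected
    "10.30.12.40 10.30.12.41 445",  # register to register: never expected
    "10.30.12.40 10.40.0.10 21",    # register opening FTP to payment: not allowed
]

if __name__ == "__main__":
    for violation in find_violations(SAMPLE_FLOWS):
        print(violation)
```

Run against real flow data (NetFlow, firewall logs, a span-port capture summarised to 5-tuples) the same loop tells you whether the diagram's segmentation exists on the wire; the first two sample flows are the pattern that matters here, a vendor-facing host talking SMB into corporate and a corporate host talking SMB into the register network.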
0:36 I don't know why, but I find it funny that there are hackers out there that will pay for massively-distributed, licensed hacker tool kits that include a live support page and they still manage to hack a multi-billion dollar corporation. I guess it pays to be a script kiddie.
Would you steal from the people who created software meant to steal?
@@christopherquinonez3933 good point
They probably have better tech support than normal legal companies as well LOL.
@@gblargg I work as an IT Specialist at a bank that uses mostly Microsoft products like Windows and Exchange and I would be lying to you if I said that what you said wasn't true.
@@christopherquinonez3933 Yeah, those people seem like they'd make an example out of anyone trying to use their software without paying. They probably have their own vendors for booby-trapped versions of hacking tools
Well, you can't say that Target isn't aptly named
Underrated comment
😂
Oddly enough I was involved in Target's post-breach auditing and payments processor transition. Been to their IT monitoring center a few times, it's crazy the level of security they incorporated afterwards. It'd be easier to rob a bank during rush hour
You say that but when I worked there in electronics they removed a security camera in the Apple storage aisle and just left the Ethernet cord hanging. Every day I just wondered if they were dumb enough to have a single network.
Love your videos. IMHO I think you're sitting on a goldmine, eventually. You have an extremely good balance of comedy/fun to watch and informative, not to mention you're not just glossing over a few things you add some good info and details. I can see this channel getting very successful/large over a few years. Thanks for the work/effort, it's really appreciated.
A lot of YouTube videos where the creator tries to be constantly funny just become annoying. Here the funny is funny because it's making fun of the dumb things that happen to companies, and it's so packed with technical information and expertise. The rapid-fire nature also causes some jokes to be gotten only after a few seconds, making them funnier. Ever since I saw one of these videos a few months ago I've been watching every one.
My only problem is that it also falls into the same annoying habit that FireShip also has, which is condensing so much info into such a small amount of time that I end up learning barely anything. But I guess you could argue that's the only way to get watch-time? Idk
@@kratosgodofwar777 It could be a 5000 IQ play so you re-watch the video
@@overreactengine I actually ended up watching all his previous videos lmao, it's just that this one is a little more fast paced than the rest
I have always had a hard time conceptualizing these big ideas in security. SQL injections, input sanitizing, database protections, it's all just so high level that it can be difficult for the layperson to understand what is really happening.
That was, until I saw your representation of several amongus doing flips and shit inside of the database
Ah yes, Microsoft, Active Directory and Office, the holy trinity of inevitable security incidents.
It's more of improper usage including default or weak passwords. Like they used a perfectly fine service in a way that degraded its potential safety.
Kevin, I really want to thank you for your videos. I am a new cyber security student and these videos make learning about hacks and data breaches so entertaining
My ex-husband's card was compromised in this, and we got to find out when we were out buying groceries and his card suddenly didn't work. Called the bank and found out someone had tried making a $500 purchase at a Walmart in Illinois, and the bank had automatically blocked it and locked the card. He and I both got new cards sent to us. Not sure how much later it was that we found out Target (and Home Depot, which would have affected my card) had been compromised. :/
Great video!
Fantastic video, you've balanced discussing a technical topic that might be otherwise difficult to understand for someone non-technical, while still having enough detail where the technical people don't feel like they wasted their time
This video is so good and the way you explained it was perfect. I am studying IT atm and from the beginning we are taught how to prevent these breaches from happening. Hilarious that paid and SALARIED individuals just disregarded the warning signs. Tells you that security sometimes isn't the concern of major corporations
7:50 Lesson learned folks, always turn on malware auto-removal
But my cheat engine!
Adding to this: My brother-in-law was a senior engineer at Symantec at the time. IIRC, Target *also* used some Symantec security software as part of their defenses at the time. According to him, Target tried to go after them on the grounds of "Hey, what are we paying you guys for? Isn't your shit supposed to help stop things like this?" Symantec's response was roughly "Well, that'd be true if you were actually paying us. You haven't in 5 years and haven't updated your software in 10."
This is why there needs to be laws in place forbidding businesses from having customer data long term and there needs to be actions in place that allows consumers to not have their lives ruined from bad companies.
Changing the default password in an account is IT 101, it's literally the first thing you do when managing something, especially with sensitive data. And any time someone's credit details get stolen by someone, that business should be forced to pay out at least 3x that of what was in the person's bank account when their data got stolen.
"there needs to be laws in place forbidding businesses from having customer data long term". The EU did this with GDPR. But that's communism after all so it won't fly in freedomland unfortunately.
@@hyde4004 the EU can be extremely hit or miss with their laws, but ones that promote a standard phone cable and ones that prevent companies from using your personal information are always good as long as there are less strict laws for small businesses so they don't have their business ruined if they use a third party program to handle transactions and that 3rd party was the one to be hacked. But any business that's fully capable of affording their own in-house services should be required to face the full force of the law.
@@JimMilton-ej6zi The EU is definitely hit or miss but as far as holding companies up for fucking customers over and general rights to data privacy we are doing mostly well. Well, other than the fact that the EU is on the verge of forcing backdoors into all E2E encryption for instant messaging. Because we all know access to backdoors is never found or bought by anybody that would use them for any bad purpose and governments can always be trusted. *sigh*.
Or.. just don't go to target. Be informed and make good decisions instead of trying to get government to make good decisions for you.
That would be freedomland
@@AJStamand Ah yes... be informed of companies' internal systems and how robust they are against attacks. Got it.
Please keep making these. They teach a LOT. Highly appreciate your stuff
I just found this channel today and already blew through all the videos. This stuff is perfect for me, funny and informative. Please keep it up!
Imma have to ask you to make more of these, they're really funny while also being hella informative
Imagine your credit card info is stolen and you lose large amounts of money, all because you shopped at Target. Then after months or years the class action settles and they pay you 46c as compensation
All while the former CEO gets a $61 million retirement check
Rarely do I insta-click on content. Love your style of videos
Your videos are epic, saves me so much time and effort reading into it myself. I can't believe how owned Target were. Imagine the attackers just deployed ransomware instead.
The ad placement is perfect. Around 1:35 you ask what kind of method was used to hack the thing. Ad of Wix starts playing. I fall out of my chair due to laughing.
Love your videos, have you looked into the Ukrainian power grid attack in 2015 or 2016. I read something on it a while ago and it seemed pretty wild. To lengthen the compromise they uploaded corrupted firmware to the UPS
It's mentioned briefly at 0:25
@@Epic_Aviation I should pay more attention lol
@@Scie Lol 😂
So many gems in these videos, like where lowly engineers take the bus and the CEO drives a Lambo 😂
Point at the end is good, but it is worth also mentioning that chip-and-PIN cards, as have been used in Europe for years, are also protected against this sort of attack.
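Why the chip side of chip-and-PIN resists this kind of attack, as an added example that is not from the video or the commenter: a RAM scraper on a register captures whatever the card hands over, and with a magstripe that is a static track string the issuer will accept again for any amount. An EMV-style chip instead returns a cryptogram, a MAC computed with a key that never leaves the card over the amount, a per-card transaction counter and a nonce from the terminal, so a captured cryptogram cannot be replayed or re-used for a different amount. This is a simplified model: it uses HMAC-SHA256 with a per-card key in place of EMV's session-key MAC and ignores the real standard's data layout and PIN verification; the card key, PAN and amounts are constructed values.

```python
"""Why a scraped magstripe record replays but an EMV-style cryptogram does not.

Added example, not from the video. Simplified model: HMAC-SHA256 with a
per-card key stands in for EMV's session-key MAC, and the data layout is
invented. Card key, PAN and amounts are constructed values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Tuple


def mac(key: bytes, msg: bytes) -> bytes:
    """Truncated MAC, in the spirit of an 8-byte application cryptogram."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    pan: str
    key: bytes           # never leaves the chip
    atc: int = 0         # application transaction counter, increments per use

    def magstripe_track(self) -> str:
        # Static data: identical on every swipe, so a RAM scraper can replay it.
        return f"{self.pan}=2512"  # constructed track-2 style string

    def cryptogram(self, amount_cents: int, unpredictable: bytes) -> Tuple[int, bytes]:
        self.atc += 1
        msg = f"{self.pan}|{amount_cents}|{self.atc}|".encode() + unpredictable
        return self.atc, mac(self.key, msg)


@dataclass
class Issuer:
    keys: Dict[str, bytes]
    last_atc: Dict[str, int] = field(default_factory=dict)

    def authorize_magstripe(self, track: str, amount_cents: int) -> bool:
        # Nothing in the track binds it to this transaction; any copy works.
        pan = track.split("=")[0]
        return pan in self.keys

    def authorize_chip(self, pan: str, amount_cents: int, atc: int,
                       unpredictable: bytes, cryptogram: bytes) -> bool:
        key = self.keys.get(pan)
        if key is None:
            return False
        if atc <= self.last_atc.get(pan, 0):
            return False  # counter already seen: replay or stale data
        expected = mac(key, f"{pan}|{amount_cents}|{atc}|".encode() + unpredictable)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # amount, counter or terminal nonce tampered with
        self.last_atc[pan] = atc
        return True


def demo() -> Dict[str, bool]:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    card = Card(pan="4111111111111111", key=key)
    issuer = Issuer(keys={card.pan: key})

    # Magstripe: the scraped track authorizes again and again.
    track = card.magstripe_track()
    results = {"swipe": issuer.authorize_magstripe(track, 1999)}
    results["swipe_replay"] = issuer.authorize_magstripe(track, 50000)

    # Chip: a scraper only ever sees the counter, nonce and cryptogram.
    nonce = os.urandom(4)
    atc, cg = card.cryptogram(1999, nonce)
    results["chip"] = issuer.authorize_chip(card.pan, 1999, atc, nonce, cg)
    results["chip_replay"] = issuer.authorize_chip(card.pan, 1999, atc, nonce, cg)
    results["chip_amount_changed"] = issuer.authorize_chip(card.pan, 50000, atc + 1, nonce, cg)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'approved' if ok else 'declined'}")
```

The caveat a practitioner would add: the chip protects the card-present transaction, not the PAN itself, so a breach that scrapes chip data still yields card numbers usable for card-not-present fraud online, and PIN entry is cardholder verification rather than what stops the replay.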
They had an IT department that didn't realise they were being hacked for 2 months? 😂😂😂
You have an excellent YouTube way. Keep at it.
The memes per second value in this video is insanely high.
Non-financial customer data. As someone who works in this exact industry, NEVER let a store scan your ID. When they say they don't store this data, they are LYING. A system we installed for a beer store stores all customer information that is pulled from a customer's ID including your name, ID number, and address. Some of the new software can even pull data from state servers for verification.
Yeah, this is why data privacy laws are a big deal.
You can't trust old fucks to know what they're doing
"My own world experiences dictate what happens everywhere everyday all the time."
I'm once again amazed how the fuck my homelab is more advanced and secure than those giant companies
I am not that big of a computer guy, but you manage to explain things that I somewhat understand
As Target is a massive corporation, I find the most unbelievable part of this is the free tier Malwarebytes, which also is somehow, entirely believable for a massive corporation
I love your videos Kevin, the way you edit them always makes me chuckle multiple times and they also tell an interesting story.
It's weird to be watching one of these with insider info that explains some of the questions.
The sad part is, thanks to this, it is now nearly impossible to access data internally within Target, which makes real time data analysis basically impossible if you aren't specifically assigned the role.
you have admin rights ?
This was one of the first supply chain attacks I have heard of.
Edit: I am dumb. A supply chain attack targets software builds to compromise one or more targets. This is actually a third party attack, which uses a third party contractor to springboard into a larger target. They are surprisingly comparable.
He finally uploaded!
so you're basically saying most of this wouldn't have happened if they changed their default passwords
Should do the TJ Maxx breach next, it's one of the few prime examples of in-the-wild wifi hacking that's not just stealing your neighbor's wifi
This was a really interesting, well put together video. First time viewer. Great work bro
Can't wait until you discuss the hacking in Vegas.
I absolutely love your videos, perfect combination of technical, funny and informative please make more
It's a good day when there's a new Kevin Fang vid
Well presented, thank you for the breakdown of this huge breach!
Just casually browsing YouTube and found this really fun video. Keep it up bro!
Don't know if it's intentional, but "kaptoxa" is looking suspiciously similar to "картоха", which translates as "potato" from russian
I've noticed that too and I'm sure this is intentional because the developers are Russian
bro you have captured a new niche of videos. can you recommend other channels with content like yours?
man i am rewatching your videos, come on drop one more already
One issue this data breach highlights is 'alert fatigue'. It's all too common to just see the anti-virus software pop up with something suspicious and not bother to look into it because of previous false positives & the fact it looks too generic. You just assume all is good, when in this case, it very much was not. Alert fatigue is something that needs to be mentioned more often and caught early.
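The comment above is the detection-engineering lesson of the whole story, so here is one way to fight alert fatigue in code, as an added example that is not from the video or the commenter: instead of looking at each generic AV alert on its own, group alerts by signature and escalate when the same signature fires on several distinct hosts inside a short window, or on any host in a sensitive naming range such as registers. A lone "generic" hit on a workstation is plausibly noise; the same generic hit on three registers within minutes is a deployment. The log format, host names, signature names and thresholds are constructed for illustration.

```python
"""Triage AV alerts so a fleet-wide pattern is not dismissed as noise.

Added example, not from the video. Log format, host names, signature
names and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Alert(NamedTuple):
    ts: datetime
    host: str
    detection: str
    action: str


def parse(line: str) -> Alert:
    """Constructed format: '<ISO time> host=<h> detection=<d> action=<a>'."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Alert(datetime.fromisoformat(ts), fields["host"],
                 fields["detection"], fields["action"])


def triage(lines: List[str],
           window: timedelta = timedelta(hours=24),
           min_hosts: int = 3,
           sensitive_prefixes: Tuple[str, ...] = ("pos-", "payment-")) -> Dict[str, dict]:
    """Return, per signature, whether to escalate and why."""
    alerts = sorted(map(parse, lines))  # sorts by timestamp first
    by_sig: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        by_sig[a.detection].append(a)

    verdicts: Dict[str, dict] = {}
    for sig, items in by_sig.items():
        # Sliding window: most distinct hosts hit inside any `window` span.
        spread, i = 0, 0
        for j in range(len(items)):
            while items[j].ts - items[i].ts > window:
                i += 1
            spread = max(spread, len({a.host for a in items[i:j + 1]}))

        sensitive = sorted({a.host for a in items if a.host.startswith(sensitive_prefixes)})
        # Alerts the product only logged rather than cleaned up; the analyst
        # needs to know these are still live on the host.
        unremediated = sorted({a.host for a in items if a.action != "quarantined"})

        reasons = []
        if spread >= min_hosts:
            reasons.append(f"{spread} distinct hosts within {window}")
        if sensitive:
            reasons.append("sensitive host(s): " + ", ".join(sensitive))
        if unremediated:
            reasons.append("not remediated on: " + ", ".join(unremediated))

        verdicts[sig] = {
            "escalate": spread >= min_hosts or bool(sensitive),
            "hosts": len({a.host for a in items}),
            "reasons": reasons,
        }
    return verdicts


# Constructed alert log. Dates and names are illustrative only.
SAMPLE_LOG = [
    "2013-11-30T02:14:05 host=wks-1042 detection=generic.pua action=quarantined",
    "2013-11-30T03:01:44 host=pos-0412 detection=malware.binary action=alert_only",
    "2013-11-30T03:02:10 host=pos-0413 detection=malware.binary action=alert_only",
    "2013-11-30T03:05:31 host=pos-0987 detection=malware.binary action=alert_only",
    "2013-12-02T09:15:00 host=srv-fileshare-02 detection=malware.binary action=alert_only",
    "2013-11-28T10:00:00 host=wks-2201 detection=eicar.test action=quarantined",
    "2013-12-01T10:00:00 host=wks-2202 detection=eicar.test action=quarantined",
]

if __name__ == "__main__":
    for sig, verdict in triage(SAMPLE_LOG).items():
        print(sig, verdict)
```

The thresholds are the tuning knob: `min_hosts` and `window` should be set from your own false-positive history, and the sensitive prefix list is where the payment segment gets a lower bar than the office fleet.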
I never knew a tech video could have this much explosion. Keep em coming
how these two teens hacked into the government:
admin
admin
Thanks for the video. Not only great stories but I learned a lot as well.
These videos are great!!! Don’t stop, these are awesome!
I am happy that I can laugh about this instead of losing my sleep over this.
This is amazing, please keep up the good work. Thank you so much
I had a professor who worked on fixing this. He told us about how it happened and how they fixed it.
Great content. Can you do the 2017 AWS S3 failure?
A company this size with such amateur and irresponsible security, made my startup saas mvp of one man work, looks like national security level 😂😂😂
If the government didn't notify Target about this, who knows how long this might have gone on for...
Wake up babe, kevin fang just dropped another banger of a video
this is why i use cash
The use of memes just makes this soo entertaining. I loled hard at the use of the boss level up animation.
dude this video style is 🔥 love it!
these videos are actually so entertaining
Do you have a Patreon? This has quickly become my favorite channel and would love to support your work.
Awesome video...shows how smart some people are (yet using their intelligence for illegal purposes)
Awesome video, thank you! It always comes down to human error or laziness lol.
Thank you for the cool video! I really enjoy the way you present info
I have noticed the average time between the videos is 1.67 months
very cool
Love the channel, it's really funny, but also very informative about events and how hackers do their thing.
Amazing work. More like this please, into real attacks that happened.
Reminds me of the (I think it was Lowes or Home Depot, don't remember) data breach where they tunneled in through the A/C system's network controller.
That was brilliantly insightful. Can I please ask what you use to make your animations
this is such a true upload thank you mr kevin fang
def one of the uploads that have been ever made
Stealing customer data is definitely a side quest
Very well produced! Thanks 😊
Even before watching I already know this is gonna be a banger
Need more videos like these.
I guess thats why they were called target
Saving credit cards..
In dll files...
Everything in my body currently hurts from hearing that
Fascinating! (Also, wow, trojan citadels?)
You could say the hackers were "on Target".
I wish if I fuck up bad and get fired, I can get a modest $61m severance package too
CEO: we don’t need devs. AI will replace all of them.
All this software is so delicate and important that I feel like not many people know what it needs to maintain it. AI is a tool, not a replacer
I'm commander Shepard and this is my favorite Trojan on the citadel
As admin, I disable RPC by default along with a cavalcade of other restrictions and security.
I've followed you from your first video of this type, from like 10 or 20k subs. I absolutely love this content
i found this funny due to the fact that you used among us characters with happy faces, love the video, very interesting!
I get the feeling that every time someone builds backend services with windows, it always gets hacked to pieces because
1- Windows is not secure by default
2- Windows users don't take security seriously
3- Malware for windows is much more abundant
4- MS software tends to be released in a haste and often not entirely finished, resulting in multiple vulnerabilities
5- MS tends to make terrible decisions when building software, such as allowing the database software to run arbitrary shell commands
Of course, I am certain that Linux can be hacked to pieces too, but it appears to be much less common, probably because vulnerabilities won't come from the OS itself, but from poor software architecture
babe wake up new kevin fang video just dropped
I hope that this was a large reason why the USA slowly started moving away from magstripe credit cards and towards chipped credit cards. But I do remember a lot of kicking and screaming about the change.
It's America. There's always going to be kicking and screaming against change.
It's sad when even Ft Lauderdale city falls for a phishing scam.
Bro. This content is amazing! Keep it goin!
I'm doing a report on this one right now, thx for all the sources and the quick video :)
this is why json is better than sql
5:33 killed me
Honey, another Kevin Fang video dropped!
A fun event to go over is Microsoft's reply-all outlook outage!