It's crazy to think the CEO's severance pay was over 3x as large as the settlement value.
That is horrifically depressing
Goes to show you what paying for a good CEO can save you.
I'm sure Elon musk wouldn't have had to pay anything. [/Sarcasm]
Because dude knows dirt on the company, and shoppers don't
Ahahahha
Also, its stock barely moved. In the end, only the consumer loses, every time.
@@Paulo27 Customers lost some time from the hassle, but banks issued new cards and refunded any money spent fraudulently. By law a customer is only liable for up to $50 of fraudulent charges, but nearly every bank sets the bar to zero.
Imagine having a network so unprotected that you can control a cash register with a damn deli scale from an entirely different store.
What Target has a deli?
@@imabebebebe2496 they used to
@@imabebebebe2496 Super Targets
@@imabebebebe2496 It might be the American Target, they got themselves in a bit of strife financially.
@@imabebebebe2496 it was from a nearby deli store
"...after compromising a deli meat scale" has to be one of the funniest things I've ever heard
Let me get half a pound of boars head and ALL YOUR CUSTOMER CC DATA!
This is why things that don't need to be connected to the internet should not be connected to the internet lmao
@@pleasantvegetable but think of all the money Target could make from selling data regarding which customers like ham
itd be hilarious if not so terrifying
Please don't stop making these videos they fill a hole in the tech incident post mortem world that I never knew needed filling
Couldn't agree more!!!
it’s literally some of the best content on youtube
ahhhhhhhhhhhhh
He's got 90k organic subs he ain't going no where
What is the “tech incident post mortem world”
I love these videos, it feels like an extended cut of that scene where the hacker in a movie is explaining what theyre doing, but then it actually makes sense
And it is the real stuff
they're*
@@JorgetePanete I really do not care.
@@aeaeaeaeoaeaeaeaeaebased
I had always wondered how they went from Target network to PoS systems. I had no idea it was a combo of weak passwords and... no segmentation.
It seems like a dumb mistake today, and that's because it is.
Oh and ignoring the malware alerts they probably paid tens of thousands of dollars to receive
Yeah, airgaps and such are incredibly useful. The problem is that companies like Target have *very* little incentive to actually invest in security. Why would they care if their customers' information/cards got stolen? Sure it's bad PR, but in reality stuff like that really doesn't have a huge effect on their bottom line over a year or so. Worst case scenario, they're found negligent and have to pay a fine that equals a fraction of a percent of their profit that year. They do the math, and a huge reason they don't invest in better security is because they flat out make more money by not paying for better security unfortunately.
To quote another comment: " It's crazy to think the CEO's severance pay was over 3x as large as the settlement value. " @@Stealth86651
Flat networks are terrifyingly common. If you drive by a factory, chances are their machines are on the same LAN as the office PCs.
@@Stealth86651 There may have been some truth to that in 2013, but nowadays ransomware is the name of the game, and that can be hugely disruptive to just about any company.
*hundreds of thousands
Love your videos. IMHO I think you're sitting on a goldmine, eventually. You have an extremely good balance of comedy/fun to watch and informative, not to mention you're not just glossing over a few things you add some good info and details. I can see this channel getting very successful/large over a few years. Thanks for the work/effort, it's really appreciated.
A lot of YouTube videos where the creator tries to be constantly funny just become annoying. Here the funny is funny because it's making fun of the dumb things that happen to companies, and it's so packed with technical information and expertise. The rapid-fire nature also causes some jokes to be gotten only after a few seconds, making them funnier. Ever since I saw one of these videos a few months ago I've been watching every one.
My only problem is that it also falls into the same annoying habit that Fireship also has, which is condensing so much info into such a small amount of time that I end up learning barely anything, but I guess you could argue that's the only way to get watch-time? Idk
@@kratosgodofwar777 It could be a 5000 IQ play so you re-watch the video
@@overreactengine I actually ended up watching all his previous videos lmao, it's just that this one is a little more fast paced than the rest
0:36 I don't know why, but I find it funny that there are hackers out there that will pay for massively-distributed, licensed hacker tool kits that include a live support page and they still manage to hack a multi-billion dollar corporation. I guess it pays to be a script kiddie.
Would you steal from the people who created a software meant to steal
@@christopherquinonez3933 good point
They probably have better tech support than normal legal companies as well LOL.
@@gblargg I work as an IT Specialist at a bank that uses mostly Microsoft products like Windows and Exchange and I would be lying to you if I said that what you said wasn't true.
@@christopherquinonez3933 Yeah those people seem like they'd make an example out of anyone trying to use their software without paying. They probably have their own vendors for booby-trapped versions of hacking tools
Oddly enough I was involved in Target's post-breach auditing and payments processor transition. Been to their IT monitoring center a few times, it's crazy the level of security they incorporated afterwards. It'd be easier to rob a bank during rush hour
You say that but when I worked there in electronics they removed a security camera in the Apple storage aisle and just left the Ethernet cord hanging. Everyday I just wondered if they were dumb enough to have a single network.
@@TheDarkfighter101 ? A single store leaving a cable available has literally nothing to do with the advanced IT center in which they invested hundreds of millions.
Ah yes, Microsoft, Active Directory and Office, the holy trinity of inevitable security incidents.
It's more of improper usage including default or weak passwords. Like they used a perfectly fine service in a way that degraded its potential safety.
Kevin, I really want to thank you for your videos. I am a new cyber security student and these videos make learning about hacks and data breaches so entertaining
i have always had a hard time conceptualizing these big ideas in security. sql injections, input sanitizing, database protections, its all just so high level, that it can be difficult for the layperson to understand what is really happening
that was, until i saw your representation of several amongus doing flips and shit inside of the database
This video is so good and the way you explained it was perfect. I am studying IT atm and from the beginning we are taught how to prevent these breaches from happening. Hilarious that paid and SALARIED individuals just disregarded the warning signs. Tells you that security sometimes isn't the concern of major corporations
Fantastic video, you've balanced discussing a technical topic that might be otherwise difficult to understand for someone non-technical, while still having enough detail where the technical people don't feel like they wasted their time
I just found this channel today and already blew through all the videos. This stuff is perfect for me, funny and informative. Please keep it up!
The ad placement is perfect. Around 1:35 you ask what kind of method was used to hack the thing. Ad of Wix starts playing. I fall out of my chair due to laughing.
My ex-husband's card was compromised in this, and we got to find out when we were out buying groceries and his card suddenly didn't work. Called the bank and found out someone had tried making a $500 purchase at a Walmart in Illinois, and the bank had automatically blocked it and locked the card. He and I both got new cards sent to us. Not sure how much later it was that we found out Target (and Home Depot, which would have affected my card) had been compromised. :/
Great video!
Well, you can't say that Target isn't aptly named
Underrated comment
😂
Imma have to ask you to make more of these, they're really funny while also being hella informative
Please keep making these. They teach a LOT. highly appreciate your stuff
Rarely do I insta-click on content. Love your style of videos
This was a really interesting, well put together video. First time viewer. Great work bro
Your videos are epic, saves me so much time and effort reading into it myself. I can't believe how owned Target were. Imagine the attackers just deployed ransomware instead.
I love your videos Kevin, the way you edit them always makes me chuckle multiple times and they also tell an interesting story.
The memes per second value in this video is insanely high.
This is why there needs to be laws in place forbidding businesses from having customer data long term and there needs to be actions in place that allows consumers to not have their lives ruined from bad companies.
Changing the default password in an account is IT 101, it's literally the first thing you do when managing something, especially with sensitive data. And any time someone's credit details get stolen by someone, that business should be forced to pay out at least 3x that of what was in the person's bank account when their data got stolen.
"there needs to be laws in place forbidding businesses from having customer data long term". The EU did this with GDPR. But that's communism after all so it won't fly in freedomland unfortunately.
@@hyde4004 the EU can be extremely hit or miss with their laws, but ones that promote a standard phone cable and ones that prevent companies from using your personal information are always good as long as there are less strict laws for small businesses so they don't have their business ruined if they use a third party program to handle transactions and that 3rd party was the one to be hacked. But any business that's fully capable of affording their own in-house services should be required to face the full force of the law.
@@JimMilton-ej6zi The EU is definitely hit or miss but as far as holding companies up for fucking customers over and general rights to data privacy we are doing mostly well. Well, other than the fact that the EU is on the verge of forcing backdoors into all E2E encryption for instant messaging. Because we all know access to backdoors is never found or bought by anybody that would use them for any bad purpose and governments can always be trusted. *sigh*.
Or.. just don't go to target. Be informed and make good decisions instead of trying to get government to make good decisions for you.
That would be freedomland
@@SaxSage Ah yes... be informed of companies' internal systems and how robust they are against attacks. Got it.
Imagine your credit card info is stolen and you lose large amounts of money, all because you shopped at Target. Then after months or years the class action settles and they pay you 46c as compensation
All while the former CEO gets a $61 million retirement check
Adding to this: My brother-in-law was a senior engineer at Symantec at the time. IIRC, Target *also* used some Symantec security software as part of their defenses at the time. According to him, Target tried to go after them on the grounds of "Hey, what are we paying you guys for? Isn't your shit supposed to help stop things like this?" Symantec's response was roughly "Well, that'd be true if you were actually paying us. You haven't in 5 years and haven't updated your software in 10."
I absolutely love your videos, perfect combination of technical, funny and informative please make more
One issue this data breach highlights is 'alert fatigue'. It's all too common to just see the anti-virus software pop up with something suspicious and not bother to look into it because of previous false positives & the fact it looks too generic. You just assume all is good, when in this case, it very much was not. Alert fatigue is something that needs to be mentioned more often and caught early.
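An added example of the kind of triage logic that pushes back against alert fatigue. This is not code from the video or from the commenter above, and the alert line format, host names, zone names and signature names are all invented for illustration; they do not correspond to any real product's output. The idea it shows: a generic-looking detection on one workstation that the AV already quarantined is reasonable to treat as low priority, but the same signature spreading across several hosts, any hit in a payment zone, or an alert whose action is "detected" rather than "quarantined" should never be auto-dismissed, because those are exactly the cases where "just another generic alert" is the wrong call.

```python
"""Triage constructed endpoint-AV alert lines against a few escalation rules.

Added example, not from the page. Log format and all names are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (invented format: ISO timestamp then key=value pairs).
SAMPLE_ALERTS = """\
2024-03-01T02:11:04 host=pos-0042 zone=payment sig=malware.binary action=detected
2024-03-01T02:13:51 host=pos-0117 zone=payment sig=malware.binary action=detected
2024-03-01T02:19:12 host=pos-0203 zone=payment sig=malware.binary action=detected
2024-03-01T09:40:00 host=wks-hr-07 zone=corp sig=pup.toolbar action=quarantined
2024-03-01T09:41:30 host=wks-hr-07 zone=corp sig=pup.toolbar action=quarantined
2024-03-01T11:02:00 host=wks-fin-12 zone=corp sig=pup.toolbar action=quarantined
2024-03-02T14:00:00 host=wks-it-01 zone=corp sig=trojan.dropper action=quarantined
2024-03-02T14:05:00 host=wks-it-02 zone=corp sig=trojan.dropper action=quarantined
2024-03-02T14:09:00 host=wks-it-03 zone=corp sig=trojan.dropper action=quarantined
2024-03-03T00:05:00 host=wks-dev-03 zone=corp sig=generic.heuristic action=quarantined
"""

# Assumed policy: these zone labels and action verbs are this example's own.
SENSITIVE_ZONES = {"payment"}
REMEDIATED_ACTIONS = {"quarantined", "removed", "blocked"}


def parse_alert(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    alert = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        alert[key] = value
    return alert


def triage(lines, spread_threshold=3, window=timedelta(hours=24)):
    """Classify alerts in time order.

    Returns (escalated, low): lists of (alert, [reasons]). An alert is escalated
    when any rule fires; otherwise it is low priority, with repeats of an
    already-remediated (host, signature) pair marked as duplicates.
    """
    alerts = sorted((parse_alert(ln) for ln in lines if ln.strip()),
                    key=lambda a: a["ts"])
    history = defaultdict(list)   # sig -> [(ts, host)] seen so far
    seen_pairs = set()            # (host, sig) already handled as low priority
    escalated, low = [], []
    for a in alerts:
        reasons = []
        if a["zone"] in SENSITIVE_ZONES:
            reasons.append("sensitive zone")
        if a["action"] not in REMEDIATED_ACTIONS:
            reasons.append("not remediated")
        # Spread rule: same signature on N distinct hosts inside the window.
        history[a["sig"]].append((a["ts"], a["host"]))
        recent_hosts = {h for t, h in history[a["sig"]] if a["ts"] - t <= window}
        if len(recent_hosts) >= spread_threshold:
            reasons.append(f"spread to {len(recent_hosts)} hosts")
        if reasons:
            escalated.append((a, reasons))
        elif (a["host"], a["sig"]) in seen_pairs:
            low.append((a, ["duplicate of earlier remediated alert"]))
        else:
            low.append((a, ["remediated, first sighting"]))
        seen_pairs.add((a["host"], a["sig"]))
    return escalated, low


if __name__ == "__main__":
    esc, lo = triage(SAMPLE_ALERTS.splitlines())
    for alert, why in esc:
        print("ESCALATE", alert["ts"], alert["host"], alert["sig"], "|", "; ".join(why))
    for alert, why in lo:
        print("low     ", alert["ts"], alert["host"], alert["sig"], "|", "; ".join(why))
```

Run as-is and the three payment-zone hits escalate on two rules each, the third trojan.dropper quarantine escalates purely on spread (the AV "handled" each one, but three hosts in a few minutes is a campaign, not noise), and the repeat pup.toolbar hit on the same workstation is the only thing that gets folded into an earlier alert. The thresholds and zone labels are tuning knobs for whoever adopts the pattern, not values taken from the breach.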
7:50 Lesson learned folks, always turn on malware auto-removal
But my cheat engine!
So many gems in these videos, like where lowly engineers take the bus and the CEO drives a Lambo 😂
Point at the end is good but it is worth also mentioning that chip-and-PIN cards, as have been used in Europe for years, are also protected against this sort of attack.
He finally uploaded!
Just casually browsing YouTube and found this really fun video. Keep it up bro!
They had an IT department that didn't realise they were being hacked for 2 months? 😂😂😂
You have an excellent YouTube way. Keep at it.
Well presented, thank you for the breakdown of this huge breach!
I am not that big of a computer guy, but you manage to explain things that I somewhat understand
Love your videos, have you looked into the Ukrainian power grid attack in 2015 or 2016. I read something on it a while ago and it seemed pretty wild. To lengthen the compromise they uploaded corrupted firmware to the UPS
It's mentioned briefly at 0:25
@@Epic_Aviation I should pay more attention lol
@@Scie Lol 😂
Thanks for the video. Not only great stories but I learned a lot as well.
It's a good day when there's a new Kevin Fang vid
Love the channel, it's really funny, but also very informative about events and how hackers do their thing.
This is amazing, please keep up the good work. Thank you so much
I never knew tech video can have this much explosion. Keep em coming
As Target is a massive corporation, I find the most unbelievable part of this is the free tier Malwarebytes, which also is somehow entirely believable for a massive corporation
These videos are great!!! Don’t stop, these are awesome!
I'm once again amazed how the fuck my homelab is more advanced and secure than those giant companies
It's weird to be watching one of these with insider info that explains some of the questions.
The sad part is, thanks to this, it is now nearly impossible to access data internally within Target, which makes real time data analysis basically impossible if you aren't specifically assigned the role.
you have admin rights ?
Non-financial customer data. As someone who works in this exact industry, NEVER let a store scan your ID. When they say they don't store this data, they are LYING. A system we installed for a beer store stores all customer information that is pulled from a customer's ID including your name, ID number, and address. Some of the new software can even pull data from state servers for verification.
yeah this is why data privacy laws are a big deal.
You can't trust old fucks to know what they're doing
"My own world experiences dictate what happens everywhere everyday all the time."
should do the TJ Maxx breach next, it's one of the few prime examples of in-the-wild wifi hacking that's not just stealing your neighbor's wifi
bro you have captured a new niche of videos. can you recommend other channels with content like yours?
dude this video style is 🔥 love it!
4:01 security is erased for everyone but me 🗣️
Can't wait until you discuss the hacking in Vegas.
This was one of the first supply chain attacks I have heard of.
Edit: I am dumb. A supply chain attack targets software builds to compromise one or more targets. This is actually a third party attack, which uses a third party contractor to springboard into a larger target. They are surprisingly comparable.
The use of memes just makes this soo entertaining. I loled hard at the use of the boss level up animation.
how these two teens hacked into the government:
admin
admin
Don't know if it's intentional, but "kaptoxa" is looking suspiciously similar to "картоха", which translates as "potato" from russian
I've noticed that too and I'm sure this is intentional because the developers are Russian
Awesome video, thank you! It always comes down to human error or laziness lol.
Awesome video...shows how smart some people are (yet using their intelligence for illegal purposes)
so you're basically saying most of this wouldn't have happened if they changed their default passwords
these videos are actually so entertaining
Very well produced! Thanks 😊
this is such a true upload thank you mr kevin fang
def one of the uploads that have been ever made
I am happy that I can laugh about this instead of losing my sleep over this.
Do you have a Patreon? This has quickly become my favorite channel and would love to support your work.
Wake up babe, kevin fang just dropped another banger of a video
Amazing work. More like this please into real attacks that happaned.
I've followed you from your first video of this type, from like 10 or 20k subs. I absolutely love this content
i have noticed the average time for the videos is 1.67 months
very cool
I had a professor who worked on fixing this. He told us about how it happened and how they fixed it.
Need more videos like these.
Reminds me of the (i think it was Lowes or Home Depot, dont remember) data breach where they tunneled in through the A/C systems network controller.
As admin, I disable RPC by default along with a cavalcade of other restrictions and security.
If the government didn't notify Target about this, who knows how long this might have gone on for...
Bro. This content is amazing! Keep it goin!
Great content. Can you do the 2017 AWS S3 failure?
completely missed opportunity of inserting flowey monstrous face for the among us imposter
I'm commander Shepard and this is my favorite Trojan on the citadel
i found this funny due to the fact that you used among us characters with happy faces, love the video, very interesting!
A fun event to go over is Microsoft's reply-all outlook outage!
That was brilliantly insightful. Can I please ask what you use to make your animations
Fascinating! (Also, wow, trojan citadels?)
7:58 That's funny how they used a generic name to make it seem like a test mode of the software. I like to name WiFi networks like that, so people think it's an error or not working (e.g. name it "No signal" or "DNS Error").
I wish if I fuck up bad and get fired, I can get a modest $61m severance package too
5:38 never thought I'd show up in a video like this, that was probably an HLX scale, which runs Windows Embedded on an AMD Geode
Saving credit cards..
In dll files...
Everything in my body currently hurts from hearing that
CEO: we don’t need devs. AI will replace all of them.
All these software are so delicate and important that I feel like not many people know what it needs to maintain them. AI is a tool not a replacer
A company this size with such amateur and irresponsible security makes my startup SaaS MVP, a one-man effort, look like national security level 😂😂😂
Did I get that right? It only affects cards if you use the magnetic strip? In that case it's not even going to affect that many people…
Another excellent video, thank you
Giving the virus stand stats is sooo funny to me :)
I love ur vids so much, they are very well done 😭😭
babe wake up new kevin fang video just dropped
I really hope all Malware is referenced like a JoJo stand 0:44
5:10 Seriously? Even a retail giant like Target didn't do network segmentation for things like this?
Honey, another Kevin Fang video dropped!
god this guy's voice is awesome
I get the feeling that every time someone builds backend services with windows, it always gets hacked to pieces because
1- Windows is not secure by default
2- Windows users don't take security seriously
3- Malware for windows is much more abundant
4- MS software tends to be released in a haste and often not entirely finished, resulting in multiple vulnerabilities
5- MS tends to make terrible decisions when building software, such as allowing the database software to run arbitrary shell commands
Of course, I am certain that Linux can be hacked to pieces too, but it appears to be much less common, probably because vulnerabilities won't come from the OS itself, but from poor software architecture
Ha, Petco has the same vulnerability. Wonder if they fixed it yet.