182 Chapter 8 ■ Trojans, Viruses, Worms, and Covert Channels
What enabled this breach? Initial reports point strongly to the fact that the attack was
made possible, at least in part, by malware that found its way onto the point-of-sale
systems used at checkout.
The aftermath of this attack has been manifold. Target’s public image has been tarnished,
its stock price hit a new 52-week low, and sales have dropped as customers have
questioned whether they can trust Target with their information. Additionally, Target
has had to offer credit monitoring to its customers; and many of those same customers’
credit cards and associated accounts have been closed and reissued by their banks as a
precautionary measure. Finally, the U.S. Congress is initiating hearings in the Senate to
find out more about the breach, with assistance from the U.S. Secret Service and Federal
Trade Commission.
Another interesting footnote to this incident is the flow of information that has been
available in the aftermath. The scope of the attack and the fact that it was unprecedented
caught the retail industry as a whole off guard. This resulted in a lot of information
about the attack becoming public in the hours and days following the detection and
reporting of the breach. As days have extended into weeks and months, many of the
initial reports have vanished from the Web, and sources have gone quiet. Although it may
seem fishy that such information would disappear, the intention is benign. Much of the
detailed information that was reported has been removed so as not to interfere with the ongoing
investigation and to prevent a potential copycat from carrying out another attack (or at
least make it tougher to do). The wisdom of this move is being debated, but it highlights
one of the issues of being an ethical hacker: You must be careful with information and
mindful of the harm that can be caused if it falls into the wrong hands.
The scope of this breach and the resulting fallout are still being calculated at the time of
this writing, but it gives you an idea of how serious the problem of malware and the need
for greater cybersecurity have become.
Malware and the Law
Ethical hackers should be mindful of the web of laws that relates to the deployment and
use of malware. Over the years, malware has been subjected to increasing legal attention
as the technology has evolved from being harmless to much more malicious and expansive
in its abilities. The creation and use of malware have led to the enactment of some very
strict laws; many countries have passed or modified laws to deter the use of malware. In the
United States, the laws that have been enacted include the following:
The Computer Fraud and Abuse Act: This law was originally passed to address federal
computer-related offenses and the cracking of computer systems. The act applies to cases
that involve federal interests, or situations involving federal government computers or those
of financial institutions. Additionally, the law covers computer crime that crosses state lines
or jurisdictions.