The massive Target breach led to revelations that many companies use Internet-connected heating, ventilation, and air conditioning (HVAC) systems without adequate security, giving hackers a potential gateway to key corporate systems, a security firm warned Thursday.Cloud security service provider Qualys said that its researchers have discovered that most of about 55,000 HVAC systems connected to the Internet over the past two years have flaws that can be easily exploited by hackers. In Target's case, hackers stole login credentials belonging to a company that provides it HVAC services and used that access to gain a foothold on the company's payment systems.HVAC systems connect to networks at various retail companies, government buildings and even hospitals, according to the security firm. HVAC vendors and other third parties often have remote access right to these systems for administrative and support purposes.Hackers can exploit these systems to gain access to enterprise networks and leapfrog onto other corporate systems, Qualys said.

The recent breach at Target, which resulted in the theft of data on 40-million credit and debit cards, is believed to have occurred in this way. According to security blogger Brian Krebs, who first reported the massive breach, hackers gained access to the Target network using login credentials stolen from a company that provides HVAC services to the retailer.The HVAC firm apparently had access rights to Target's network for carrying out tasks like remotely monitoring energy consumption and temperatures at various stores. The Target data thieves used the remote access rights to gain a foothold on the retailer's network and subsequently leapfrog onto the company's payment systems.Most companies have no idea HVAC systems are connected to the Internet and can serve as gateways into the corporate network and sensitive data, said Billy Rios director of intelligence at Qualys, in an email."This breach doesn't just affect Target. There are many other control systems for other companies that are exposed," Rios said.

After the disclosure about how attackers accessed the Target network, Qualys did some network scanning and found that that the HVAC system at Target's headquarters is still visible online. So too is the HVAC and energy management systems at the Sochi Olympics arena, he said."The Sochi system doesn't even require a password, so if you know the IP address, you're in. We've contacted the integrator to warn them of this problem," Rios noted.Often, the companies that have remote access to HVAC systems fail to realize that the systems can be used as a gateway to sensitive corporate networks. So they typically tend to have lax security measures, he said. For instance, many HVAC management companies use the same password to access systems belonging to multiple customers, he said.Qualys has been working with the DHS on this issue for three years, so the threat is not unknown to all, Rios said. "Most people just don't know about it yet," he added.Boatner Blankenstein, senior director of solutions engineering at Bomgar, a company that provides tools for securing remote access, said the Target breach shows why companies need to implement measures for controlling what third-parties can do on their networks.

Large enterprises often grant remote access rights to software, hardware, and numerous other vendors and external third parties. But few have measures in place for ensuring that the access is properly authenticated and secured. While many companies might routinely log remote access sessions, few have capabilities to audit the access from a security standpoint, he said.Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. air conditioning repair kit for carsFollow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . air conditioner split system components Window air units might keep you cool, but their design is the stuff of nightmares: heavy, awkward boxes that block your view, are a pain to install, and sound like a robot with pertussis. 3 ton ac electrical load

The Noria Air Conditioner is a reimagining of the window unit from the ground up, with the aim of alleviating all those problems. Easy to install, it has a low profile design that's less than 6" tall and lets you reclaim the view from your window. Quiet, efficient fans direct air upwards, creating a convective cycle that spreads the coolness throughout the room, and a fresh air mode lets in outside air on cool nights. You can set the temperature via the simple dial on the front, or open the app to access smart features like a scheduling system. And thanks to a special frame that lets you close the window before sliding the main unit into place, you don't have to worry about it tumbling through the open window onto unsuspecting objects/animals/people below. George & Willy Firestarter You took time picking out the right fireplace. So don't go lighting it with tools that look like they belong in an 1800s saloon. The George & Willy Firestarter is as effective as it is aesthetically pleasing.

The kit includes a simple retangular vessel that holds lamp oil and a matching firestone rod. You fill the vessel with the included oil, let the stone soak, roll it in the ashes, light it, set it underneath your wood for 15 minutes or so, and you're all set. The vessel also serves as a holder for the firestone, and both are finished in unassuming matte black. Now on its third generation, the Nest Thermostat isn't the only smart thermostat around anymore — but it's still one of the best. The latest model has a screen that's higher-res and 40 percent larger than the 2nd-gen, a fact that's put to full advantage by Farsight, a feature that displays the target temperature or time in large, easily-readable type when you walk in the room. It's thinner, too, still integrates well with the company's smoke/CO2 detector and cameras, and can now sense problems with your furnace ahead of time, so you're not left with an outrageous maintenance bill, or worse, a non-functioning heater.SAN FRANCISCO — Investigators say they believe they have identified the entry point through which hackers got into Target’s systems, zeroing in on the remote access granted through the retailer’s computerized heating and cooling software, according to two people briefed on the inquiry.

The latest revelation highlights the reality that a large company is actually a sprawling network of interconnected vendors, and that weak security at any one vendor can lead to a breach that costs hundreds of millions of dollars. Target, Neiman Marcus and the Michaels chain of arts and crafts stores are among the major retailers whose systems have been hacked with what investigators suspect is similar malware that invades the computerized register system and snatches consumer data, according to people with knowledge of the investigations. But it has not been disclosed whether other companies were possibly invaded through outside vendors with remotely controlled access.Target had already confirmed that hackers used a vendor’s stolen credentials to get inside its corporate network and crawl into a server containing 70 million customers’ names, mailing addresses and email addresses and into the company’s crown jewels: the in-store cash register systems that authorized 40 million customer’s credit and debit cards over the course of a few weeks during the holiday shopping season last year.

Using the vendor’s access, hackers were able to burrow into Target’s systems so thoroughly that even three days after Target thought it had expelled them, the retailer found malware on 25 registers, John J. Mulligan, Target’s chief financial officer, testified at a Senate hearing on Tuesday. Molly Snyder, a Target spokeswoman, said the company would not comment on its vendors or specific details of the investigation.  Brian Krebs, a security blogger who first reported the Target breach, was also the first on Wednesday to identify the vendor whose remote access had been compromised. But investigators would not confirm the vendor’s identity. Security experts say that it is common for heating, ventilation and air-conditioning companies — so-called HVAC companies — to be granted network access to clients so that they can monitor retail stores and diagnose problems remotely. “Remote access to these systems is really common and integrators are almost always on the corporate network,” said Billy Rios, director of threat intelligence at Qualys, a cloud security firm.

Mr. Rios said that the security at such companies tended to be poor and that vendors often used the same password across multiple customers.Over the last two years, Mr. Rios and Terry McCorkle, also of Qualys, said that they found 55,000 HVAC systems connected to the Internet. In most cases, they said, the systems contained basic security flaws that would allow hackers a way into companies’ corporate networks, or the companies installing and monitoring these systems reused the same remote access passwords across multiple clients. The payment card industry’s data security requirements dictate how employees, administrators and vendors can remotely connect to systems. They require that merchants like Target employ two-factor authentication — which adds a second, temporary password during the login process — for employees, administrators and vendors trying to gain entry to their systems remotely. Security specialists confirmed Wednesday that Target’s heating, ventilation and air-conditioning systems were connected to the Internet.