TJX Breach Began With WEP Crack

An anonymous reader sends us to the Wall Street Journal for a detailed report on what is known to date about the TJX data breach. It seems that the loss of over 45 million credit card numbers and more than 450,000 SSNs, driver's license numbers, and military identifications began with someone using a "telescope-shaped" antenna at a wireless link at a Marshall's near St. Paul, Minnesota in July 2005. The link was encrypted using WEP, which had been known to be broken since 2001. The crackers who got into the TJX central databases are believed to be Romanians or Russians with ties to the Russian mobs. The eventual cost of the TXJ fiasco could exceed $1 billion — not including the numerous lawsuits filed against the retailer.

Why isn't WEP recalled?

[krbvroc1]

WEP is seriously flawed. What hasn't it been recalled and all router manufacturers forced to replace the hardware (or firmware)?
In most industries if you ship such a flawed product, the manufacturer has some liability. They are still selling them today too.

Of course shame on TJ Max and the whole handling of this fiasco. Not that I ever did previously, but I would never shop there.

Re:Why isn't WEP recalled?

[smittyoneeach]

WEP is 'good enough' for running your home network. It lets the neighbors now to keep out, like a lock on the door.
Like any lock, (including WPA, no?) you can beat it with enough hardware.
If you're that paranoid, you're running a wired network anyway, right?

Re:Why isn't WEP recalled?

[_Sharp'r_]

At this point in time, WEP is more like the lock on your bathroom door. Fine to let people know that you don't want visitors, but not really designed to keep anyone out who wants to get in.

WPA is more like a front-door with a keylock and a deadbolt. Someone could break in, but they'd have to at least take a little more trouble than pulling a coin out of their pocket like you can do with "interior" locks.

If it's something you need to be secure, then yeah, you should be running encrypted traffic over a physically secure wired connection, not broadcasting everything to the neighborhood.

Re:Why isn't WEP recalled?

[blhack]

Because some people still depend on it. I've got a handful of inventory tracking devices built in the late 1990's that depend upon WEP if you want any sort of security at all. What needs to become that standard is VPN. Put all your wifi devices onto a separate lan, and only allow access to your "real" network via VPN. With companies like AML producing hand held inventory tracking devices build on debian, doing this with openvpn could actually become a reality. I recently demoed the model linked to above and the thing is really slick. Telnet access to it (with SSH available), a full shell available, and a generally rock solid device. The only reason we are still stuck with the late 1990's models is that the industry standard for inventory tracking devices has become an imager for a bar code reader, which isn't very well suited to scanning VIN barcodes through windshields (i work in the automotive industry).

Re:Why isn't WEP recalled?

[arth1]

There's plenty of older hardware that doesn't have the processing power to do WPA, and has to rely on WEP. This is especially true for embedded devices (like print servers and bar code scanners) and PDAs. And for larger companies, replacing every single access point AND WiFi-device isn't a small thing.
Could you imagine being the IT manager who has to tell upper management that the big expense you added to the budget two years ago, which was supposed to last five years before being incrementally replaced, now has to be completely trashed and replaced in one go because the encryption turned out to not be safe?

The best thing many companies can do short term is to limit the damage, by restricting the use of WEP to data that they can afford losing. But even that requires admitting flaws, and is likely to get your head chopped off for bringing the bad news.

Re:Why isn't WEP recalled?

[seaturnip]

Have you bothered to read the article? These kinds of devices were one of the main sources of information.

Maybe instead of being terrified and covering their ass at the expense of the company and its customers, these IT managers should do their jobs.

Re:Why isn't WEP recalled?

[smittyoneeach]

So WEP is like jaywalking, and WPA is using the crosswalk.
Yet getting smacked by a bus is likely fatal in either case.
Just getting hardware that is compatible and configuring it for proper use is daunting.
Under Gentoo, my ipw3945 has been an absolute mother to get configured. Udev this, regulatory daemon that, kernel driver the other, firmware the fourth. Good thing that I'm into pain and suffering. ;)

Re:Why isn't WEP recalled?

[Kelz]

You must be new here (to IT).

Re:Why isn't WEP recalled?

[krbvroc1]

Could you imagine being the IT manager who has to tell upper management that the big expense you added to the budget two years ago, which was supposed to last five years before being incrementally replaced, now has to be completely trashed and replaced in one go because the encryption turned out to not be safe? Except WEP has been known to be broken since 2001. Also your IT manager example is putting profit above the safeguard of customer information such as their credit cards. Didn't Ford Motor company balk at the expense of adding an $11 fuel bladder to prevent the Ford Pinto from exploding? They figured they would just pay whatever damages, but when they were punished by a jury, the damages for a single death totaled more than their entire estimate. The damages were so high partly because the jury was made aware that Ford actually made a thought process like your IT manager that they understood the risks, but didn't want to spend money on the problem.

If there are older devices that only support WEP, those can be moved to a separate router and firewalled/VLAN/etc.

I wonder how much money the 'Credit Monitoring' services make out with all these breeches?

It seems to me the only solution to this is to pass strong data ownership protections for consumers. Right now, the companies place very little value on the data (except for marketing/advertising purposes), but this needs to change somehow.

Re:Why isn't WEP recalled?

[Daishiman]

Said IT manager could point at this very disaster as a good reason for upgrading all your hardware. Really Bad PR + Lawsuits by the dozen Replacement of WEP-enable hardware (because there's just so much of it lying around, right?). If said company's a good customer of some hardware provider they could even inquire about discounts on new inventory for this very reason to spice things up in their favor.

Re:Why isn't WEP recalled?

I don't think you understand just how bad WEP is. It's not a matter of calculating, throwing hardware at it, or anything like that. You just wait for the right packets to get sent and look for the keys.

Re:Why isn't WEP recalled?

[jlarocco]

Could you imagine being the IT manager who has to tell upper management that the big expense you added to the budget two years ago, which was supposed to last five years before being incrementally replaced, now has to be completely trashed and replaced in one go because the encryption turned out to not be safe?

Can you imagine being the IT manager who has to tell upper managment that criminals just got millions upon millions of credit card numbers and SSNs off of the network? Oh, and then tell them you not only knew it was possible, but you knew it was easy to do, and you chose not to do nothing.

Re:Why isn't WEP recalled?

[maxume]

There needs to be some sort of data protection regulation, but there also needs to be some legislation that says that I'm not responsible for anything and everything that somebody impersonating me does, simply because I'm in no position to prevent those attempts. At the moment, individuals bear the brunt of the consequences when a credit card issuer gives a card to somebody committing fraud; that's insane, the issuer should be forced to face the consequences, because then they would quickly become much more careful about finding out who their customers are.

Re:Why isn't WEP recalled?

[jlarocco]

and you chose not to do nothing.

God damn lack of coffee. Should read: "and you chose to do nothing."

Re:Why isn't WEP recalled?

[smittyoneeach]

OK, so WEP is the United Nations of encryption schemes--only slightly better than no encryption at all.
This December 2005 blog post (the first google hit for "WPA hack") http://blogs.ittoolbox.com/wireless/networks/archi ves/cracking-wpapsk-6730
says

The other tools that caught my interest are Aircrack and Airdecap because they work for both WEP and WPA encryption, which in my experience thus far hacking tools are typically limited to WEP.

Fine. Bash WEP. But what's the point of killing myself getting WPA configured when it buys me, at most, a bit of time?
If I'm worried about packet security, better just trot out the CAT 5 cable, near I can tell.
Certainly would cut down on the configuration agony experienced across all the operating systems I use.

Re:Why isn't WEP recalled?

[wizardforce]

Hm, Newton also becomes significantly flawed as we approach c/10. Time to force all publishers to recall all those classical mechanics textbooks.

bad analogy, relativistic effects are irrelevant, stolen credit cards are not.

Re:Why isn't WEP recalled?

[lordDallan]

Sure, or maybe the "I have a business major and/or MBA!" Senior Execs who the IT managers undoubtedly report to, need to get a clue and allocate a real budget to their IT staff.

I bet replacing/upgrading/changing the hardware/software that was to blame across TJX's entire corporate infrastructure would have cost much less than the $1 billion dollars that dealing with the current situation could purportedly cost.

[Rant begins here]Now I'm not saying the IT management were blameless either. But the greater issue IMHO is that IT is treated with disdain. IT managers are often treated as something to be tolerated by businesses. This is a horrible backwards, outdated mindset. Unfortunately, IT professionals seem to be doing very little to change this.

At this point, IT is vital, vital to any $10M/year or higher in revenues (to pick an arbitrary number) business. But it is often treated as though it's some glorified janitorial service. Attention MBAs, IT is not there to clean up your screwed up PC and make sure your blackberry works. Sure, that's part of their bailiwick, but until corporate managers start realizing that their business live and die by their IT infrastructure (as the TJX debacle clearly demonstrates), these mistakes will happen over and over again.

The other side of the coin are the people who work in IT itself. I don't know if it's because we were the ones who were picked on in junior high, or what. But I do know that IT professionals are the most ill-treated group of highly-skilled professionals around. Why there isn't some sort of real guild/league/association of IT professionals eludes me. Look at doctors and lawyers. They have the AMA, and the bar (forgive me if my details here aren't exactly correct, but I think my point is clear), they have specialized degrees, and they don't take sh*t from anyone. Why because they know they have unique knowledge and they expect to be compensated accordingly. And when someone tries to muck up their good racket they have going, their professional organizations lobby groups kick into high gear and start shredding whoever it is that wants to take their candy.

On the other hand, when anyone even tries to mention the idea of some formalized "union-like" IT organization, all of the IT types start screaming bloody murder, and all this weird pseudo-libertarian, free market babble starts gurgling out from their pie holes. Attention IT professionals, this isn't about political philosophy. It's about fighting, scratching, "give me my piece of the pie you *sshole" capitalism. IT professionals need to wake up and take control of their situation. I assure you the big boys at the top of the heap love watching you scramble about at their beckon call while their billions of dollars are funneled through systems you keep running with wire and glue because you don't want to rock the boat by asking for a bigger, strike that, realistic budget.

I'm not sure what the right steps would be to start moving towards forming a professional IT organization with real power (as in you can't get jack done on your computers unless you use someone from our guild anymore than you can litigate or perform surgery with out a bar certified lawyer or board certified doctor), but until that happens, IT workers will be thralls and TJX's and TSA laptop debacles, and IBM outsourcing hoo-ha's etc. will happen based solely on the whims of people who think that Excel macros are software and phone cords are what connect computers on a LAN. And just to be clear, Microsoft, ITT Tech, COMP-TIA, CISCO certifications do not cut the mustard as they do not exist to help you in anyway. The benefit you gain is a sliver of what the organizations who dole them out make from your labor.[Rant ends here]

Re:Why isn't WEP recalled?

Have YOU bothered to read the article?

        The security issue was not the existence of WEP on the network. The issue was having a wireless network with full access to the rest of the network including financial systems etc.. (plus, as the article vaguely mentions, not implementing some other security they had available... VPN? SSL? Who knows.)

          WPA (particularly WPA-PSK, which is a relatively common form of WPA, due to less support for WPA-Radius etc.) is not crack-proof. It's stronger than WEP, but with a payday of millions of CC #s, it would be worth these guys' time to burn some CPU cycles for a WPA crack.

          Most of the old WEP-only bar code scanners etc. these guys are talking about are not the ones at checkout counters, they are the little inventory-control barcode scanners. Someone could crack in then and tell how much stuff you have in your store. But, if properly setup, I would think the financial systems would be accessible only from an internal *wired* network, not via Internet or wireless.

          I've seen some slop though.. a local store, who shall remain nameless.. well, it was Hy-Vee.. setup a rig like this. They ran an extension cord out into the parking lot where flowers were being sold, and plugged a register into it. With CC reader. They did not run ethernet (or serial? Some of the registers look pretty old) out to it. I had my notebook in the car.. yup, they were running WEP. I wasn't about to crack it but I did advise the people with me to pay cash.

Re:Why isn't WEP recalled?

[jd]

IPSec, SK/IP or even just an SSL tunnel should be used in any wireless environment in which you want meaningful security. SK/IP has better recovery, but isn't quite as tough.

WEP and WPA should - by now - be entirely replaced with 802.1x at the very least. Neither of those has any business being used on a modern wireless network. I can accept that not everyone can upgrade to firmware that supports adequate security, but that only excuses the users. The manufacturers have no such excuse, because they're the ones who write the software and strong wireless security has existed for many years now.

Re:Why isn't WEP recalled?

[smittyoneeach]

should - by now - be entirely replaced with 802.1x at the very least.

Which, too, shall be compromised eventually.

Re:Why isn't WEP recalled?

[cheater512]

Windows is still being sold isnt it?

Re:Why isn't WEP recalled?

[bberens]

It's entirely possible that a random key generator gets lucky on the first try. What's that, like 1 millisecond?

Re:Why isn't WEP recalled?

[Gordonjcp]

Not everything is on the Internet, you know. Sometimes you have to go out into the Big Blue Room. And no, it's not a random number generator getting lucky. I'll give you a clue - the card doing the cracking needs slightly funny firmware.

Re:Why isn't WEP recalled?

[sumdumass]

The real way to secure a wireless connection is to set the wireless devices outside the network and VPN any access that needs to be inside the network. It is difficult and sometimes expensive but thats what really needs to be done. End then your not completley safe, you just have one more layer to defeat. And if you IDS is functioning properly, it should alert you to most attempts and possible sever the connection.

I have talked to (business) customers who had their "son" or neighbor who is a part time rocket scientist put wireless in because they didn't want to run cables and I have cracked it while letting them tell us how secure it is. I'm not using anything special either, it is just commonly available script kiddie tools.

I'm not knocking WPA, I just know physical access to the network is a key part of any security. You wouldn't run a couple ports out to the street for anyone to connect to and do whatever. This is essentially what your doing with wireless. And once they do "whatever", you need another layer that you can detect intrusions with before the real network gets accessed in order to remain secure.

Re:Why isn't WEP recalled?

[chihowa]

So you're either referring to this dictionary attack or you're just making stuff up. All of the reported WPA cracks are for WPA-PSK and are brute force cracks. I don't see why you'd need modified firmware to do a brute force attack (although I guess you could make it faster that way, but ideally you'd do the attack on captured traffic, so it wouldn't make a difference). If you're instead referring to some super secret uberleet method to take advantage of a flaw in the crypto of WPA (like the weak IV's or small keyspace of WEP) then out with it! Pretending like you've solved a very difficult problem but refuse to tell people how you did it screams of you making it all up.

And a brute force attack isn't a real crack, either. Quoting MechaBlue on this site:

WPA-PSK may be vulnerable to a brute force attack but, with the choice of the right password, it becomes unfeasible. Assuming a decent utility is used, a 31 character long password of random upper- and lowercase letters and numbers results in 62^31, or 3.7x10^55 possible combinations. If we assume 60 attempts per second, it will take more that 1.3x10^36 times the age of the universe (15 billion years) to attempt every possible combination. The average time would be half that, or 6.5x10^35 times the age of the universe. Even if someone were to come up with a scheme that reduced the bruteforce time to 1 trillionth of what would be required otherwise, it would still take 6.5x10^23 times the age of the universe. And so on... Unless someone find another way to get the password (e.g., can determine from traffic (like with WEP), beats it out of me, hacks my laptop, etc.), my WAP will remain secure until long after I'm dead. And that's good enough for me.

Thinking about it, though, I'd bet you could pick up traces of the unencrypted datastream in poorly designed cards. That's hardly a crack for the crypto, though.

Re:Why isn't WEP recalled?

[band-aid-brand]

What most people don't realize is that WPA isn't much better unless you use RADIUS. Where cracking wep requires you to catch thousands of IV's, cracking WPA requires only the 4 way handshake and the use of a decent dictionary or brute force attack AWAY FROM THE SITE. WPA requires less "sitting outside the store creepy-ness". Not broadcasting the ssid is of little use either. An attacker can simply wait for a computer to connect to the network or spray a bunch of deauth packets then get it when it reauths. If its WPA they'll also get the 4-way handshake at this time. If you have important information on a network, DO NOT PUT YOUR WIRELESS IN THE TRUSTED AREA.

Re:Why isn't WEP recalled?

[jd]

Oh, certainly. 802.1x isn't perfect, by any means. The first rule of IT security, though, is to always be two steps ahead of those doing the compromising. One step means that you're secure when you install, but will have indefinite periods of uncertainty when you COULD be vulnerable. This is typically the way things are done, and it is stupid beyond belief.

No, the logical method is to expect some component - any component - of the security to be compromised between now and the end of use. You then have a second, wholly independent, component which must simultaneously be compromised in order to be vulnerable. You upgrade when EITHER fails. It is then virtually certain that both have not failed, so everything remains intact, and you use that lead time to perform the upgrade.

You could regard this as a variant on the Byzantine General's Problem. There, some number of components are "traitors" (in this case, compromised), yet you have to make sure that the orders (data) received come from an authorized source alone. Other variants of this problem deal with making sure that that data does not fall into the wrong hands, such as using Byzantine key distribution.

Three algorithms, three block ciphers, three hashing functions. Any one of those gets broken, simply roll onto the next in the list. If you're sneaky enough, you have some mechanism for automatically switching combinations when the key is refreshed, making it much harder for an attacker to know which combination is actually being used at the time.

Security doesn't have to be perfect to be truly secure, it just has to be impassable in the time you detect an attacker bypassing one component and the time you can replace what has been broken. The defender in a real-time situation always has the advantage when it comes to what happens next. The attacker ONLY has the advantage when it comes to what has already happened. So long as there is no usable relationship, the attacker must always lose.

Re:Why isn't WEP recalled?

[JasonBee]

> Not that I ever did previously, but I would never shop there.

Almost every piece of clothing I currently have has been purchased through Winners at some point (in Canada - a subsidiary of TJX). I am pretty much on the brink of never shopping there again either. I haven't purchased anything from them since news of this broke. And I always use credit with them - ouch.

I've never given out my postal (zip for you guys) code whenever they asked after a purchase. That makes the existing breach so much more damning. Given that it's very improper for any retailer to KEEP your card number after the transaction (Canadian law generally forbids it), now that I know their internal practices I'm readying my attempts to go back to cash only purchases for everything.

The gist for any security conscious consumer should be that credit or card based transactions are now used to track you ad infinitum. If it isn't for marketing reasons, it could be used for national security purposes...that means a VERY long list of your financial activities. Since major companies are all trying to keep such data, any one could be vulnerable to any attack of this nature, and you're back to fixing your credit history again and again.

Go back to cash while you can. in hindsight it is starting to make those Starbucks (or insert your favourite store here) cash cards seem like a better deal when you used cash to fill them up to begin with.

JB

Re:Why isn't WEP recalled?

[JasonBee]

>At this point, IT is vital, vital to any $10M/year or higher in revenues

Very good point...perhaps this is why a Business-Centric refocus of IT resources is occurring worldwide. ITIL, ISO, and many other standards are part of the effort to ensure that IT is PART of the decision making process. I bet that TJXs IT department, if it did NOT have a seat in the boardroom, does now.

IT, like plumbing, has always been a service component, and regarded as important. Sure you need electricity to run a company, but are there any electrical engineers in the executive in say, Mattel Inc.? If your business people don't speak your language then no wonder you might get ignored. that mysterious tech-speak is either far above their heads or far below it. If you ignorant of the issues it makes no difference which direction. You're uninformed either way.

Give it a few years and you'll see more effective business-minded IT professionals up top...and they will fall on their swords for such goof ups.

JB

Re:Why isn't WEP recalled?

[smittyoneeach]

That's quite a good exposition, and mod points are certainly in order.
Meanwhile, back on the simple use-case of Joe The Non-security Geek User, whose chief goal is to run a wireless network, to which no one can inadvertently connect...

Re:Why isn't WEP recalled?

[DrSkwid]

> It is difficult and sometimes expensive but thats what really needs to be done.
If you consider it difficult, I suggest you advertise for a new member of staff for the IT Dept.

Re:Why isn't WEP recalled?

[bentcd]

cracking WPA requires only the 4 way handshake and the use of a decent dictionary or brute force attack
You seem to have left something out: Cracking WPA also requires that the administrator decided to use a weak key, i.e. one that is susceptible to brute force or dictionary attacks. But if you are allowed to assume this, then any encryption is "easily" cracked. Even OTP is trivially cracked if the key sequence is easy to guess.

Re:Why isn't WEP recalled?

[Architect_sasyr]

Isn't there a rainbow table you can generate against a WPA network based on it's SSID or something to that effect?

I've cracked WPA-PSK in under 3 minutes, but I got lucky on the dictionary key and I had, of course, gotten even luckier when I caught the initial 4 packets (amazing what happens when you power cycle an entire house :D), so I don't think he's BS'ing. Don't believe there is a way around a proper WPA enterprise installation (client and server certificates for verification and a RADIUS server etc.) but I've not really been on top of wireless lately. Of course, if you weren't using certificates but were using RADIUS then I'm sure there's a brute force in there much like PPP. I know of at least one network that requires your domain logon to access it... perhaps a vector there? That's not strictly attacking WPA, that's attacking the implementation, but if it nets me a few billion in credit cards, who really cares for the details!

Re:Why isn't WEP recalled?

[kemo_by_the_kilo]

If you're that paranoid, you're running a wired network anyway, right?

no im running all fiber, no taps in my wires....also, 3des chips on my nics.... encrypt what?

Re:Why isn't WEP recalled?

[sumdumass]

The difficult part is convincing management is needs to be done because of the wireless connections (they insisted on) and when you look at the options available for your current setup, they aren't always clear and workable.

Not every desktop operating system support the same feature in an VPN connection and some have alternative clients already installed that you have to account for. I have one setup were I need to un-install one VPN client to use another (internal conflicts and neither work with both installed) because a company went with a propriatary solution over some of the more generic-universal/open solutions. To say it is easy even for a skilled tech is disingenuous at best when having to consider all the possible interactions necessary for the connection. And the native XP/2000 support in windows is a joke by most standards. It is lacking deeply on several levels and will leave portions of available security features unusable.

It is quite possible that the same company who runs a wirless network because it is cheaper then laying lines, would still be using or have customers using windows 98, Linux, 2000 or XP and maybe even Vista to connect let alone the different access levels each connection's options needs to have. I have one system were I block all access to everything but the Internet to everyone who doesn't have a specific login and then only give certain people access to specific servers that they need access to when they connect. Adn this process get even more detailed and difficult when you have a customer with an existing VPN like with an avaya ip connect remote services with a 4602 phone across town at a satellite office.

Saying it isn't difficult is foolish. Saying it can be easy in some situations is better. Even for a seasoned tech.

Re:Why isn't WEP recalled?

[band-aid-brand]

ALL keys are susceptible to brute force attacks, its all a matter of time.

Now unless I'm horribly wrong, a WPA-PSK key is 256 binary bits. Meaning 64 hex characters. Because you don't have to be on site like you do with WEP, an attacker can take is loot home and crack it at his leisure. Heck start one brute force at the beginning and work forward and have another machine start at the end and work back. In todays world computing power is cheap and its only going to get cheaper. Its obvious the guy knew what he was doing and had his target in mind. Had he encountered WPA it would have been little more than an inconvenience. I don't think that a change in encryption would have made much of a difference here.

Re:Why isn't WEP recalled?

[mjwise]

Yeah, right. By the time you crack my 63-random character key, the Sun will have long gone dark. All the computers in the world won't be able to help.

Re:Why isn't WEP recalled?

[bentcd]

Your use of "all a matter of time" somewhat overlooks the sheer scale of the problem at hand.

Quoting MechaBlue (from http://blogs.ittoolbox.com/wireless/networks/archi ves/cracking-wpapsk-6730):

Assuming a decent utility is used, a 31 character long password of random upper- and lowercase letters and numbers results in 62^31, or 3.7x10^55 possible combinations.
If we assume 60 attempts per second, it will take more that 1.3x10^36 times the age of the universe (15 billion years) to attempt every possible combination. The average time would be half that, or 6.5x10^35 times the age of the universe.
Even if someone were to come up with a scheme that reduced the bruteforce time to 1 trillionth of what would be required otherwise, it would still take 6.5x10^23 times the age of the universe. And so on...

That is perfectly good enough for me to secure my home network :-)

Re:Why isn't WEP recalled?

[Gordonjcp]

Don't believe there is a way around a proper WPA enterprise installation (client and server certificates for verification and a RADIUS server etc.)

There isn't.

Isn't there a rainbow table you can generate against a WPA network based on it's SSID or something to that effect?

It's something like that. In answer to the grandparent post, I don't actually know *how* it works. It's something to do with not all the bits in the key being significant, but in a rolling pattern. So I suspect it's some sort of replay attack coupled with snarfing a weak key, rather similar to the WEP cracks.

Re:Why isn't WEP recalled?

[RockDoctor]

If you're that paranoid, you're running a wired network anyway, right?

s/paranoid/sensible/

Re:Why isn't WEP recalled?

[smittyoneeach]

I don't know if it's Cox cable or too much interference, buy I've been having some hellish stability problems lately. May have to go back to wired just so the junk works.

Re:Why isn't WEP recalled?

[RockDoctor]

I don't know if it's Cox cable or too much interference, buy I've been having some hellish stability problems lately.

A few months ago - maybe a year ago - a bunch of my colleagues were having a chin-wag during a course at work. One is a proper radio ham (Morse code license, 10m antenna hanging out of him parents house, that sort of thing), and the other was a serious hi-fi dork (one of "silver-coated power lead" brigade). All of us were bitching about how the reception on the (FM) radio has been getting worse over the last few years.
The most likely suspect to our minds was the amount of RF garbage leaking out from all sorts of sub-GHz clocks and signals wafting through the sub-ether. [GROUP SIGH] [GROUP reluctantly looks at the looming need to get into digital radio] Then again, would that be so bad? 13:15-13:30 A Short History of Ireland ... Episodes 81-82 of 240. Maybe not.

45 million or 200 million?

[E+IS+mC(Square)]

TFA says "A person familiar with the firm's internal investigation says they may have grabbed as many as 200 million card numbers all told from four years' records."

Gets better, doesn't it?

Re:45 million or 200 million?

[BoberFett]

Not to belittle the problem here, but do that many people really shop at TJ Maxx/Marshall's? I know there are a few in my area, but they seem to be crappy little stores in crappy little strip malls. I didn't realize 45 million people shopped there, let alone 200 million.

Re:45 million or 200 million?

[Antique+Geekmeister]

They're a pretty big chain. They've filled some of the clothing market niches in places where a Wal-mart or a K-mart or an S-mart would be just too big. I've bought cheap socks and underwear there when traveling and running out of clean clothes on a business trip.

Re:45 million or 200 million?

[DrSkwid]

TJX is one of those Global Multinationals

http://en.wikipedia.org/wiki/TJX_Companies

Net income $690,420,000 (2006)

http://news.bbc.co.uk/1/hi/business/6508983.stm
The company also told the BBC that 100 files were moved from its UK computer system in 2003, and two files were later stolen.
However, a spokesperson admitted that the firm may never know what was in those files.

The data was accessed on TJX's systems in Watford, Hertfordshire, and Massachusetts over a 16-month period from July 2005 and covers transactions made by credit and debit card dating as far back as December 2002.

5 years of data
$500,000,000 of transactions per year = $25 billion of transaction history.

Pretty good haul if you ask me!

Terrorism

[HomelessInLaJolla]

The damage that such a recall would have in terms of liability, lost profit, and plain flat out admitting that they royally screwed the pooch is so enormous that, in the interest of promoting the free world, we simply can't allow it.

If you continue to press your treasonous assertions you can and will be sent to Gitmo for social reconditioning: do not mess with their profit margin.

Re:Terrorism

[sumdumass]

It isn't even that far into it. There is a spec. They sold you a product that meets the spec. The spec turned out to be flawed but their product still meets the spec. The manufacturers have provided you with exactly what they claimed they would.

This is different from say, a laptop battery that by spec shouldn't burst violently into flames. When the flaw doesn't meet the spec, it is a recall. But like the 802.11N products. They conditioned the sales with PreN or something else describing how it doesn't meet the spec (mostly because the spec wasn't available.)

Sue?

[PetriBORG]

So, as someone who had at least their CC number stolen thanks to these ass hats, when can we sue them and take a major chunk out of their ass? People in TJX should be jailed...

Re:Sue?

[ChrisMaple]

In all likelihood, the managers were assured by the IT people that their system was safe. Should they be jailed for believing their hired experts?

The IT people are not paid to take the sort of risk that involves being jailed for mistakes.

A large part of the penalty cost here is likely to be covered by insurance. This is the sort of thing that insurance companies, in their own defense, should correct. Insurance companies like to give medical exams for high value policies involving their customer's health; they ought to be able to substantially discount rates if they can certify computer system security.

Re:Ok?

[pchan-]

TJX - commonly known to American consumers as TJ Max and Marshalls retail stores. If you made purchases at these stores, you could be affected.

They got lucky

[MechaShiva]

Fortunately, the mobsters only used a telescope shaped device to improve their range.

Imagine if they had known enough to make a satellite dish, of sorts...

Why are SSNs Being Sent Wirelessly? WEP or no WEP

[MaizeMan]

Which brings us to the question of why a major retailler is using wireless in the first place. I'm personally no more than an interested amatur, but I've read professionals running corperate networks who, if they have to include a wireless component at all, keep it completely seperate from the secure, WIRED, network. You get internet access, but no accessing the company databases from the wireless. Can anyone come up with a scenario where it would be ESSENTIAL for store operations to be able to send SSNs and drivers license #s over a wireless connection?

Ironic

[segedunum]

It's ironic really. Many thought it might be some insider job, a complicated back door, some flaw in an internet facing system - but no. The company was daft enough to put their internal data over a network that is explicitly designed to get around physical barriers to access, and no one, and I mean no one, seems to understand this.

A friend of mine has a reasonable but small IT business in the UK, and recently he started pushing the wireless expertise side - setting up wireless networks, explaining why they are a bigger risk than a wired network, securing them (and what do do if you are really paranoid) and trying to guarantee QoS more by setting it up correctly. Positioning your access points properly, doing wireless scanning to pick out any interference spots etc.

No one is interested, and I don't just mean small businesses, but some quite large companies who should know an awful lot better. It's not a UK thing either, because most people believe setting up a wireless network is about popping down to the local store, picking up a Netgear, switching it on and letting Windows attach you to the nearest wireless network it can find. Astonishing.

The only thing that shocks me is that this doesn't happen all the time, because many networks are just an open invitation. I mean OK, it's not that easy because you have to watch the network traffic and find out where the useful juicy bits of data are. That isn't completely straightforward, but once you are inside an average company's network it's doable because everything tends to act as if it is safe and fenced off.

Re:Ironic

It wasn't that sensitive info was going over WEP, it's that getting in through WEP allowed them to install a sniffer on wired router. The weakness of WEP is only the first link in an insecure chain. No servers were compromised because none needed to be.

Re:Ironic

[trav242]

The only thing that shocks me is that this doesn't happen all the time, because many networks are just an open invitation. I'm with you there. It's really unfortunate that people seem to think this is an isolated incident. I mean, it's not like these guys are your average junior high kids with a laptop and some time to kill -- they are professionals. This is an industrial-strength cracking operation where people are out there in search of networks to exploit. It's a business. For every TJX that we hear about, I'm sure there are many, many more that go under the radar.

Re:Ironic

[timonbraun]

No one is interested, because this problem is only marginally IT related. The beginning and the end of the issue is that merchants and credit card companies are authorizing ten $450 gift certificates at a time from Wal-Mart, and would rather not have to pay either for their mistakes or for the hassle of authenticating their customers at the point of sale. So they make a dramatic fuss about compromised databases and then use that as a springboard for overturning centuries of common law. If Wal-Mart lets Ivan Russky walk out the door with ten refrigerators because Ivan told them he was me, that is frankly not my problem. We have become so accustomed to corporate talking-point bullshit that we tolerate phrases like "identity theft," when what we mean is "theft from corporate fuckwits who are too lazy to make sure they are giving the merchandise to the right person."

Re:Ironic

[that+this+is+not+und]

I verbally thank any sales clerk who does more than the average amount of ID checking when I make a credit card purchase. In this way I hope to do a little bit to help them be more vigilant with other customers.

Everybody should do this: Tell them you're glad they checked, because you don't want anybody else using your card.

Re:Ironic

[Klinky]

You may be surprised at how many customers whine at any inconvenience, even for their own good. Start questioning Bob Smith about his card and he's going to get huffy at the inconvenience of having to pull out some photo ID or answer some security questions or get upset over the "accusation" of being a thief. "Well, I am Bob Smith, I know who I am.". Yeah, OK. I do customer service over the phone. We require the last 4 of the CC# we have on file to verify people calling in are who they are. We let people know that we'll need the last 4 numbers while they're listening to the hold music. But I still get numerous customers who don't have it ready & then get upset that they really are going to have to get their wallet out & read those last 4 digits off as hard as that is to do. Also it's not only a consumer issue. While there is a data mine to be had with insecure commercial operations, there's quite a bit that can be had at insecure or stupid personal locations. A person can have their ID stolen from their own insecure network connection, or from not logging out of their MySpace account on a public computer. Also plain old non technological ways as well, such as throwing bank statements or sensitive info into a garbage bin w/o shredding it. So no, it's not just about "lazy corporate fuckwits".

Re:Ironic

[timonbraun]

Any company can make whatever security-convenience trade-offs it wants (and of course the fuckwit language is an exaggeration). If being strict costs you more custom than the fraud you might prevent, don't be strict. But what I find so repellent is this fiction of "Identitiy theft," which apparently means blaming third parties when companies give their goods to the wrong person.

Re:Ironic

[Klinky]

I still don't get why you're so appalled over the use of the phrase "identity theft". While true that companies messing up like TJX is just plain dumb & stupid. I don't think it's their business model to fumble consumer data. It's going to cost them a lot of money to clean up this mess. Regardless they may have neglected to protect their customers data properly, but the certainly didn't give the OK for someone break in and steal it. This is the same with you leaving your door unlocked at night, just because it's unlocked doesn't mean it gives someone the right to break in and steal all your stuff, even if you should know better to lock your door. Also as I posted above identity thieves do not always get their information from corporate entities. Either they scam it from their victim or snoop it out from their garbage or by other means.

As for companies verifying who you are before you purchase, I am wondering what your suggestion is as to how they go about this? As was stated SSNs, drivers license numbers & credit card numbers were all stolen. If someone has your drivers license, SSN & CC# you're pretty much screwed. I don't see how a company could protect themselves or the victim unless the victim is proactive in keeping an eye on what purchases are showing up on their credit card statement(many do not).

Re:Ironic

[timonbraun]

If you have my drivers license, ssn & CC#, and you use that information to defraud a vendor, that is a crime and you should be punished - I shouldn't be, especially by some credit agency that then proceeds to tell the world that I defaulted on my $45,000 purchase at Farid's Rugs in Warsaw. Why doesn't the law say, for example, that credit agencies have 30 days to fix their fuck-ups, instead of giving me a little window to do it for them? There are a number of ways of authenticating - a purchase above a certain amount should trigger a call where I have to verify some pre-shared information. Whatever, the thing is that "identity theft" is a marketing phrase used by people who throw credit around like tinsel and should just be called "credit fraud." How much we want to let ourselves suffer for yet another cretinous industry's business model (minimal checking, pre-approved cards sent to pets, etc) is unfortunately a recurring problem lately!

Re:Ironic

[DrSkwid]

My favourite is them leaving themselves logged in to MSN in Cyber Cafes (lol that sounds so retro!)
I almost always strike up conversations with their logged in buddies, it's quite a hoot.

Re:Ironic

[DrSkwid]

If your door is unlocked, it's not breaking in, a distinction that is made in law here in the U.K.
I can even take your stuff so long as I am not intending to permanently deprive you of it and I don't damage it (proving the former is obviously a tricky prospect but it is a valid defence).

Re:Ironic

[ockegheim]

...minimal checking, pre-approved cards sent to pets...

Oooh... Muffy wants one please!

The real question is....

[3seas]

.... will there be another story on slashdot today about another data leak?

Re:The real question is....

[dpiven]

Yep.

Leave the WEP out for a moment

[Actually,+I+do+RTFA]

WEP comprimised the communication of one retail store. Apparently enough information was stored in that one store to compromise a database with 4 years of records. So, an inside job at that level (assistant cashier probably had enough access to their wires) would be trivial. A better question... why would 4 years of CC number, etc. be accessible over the internet at all. Why not have that server offline, with updates posted occassionally via sneakernet? And hash the CC numbers. And otherwise, protect consumer information.

Re:Leave the WEP out for a moment

[Radon360]

Good point. What's to say that some employee, either through a plant or bribe simply plugs a wireless access point into a spare RJ-45 jack in the back room.

As for their databases, they should be shamed for not improving the security for accessing them, such as tiered levels of access (what in hell is a store employee/manager doing with full database access?), adding something like RSA SecerID pin generators and the like.

Re:Leave the WEP out for a moment

[DrSkwid]

The attackers got the keys from the US but the data was partly stored in the UK.
Always discount the bandwidth of a suitcase full of tapes on a transatlantic flight.

do a search for TKMAXX and see the BBC stories

Re:The USA is fucking pathetic..

[Mr+Chund+Man]

"and our retarted government"

People in glass houses...

Well, I Wouldn't Shop With Them - Ever

[segedunum]

Just read through the article more thoroughly, and several things worry me:

TJX declined to comment on those numbers, but says it is undertaking a "thorough, painstaking investigation of the breach," hiring a team of 50 data security experts in December and taking a charge of $5 million in its first fiscal quarter.

Well, we all know how brilliant data security experts are, and I really hope that sentence doesn't mean that they are simply throwing $5 million at them. You know what consultants are like - give them enough money and they will tell you everything you want to hear, even if the reality is a horror show.

It says it will also pay for a credit-card fraud monitoring service to help avert identity theft for customers whose Social Security numbers were stolen. "We believe customers should feel safe shopping in our stores," says a letter from Chief Executive Carol Meyrowitz posted on TJX's Web site.

The whole bloody point of this is that you don't get to that point in the first place. Stable door, horse bolted?

The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators.

What the hell were they using this wireless network for?

The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators. They first tapped into data transmitted by hand-held equipment that stores use to communicate price markdowns and to manage inventory.

So they were using an unsecured wireless network to enable hand-held equipment to function - and they used this to run their day-to-day business?! Christ. At first I thought this was just some wireless network someone had plugged into the network somewhere arbitrarily, not something they actually used in day-to-day operations.

The company says the hackers may even have lifted bank-card information as customers making purchases waited for their transactions to be approved. TJX transmitted that data to banks "without encryption," it acknowledged in an SEC filing.

I'm not 100% sure what system is used for credit card purchases in the US now, but this highlights why I like using cash a bit more with the advent of chip and pin. I would also never, ever use a debit card in one of these things. You transmit your card details, and the pin as well. Brilliant. Access to your bank account, and that hard earned pay that just went in today. I'm slightly confused though, because surely this communication with banks would all happen on another network?

At that point, TJX hired forensics experts from International Business Machines Corp. and General Dynamics Corp. and notified the U.S. Secret Service, which spent a month trying to catch the hackers in the act.

So you take no responsibility for your own systems, and you have no internal expertise? Wonderful.

Massachusetts Rep. Barney Frank, chairman of the House Financial Services Committee, said in March he believes Congress will move to require a company responsible for allowing a breach to bear the costs of notifying customers and reissuing cards.

That's probably the only way, because some companies simply believe they don't have to take responsibility for IT, data, security and especially wireless security. It's something that is best swept under the carpet, and setting up a wireless network is as easy as spending a bit of money on a little access point you've seen at a local store, right? Why spend money doing it properly?

Re:Well, I Wouldn't Shop With Them - Ever

[adrenalinekick]

Actually I would guess that now TJX stores will be one of the safest to shop in. This isn't to say that they are perfect, but I'd guess that their current system would beat out 99% of the rest of resellers in terms of security. After all, if a second breach were to occur at the same company in the next 5-10 years, they might as well file bankruptcy now. I know it's sad that the industry is such that they get even one 'get out of jail free' card, but that is the way things are right now.

The company says the hackers may even have lifted bank-card information as customers making purchases waited for their transactions to be approved. TJX transmitted that data to banks "without encryption," it acknowledged in an SEC filing.

Wait one minute here... what the hell happened to PCI standards? Wouldn't this be a huge violation...(never mind the fact they had a wireless access point with WEP encryption attached to a cardholder environment)? This so-called "standard" needs to be seriously reviewed and updated, and any company found not to be in compliance needs to be held accountable and have their card-using privileges revoked.

At that point, TJX hired forensics experts from International Business Machines Corp. and General Dynamics Corp. and notified the U.S. Secret Service, which spent a month trying to catch the hackers in the act. So you take no responsibility for your own systems, and you have no internal expertise? Wonderful.

Being as their 'internal expertise' did such a wonderful job the first time around, wouldn't you be happy that they brought in 3 outside sources that have at least SOME experience in the security field? I know you are angry about the whole situation, but let's be realistic here - would you want them to handle this internally?

Re:Pringles ....

[DaMattster]

Well, I could only hope that further intrusion from the government and Homeland Security will not happen. Well, at least I try to be optimistic. Realistically, TJX should be punished because it was widely known that WEP is weak encryption. Presumably, TJX should have a competent IT Department. At my job, we have wireless, which on its face appears to be open. It is instead protected by IPSec. Anyone can get an IP address but without IPSec, you'll get absolutely nowhere. I would really like to see consumer models incorporate this ability. It is not difficult to implement. Linksys could even provide a setup wizard that would automatically configure IPSec on the client side. In home networks, simply take the CD from computer to computer and run the wizard. This is by far the best way to secure a wireless network. No need to muck with WPA and its poor hardware support or WPA+radius (a bear to configure for the home user.)

Re:Can someone explain to me

[noidentity]

Yes, why the fuck are they keeping the credit card number more than a few weeks after the transaction? Credit card companies should provide and require processing systems that never allow the business to get a hold of the number, only at most a hash of it (so the business can do their oh-so-important customer tracking). It'd be something like paypal, where the recipient never gets your login information, just the money. And for online purchases, fuck one-click shopping; I'd rather have to re-enter my card information each time than have it stored on an irresponsible company's servers for eternity.

trillion dollar three-piece cluster-fuss

[epine]

The entire credit industry is complicit in the design of the credit-card as an open invitation to replay attacks. Then this distract our attention from the fact that this horrendous credential is being compromised exactly in the manner the design dictates while telling us that it's *our* identities that are under fire. Let's get this straight: my indentity remains secure, it's only my credit-card credential is additionally compromised with every use.

The central problem here is the architecture of the human brain. We're programmed to function within status hierarchies. The banks have cleverly positioned themselves within the equation that credit equals status. This move serves to bypass normal human scepticism, so one time after another, in the all-too-predictable aftermath of one of the stupidest replay protocols ever devised, we sit around and debate the weaknesses of WEP, rather than point the finger where credit is due.

WEP != VPN

[FuryG3]

A lot of people are going to be criticizing the wireless link and arguing that they should have used a physical link for this kind of stuff. The fact is, at some point you're going to have to get secure data over an insecure network, whether it be the internet or a wireless link.

If you're building a wifi link, you really should be using VPN over your WPA (not WEP!) link. If this was a database backup between servers then the protocol they were using should have been secure (SCP). If it was a client accessing resources on a server, the protocol should have been secure (https, or other ssl link).

Re:WEP != VPN

[ASBands]

Everyone that wants to make credit-card purchases should be issued a long string of random characters. Before submitting the request to make the purchase, data would be XORed such that the encryption is perfect. The credit card companies already have a method of issuing access to their networks, would adding this one be that much harder? I wouldn't mind carrying around a second credit card (SecureVisa instead of Visa, perhaps) until everybody got their systems changed over to the new kind (I'm thinking 10 years or so - companies have little incentive to actually do this without government intervention). The amount of purchases being made with credit cards hasn't significantly increased and probably won't anytime soon, whereas computing power has and always will.

And while we're on one-time pads (not technically ONE time), why don't any wireless encryption algorithms do this? When a device connects with the correct encryption key, exchange a 256-bit pad and communicate through that. Bam! Harder to break than AACS, because you're not broadcasting the initial private key. From what I've read, this is just the wireless form of the Wi-Fi Protected Startup method of key generation from WPA.

Re:WEP != VPN

[pe1chl]

You should understand that it is not always possible to do this because of limitations in the devices.

When you want to use a wireless scanner or handheld terminal (as was the case in this shop) you can yell 'use a VPN' but what if the device does not offer that option?

Similarly, when you want to link two offices using a point-to-point wireless link bridging between switches, where do you implement the VPN? You would need to put routers inbetween, an extra purchase.

So it is not always that simple.

Re:WEP != VPN

[DrSkwid]

They started at a store in the US and got all the way to the data centres in the UK and US and then took the data for $25,000,000,000.00 of transactions from the US, UK, Eire and Puerto Rico and more data that TJX don't even know the contents of !

A system that allows that path just shouldn't even exist, VPN or no VPN.

Re:WEP != VPN

[azrider]

And while we're on one-time pads (not technically ONE time), why don't any wireless encryption algorithms do this? When a device connects with the correct encryption key, exchange a 256-bit pad and communicate through that.

802.1x (WPA-Enterprise): Provides for keys to be negotiated based on an exchange of PKI information (AH-ESP). TKIP CKMP (WPA-Personal): Provides for keys to be negotiated (and rotated) based on a pre-shared key. Done.

Re:Why are SSNs Being Sent Wirelessly? WEP or no W

[Heembo]

Which brings us to the question of why a major retailler is using wireless in the first place. Major retailers do not attract the best IT staff, it's really cheap and easy to set up WEP, and the moment you get into WPA 2 and a Radius server it becomes a more complex, expensive and administrative-heavy issue to deal with. I say, run wires, baby! Wireless is just a insecure easily DOS'able crap technology!

Re:Pringles ....

[taniwha]

well my comment was intended to be tongue-in-cheek ... but you're right the only way to think of wireless is open - it's by definition outside your corporate fire wall even if the hardware is physically inside your building - you have to treat it always as such - so WEP to make it hard to get in but a VPN of some sort as real security

Put Management's Data In The Databases

[NeverVotedBush]

And shareholder's data. Make a law that puts the money-grubbing CEO and other officer's data in the databases with the customer's data. Then sit back and see what kind of directives management gives to their IT departments to secure data, networks, and workstations. But put their personal data to the same risk as what they deem is sufficient for all the people they don't know or care about. Then see how responsible they get.

Re:Put Management's Data In The Databases

[Overzeetop]

Exactly the reason for a law. Once you get to a position of power, your personal financial stake is such that proper implementation takes money out of your own pocket. You have an incentive to not implement expensive operations which have a realitvely low probably of occuring.

Re:Can someone explain to me

[C_L_Lk]

I run a small business and this is exactly how the credit card transactions take place. A customer comes in to the store and purchases something and wishes to use their credit card - the card is swiped through a terminal that uses a dial-up modem connection back to the bank's clearing house - a conversation takes place between the terminal and the remote server (at a mighty 9600bps) - and either a "approved" or "declined" is returned and a *PAPER* receipt (2 part) is thermally printed. The customer gets one copy of that and one copy of the register receipt. I keep one copy of the register receipt for proof of what they purchased, along with the signed copy of their purchase. The credit card companies (Visa/MC/Am Ex) all require I keep those paper records for 1 year in case of charge backs, etc. Each evening when the business closes the paper receipts are collected and put in a manilla envelope marked with the day's date and the envelope is placed in a locked filing cabinet in the back office. At the beginning of each month, credit card purchase receipts more than 1 year past are burned in the incinerator - the filing cabinet never has more than 12 past months data, and none if it is stored in electronic format anywhere on premise. The point of sale software's database has a record of all transactions ever taken place as far as inventory, amount paid, taxes collected - but it has nothing that can tie the purchase to a customer or that customer's financial information. I don't see why any size business of any type couldn't follow that method of doing business.

The real issue isn't WEP, though.

[Artifex]

(the following is speculation. TJMaxx, don't sue me, I'm not claiming to know what really went on, or real details of your network. This is just my impression from reading the story)

Yes, WEP is insecure for real stuff. It's like the little latch on a high school display case. It's to keep honest people honest. It shouldn't be used in a commercial network as the only encryption.

But what the heck kind of network design allows IPs from local stores direct access to central databases? The big issue here isn't that a few dozen or hundreds of cards were snagged by being sent through WEP -- we don't know, maybe the company ran a tunnel across that WEP link for those transactions, and they didn't get anything locally. The big issue is that it looks like the company was storing historical data on transactions online, and in databases that apparently were accessible from that link. WEP was a weak entry point to the network. But where was the security inside the network?

It sounds like possibly either the designers of the overall network hadn't limited access sufficiently to just IPs/MACs from their account department, on a secure network, or the hackers managed to break through security layers in between, perhaps by knocking over a server that was straddling networks or something. If they designed in layers, with firewalls as gatekeepers between layers and IDS and IPS monitoring, I don't think they would have servers straddling, to start. IDS and IPS would also help them notice, for example, if someone spoofed an email from a store to an accounting department person, included a trojan, and attempted to gain access that way.

I'm saying this not so much just to point out what sound like potential design issues with this company's networks, but to get people thinking about their own networks, instead of blowing this off as a WEP issue. If you administer a small network, and haven't had training on how to set it up and maintain it securely, you ought to look into Cisco's SAFE blueprint at bare minimum. It's free and the lessons can be applied to almost any brand of networking gear out there. It basically builds the network up from modules, which are easy to figure out. If you're administering a large network, well, as someone with CCSP training, I'd suggest you hire someone who's been properly trained, obviously. Cisco's track or someone else's. At the very least, everyone should consider thinking in terms of layers, like an onion, and discreet modules residing in, but not crossing, those layers. You should be really wary of any packets from across any WAN link to your core systems, obviously, but you should also set up security policies so that you know which administrative departments have access to which internal networks, too. Ask yourself, if an attacker can get into my network, what can he or she do?

One last thing: network security can't just be set up and left. It has to be monitored and maintained, both to respond to immediate attacks, and to see when people are just poking around, doing reconnaissance.

RBC Visa

[jjohnson]

pre-emptively changed my Visa card number a couple months before this became public. I found out that I was not affected by this break-in later, so I'm unsure whether or not it was in response to

The question in my mind is, given the basic vulnerability of a long-term CC number, why they don't move to something like SecureId token one-time passwords? If you can have a different six digit number every sixty seconds for five years on one device, surely the same (now public domain) algorithms could be embedded in a credit card. The infrastructure for real-time verification is already in place. With one stroke, the whole CC# theft business could be out of business, and the first mover CC company on this would have a huge marketing advantage: "No one can ever steal your Visa number again".

Re:RBC Visa

[sam0737]

Do you mean this: http://it.slashdot.org/article.pl?sid=07/05/01/175 9235?

Re:RBC Visa

[Anonymous+Sniper]

Because it's cheaper to keep things as they are, and pay the costs of fraud rather than replacing the whole infrastructure.

Re:Why are SSNs Being Sent Wirelessly? WEP or no W

[hankwang]

Can anyone come up with a scenario where it would be ESSENTIAL for store operations to be able to send SSNs and drivers license #s over a wireless connection?

If you had read the article, you would have noted this passage:

After they used that data to crack the [WEP] encryption code the hackers digitally eavesdropped on employees logging into TJX's central database in Framingham and stole one or more user names and passwords, [...] collected transaction data including credit-card numbers [...] They were able to go into the TJX system remotely from any computer on the Internet, probers say.

Whether the cash registers transmitted this sensitive data over wifi is less relevant. The problem would have been much less severe if connections to the central database had been over https or ssh.

Re:Ok?

[oliphaunt]

Do you love it? I love it. I got [your credit card number] at Ross!

Its our own fault.

[LibertineR]

"I don't know if it's because we were the ones who were picked on in junior high, or what. But I do know that IT professionals are the most ill-treated group of highly-skilled professionals around."

This is because as a group, we are the LEAST professional of the professional vocations. With our paper MCSE's to our lack of communication skills, our refusal in some cases to "dress for success" and sometimes questionable bathing habits. Everybody who has worked in IT knows someone personally who fits this description.

You are correct, we do need organizations to screen our professionals as much as any other field. The 'soft' skills are just as important as technical prowess to be a true professional. It always helps when people assume that instead of spending all of your free time memorizing Battlestar Gallactica scripts, that you might actually have time for a girlfriend.

We did this to ourselves.

Re:Its our own fault.

[T-Bucket]

"I don't know if it's because we were the ones who were picked on in junior high, or what. But I do know that IT professionals are the most ill-treated group of highly-skilled professionals around." Clearly you don't know any professional pilots. At least you guys get paid.... eesh...

Re:Its our own fault.

[Antique+Geekmeister]

Hmm. We're a mixed lot.

I'm not sure an "organization" to certify us will help, though. It's likely to be another MCSE-like, useless paper trail to protect managers for hirinig "certified" engineersw, instead of the real necessary skill sets to do solid work.

And I've seen, recently, exactly the kind of hapless corporate security that leads to unencrypted or WEP-based wireless traffic. As a visitor at a corporate office, my jaw dropped to the floor upon discovering that they were using WEP in a first-floor office with a cafe across the street where any casual wireless user could probe their network. Then I noticed they were using FTP for internal file transfers of user accounts, encouraging packet sniffing and password theft. They then proceeded to explain to me how their non-discluser agreements and employee contracts prevented abuse.

I recommended against buying *any* technical expertise or software from that company, for this and other reasons. But it was hard for me to get the idea across to my own paycheck signers that if they're this stupid in their office, we can't hope to secure their software products in the field.

Re:Its our own fault.

[cerberusss]

This is because as a group, we [IT professionals] are the LEAST professional of the professional vocations

That's what I used to think as well. Then I found out that most vocations have their share of nerds. Take lawyers, auditors, econometrists -- I've met some that were so totally focused on their job that they couldn't talk about anything else.
Nerds are everywhere.

Re:Its our own fault.

[lordDallan]

To be fair, when claiming IT professionals were the "worst treated evah!", I did put my comments inside a [rant] tag ;)

Absolutely, there are other mistreated/maligned professionals in the world. But to be fair (and please correct me if I'm wrong), if you're a pilot - you're manager can't decide to replace you with "Bob's kid who's real smart with planes". Unfortunately that's exactly what can happen in the IT field. A more likely scenario is that Bob's aforementioned progeny would be thrust upon you to "learn the ropes".

Sure, the idea of having an unlicensed, neighborhood kid co-pilot a commercial flight seems absurd. But doesn't having a similarly unqualified, unlicensed, untested kid/young adult be in charge of securing highly sensitive data seem similarly foolish? But it happens all the time. And what's worse, as long as it doesn't blow up in anybodys face, the PHBs think everything is just hunky-dory. This makes them feel justified in getting rid of qualified individuals, and they relish their cost savings (until 1,000/100,000/10,000,000 CC#s or SS#s are lost).

Re:Its our own fault.

[Firefly1]

...our refusal in some cases to "dress for success"...

A Pertruchio quote ('The Taming of the Shrew') seems very apt here: "She's marrying me, not my clothes!" Quite aside from (say) an Armani suit and expensively styled hair not being a reliable indicator of competence.

It always helps when people assume that instead of spending all of your free time memorizing Battlestar Gallactica scripts, that you might actually have time for a girlfriend.

This is relevant, how?

The processors KNEW

[kilodelta]

I can tell you beyond a shadow of a doubt both the big card processors and many banks knew what was going on. But they were loathe to admit it because to do so would be to admit the gaping holes in bank security. It's all based on the demand draft principle. In essence, if I knew your account number I could write it on a napkin and the bank is pretty much honor bound to cash it. Same is true for credit and debit cards except in those cases, no tangible evidence is required since it's purely electronic.

This paragraph really got me:

They were so confident of being undetected that they left encrypted messages to each other on the company's network, to tell one another which files had already been copied and avoid duplicating work. The company says the hackers may even have lifted bank-card information as customers making purchases waited for their transactions to be approved. TJX transmitted that data to banks "without encryption," it acknowledged in an SEC filing. That violates credit-card company guidelines, experts say.

So in other words, the card processor didn't care that the incoming stream wasn't encrypted? Had to be First Data or whatever they call themselves now.

Re:The processors KNEW

[Ritchie70]

Depending on the connection type, there may be no requirement that the stream into the A/P be encrypted. For example, it might be a dedicated circuit from TJX's data center to the A/P data center. In that case, as in the case of a dial-up connection to the A/P, I don't believe PCI requires encryption.

I don't believe PCI requires encryption on a private network, either. It might be recognized as a "compensating control" but I don't think it's required.

I of a system that is considered PCI compliant with no encryption of cardholder data on the retail LAN.

Re:The processors KNEW

[kilodelta]

Intermediate encryption is relatively cheap. But since card services and banks are all about profit, they don't see the need to upgrade any of the gear.

Then of course there's security in the stores themselves. We recently had a breach of the POS credit card terminals at Stop & Shop in RI and MA. In essence the perps replaced the terminals. If encryption were used, the probability of success would be much lower.

How old is the IT profession again?

[wimmi]

The art of medicine and law is hundreds of years old, while being in "IT" spans mere decades.
We happen to be considered the so-called "quacks" of our profession: you cannot see or certify the charlatans (eg. MSCE) from the real educated people in IT.

Wait a few more decades to see the organisations emerge, IF the profession of computer-guy is being seen as an occupation in itself at all!

Payment Card Industry... where are you?

[binaryspiral]

We've been getting our balls busted by customers to become PCI compliant so they can maintain their status with the Credit Card industry... where the hell are they when this crap goes down? Four years running a weak wep protected network and nobody bothered to question them on it?

Wii

[antdude]

Even Wii uses WEP. What's up with that? Saving cost for Nintendo?

Re:Wii

[brain159]

Even Wii uses WEP. What's up with that? Saving cost for Nintendo? The Wii is entirely capable of using WPA - provided you don't use any super-badass characters which you can't enter using the on-screen keyboard, naturally (but it does support upper+lowercase, numbers and basic punctuation).

However, as far as I can tell, the Nintendo DS is utterly incapable of WPA.

In fact... *fiddle, taptaptap, *poke*. Yep, since I moved my wlan over to WPA (I used to use a cruddy old .11B wifi adaptor, which only supported WEP - the recent "sub-1-minute" developments spurred me into buying a new .11G dongle to fix that), the WFC Settings menu in MarioKart DS just throws a "The access point's security settings are not supported" error.

But, as I said, the Wii supports it with zero issues whatsoever.

Re:Wii

[antdude]

Ahh thanks. Maybe I got confused with DS, not Wii.

you can do this yourself for online transactions

[Artifex]

Many credit card companies now allow you to generate temporary card numbers with user-set caps on spending, on their websites.

Re:Why are SSNs Being Sent Wirelessly? WEP or no W

[LordSnooty]

Which brings us to the question of why a major retailler is using wireless in the first place

It's so all the poncey salespeople & marketers can "hot-desk" about and make themselves look important.

WEP is encrypted... and...

[madsheep]

The link was encrypted using WEP, which had been known to be broken since 2001. The crackers who got into the TJX central databases are believed to be Romanians or Russians with ties to the Russian mobs. The eventual cost of the TXJ fiasco could exceed $1 billion -- not including the numerous lawsuits filed against the retailer. Well first WEP does encrypt the link. That's kind of part of the point of it. So saying "the link was unencrypted using WEP" makes absolutely no sense. Second when I read a different article yesterday, it seemed to cite a standard open network. So there seems to be conflicting reports. In any event whether or not it had WEP or not, it still shows they should have better security. WEP *is* better than nothing, and it shows intent to hack/illegaly access the network. However, WPA(2) should always be favored over WEP.. well so long as you don't use WPA Personal with the password being a dictionary word. :P

Also, isn't it funny that their cheap discount brand is the one they rode in through? Ironic huh? The discount store using discount wireless security! hahaha...

Clear data over WEP?

[kherr]

It's a rather frightening notion that people think of WEP or WPA as their sole means of security. The underlying data were apparently unencrypted, which implies open protocols like telnet and http. WEP was intended to make wireless as "secure" as wired networking, which means not much. WEP shouldn't be used because it's completely compromised, but even WPA shouldn't be the sole level of security. WPA should be viewed as a means to thwart casual snooping of network traffic, but I'd still hope secure data layer protocols like ssh and https are being employed, not to mention encrypting data files that contain sensitive data.

Re:Clear data over WEP?

[Antique+Geekmeister]

This is a very relevant point, sir or madam. Unfortunately, the reason for *that* is a nasty legal one. The US remains the biggest software creating country in the world, and the export of encryption technologies is oddly regulated. The result is that basic software tools, such as Windows and web authorship tools and file-sharing tools, rarely include good encryption built-in.

Take a look at the history of PGP and Phil Zimmerman's legal troubles to see why people don't include robust security by default. It seems clear that the US government's avowed desire to remain able to crack overseas traffic by limiting cryptography both imperils their own citizens' security, and protects their ability to monitor their own citizens' traffic without warrants or detection. (This was demonstrated forcibly in the discovery of the monitoring rooms of the NSA at various major network provider's network backbones, which is still a nasty matter in the courts.)

Even new router encryption may not work

[flyingfsck]

Just a week ago, I bought a set of equipment from a well known 5-letter corp that shall remain nameless, that doesn't work. It has WEP and 3 modes of WPA and not one of those actually work. The only way I can get a connection between the USB adaptor and the home router is in plain text. That problem used to be common some years ago, but in 2007? Sigh...

Re:Even new router encryption may not work

[Overzeetop]

Don't feel too bad. I run my home network unencrypted so that I can use a 2005 iogear print server which cannot negotiate any tupe of wireless encryption. Luckily, I (a) don't live in a dense area and (b) have nothing of particular interest on my home network, which gets backed up remotely. Someday I'll get a new printserver - my epson actually doesn't work well with it, but I don't have space for a cheap computer - and fix it, but for now. I just walk around naked.

End to end encryption

[flyingfsck]

Companies should use end-to-end encryption for data links and should not rely on the simple encryption built into WiFi devices anyway. It should not matter whether WEP is working or broken. The data stream should be encrypted all the way, not just over the air.

Re:ATM Transactions

[Douglas+Goodall]

A while back I worked at a bank (actually a holding company that owned 23 banks). ATM transactions are heavily encrypted and to the best of my knowledge are fairly safe. What is less safe is having point of sale employees with momentary access to your card (depending on their memory). Anyway, I don't worry about the ATM link encryption. Others aspects bother me though. The entire process deserves review.

Re:Why are SSNs Being Sent Wirelessly? WEP or no W

[llefler]

Retailers use wireless for things like the portable scanners they use for inventory functions. In the past I have noticed Walmart, Target, and KMart all using Symbol PDT 6800s. As to why they only use WEP, that's all the scanners support. Early models only supported 40-bit WEP. Later releases supported 128-bit WEP and Symbol's proprietary KeyGuard, which requires using (expensive) Symbol access points. Although the PDT6800s have been end-of-lifed, you aren't going to rush out and replace them with newer tech if they are getting the job done. Not at $3k a piece. And even with the replacement, MC9000s, you have to ask yourself why their Windows Mobile OS is running a web server.

Of course a network engineer would wonder why the cash register network wasn't a secure, separate network. But rarely are networks designed by network engineers. They simply grow out of necessity.

IEEE members should be ashamed

[renoX]

One of the real question is: why IEEE standardised the WEP in the first place?
If they made such basic mistakes in security on one standard, what prevents them to do other identical mistakes.

Sure, it tough to devise 100% secure scheme, but there is a huge difference between coming with say MD5 which took years to be broken and WEP which was seen as broken as soon as it was studied by security experts..

Re:IEEE members should be ashamed

[salahx]

Because WEP is "Wired equivalent Privacy". It was created to compensate for the security loss of not have to physically plug into a jack - which isn't much. And for the purpose, WEP does it job. But now experience has shown that wireless security has to be greater than "Wired equivalent". Hindsight to 20/20 though.

The fact that anyone with an Ethernet connection to that network - inside job or not - could have done this is much more disturbing than the weakness of WEP.

Re:So what?

[pe1chl]

It could become a problem for you when the merchant goes out of business because of accumulated losses due to fraud, or stops accepting credit cards to avoid incurring more losses.

It could be a nuisance for you when the merchant decides to increase prices to cover for losses or to add a service charge.
(of course this is already happening, but you are going to pay more and more)

So, it still is your problem, and you want the credit card company to do something about it. E.g. end all service where two-factor authentication is not required.
(you cannot use your credit card by only mentioning its number, you must prove physical possession of the card)

Re:Pringles ....

[DrSkwid]

The UK's biggest cable supplier ntl: / Telewest bars the use of VPNs on their home DSL. Yes, you read that right, the right to bar ntl: from browsing your data is forbidden.

They also want you to pay 4x the price if you want a fixed IP.

Re:well

[DrSkwid]

What's the point of all that crap. How are you going to make the wire from the POS to the Bank totally shielded and MiM proof ?
If you can't trust the bank employees not to steal your money there's no point in having any stored there.

in all likelihood?

[Gary+W.+Longsine]

My experience as a consultant delivering the bad news like (and even specificially including): "WEP has been cracked, you need to replace all your wireless access points immediately because they don't support WPA" indicates otherwise. Managers are often given many goals which are difficult to balance. Short term budget constraints are typically the foremost issue for them. Replacing systems that "work just fine" because they are vulnerable to a security defect which they don't understand is seldom high on thier "to do" list.

If I had been providing security consulting to TJX, managers all the way up the chain to the CIO would have been told over and over and over that they must consider WEP networks to be insecure and replace them.

I don't know what happened at TJX, but your assumption doesn't match my experience with other managers in orther organizations. Most IT staff and managers really didn't take the WEP crack seriously for a long, long time. Many security people had to actually demonstate the WEP crack to their managers or clents before they would take it seriously.

The only part of this story that surprises me is that we haven't heard a couple dozen identical stories from other organizations. There is no possible way that TJX is the only company to fall victim to a WEP crack.

Re:well

[ShooterNeo]

uhh...because the key sent over the wire is a temporary transaction code only good for 1 minute.

"telescope-shaped"

[N3Z]

Interesting euphemism for a Pringles can.

Re:well

[DrSkwid]

1 minute = 180,000,000,000 clock cycles @ 3Ghz

Which is enough to do plenty of things.