Slashdot Mirror


TJX Breach Began With WEP Crack

An anonymous reader sends us to the Wall Street Journal for a detailed report on what is known to date about the TJX data breach. It seems that the loss of over 45 million credit card numbers and more than 450,000 SSNs, driver's license numbers, and military identifications began with someone using a "telescope-shaped" antenna at a wireless link at a Marshall's near St. Paul, Minnesota in July 2005. The link was encrypted using WEP, which had been known to be broken since 2001. The crackers who got into the TJX central databases are believed to be Romanians or Russians with ties to the Russian mobs. The eventual cost of the TJX fiasco could exceed $1 billion, not including the numerous lawsuits filed against the retailer.

17 of 164 comments

  1. Why isn't WEP recalled? by krbvroc1 · · Score: 3, Interesting

    WEP is seriously flawed. Why hasn't it been recalled and all router manufacturers forced to replace the hardware (or firmware)?
    In most industries if you ship such a flawed product, the manufacturer has some liability. They are still selling them today too.

    Of course shame on TJ Max and the whole handling of this fiasco. Not that I ever did previously, but I would never shop there.

    1. Re:Why isn't WEP recalled? by smittyoneeach · · Score: 3, Insightful

      WEP is 'good enough' for running your home network. It lets the neighbors know to keep out, like a lock on the door.
      Like any lock, (including WPA, no?) you can beat it with enough hardware.
      If you're that paranoid, you're running a wired network anyway, right?

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    2. Re:Why isn't WEP recalled? by _Sharp'r_ · · Score: 4, Insightful

      At this point in time, WEP is more like the lock on your bathroom door. Fine to let people know that you don't want visitors, but not really designed to keep anyone out who wants to get in.

      WPA is more like a front-door with a keylock and a deadbolt. Someone could break in, but they'd have to at least take a little more trouble than pulling a coin out of their pocket like you can do with "interior" locks.

      If it's something you need to be secure, then yeah, you should be running encrypted traffic over a physically secure wired connection, not broadcasting everything to the neighborhood.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
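The summary says WEP had been known to be broken since 2001, and the comment above calls it a bathroom-door lock. As an added example (not code from the thread or from any of the posters), the block below builds the WEP construction from its parts, RC4 keyed with a 3-byte IV prepended to the shared key and a CRC32 "ICV", and shows the weakness that needs no cleverness at all: the IV is only 24 bits, so a busy access point repeats one within hours, and two frames under the same IV share a keystream. Any frame with predictable content (every WEP data frame opens with the constant LLC/SNAP header aa aa 03 00 00 00) gives up that keystream, which then decrypts the other frame without the key ever being recovered. The key, IV, frame contents and the test PAN are constructed demo data. The real FMS/KoreK/PTW attacks go further and recover the key itself from a few tens of thousands of captured frames; this block only shows the keystream-reuse half of the story.

```python
import math
import zlib


def rc4_keystream(key, n):
    """Plain RC4 (KSA then PRGA), the stream cipher WEP is built on."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext):
    """WEP's integrity value is a plain CRC32, not a MAC."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(shared_key, iv, plaintext):
    """WEP data payload: 3-byte IV in the clear, then RC4(IV||key) XOR (plaintext || ICV)."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)
    body = plaintext + icv(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key, payload):
    iv, ct = payload[:3], payload[3:]
    body = xor_bytes(ct, rc4_keystream(iv + shared_key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    if tag != icv(plaintext):
        raise ValueError("ICV mismatch")
    return plaintext


# Attacker side from here on: no key, only sniffed payloads.
def recover_keystream(payload, known_plaintext):
    """A frame with predictable plaintext gives up its keystream: ct XOR known."""
    iv, ct = payload[:3], payload[3:]
    known_body = known_plaintext + icv(known_plaintext)
    return iv, xor_bytes(ct, known_body)


def decrypt_with_reused_keystream(payload, iv, keystream):
    """Same key and same IV means the same keystream, so a second frame under that IV is readable."""
    if payload[:3] != iv:
        raise ValueError("different IV, this keystream does not apply")
    ct = payload[3:]
    if len(ct) > len(keystream):
        raise ValueError("recovered keystream is shorter than this frame")
    return xor_bytes(ct, keystream)[:-4]  # drop the ICV


def frames_until_iv_collision(p=0.5, iv_bits=24):
    """Birthday bound: frames sent before two of them share an IV with probability p."""
    return math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p)))


# Constructed demo data: a 40-bit key the attacker never sees, and one IV the AP uses twice.
DEMO_KEY = bytes.fromhex("0badc0de42")
DEMO_IV = bytes.fromhex("0f0c03")
# LLC/SNAP header plus the ARP ethertype; here the whole padded frame is treated as known.
KNOWN_FRAME_PLAINTEXT = bytes.fromhex("aaaa030000000806") + bytes(40)
SECRET_PLAINTEXT = b"PAN=4111111111111111;EXP=0912"  # constructed; a standard test PAN


def demo():
    sniffed_known = wep_encrypt(DEMO_KEY, DEMO_IV, KNOWN_FRAME_PLAINTEXT)
    sniffed_secret = wep_encrypt(DEMO_KEY, DEMO_IV, SECRET_PLAINTEXT)
    iv, ks = recover_keystream(sniffed_known, KNOWN_FRAME_PLAINTEXT)
    return decrypt_with_reused_keystream(sniffed_secret, iv, ks)


if __name__ == "__main__":
    print(demo())
    print(f"~{frames_until_iv_collision():.0f} frames for a 50% chance of a repeated IV")
```

The birthday figure is the point to take away: roughly five thousand frames, a few minutes of handheld-scanner traffic, for a coin-flip chance that some IV has already repeated, and every repeat hands the listener a reusable keystream for the life of the key.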
    3. Re:Why isn't WEP recalled? by arth1 · · Score: 4, Informative

      There's plenty of older hardware that doesn't have the processing power to do WPA, and has to rely on WEP. This is especially true for embedded devices (like print servers and bar code scanners) and PDAs. And for larger companies, replacing every single access point AND WiFi-device isn't a small thing.
      Could you imagine being the IT manager who has to tell upper management that the big expense you added to the budget two years ago, which was supposed to last five years before being incrementally replaced, now has to be completely trashed and replaced in one go because the encryption turned out to not be safe?

      The best thing many companies can do short term is to limit the damage, by restricting the use of WEP to data that they can afford losing. But even that requires admitting flaws, and is likely to get your head chopped off for bringing the bad news.

    4. Re:Why isn't WEP recalled? by krbvroc1 · · Score: 4, Insightful

        Could you imagine being the IT manager who has to tell upper management that the big expense you added to the budget two years ago, which was supposed to last five years before being incrementally replaced, now has to be completely trashed and replaced in one go because the encryption turned out to not be safe?

      Except WEP has been known to be broken since 2001. Also your IT manager example is putting profit above the safeguarding of customer information such as their credit cards. Didn't Ford Motor Company balk at the expense of adding an $11 fuel bladder to prevent the Ford Pinto from exploding? They figured they would just pay whatever damages, but when they were punished by a jury, the damages for a single death totaled more than their entire estimate. The damages were so high partly because the jury was made aware that Ford actually went through a thought process like your IT manager's: they understood the risks, but didn't want to spend money on the problem.

      If there are older devices that only support WEP, those can be moved to a separate router and firewalled/VLAN/etc.

      I wonder how much money the 'Credit Monitoring' services make out of all these breaches?

      It seems to me the only solution to this is to pass strong data ownership protections for consumers. Right now, the companies place very little value on the data (except for marketing/advertising purposes), but this needs to change somehow.
    5. Re:Why isn't WEP recalled? by maxume · · Score: 3, Insightful

      There needs to be some sort of data protection regulation, but there also needs to be some legislation that says that I'm not responsible for anything and everything that somebody impersonating me does, simply because I'm in no position to prevent those attempts. At the moment, individuals bear the brunt of the consequences when a credit card issuer gives a card to somebody committing fraud; that's insane, the issuer should be forced to face the consequences, because then they would quickly become much more careful about finding out who their customers are.

      --
      Nerd rage is the funniest rage.
    6. Re:Why isn't WEP recalled? by lordDallan · · Score: 3, Insightful

      Sure, or maybe the "I have a business major and/or MBA!" Senior Execs who the IT managers undoubtedly report to, need to get a clue and allocate a real budget to their IT staff.

      I bet replacing/upgrading/changing the hardware/software that was to blame across TJX's entire corporate infrastructure would have cost much less than the $1 billion dollars that dealing with the current situation could purportedly cost.

      [Rant begins here]Now I'm not saying the IT management were blameless either. But the greater issue IMHO is that IT is treated with disdain. IT managers are often treated as something to be tolerated by businesses. This is a horribly backwards, outdated mindset. Unfortunately, IT professionals seem to be doing very little to change this.

      At this point, IT is vital, vital to any $10M/year or higher in revenues (to pick an arbitrary number) business. But it is often treated as though it's some glorified janitorial service. Attention MBAs, IT is not there to clean up your screwed up PC and make sure your BlackBerry works. Sure, that's part of their bailiwick, but until corporate managers start realizing that their businesses live and die by their IT infrastructure (as the TJX debacle clearly demonstrates), these mistakes will happen over and over again.

      The other side of the coin are the people who work in IT itself. I don't know if it's because we were the ones who were picked on in junior high, or what. But I do know that IT professionals are the most ill-treated group of highly-skilled professionals around. Why there isn't some sort of real guild/league/association of IT professionals eludes me. Look at doctors and lawyers. They have the AMA, and the bar (forgive me if my details here aren't exactly correct, but I think my point is clear), they have specialized degrees, and they don't take sh*t from anyone. Why? Because they know they have unique knowledge and they expect to be compensated accordingly. And when someone tries to muck up their good racket they have going, their professional organizations' lobby groups kick into high gear and start shredding whoever it is that wants to take their candy.

      On the other hand, when anyone even tries to mention the idea of some formalized "union-like" IT organization, all of the IT types start screaming bloody murder, and all this weird pseudo-libertarian, free market babble starts gurgling out from their pie holes. Attention IT professionals, this isn't about political philosophy. It's about fighting, scratching, "give me my piece of the pie you *sshole" capitalism. IT professionals need to wake up and take control of their situation. I assure you the big boys at the top of the heap love watching you scramble about at their beck and call while their billions of dollars are funneled through systems you keep running with wire and glue because you don't want to rock the boat by asking for a bigger, strike that, realistic budget.

      I'm not sure what the right steps would be to start moving towards forming a professional IT organization with real power (as in you can't get jack done on your computers unless you use someone from our guild, any more than you can litigate or perform surgery without a bar-certified lawyer or board-certified doctor), but until that happens, IT workers will be thralls and TJX's and TSA laptop debacles, and IBM outsourcing hoo-has etc. will happen based solely on the whims of people who think that Excel macros are software and phone cords are what connect computers on a LAN. And just to be clear, Microsoft, ITT Tech, COMP-TIA, CISCO certifications do not cut the mustard as they do not exist to help you in any way. The benefit you gain is a sliver of what the organizations who dole them out make from your labor.[Rant ends here]

    7. Re:Why isn't WEP recalled? by sumdumass · · Score: 3, Insightful

      The real way to secure a wireless connection is to set the wireless devices outside the network and VPN any access that needs to be inside the network. It is difficult and sometimes expensive but that's what really needs to be done. And then you're not completely safe, you just have one more layer to defeat. And if your IDS is functioning properly, it should alert you to most attempts and possibly sever the connection.

      I have talked to (business) customers who had their "son" or neighbor who is a part time rocket scientist put wireless in because they didn't want to run cables and I have cracked it while letting them tell us how secure it is. I'm not using anything special either, it is just commonly available script kiddie tools.

      I'm not knocking WPA, I just know physical access to the network is a key part of any security. You wouldn't run a couple of ports out to the street for anyone to connect to and do whatever. This is essentially what you're doing with wireless. And once they do "whatever", you need another layer that you can detect intrusions with before the real network gets accessed in order to remain secure.
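Comment 4 above suggests moving the WEP-only devices onto their own router behind a firewall or VLAN, and the comment just above says to keep wireless outside the network, VPN any access inward, and let an IDS watch what crosses. As an added example, not from the thread or any poster, here is what both suggestions look like together as an nftables ruleset on the router between the wireless VLAN and the wired core. The interface name eth0.50 (802.1Q VLAN 50), the address ranges, the markdown/inventory service at 10.20.1.15:8443 and the VPN concentrator at 10.20.1.2:1194/udp are all assumptions chosen for illustration.

```nft
# Added example. Assumed layout: eth0.50 carries the WEP-only handhelds (10.10.50.0/24);
# 10.20.1.15:8443 is the markdown/inventory service; 10.20.1.2:1194/udp is the VPN concentrator.
table inet wep_island {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Handhelds that can only do WEP get exactly one service on one port, nothing else.
        iifname "eth0.50" ip saddr 10.10.50.0/24 ip daddr 10.20.1.15 tcp dport 8443 accept

        # Devices that can run a VPN client terminate on the concentrator; what they may
        # reach inside is decided there, after authentication, not in this chain.
        iifname "eth0.50" ip saddr 10.10.50.0/24 ip daddr 10.20.1.2 udp dport 1194 accept

        # Nothing on the wired side opens connections toward the wireless segment.
        oifname "eth0.50" ct state new drop

        # Everything else from the wireless segment is the IDS signal: log it, then drop it.
        # A wireless host touching the card-database subnet should never show up under this prefix.
        iifname "eth0.50" limit rate 20/second log prefix "WEP-SEGMENT-DENY: "
        iifname "eth0.50" counter drop
    }
}
```

Load with `nft -f` and point the log collector at the WEP-SEGMENT-DENY prefix. The ruleset does not make WEP safe: anyone within antenna range of VLAN 50 can still read and inject traffic on it, so the handhelds should only be carrying data the business can afford to lose (price markdowns, stock counts), which is arth1's point above, and the rate-limited log line is there so that the first time a wireless host probes 10.20.1.0/24 for anything other than port 8443, somebody hears about it.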

    8. Re:Why isn't WEP recalled? by jd · · Score: 3, Interesting
      Oh, certainly. 802.1x isn't perfect, by any means. The first rule of IT security, though, is to always be two steps ahead of those doing the compromising. One step means that you're secure when you install, but will have indefinite periods of uncertainty when you COULD be vulnerable. This is typically the way things are done, and it is stupid beyond belief.

      No, the logical method is to expect some component - any component - of the security to be compromised between now and the end of use. You then have a second, wholly independent, component which must simultaneously be compromised in order to be vulnerable. You upgrade when EITHER fails. It is then virtually certain that both have not failed, so everything remains intact, and you use that lead time to perform the upgrade.

      You could regard this as a variant on the Byzantine General's Problem. There, some number of components are "traitors" (in this case, compromised), yet you have to make sure that the orders (data) received come from an authorized source alone. Other variants of this problem deal with making sure that that data does not fall into the wrong hands, such as using Byzantine key distribution.

      Three algorithms, three block ciphers, three hashing functions. Any one of those gets broken, simply roll onto the next in the list. If you're sneaky enough, you have some mechanism for automatically switching combinations when the key is refreshed, making it much harder for an attacker to know which combination is actually being used at the time.

      Security doesn't have to be perfect to be truly secure, it just has to be impassable in the time you detect an attacker bypassing one component and the time you can replace what has been broken. The defender in a real-time situation always has the advantage when it comes to what happens next. The attacker ONLY has the advantage when it comes to what has already happened. So long as there is no usable relationship, the attacker must always lose.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  2. Re:Ok? by pchan- · · Score: 4, Informative

    TJX - commonly known to American consumers as TJ Max and Marshalls retail stores. If you made purchases at these stores, you could be affected.

  3. Why are SSNs Being Sent Wirelessly? WEP or no WEP by MaizeMan · · Score: 3, Insightful

    Which brings us to the question of why a major retailer is using wireless in the first place. I'm personally no more than an interested amateur, but I've read professionals running corporate networks who, if they have to include a wireless component at all, keep it completely separate from the secure, WIRED, network. You get internet access, but no accessing the company databases from the wireless. Can anyone come up with a scenario where it would be ESSENTIAL for store operations to be able to send SSNs and drivers license #s over a wireless connection?

  4. Ironic by segedunum · · Score: 4, Insightful

    It's ironic really. Many thought it might be some insider job, a complicated back door, some flaw in an internet facing system - but no. The company was daft enough to put their internal data over a network that is explicitly designed to get around physical barriers to access, and no one, and I mean no one, seems to understand this.

    A friend of mine has a reasonable but small IT business in the UK, and recently he started pushing the wireless expertise side - setting up wireless networks, explaining why they are a bigger risk than a wired network, securing them (and what to do if you are really paranoid) and trying to guarantee QoS more by setting it up correctly. Positioning your access points properly, doing wireless scanning to pick out any interference spots etc.

    No one is interested, and I don't just mean small businesses, but some quite large companies who should know an awful lot better. It's not a UK thing either, because most people believe setting up a wireless network is about popping down to the local store, picking up a Netgear, switching it on and letting Windows attach you to the nearest wireless network it can find. Astonishing.

    The only thing that shocks me is that this doesn't happen all the time, because many networks are just an open invitation. I mean OK, it's not that easy because you have to watch the network traffic and find out where the useful juicy bits of data are. That isn't completely straightforward, but once you are inside an average company's network it's doable because everything tends to act as if it is safe and fenced off.

  5. Leave the WEP out for a moment by Actually,+I+do+RTFA · · Score: 4, Insightful

    WEP compromised the communication of one retail store. Apparently enough information was stored in that one store to compromise a database with 4 years of records. So, an inside job at that level (assistant cashier probably had enough access to their wires) would be trivial. A better question... why would 4 years of CC numbers, etc. be accessible over the internet at all. Why not have that server offline, with updates posted occasionally via sneakernet? And hash the CC numbers. And otherwise, protect consumer information.

    --
    Your ad here. Ask me how!
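The comment above proposes hashing the stored card numbers. As an added example (not from the thread or any poster), the block below shows what a practitioner would check before relying on that: the attacker who has the hash column usually also has the issuer prefix (BIN ranges are published) and the last four digits (printed on every receipt), and the Luhn check digit fixes one more, so an unkeyed SHA-256 of a 16-digit PAN leaves only 100,000 candidates and falls in about a second. A keyed hash (HMAC with a secret the database does not hold) stops that enumeration because the attacker cannot compute candidate hashes at all. The PAN used is the standard 4111 test number, constructed demo data; the key is generated on the spot and in production would live in an HSM or a separate tokenisation service.

```python
import hashlib
import hmac
import os

LUHN_DOUBLE = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)  # 2*d with its digits summed, for d in 0..9


def luhn_sum(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += LUHN_DOUBLE[d] if i % 2 else d
    return total


def luhn_ok(pan):
    return luhn_sum(pan) % 10 == 0


def complete_luhn(prefix, suffix):
    """Fill the single digit between prefix and suffix so the whole number passes Luhn.
    The doubling table is a bijection on 0..9, so the digit is unique and needs no search."""
    rest = luhn_sum(prefix + "0" + suffix)
    need = (-rest) % 10
    doubled = len(suffix) % 2 == 1  # position of the gap, counted from the right
    x = LUHN_DOUBLE.index(need) if doubled else need
    return prefix + str(x) + suffix


def plain_hash(pan):
    """What 'just hash the CC numbers' usually ends up meaning."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan, key):
    """HMAC-SHA256 under a secret the database never sees."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def brute_force_pan(target, bin6, last4, hash_fn):
    """Attacker view: stolen hash, public BIN, last four from a receipt. Five free digits
    remain once Luhn fixes the sixth, so 100,000 candidates cover the whole space."""
    for mid in range(100_000):
        pan = complete_luhn(f"{bin6}{mid:05d}", last4)
        if hash_fn(pan) == target:
            return pan
    return None


def demo():
    pan = "4111111111111111"  # constructed; the usual test PAN
    bin6, last4 = pan[:6], pan[-4:]
    recovered = brute_force_pan(plain_hash(pan), bin6, last4, plain_hash)
    # Keyed column: the attacker has no key, so the best available attempt is the unkeyed
    # enumeration, and it finds nothing.
    key = os.urandom(32)
    not_recovered = brute_force_pan(keyed_hash(pan, key), bin6, last4, plain_hash)
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())
```

The keyed hash still supports the legitimate use (look up a card by recomputing its HMAC for a chargeback), which is why it is the usual shape of PAN tokenisation; the thing that has to hold is that whoever dumps the database cannot also read the key, otherwise the search above is back to a second of work.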
  6. Well, I Wouldn't Shop With Them - Ever by segedunum · · Score: 3, Interesting
    Just read through the article more thoroughly, and several things worry me:

      TJX declined to comment on those numbers, but says it is undertaking a "thorough, painstaking investigation of the breach," hiring a team of 50 data security experts in December and taking a charge of $5 million in its first fiscal quarter.

    Well, we all know how brilliant data security experts are, and I really hope that sentence doesn't mean that they are simply throwing $5 million at them. You know what consultants are like - give them enough money and they will tell you everything you want to hear, even if the reality is a horror show.

      It says it will also pay for a credit-card fraud monitoring service to help avert identity theft for customers whose Social Security numbers were stolen. "We believe customers should feel safe shopping in our stores," says a letter from Chief Executive Carol Meyrowitz posted on TJX's Web site.

    The whole bloody point of this is that you don't get to that point in the first place. Stable door, horse bolted?

      The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators.

    What the hell were they using this wireless network for?

      The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators. They first tapped into data transmitted by hand-held equipment that stores use to communicate price markdowns and to manage inventory.

    So they were using an unsecured wireless network to enable hand-held equipment to function - and they used this to run their day-to-day business?! Christ. At first I thought this was just some wireless network someone had plugged into the network somewhere arbitrarily, not something they actually used in day-to-day operations.

      The company says the hackers may even have lifted bank-card information as customers making purchases waited for their transactions to be approved. TJX transmitted that data to banks "without encryption," it acknowledged in an SEC filing.

    I'm not 100% sure what system is used for credit card purchases in the US now, but this highlights why I like using cash a bit more with the advent of chip and pin. I would also never, ever use a debit card in one of these things. You transmit your card details, and the pin as well. Brilliant. Access to your bank account, and that hard earned pay that just went in today. I'm slightly confused though, because surely this communication with banks would all happen on another network?

      At that point, TJX hired forensics experts from International Business Machines Corp. and General Dynamics Corp. and notified the U.S. Secret Service, which spent a month trying to catch the hackers in the act.

    So you take no responsibility for your own systems, and you have no internal expertise? Wonderful.

      Massachusetts Rep. Barney Frank, chairman of the House Financial Services Committee, said in March he believes Congress will move to require a company responsible for allowing a breach to bear the costs of notifying customers and reissuing cards.

    That's probably the only way, because some companies simply believe they don't have to take responsibility for IT, data, security and especially wireless security. It's something that is best swept under the carpet, and setting up a wireless network is as easy as spending a bit of money on a little access point you've seen at a local store, right? Why spend money doing it properly?
  7. Put Management's Data In The Databases by NeverVotedBush · · Score: 5, Interesting

    And shareholder's data. Make a law that puts the money-grubbing CEO and other officer's data in the databases with the customer's data. Then sit back and see what kind of directives management gives to their IT departments to secure data, networks, and workstations. But put their personal data to the same risk as what they deem is sufficient for all the people they don't know or care about. Then see how responsible they get.

  8. RBC Visa by jjohnson · · Score: 4, Interesting

    pre-emptively changed my Visa card number a couple months before this became public. I found out that I was not affected by this break-in later, so I'm unsure whether or not it was in response to

    The question in my mind is, given the basic vulnerability of a long-term CC number, why they don't move to something like SecureId token one-time passwords? If you can have a different six digit number every sixty seconds for five years on one device, surely the same (now public domain) algorithms could be embedded in a credit card. The infrastructure for real-time verification is already in place. With one stroke, the whole CC# theft business could be out of business, and the first mover CC company on this would have a huge marketing advantage: "No one can ever steal your Visa number again".

    --
    Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
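The comment above asks why a card cannot carry the same one-time-code algorithm as a SecurID token. The public-domain algorithms it refers to are HOTP (RFC 4226) and its clock-driven form TOTP (RFC 6238), and as an added example (not from the thread or any poster) the block below implements both with a 60-second step, plus the issuer-side verifier that makes a captured code worthless: it tolerates one step of clock skew, compares in constant time, and never honours a counter at or below the last one it accepted, so a code sniffed off an unencrypted authorisation cannot be replayed even within its own minute. The secret is the published RFC 4226 test secret and the timestamp is constructed demo data.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret, at_time, step=60, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (60-second step, as in the comment)."""
    return hotp(secret, int(at_time) // step, digits)


class IssuerVerifier:
    """Issuer side for one card. Holds the card's secret, accepts one step of clock skew either
    way, and refuses any counter at or below the last one it honoured, which is the replay check."""

    def __init__(self, secret, step=60, skew=1, digits=6):
        self.secret, self.step, self.skew, self.digits = secret, step, skew, digits
        self.last_counter = -1

    def verify(self, code, at_time):
        base = int(at_time) // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter <= self.last_counter:
                continue  # already used, or older than something already used
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


RFC4226_SECRET = b"12345678901234567890"  # test secret from RFC 4226 Appendix D


def demo():
    """Returns (first use accepted, replay of the same code rejected, next-minute code accepted)."""
    card = IssuerVerifier(RFC4226_SECRET)
    t = 1_700_000_000  # constructed timestamp
    code = totp(RFC4226_SECRET, t)
    first = card.verify(code, t)
    replay = card.verify(code, t + 20)  # the sniffed code, replayed 20 seconds later
    following = card.verify(totp(RFC4226_SECRET, t + 60), t + 60)
    return first, replay, following


if __name__ == "__main__":
    print(hotp(RFC4226_SECRET, 0), demo())
```

Two caveats a practitioner would add: a six-digit code with a three-step window is guessed with probability 3 in a million per attempt, so the issuer must rate-limit attempts per card; and the card needs either a clock or a counter that survives in the plastic, which is the engineering problem the comment's "embed it in a credit card" glosses over. EMV chip cards later took the counter route, computing a per-transaction cryptogram over the transaction data rather than a bare time-based code.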
  9. Its our own fault. by LibertineR · · Score: 4, Insightful
    "I don't know if it's because we were the ones who were picked on in junior high, or what. But I do know that IT professionals are the most ill-treated group of highly-skilled professionals around."

    This is because as a group, we are the LEAST professional of the professional vocations. With our paper MCSE's to our lack of communication skills, our refusal in some cases to "dress for success" and sometimes questionable bathing habits. Everybody who has worked in IT knows someone personally who fits this description.

    You are correct, we do need organizations to screen our professionals as much as any other field. The 'soft' skills are just as important as technical prowess to be a true professional. It always helps when people assume that instead of spending all of your free time memorizing Battlestar Galactica scripts, you might actually have time for a girlfriend.

    We did this to ourselves.