Slashdot Mirror


TJX Security Breach Described

Bunderfeld notes more details coming out about how bad guys got into the TJX network. Last time we discussed this, the best information indicated that a WEP crack had started the ball rolling. Now we learn that instead, or in addition: "Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. 'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,' says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding 'suspicious software' on its computer systems."

104 comments

  1. Tchoh by Gricey · · Score: 3, Insightful

    Sounds to me like incompetence. You're a big company, pay for people to look after your infrastructure... I hate it when publicly traded companies cut corners to put that stock price up just a fraction of a nanocent.

    -- incubus

    --
    Sticking feathers up your butt does not make you a chicken.
    1. Re:Tchoh by Anonymous Coward · · Score: 0

      Never attribute to malice what can be accomplished by incompetence.
      /lose the holier-than-thou attitude, right this is /.

    2. Re:Tchoh by Anonymous Coward · · Score: 0

      Sorry, but that's a dumb comment. You're totally speculating that it's incompetence, but it's easy to say that now.

      Then you go on to complain about corporations wanting to save a buck as the reason for this (all from speculation).

      People make oversights like this all the time, but are fortunately lucky enough that nothing serious happens. It could probably happen to you just as easily...

    3. Re:Tchoh by asphaltjesus · · Score: 2, Interesting

      You're a big company, pay for people to look after your infrastructure.

      1. They might do that. Only the problem may not have been in IT per se. I can easily imagine someone from another department purchasing the kiosks then throwing the request to connect the kiosk to the store's network over the so-called wall to IT. That's just one plausible scenario.

      2. Don't be surprised when the kiosk manufacturer comes back and says, "Hey, I don't provide secured operating systems running on the computer inside the kiosk I manufacture."

      3. The likelihood the kiosk in question ran windows is high given the compromise.

      --
      Got Trader Joe's? friendwich.com RSS feeds work now!
    4. Re:Tchoh by Vancorps · · Score: 2, Interesting

      Sounds simply like an insecure kiosk. A lot of them are Windows based but you only need to set up one to be able to secure them all, so the OS excuse doesn't really hold water, especially with products like VMware out there providing solid solutions for this very problem.

      I would also say number 1 is a likely scenario. Marketing made the decision to purchase the kiosks and misrepresented what the kiosk manufacturer was providing, so IT let it slide because they're busy working. 'Course you can also argue that IT missed its due diligence on this one.

    5. Re:Tchoh by BosstonesOwn · · Score: 2, Interesting

      As someone who worked there: they are retailers, they always cut corners. They have a small staff of IT guys to oversee so many stores and it bit them in the ass.

      --
      This package Does Not Contain a Winner
    6. Re:Tchoh by TechForensics · · Score: 1

      I think you mean "D'OH!!"

      --
      Those are my principles, and if you don't like them... well, I have others.
    7. Re:Tchoh by indian_rediff · · Score: 1

      And, in particular, TJX is a DISCOUNT retailer. They cut corners everywhere - and obviously IT planning and support and infrastructure etc. is looked upon as unnecessary overhead.

      Surprised? No. It was something that was inevitable - just waiting to happen.

      --
      All views my own. Anyone else with the same views needs to have his/her head examined.
    8. Re:Tchoh by toadlife · · Score: 1

      "3. The likelihood the kiosk in question ran windows is high given the compromise."

      Because other operating systems are so much more resistant to attackers with physical access, right?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    9. Re:Tchoh by Arthur+Grumbine · · Score: 1

      I blame the people that are always finding fault in others without knowing, or thinking about the depth of the situation. They're the true criminals.

      --
      Now that I think about it, I'm pretty sure everything I just said is completely wrong.
    10. Re:Tchoh by eh2o · · Score: 1

      Any machine can be a vector -- whatever form, intentional or otherwise -- a dumb virus, a buggy app, a faulty NIC, or a clever hacker with a USB drive. Nobody in their right mind expects a computer with MSIE running in kiosk mode to be tamper proof. Sure, the kiosk could have been more secure, but even so that is only the first line of defense. The real problem was the connection from the kiosk straight into the corporate intranet, which is an absurd transgression of even the most basic security policy -- don't grant more access than is needed. 30% of burglaries are not forced entry... clearly these guys didn't even know how to shut the door.

      Insecure kiosks, open connections to the internal network, insecure wireless networks, and insufficient access logs to figure out what happened later -- I'm not sure what to make of the false PIN entry devices but clearly TJX didn't have an effective policy in place for network ops.

    11. Re:Tchoh by SuperQ · · Score: 1

      Yep, I discovered a retail sporting goods chain had some kiosks made of thin client terminals (Wyse Winterms) that used a custom stripped-down browser using the embedded IE rendering engine. It was very well locked down to prevent you from leaving the store's internal website. All it took was one URL I found after about 10 minutes of digging through various pages that was a link to an outside site (I think it was the vendor that built the web server for the kiosk system) to find a URL that would let me save a file and launch it with the normal copy of IE, and of course leave the terminal with a full-screen IE with the Slashdot homepage open.

    12. Re:Tchoh by mrsteveman1 · · Score: 1

      You seriously think a competent IT manager could not have seen this coming?

      End user terminals should NEVER have direct access to any segment or area of a network that holds databases, services, or customer info.

    13. Re:Tchoh by dave562 · · Score: 1
      I agree with that assessment. The same thing happened where I work. The store brought in a kiosk from a particular vendor to sell a certain type of merchandise. They needed the thing connected to the network so that it could have Internet access to validate credit card transactions. Nobody bothered to tell us that the damn thing was showing up until it was already here. The attitude from the store people was, "We're just going to plug it into the network. Make it work." We ended up making them pay for the cost of enabling an optional port on the SonicWall 3060 so we could throw the thing on its own isolated network segment.

      I can only imagine the kind of headache that such a kiosk implementation would cause in an organization like TJX with stores spread across the nation. It also makes me wonder how many other retailers that have similar kiosks (Home Depot, Target, etc) also have similarly insecure setups.

  2. owned by Anonymous Coward · · Score: 0, Troll

    THE HAXXXXXXXX

    1. Re:owned by RobertB-DC · · Score: 4, Funny

      THE HAXXXXXXXX

      Geez, if you're going to troll, you should at least go for teh funneh when it's right in front of you. Razz with "T. J. HAXXXXX", or something. Don't be so lame at being lame.

      Helping AC's troll properly, check. Now to find an old lady and help her turn on her left blinker.

      --
      Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    2. Re:owned by Anonymous Coward · · Score: 0

      ~8 i r dobernala geeklord terd on my hunnies they heart this! *l*

  3. Firewalls are fail by Anonymous Coward · · Score: 0, Insightful

    Once again, a firewall would not help. If these kiosks can connect to a central computer for their normal business, then the attack vector could be through that.

    I'm sick of people saying firewalls cure everything. They do not. More often they cause problems. The real issue is application security. Always has been.

    1. Re:Firewalls are fail by LiquidCoooled · · Score: 1

      Application security is only part of the problem.
      It appears as though a physical breach occurred.

      As you know once you have your hands on the hardware, all bets are off.

      "The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,"

      --
      liqbase :: faster than paper
    2. Re:Firewalls are fail by swright · · Score: 1

      all bets are off for the data on that hardware

      still no excuse for the kiosk being able to access data from the rest of the network!

    3. Re:Firewalls are fail by ArcherB · · Score: 1

      As you know once you have your hands on the hardware, all bets are off.

      The point of a kiosk is for the public to put their hands on the hardware. No, the problem here was incompetence on both the company and kiosk manufacturer.

      The company should have made sure that these kiosks were segmented off the general network and even if they could crack their way onto the general network, these machines should have no permission to do anything. Also, a standard keyboard should never be hooked up to a kiosk. It should be locked away in a drawer behind a counter in whatever department the kiosk resides. Any text entry can be done via onscreen keyboard. If that is not an option, an employee should have to plug the keyboard in so that they are aware to keep an eye on the kiosk while the keyboard is attached.

      The kiosk manufacturer should have made sure that these machines were secure. I've worked for a kiosk manufacturer and there are things that can be done to make sure the system is secure. For starters, lock down whatever user account the primary application runs on. So even if they can get out of that app, they can't do anything beyond clicking start and shut down. Also, there are software applications that lock down the system for you. The one we used completely locked the desktop out. It was a pain to support, but it was secure.

      Of course, none of these are foolproof, but when you combine them all, they make it nearly impossible, or at least not worth it, to get into a corporate network.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    4. Re:Firewalls are fail by Opportunist · · Score: 1

      Problem is, if I read this correctly, everyone had access to that hardware. Unless I'm mistaken, it was to be used by customers, not just staff.

      But even if it is staff-only, you cannot trust those machines. Those machines are to be seen as "foreign", not "own", in any security concept, and thus are by definition not to be trusted. Such machines may interface with the internal network only through defined and monitored channels and should most definitely not have access to internal data beyond their needs.

      The problem isn't that people could manipulate the hardware in the store. That's a given. The problem is that this hardware enjoyed a level of trust that was by no means warranted.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Firewalls are fail by Joe+The+Dragon · · Score: 1

      Touch screens suck when you have to do a lot of typing, as you do when trying to get a low-wage job at a store, and most POS / kiosk apps are coded poorly so they need admin to run, and sometimes they're just a desktop inside a counter that has no lock on it. And you can blame Intel / Dell and others for needing USB ports, as they like to cut out PS/2 ports even though the older POS hardware needs PS/2 ports.

    6. Re:Firewalls are fail by Opportunist · · Score: 1

      Combine that with a sensible security concept and a secure data exchange protocol and there's nearly nothing that could be done with those kiosks.

      Take a look at internet banking. And let's ignore the ever popular trojan based attacks for now. There is NOTHING a user can do to manipulate a bank account beyond his own (and this only to his own damage, never to the bank's). And here the hardware used to interface with the bank is fully under the user's control. Ok, more or less, but it can be if the user wants to.

      Still, no way to do an online bank robbery. Because the interface limits the user to the point where he simply cannot do anything to damage the bank.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Firewalls are fail by Lloyd_Bryant · · Score: 2, Insightful

      "The kiosk manufacturer should have made sure that these machines were secure. I've worked for a kiosk manufacturer and there are things that can be done to make sure the system is secure. For starters, lock down whatever user account the primary application runs on. So even if they can get out of that app, they can't do anything beyond clicking start and shut down. Also, there are software applications that lock down the system for you. The one we used completely locked the desktop out. It was a pain to support, but it was secure."

      I'd classify that as +5 "waste of effort". You're presuming that securing the kiosk is a reliable way to secure the network. It ain't.

      Consider this scenario: An insider (the 2nd shift manager, a night security guard, whatever) lets a few friends in after-hours. These friends can, with a few hours effort, bypass *any* security you have established on that kiosk. The only way to prevent this is to armor the stupid thing like an ATM (and with enough time and effort, even *that* won't stop them).

      The way to secure the kiosks is to secure the network to which they are attached. Consider them to be potentially hostile devices, and act accordingly. If the network is properly secured, then the only potential damage from a hacked kiosk involves only those transactions that occurred at that kiosk.

      Yes, you *do* need to secure the kiosks against "casual" penetration. But don't rely on that security - assume that these devices *will* be subverted. Because if there's enough money to be made by subverting one, then somebody will do it.

      --
      Don't tell me to get a life. I had one once. It sucked.
    8. Re:Firewalls are fail by dbIII · · Score: 1

      Personally I think the hardware should be as hard to get to as the coin box in a video game. That is a solved problem so the kiosk manufacturers are not trying hard enough (just like the voting machine people). The next thing of course is that there is a remote network connection in a spot that can't always be watched running directly into the LAN - I wouldn't even let it send packets to anywhere other than the system it is supposed to talk to.

    9. Re:Firewalls are fail by Antique+Geekmeister · · Score: 1

      Oh, if you want to see that sort of physical security violation, think back to high school and the candy machines and ice cream freezers for the cafeteria. Or go visit Defcon and see how many hacker wannabes try, and occasionally succeed, in breaking into the telephone closets or go riding on elevator rooftops.

    10. Re:Firewalls are fail by Codifex+Maximus · · Score: 1

      Agreed! You have to consider the kiosk to be a hostile device and assume that it is going to be cracked no matter what you do. Limit its access over the network and secure the server/daemon it connects to.

      I'd mod parent one up if I had mod points.

      --
      Codifex Maximus ~ In search of... a shorter sig.
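The posts above by mrsteveman1, dave562, Lloyd_Bryant, dbIII and Codifex Maximus all make the same operational point: put the kiosk on its own segment, let it reach only the one server it exists to talk to, and log everything else. The following is an added example, not code from the thread or from TJX, that turns that policy into two artifacts: a default-deny nftables ruleset rendered from the policy, and a detection pass over firewall logs that flags any kiosk flow outside the allowed channel. The zone layout (kiosks in 10.50.0.0/24, a job-application server at 10.10.5.20 on TCP/443), the log format and the log lines are all constructed for the example.

```python
"""Kiosk segment: default-deny policy plus off-policy flow detection.

Added example. The addresses, the key=value log format and the log
lines below are constructed; nothing here is taken from the TJX case.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical zone layout (assumption, not from the article).
KIOSK_NET = ipaddress.ip_network("10.50.0.0/24")
# The only channel a kiosk needs: (destination, protocol, port).
ALLOWED = {("10.10.5.20", "tcp", 443)}

# Constructed firewall log: the two kiosks talk to the application server,
# then kiosk .17 starts probing a database host and SMB on the POS subnet,
# and kiosk .22 reaches out to an external address.
SAMPLE_LOG = """\
ts=2007-05-04T10:01:12 src=10.50.0.17 dst=10.10.5.20 proto=tcp dport=443 action=allow
ts=2007-05-04T10:01:40 src=10.50.0.17 dst=10.10.5.20 proto=tcp dport=443 action=allow
ts=2007-05-04T10:02:03 src=10.50.0.17 dst=10.20.3.7 proto=tcp dport=1433 action=allow
ts=2007-05-04T10:02:09 src=10.50.0.17 dst=10.20.3.0 proto=tcp dport=445 action=allow
ts=2007-05-04T10:02:15 src=10.50.0.17 dst=10.20.3.1 proto=tcp dport=445 action=allow
ts=2007-05-04T10:03:00 src=10.20.3.7 dst=10.20.3.9 proto=tcp dport=1433 action=allow
ts=2007-05-04T10:03:30 src=10.50.0.22 dst=10.10.5.20 proto=tcp dport=443 action=allow
ts=2007-05-04T10:04:10 src=10.50.0.22 dst=198.51.100.9 proto=tcp dport=80 action=allow
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)"
)


def render_nft_policy() -> str:
    """Render the allow-list as an nftables forward chain with policy drop.

    Kiosk-originated traffic is accepted only toward ALLOWED; return
    traffic is accepted by conntrack state; everything else from the
    kiosk segment is logged and dropped, which is what produces the
    evidence the detection pass below relies on.
    """
    lines = [
        "table inet kiosk {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
    ]
    for dst, proto, port in sorted(ALLOWED):
        lines.append(
            f"    ip saddr {KIOSK_NET} ip daddr {dst} {proto} dport {port} "
            "ct state new,established accept"
        )
    lines.append(f"    ip daddr {KIOSK_NET} ct state established accept")
    lines.append(f'    ip saddr {KIOSK_NET} log prefix "kiosk-deny " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


def parse(log: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def is_kiosk(addr: str) -> bool:
    return ipaddress.ip_address(addr) in KIOSK_NET


def violations(log: str) -> list:
    """Return every kiosk-originated flow that is not in the allow-list.

    The log is checked regardless of the firewall's own 'action' field:
    if the firewall allowed it and it is off-policy, that is exactly the
    misconfiguration the thread is about.
    """
    return [
        f for f in parse(log)
        if is_kiosk(f["src"]) and (f["dst"], f["proto"], f["dport"]) not in ALLOWED
    ]


def summarize(log: str) -> list:
    """Per-kiosk count of off-policy flows, worst offender first."""
    counts = Counter(f["src"] for f in violations(log))
    return counts.most_common()


if __name__ == "__main__":
    print(render_nft_policy())
    for f in violations(SAMPLE_LOG):
        print(f"{f['ts']} kiosk {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} OFF-POLICY")
    print(summarize(SAMPLE_LOG))
```

On the constructed log the pass flags four flows: three from 10.50.0.17 toward the POS subnet (a SQL Server port and two SMB probes) and one from 10.50.0.22 to an external host. The flow between 10.20.3.7 and 10.20.3.9 is ignored because neither end is a kiosk; this detector only asks whether the untrusted segment stayed inside its channel. With the rendered ruleset in place those same flows would never have been forwarded, and the "kiosk-deny" log prefix gives the access log that eh2o notes TJX apparently lacked.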
    11. Re:Firewalls are fail by sumdumass · · Score: 1

      There is a real false sense of security in these situations. These machines are inside a cabinet and the only access a normal person would or should have is a webpage in a browser with maybe a keyboard and mouse (or a touch screen). The USB and case and everything else is locked away and you usually need a key to access them.

      I have seen a few and they don't even use a full shell or normal desktop. In most of them, if you crash out of the browser applications (usually IE) you get dumped to a plain desktop with no icons or start menu. Those ones I have seen also check for the browser app and reboot if it isn't running. It makes a non-geek think that the application program thing is the only thing that can run on it.

      I agree with your trust position. It is just that these things resemble a VCR or a coin-operated video game more than a computer, so I can understand (uninformed) management being highly stupid about them. I don't think the IT department has much of an excuse though. And of course this is all with a hindsight-is-20/20 attitude.

    12. Re:Firewalls are fail by ArcherB · · Score: 1
      You copied my third paragraph and retyped my second and fourth. Here is what I said:

      "The company should have made sure that these kiosks were segmented off the general network and even if they could crack their way onto the general network, these machines should have no permission to do anything."

      and

      "Of course, none of these are foolproof, but when you combine them all, they make it nearly impossible, or at least not worth it to get into a corporate network."

      Would you spend real money paying off some low-wage employee so you and your buddies can spend hours breaking into a kiosk, cracking the software protection on that kiosk, gaining root/admin access, so you could get onto a corporate network where you have no permissions? Um... Wouldn't it just be easier to unplug the kiosk from the network and plug in a notebook?

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    13. Re:Firewalls are fail by Opportunist · · Score: 1

      Ok, now couple that with the latest exploits against browsers which allow you to run arbitrary code on the machine, and presto, malware on the computer that allows you to remote control it. Even giving the admins the benefit of doubt, i.e. that they weren't stupid enough to let the kiosk machine run with administrator privileges, if you have a good idea just what you're looking for, you can craft some code that needs only user permissions to run while giving you full access to the machine, at least to the point where you get to decide what data to retrieve, to send or to manipulate.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    14. Re:Firewalls are fail by sumdumass · · Score: 1

      I don't doubt you or deny what you're saying. I'm just saying that it is easy to think they are safer than they are. I can understand someone thinking they were fancy VCRs or something like them. No one would automatically think their VCR could be used to hack their network and steal credit card info.

    15. Re:Firewalls are fail by Opportunist · · Score: 1

      Take a computer based VCR and you're there.

      The problem is that those machines are actually multi purpose, not single purpose. They are not "dumb" machines like a VCR, a CD-Player or a TV set, which can only execute their preprogrammed function and cannot be reconfigured.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    16. Re:Firewalls are fail by sumdumass · · Score: 1

      Sure, And I agree with that. It is just easy not to notice it.

      As I said in my first post, you can get a false sense of security from them. They appear to the under-educated, and to some educated people at first, to be a dumb machine like a VCR, a CD player or a TV set.

      I'm not saying they aren't dangerous or anything. I'm just saying that people can get the wrong impression about them leaving them open to something like an attack. Their design misleads someone who doesn't know better into a false sense of security.

    17. Re:Firewalls are fail by Opportunist · · Score: 1

      Actually, now that our appliances become "smarter", they also become more prone to attacks. You certainly know about those pipe dreams of "intelligent" fridges that tell you what's about to reach its best-before date, or even get connected to the 'net and order new potatoes when you're running out of them, and those "intelligent" stoves that notice when you're burning something. But what does that mean? It necessarily means that those "dumb" devices get some kind of computer fitted into them. And that can open a completely different can of worms.

      It all depends on how "mod-able" such an appliance will be. The more something should be able to do, the more functionality it must have. The more functionality something has, the more room for exploiting it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    18. Re:Firewalls are fail by sumdumass · · Score: 1

      Ehh. I didn't really think of that. Good point.

      It might be interesting to hear a defense like: Honestly, it wasn't me, the fridge got infected with the "I_love_Milk" and "W32.spoiled.yogurt" virus and it caused it to attack the NSA and CIA networks. Meanwhile the judge is remembering the time that his stove became the target of a denial of service attack and it made him lose 10 lbs.

      Humor aside, you're probably right and it is only a matter of time.

  4. It's time for... by taupin · · Score: 2, Funny

    the blame game!

  5. That's an interesting feature by jeebee · · Score: 5, Funny

    The same kiosks that print out gift registries can be turned into kiosks that print out credit cards to pay for the purchase!

  6. They won't be the only people by swright · · Score: 1

    I'm rapidly strengthening my belief that this will not be the only company (large or small) to go through this - that many, many other companies are probably having the same done to them *right now* and don't even know it!

    This is a really crappy situation; it shouldn't have happened and frankly the entry points described here are a result of negligence, plain and simple! But it's hard; it's hard to manage a large organisation and to enforce correct and watertight procedures; security is a hard concept, one of continuous cat and mouse - but played out in your mind - hoping to God never in reality.

    Everything gets more complex, and things are more often set up and run by muppets. There will be many more of these :(

    1. Re:They won't be the only people by swright · · Score: 1

      hmm.

      </doom_and_gloom>

      The point at the end of the article cannot be overstated; no one can steal from you what you do not have. In desktop terms: don't be afraid of the Delete button!

    2. Re:They won't be the only people by Locutus · · Score: 4, Informative

      but businesses are not even trying. American Express was/is running Microsoft Internet Explorer on their customer service reps desktops AND they have internet access. With all the holes found every day in this combination, these customer service reps use the same browser to access AMEX customer databases.

      I don't know if you remember but a few years ago, there was a massive security hole in MS IE and Microsoft didn't/couldn't fix it for about 6 months. The Dept of Homeland Security even put out a recommendation to not use MS Internet Explorer because of this unpatched flaw. AMEX did nothing about it and continued as normal.

      Move about a year later and all of a sudden, CNN is on the air with no computer systems and spend the hours on the air discussing how their Windows computers are rebooting on their own. City governments across the country have the same problem and so does AMEX. The cause, a Windows spyware kit, having been installed on all these computers and many more, was crashing on some subset of the computers it was installed on and causing those to reboot. The spyware was already on a bunch of computers and only because there was a flaw which caused it to crash SOME of the computers, was it found out about.

      There is no security in corporate America or the various governments. Sure, there are some areas where smart people are doing what's right but it looks like 90% of the rest are feak'n MCSE's with one finger up their ass and the other on the mouse. click, click, click.

      These businesses should be made to pay $10,000 every time they lose customer data and for every customer. That doesn't even begin to pay for the hardships of dealing with identity theft, not even close but it would add up to millions quickly and it just might make them think about who's running the company IT department and what they are running.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    3. Re:They won't be the only people by Opportunist · · Score: 1

      This was carelessness and cutting corners. Nothing else.

      Security costs manpower. Security is not a tool that you buy and install with the default features set. Security is not something you set in stone today until the end of times. But that's something you can hardly explain to a manager. Because he doesn't see the immediate benefit of security. In fact, if the security is really good and no breaches are allowed ever, he might never see the benefit because, well, nothing happens.

      You only get to see that your security isn't good enough when something like this happens, which is immediately blamed on the admin. The admin, who didn't create a thorough security concept and who didn't audit it. Which he can't. He's already working 50+ hours a week juggling the network and keeping it afloat because, you guessed it, the network design is just as sloppy and quick'n'dirty as the security concept and he now has to invest all his available time to keep it from falling down.

      And until managers realize that IT security is a key issue to data security, nothing will change. And nothing will change until managers become actually liable for it when data gets leaked because they didn't allot sufficient funds for technology and security people.

      Instead, they hire the cheapest guy who can somehow configure some Windows Server to make it work, somehow, more or less, most of the time. Who doesn't even know how to audit the system for security, because he doesn't know the difference between PGP and PCP.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:They won't be the only people by Torvaun · · Score: 1

      When I was there a few months ago, AMEX was still running IE6 as their browser of choice. There was a separate program that hooked up to the databases, though.

      --
      I see your informative link, and raise you a pithy comment.
    5. Re:They won't be the only people by PPH · · Score: 1

      I'm rapidly strengthening my belief that this will not be the only company (large or small) to go through this - that many, many other companies are probably having the same done to them *right now* and don't even know it!

      Or know it but can't say anything about it.


      First, there's your department within the company. Who wants to be the first person to step up and report to the BOD that 'we' have screwed up and possibly cost the company millions? Next, once corporate knows it, they are not highly motivated to divulge such information to the public until circumstances force them to do so. The company reputation and goodwill (i.e. market value) will be damaged. Finally, there's the NDA problem. Sometimes, IT people can't reveal problems with software packages due to contractual restrictions imposed upon them by the system vendors.

      --
      Have gnu, will travel.
    6. Re:They won't be the only people by bhmit1 · · Score: 1

      "I'm rapidly strengthening my belief that this will not be the only company"

      I'm pretty sure you're right. It's a high value target to hit and a hard target to secure. First, you have stores that move things around frequently, tempting them to go wireless (à la Best Buy's fiasco). Next, you have a low margin, highly competitive business where cutting cost on employees, hardware, security, etc. (especially in the stores, where each dollar spent is multiplied by thousands) is good for business. Then you have customers that want speed and convenience or they will go elsewhere, so credit cards are handled with less than desirable security. And there's the store WAN that is usually too slow and unreliable to use good security practices like centralized storage of all customer data and network booting of unsecured devices. Any company that moves first to fix all of these issues will go out of business because of their high costs, long before customers go to them for the benefit of security.

      For just one example, ponder for a second when you've recently returned an item purchased with a credit card. How many times was the refund given to you on your credit card without you giving them your card? This means they still have your full card number on file for that receipt. The POS software is usually where the credit card charge and refund is processed from, so from that machine they have access to your number (not centrally, like you would need to be secure). And therefore, from any machine you can get on the store network, you have access to every credit card number handled by them if you can crack the POS software (which is always produced by a 3rd party). With the wireless hand-held devices (or even the cart-mounted ones I've seen at home improvement stores) to check inventory, the easy thing is to put the wireless on the store WAN as well, so you have an easy access point for any determined cracker. The store WAN also tends to have access to every other store in the company plus nonfirewalled access to multiple high priority servers at the corporate side.

      I've consulted for multiple retail organizations, TJX included, and none of them are perfect. The example above is only looking at the stores, and not the corporate PC's, and laptops, and vendors laptops that are prime jumping off points for worms and trojans. I think the question isn't how many will be breached in the future, but rather how many have been breached and we don't know it, and more importantly, how many have been breached and they don't even know it.
    7. Re:They won't be the only people by Anonymous Coward · · Score: 0

      While I'm sure this applies to other companies, Amex is probably not one of them. Their network is layered like an onion, and the real meat of their data is so deep that I doubt anyone has access to it via something like IE. I would be surprised if there was even a connection from their corporate intranet to their mainframes.

      Their data centers are actually really cool, though. The one I've seen looks like a regular building on their campus, but inside there's another sub-building. The entire outside is a facade.

      Another bank I've worked on is quite the opposite though. They 'upgraded' all of their ATMs to Windows from OS/2 a couple years ago. They decided it was also a good time to put them on the regular intranet, complete with sharing the normal DHCP servers. I'm sure that'll end well.

  7. storing secrets; security through obscurity by Schraegstrichpunkt · · Score: 4, Insightful

    However, Visa indicated in February, through a number of documents sent to financial institutions that issue cards and manage Visa transactions, that TJX was storing card number, expiration date, and card verification value codes, all of which are prohibited by PCI. As for its efforts at encryption, "We believe the intruder had access to the decryption algorithm for the encryption software we utilize," TJX said in its annual report.

    I love it how people talk about how they're using "encryption" when possessing the algorithm is enough to break it.

    Idiots.

    1. Re:storing secrets; security through obscurity by BosstonesOwn · · Score: 1

      Well, knowing the encryption algo. makes it easier to guess passwords. These guys were an overworked, understaffed operation. And in retail this is normal and an ongoing issue.

      The truth is there is no real way to solve these issues. They need a bigger staff, and good IT workers are very hard to come by when you value only the resume and not the person's abilities. This should make every retailer reconsider their staff. This should also make every company reconsider what they think of IT workers.

      We have for too long been the department that they just sink money into. Hell, there it was called the black hole. Money goes in but they don't understand what it buys and what good it does; that is typical at most companies. They have bean counters overseeing a technical department. Companies need to realize that without it, companies grind to a halt, and hiring a good quality candidate is more than a resume.

      --
      This package Does Not Contain a Winner
    2. Re:storing secrets; security through obscurity by rpax9000 · · Score: 1

      the joys of not working for a "value added" dept.

      eventually, as consumers become more savvy (remember for the non-techie folks how NEW all of this is) you'll see people begin to gravitate toward companies that sell the idea that they are a "Secure" place to do business.

      this started happening a few years ago on the web... soon it will be occurring in the brick and mortar stores. until then, it's the wild west.

      and...
      JOB APPLICATION KIOSKS connected to the network? WHY? i have had this conversation with various employers/managers over my career when security comes up... WHY DOES THIS MACHINE HAVE TO BE CONNECTED TO YOUR NETWORK (or at least, to your "main" network)? it should always be the first question whenever a new machine is installed, ESPECIALLY when any tom, dick and/or harry can walk in and mash buttons on the keyboard.

      --
      This space intentionally left blank
    3. Re:storing secrets; security through obscurity by Opportunist · · Score: 1

      Hey, the manager couldn't read it anymore, so it was encrypted. I once got by with ROT13'ing because I couldn't finish the project.

      But that's ok. This report will only be read by people who don't have a clue about encryption, so they will read "encryption was broken" and be satisfied with it. Yes, anyone with at least half a clue in encryption technology would immediately call it bullshit. But nobody who can see the difference between a geek code and a PGP encrypted message will ever get to question this report.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:storing secrets; security through obscurity by value_added · · Score: 1

      I love it how people talk about how they're using "encryption" when possessing the algorithm is enough to break it.

      They can if it's ROT13.

      Seriously, though, I'd expect that kind of comment from a mainstream news story or a press release, but the quote is attributed to the company's annual report -- not somewhere where you get to fudge without consequences.

    5. Re:storing secrets; security through obscurity by Opportunist · · Score: 1

      Depends entirely on the question who gets to read it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:storing secrets; security through obscurity by flosofl · · Score: 2, Informative

      Well, knowing the encryption algo. makes it easier to guess passwords.
      Not at all. One of the key features of cryptographic algorithms is that knowing what algorithm is being used has absolutely no impact on the strength. Unless it's one of those snake oil "proprietary" crypts, which is a horse of an entirely different color. However, I can't think of any enterprise class crypto systems that use closed algorithms. Most use AES, Blowfish for block cipher, RSA and ElGamal for async and signing (maybe DSA for signing as well), DH for key exchange and SHA-1, TIGER or RIPEMD for hashing (you'll see 3DES and MD series on older systems).

      The algorithm is usually never the vector of attack. With crypto it's things like key exchange, poor coding (caching the key in memory for instance), people, side-channel, or systems whose *methodology* in implementing crypto is weak. In the case of wireless encryption, I'm guessing they used WEP, which has weak key scheduling (if key discovery is what you meant by "password guessing") instead of 802.11i.

      In respect to the TJX incident, they *never* should have wireless connecting to any kind of internal production network that handles financial/personal data. The kiosks should have everything needed local to the machine, or have a dedicated and isolated network for kiosks only. Oh, and lock the damn cabinets that house the kiosks.
      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
    7. Re:storing secrets; security through obscurity by fishbowl · · Score: 1

      "Not at all. One of the key features of cryptographic algorithms is that knowing what algorithm is being used has absolutely no impact on the strength."

      A layer of obscurity makes a secure cipher no less secure.

      --
      -fb Everything not expressly forbidden is now mandatory.
    8. Re:storing secrets; security through obscurity by mybecq · · Score: 1

      However, Visa indicated in February, through a number of documents sent to financial institutions that issue cards and manage Visa transactions, that TJX was storing card number, expiration date, and card verification value codes, all of which are prohibited by PCI.
      Wrong (see Preface summary table). Only CVV2, PIN and the full magnetic stripe are prohibited. Account number, expiration date and name are permitted, although they must be protected.
    9. Re:storing secrets; security through obscurity by StikyPad · · Score: 1

      Bu lrnu? Vs lbh'er fb fzneg, gel gb penpx zl 1337 plcure!

    10. Re:storing secrets; security through obscurity by plover · · Score: 1

      Well, knowing the encryption algo. makes it easier to guess passwords.
      Kerckhoffs' principle states that a crypto system should be secure even if the attacker knows the algorithm. The strength of the algorithm rests solely on the secrecy of the key.

      If they even used encryption (which is still a question) they probably used a home-grown solution with no cryptographic review of the algorithms, the process, or of simpler things such as key management. Perhaps they baked a symmetric key in their source code, or something equally stupid. Or maybe they encrypted the account on the authorization requests, but not in the transaction data that was stored.

      But don't lay 100% of the blame at TJX's feet. I partly blame Visa, Mastercard and the entire payment card industry for failing to standardize on an encryption solution. Right now the PCI CSP audits simply state nebulous crap like "you must encrypt some stuff". They don't say "how" to encrypt them, they don't say precisely what to encrypt, and they certainly don't provide encryption formats, routines, key management practices or anything that would be useful to a retailer trying to implement encryption. If Visa really wanted security, they'd provide a secure end-to-end encrypted transaction format and require retailers to conform to it (anyone remember SET?) But no, they let TJX install something like a ROT13 cypher, and then TJX likely hired the cheapest PCI auditing firm they could find consisting of a drunk guy with a Cap'n Crunch Decoder Ring who claimed to be an encryption expert. (I've heard that some retailers who failed their PCI audits have shopped around for a more lenient auditor.)

      Don't get me wrong -- PCI has some very solid security requirements that can go a long way towards thwarting attackers. If properly designed. And properly implemented. And properly maintained. And properly audited. But that's a whole lot of "if".

      --
      John
    11. Re:storing secrets; security through obscurity by Antique+Geekmeister · · Score: 1

      Don't blame the industries solely. There have been repeated attempts to organize robust encryption in network protocols, for use in data storage, and for various basic computer operations. On the corporate side, it tends to run headlong into the US encryption export regulations, which deal with encryption technologies as materials of war and keep us all safe by trying to make sure we don't provide any to anyone else unless they promise, honest and for real, that they are allowed to have it.

      If you've never dealt with this, go try to download the Kerberos source code, at http://web.mit.edu/kerberos/dist/index.html. While the regulations against exporting encryption have already been ruled unconstitutional at least once, they were simply transferred to another regulatory department and are once again winding their way through the courts, and have been for years.

      The desire by various software vendors to have robust built-in encryption and its kissing cousins, authentication and DRM, is the force behind the "Trusted Computing" tools by Microsoft. The desire to have central control over a registered database of keys that can be accessed at any time by law enforcement or governments, at any time they wish and by any authority they can bring to bear, explains why they use the approaches they've published. Centralized keys for everyone's machines in a Microsoft signed master repository, with the master keys able to unlock or revoke other keys, is at the heart of the technology.

      It may be extremely helpful to prevent this kind of casual hackery: the technology is being built into the latest Intel and AMD CPU's. But you should be very, very frightened of the centralized database and who has official and unofficial access to it.

    12. Re:storing secrets; security through obscurity by flosofl · · Score: 1

      That's not what I was saying. I was responding to the OP's point that knowing what algorithm is being used can help you "guess" the password/passphrase (I'm thinking he meant key). It doesn't, and trying to attack an algorithm like AES or Blowfish is almost always a complete waste of resources and time.

      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
    13. Re:storing secrets; security through obscurity by darkmeridian · · Score: 1

      The PCI guidelines forbid merchants from storing personal information with credit card numbers and the CVV2 (three digit number printed on the back of the card) at all. Encryption isn't supposed to be allowed at all, but hashing is.

      I can't go into too much detail, but there are reasons a merchant would have to retain all of this information. The most significant one is fraud. Not only do you have to detect fraud, but you also have to be able to present evidence when you prosecute the criminals.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    14. Re:storing secrets; security through obscurity by plover · · Score: 1
      EAR / ITAR and government monitoring discussions are completely irrelevant. The industries have both the cryptographic know-how as well as full access to the technology. Plus, the industry has no particular concern that the government not be able to monitor or decrypt the communications. They'd be fine with a key escrow based solution. Trust me: the U.S. government isn't keeping Visa from having access to RSA or AES.

      The problem is strictly one of Visa's origin. 9 years ago Mastercard created the Secure Electronic Transaction (SET) protocol, which was a robust public-key based encryption scheme. It spelled out precisely the algorithms to use, and exactly the message envelope structure. It appeared to be cryptographically secure. So what happened to it? Visa killed it. The envelope was so secure that merchants could communicate directly with banks, completely bypassing any need for the message to travel over their closely-guarded proprietary VisaNet. And messages that don't flow over VisaNet don't generate revenue for Visa.

      It's strictly Visa's greed that has permitted the current intolerable situation to appear. And until SET or an equivalent standard is adopted (and believe me Visa will try hard to kill it) it's likely to remain the status quo. Whether or not the government wishes to mandate an escrow key on top of the protocol will make no difference.

      --
      John
    15. Re:storing secrets; security through obscurity by cduffy · · Score: 1

      The OP is right, if the key is nonrandom. If the key is a hash of a password or passphrase and you know the algorithm in use, one can then attempt a dictionary attack.

      Stupid way to implement anything that's supposed to be secure (and you're right that there are better attack vectors), but that's not to say it isn't sometimes done that way.
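      The three positions above (flosofl's "the algorithm is never the vector", plover's statement of Kerckhoffs' principle, and cduffy's caveat that a key derived from a password can be tested against a wordlist once the derivation is known) can be shown side by side in a few lines. This is an added example written for this page, not code from the thread, from TJX, or from any vendor; the candidate word list, the salt and the iteration count are constructed values, and everything used comes from the Python standard library.

```python
"""Key secrecy vs. algorithm secrecy (added example, not from the thread).

Kerckhoffs' principle: the algorithm may be public, only the key must stay
secret. That holds when the key is random. When the key is derived from a
password, knowing the (public) derivation lets an auditor test candidate
passwords; the defences are a strong password and a slow, salted KDF.
"""
import hashlib
import hmac
import os
from typing import Callable, Iterable, Optional

# Constructed candidate list standing in for a wordlist (assumption for this demo).
CANDIDATES = ["password", "letmein", "qwerty", "tjx2007", "hunter2"]


def weak_key_from_password(password: str) -> bytes:
    """Unsalted single-pass hash used directly as a key: one cheap operation per guess."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def strong_key_from_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256 (stdlib): every guess costs `iterations`
    HMAC computations, and the per-key salt defeats precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def random_key() -> bytes:
    """A 256-bit key from the OS CSPRNG: nothing to guess, whatever the algorithm."""
    return os.urandom(32)


def audit_key_against_wordlist(key: bytes, derive: Callable[[str], bytes],
                               candidates: Iterable[str]) -> Optional[str]:
    """Check whether `key` was derived from any candidate password using the public
    derivation `derive`. Returns the password found, or None. Constant-time compare
    so the audit code itself is not a timing side-channel."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), key):
            return candidate
    return None


def demo() -> dict:
    salt = b"constructed-salt"  # constructed; a real salt comes from os.urandom(16)
    results = {}
    # 1. Unsalted hash of a weak password: found immediately (cduffy's point).
    results["weak"] = audit_key_against_wordlist(
        weak_key_from_password("tjx2007"), weak_key_from_password, CANDIDATES)
    # 2. PBKDF2 of the same weak password: still found, but each guess is 100,000
    #    times more expensive, and without the salt the audit could not even start.
    results["pbkdf2"] = audit_key_against_wordlist(
        strong_key_from_password("tjx2007", salt),
        lambda p: strong_key_from_password(p, salt), CANDIDATES)
    # 3. Random key: the public algorithm gives the auditor nothing to work with
    #    (plover's point; flosofl's "waste of resources and time").
    results["random"] = audit_key_against_wordlist(
        random_key(), weak_key_from_password, CANDIDATES)
    return results


if __name__ == "__main__":
    print(demo())  # {'weak': 'tjx2007', 'pbkdf2': 'tjx2007', 'random': None}
```

      The point the three results make together: publishing the algorithm costs nothing when the key is random; what makes a password-derived key guessable is the password, not the published derivation, and a salted, iterated KDF only buys time against a weak one.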

  8. Wardriving == poaching? by billdar · · Score: 2, Insightful

    "In May, The Wall Street Journal cited a separate entry point, reporting that data thieves had accessed an improperly secured Wi-Fi network from the parking lot of a Marshall's store in St. Paul, Minn. The thieves reportedly used a wireless data poaching tactic called "wardriving" and exploited the deficiencies of the aging Wired Equivalent Privacy wireless security protocol."(Emphasis mine)

    Was shaping up to be a decent tech article until this. I don't know what irks me more about this quote:

    - Needing to define an old-ass term like wardriving
    - defining it as poaching
    - "putting" the "word" in "quotes" (I can just see the author's fingers in the air)

    Firewalls, disabling usb, corporate LAN, etc are tossed around freely... why jack with wardrivers?

    --
    I am billdar, and I approve this message.
    1. Re:Wardriving == poaching? by Radon360 · · Score: 3, Insightful

      Because proper tech journalism is about using buzzwords to sound techy!

      If you're an incompetent, technologically ignorant journalist, then you go out and look for some terms that sound appropriate and cool, then include them in your story. Heck, as a journalist, your job is to describe and explain something to the uninformed. Since the uninformed are largely a technologically challenged audience, they'll accept your cool usage of terms, usually considered passé by the real tech crowd, as an insightful look into the sophisticated technical world.

      So, if you want to be a cool tech writer, just liberally toss in a couple terms like, nano, blog, cyber, online, real-time, data mining, and Google (the last one especially used as a verb).

  9. We're heading for an IT disaster by Opportunist · · Score: 4, Interesting

    It's only a matter of time. The problem described is not isolated, it's symptomatic of a very large number of companies.

    What do we have:

    1. A company with many kiosks/outlets/POS
    2. A company network with the doctrine that everything "outside" needs to be kept out, while the "inside" has far too high privileges.
    3. Untrained, unskilled and "do we need to pay minimum wage?" staff at the POS.

    It is fairly easy to get a job at one of those POS. Hire and fire. You want it, you have it. No background check, no security check. You're simply assumed to be a vegetable because, well, if you had some kinda skill, you wouldn't work for 5 bucks an hour. You'd be a consultant for 50 an hour.

    It's usually trivial to circumvent the security between the company's computer network and the POS, if there is one at all. Let me ramble about an audit for a moment.

    We did an audit for some company. All went fairly well, an "outsider" would've had a very hard time getting past the walls and checks. All POS were VPN connected to the main network, secured again with various (IMO superfluous) encryption, so a MITM attack would've been fruitless as well. Good security, overall.

    Until we checked the POS computers and found pretty much everything you needed to get access to the servers in the main office. You had the complete set of private keys (yes, all, including accounting, administration and the CEOs), the admin passwords were the same in every POS and inside the main network. You hack a POS, you hack the company.

    Facing this, the response was akin to "What do you want? The people in our POS can barely turn the computer on, that's no threat."

    Maybe not. But if I wanted to hack that company (or any company), I'd first of all try to get a vegetable job at a POS. It's usually a quite good way to gain access to more than you could ask for.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:We're heading for an IT disaster by Anonymous Coward · · Score: 0

      Haha, truly...at my work, I know that if I wanted to I could break into the computers upstairs without having any difficulty. It's a fact that most of the people using the stuff in the office don't *really* know how to use it, and they aren't the $5 an hour peons you make everyone else out to be. ;)

    2. Re:We're heading for an IT disaster by Opportunist · · Score: 1

      It's less me, more the managers. Actually, I do know that 99% of the office workers know less, not more, than the average squeaky-voiced teenager employed in one of such POS about computers.

      Still, they are considered "skilled" workers by management, thus security against them is higher than against the POS people. Yes, it's backwards. Yes, that's management's understanding of security.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. more than network security by icebones · · Score: 2, Insightful

    'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals'

    No one noticed the guys opening the backs of these terminals in the middle of the store? Sounds like their store security is worse than the network security. I would hate to see how much they write off each year to theft.

    --
    Life is pain. Anyone who says differently is selling something.
  11. Incentive by LameAssTheMity · · Score: 0

    Well, if THAT isn't an incentive to go start looking for work, I don't know what is!

  12. Oh, wait, this one's even better by Opportunist · · Score: 4, Interesting

    Another company I worked for. It uses a VB based tool to update the jobs of its traveling salesmen and repair staff. Said tool uses DCOM (don't ask...) to connect to its server, which runs an SQL database. The user used to make those connections has top privileges, including altering the database and any (not just the specific user's) data. Mostly because all the users use the same username/password combination, which is of course stored within the binary used to make the transfer.

    It's trivial to dig that user/pass combination out of the code. It's also trivial to get access to the code, all you have to do is to steal one of the notebooks. Or, to make it simple, just download it from the internal homepage (so everyone working in this company at the very least has access to the tool and thus to the user/pass combination). With it, you have all the necessary information to feed the database incorrect data, change prices, change orders and repair jobs, change car and tool assignments and of course, if you're so inclined, simply corrupt the database or drop it altogether.

    This is an international company, the stock of which is traded at the NY stock exchange. Thus, it complies (with this security hole large enough to shove planets through) with the requirements of the Sarbanes-Oxley Act.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Oh, wait, this one's even better by swb · · Score: 1

      It sounds serious, but I guess I have to ask if it's being widely exploited and who has significant motivation to exploit, and to what gain?

      I'm just thinking that there's so *many* exploits out there, that simply being exploitable isn't enough, it has to actually be exploited regularly and/or significantly enough to matter.

    2. Re:Oh, wait, this one's even better by Opportunist · · Score: 1

      Erh... hello? SOX compliance? The very act that's bugging developers and giving admins a nightmare, which we grin and bear with because it should actually make companies more "transparent", but in their financial behaviour, not their data!

      This hole allows an outsider to manipulate the financial situation of a company, not just a manager. We're not talking about some garage company with an annual business volume of a few 100k, this is an international company where the average business case runs that amount. Do you want to tell me it's not tempting to lower a bill from 5m to only 1m?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. social engineering maybe? by eli+pabst · · Score: 2, Interesting

    You'd be surprised what people let you have access to if you're wearing some shirt that looks official (like TJMaxx or Verizon)... "oh, we're just upgrading the kiosks."

    1. Re:social engineering maybe? by sexybomber · · Score: 1

      ... if you're wearing some shirt that looks official (like TJMaxx or Verizon)...

      ... both of which can be found very easily at your neighborhood Goodwill or Salvation Army, because when the techs get fired (former Circuit City tech here), what are they gonna do with the shirts besides give them away?
  14. I'm SURE the customers will be taken care of by IronChef · · Score: 4, Insightful

    Who here has gotten a free year with a credit watchdog service due to your information having been leaked by some company you dealt with? (The letter I got actually said that my information was put at risk due to some kind of sloppy law enforcement access. WTF?)

    I normally hate calling for more laws but there should be more severe penalties for this kind of error. Otherwise... it will keep happening.

    1. Re:I'm SURE the customers will be taken care of by camusflage · · Score: 1
      I normally hate calling for more laws but there should be more severe penalties for this kind of error. Otherwise... it will keep happening.

      Glen: Outsiders have kidnapped some of our property. We must respond with our deadliest weapon.
      Jane: [Sinister] The lawyers.
      You won't have to worry about that. Banks are suing TJ Haxx to collect on their out of pocket costs in replacing all those cards. Laws would simply result in fines paid to the FTC. Lawsuits will hit the bottom line. Lawsuits = fear, and fear = action.
      --
      The truth about Scientology, Xenu, and you: Operation Clambake
  15. They had physical access... by thejuggler · · Score: 1

    So let me get this straight, the data thieves had physical access to a computer on the store's network. Sounds like a physical security issue that a security guard should have noticed. Not all computer and network security is electronics and software. Sometimes you gotta watch who you let in the store and watch what they are doing once inside.

  16. A lot of kiosks are easy marks! by Anonymous Coward · · Score: 1, Informative

    I've applied for a job in retail once before. I went to a store and they had placed the units near a corner next to the bathroom. Their view was obscured by a rack of greeting cards. Even though they had the application blocking access to the desktop, I could have easily rebooted the machine by pressing reset.

    After that I could have worked quickly to either access the BIOS and slip in a password-wiping utility disk and create an account for myself. I guess after that, installing third-party apps to establish access to it from home would have been the next step. Probably restarting (after the aforementioned) the system and claiming the machine had died while I was writing the application would have made it look like I genuinely had a problem.

    I've never done this (I'm probably clueless but I don't think it's hard, right?) but if people working in teams took similar steps, their profile would have been reduced. They could easily accomplish some major damage over a long period of time.

    In fact, if they constructed a special application on a USB stick that wrote to the Windows SAM on a reboot and wiped out the admin password, or created an administrative account which in turn relayed system information remotely via SMTP or another way, then the hard work is over. All it would take was for someone to go to the kiosk, pretend to write to the store application, drop their pen, bend over under the desk, insert the USB device, and reset the computer. Next, send someone later to retrieve the USB stick to remove the evidence.

    I've never done this but if I can imagine this, then I would take precautions as best I could to prevent this. I'm sure the technicians would have gotten around to securing the kiosks but like most IT departments, they are really pressed for time and stretched dangerously thin. Scary stuff!

  17. Who's next? by Anonymous Coward · · Score: 1, Interesting

    Ten to one, we hear next week that some large repository of Student papers is vulnerable too.

  18. TJX? by rbrome · · Score: 1

    What the heck is TJX? I've never heard of it.

    (checks article)

    Oh... the no-name corporate parent of TJ Maxx and Marshalls... why the heck didn't the author just say so? I mean seriously... how many people have ever heard of that company name? It's hardly a tech company, either, so it's not like Slashdot is some unusual audience where TJX is a company on the tip of everyone's tongue.

    1. Re:TJX? by bhmit1 · · Score: 1

      1. What's so bad about RTFA?

      2. If you were paying attention, every article for the past 6 months has been referring to it as TJX (it is the corporate name after all). The first articles about it included something about it being TJ Maxx/Marshalls/etc.

    2. Re:TJX? by Bill,+Shooter+of+Bul · · Score: 1

      Oh, everyone knows what TJX is these days. The biggest credit card theft ever. It's like not knowing who SCO is a couple months after the lawsuit started. Well, maybe not, but this is going down as the biggest security screw-up ever. That's big.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    3. Re:TJX? by nogginthenog · · Score: 1

      Or TK Maxx as they're known in Europe.

    4. Re:TJX? by Fred_A · · Score: 1

      Maybe your part of Europe, but on the continent I've never seen that name anywhere. Nor have I ever heard of TJ Maxx and Marshalls or of TJX, for which I have always substituted "large retail company" when reading those stories. Not that any of this matters much though...

      --
      May contain traces of nut.
      Made from the freshest electrons.
    5. Re:TJX? by nogginthenog · · Score: 1

      Sorry, it seems they're only in the UK & Republic of Ireland.

  19. Web based apps and thin clients by zerofoo · · Score: 1

    are designed for this type of system. If your application is secure enough to live on the internet, then it is secure enough to be used on an intranet with thin clients.

    Most thin clients out of the box boot with a low-privilege account. You can even set up some to "reimage" their flash memory on each boot (or boot disklessly from a central image server). Think someone compromised a system? Lockdown passwords on your master image and reboot all the terminals. No changes should be able to be made to the system without elevating to root or administrator.

    Seriously - carving up your network and firewalling everything two ways to sunday is great, but this problem could have been simply solved with a little bit of thought ahead of implementation.

    -ted

  20. Why is identity theft so damaging? by Kaenneth · · Score: 1

    We gave up our financial security for convenience.

    Instant credit at stores, drive the car off the lot today, get a cell phone in 10 minutes...

    Maybe, instead of the consumer's credit rating being damaged when a business gives credit without solid proof of identity, the company needs to eat the loss.

    I wonder if anyone's tried suing a company for slander/libel over a false credit report entry...

    1. Re:Why is identity theft so damaging? by crazybasenji · · Score: 1

      I'm going to take a pretty educated guess (since I don't feel like looking up the US Code). Since the credit reporting system is regulated at the federal level, methinks that Congress shut that door long ago.

    2. Re:Why is identity theft so damaging? by Alioth · · Score: 2, Informative

      Actually, the merchant usually DOES take the loss (although it's seldom the merchant who leaks the information who gets it in the shorts).

      Basically, if you manage to fraudulently obtain a credit card, run up a huge bill, well - the person whose credit card you stole tends to get their money back. The credit card company also gets its money back, because it simply passes the chargeback to the merchant where the stolen credit card was used.

      So there is little incentive for credit card companies to do anything about the problem, since it costs them little. The merchant, on the other hand, who had absolutely no reason to believe the credit card that was presented to him was fraudulent, ends up eating the cost.

    3. Re:Why is identity theft so damaging? by Anonymous Coward · · Score: 0

      The Fair Credit Reporting Act essentially creates a safe harbor for credit reporting agencies against libel/slander if they do certain things (contest the data, give copies if credit is denied, etc.). It would have been better titled the Credit Reporting Agency Libel Protection Act.

  21. Yes. They Are :) by asphaltjesus · · Score: 3, Informative

    Linux?
    Let's assume the kiosk distro has hotplugging enabled. Flash drive mounts, but the files... are not executable! So the hostile doesn't have the opportunity to change permissions, much less execute something on a flash drive.

    OSX?
    Flash drive mounts. Hmmm, can't install anything without su/sudo.

    Windows?
    Hmm... Sure, there is an enormously complicated policy system. But none of it sets noexec on everything on a flash drive... http://support.microsoft.com/default.aspx?scid=kb;en-us;555324&sd=rss&spid=3198 And then there's the very permeable "user mode" security that isn't what it claims to be.

    --
    Got Trader Joe's? friendwich.com RSS feeds work now!
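    The noexec point above, together with flosofl's earlier "lock the kiosks down" and zerofoo's "no changes without root", reduces to a check a kiosk image can run on itself at boot: is every mount a walk-up user can write to mounted noexec, nosuid and nodev? The following is an added example written for this page, not code from the thread or from any kiosk vendor. The sample /proc/mounts lines are constructed, and treating anything mounted under /media, /run/media or /mnt as removable media is an assumption of the demo.

```python
"""Audit removable-media mounts for noexec/nosuid/nodev (added example, not from the thread)."""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Set

# Options a kiosk should enforce on any mount a walk-up user can write to (assumption).
REQUIRED_OPTIONS = {"noexec", "nosuid", "nodev"}
# Mountpoint prefixes treated as removable media (assumption for this demo).
REMOVABLE_PREFIXES = ("/media/", "/run/media/", "/mnt/")

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# The third entry has a space in its mountpoint, which the kernel writes as \040.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,relatime,uid=1000 0 0
/dev/sdc1 /media/usb\\0401 vfat rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdd1 /mnt/kiosk-update ext2 rw,relatime 0 0
"""


def _unescape(field: str) -> str:
    """/proc/mounts escapes space, tab, newline and backslash as 3-digit octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


@dataclass
class Mount:
    device: str
    mountpoint: str
    fstype: str
    options: Set[str]


def parse_mounts(text: str) -> List[Mount]:
    """Parse /proc/mounts-style text; blank or truncated lines are skipped."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, opts = parts[:4]
        mounts.append(Mount(_unescape(device), _unescape(mountpoint),
                            fstype, set(opts.split(","))))
    return mounts


def is_removable(mount: Mount) -> bool:
    return mount.mountpoint.startswith(REMOVABLE_PREFIXES)


def audit_mounts(mounts: List[Mount]) -> Dict[str, List[str]]:
    """Map each removable mountpoint to the hardening options it is missing.
    An empty dict means every removable mount is noexec, nosuid and nodev."""
    findings: Dict[str, List[str]] = {}
    for mount in mounts:
        if not is_removable(mount):
            continue
        missing = sorted(REQUIRED_OPTIONS - mount.options)
        if missing:
            findings[mount.mountpoint] = missing
    return findings


def audit_text(text: str) -> Dict[str, List[str]]:
    return audit_mounts(parse_mounts(text))


if __name__ == "__main__":
    # No argument: audit the constructed sample. Pass /proc/mounts to audit the live host.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTS
    for mountpoint, missing in sorted(audit_text(source).items()):
        print(f"{mountpoint}: missing {','.join(missing)}")
    # sample output: /media/usb0: missing noexec
    #                /mnt/kiosk-update: missing nodev,noexec,nosuid
```

    On the sample, /media/usb0 is caught because the automounter left off noexec, and /mnt/kiosk-update is caught because it was mounted with defaults. The check reports only; the fix belongs in the automounter or fstab options of the kiosk image, and the same audit rerun after a reboot confirms it stuck.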
    1. Re:Yes. They Are :) by FoamingToad · · Score: 2, Interesting

      At my previous job at a telco, we'd just upgraded from NT4 to XP.

      Now please note that (1) this is anecdotal, (2) I wasn't affected by this user profile myself so had very little time to experiment and (3) I changed jobs shortly afterwards.

      But for the generic helpdesk accounts, the IT guys had seriously done their homework. A user had no access to the file system at all. You couldn't get to it via browser, and the start menu contained only the basic applications (notably, terminal emulators connected to Unix bigiron) that were used by the helpdesc.

      I experimented with a number of methods to try and gain access to the system, but wasn't able to find anything that would permit access. Nada.

      Take from this what you will, but it's possible to secure a Windows system pretty damn well if you're prepared to take the time and effort. And that is where I believe this organisation has been lacking.

      If they had been using an alternative o/s, what evidence is there that the relevant management would have made an effort to secure it? None that I can see.

  22. Oh my, there really is a "TJX Effect" by fishbowl · · Score: 2, Informative

    I called this the "TJ Maxx Effect". Yes, I shop there; it's near my house and I can usually do better on housewares and necessary items than I could do even in thrift stores.

    So anyway, the "Effect" is this: If you are shopping, and you take an interest in some category of items, say, curtain rods, and another shopper sees you checking out curtain rods, all of a sudden *they* are interested in curtain rods. Same thing happens if you look in the towel aisle. Someone who wasn't looking at towels suddenly needs to crowd into your space to look at towels as well. I've observed this phenomenon numerous times and particularly at TJ Maxx, and I believe the psychology of it is "they" don't want "you" to get a deal that they missed out on.

    To be fair, sometimes there really are awesome deals to be had, because the people setting the prices don't tend to be particularly savvy as to desirability of certain kinds of items. For instance, I got a JA Henckel knife set -- a really high quality made in Spain set -- that was priced the same as another made in China set. These are completely different products, massively differently priced in retail stores, and the TJ Maxx manager didn't know. (I'm not above capitalizing on the misfortune of others.)

    Anyway, as for the article, I got as far as realizing that physical access means you have the keys to the store, so to speak. At my local store, the clerks watch the application machine, as well as everything else in the shop, like a hawk. I get the impression that shoplifting is more common in discount stores than in regular retail stores; maybe I can study this and name THAT effect as well.

    --
    -fb Everything not expressly forbidden is now mandatory.
    1. Re:Oh my, there really is a "TJX Effect" by HikingStick · · Score: 1

      Watching those kiosks like hawks? I don't know how busy your store is, but the stores I see (not exclusive to TJ Maxx) have those kiosks near their customer service desks. They might be able to watch them during their slow periods, if they thought it was important enough, but go in when that service desk is busy and it is unlikely that the employees even care what is going on there since they are dealing with Mr. or Ms. "I-got-this-and-it-works-fine-but-its-broke-and-I-don't-need-it-because-my-uncle's-friend-bought-one-like-it-and-it-just-doesn't-match-my-decor-and-no-I-don't-have-a-receipt-because-it-was-a-gift-and-all-I-want-is-cash-because-I-don't-buy-anything-from-your-store-because-of-your-position-on-union-labor-and-you-don't-carry-it-in-my-size, please."

      In fact, check out Wal-Mart stores. Those kiosks are (9 times out of 10) located in the former layaway area near the rear of the store. Since they no longer offer layaway service, that area is often used to store overstock goods, rarely has anyone in it (unless they're cleaning the bathrooms or going to/from the back room), and would provide ample opportunities for a little kiosk-tampering. Of course, there are security cameras, but it is unlikely anyone would be watching that particular area long enough to figure out something odd was happening--those cameras are more often used after the fact to provide evidence, or in cases where they are actively trying to follow a suspected (read: observed) shoplifter.

      --
      I use irony whenever I can, but my shirts are still wrinkled...
  23. Law trumps NDA by Anonymous Coward · · Score: 0

    If you are aware of a serious crime that has gone down, you are supposed to report it. No NDA shields you from that responsibility. You are not required to do anything about it, but you have to report it.

    1. Re:Law trumps NDA by PPH · · Score: 1

      That may be true, but that will not protect you from a subsequent civil suit for breach of contract. Or even criminal charges. If your employer decides that your turning data over to the authorities in the course of reporting criminal activity constitutes theft of their property, they can have you arrested and charged even if they are the ones guilty of said criminal activity. If they committed no crimes, but the release of such data is simply damaging to their reputation, and they can show damages, then you are truly SOL.

      --
      Have gnu, will travel.
  24. Yes. They Are :)-Diversions. by Anonymous Coward · · Score: 0
    1. Re:Yes. They Are :)-Diversions. by toadlife · · Score: 1

      And in typical Slashdot fashion, the anti-Windows advocate gets the +2 mod, despite being proven completely wrong by two separate posters.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  25. We had an expression where I worked by phorm · · Score: 1

    A set of coveralls and a nametag that says "Bob" will get you access that a suit and tie never would.

  26. Windows 'noexec' AKA SRP by Anonymous Coward · · Score: 0

    I take it you aren't a Windows sysadmin then. You can very easily set 'noexec' on a flash drive (or any other path / volume) using Software Restriction Policy built into XP and Server 2003. That link is a quick tutorial for setting up SRP for a 'default disallow' that only allows the execution of files in the program files and windows directories, all other areas are 'noexec'. When used in combination with a Windows LUA account (restricted user) this will stop the execution of unauthorised files, since LUA accounts can only write to their own profile (home) folders.

  27. Yes. They Are :)-Hardening Windows. by Anonymous Coward · · Score: 0

    I'm surprised that no one has come out with Bastille-like hardening scripts for Windows.

  28. The article has mis-quoted PCI requirements. by Anonymous Coward · · Score: 0

    PCI compliance does not prohibit the storage of major cardholder information. As quoted from the PCI Audit Procedures document:

    3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.