Slashdot Mirror


TJX Security Breach Described

Bunderfeld notes more details coming out about how bad guys got into the TJX network. Last time we discussed this, the best information indicated that a WEP crack had started the ball rolling. Now we learn that instead, or in addition: "Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. 'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,' says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding 'suspicious software' on its computer systems."

6 of 104 comments

  1. Re:They won't be the only people by Locutus · · Score: 4, Informative

    but businesses are not even trying. American Express was/is running Microsoft Internet Explorer on their customer service reps' desktops AND they have internet access. With all the holes found every day in this combination, these customer service reps use the same browser to access AMEX customer databases.

    I don't know if you remember but a few years ago, there was a massive security hole in MS IE and Microsoft didn't/couldn't fix it for about 6 months. The Dept of Homeland Security even put out a recommendation to not use MS Internet Explorer because of this unpatched flaw. AMEX did nothing about it and continued as normal.

    Move about a year later and all of a sudden, CNN is on the air with no computer systems and spends the hours on the air discussing how their Windows computers are rebooting on their own. City governments across the country have the same problem and so does AMEX. The cause, a Windows spyware kit, having been installed on all these computers and many more, was crashing on some subset of the computers it was installed on and causing those to reboot. The spyware was already on a bunch of computers and only because there was a flaw which caused it to crash SOME of the computers was it found out about.

    There is no security in corporate America or the various governments. Sure, there are some areas where smart people are doing what's right but it looks like 90% of the rest are feak'n MCSE's with one finger up their ass and the other on the mouse. click, click, click.

    These businesses should be made to pay $10,000 every time they lose customer data and for every customer. That doesn't even begin to pay for the hardships of dealing with identity theft, not even close but it would add up to millions quickly and it just might make them think about who's running the company IT department and what they are running.

    LoB

    --
    "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  2. A lot of kiosks are easy marks! by Anonymous Coward · · Score: 1, Informative

    I've applied for a job in retail once before. I went to a store and they had placed the units near a corner next to the bathroom. Their view was obscured by a rack of greeting cards. Even though they had the application blocking access to the desktop, I could have easily rebooted the machine by pressing reset.

    After that I could have worked quickly to either access the BIOS and slip in a password wiping utility disk and create an account for myself. I guess after that, installing third party apps to establish access to it from home would have been the next step. Probably restarting (after the aforementioned) the system and claiming the machine had died while I was writing to the application would have made it look like I genuinely had a problem.

    I've never done this (I'm probably clueless but I don't think it's hard, right?) but if people working in teams took similar steps, their profile would have been reduced. They could easily accomplish some major damage over a long period of time.

    In fact, if they constructed a special application on a USB stick that wrote to the Windows SAM on a reboot and wiped out the admin password, or created an administrative account which in turn relayed system information remotely via smtp or another way, then the hard work is over. All it would take was for someone to go to the kiosk. Pretend to write to the store application, drop their pen, bend over under the desk, and insert the USB device, and reset the computer. Next, send someone later to retrieve the USB stick to remove the evidence.

    I've never done this but if I can imagine this, then I would take precautions as best I could to prevent this. I'm sure the technicians would have gotten around to securing the kiosks but like most IT departments, they are really pressed for time and stretched dangerously thin. Scary stuff!

  3. Re:storing secrets; security through obscurity by flosofl · · Score: 2, Informative

    Well, knowing the encryption algo. makes it easier to guess passwords.

    Not at all. One of the key features of cryptographic algorithms is that knowing what algorithm is being used has absolutely no impact on the strength. Unless it's one of those snake oil "proprietary" crypts, which is a horse of an entirely different color. However, I can't think of any enterprise class crypto systems that use closed algorithms. Most use AES, Blowfish for block cipher, RSA and ElGamal for async and signing (maybe DSA for signing as well), DH for key exchange and SHA-1, TIGER or RIPEMD for hashing (you'll see 3DES and MD series on older systems).

    The algorithm is usually never the vector of attack. With crypto it's things like key exchange, poor coding (caching the key in memory for instance), people, sidechannel, or systems whose *methodology* in implementing crypto is weak. In the case of wireless encryption, I'm guessing they used WEP, which has weak key scheduling (If key discovery is what you meant by "password guessing") instead of 802.11i.

    In respect to the TJX incident, they *never* should have wireless connecting to any kind of internal production network that handles financial/personal data. The kiosks should have everything needed local to the machine, or have a dedicated and isolated network for kiosks only. Oh, and lock the damn cabinet that houses the kiosks.
    --
    "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
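
One way to build the dedicated, isolated kiosk network the comment above recommends, as an added example that is not from the original thread: an nftables ruleset on the router between a kiosk VLAN and the rest of the corporate network. The interface name vlan_kiosk, the kiosk subnet 10.50.0.0/24 and the HR application server 10.10.1.20 are constructed placeholders.

```nft
# Forwarding policy for a kiosk VLAN: kiosks may reach the job-application
# server over HTTPS and nothing else inside the company. Names and addresses
# below are constructed placeholders, not values from the TJX incident.
table inet kiosk_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already allowed.
        ct state established,related accept

        # The only internal destination a kiosk needs: the HR application on 443.
        iifname "vlan_kiosk" ip saddr 10.50.0.0/24 \
            ip daddr 10.10.1.20 tcp dport 443 ct state new accept

        # Anything else from the kiosk VLAN toward RFC 1918 space is logged and dropped,
        # so a kiosk that starts scanning the network shows up in the logs.
        iifname "vlan_kiosk" \
            ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
            log prefix "kiosk-internal-drop " drop

        # No other network may initiate connections into the kiosk VLAN either.
        oifname "vlan_kiosk" ct state new log prefix "kiosk-ingress-drop " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the two prefixes; a kiosk that has been tampered with tends to show up as a burst of "kiosk-internal-drop" entries.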
  4. Yes. They Are :) by asphaltjesus · · Score: 3, Informative

    Linux?
    Let's assume the kiosk distro has hotplugging enabled. Flash drive mounts, but the files... are not executable! So, the hostile doesn't have the opportunity to change permissions, much less execute something on a flash drive.

    OSX?
    Flash drive mounts. Hmmm, can't install anything without su/sudo.

    Windows?
    Hmm... Sure, there is an enormously complicated policy system. But none of it sets noexec on everything on a flash drive... http://support.microsoft.com/default.aspx?scid=kb;en-us;555324&sd=rss&spid=3198 And then there's the very permeable "user mode" security that isn't what it claims to be.

    --
    Got Trader Joe's? friendwich.com RSS feeds work now!
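
The Linux case above relies on removable media being mounted with noexec (and nosuid and nodev) on the kiosk. A quick way to verify that on a fleet, as an added example that is not part of the original thread: a POSIX sh audit of /proc/mounts-style lines that flags any removable mount missing one of the three options. It assumes removable media lands under /media or /run/media, and the mount lines are constructed sample input.

```shell
#!/bin/sh
# Audit a /proc/mounts listing for removable-media mounts that lack the
# noexec, nosuid and nodev options a locked-down kiosk should apply.
# Assumption: removable media is mounted under /media or /run/media.

# CONSTRUCTED sample input in /proc/mounts format, not from a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,relatime 0 0
/dev/sdc1 /media/usb1 vfat rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdd1 /run/media/kiosk/STICK ext2 rw,relatime 0 0'

# Print one line per removable mount that is missing at least one of the
# three hardening options; nothing is printed for a fully hardened mount.
audit_removable_mounts() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts _; do
        case "$mnt" in
            /media/*|/run/media/*) ;;
            *) continue ;;
        esac
        missing=""
        for want in noexec nosuid nodev; do
            case ",$opts," in
                *,"$want",*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s on %s (%s) missing:%s\n' "$dev" "$mnt" "$fstype" "$missing"
        fi
    done
}

# Number of flagged mounts; 0 means every removable mount carries all three options.
count_unhardened() {
    audit_removable_mounts "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample; on a live kiosk pass "$(cat /proc/mounts)".
audit_removable_mounts "$SAMPLE_MOUNTS"
```

Two of the four sample mounts are flagged: the stick at /media/usb0 lacks noexec, and the one under /run/media has none of the three options.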
  5. Oh my, there really is a "TJX Effect" by fishbowl · · Score: 2, Informative

    I called this the "TJ Maxx Effect". Yes, I shop there; it's near my house and I can usually do better on housewares and necessary items than I could do even in thrift stores.

    So anyway, the "Effect" is this: If you are shopping, and you take an interest in some category of items, say, curtain rods, and another shopper sees you checking out curtain rods, all of a sudden *they* are interested in curtain rods. Same thing happens if you look in the towel aisle. Someone who wasn't looking at towels suddenly needs to crowd into your space to look at towels as well. I've observed this phenomenon numerous times and particularly at TJ Maxx, and I believe the psychology of it is "they" don't want "you" to get a deal that they missed out on.

    To be fair, sometimes there really are awesome deals to be had, because the people setting the prices don't tend to be particularly savvy as to desirability of certain kinds of items. For instance, I got a JA Henckel knife set -- a really high quality made in Spain set -- that was priced the same as another made in China set. These are completely different products, massively differently priced in retail stores, and the TJ Maxx manager didn't know. (I'm not above capitalizing on the misfortune of others.)

    Anyway, as for the article, I got as far as realizing that physical access means you have the keys to the store, so to speak. At my local store, the clerks watch the application machine, as well as everything else in the shop, like a hawk. I get the impression that shoplifting is more common in discount stores than in regular retail stores; maybe I can study this and name THAT effect as well.

    --
    -fb Everything not expressly forbidden is now mandatory.
  6. Re:Why is identity theft so damaging? by Alioth · · Score: 2, Informative

    Actually, the merchant usually DOES take the loss (although it's seldom the merchant who leaks the information who gets it in the shorts).

    Basically, if you manage to fraudulently obtain a credit card, run up a huge bill, well - the person whose credit card you stole tends to get their money back. The credit card company also gets its money back, because it simply passes the chargeback to the merchant where the stolen credit card was used.

    So there is little incentive for credit card companies to do anything about the problem, since it costs them little. The merchant, on the other hand, who had absolutely no reason to believe the credit card that was presented to him was fraudulent, ends up eating the cost.