TJX Security Breach Described

Bunderfeld notes more details coming out about how bad guys got into the TJX network. Last time we discussed this, the best information indicated that a WEP crack had started the ball rolling. Now we learn that instead, or in addition: "Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. 'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,' says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding 'suspicious software' on its computer systems."

Re:They won't be the only people

[Locutus]

but businesses are not even trying. American Express was/is running Microsoft Internet Explorer on their customer service reps desktops AND they have internet access. With all the holes found every day in this combination, these customer service reps use the same browser to access AMEX customer databases.

I don't know if you remember but a few years ago, there was a massive security hole in MS IE and Microsoft didn't/couldn't fix it for about 6 months. The Dept of Homeland Security even put out a recommendation to not use MS Internet Explorer because of this unpatched flaw. AMEX did nothing about it and continued as normal.

Move about a year later and all of a sudden, CNN is on the air with no computer systems and spend the hours on the air discussing how their Windows computers are rebooting on their own. City governments across the country have the same problem and so does AMEX. The cause, a Windows spyware kit, having been installed on all these computers and many more, was crashing on some subset of the computers it was installed on and causing those to reboot. The spyware was already on a bunch of computers and only because there was a flaw which caused it to crash SOME of the computers, was it found out about.

There is no security in corporate America or the various governments. Sure, there are some areas where smart people are doing what's right but it looks like 90% of the rest are feak'n MCSE's with one finger up their ass and the other on the mouse. click, click, click.

These businesses should be made to pay $10,000 every time they lose customer data and for every customer. That doesn't even begin to pay for the hardships of dealing with identity theft, not even close but it would add up to millions quickly and it just might make them think about who's running the company IT department and what they are running.

LoB

Yes. They Are :)

[asphaltjesus]

Linux?
Let's assume the kiosk distro has hotplugging enabled. Flash drive mounts, But the files.... Are not executable! So, the hostile doesn't have the opportunity to change permissions much less execute something on a flash drive.

OSX?
Flashdrive mounts. Hmmm can't install anything without su/sudo.

Windows?
Hmm... Sure, there is an enourmously complicated policy system. But none of which sets noexec on everything on a flash drive... http://support.microsoft.com/default.aspx?scid=kb; en-us;555324&sd=rss&spid=3198 And then there's the very permeable "user mode" security that isn't what it claims to be.