Slashdot Mirror


TJX Security Breach Described

Bunderfeld notes more details coming out about how bad guys got into the TJX network. Last time we discussed this, the best information indicated that a WEP crack had started the ball rolling. Now we learn that instead, or in addition: "Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. 'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,' says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding 'suspicious software' on its computer systems."

8 of 104 comments

  1. Tchoh by Gricey · · Score: 3, Insightful

    Sounds to me like incompetence. You're a big company, pay for people to look after your infrastructure... I hate it when publicly traded companies cut corners to put that stock price up just a fraction of a nanocent.

    -- incubus

    --
    Sticking feathers up your butt does not make you a chicken.
  2. Firewalls are fail by Anonymous Coward · · Score: 0, Insightful

    Once again, a firewall would not help. If these kiosks can connect to a central computer for their normal business, then the attack vector could be through that.

    I'm sick of people saying firewalls cure everything. They do not. More often they cause problems. The real issue is application security. Always has been.

    1. Re:Firewalls are fail by Lloyd_Bryant · · Score: 2, Insightful

      The kiosk manufacturer should have made sure that these machines were secure. I've worked for a kiosk manufacturer and there are things that can be done to make sure the system is secure. For starters, lock down whatever user account the primary application runs on. So even if they can get out of that app, they can't do anything beyond clicking start and shut down. Also, there are software applications that lock down the system for you. The one we used completely locked the desktop out. It was a pain to support, but it was secure.

      I'd classify that as +5 "waste of effort". You're presuming that securing the kiosk is a reliable way to secure the network. It ain't.

      Consider this scenario: An insider (the 2nd shift manager, a night security guard, whatever) lets a few friends in after-hours. These friends can, with a few hours effort, bypass *any* security you have established on that kiosk. The only way to prevent this is to armor the stupid thing like an ATM (and with enough time and effort, even *that* won't stop them).

      The way to secure the kiosks is to secure the network to which they are attached. Consider them to be potentially hostile devices, and act accordingly. If the network is properly secured, then the only potential damage from a hacked kiosk involves only those transactions that occurred at that kiosk.

      Yes, you *do* need to secure the kiosks against "casual" penetration. But don't rely on that security - assume that these devices *will* be subverted. Because if there's enough money to be made by subverting one, then somebody will do it.

      --
      Don't tell me to get a life. I had one once. It sucked.
  3. storing secrets; security through obscurity by Schraegstrichpunkt · · Score: 4, Insightful

    However, Visa indicated in February, through a number of documents sent to financial institutions that issue cards and manage Visa transactions, that TJX was storing card number, expiration date, and card verification value codes, all of which are prohibited by PCI. As for its efforts at encryption, "We believe the intruder had access to the decryption algorithm for the encryption software we utilize," TJX said in its annual report.

    I love it how people talk about how they're using "encryption" when possessing the algorithm is enough to break it.

    Idiots.

  4. Wardriving == poaching? by billdar · · Score: 2, Insightful

    "In May, The Wall Street Journal cited a separate entry point, reporting that data thieves had accessed an improperly secured Wi-Fi network from the parking lot of a Marshall's store in St. Paul, Minn. The thieves reportedly used a wireless data poaching tactic called "wardriving" and exploited the deficiencies of the aging Wired Equivalent Privacy wireless security protocol." (Emphasis mine)

    Was shaping up to be a decent tech article until this. I don't know what irks me more about this quote:

    - Needing to define an old-ass term like wardriving
    - defining it as poaching
    - "putting" the "word" in "quotes" (I can just see the author's fingers in the air)

    Firewalls, disabling usb, corporate LAN, etc are tossed around freely... why jack with wardrivers?

    --
    I am billdar, and I approve this message.
    1. Re:Wardriving == poaching? by Radon360 · · Score: 3, Insightful

      Because proper tech journalism is about using buzzwords to sound techy!

      If you're an incompetent, technologically ignorant journalist, then you go out and look for some terms that sound appropriate and cool, then include them in your story. Heck, as a journalist, your job is to describe and explain something to the uninformed. Since the uninformed are largely a technologically challenged audience, they'll accept your cool usage of terms, usually considered passé by the real tech crowd, as an insightful look into the sophisticated technical world.

      So, if you want to be a cool tech writer, just liberally toss in a couple terms like, nano, blog, cyber, online, real-time, data mining, and Google (the last one especially used as a verb).

  5. more than network security by icebones · · Score: 2, Insightful

    'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals'

    No one noticed the guys opening the backs of these terminals in the middle of the store? Sounds like their store security is worse than the network security. I would hate to see how much they write off each year to theft.

    --
    Life is pain. Anyone who says differently is selling something.
  6. I'm SURE the customers will be taken care of by IronChef · · Score: 4, Insightful

    Who here has gotten a free year with a credit watchdog service due to your information having been leaked by some company you dealt with? (The letter I got actually said that my information was put at risk due to some kind of sloppy law enforcement access. WTF?)

    I normally hate calling for more laws but there should be more severe penalties for this kind of error. Otherwise... it will keep happening.