TJX Security Breach Described

Bunderfeld notes more details coming out about how bad guys got into the TJX network. Last time we discussed this, the best information indicated that a WEP crack had started the ball rolling. Now we learn that instead, or in addition: "Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. 'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,' says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding 'suspicious software' on its computer systems."

Tchoh

[Gricey]

Sounds to me like incompetence. You're a big company, pay for people to look after your infrastructure... ... I hate it when publicly traded companies cut corners to put that stock price up just a fraction of a nanocent.

-- incubus

storing secrets; security through obscurity

[Schraegstrichpunkt]

However, Visa indicated in February, through a number of documents sent to financial institutions that issue cards and manage Visa transactions, that TJX was storing card number, expiration date, and card verification value codes, all of which are prohibited by PCI. As for its efforts at encryption, "We believe the intruder had access to the decryption algorithm for the encryption software we utilize," TJX said in its annual report.

I love it how people talk about how they're using "encryption" when possessing the algorithm is enough to break it.

Idiots.

Wardriving == poaching?

[billdar]

"In May, The Wall Street Journal cited a separate entry point, reporting that data thieves had accessed an improperly secured Wi-Fi network from the parking lot of a Marshall's store in St. Paul, Minn. The thieves reportedly used a wireless data poaching tactic called "wardriving" and exploited the deficiencies of the aging Wired Equivalent Privacy wireless security protocol."(Emphasis mine)

Was shaping up to be a decent tech article until this. I don't know what irks me more about this quote:

- Needing to define an old-ass term like wardriving
- defining it as poaching
- "putting" the "word" in "quotes" (I can just see the author's fingers in the air)

Firewalls, disabling usb, corporate LAN, etc are tossed around freely... why jack with wardrivers?

Re:Wardriving == poaching?

[Radon360]

Because proper tech journalism is about using buzzwords to sound techy!

If you're an incompetent, technologically ignorant journalist, then you go out and look for some terms that sound appropriate and cool, then include them in your story. Heck, as a journalist, your job is to describe and explain something to the uninformed. Since the uninformed are largely a technologically challenged audience,they'll accept your cool usage of terms, usually considered passé by the real tech crowd, as an insightful look into the sophisticated technical world.

So, if you want to be a cool tech writer, just liberally toss in a couple terms like, nano, blog, cyber, online, real-time, data mining, and Google (the last one especially used as a verb).

more than network security

[icebones]

'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals'

No one noticed the guys opening the backs of these terminals in the middle of the store? Sounds like there store security is worse than the network security. I would hate to see how much they write off each year to theft.

I'm SURE the customers will be taken care of

[IronChef]

Who here has gotten a free year with a credit watchdog service due to your information having been leaked by some company you dealt with? (The letter I got actually said that my information was put at risk due to some kind of sloppy law enforcement access. WTF?)

I normally hate calling for more laws but there should be more severe penalties for this kind of error. Otherwise... it will keep happening.

Re:Firewalls are fail

[Lloyd_Bryant]

The kiosk manufacturer should have made sure that these machines were secure. I've worked for a kiosk manufacturer and there are things that can be done to make sure the system is secure. For starters, lock down whatever user account the primary application runs on. So even if they can get out of that app, they can't do anything beyond clicking start and shut down. Also, there are software applications that lock down the system for you. The one we used completely locked the desktop out. It was a pain to support, but it was secure. I'd classify that as +5 "waste of effort". You're presuming that having the securing the kiosk is reliable way to secure the network. It ain't.

Consider this scenario: An insider (the 2nd shift manager, a night security guard, whatever) lets a few friends in after-hours. These friends can, with a few hours effort, bypass *any* security you have established on that kiosk. The only way to prevent this is to armor the stupid thing like an ATM (and with enough time and effort, even *that* won't stop them).

The way to secure the kiosks to to secure the network to which they are attached. Consider them to be potentially hostile devices, and act accordingly. If the network is properly secured, then the only potential damage from a hacked kiosk involves only those transactions that occurred at that kiosk.

Yes, you *do* need to secure the kiosks against "casual" penetration. But don't rely on that security - assume that these devices *will* be subverted. Because if there's enough money to be made by subverting one, then somebody will do it.