TJX Security Breach Described
Bunderfeld notes that more details are coming out about how the bad guys got into the TJX network. Last time we discussed this, the best information indicated that a WEP crack had started the ball rolling. Now we learn that instead, or in addition: "Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. 'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,' says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding 'suspicious software' on its computer systems."
You're a big company, pay for people to look after your infrastructure.
1. They might do that. Only the problem may not have been in IT per se. I can easily imagine someone from another department purchasing the kiosks, then throwing the request to connect the kiosk to the store's network over the so-called wall to IT. That's just one plausible scenario.
2. Don't be surprised when the kiosk manufacturer comes back and says, "Hey, I don't provide secured operating systems running on the computer inside the kiosk I manufacture."
3. The likelihood that the kiosk in question ran Windows is high, given the compromise.
Got Trader Joe's? friendwich.com RSS feeds work now!
Sounds simply like an insecure kiosk. A lot of them are Windows-based, but you only need to set up one to be able to secure them all, so the OS excuse doesn't really hold water, especially with products like VMware out there providing solid solutions for this very problem.
I would also say number 1 is a likely scenario. Marketing made the decision to purchase the kiosks and misrepresented what the kiosk manufacturer was providing, so IT let it slide because they're busy working. 'Course, you can also argue that IT missed its due diligence on this one.
As someone who worked there: they are retailers, they always cut corners. They have a small staff of IT guys to overlook so many stores, and it bit them in the ass.
This package Does Not Contain a Winner
It's only a matter of time. The problem described is not isolated, it's symptomatic for a very large amount of companies.
What do we have:
1. A company with many kiosks/outlets/POS
2. A company network with the doctrine that everything "outside" needs to be kept out, while the "inside" has far too high privileges.
3. Untrained, unskilled and "do we need to pay minimum wage?" staff at the POS.
It is fairly easy to get a job at one of those POS. Hire and fire. You want it, you have it. No background check, no security check. You're simply assumed to be a vegetable because, well, if you had some kinda skill, you wouldn't work for 5 bucks an hour. You'd be a consultant for 50 an hour.
It's usually trivial to circumvent the security between the company's computer network and the POS, if there is one at all. Let me ramble about an audit for a moment.
We did an audit for some company. All went fairly well; an "outsider" would've had a very hard time getting past the walls and checks. All POS were VPN-connected to the main network, secured again with various (IMO superfluous) encryption, so a MITM attack would've been fruitless as well. Good security, overall.
Until we checked the POS computers and found pretty much everything you needed to get access to the servers in the main office. You had the complete set of private keys (yes, all, including accounting, administration and the CEO's), and the admin passwords were the same in every POS and inside the main network. You hack a POS, you hack the company.
Facing this, the response was akin to "What do you want? The people in our POS can barely turn the computer on, that's no threat."
Maybe not. But if I wanted to hack that company (or any company), I'd first of all try to get a vegetable job at a POS. It's usually a quite good way to gain access to more than you could ask for.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Another company I worked for. It uses a VB based tool to update the jobs of its traveling salesmen and repair staff. Said tool uses DCOM (don't ask...) to connect to its server, which runs an SQL database. The user used to make those connections has top privileges, including altering the database and any (not just the specific user's) data. Mostly because all the users use the same username/password combination, which is of course stored within the binary used to make the transfer.
It's trivial to dig that user/pass combination out of the code. It's also trivial to get access to the code, all you have to do is to steal one of the notebooks. Or, to make it simple, just download it from the internal homepage (so everyone working in this company at the very least has access to the tool and thus to the user/pass combination). With it, you have all the necessary information to feed the database incorrect data, change prices, change orders and repair jobs, change car and tool assignments and of course, if you're so inclined, simply corrupt the database or drop it altogether.
This is an international company, the stock of which is traded at the NY stock exchange. Thus, it complies (with this security hole large enough to shove planets through) with the requirements of the Sarbanes-Oxley Act.
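The two audit stories above (one shared admin password on every POS, and a shared database login compiled into a VB/DCOM client) describe the same defect: one credential, copied everywhere. An added example, not code from any poster or company mentioned here: a build-time check that scans shipped artifacts for ADO/OLE DB-style connection-string credentials, in both ASCII and UTF-16LE (VB6 stores string literals as UTF-16LE, so an ASCII-only scan misses them), and reports any credential that turns up in more than one artifact. The artifact blobs, host names and the connection strings are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample artifacts standing in for the compiled client on three machines.
# Real files would be read with open(path, "rb").
CONN = "Provider=SQLOLEDB;Data Source=dbsrv;User ID=sa;Password=Tr0ub4dor"
ARTIFACTS = {
    # VB6-style: the literal is stored as UTF-16LE inside the image
    "sales-laptop-01/update.exe": b"MZ\x90\x00" + b"\x00" * 16 + CONN.encode("utf-16-le") + b"\x00" * 4,
    # same shared account, this time as an ASCII literal (e.g. a config resource)
    "sales-laptop-02/update.exe": b"MZ\x90\x00" + b"\x00" * 8 + CONN.encode("ascii") + b"\x00",
    # the corrected form: no credential in the image, Windows auth on the connection
    "repair-tablet-07/update.exe": b"MZ\x90\x00" + b"Data Source=dbsrv;Integrated Security=SSPI;\x00",
}

# Connection-string keys an ADO/OLE DB client of that era used for a SQL login.
CRED_RE = re.compile(r"(?:User ID|Uid)=([^;]+);\s*(?:Password|Pwd)=([^;]+)", re.IGNORECASE)


def printable_strings(blob: bytes):
    """Yield text runs of 8+ characters, first ASCII, then UTF-16LE."""
    for run in re.finditer(rb"[\x20-\x7e]{8,}", blob):
        yield run.group().decode("ascii")
    for run in re.finditer(rb"(?:[\x20-\x7e]\x00){8,}", blob):
        yield run.group().decode("utf-16-le")


def find_embedded_credentials(artifacts):
    """Return {artifact: [(user, password), ...]} for every credential literal found."""
    hits = {}
    for name, blob in artifacts.items():
        found = []
        for text in printable_strings(blob):
            found.extend(CRED_RE.findall(text))
        if found:
            hits[name] = found
    return hits


def reused_credentials(hits):
    """Group artifacts by (user, password); any group larger than one is a shared
    account, which is what turns one stolen notebook into access to the whole database."""
    by_cred = defaultdict(set)
    for name, creds in hits.items():
        for cred in creds:
            by_cred[cred].add(name)
    return {cred: sorted(names) for cred, names in by_cred.items() if len(names) > 1}


if __name__ == "__main__":
    hits = find_embedded_credentials(ARTIFACTS)
    print("embedded credentials:", hits)
    print("shared across artifacts:", reused_credentials(hits))
```

The fix the third artifact illustrates (no login in the image, a per-user Windows identity on the connection, and a database role limited to what that job needs) is what removes the finding rather than hiding it.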
You'd be surprised what people let you have access to if you're wearing some shirt that looks official (like TJMaxx or Verizon)... "Oh, we're just upgrading the kiosks."
Ten to one, we hear next week that some large repository of Student papers is vulnerable too.
At my previous job at a telco, we'd just upgraded from NT4 to XP.
Now please note that (1) this is anecdotal, (2) I wasn't affected by this user profile myself so had very little time to experiment and (3) I changed jobs shortly afterwards.
But for the generic helpdesk accounts, the IT guys had seriously done their homework. A user had no access to the file system at all. You couldn't get to it via browser, and the start menu contained only the basic applications (notably, terminal emulators connected to Unix big iron) that were used by the helpdesk.
I experimented with a number of methods to try and gain access to the system, but wasn't able to find anything that would permit access. Nada.
Take from this what you will, but it's possible to secure a Windows system pretty damn well if you're prepared to take the time and effort. And that is where I believe this organisation has been lacking.
If they had been using an alternative o/s, what evidence is there that the relevant management would have made an effort to secure it? None that I can see.