TJX Security Breach Described
Bunderfeld notes more details coming out about how bad guys got into the TJX network. Last time we discussed this, the best information indicated that a WEP crack had started the ball rolling. Now we learn that instead, or in addition: "Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. 'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,' says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding 'suspicious software' on its computer systems."
It's only a matter of time. The problem described is not isolated; it's symptomatic of a very large number of companies.
What do we have:
1. A company with many kiosks/outlets/POS
2. A company network with the doctrine that everything "outside" needs to be kept out, while the "inside" has far too high privileges.
3. Untrained, unskilled and "do we need to pay minimum wage?" staff at the POS.
It is fairly easy to get a job at one of those POS. Hire and fire. You want it, you have it. No background check, no security check. You're simply assumed to be a vegetable because, well, if you had some kinda skill, you wouldn't work for 5 bucks an hour. You'd be a consultant for 50 an hour.
It's usually trivial to circumvent the security between the company's computer network and the POS, if there is one at all. Let me ramble about an audit for a moment.
We did an audit for some company. All went fairly well; an "outsider" would've had a very hard time getting past the walls and checks. All POS were VPN connected to the main network, secured again with various (IMO superfluous) encryption, so a MITM attack would've been fruitless too. Good security, overall.
Until we checked the POS computers and found pretty much everything you needed to get access to the servers in the main office. You had the complete set of private keys (yes, all, including accounting, administration and the CEOs), the admin passwords were the same in every POS and inside the main network. You hack a POS, you hack the company.
Facing this, the response was akin to "What do you want? The people in our POSs can barely turn the computer on, that's no threat."
Maybe not. But if I wanted to hack that company (or any company), I'd first of all try to get a vegetable job at a POS. It's usually a quite good way to gain access to more than you could ask for.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Another company I worked for. It uses a VB based tool to update the jobs of its traveling salesmen and repair staff. Said tool uses DCOM (don't ask...) to connect to its server, which runs an SQL database. The user used to make those connections has top privileges, including altering the database and any (not just the specific user's) data. Mostly because all the users use the same username/password combination, which is of course stored within the binary used to make the transfer.
It's trivial to dig that user/pass combination out of the code. It's also trivial to get access to the code, all you have to do is to steal one of the notebooks. Or, to make it simple, just download it from the internal homepage (so everyone working in this company at the very least has access to the tool and thus to the user/pass combination). With it, you have all the necessary information to feed the database incorrect data, change prices, change orders and repair jobs, change car and tool assignments and of course, if you're so inclined, simply corrupt the database or drop it altogether.
This is an international company, the stock of which is traded on the New York Stock Exchange. Thus, it complies (with this security hole large enough to shove planets through) with the requirements of the Sarbanes-Oxley Act.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
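The comment above says it is "trivial to dig that user/pass combination out of the code." As an added illustration (not code from the original thread or from the company described), the following Python script shows how an auditor would do exactly that: carve printable strings out of a binary, including UTF-16LE strings (the encoding VB6 uses for string literals), and parse anything that looks like an ADO/ODBC connection string for embedded credentials. The sample "binary" is constructed inline, and the server name, database name, user names and passwords in it are made-up placeholders, as is the list of account names treated as privileged.

```python
import re
import sys

# Constructed stand-in for the VB tool's executable. VB6 stores string literals
# as UTF-16LE, so the ADO connection string is embedded that way; a second,
# plain-ASCII ODBC-style string is included to show both encodings are found.
# Every name and password here is a placeholder invented for this example.
CONN_STRING = ("Provider=SQLOLEDB;Data Source=JOBSRV01;Initial Catalog=FieldJobs;"
               "User ID=sa;Password=Summer2007!")
SAMPLE_BINARY = (
    b"MZ\x90\x00" + bytes(range(256)) * 4          # header-ish junk
    + CONN_STRING.encode("utf-16-le") + b"\x00\x00"
    + b"\xCC" * 64                                  # padding
    + b"DSN=LegacyDSN;UID=svc_jobs;PWD=hunter2\x00"
    + b"\x00" * 32
)

# Runs of at least 8 printable characters, ASCII and UTF-16LE respectively.
ASCII_RE = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Common keys seen in ADO (OLE DB) and ODBC connection strings, mapped to one name.
KEY_ALIASES = {
    "user id": "user", "uid": "user", "user": "user",
    "password": "password", "pwd": "password",
    "data source": "server", "server": "server",
    "initial catalog": "database", "database": "database",
    "dsn": "dsn",
}

# Assumed list of accounts that should never appear hardcoded in a client binary.
PRIVILEGED_USERS = {"sa", "administrator", "root"}


def extract_strings(blob):
    """Return printable strings found in blob, ASCII first, then UTF-16LE."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(blob)]
    return found


def parse_connection_string(s):
    """Split 'key=value;key=value' into a dict using the alias table above."""
    fields = {}
    for part in s.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        name = KEY_ALIASES.get(key.strip().lower())
        if name:
            fields[name] = value.strip()
    return fields


def find_embedded_credentials(blob):
    """Return a list of dicts for every string carrying both a user and a password."""
    hits = []
    for s in extract_strings(blob):
        fields = parse_connection_string(s)
        if "user" in fields and "password" in fields:
            fields["privileged"] = fields["user"].lower() in PRIVILEGED_USERS
            hits.append(fields)
    return hits


if __name__ == "__main__":
    # Usage: python find_creds.py [path-to-binary]; defaults to the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for hit in find_embedded_credentials(data):
        flag = "PRIVILEGED" if hit["privileged"] else "ordinary"
        print(f"{flag}: user={hit['user']!r} password={hit['password']!r} "
              f"target={hit.get('server') or hit.get('dsn')!r}")
```

The UTF-16LE pass is the part people forget: `strings` with default settings only finds the ASCII string, and a VB6 or .NET client would pass that check while still shipping the `sa` password to every laptop in the field. The fix the comment points at is not a better hiding place for the secret but per-user authentication (Windows integrated auth or individual SQL logins) with a least-privilege role, so that the client binary contains nothing worth extracting.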