TJX Security Breach Described
Bunderfeld notes more details coming out about how bad guys got into the TJX network. Last time we discussed this, the best information indicated that a WEP crack had started the ball rolling. Now we learn that instead, or in addition: "Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. 'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,' says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding 'suspicious software' on its computer systems."
Sounds to me like incompetence. You're a big company, pay for people to look after your infrastructure... I hate it when publicly traded companies cut corners to put that stock price up just a fraction of a nanocent.
-- incubus
Sticking feathers up your butt does not make you a chicken.
the blame game!
The same kiosks that print out gift registries can be turned into kiosks that print out credit cards to pay for the purchase!
I'm rapidly strengthening my belief that this will not be the only company (large or small) to go through this - that many, many other companies are probably having the same done to them *right now* and don't even know it!
:(
This is a really crappy situation; it shouldn't have happened and frankly the entry points described here are a result of negligence, plain and simple! But it's hard; it's hard to manage a large organisation and to enforce correct and watertight procedures; security is a hard concept, one of continuous cat and mouse - but played out in your mind - hoping to God never in reality.
Everything gets more complex, and things are more often set up and run by muppets. There will be many more of these
Application security is only part of the problem.
It appears as though a physical breach occurred.
As you know once you have your hands on the hardware, all bets are off.
"The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,"
liqbase
all bets are off for the data on that hardware
still no excuse for the kiosk being able to access data from the rest of the network!
I love it how people talk about how they're using "encryption" when possessing the algorithm is enough to break it.
Idiots.
http://outcampaign.org/
THE HAXXXXXXXX
Geez, if you're going to troll, you should at least go for teh funneh when it's right in front of you. Razz with "T. J. HAXXXXX", or something. Don't be so lame at being lame.
Helping AC's troll properly, check. Now to find an old lady and help her turn on her left blinker.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
Was shaping up to be a decent tech article until this. I don't know what irks me more about this quote:
- Needing to define an old-ass term like wardriving
- defining it as poaching
- "putting" the "word" in "quotes" (I can just see the author's fingers in the air)
Firewalls, disabling usb, corporate LAN, etc are tossed around freely... why jack with wardrivers?
I am billdar, and I approve this message.
It's only a matter of time. The problem described is not isolated, it's symptomatic for a very large amount of companies.
What do we have:
1. A company with many kiosks/outlets/POS
2. A company network with the doctrine that everything "outside" needs to be kept out, while the "inside" has far too high privileges.
3. Untrained, unskilled and "do we need to pay minimum wage?" staff at the POS.
It is fairly easy to get a job at one of those POS. Hire and fire. You want it, you have it. No background check, no security check. You're simply assumed to be a vegetable because, well, if you had some kinda skill, you wouldn't work for 5 bucks an hour. You'd be a consultant for 50 an hour.
It's usually trivial to circumvent the security between the company's computer network and the POS, if there is one at all. Let me ramble about an audit for a moment.
We did an audit for some company. All went fairly well, an "outsider" would've had a very hard time getting past the walls and checks. All POS were VPN connected to the main network, secured again with various (IMO superfluous) encryption, so a MITM attack would've been fruitless as well. Good security, overall.
Until we checked the POS computers and found pretty much everything you needed to get access to the servers in the main office. You had the complete set of private keys (yes, all, including accounting, administration and the CEOs), the admin passwords were the same in every POS and inside the main network. You hack a POS, you hack the company.
Facing this, the response was akin to "What do you want? The people in our POS' can barely turn the computer on, that's no threat."
Maybe not. But if I wanted to hack that company (or any company), I'd first of all try to get a vegetable job at a POS. It's usually a quite good way to gain access to more than you could ask for.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals'
No one noticed the guys opening the backs of these terminals in the middle of the store? Sounds like their store security is worse than their network security. I would hate to see how much they write off each year to theft.
Life is pain. Anyone who says differently is selling something.
As you know once you have your hands on the hardware, all bets are off.
The point of a kiosk is for the public to put their hands on the hardware. No, the problem here was incompetence on both the company and kiosk manufacturer.
The company should have made sure that these kiosks were segmented off the general network and even if they could crack their way onto the general network, these machines should have no permission to do anything. Also, a standard keyboard should never be hooked up to a kiosk. It should be locked away in a drawer behind a counter in whatever department the kiosk resides. Any text entry can be done via onscreen keyboard. If that is not an option, an employee should have to plug the keyboard in so that they are aware to keep an eye on the kiosk while the keyboard is attached.
The kiosk manufacturer should have made sure that these machines were secure. I've worked for a kiosk manufacturer and there are things that can be done to make sure the system is secure. For starters, lock down whatever user account the primary application runs on. So even if they can get out of that app, they can't do anything beyond clicking start and shut down. Also, there are software applications that lock down the system for you. The one we used completely locked the desktop out. It was a pain to support, but it was secure.
Of course, none of these are foolproof, but when you combine them all, they make it nearly impossible, or at least not worth it, to get into a corporate network.
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
Another company I worked for. It uses a VB based tool to update the jobs of its traveling salesmen and repair staff. Said tool uses DCOM (don't ask...) to connect to its server, which runs an SQL database. The user used to make those connections has top privileges, including altering the database and any (not just the specific user's) data. Mostly because all the users use the same username/password combination, which is of course stored within the binary used to make the transfer.
It's trivial to dig that user/pass combination out of the code. It's also trivial to get access to the code, all you have to do is to steal one of the notebooks. Or, to make it simple, just download it from the internal homepage (so everyone working in this company at the very least has access to the tool and thus to the user/pass combination). With it, you have all the necessary information to feed the database incorrect data, change prices, change orders and repair jobs, change car and tool assignments and of course, if you're so inclined, simply corrupt the database or drop it altogether.
This is an international company, the stock of which is traded at the NY stock exchange. Thus, it complies (with this security hole large enough to shove planets through) with the requirements of the Sarbanes-Oxley Act.
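The post above describes a client binary with one shared, all-powerful database login compiled into it. As an added example (not the tool, the company, or any code from the thread), here is how little effort recovering such a credential takes: a strings(1)-style scan that also picks up the UTF-16LE strings Windows binaries carry, followed by a connection-string parser, run against a constructed blob. The server name, user and password in it are invented.

```python
"""Pull a hardcoded database credential out of a binary.

Added example, not code from the thread. FAKE_BINARY is constructed to
resemble a compiled client that embeds an ADO-style connection string in
both ANSI and UTF-16LE form; every value in it is made up.
"""
import re

CONNSTR = "Provider=SQLOLEDB;Data Source=SALES-DB01;User ID=fieldapp;Password=Summer2007!"

# Constructed "binary": header bytes, junk, the string as ASCII, junk,
# the same string as UTF-16LE (how VB-era Windows code usually stores it), junk.
FAKE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 40
    + b"\x11\x22\x33" + CONNSTR.encode("ascii") + b"\x00\x00"
    + b"\x7f" * 16 + CONNSTR.encode("utf-16-le") + b"\x00\x00\x00"
    + b"\xff" * 20
)

# Runs of at least six printable ASCII bytes, as strings(1) reports them.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# Wide strings: printable byte followed by NUL, at least six times.
WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def strings(blob):
    """Printable ASCII runs plus UTF-16LE runs, decoded to str."""
    found = [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in WIDE.finditer(blob)]
    return found


# Connection-string keys that identify where the login goes and what it is.
CRED_KEYS = ("password", "pwd", "user id", "uid", "data source", "server")


def find_credentials(blob):
    """Return sorted (key, value) pairs from anything shaped like a connection string."""
    hits = set()
    for s in strings(blob):
        for part in s.split(";"):
            if "=" not in part:
                continue
            key, _, value = part.partition("=")
            if key.strip().lower() in CRED_KEYS:
                hits.add((key.strip(), value.strip()))
    return sorted(hits)


if __name__ == "__main__":
    for key, value in find_credentials(FAKE_BINARY):
        print(f"{key}: {value}")
```

The scanner finds the login twice (once per encoding) and reports it once. The fix the post points at is structural rather than cosmetic: credentials issued per user by the server, and a service layer that decides which rows a field user may alter, so that nothing worth extracting sits in the client in the first place.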
You'd be surprised what people let you have access to if you're wearing some shirt that looks official (like TJMaxx or Verizon)... oh, we're just upgrading the kiosks.
Who here has gotten a free year with a credit watchdog service due to your information having been leaked by some company you dealt with? (The letter I got actually said that my information was put at risk due to some kind of sloppy law enforcement access. WTF?)
I normally hate calling for more laws but there should be more severe penalties for this kind of error. Otherwise... it will keep happening.
Problem is, if I read this correctly, everyone had access to that hardware. Unless I'm mistaken, it was to be used by customers, not just staff.
But even if it is staff-only, you cannot trust those machines. Those machines are to be seen as "foreign" not "own" in any security concept, and thus are by definition not to be trusted. Such machines may interface with the internal network only through defined and monitored channels and should most definitely not have access to internal data beyond their needs.
The problem isn't that people could manipulate the hardware in the store. That's a given. The problem is that this hardware enjoyed a level of trust that was by no means warranted.
So let me get this straight, the data thieves had physical access to a computer on the stores network. Sounds like a physical security issue that a security guard should have noticed. Not all computer and network security is electronics and software. Sometimes you gotta watch who you let in the store and watch what they are doing once inside.
I've applied for a job in retail once before. I went to a store and they had placed the units near a corner next to the bathroom. Their view was obscured by a rack of greeting cards. Even though they had the application blocking access to the desktop, I could have easily rebooted the machine by pressing reset.
After that I could have worked quickly to access the BIOS and slip in a password-wiping utility disk and create an account for myself. I guess after that, installing third-party apps to establish access to it from home would have been the next step. Probably restarting (after the aforementioned) the system and claiming the machine had died while I was writing the application would have made it look like I genuinely had a problem.
I've never done this (I'm probably clueless but I don't think it's hard, right?) but if people working in teams took similar steps, their profile would have been reduced. They could easily accomplish some major damage over a long period of time.
In fact, if they constructed a special application on a USB stick that wrote to the Windows SAM on a reboot and wiped out the admin password, or created an administrative account which in turn relayed system information remotely via SMTP or another way, then the hard work is over. All it would take was for someone to go to the kiosk, pretend to write to the store application, drop their pen, bend over under the desk, insert the USB device, and reset the computer. Next, send someone later to retrieve the USB stick to remove the evidence.
I've never done this, but if I can imagine this, then I would take precautions as best I could to prevent this. I'm sure the technicians would have gotten around to securing the kiosks, but like most IT departments, they are really pressed for time and stretched dangerously thin. Scary stuff!
Touch screens suck for when you have to do a lot of typing, as you do when trying to get a low-wage job at a store, and most POS / kiosk apps are coded poorly so they need admin to run, and sometimes they are just a desktop inside of a counter that has no lock on it. And you can blame Intel / Dell and others for needing USB ports, as they like to cut out PS2 ports even though the older POS hardware needs PS2 ports.
Combine that with a sensible security concept and a secure data exchange protocol and there's nearly nothing that could be done with those kiosks.
Take a look at internet banking. And let's ignore the ever popular trojan based attacks for now. There is NOTHING a user can do to manipulate a bank account beyond his own (and this only to his own damage, never to the bank's). And here the hardware used to interface with the bank is fully under the user's control. Ok, more or less, but it can be if the user wants to.
Still, no way to do an online bank robbery. Because the interface limits the user to the point where he simply cannot do anything to damage the bank.
Ten to one, we hear next week that some large repository of Student papers is vulnerable too.
Consider this scenario: An insider (the 2nd shift manager, a night security guard, whatever) lets a few friends in after-hours. These friends can, with a few hours effort, bypass *any* security you have established on that kiosk. The only way to prevent this is to armor the stupid thing like an ATM (and with enough time and effort, even *that* won't stop them).
The way to secure the kiosks is to secure the network to which they are attached. Consider them to be potentially hostile devices, and act accordingly. If the network is properly secured, then the only potential damage from a hacked kiosk involves only those transactions that occurred at that kiosk.
Yes, you *do* need to secure the kiosks against "casual" penetration. But don't rely on that security - assume that these devices *will* be subverted. Because if there's enough money to be made by subverting one, then somebody will do it.
Don't tell me to get a life. I had one once. It sucked.
What the heck is TJX? I've never heard of it.
(checks article)
Oh... the no-name corporate parent of TJ Maxx and Marshalls... why the heck didn't the author just say so? I mean seriously... how many people have ever heard of that company name? It's hardly a tech company, either, so it's not like Slashdot is some unusual audience where TJX is a company on the tip of everyone's tongue.
are designed for this type of system. If your application is secure enough to live on the internet, then it is secure enough to be used on an intranet with thin clients.
Most thin clients out of the box boot with a low-privilege account. You can even set up some to "reimage" their flash memory on each boot (or boot disklessly from a central image server). Think someone compromised a system? Lockdown passwords on your master image and reboot all the terminals. No changes should be able to be made to the system without elevating to root or administrator.
Seriously - carving up your network and firewalling everything two ways to sunday is great, but this problem could have been simply solved with a little bit of thought ahead of implementation.
-ted
We gave up our financial security for convenience.
Instant credit at stores, drive the car off the lot today, get a cell phone in 10 minutes...
Maybe, instead of the consumer's credit rating being damaged when a business gives credit without solid proof of identity, the company needs to eat the loss.
I wonder if anyone's tried suing a company for slander/libel over a false credit report entry...
Linux?
Let's assume the kiosk distro has hotplugging enabled. Flash drive mounts, but the files... are not executable! So the hostile doesn't have the opportunity to change permissions, much less execute something on a flash drive.
OSX?
Flash drive mounts. Hmmm, can't install anything without su/sudo.
Windows?
Hmm... Sure, there is an enormously complicated policy system. But none of which sets noexec on everything on a flash drive... http://support.microsoft.com/default.aspx?scid=kb;en-us;555324&sd=rss&spid=3198 And then there's the very permeable "user mode" security that isn't what it claims to be.
Got Trader Joe's? friendwich.com RSS feeds work now!
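Whether a removable drive mounts with noexec is a mount option, not a property of the operating system, so on a kiosk it is worth checking rather than assuming. The following is an added example, not code from the thread: it parses text in /proc/mounts format and reports which removable-media mount points lack noexec, nosuid and nodev. The sample mount lines are constructed, not captured from a real kiosk, and the mount-point prefixes are an assumption about where automounters place media.

```python
"""Audit removable-media mounts for noexec/nosuid/nodev.

Added example, not code from the thread. SAMPLE_MOUNTS is constructed in
/proc/mounts format; it is not captured from a real kiosk.
"""
import os

SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,relatime,fmask=0022,dmask=0022 0 0
/dev/sdc1 /media/usb1 vfat rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""

REQUIRED = {"noexec", "nosuid", "nodev"}
# Assumed locations where automounters put removable media.
REMOVABLE_PREFIXES = ("/media/", "/mnt/", "/run/media/")


def parse_mounts(text):
    """Return (device, mountpoint, fstype, options-set) for each mount line."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        dev, mountpoint, fstype, opts = fields[:4]
        mounts.append((dev, mountpoint, fstype, set(opts.split(","))))
    return mounts


def audit_removable(text):
    """Map each removable mount point to the hardening options it is missing."""
    return {
        mp: sorted(REQUIRED - opts)
        for _dev, mp, _fs, opts in parse_mounts(text)
        if mp.startswith(REMOVABLE_PREFIXES)
    }


if __name__ == "__main__":
    # On a Linux host read the live table; otherwise fall back to the sample.
    text = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else SAMPLE_MOUNTS
    for mp, missing in audit_removable(text).items():
        print(mp, "OK" if not missing else "missing " + ",".join(missing))
```

In the sample, /media/usb0 is flagged for lacking noexec while /media/usb1 passes. Note what noexec does and does not buy: it stops a binary on that drive from being executed directly, but it does not stop an interpreter already on the kiosk from running a script read from the drive, nor a file from being copied to some other writable, exec-permitted filesystem first. It is one layer, not the answer.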
Personally I think the hardware should be as hard to get to as the coin box in a video game. That is a solved problem so the kiosk manufacturers are not trying hard enough (just like the voting machine people). The next thing of course is that there is a remote network connection in a spot that can't always be watched running directly into the LAN - I wouldn't even let it send packets to anywhere other than the system it is supposed to talk to.
I called this the "TJ Maxx Effect". Yes, I shop there; it's near my house and I can usually do better on housewares and necessary items than I could do even in thrift stores.
So anyway, the "Effect" is this: If you are shopping, and you take an interest in some category of items, say, curtain rods, and another shopper sees you checking out curtain rods, all of a sudden *they* are interested in curtain rods. Same thing happens if you look in the towel aisle. Someone who wasn't looking at towels suddenly needs to crowd into your space to look at towels as well. I've observed this phenomenon numerous times and particularly at TJ Maxx, and I believe the psychology of it is "they" don't want "you" to get a deal that they missed out on.
To be fair, sometimes there really are awesome deals to be had, because the people setting the prices don't tend to be particularly savvy as to desirability of certain kinds of items. For instance, I got a JA Henckel knife set -- a really high quality made in Spain set -- that was priced the same as another made in China set. These are completely different products, massively differently priced in retail stores, and the TJ Maxx manager didn't know. (I'm not above capitalizing on the misfortune of others.)
Anyway, as for the article, I got as far as realizing that physical access means you have the keys to the store, so to speak. At my local store, the clerks watch the application machine, as well as everything else in the shop, like a hawk. I get the impression that shoplifting is more common in discount stores than in regular retail stores; maybe I can study this and name THAT effect as well.
-fb Everything not expressly forbidden is now mandatory.
Oh, if you want to see that sort of physical security violation, think back to high school and the candy machines and ice cream freezers for the cafeteria. Or go visit Defcon and see how many hacker wanna-be's try, and occasionally succeed, in breaking into the telephone closets or go riding on elevator rooftops.
A set of coveralls and a nametag that says "Bob" will get you access that a suit and tie never would.
Agreed! You have to consider the kiosk to be a hostile device and assume that it is going to be cracked no matter what you do. Limit it's access over the network and secure the server/daemon it connects to.
I'd mod parent one up if I had mod points.
Codifex Maximus ~ In search of... a shorter sig.
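Several posts above converge on the same rule: treat the kiosk as a hostile device, and let it send packets to nothing but the one system it is supposed to talk to. That is a default-deny egress policy for the kiosk segment. The following is an added example, not code from the thread or from TJX: a small first-match policy evaluator that contrasts the flat network the breach story describes with a segmented one, run over a few constructed flows, plus a renderer that emits the segmented policy as iptables commands. The addresses, ports and server roles are assumed.

```python
"""Default-deny egress policy for an untrusted kiosk segment.

Added example, not code from the thread. Addresses, ports and server roles
are assumed; the idea is the one the posts state: the kiosk VLAN talks to
its own application server on the one port it needs, and to nothing else.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "ACCEPT" or "DROP"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(policy: List[Rule], flow: Flow, default: str = "DROP") -> str:
    """First matching rule wins; anything unmatched gets the default verdict."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action
    return default


KIOSK_NET = "10.50.0.0/24"      # assumed kiosk VLAN
APP_SERVER = "10.10.1.20/32"    # assumed job-application web server
CORP_NET = "10.0.0.0/8"         # the whole corporate network

# The posture the thread describes: kiosks on the LAN with nothing in between.
FLAT_POLICY = [Rule("ACCEPT", KIOSK_NET, CORP_NET, "any", None)]

# Hostile-device posture: one allow rule, everything else falls through to DROP.
SEGMENTED_POLICY = [Rule("ACCEPT", KIOSK_NET, APP_SERVER, "tcp", 443)]

# Constructed traffic from one kiosk at 10.50.0.7.
SAMPLE_FLOWS = {
    "job_app_https": Flow("10.50.0.7", "10.10.1.20", "tcp", 443),
    "file_server_smb": Flow("10.50.0.7", "10.10.2.5", "tcp", 445),
    "pos_db_mssql": Flow("10.50.0.7", "10.10.3.9", "tcp", 1433),
    "other_kiosk_rdp": Flow("10.50.0.7", "10.50.0.8", "tcp", 3389),
}


def verdicts(policy: List[Rule]) -> dict:
    return {name: evaluate(policy, flow) for name, flow in SAMPLE_FLOWS.items()}


def to_iptables(policy: List[Rule], chain: str = "FORWARD") -> List[str]:
    """Render the policy as iptables commands with the same first-match semantics."""
    lines = []
    for r in policy:
        parts = ["iptables", "-A", chain, "-s", r.src, "-d", r.dst]
        if r.proto != "any":
            parts += ["-p", r.proto]
        if r.dport is not None:
            parts += ["--dport", str(r.dport)]
        parts += ["-j", r.action]
        lines.append(" ".join(parts))
    lines.append(f"iptables -A {chain} -s {KIOSK_NET} -j DROP")  # default deny
    return lines


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, verdicts(policy))
    print("\n".join(to_iptables(SEGMENTED_POLICY)))
```

Under the flat policy every sample flow is accepted, including SMB to a file server and a direct connection to a database; under the segmented policy only HTTPS to the application server survives. The evaluator is stateless, so a real ruleset also needs a conntrack ESTABLISHED,RELATED rule for return traffic, and the kiosks belong on their own VLAN so that the rule set actually sits in the path. A compromised kiosk is then limited to the one service it already had, which is the outcome the posts above are asking for.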
There is a real false sense of security in these situations. These machines are inside a cabinet and the only access a normal person would or should have is a webpage in a browser with maybe a keyboard and mouse (or a touch screen). The USB and case and everything else is locked away and you usually need a key to access them.
I have seen a few and they don't even use a full shell or normal desktop. In most of them, if you crash out of the browser applications (usually IE) you get dumped to a plain desktop with no icons or start menu. Those ones I have seen also check for the browser app and reboot if it isn't running. It makes a non-geek think that the application program thing is the only thing that can run on it.
I agree with your trust position. It is just that these things resemble a VCR or a coin-operated video game more than a computer, so I can understand (uninformed) management being highly stupid about them. I don't think the IT department has much of an excuse though. And of course this is all with a hindsight-is-20/20 attitude.
Ok, now couple that with the latest exploits against browsers which allow you to run arbitrary code on the machine, and presto, malware on the computer that allows you to remote control it. Even giving the admins the benefit of doubt, i.e. that they weren't stupid enough to let the kiosk machine run with administrator privileges, if you have a good idea just what you're looking for, you can craft some code that needs only user permissions to run while giving you full access to the machine, at least to the point where you get to decide what data to retrieve, to send or to manipulate.
And in typical Slashdot fashion, the anti-Windows advocate gets the +2 mod, despite being proven completely wrong by two separate posters.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
That may be true, but that will not protect you from a subsequent civil suit for breach of contract. Or even criminal charges. If your employer decides that your turning data over to the authorities in the course of reporting criminal activity constitutes theft of their property, they can have you arrested and charged even if they are the ones guilty of said criminal activity. If they committed no crimes, but the release of such data is simply damaging to their reputation, and they can show damages, then you are truly SOL.
Have gnu, will travel.
I don't doubt you or deny what you're saying. I'm just saying that it is easy to think they are safer than they are. I can understand someone thinking they were fancy VCRs or something like them. No one would automatically think their VCR could be used to hack their network and steal credit card info.
Take a computer based VCR and you're there.
The problem is that those machines are actually multi purpose, not single purpose. They are not "dumb" machines like a VCR, a CD-Player or a TV set, which can only execute their preprogrammed function and cannot be reconfigured.
Sure, And I agree with that. It is just easy not to notice it.
As I said in my first post, you can get a false sense of security from them. They appear to the under-educated and some educated people at first to be a dumb machine like a VCR, a CD player or a TV set.
I'm not saying they aren't dangerous or anything. I'm just saying that people can get the wrong impression about them leaving them open to something like an attack. Their design misleads someone who doesn't know better into a false sense of security.
Actually, now that our appliances become "smarter", they also become more prone to attacks. You certainly know about those pipe dreams of "intelligent" fridges that tell you what's about to reach its best-before date, or even get connected to the 'net and order new potatoes when you're running out of them, and those "intelligent" stoves that notice when you're burning something. But what does that mean? It necessarily means that those "dumb" devices get some kind of computer fitted into them. And that can open a completely different can of worms.
It all depends on how "mod-able" such an appliance will be. The more something should be able to do, the more functionality it must have. The more functionality something has, the more room for exploiting it.
Ehh. I didn't really think of that. Good point.
It might be interesting to hear a defense like: Honestly, it wasn't me, the fridge got infected with the "I_love_Milk" and "W32.spoiled.yogurt" viruses and it caused it to attack the NSA and CIA networks. Meanwhile the judge is remembering the time that his stove became the target of a denial of service attack and it made him lose 10 lbs.
Humor aside, you're probably right and it is only a matter of time.