Slashdot Mirror


TJX Security Breach Described

Bunderfeld notes more details coming out about how bad guys got into the TJX network. Last time we discussed this, the best information indicated that a WEP crack had started the ball rolling. Now we learn that instead, or in addition: "Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. 'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,' says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding 'suspicious software' on its computer systems."

22 of 104 comments

  1. Tchoh by Gricey · · Score: 3, Insightful

    Sounds to me like incompetence. You're a big company, pay for people to look after your infrastructure... ... I hate it when publicly traded companies cut corners to put that stock price up just a fraction of a nanocent.

    -- incubus

    --
    Sticking feathers up your butt does not make you a chicken.
    1. Re:Tchoh by asphaltjesus · · Score: 2, Interesting

      You're a big company, pay for people to look after your infrastructure.

      1. They might do that. Only the problem may not have been in IT per se. I can easily imagine someone from another department purchasing the kiosks then throwing the request to connect the kiosk to the store's network over the so-called wall to IT. That's just one plausible scenario.

      2. Don't be surprised when the kiosk manufacturer comes back and says, "Hey, I don't provide secured operating systems running on the computer inside the kiosk I manufacture."

      3. The likelihood the kiosk in question ran Windows is high given the compromise.

      --
      Got Trader Joe's? friendwich.com RSS feeds work now!
    2. Re:Tchoh by Vancorps · · Score: 2, Interesting

      Sounds simply like an insecure kiosk. A lot of them are Windows based, but you only need to set up one to be able to secure them all, so the OS excuse doesn't really hold water, especially with products like VMware out there providing solid solutions for this very problem.

      I would also say number 1 is a likely scenario. Marketing made the decision to purchase the kiosks and misrepresented what the kiosk manufacturer was providing, so IT let it slide because they're busy working. Of course, you can also argue that IT missed its due diligence on this one.

    3. Re:Tchoh by BosstonesOwn · · Score: 2, Interesting

      As someone who worked there: they are retailers, they always cut corners. They have a small staff of IT guys to overlook so many stores and it bit them in the ass.

      --
      This package Does Not Contain a Winner
  2. It's time for... by taupin · · Score: 2, Funny

    the blame game!

  3. That's an interesting feature by jeebee · · Score: 5, Funny

    The same kiosks that print out gift registries can be turned into kiosks that print out credit cards to pay for the purchase!

  4. storing secrets; security through obscurity by Schraegstrichpunkt · · Score: 4, Insightful

    However, Visa indicated in February, through a number of documents sent to financial institutions that issue cards and manage Visa transactions, that TJX was storing card number, expiration date, and card verification value codes, all of which are prohibited by PCI. As for its efforts at encryption, "We believe the intruder had access to the decryption algorithm for the encryption software we utilize," TJX said in its annual report.

    I love it how people talk about how they're using "encryption" when possessing the algorithm is enough to break it.

    Idiots.

    1. Re:storing secrets; security through obscurity by flosofl · · Score: 2, Informative

      Well, knowing the encryption algo. makes it easier to guess passwords.

      Not at all. One of the key features of cryptographic algorithms is that knowing what algorithm is being used has absolutely no impact on the strength. Unless it's one of those snake oil "proprietary" crypts, which is a horse of an entirely different color. However, I can't think of any enterprise class crypto systems that use closed algorithms. Most use AES, Blowfish for block cipher, RSA and ElGamal for async and signing (maybe DSA for signing as well), DH for key exchange and SHA-1, TIGER or RIPEMD for hashing (you'll see 3DES and MD series on older systems).

      The algorithm is usually never the vector of attack. With crypto it's things like key exchange, poor coding (caching the key in memory, for instance), people, side-channel, or systems whose *methodology* in implementing crypto is weak. In the case of wireless encryption, I'm guessing they used WEP, which has weak key scheduling (if key discovery is what you meant by "password guessing"), instead of 802.11i.

      With respect to the TJX incident, they *never* should have wireless connecting to any kind of internal production network that handles financial/personal data. The kiosks should have everything needed local to the machine, or have a dedicated and isolated network for kiosks only. Oh, and lock the damn cabinets that house the kiosks.

      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
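
The distinction flosofl draws above, that a sound system's security rests on the key and not on secrecy of the algorithm (Kerckhoffs's principle), worked through in Python as an added example that is not part of this thread. The "legacy" scheme's only secret is the code itself, which is what TJX's own wording ("access to the decryption algorithm") amounts to; the second scheme publishes its algorithm and keeps nothing secret but a 32-byte key held outside the program. The HMAC-in-counter-mode construction is a stand-in for AES-GCM because the standard library has no AES, and every key, pad and card number below is a constructed test value.

```python
"""Kerckhoffs's principle, worked through in Python (added example, not from the thread).

Two ways of protecting a card number at rest:

  * legacy_encrypt / legacy_decrypt: a "proprietary" scheme whose secret is the
    algorithm itself (a fixed pad baked into the code). Anyone who reads the
    code decrypts every record; no key is involved.
  * encrypt / decrypt: a published construction whose only secret is a key kept
    outside the code. The algorithm is in plain view; without the key the
    ciphertext is useless, and any tampering is detected before decryption.

The published construction is HMAC-SHA256 as a PRF in counter mode plus an
HMAC tag (encrypt-then-MAC). It stands in for AES-GCM only because the standard
library has no AES; use a maintained library in production.
"""
import hashlib
import hmac
import os

# --- "proprietary" scheme: the secret IS the algorithm ------------------------
_EMBEDDED_PAD = b"KIOSK-PAD-2007"  # constructed; it ships in the binary, so it is public


def legacy_encrypt(plaintext: bytes) -> bytes:
    """Repeating XOR with a constant pad. Looks scrambled, but needs no key."""
    return bytes(b ^ _EMBEDDED_PAD[i % len(_EMBEDDED_PAD)] for i, b in enumerate(plaintext))


def legacy_decrypt(ciphertext: bytes) -> bytes:
    """Whoever has the code has every record (XOR is its own inverse)."""
    return legacy_encrypt(ciphertext)


# --- published scheme: the secret is only the key -----------------------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag, with a fresh random nonce per call."""
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag first; a wrong key or a modified blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """What someone holding the program, but not the key, can recover."""
    pan = b"4111111111111111"          # constructed test card number
    key = os.urandom(32)               # in practice: from an HSM/KMS, never in the binary
    good_blob = encrypt(key, pan)
    try:
        decrypt(os.urandom(32), good_blob)   # attacker tries some other key
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {
        "legacy_recovered_without_key": legacy_decrypt(legacy_encrypt(pan)) == pan,
        "published_recovered_with_key": decrypt(key, good_blob) == pan,
        "published_wrong_key_rejected": wrong_key_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the first and third entries together: the legacy scheme yields the card number to anyone holding the code, while the published scheme, with its algorithm fully visible here, yields nothing without the key. Where the key ends up stored next to the data or inside the application (the "caching the key in memory" and embedded-credential failures mentioned elsewhere in this thread) the second scheme degrades to the first.
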
  5. Re:owned by RobertB-DC · · Score: 4, Funny

    THE HAXXXXXXXX

    Geez, if you're going to troll, you should at least go for teh funneh when it's right in front of you. Razz with "T. J. HAXXXXX", or something. Don't be so lame at being lame.

    Helping AC's troll properly, check. Now to find an old lady and help her turn on her left blinker.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  6. Re:They won't be the only people by Locutus · · Score: 4, Informative

    but businesses are not even trying. American Express was/is running Microsoft Internet Explorer on their customer service reps' desktops AND they have internet access. With all the holes found every day in this combination, these customer service reps use the same browser to access AMEX customer databases.

    I don't know if you remember but a few years ago, there was a massive security hole in MS IE and Microsoft didn't/couldn't fix it for about 6 months. The Dept of Homeland Security even put out a recommendation to not use MS Internet Explorer because of this unpatched flaw. AMEX did nothing about it and continued as normal.

    Move about a year later and all of a sudden, CNN is on the air with no computer systems and spends the hours on the air discussing how their Windows computers are rebooting on their own. City governments across the country have the same problem and so does AMEX. The cause, a Windows spyware kit that had been installed on all these computers and many more, was crashing on some subset of the computers it was installed on and causing those to reboot. The spyware was already on a bunch of computers, and only because there was a flaw which caused it to crash SOME of the computers was it found out about.

    There is no security in corporate America or the various governments. Sure, there are some areas where smart people are doing what's right but it looks like 90% of the rest are feak'n MCSE's with one finger up their ass and the other on the mouse. click, click, click.

    These businesses should be made to pay $10,000 every time they lose customer data and for every customer. That doesn't even begin to pay for the hardships of dealing with identity theft, not even close but it would add up to millions quickly and it just might make them think about who's running the company IT department and what they are running.

    LoB

    --
    "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  7. Wardriving == poaching? by billdar · · Score: 2, Insightful

    "In May, The Wall Street Journal cited a separate entry point, reporting that data thieves had accessed an improperly secured Wi-Fi network from the parking lot of a Marshall's store in St. Paul, Minn. The thieves reportedly used a wireless data poaching tactic called "wardriving" and exploited the deficiencies of the aging Wired Equivalent Privacy wireless security protocol."(Emphasis mine)

    Was shaping up to be a decent tech article until this. I don't know what irks me more about this quote:

    - Needing to define an old-ass term like wardriving
    - defining it as poaching
    - "putting" the "word" in "quotes" (I can just see the author's fingers in the air)

    Firewalls, disabling usb, corporate LAN, etc are tossed around freely... why jack with wardrivers?

    --
    I am billdar, and I approve this message.
    1. Re:Wardriving == poaching? by Radon360 · · Score: 3, Insightful

      Because proper tech journalism is about using buzzwords to sound techy!

      If you're an incompetent, technologically ignorant journalist, then you go out and look for some terms that sound appropriate and cool, then include them in your story. Heck, as a journalist, your job is to describe and explain something to the uninformed. Since the uninformed are largely a technologically challenged audience, they'll accept your cool usage of terms, usually considered passé by the real tech crowd, as an insightful look into the sophisticated technical world.

      So, if you want to be a cool tech writer, just liberally toss in a couple of terms like nano, blog, cyber, online, real-time, data mining, and Google (the last one especially used as a verb).

  8. We're heading for an IT disaster by Opportunist · · Score: 4, Interesting

    It's only a matter of time. The problem described is not isolated; it's symptomatic of a very large number of companies.

    What do we have:

    1. A company with many kiosks/outlets/POS
    2. A company network with the doctrine that everything "outside" needs to be kept out, while the "inside" has far too high privileges.
    3. Untrained, unskilled and "do we need to pay minimum wage?" staff at the POS.

    It is fairly easy to get a job at one of those POS. Hire and fire. You want it, you have it. No background check, no security check. You're simply assumed to be a vegetable because, well, if you had some kinda skill, you wouldn't work for 5 bucks an hour. You'd be a consultant for 50 an hour.

    It's usually trivial to circumvent the security between the company's computer network and the POS, if there is one at all. Let me ramble about an audit for a moment.

    We did an audit for some company. All went fairly well; an "outsider" would've had a very hard time getting past the walls and checks. All POS were VPN connected to the main network, secured again with various (IMO superfluous) encryption, so a MITM attack would've been fruitless as well. Good security, overall.

    Until we checked the POS computers and found pretty much everything you needed to get access to the servers in the main office. You had the complete set of private keys (yes, all, including accounting, administration and the CEO's), and the admin passwords were the same in every POS and inside the main network. You hack a POS, you hack the company.

    Facing this, the response was akin to "What do you want? The people in our POS' can barely turn the computer on, that's no threat."

    Maybe not. But if I wanted to hack that company (or any company), I'd first of all try to get a vegetable job at a POS. It's usually a quite good way to gain access to more than you could ask for.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. more than network security by icebones · · Score: 2, Insightful

    'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals'

    No one noticed the guys opening the backs of these terminals in the middle of the store? Sounds like their store security is worse than the network security. I would hate to see how much they write off each year to theft.

    --
    Life is pain. Anyone who says differently is selling something.
  10. Oh, wait, this one's even better by Opportunist · · Score: 4, Interesting

    Another company I worked for. It uses a VB based tool to update the jobs of its traveling salesmen and repair staff. Said tool uses DCOM (don't ask...) to connect to its server, which runs an SQL database. The user used to make those connections has top privileges, including altering the database and any (not just the specific user's) data. Mostly because all the users use the same username/password combination, which is of course stored within the binary used to make the transfer.

    It's trivial to dig that user/pass combination out of the code. It's also trivial to get access to the code, all you have to do is to steal one of the notebooks. Or, to make it simple, just download it from the internal homepage (so everyone working in this company at the very least has access to the tool and thus to the user/pass combination). With it, you have all the necessary information to feed the database incorrect data, change prices, change orders and repair jobs, change car and tool assignments and of course, if you're so inclined, simply corrupt the database or drop it altogether.

    This is an international company, the stock of which is traded at the NY stock exchange. Thus, it complies (with this security hole large enough to shove planets through) with the requirements of the Sarbanes-Oxley Act.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. social engineering maybe? by eli+pabst · · Score: 2, Interesting

    You'd be surprised what people let you have access to if you're wearing some shirt that looks official (like TJMaxx or Verizon)... oh, we're just upgrading the kiosks.

  12. I'm SURE the customers will be taken care of by IronChef · · Score: 4, Insightful

    Who here has gotten a free year with a credit watchdog service due to your information having been leaked by some company you dealt with? (The letter I got actually said that my information was put at risk due to some kind of sloppy law enforcement access. WTF?)

    I normally hate calling for more laws but there should be more severe penalties for this kind of error. Otherwise... it will keep happening.

  13. Re:Firewalls are fail by Lloyd_Bryant · · Score: 2, Insightful

    The kiosk manufacturer should have made sure that these machines were secure. I've worked for a kiosk manufacturer and there are things that can be done to make sure the system is secure. For starters, lock down whatever user account the primary application runs on. So even if they can get out of that app, they can't do anything beyond clicking start and shut down. Also, there are software applications that lock down the system for you. The one we used completely locked the desktop out. It was a pain to support, but it was secure.

    I'd classify that as +5 "waste of effort". You're presuming that securing the kiosk is a reliable way to secure the network. It ain't.

    Consider this scenario: An insider (the 2nd shift manager, a night security guard, whatever) lets a few friends in after-hours. These friends can, with a few hours effort, bypass *any* security you have established on that kiosk. The only way to prevent this is to armor the stupid thing like an ATM (and with enough time and effort, even *that* won't stop them).

    The way to secure the kiosks is to secure the network to which they are attached. Consider them to be potentially hostile devices, and act accordingly. If the network is properly secured, then the only potential damage from a hacked kiosk involves only those transactions that occurred at that kiosk.

    Yes, you *do* need to secure the kiosks against "casual" penetration. But don't rely on that security - assume that these devices *will* be subverted. Because if there's enough money to be made by subverting one, then somebody will do it.

    --
    Don't tell me to get a life. I had one once. It sucked.
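
Lloyd_Bryant's advice above, "consider them to be potentially hostile devices", turned into a policy plus a detection as an added example that is not part of this thread. The kiosk segment gets a default-deny egress allowlist (the job-application web server and the internal resolver only), and every other flow sourced from a kiosk becomes an alert, whether it heads for another internal host or for the Internet. The addresses, ports and the flow-log format are all constructed for this example; 203.0.113.0/24 is the RFC 5737 documentation range.

```python
"""Treat the kiosk VLAN as hostile: allowlist its egress, alert on everything else.

Added example, not from the Slashdot thread. Kiosks may reach only the
job-application web app and the internal resolver; any other flow sourced
from the kiosk segment is an alert. Flow records use a constructed,
syslog-like format: "ts src:sport > dst:dport proto".
"""
import ipaddress
import re
from dataclasses import dataclass

KIOSK_NET = ipaddress.ip_network("10.50.0.0/24")          # assumed kiosk VLAN
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),)      # assumed corporate address space


@dataclass(frozen=True)
class Rule:
    dst: ipaddress.IPv4Network
    port: int
    proto: str


# Default-deny egress for the kiosk segment; only these flows are expected.
KIOSK_EGRESS_ALLOW = (
    Rule(ipaddress.ip_network("10.10.5.20/32"), 443, "tcp"),  # HR job-application web app
    Rule(ipaddress.ip_network("10.10.1.1/32"), 53, "udp"),    # internal DNS resolver
)

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed flow records as a store firewall might export them.
SAMPLE_FLOWS = """\
2007-05-04T10:01:12Z 10.50.0.17:51234 > 10.10.5.20:443 tcp
2007-05-04T10:01:13Z 10.50.0.17:51235 > 10.10.1.1:53 udp
2007-05-04T10:02:40Z 10.50.0.17:51240 > 10.10.2.5:1433 tcp
2007-05-04T10:02:41Z 10.50.0.17:51241 > 10.50.0.18:445 tcp
2007-05-04T10:03:00Z 10.50.0.17:51242 > 203.0.113.9:6667 tcp
2007-05-04T10:03:05Z 10.10.7.3:40001 > 10.10.2.5:1433 tcp
"""


def is_allowed(dst, port: int, proto: str) -> bool:
    """True if some allow rule matches the destination, port and protocol."""
    return any(dst in r.dst and port == r.port and proto == r.proto
               for r in KIOSK_EGRESS_ALLOW)


def classify(flow: dict) -> str:
    """'allowed', 'denied-internal', 'denied-external' or 'not-kiosk'."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src not in KIOSK_NET:
        return "not-kiosk"            # other segments have their own policy
    if is_allowed(dst, int(flow["dport"]), flow["proto"]):
        return "allowed"
    if dst in KIOSK_NET or any(dst in n for n in INTERNAL_NETS):
        return "denied-internal"      # a kiosk reaching into the corporate network
    return "denied-external"          # a kiosk talking to the Internet


def detect(log_text: str) -> list:
    """Returns (line, verdict) for each kiosk-sourced flow that violates policy."""
    alerts = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue                  # unparseable line; a real pipeline would count these
        verdict = classify(m.groupdict())
        if verdict.startswith("denied"):
            alerts.append((line, verdict))
    return alerts


if __name__ == "__main__":
    for line, verdict in detect(SAMPLE_FLOWS):
        print(f"{verdict:16} {line}")
```

Run against the sample, the two expected flows pass and three alerts fire: a kiosk reaching an internal database port, a kiosk talking to another kiosk, and a kiosk reaching the Internet. The same allowlist is what the store firewall should enforce; the detection exists to catch the case where enforcement is missing or misconfigured, which is exactly the "no firewalls" situation the article describes.
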
  14. Yes. They Are :) by asphaltjesus · · Score: 3, Informative

    Linux?
    Let's assume the kiosk distro has hotplugging enabled. Flash drive mounts, but the files.... Are not executable! So, the hostile doesn't have the opportunity to change permissions much less execute something on a flash drive.

    OSX?
    Flashdrive mounts. Hmmm can't install anything without su/sudo.

    Windows?
    Hmm... Sure, there is an enormously complicated policy system, but none of it sets noexec on everything on a flash drive... http://support.microsoft.com/default.aspx?scid=kb;en-us;555324&sd=rss&spid=3198 And then there's the very permeable "user mode" security that isn't what it claims to be.

    --
    Got Trader Joe's? friendwich.com RSS feeds work now!
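
asphaltjesus's Linux case above holds only if the automounter really does mount removable media with `noexec` (and, just as importantly, `nosuid` and `nodev`). Here is an added example, not part of this thread, that audits a kiosk for exactly that: it reads `/proc/mounts` (device, mount point, filesystem type, options, dump, pass), flags any removable-media mount missing one of the three options, and prints the remount command that closes the gap on a live system. The `/proc/mounts` text embedded below is constructed sample data, and the mount-point prefixes are an assumption about which automounter is in use.

```python
"""Audit removable-media mounts for noexec/nosuid/nodev (added example, not from the thread).

Reads /proc/mounts-format text and flags removable mounts that lack the
hardening options a locked-down kiosk depends on. Sample data is constructed.
"""
from dataclasses import dataclass

REQUIRED_OPTIONS = ("noexec", "nosuid", "nodev")
# Mount-point prefixes used by common automounters plus /mnt (assumption).
REMOVABLE_PREFIXES = ("/media/", "/run/media/", "/mnt/")

# Constructed /proc/mounts: the fourth line lacks noexec, the fifth lacks all three.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,mode=755 0 0
/dev/sdb1 /media/kiosk/USB\\040DISK vfat rw,nosuid,nodev,relatime,uid=1000,gid=1000 0 0
/dev/sdc1 /run/media/kiosk/EVIL vfat rw,relatime,uid=1000,gid=1000 0 0
/dev/sdd1 /mnt/backup ext4 rw,nosuid,nodev,noexec,relatime 0 0
"""


@dataclass
class Finding:
    device: str
    mountpoint: str
    fstype: str
    missing: tuple


def _unescape(field: str) -> str:
    """/proc/mounts encodes space, tab, newline and backslash as octal escapes."""
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field


def parse_proc_mounts(text: str):
    """Yields (device, mountpoint, fstype, set_of_options) for each mount line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, opts = parts[:4]
        yield device, _unescape(mountpoint), fstype, set(opts.split(","))


def audit_removable_mounts(text: str) -> list:
    """Returns a Finding for every removable mount missing a hardening option."""
    findings = []
    for device, mountpoint, fstype, opts in parse_proc_mounts(text):
        if not mountpoint.startswith(REMOVABLE_PREFIXES):
            continue
        missing = tuple(o for o in REQUIRED_OPTIONS if o not in opts)
        if missing:
            findings.append(Finding(device, mountpoint, fstype, missing))
    return findings


def remount_command(f: Finding) -> str:
    """Remediation for a live mount; the permanent fix belongs in the automounter's config."""
    return f"mount -o remount,{','.join(REQUIRED_OPTIONS)} '{f.mountpoint}'"


if __name__ == "__main__":
    # On a real host: audit_removable_mounts(open("/proc/mounts").read())
    for f in audit_removable_mounts(SAMPLE_PROC_MOUNTS):
        print(f"{f.device} on {f.mountpoint} ({f.fstype}) missing {','.join(f.missing)}")
        print("  fix:", remount_command(f))
```

Note that `noexec` is only part of the story: it stops a file on the stick from being run directly, but not from being copied to a writable, executable location, which is why the kiosk user's home and `/tmp` deserve the same treatment, and why the parent post's point about locking the cabinet still stands.
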
    1. Re:Yes. They Are :) by FoamingToad · · Score: 2, Interesting

      At my previous job at a telco, we'd just upgraded from NT4 to XP.

      Now please note that (1) this is anecdotal, (2) I wasn't affected by this user profile myself so had very little time to experiment and (3) I changed jobs shortly afterwards.

      But for the generic helpdesk accounts, the IT guys had seriously done their homework. A user had no access to the file system at all. You couldn't get to it via browser, and the start menu contained only the basic applications (notably, terminal emulators connected to Unix big iron) that were used by the helpdesk.

      I experimented with a number of methods to try and gain access to the system, but wasn't able to find anything that would permit access. Nada.

      Take from this what you will, but it's possible to secure a Windows system pretty damn well if you're prepared to take the time and effort. And that is where I believe this organisation has been lacking.

      If they had been using an alternative o/s, what evidence is there that the relevant management would have made an effort to secure it? None that I can see.

  15. Oh my, there really is a "TJX Effect" by fishbowl · · Score: 2, Informative

    I called this the "TJ Maxx Effect". Yes, I shop there; it's near my house and I can usually do better on housewares and necessary items than I could do even in thrift stores.

    So anyway, the "Effect" is this: If you are shopping, and you take an interest in some category of items, say, curtain rods, and another shopper sees you checking out curtain rods, all of a sudden *they* are interested in curtain rods. Same thing happens if you look in the towel aisle. Someone who wasn't looking at towels suddenly needs to crowd into your space to look at towels as well. I've observed this phenomenon numerous times and particularly at TJ Maxx, and I believe the psychology of it is "they" don't want "you" to get a deal that they missed out on.

    To be fair, sometimes there really are awesome deals to be had, because the people setting the prices don't tend to be particularly savvy as to desirability of certain kinds of items. For instance, I got a JA Henckel knife set -- a really high quality made in Spain set -- that was priced the same as another made in China set. These are completely different products, massively differently priced in retail stores, and the TJ Maxx manager didn't know. (I'm not above capitalizing on the misfortune of others.)

    Anyway, as for the article, I got as far as realizing that physical access means you have the keys to the store, so to speak. At my local store, the clerks watch the application machine, as well as everything else in the shop, like a hawk. I get the impression that shoplifting is more common in discount stores than in regular retail stores; maybe I can study this and name THAT effect as well.

    --
    -fb Everything not expressly forbidden is now mandatory.
  16. Re:Why is identity theft so damaging? by Alioth · · Score: 2, Informative

    Actually, the merchant usually DOES take the loss (although it's seldom the merchant who leaks the information who gets it in the shorts).

    Basically, if you manage to fraudulently obtain a credit card, run up a huge bill, well - the person whose credit card you stole tends to get their money back. The credit card company also gets its money back, because it simply passes the chargeback to the merchant where the stolen credit card was used.

    So there is little incentive for credit card companies to do anything about the problem, since it costs them little. The merchant, on the other hand, who had absolutely no reason to believe the credit card that was presented to him was fraudulent, ends up eating the cost.