TJX Security Breach Described
Posted by
kdawson
on Thu Aug 16, 2007 05:22 PM
from the details-emerging dept.
Bunderfeld notes more details coming out about how bad guys got into the TJX network. Last time we discussed this, the best information indicated that a WEP crack had started the ball rolling. Now we learn that instead, or in addition: "Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. 'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,' says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding 'suspicious software' on its computer systems."
Related Stories
Hardware: TJX Breach Began With WEP Crack 164 comments
An anonymous reader sends us to the Wall Street Journal for a detailed report on what is known to date about the TJX data breach. It seems that the loss of over 45 million credit card numbers and more than 450,000 SSNs, driver's license numbers, and military identifications began with someone using a "telescope-shaped" antenna at a wireless link at a Marshall's near St. Paul, Minnesota in July 2005. The link was encrypted using WEP, which had been known to be broken since 2001. The crackers who got into the TJX central databases are believed to be Romanians or Russians with ties to the Russian mobs. The eventual cost of the TJX fiasco could exceed $1 billion, not including the numerous lawsuits filed against the retailer.
TJX Fires Employee For Disclosing Vulnerability 217 comments
I Don't Believe in Imaginary Property writes "A TJX employee was fired for an online post mentioning that TJX hasn't beefed up security after the recent, massive data breach that saw 94 million credit card numbers copied by criminals and money from their accounts stolen. The employee mentioned that, at first, their usernames were the same as their passwords. After they required stronger passwords, some managers complained, so they 'compromised' by allowing blank passwords. The whistleblower said he discussed his concerns with management, but that it was like talking to a brick wall. In spite of the weak internal security, TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords."
Your Rights Online: 11 Charged In TJX, Other Breaches 77 comments
coondoggie writes "The Justice Department has charged 11 people in connection with the massive theft of credit card numbers from various retailers, including TJX, BJs and OfficeMax. Authorities say the group charged was involved in the theft of more than 40 million credit and debit card numbers. In an indictment returned today by a federal grand jury in Boston, Albert 'Segvec' Gonzalez, of Miami, was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft, and conspiracy for his role in the scheme. Others indicted are from the US, Estonia, China, and Belarus." We've been following the TJX breach since the beginning.
Three Indicted In Huge Identity/Data Breach 101 comments
ScentCone and other readers let us know about an indictment just unsealed in federal court for stealing 130 million credit cards and other data useful in identity theft, or just plain money theft. The breaches were at payment processor Heartland (accounting for the bulk of the 130M), Hannaford, 7-11, and two unnamed "national retailers." Interestingly, the focus of the indictment, Albert "Segvec" Gonzalez, is currently awaiting trial for masterminding the TJX break-in, which until Heartland counted as the largest credit-card theft ever. The indictment cites SQL injection attacks as the entry vector. Two unnamed Russia-based conspirators were also indicted. Securosis has analysis of the security implications of the breach ("These appear to be preventable attacks using common security controls. It's possible some advanced techniques were used, but I doubt it") and the attackers' methodology.
Tchoh (Score:3, Insightful)
-- incubus
Re: (Score:3, Interesting)
1. They might do that. Only the problem may not have been in IT per-se. I can easily imagine someone from another department purchasing the kiosks then throwing the request to connect the kiosk to the store's network over the so-called wall to IT. That's just one plausible scenario.
2. Don't be surprised when the kiosk manufacturer comes back and says, "Hey, I don't provide secured operating systems running on the computer inside th
Re: (Score:3, Interesting)
Sounds simply like an insecure kiosk. A lot of them are Windows based, but you only need to set up one to be able to secure them all, so the OS excuse doesn't really hold water, especially with products like VMWare out there providing solid solutions for this very problem.
I would also say number 1 is a likely scenario. Marketing made the decision to purchase the kiosks and misrepresented what the kiosk manufacturer was providing so IT let it slide because they're busy working. Course you can also argue that I
Re: (Score:2)
Yes. They Are :) (Score:4, Informative)
Let's assume the kiosk distro has hotplugging enabled. Flash drive mounts, But the files.... Are not executable! So, the hostile doesn't have the opportunity to change permissions much less execute something on a flash drive.
OSX?
Flashdrive mounts. Hmmm can't install anything without su/sudo.
Windows?
Hmm... Sure, there is an enormously complicated policy system. But none of which sets noexec on everything on a flash drive... http://support.microsoft.com/default.aspx?scid=kb
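The comment above argues that a kiosk should mount removable media so nothing on it can be executed. Here is an added example (mine, not from the thread or from any kiosk vendor) that audits a Linux mount table for removable devices mounted without noexec, and without the nosuid and nodev options that belong with it, and prints the fstab line that would pin the hardened options. The mount lines and the set of removable devices are constructed for the example; on a real host you would pass the contents of /proc/mounts and the devices udev reports as removable. One caveat worth keeping in mind: noexec stops direct execution of files on the drive, but a script can still be fed to an interpreter that already lives on the kiosk, so this is one layer, not the whole answer.

```python
"""Audit a Linux mount table for removable media that lack the hardening
mount options (noexec, nosuid, nodev). Added example with constructed data."""

REQUIRED_OPTS = {"noexec", "nosuid", "nodev"}

# Constructed /proc/mounts-style lines:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,relatime,uid=1000 0 0
/dev/sdc1 /media/usb1 vfat rw,nosuid,nodev,noexec,relatime,uid=1000 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""

# Constructed: the devices the kiosk's udev layer reports as removable.
REMOVABLE_DEVICES = {"/dev/sdb1", "/dev/sdc1"}


def parse_mounts(text):
    """Yield (device, mountpoint, fstype, set_of_options) for each mount line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than guess
        device, mountpoint, fstype, opts = fields[:4]
        yield device, mountpoint, fstype, set(opts.split(","))


def find_unhardened_removable(text, removable):
    """Return {mountpoint: sorted list of missing options} for every removable
    device that is mounted without one or more of REQUIRED_OPTS."""
    findings = {}
    for device, mountpoint, _fstype, opts in parse_mounts(text):
        if device not in removable:
            continue
        missing = REQUIRED_OPTS - opts
        if missing:
            findings[mountpoint] = sorted(missing)
    return findings


def fstab_line_for(device, mountpoint, fstype="vfat"):
    """Build the /etc/fstab entry that pins the hardened options for a
    removable mount; this is the remediation for each finding."""
    opts = ",".join(["rw", "relatime"] + sorted(REQUIRED_OPTS))
    return f"{device} {mountpoint} {fstype} {opts} 0 0"


if __name__ == "__main__":
    # Stand-alone run over the constructed table; on a real host use
    # open("/proc/mounts").read() and the real removable-device set.
    for mp, missing in find_unhardened_removable(SAMPLE_MOUNTS, REMOVABLE_DEVICES).items():
        print(f"{mp}: missing {','.join(missing)}")
```

The finding for the constructed table is /media/usb0, which was mounted with nosuid and nodev but not noexec; /media/usb1 passes. Pinning the options in fstab (or in the automounter's policy) rather than relying on whatever defaults the hotplug layer applies is the point of the last function.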
Re: (Score:2, Interesting)
It's time for... (Score:2, Funny)
That's an interesting feature (Score:5, Funny)
They won't be the only people (Score:2)
This is a really crappy situation; it shouldn't have happened and frankly the entry points described here are a result of negligence, plain and simple! But it's hard; it's hard to manage a large organisation and to enforce correct and watertight procedures; security is a hard concept, one o
Re: (Score:2)
</doom_and_gloom>
The point at the end of the article cannot be overstated; no one can steal from you what you do not have. In desktop terms: don't be afraid of the Delete button!
Re:They won't be the only people (Score:5, Informative)
I don't know if you remember but a few years ago, there was a massive security hole in MS IE and Microsoft didn't/couldn't fix it for about 6 months. The Dept of Homeland Security even put out a recommendation to not use MS Internet Explorer because of this unpatched flaw. AMEX did nothing about it and continued as normal.
Move about a year later and all of a sudden, CNN is on the air with no computer systems and spends the hours on the air discussing how their Windows computers are rebooting on their own. City governments across the country have the same problem and so does AMEX. The cause, a Windows spyware kit, having been installed on all these computers and many more, was crashing on some subset of the computers it was installed on and causing those to reboot. The spyware was already on a bunch of computers and only because there was a flaw which caused it to crash SOME of the computers was it found out about.
There is no security in corporate America or the various governments. Sure, there are some areas where smart people are doing what's right but it looks like 90% of the rest are feak'n MCSE's with one finger up their ass and the other on the mouse. click, click, click.
These businesses should be made to pay $10,000 every time they lose customer data and for every customer. That doesn't even begin to pay for the hardships of dealing with identity theft, not even close but it would add up to millions quickly and it just might make them think about who's running the company IT department and what they are running.
LoB
Re: (Score:2)
Re: (Score:2)
Security costs manpower. Security is not a tool that you buy and install with the default features set. Security is not something you set in stone today until the end of times. But that's something you can hardly explain to a manager. Because he doesn't see the immediate benefit of security. In fact, if the security is really good and no breaches are allowed ever, he might never see the benefit because, well, nothing happens.
You only get to see that yo
Re: (Score:2)
Or know it but can't say anything about it.
First, there's your department within the company. Who wants to be the first person to step up and report to the BOD that 'we' have screwed up and possibly cost the company millions? Next, once corporate knows it, they are not highly motivated to
Re: (Score:2)
I'm pretty sure you're right. It's a high value target to hit and a hard target to secure. First, you have stores that move things around frequently, tempting them to go wireless (ala Best Buy's fiasco). Next, you have a low margin highly competitive business where cutting cost on employees, hardware, security, etc, (especially in the stores where each dollar spent is multiplied by thousands) is good for business. Then you have
storing secrets; security through obscurity (Score:5, Insightful)
I love it how people talk about how they're using "encryption" when possessing the algorithm is enough to break it.
Idiots.
Re: (Score:2)
But that's ok. This report will only be read by people who don't have a clue about encryption, so they will read "encryption was broken" and be satisfied with it. Yes, anyone with at least half a clue in encryption technology would immediately call it bullshit. But nobody who can see the difference between a geek code and a PGP encrypted message will ever get to question this re
Re: (Score:2)
They can if it's ROT13.
Seriously, though, I'd expect that kind of comment from a mainstream news story or a press release, but the quote is attributed to the company's annual report -- not somewhere where you get to fudge without consequences.
Re: (Score:2)
Re: (Score:2)
Wrong [pcisecuritystandards.org] (see Preface summary table). Only CCV2, PIN and the full magnetic stripe are prohibited. Account number, expiration date and name are permitted, although must be protected.
Re: (Score:2)
Re: (Score:3, Informative)
Not at all. One of the key features of cryptographic algorithms is that knowing what algorithm is being used has absolutely no impact on the strength. Unless it's one of those snake oil "proprietary" crypts, which is a horse of an entirely different color. However, I can't think of any enterprise class crypto systems that use closed algorithms. Most use AES, Blowfish for block cipher, RSA and ElGamal for async and signing (maybe DSA f
Re: (Score:2)
Kerckhoffs's Principle states that a crypto system should be secure even if the attacker knows the algorithm. The strength of the algorithm rests solely on the secrecy of the key.
If they even used encryption (which is still a question) they probably used a home-grown solution with no cryptographic review of the algorithms, the process, or of simpler things such as key management. Perhaps they baked a symmetric key in their source
Re: (Score:2)
If you've never d
Wardriving == poaching? (Score:3, Insightful)
Was shaping up to be a decent tech article until this. I don't know what irks me more about this quote:
- Needing to define an old-ass term like wardriving
- defining it as poaching
- "putting" the "word" in "quotes" (I can just see the author's fingers in the air)
Firewalls, disabling usb, corporate LAN, etc are tossed around freely... why jack with wardrivers?
Re:Wardriving == poaching? (Score:4, Insightful)
Because proper tech journalism is about using buzzwords to sound techy!
If you're an incompetent, technologically ignorant journalist, then you go out and look for some terms that sound appropriate and cool, then include them in your story. Heck, as a journalist, your job is to describe and explain something to the uninformed. Since the uninformed are largely a technologically challenged audience, they'll accept your cool usage of terms, usually considered passé by the real tech crowd, as an insightful look into the sophisticated technical world.
So, if you want to be a cool tech writer, just liberally toss in a couple terms like, nano, blog, cyber, online, real-time, data mining, and Google (the last one especially used as a verb).
We're heading for an IT disaster (Score:5, Interesting)
What do we have:
1. A company with many kiosks/outlets/POS
2. A company network with the doctrine that everything "outside" needs to be kept out, while the "inside" has far too high privileges.
3. Untrained, unskilled and "do we need to pay minimum wage?" staff at the POS.
It is fairly easy to get a job at one of those POS. Hire and fire. You want it, you have it. No background check, no security check. You're simply assumed to be a vegetable because, well, if you had some kinda skill, you wouldn't work for 5 bucks an hour. You'd be a consultant for 50 an hour.
It's usually trivial to circumvent the security between the company's computer network and the POS, if there is one at all. Let me ramble about an audit for a moment.
We did an audit for some company. All went fairly well; an "outsider" would've had a very hard time getting past the walls and checks. All POS were VPN connected to the main network, secured again with various (IMO superfluous) encryption, so a mitm attack would've been fruitless too. Good security, overall.
Until we checked the POS computers and found pretty much everything you needed to get access to the servers in the main office. You had the complete set of private keys (yes, all, including accounting, administration and the CEOs), the admin passwords were the same in every POS and inside the main network. You hack a POS, you hack the company.
Facing this, the response was akin to "What do you want? The people in our POS' can barely turn the computer on, that's no threat."
Maybe not. But if I wanted to hack that company (or any company), I'd first of all try to get a vegetable job at a POS. It's usually a quite good way to gain access to more than you could ask for.
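The audit story above comes down to two findings: private keys sitting on the POS boxes, and one admin password shared by every POS and the main office. Here is an added example (mine, not the poster's or any real audit tool) that checks a POS disk image for both. The file snapshot and the credential manifest are constructed; the manifest stands in for whatever the provisioning tool records (it stores the same hash value wherever the same account was copied), and the hash strings are placeholders, not real hashes.

```python
"""Audit a POS/kiosk image for private keys left on the endpoint and for an
admin credential shared across network zones. Added example, constructed data."""
import re

# Constructed path -> contents snapshot of a POS disk image.
POS_IMAGE = {
    "/opt/pos/app/config.ini": "db_host=10.10.0.5\ndb_user=posapp\n",
    "/opt/pos/keys/ceo_backup.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "/root/.ssh/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\nb3Bl...placeholder...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "/var/log/pos.log": "2007-08-16 sale ok\n",
}

# Constructed deployment manifest: (host, zone, local admin password hash as
# the provisioning tool stores it). "hash:A1" etc. are placeholder values.
ADMIN_MANIFEST = [
    ("pos-store-017", "store", "hash:A1"),
    ("pos-store-042", "store", "hash:A1"),
    ("kiosk-store-042", "store", "hash:A1"),
    ("fileserver-hq", "hq", "hash:A1"),
    ("dc01-hq", "hq", "hash:Z9"),
]

# PEM private-key header: covers "RSA", "EC", "OPENSSH", "ENCRYPTED" and bare "PRIVATE KEY".
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def find_private_keys(image):
    """Return the sorted paths whose contents carry a PEM private-key header.
    Anything found here should not exist on a machine the public can touch."""
    return sorted(path for path, body in image.items() if PRIVATE_KEY_RE.search(body))


def shared_admin_hashes(manifest):
    """Return {hash: sorted zones} for every credential used in more than one
    zone. A hit means that owning a host in one zone yields admin in the other."""
    zones_by_hash = {}
    for _host, zone, h in manifest:
        zones_by_hash.setdefault(h, set()).add(zone)
    return {h: sorted(zones) for h, zones in zones_by_hash.items() if len(zones) > 1}


def blast_radius(manifest, compromised_host):
    """Hosts whose admin account opens with the credential taken from one
    compromised host, i.e. the 'you hack a POS, you hack the company' set."""
    taken = next(h for host, _zone, h in manifest if host == compromised_host)
    return sorted(host for host, _zone, h in manifest if h == taken and host != compromised_host)


if __name__ == "__main__":
    print("private keys on image:", find_private_keys(POS_IMAGE))
    print("hashes crossing zones:", shared_admin_hashes(ADMIN_MANIFEST))
    print("reach from pos-store-017:", blast_radius(ADMIN_MANIFEST, "pos-store-017"))
```

On the constructed data both keys are flagged, the hash "hash:A1" is seen in both the store and hq zones, and a single store POS gives the same credential on two other store machines plus the hq file server. The remediation the poster implies follows from the second function: per-host (or at least per-zone) admin credentials, so that the manifest check returns an empty dict.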
Oh, wait, this one's even better (Score:5, Interesting)
It's trivial to dig that user/pass combination out of the code. It's also trivial to get access to the code, all you have to do is to steal one of the notebooks. Or, to make it simple, just download it from the internal homepage (so everyone working in this company at the very least has access to the tool and thus to the user/pass combination). With it, you have all the necessary information to feed the database incorrect data, change prices, change orders and repair jobs, change car and tool assignments and of course, if you're so inclined, simply corrupt the database or drop it altogether.
This is an international company, the stock of which is traded at the NY stock exchange. Thus, it complies (with this security hole large enough to shove planets through) with the requirements of the Sarbanes-Oxley Act.
Re: (Score:2)
I'm just thinking that there's so *many* exploits out there, that simply being exploitable isn't enough, it has to actually be exploited regularly and/or significantly enough to matter.
more than network security (Score:2, Insightful)
'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals'
No one noticed the guys opening the backs of these terminals in the middle of the store? Sounds like their store security is worse than the network security. I would hate to see how much they write off each year to theft.
social engineering maybe? (Score:3, Interesting)
We had an expression where I worked (Score:2)
I'm SURE the customers will be taken care of (Score:5, Insightful)
I normally hate calling for more laws but there should be more severe penalties for this kind of error. Otherwise... it will keep happening.
Web based apps and thin clients (Score:2)
Most thin clients out of the box boot with a low-privilege account. You can even set up some to "reimage" their flash memory on each boot (or boot disklessly from a central image server). Think someone compromised a system? Lockdown passwords on your master image and reboot all the terminals. No changes should be able to be made to the
Why is identity theft so damaging? (Score:2)
Instant credit at stores, Drive the car off the lot today, get a cell phone in 10 minutes...
Maybe, instead of the consumer's credit rating being damaged when a business gives credit without solid proof of identity, the company needs to eat the loss.
I wonder if anyone's tried suing a company for Slander/Libel over a false credit report entry...
Re: (Score:3, Informative)
Basically, if you manage to fraudulently obtain a credit card, run up a huge bill, well - the person whose credit card you stole tends to get their money back. The credit card company also gets its money back, because it simply passes the chargeback to the merchant where the stolen credit card was used.
So there is little incentive for credit card companies to do anything
Oh my, there really is a "TJX Effect" (Score:2, Informative)
So anyway, the "Effect" is this: If you are shopping, and you take an interest in some category of items, say, curtain rods, and another shopper sees you checking out curtain rods, all of a sudden *they* are interested in curtain rods. Same thing happens if you look in the towel aisle. Someone who wasn't looking at towels suddenly n
Re: (Score:2)
Re: (Score:2)
still no excuse for the kiosk being able to access data from the rest of the network!
Re: (Score:2)
The point of a kiosk is for the public to put their hands on the hardware. No, the problem here was incompetence on both the company and kiosk manufacturer.
The company should have made sure that these kiosks were segmented off the general network and even if they could crack their way onto the general network, these machines should have no permission to do anything. Also, a standard keyboard should never be hooked up to a kiosk. It sh
Re: (Score:2)
Re: (Score:2)
Take a look at internet banking. And let's ignore the ever popular trojan based attacks for now. There is NOTHING a user can do to manipulate a bank account beyond his own (and this only to his own damage, never to the bank's). And here the hardware used to interface with the bank is fully under the user's control. Ok, more or less, but it can be if the user wants
Re: (Score:3, Insightful)
The kiosk manufacturer should have made sure that these machines were secure. I've worked for a kiosk manufacturer and there are things that can be done to make sure the system is secure. For starters, lock down whatever user account the primary application runs on. So even if they can get out of that app, they can't do anything beyond clicking start and shut down. Also, there are software applications that lock down the system for you. The one we used completely locked the desktop out. It was a pain to support, but it was secure.
I'd classify that as +5 "waste of effort". You're presuming that securing the kiosk is a reliable way to secure the network. It ain't.
Consider this scenario: An insider (the 2nd shift manager, a night security guard, whatever) lets a few friends in after-hours. These friends can, with a few hours effort, bypass *any* security you have established on that kiosk. The only way to prevent this is to armor the stupid thing like an ATM (and with enough time and effort, even *that* won't stop them).
Re: (Score:2)
Re: (Score:2)
But even if it is staff-only, you cannot trust those machines. Those machines are to be seen as "foreign", not "own", in any security concept, and thus are by definition not to be trusted. Such machines may interface with the internal network only through defined and monitored channels and should most definitely not have access to internal data beyond their needs.
The p
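The comment above says kiosks should reach the internal network only through defined and monitored channels. Here is an added example (mine, not from the thread) of what "defined channels" means as a segmentation policy: a first-match rule evaluator for a kiosk VLAN that may talk to the job-application web front end on 443 and nothing else internal, plus a probe set that verifies the policy and catches the classic ordering mistake where a broad allow sits above the internal deny. The networks, the HR server address, the ports and the probe flows are all constructed and stand for no real deployment.

```python
"""First-match evaluation of a kiosk-VLAN segmentation policy, with probe
flows that verify it. Added example; all addresses and rules are constructed."""
import ipaddress

KIOSK_NET = ipaddress.ip_network("10.50.0.0/24")        # constructed kiosk VLAN
HR_APP = ipaddress.ip_network("10.1.2.10/32")            # constructed job-application server
INTERNAL = ipaddress.ip_network("10.0.0.0/8")            # everything else internal
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

# Ordered rules: (action, src_net, dst_net, proto or "any", dst_port or None).
# The only defined channel is HTTPS to the HR front end; all other internal
# traffic is denied before a general outbound allow.
KIOSK_POLICY = [
    ("allow", KIOSK_NET, HR_APP, "tcp", 443),
    ("deny", KIOSK_NET, INTERNAL, "any", None),
    ("allow", KIOSK_NET, ANYWHERE, "any", None),
]

# Same rules with the broad allow placed above the internal deny: a common
# misconfiguration that silently re-opens the internal network.
MISORDERED_POLICY = [KIOSK_POLICY[0], KIOSK_POLICY[2], KIOSK_POLICY[1]]

# Constructed probe flows: (label, src, dst, proto, dport, expected action).
PROBES = [
    ("hr app over https", "10.50.0.7", "10.1.2.10", "tcp", 443, "allow"),
    ("hr app over plain http", "10.50.0.7", "10.1.2.10", "tcp", 80, "deny"),
    ("smb to internal file server", "10.50.0.7", "10.1.5.20", "tcp", 445, "deny"),
    ("sql to internal db", "10.50.0.7", "10.10.0.5", "tcp", 1433, "deny"),
    ("https to the internet", "10.50.0.7", "93.184.216.34", "tcp", 443, "allow"),
]


def evaluate(policy, src, dst, proto, dport):
    """Return (action, rule_index) from the first matching rule, or
    ("deny", -1) when nothing matches: the implicit default is deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (action, s_net, d_net, p, port) in enumerate(policy):
        if src_ip not in s_net or dst_ip not in d_net:
            continue
        if p != "any" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        return action, index
    return "deny", -1


def verify_isolation(policy, probes):
    """Run each labelled probe against the policy and return the labels whose
    observed action differs from the expected one. Empty list means the
    policy holds for the probe set."""
    failures = []
    for label, src, dst, proto, dport, expected in probes:
        action, _ = evaluate(policy, src, dst, proto, dport)
        if action != expected:
            failures.append(label)
    return failures


if __name__ == "__main__":
    print("correct policy failures:", verify_isolation(KIOSK_POLICY, PROBES))
    print("misordered policy failures:", verify_isolation(MISORDERED_POLICY, PROBES))
```

The correct policy passes every probe; the misordered one lets the SMB, SQL and plain-HTTP probes through, which is exactly the kind of hole a probe set run on every rule change is meant to catch. The "monitored" half of the comment's requirement is the deny rule: on a real firewall that rule should log, because a kiosk trying to reach an internal file server is itself the alert.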
Re: (Score:2)
Re:owned (Score:5, Funny)
Geez, if you're going to troll, you should at least go for teh funneh when it's right in front of you. Razz with "T. J. HAXXXXX", or something. Don't be so lame at being lame.
Helping AC's troll properly, check. Now to find an old lady and help her turn on her left blinker.
Re: (Score:2)
2. If you were paying attention, every article for the past 6 months has been referring to it as TJX (it is the corporate name after all). The first articles about it included something about it being TJ Maxx/Marshalls/etc.
Re: (Score:2)
Re: (Score:2)