TJX's failure to secure Wi-Fi could cost $1B

TJX's failure to secure Wi-Fi could cost $1B

Summary: The news of the TJ Maxx data breach has rocked the retail and banking industry, and many estimate that it will cost hundreds of millions or even a billion-plus dollars in financial damage. It was already widely reported back in March that the TJ Maxx breach was probably due to an insecure wireless network, but the Wall Street Journal is now reporting that it happened outside of a St.

SHARE:

The news of the TJ Maxx data breach has rocked the retail and banking industry, and many estimate that it will cost hundreds of millions or even a billion-plus dollars in financial damage. It was already widely reported back in March that the TJ Maxx breach was probably due to an insecure wireless network, but the Wall Street Journal is now reporting that it happened outside of a St. Paul, MN, Marshalls discount store in July 2005 (Marshalls is owned by TJX Cos.)  WSJ is reporting that investigators believe that the hacker used a laptop and a telescope-shaped antenna.

Joseph Pereira of the WSJ writes:
The $17.4-billion retailer's wireless network had less security than many people have on their home networks, and for 18 months the company -- which also owns T.J. Maxx, Home Goods and A.J. Wright -- had no idea what was going on. The hackers, who have not been found, downloaded at least 45.7 million credit- and debit-card numbers from about a year's worth of records, the company says. A person familiar with the firm's internal investigation says they may have grabbed as many as 200 million card numbers all told from four years' records.

[Update 4:45AM - While Pereira cited research firm Forrester's estimate, Boston.com quotes a $1.35 billion dollar estimate from Forrester.  Others like Dark Reading are reporting that the fine could be as high as $4.5B.

IPLocks, a compliance and database security company, is basing the estimate on the accumulated costs of fines, legal fees, notification expenses and brand impairment, according to Adrian Lane, the company's chief technology officer. He added that $100 per lost record is an average figure for major data breaches, but they calculated expenses particular to TJX and came out with the same figure.

The Ponemon Institute, a think tank focused on record privacy and data protection, expects the TJX breach costs to be even higher. They cite costs in the range of $182.00 per record, based on research from November 2006 of the cost of breaches incurred in 31 separate incidents. For TJX, this translates to $8.6 billion.]

WEP was originally demonstrated to be broken back in 2001 and it was broken even worse by a factor of 20 in early 2005 and then broken again by another factor of 20 last month by German researchers. WEP 104-bit encryption can now be cracked in under a minute on an 802.11g network using active ARP-replay packet-injection techniques. Since the TJX breach started around mid 2005, the attackers could have easily cracked the network within half an hour using second-generation of WEP cracking tools.

What's most alarming about this is that most of the major retailers during that time were running WEP and many are STILL running some form of WEP. There's no reason to believe the same attackers didn't try this sort of attack on many other retailers and are still actively attacking networks today. Many businesses and organizations, including hospitals, are STILL running WEP or some other useless form of security.  Some are running a slightly better enterprise version of WEP, which uses per-session per-user dynamic keys that supposedly rotate every hour, but even that's worthless since the third-generation of WEP cracking tools can break WEP in under a minute.

When I worked as a security consultant for major retailers and organizations during 2004 to 2005, I knew this was a time bomb waiting to go off because the vast majority of businesses and retailers were running bad wireless LAN security with blatantly weak security. Many businesses refused to fix their security and refuse to this day, through a combination of ignorance and denial. Some businesses and retailers listened and upgraded their security to WPA; others flat-out refused. I actually had one client go the extra mile to buy all-new WPA-capable equipment, only to be told in the end that they would only implement WEP because that was the "standard" their corporate head quarters used.

Getting people to upgrade their security and educate them was hard enough as it was, but the fact that many security professionals and security training courses are still recommending the worst kinds of wireless LAN security exacerbated the situation. I've done my best to spread the word about wireless LAN security, and even published a 10-article Guide to enterprise wireless LAN security, which is basically a free eBook. It is essential that businesses and organizations implement the kind of security I describe in my enterprise guide.

For homes and small home offices, wireless LAN security can be summed up in a single paragraph. All you need to do is use WPA-PSK security with a RANDOM alphanumeric pass-phrase that has a MINIMUM of 10 characters. I estimated that a truly random alphanumeric 10-character WPA-PSK pass-phrase using modern single-core computers will take one thousand PCs working in parallel 500 years to crack. If your hardware doesn't support WPA mode, you can almost always get a free software/firmware upgrade to support it. If the hardware can't be upgraded, businesses can't afford a breach in their data security and they must buy WPA-compliant gear regardless of the cost. Cost shouldn't ever be used as an excuse to have poor security and it won't help you in court when you're getting sued. WPA-compliant access points and wireless cards can be acquired for less than $50 per device.

<Next page - How TJX diverted attention and got help of media>

 

How TJX diverted attention and got help from media

The news media should NOT be buying TJX's diversionary tactics, much less question the need for data encryption.

TJX, during its 10-K filing, took the opportunity to point the finger elsewhere at the card payment industry standards rather than admit any mistakes and later promised to fight any lawsuits. Some in the press totally got it wrong and blamed the problem on encryption. EWeek's Lisa Vaas actually went as far as questioning the need for White House mandated encryption of laptops and quoted some statements from McAfee CSO Dr. Carmichael that exhibited a disturbing level of ignorance in basic cryptography (not sure if it was quoted properly).

Note:  I'm picking on the Vaas story only because it was widely cited by a number of blogs and articles on the Internet that tried to point out how futile encryption was. This is absolutely the wrong message to be sending the public about encryption!

We have a situation where TJX:

  • Failed to implement basic encryption and access control security
  • Got its user credentials and internal systems hijacked
  • Leaked ATM/credit card information that caused a billion dollars of damage
  • Then blamed others for its own failings

The news media should NOT be buying TJX's diversionary tactics, much less question the need for data encryption.  They should instead be calling bull on TJX and focus their attention on where TJX failed.

I contacted both Vaas and McAfee about the "Why Encryption Didn't Save TJX" article and they said Vaas promised to fix the article. I requested a chat with Dr. Carmichael to get him to clarify the quotations, but McAfee PR started talking about new podcasts they were doing and never addressed my request. I gave them plenty of chances to clarify and correct themselves, but nothing has happened in a month, and neither party followed up with me even though they e-mailed me that they would. Since neither Vaas or McAfee's CSO intend to correct themselves, I'm going to post some excerpts from two e-mails I sent them and correct it for them.

Why Encryption Didn't Save TJX:
"There are several reasons why encryption didn't save TJX and won't save many companies, regardless of how much legislators have mandated or want to mandate its use. (One example of which is the June 2006 White House mandate requiring federal agencies to encrypt the hard drives of all their laptops and mobile devices.)"

Lisa, saying encryption couldn't save the day is a straw man argument. No one ever claimed encryption was a panacea. Encryption is only there to protect data at rest (on the hard drive, in case it's ever physically stolen) or it's there to protect data in motion over an untrusted link (internal networks count as untrusted, especially when there is bad wireless LAN security in place). Encryption is a very small (yet critical) component in security, but it isn't a cure all by itself. That doesn't mean you discount the use of encryption or the need for it.

  1. TJX ran a wireless LAN with the kind of weak security measures you seem to think were okay. It ran insufficient authentication and encryption on its wireless LAN.
  2. TJX failed in basic access control by allowing hackers to access its network via wireless.
  3. TJX failed in basic host hardening by allowing hackers to own its POS and transaction stations. Don't blame encryption. If anything, TJX didn't implement enough encryption and authentication on its wireless LAN, in addition to all the aspects of security it botched. 

Laptop and mobile device encryption with strong key management capability is very important because nothing else is going to save you when that laptop gets physically stolen. That doesn't mean you're immune to online attacks or that you don't need infrastructure -- and host-level hardening. That also doesn't mean you get to discount the need for encryption. They aren't mutually exclusive.

Why Encryption Didn't Save TJX:
"This type of public/private key cryptography is used because key distribution is a major problem, Carmichael said. Shared keys have to be stored somewhere. They can be unsecure, no matter where they're kept." 

First of all, you do realize that symmetric key encryption is ALWAYS used, even when asymmetric encryption is used, right? The asymmetric encryption is generally used only to encrypt a session key used for data transmission or for data encryption on a hard drive (this is key exchange, not data encryption). We don't generally implement either/or solutions; we generally implement hybrid symmetric/asymmetric systems, where asymmetric is used for key exchange and symmetric is used for bulk encryption. Asymmetric encryption is a wonderful and essential technology, but it's a fallacy to suggest that public/private keys don't need to be stored.

"Those who use public/private key cryptography have the private key stored in a 'very special place,' Carmichael said—a certificate server that's hardened and secured." 

I've built a lot of VPN and server systems that use crypto, and I've built a lot of PKI systems. I have yet to see a "certificate server" that stores private keys. When you say "certificate server," you may have been referring to a CA (Certificate Authority) like the ones that VeriSign operates, but those Certificate Authorities aren't there to store people's private keys; they're there to cryptographically bind your public key to your name with a digital signature.

Private keys in the vast majority of hybrid symmetric/asymmetric implementations are stored on the servers themselves on the hard drive.Those who are more security conscious or need higher grade FIPS certification store their private keys inside a cryptographic module that never divulges the private key outside of the module itself. But even in these cases where cryptographic modules are used, those modules are either still inside the server itself in the form of a PCI-X card or a directly attached SCSI device. At no time is a "certificate server" used to store private keys. They might have key escrow servers (which do store private keys) for emergency key or data recovery but that's outside of the routine day-to-day cryptographic operations.

Whether Vaas got the quotes wrong or whether McAfee's CSO got it wrong doesn't really matter to me, since neither side has clarified or corrected themselves. The story and information posted is just plain nonsense. It's disturbing to see such fundamentally bad information published, widely cited as proof that encryption mandates are worthless, and left uncorrected. This story and those who cited her since then are essentially playing in to TJX's hands by allowing them to divert attention from the real culprit.

Topics: Servers, Networking, Security, Wi-Fi

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

80 comments
Log in or register to join the discussion
  • $1 billion?

    You cite "many" estimates that this will cost hundreds of millions or even a
    billion dollars worth of losses. Could you provide an actual citation?

    Security is important, but it fails when sold through hyperbole, too.
    Mitch Ratcliffe
    • I'm not reporting that, others are

      I'm not reporting that, others are. It's going to directly cost many banks hundreds of millions of dollars in stolen goods and card replacement costs. That's already a GIVEN. The billion dollar estimate isn't a joke, that's what many are estimating. Does it really make a difference to you if I can PROVE to you it's $1B or if it's ONLY a few hundred million dollars of confirmed damage?

      I mean people like you would be all over the government if they simply accessed nameless phone logs and scream privacy but if criminals access ALL of your personal information like your credit card info, your mother?s maiden name, and your SSN, I need to prove to you whether the damage is merely a few hundred million or actually $1B? Is this your American Criminal Liberties Union mentality kicking in? I don?t follow your thinking here.
      georgeou
      • People like me?

        Relax George, I asked you to cite a source. It would make the otherwise
        reasonable concern you raise much more powerful.

        I'd like to know who these "many" are, since they are the noticably
        unsourced fact you cite. It isn't a given if you can't provide at least one
        source out of these "many." Or maybe you think by capitalizing "given" you
        can ignore the question.

        I'll just ignore the ad hominem, which speaks for itself, because your
        argument would hold up with a cost of $50 million. However, losses are
        invariably overestimated in the security industry and it would be good if
        you didn't engage in exaggeration that is similar to the "distractions" you
        suggest are conspiratorial. Your approach opens the door to people?not
        me?to say "it's not as bad as all that." Being precise about the estimated
        losses would help eliminate the excuses people rely on to justify lax
        security.
        Mitch Ratcliffe
        • You can start with the WSJ article I linked to

          You can start with the WSJ article I linked to. The details of that $1B estimate includes law-suits, remediation, consulting, etc. When this is all said and done with the class-action lawsuits, I can assure you TJX will feel the pain and deservedly so. What do you do with a corporation that exposes ALL of our personal information? You punish them financially of course.
          georgeou
      • So, no responsibility?

        So your line of thinking is this: you can wrie everything you want, and as long as you make sure "it's someone else who wrote it [originally]" people should just shut up, because "it's not you". I don't buy that. It's weak.

        1. You chose to reproduce the words of others.
        2. For your purpose.
        3. So you are also responsible to react to others.

        Don't hide and blame others.
        nizuse
      • Gratuitous hate won't improve your clarity

        [i]Is this your American Criminal Liberties Union mentality[/i]

        Do yourself a favor. Stop drinking the caffeinated beverage now. Make a note how much you have had so far. tomorrow, stop earlier.
        fuzzy2k
        • Chill out, that's an inside joke

          Chill out fuzzy, that's an inside joke to Mitch.
          georgeou
          • Sorry

            I guess I thought it looked like, well, what it looked like.

            Maybe I am too sensitive, as you seem to imply. Maybe you need to be more clear in your writing.

            Maybe I should go play in another sandbox...
            fuzzy2k
          • No problem, I should have sent that in email

            No problem, I should have sent that in email instead.
            georgeou
    • He said "could", not "will".....

      I don't like many of George's articles, but in this case, he is using estimates found in his research, and clearly states that.

      Just because something may be, doesn't necessary mean that it will be.
      linux for me
  • Shocking

    In my own survey of neighborhoods, my N800 when intentionally left searching for a wireless AP has returned more often than not routers with no encryption!

    It doesnt make sense to me that any device should allow a factory default setting of no encryption. But that is the current state of affairs.

    Perhaps legislation directed at this can mandate needed manufacturing changes to conform with your WPA minimum guideline.
    D T Schmitz
    • I don't know, maybe it is necessary

      I'm flattered you'd call it my minimum guideline, but I must admit that I didn't invent it. All I did was compile some common sense crypto 101 with my experience in the industry. The industry already has a pretty decent set of guidelines with WPA Enterprise edition and 802.11i though even that can be implemented incorrectly. For example if you implement WPA Enterprise mode with Cisco?s proprietary EAP-FAST protocol using the default anonymous server cert mode (which most Cisco shops do), then you?re going to be really insecure.

      There is already too much legislation in place which focuses more on "compliance" but not on actual security. "Compliance" simply means you're following your own security policy which could mean anything you can rationalize and "risk accept". None of the compliance legislation offers any actual security guidelines and that's usually not a good idea because you don't want politicians coming up with network topology standards since they don't know what they're doing and they simply pass what they're lobbied to pass. For example I would really be irked if the government passed a requirement for IPSEC encryption for Wireless LAN networks because a bunch of VPN companies lobbied them to do so.

      What might be necessary is for the NIST to come up with a more specific set of bare minimum guidelines on encryption and authentication requirements. That's sort of what I tried to do when I wrote my guide to enterprise wireless LAN security.
      georgeou
      • Just the facts ...

        I like the fact-checking you surfaced in your account, as well as reporting the analysis that no one has chosen to respond to or act on. (I'll let you and Mitch hammer out where the decimal point goes in the $10^n costs.)

        It looks like this is going to get worse before it gets better. For example, someone is selling financial institutions some sort of bogus "multi-factor" on-line authentication technique, based on an e-mail I recently received from a credit union. (I closed the account, but it is stuck with a $0.01 balance and I get monthly statements on it, along with breathless announcements of how they are improving my privacy and security by asking me for my kindergarten teacher's name as well as my password. Funny, I don't feel safer.)
        orcmid
        • Multi-factor is a scam that falls under "snake oil" in security

          Multi-factor is a scam that falls under "snake oil" in security. It's a scam because it's actually a single factor. You can't have two factors unless the factors are different. Just because you ask multiple passwords doesn't make it multi-factor.

          The other problem is that two-factor isn't necessarily better. Biometrics for example is merely another form of a password since it can be replayed. It just happens to be a really long password that's harder to reproduce but it's certainly no secret since you leave your fingerprint everywhere you touch. What would REALLY help are smart cards because that enables asymmetric key management which is considered the strongest form of authentication. So strong-authentication is actually MORE important than two-factor authentication comprised of two weak authentication methods. When you have a smart-card, a pin-on-pad or a biometric device only serves to unlock the smart-card which is a tactic that buys you time to void out that device. The pin or biometric itself isn't what gives you the strong authentication. The fact that the smartcard can't easily be duplicated and the fact that you would know if it's stolen or missing is what makes it good security.

          As for Mitch, he just argues for the sake of argument. The WSJ story I quoted mentioned the $1B price tag and gave more details on how that number was derived.
          georgeou
          • Some one tell my bank that as well

            Actually I have had multiple institutions fall for the same scheme. I would rather take home an RSA fob rather than deal with that crap.

            My Bank, My Credit Card Company and My Student Loan holder are all guilty of falling for this same practice.

            The logic behind the tiered password is that it will require more selection in the questions as to how to get the personal information. However, I have a very profound web print from my reckless youth. I am sure any information that I use could easily be looked up if some one really wanted to find out. This is simply adding a then layer of security that is almost worthless.
            nucrash
          • No, I'd rather use my own smartcard/keygen

            No, I'd rather use my own smartcard/keygen where I generate the public/private key pair and I can use the same device for multiple banks and multiple applications. I don't want the bank to generate my private key and have each bank charge me for a new device every time. I don't want to carry multiple devices for each bank and each application. I want to use my own certified device where I simply give the bank my public key.
            georgeou
          • Multi-factor authentication

            Steve Gibson's Security Now episode #90 (http://www.grc.com/SecurityNow.htm#90) is an interesting discussion of this topic.
            dancac
          • Compounded Cluelessness

            What gets me about the multi-factor scam is that if I were to buy into it as one of their customers (I simply will not play), there is even more personally-related information that is vulnerable to disclosure when the same clueless institution manages to suffer a data loss.

            A couple of years ago I had to instruct this credit union's marketing department to take me off of a third-party distribution of email announcements of product and feature offerings. They were providing e-mail lists to an external service that was creating these glitzy e-mails. They just didn't get why I didn't want those pretty mailings (on a par with statement inserts) and didn't get why I was disturbed that my financial institution would do that. I carefully pointed out to them that the third-party sourcing and the tying of my email into the embedded links looked like spam and/or potential phishing attacks.

            I appreciate that it is really easy for such carelessness to arise, and even be moderately well-intentioned (though mostly self-serving). It will take some famous litigations and penalties for this to wake some people up. Unfortunately, there is a high probability that a bogus CYA approach will be adopted with inadequate diligence at verifying that the approach solves the real problem.

            This is going to take a painfully long time to sort out, I fear.
            orcmid
      • Standardised processes may not create high quality

        Regarding your comments about compliance not being explicit.

        I think it is a trend that has been happening more over the last few years, where standards have been focussing more on processes. The principle exponent of this is ISO9000 where many companies tout it as guaranteeing their customers some sort of quality. Of course, it doesn't per se.

        All it guarantees is that they followed the process they have defined. So if a call-desk company states their process requires that every customer must get abused twice during each call or a home-appliance manufacturer's process is to not test whether their devices work, they get their ISO9000 certification because they have documented the process. However, it means nothing to the consumer other than they will get CONSISTENTLY good or bad quality BUT NOT necessarily HIGH quality level. The standard and certification says nothing about the actual quality of the output of the processes, just the quality of the processes themselves!
        Patanjali
        • You're right, consistently low quality

          ISO9000 is all about the process. It could be a really bad process.
          georgeou