TJX's failure to secure Wi-Fi could cost $1B

The news of the TJ Maxx data breach has rocked the retail and banking industry, and many estimate that it will cost hundreds of millions or even a billion-plus dollars in financial damage. It was already widely reported back in March that the TJ Maxx breach was probably due to an insecure wireless network, but the Wall Street Journal is now reporting that it happened outside of a St. Paul, MN, Marshalls discount store in July 2005 (Marshalls is owned by TJX Cos.)  WSJ is reporting that investigators believe that the hacker used a laptop and a telescope-shaped antenna.

Joseph Pereira of the WSJ writes:
The $17.4-billion retailer's wireless network had less security than many people have on their home networks, and for 18 months the company -- which also owns T.J. Maxx, Home Goods and A.J. Wright -- had no idea what was going on. The hackers, who have not been found, downloaded at least 45.7 million credit- and debit-card numbers from about a year's worth of records, the company says. A person familiar with the firm's internal investigation says they may have grabbed as many as 200 million card numbers all told from four years' records.

[Update 4:45AM - While Pereira cited research firm Forrester's estimate, Boston.com quotes a $1.35 billion dollar estimate from Forrester.  Others like Dark Reading are reporting that the fine could be as high as $4.5B.

IPLocks, a compliance and database security company, is basing the estimate on the accumulated costs of fines, legal fees, notification expenses and brand impairment, according to Adrian Lane, the company's chief technology officer. He added that $100 per lost record is an average figure for major data breaches, but they calculated expenses particular to TJX and came out with the same figure.

The Ponemon Institute, a think tank focused on record privacy and data protection, expects the TJX breach costs to be even higher. They cite costs in the range of $182.00 per record, based on research from November 2006 of the cost of breaches incurred in 31 separate incidents. For TJX, this translates to $8.6 billion.]

WEP was originally demonstrated to be broken back in 2001 and it was broken even worse by a factor of 20 in early 2005 and then broken again by another factor of 20 last month by German researchers. WEP 104-bit encryption can now be cracked in under a minute on an 802.11g network using active ARP-replay packet-injection techniques. Since the TJX breach started around mid 2005, the attackers could have easily cracked the network within half an hour using second-generation of WEP cracking tools.

What's most alarming about this is that most of the major retailers during that time were running WEP and many are STILL running some form of WEP. There's no reason to believe the same attackers didn't try this sort of attack on many other retailers and are still actively attacking networks today. Many businesses and organizations, including hospitals, are STILL running WEP or some other useless form of security.  Some are running a slightly better enterprise version of WEP, which uses per-session per-user dynamic keys that supposedly rotate every hour, but even that's worthless since the third-generation of WEP cracking tools can break WEP in under a minute.

When I worked as a security consultant for major retailers and organizations during 2004 to 2005, I knew this was a time bomb waiting to go off because the vast majority of businesses and retailers were running bad wireless LAN security with blatantly weak security. Many businesses refused to fix their security and refuse to this day, through a combination of ignorance and denial. Some businesses and retailers listened and upgraded their security to WPA; others flat-out refused. I actually had one client go the extra mile to buy all-new WPA-capable equipment, only to be told in the end that they would only implement WEP because that was the "standard" their corporate head quarters used.

Getting people to upgrade their security and educate them was hard enough as it was, but the fact that many security professionals and security training courses are still recommending the worst kinds of wireless LAN security exacerbated the situation. I've done my best to spread the word about wireless LAN security, and even published a 10-article Guide to enterprise wireless LAN security, which is basically a free eBook. It is essential that businesses and organizations implement the kind of security I describe in my enterprise guide.

For homes and small home offices, wireless LAN security can be summed up in a single paragraph. All you need to do is use WPA-PSK security with a RANDOM alphanumeric pass-phrase that has a MINIMUM of 10 characters. I estimated that a truly random alphanumeric 10-character WPA-PSK pass-phrase using modern single-core computers will take one thousand PCs working in parallel 500 years to crack. If your hardware doesn't support WPA mode, you can almost always get a free software/firmware upgrade to support it. If the hardware can't be upgraded, businesses can't afford a breach in their data security and they must buy WPA-compliant gear regardless of the cost. Cost shouldn't ever be used as an excuse to have poor security and it won't help you in court when you're getting sued. WPA-compliant access points and wireless cards can be acquired for less than $50 per device.

<Next page - How TJX diverted attention and got help of media>

How TJX diverted attention and got help from media

TJX, during its 10-K filing, took the opportunity to point the finger elsewhere at the card payment industry standards rather than admit any mistakes and later promised to fight any lawsuits. Some in the press totally got it wrong and blamed the problem on encryption. EWeek's Lisa Vaas actually went as far as questioning the need for White House mandated encryption of laptops and quoted some statements from McAfee CSO Dr. Carmichael that exhibited a disturbing level of ignorance in basic cryptography (not sure if it was quoted properly).

Note:  I'm picking on the Vaas story only because it was widely cited by a number of blogs and articles on the Internet that tried to point out how futile encryption was. This is absolutely the wrong message to be sending the public about encryption!

We have a situation where TJX:

• Failed to implement basic encryption and access control security
• Got its user credentials and internal systems hijacked
• Leaked ATM/credit card information that caused a billion dollars of damage
• Then blamed others for its own failings

The news media should NOT be buying TJX's diversionary tactics, much less question the need for data encryption.  They should instead be calling bull on TJX and focus their attention on where TJX failed.

I contacted both Vaas and McAfee about the "Why Encryption Didn't Save TJX" article and they said Vaas promised to fix the article. I requested a chat with Dr. Carmichael to get him to clarify the quotations, but McAfee PR started talking about new podcasts they were doing and never addressed my request. I gave them plenty of chances to clarify and correct themselves, but nothing has happened in a month, and neither party followed up with me even though they e-mailed me that they would. Since neither Vaas or McAfee's CSO intend to correct themselves, I'm going to post some excerpts from two e-mails I sent them and correct it for them.

Why Encryption Didn't Save TJX:
"There are several reasons why encryption didn't save TJX and won't save many companies, regardless of how much legislators have mandated or want to mandate its use. (One example of which is the June 2006 White House mandate requiring federal agencies to encrypt the hard drives of all their laptops and mobile devices.)"

Lisa, saying encryption couldn't save the day is a straw man argument. No one ever claimed encryption was a panacea. Encryption is only there to protect data at rest (on the hard drive, in case it's ever physically stolen) or it's there to protect data in motion over an untrusted link (internal networks count as untrusted, especially when there is bad wireless LAN security in place). Encryption is a very small (yet critical) component in security, but it isn't a cure all by itself. That doesn't mean you discount the use of encryption or the need for it.

1. TJX ran a wireless LAN with the kind of weak security measures you seem to think were okay. It ran insufficient authentication and encryption on its wireless LAN.
2. TJX failed in basic access control by allowing hackers to access its network via wireless.
3. TJX failed in basic host hardening by allowing hackers to own its POS and transaction stations. Don't blame encryption. If anything, TJX didn't implement enough encryption and authentication on its wireless LAN, in addition to all the aspects of security it botched. 

Laptop and mobile device encryption with strong key management capability is very important because nothing else is going to save you when that laptop gets physically stolen. That doesn't mean you're immune to online attacks or that you don't need infrastructure -- and host-level hardening. That also doesn't mean you get to discount the need for encryption. They aren't mutually exclusive.

Why Encryption Didn't Save TJX:
"This type of public/private key cryptography is used because key distribution is a major problem, Carmichael said. Shared keys have to be stored somewhere. They can be unsecure, no matter where they're kept." 

First of all, you do realize that symmetric key encryption is ALWAYS used, even when asymmetric encryption is used, right? The asymmetric encryption is generally used only to encrypt a session key used for data transmission or for data encryption on a hard drive (this is key exchange, not data encryption). We don't generally implement either/or solutions; we generally implement hybrid symmetric/asymmetric systems, where asymmetric is used for key exchange and symmetric is used for bulk encryption. Asymmetric encryption is a wonderful and essential technology, but it's a fallacy to suggest that public/private keys don't need to be stored.

"Those who use public/private key cryptography have the private key stored in a 'very special place,' Carmichael said—a certificate server that's hardened and secured." 

I've built a lot of VPN and server systems that use crypto, and I've built a lot of PKI systems. I have yet to see a "certificate server" that stores private keys. When you say "certificate server," you may have been referring to a CA (Certificate Authority) like the ones that VeriSign operates, but those Certificate Authorities aren't there to store people's private keys; they're there to cryptographically bind your public key to your name with a digital signature.

Private keys in the vast majority of hybrid symmetric/asymmetric implementations are stored on the servers themselves on the hard drive.Those who are more security conscious or need higher grade FIPS certification store their private keys inside a cryptographic module that never divulges the private key outside of the module itself. But even in these cases where cryptographic modules are used, those modules are either still inside the server itself in the form of a PCI-X card or a directly attached SCSI device. At no time is a "certificate server" used to store private keys. They might have key escrow servers (which do store private keys) for emergency key or data recovery but that's outside of the routine day-to-day cryptographic operations.

Whether Vaas got the quotes wrong or whether McAfee's CSO got it wrong doesn't really matter to me, since neither side has clarified or corrected themselves. The story and information posted is just plain nonsense. It's disturbing to see such fundamentally bad information published, widely cited as proof that encryption mandates are worthless, and left uncorrected. This story and those who cited her since then are essentially playing in to TJX's hands by allowing them to divert attention from the real culprit.