<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: tjx]]></title>
    <link>http://securityratty.com/tag/tjx</link>
    <description></description>
    <pubDate>Tue, 27 May 2008 11:30:53 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[This week in history - volcanos, hurricanes, and the risk of Black Swans]]></title>
      <link>http://securityratty.com/article/1c99044530f3bdcc78ac07456ab99c44</link>
      <guid>http://securityratty.com/article/1c99044530f3bdcc78ac07456ab99c44</guid>
      <description><![CDATA[Poring over endless details of risks, regulations, taxonomies, and technologies can sometimes give us a narrow view of the world, so it seems worthwhile to take a minute to mark the 125th anniversary...]]></description>
      <content:encoded><![CDATA[<p><img title="Chris McClean" alt="Chris McClean" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Chris-McClean.gif" border="0" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" /></p>

<p>Poring over endless details of risks, regulations, taxonomies, and technologies can sometimes give us a narrow view of the world, so it seems worthwhile to take a minute to mark the 125th anniversary of the <a href="http://www.wired.com/science/discoveries/news/2008/08/dayintech_0826">cataclysmic eruption of Krakatoa</a> this week. For those of us who want to think big but can’t remember that far back, this week is also the 3rd anniversary of <a href="http://www.hhs.gov/disasters/emergency/naturaldisasters/hurricanes/katrina/index.html">Hurricane Katrina’s devastating sweep</a> across a wide stretch of the US Gulf Coast. </p>

<p>By now, I expect that most of you have read or are familiar with the 2007 book, The Black Swan, by <a href="http://www.fooledbyrandomness.com/">Nassim Nicholas Taleb</a>, which argues that these kinds of unpredictable, outlying occurrences are the ones that really shape businesses, countries, economies, and people. Taleb argues that although these “Black Swan” events are almost completely unforeseeable, we mistakenly try to explain the circumstances at the time and make predictions about similar events in the future. </p>

<p>In my ERM work with clients, and especially in the context of research I’ve been doing with my colleague <a href="http://www.forrester.com/rb/analyst/stephanie_balaouras?internal=1">Stephanie Balaouras</a> on business continuity and resiliency, questions come up about how to plan for catastrophes... and they’re good questions. Were the CardSystems or TJX data breaches foreseeable? What about the Société Générale debacle or the 2004 Indian Ocean tsunami? What’s next? Should these types of events be included in our risk assessments? </p>

<p>We’d like to get your opinion on these and other risks that may be on the very edge of the statistical tail. At what point do they belong in your risk register? </p>

<p>Of course, it’s possible to define mitigating controls for crises, disasters, or incidents without knowing for sure what they’re going to look like. That’s one of the hallmarks of a good crisis management plan. And that’s an important point, because trying to predict the next unforeseeable event can be a real challenge sometimes. </p>]]></content:encoded>
      <pubDate>Thu, 28 Aug 2008 07:07:47 +0000</pubDate>
      <category domain="http://securityratty.com/tag/similar events">similar events</category>
      <category domain="http://securityratty.com/tag/events">events</category>
      <category domain="http://securityratty.com/tag/black swan events">black swan events</category>
      <category domain="http://securityratty.com/tag/black swan">black swan</category>
      <category domain="http://securityratty.com/tag/plan">plan</category>
      <category domain="http://securityratty.com/tag/crisis management plan">crisis management plan</category>
      <category domain="http://securityratty.com/tag/week">week</category>
      <category domain="http://securityratty.com/tag/colleague stephanie balaouras">colleague stephanie balaouras</category>
      <category domain="http://securityratty.com/tag/argues">argues</category>
      <source url="http://blogs.forrester.com/srm/2008/08/this-date-in-hi.html">This week in history - volcanos, hurricanes, and the risk of Black Swans</source>
    </item>
    <item>
      <title><![CDATA[Show 029 - An Interview with Dennis Fisher]]></title>
      <link>http://securityratty.com/article/ed23afa251e7ed42c51726c5d78957a6</link>
      <guid>http://securityratty.com/article/ed23afa251e7ed42c51726c5d78957a6</guid>
      <description><![CDATA[On the 29th episode of The Silver Bullet Security Podcast, Gary talks with Dennis Fisher, executive editor of The Security Media Group at TechTarget. Dennis helps run SearchSecurity.com and...]]></description>
      <content:encoded><![CDATA[<p><img align="right" alt="Dennis Fisher" title="Dennis Fisher" src="http://www.cigital.com/silverbullet/dfisher-108.png" style="padding-left: 7px;" /></p>
<p>On the 29th episode of The Silver Bullet Security Podcast, Gary talks with Dennis Fisher, executive editor of The Security Media Group at TechTarget.  Dennis helps run SearchSecurity.com and <em>Information Security Magazine</em>.  Gary and Dennis discuss the current &#8220;BS factor&#8221; in security journalism, shopping at TJ Maxx right after the TJX privacy breach, the state of software security, and which is harder: being a fry cook at Hardees or working as a PR flack.</p>
<ul>
<li><a href="http://security.blogs.techtarget.com/author/security/">Dennis&#8217; blog</a></li>
<li><a href="http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1239802,00.html">TJX</a></li>
<li><a href="http://music.aol.com/video/dirty-laundry/the-eagles/tag/joe-walsh/1354381">Joe Walsh plays dirty laundry</a></li>
<li><a href="http://www.informit.com/articles/article.aspx?p=1237978">Software Security Grows</a></li>
<li><a href="http://securitywireweekly.blogs.techtarget.com/2008/07/31/the-state-of-software-security">Dennis&#8217; un-named podcast</a></li>
<li><a href="http://www.youtube.com/watch?v=f99PcP0aFNE">Series of Tubes</a></li>
<li><a href="http://www.hardees.com/">Hardees</a></li>
<li><a href="http://www.cs.washington.edu/research/systems/privacy.htm">Nike/iPod</a></li>
</ul>
]]></content:encoded>
      <pubDate>Mon, 18 Aug 2008 11:05:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/dennis">dennis</category>
      <category domain="http://securityratty.com/tag/dennis fisher">dennis fisher</category>
      <category domain="http://securityratty.com/tag/dennis discuss">dennis discuss</category>
      <category domain="http://securityratty.com/tag/software security">software security</category>
      <category domain="http://securityratty.com/tag/software security grows">software security grows</category>
      <category domain="http://securityratty.com/tag/dennis helps">dennis helps</category>
      <category domain="http://securityratty.com/tag/tjx privacy breach">tjx privacy breach</category>
      <category domain="http://securityratty.com/tag/tjx">tjx</category>
      <category domain="http://securityratty.com/tag/gary talks">gary talks</category>
      <source url="http://www.cigital.com/silverbullet/show-029/">Show 029 - An Interview with Dennis Fisher</source>
    </item>
    <item>
      <title><![CDATA[ID theft ring attacked retailers on multiple levels]]></title>
      <link>http://securityratty.com/article/9c1ddab53260cfd06393ac6c2d592a26</link>
      <guid>http://securityratty.com/article/9c1ddab53260cfd06393ac6c2d592a26</guid>
      <description><![CDATA[A ring of identity thieves that targeted U.S. retailers used sophisticated and multifaceted attacks to steal more than 40 million credit and debit card numbers from TJX, OfficeMax, Barnes &amp; Noble and...]]></description>
      <content:encoded><![CDATA[A ring of identity thieves that targeted U.S. retailers used sophisticated and multifaceted attacks to steal more than 40 million credit and debit card numbers from TJX, OfficeMax, Barnes & Noble and other companies, according to court documents.]]></content:encoded>
      <pubDate>Tue, 05 Aug 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/retailers">retailers</category>
      <category domain="http://securityratty.com/tag/million credit">million credit</category>
      <category domain="http://securityratty.com/tag/debit card">debit card</category>
      <category domain="http://securityratty.com/tag/identity thieves">identity thieves</category>
      <category domain="http://securityratty.com/tag/court documents">court documents</category>
      <category domain="http://securityratty.com/tag/attacks">attacks</category>
      <category domain="http://securityratty.com/tag/companies">companies</category>
      <category domain="http://securityratty.com/tag/officemax">officemax</category>
      <category domain="http://securityratty.com/tag/noble">noble</category>
      <source url="http://www.networkworld.com/news/2008/080608-id-theft-ring-attacked-retailers.html?fsrc=rss-security">ID theft ring attacked retailers on multiple levels</source>
    </item>
    <item>
      <title><![CDATA[Wee-Fi: TJX Data Theft Arrests; Junxion Sold]]></title>
      <link>http://securityratty.com/article/b6bc3031977cd2427e329e01a3a6c4cb</link>
      <guid>http://securityratty.com/article/b6bc3031977cd2427e329e01a3a6c4cb</guid>
      <description><![CDATA[Eleven people connected with largest data theft operation arrested: The US Justice Department said this will be the largest prosecution, paired with the largest theft, after arresting 11 people...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/weefi.jpg" align="right" border="0" hspace="5" /><a href="http://www.bloomberg.com/apps/news?pid=20601087&sid=aKwKo8TeHiv8&refer=home"><strong>Eleven people connected with largest data theft operation arrested:</strong></a> The US Justice Department said this will be the largest prosecution, paired with the largest theft, after arresting 11 people alleged to be behind the theft of over 40m credit card numbers from TJX and others, including Barnes & Nbole, OfficeMax, and other firms. The Wi-Fi angle is that the government charges the break-ins involved some of those charged driving to stores with laptops and entering via improperly secured Wi-Fi to compromise poorly designed back-end systems. (Okay, I'm saying "improperly secured" and "poorly designed," since that's self-evident, and was thoroughly documented in the case of TJ Maxx's parent TJX.) Total cost of this break in is in the billions, although it's clear that the companies whose systems were penetrated are culpable in their lack of data security. It's also clear that unless every card were canceled and reissued, this is the theft that keeps on taking. It's likely the reason why my card number (but not card) was stolen back in 2005, and misused.</p>

<p><a href="http://www.sierrawireless.com/news_events/news.aspx?year=1&contentid=80E8D22E-DD79-451A-8EC0-8C84C437E808"><strong>Sierra Wireless buys Junxion:</strong></a> Sierra is one of the leading makers of mobile broadband adapters, like ExpressCards and USB modems; Junxion is the leading business-focused mobile broadband bridge maker. Junxion has plenty of competitors on the low end, where products are being sold to small businesses or individuals, but I'm not aware of another firm whose products have the feature list for centralized IT management and deployment. They bundle the cost of this central management into the products, which can accept any kind of PC Card. Well, perhaps not any kind in the future, though Sierra Wireless is likely to have little interest in making Junxion's box less compatible with rivals. But there'll certainly be a lot of good synergy in developing new hardware for the same market that's cheaper or has a different set of features. How about four adapters in one box that can bond connections together for specialized markets, like railroad Wi-Fi? </p>]]></content:encoded>
      <pubDate>Tue, 05 Aug 2008 12:10:41 +0000</pubDate>
      <category domain="http://securityratty.com/tag/theft">theft</category>
      <category domain="http://securityratty.com/tag/40m credit card">40m credit card</category>
      <category domain="http://securityratty.com/tag/card">card</category>
      <category domain="http://securityratty.com/tag/tjx">tjx</category>
      <category domain="http://securityratty.com/tag/junxion">junxion</category>
      <category domain="http://securityratty.com/tag/data theft operation">data theft operation</category>
      <category domain="http://securityratty.com/tag/wi-fi">wi-fi</category>
      <category domain="http://securityratty.com/tag/railroad wi-fi">railroad wi-fi</category>
      <category domain="http://securityratty.com/tag/adapters">adapters</category>
      <source url="http://wifinetnews.com/archives/008411.html">Wee-Fi: TJX Data Theft Arrests; Junxion Sold</source>
    </item>
    <item>
      <title><![CDATA[Aiming to make data-breach research easier]]></title>
      <link>http://securityratty.com/article/a03bc9484d5408e4cd632abaa5b82347</link>
      <guid>http://securityratty.com/article/a03bc9484d5408e4cd632abaa5b82347</guid>
      <description><![CDATA[The monstrous data breaches involving millions of records make all the headlines: TJX, AOL, the Veterans Administration. However, it's those whoppers combined with the rat-a-tat-tat of seemingly daily...]]></description>
      <content:encoded><![CDATA[The monstrous data breaches involving millions of records make all the headlines — TJX, AOL, the Veterans Administration. However, it's those whoppers combined with the rat-a-tat-tat of seemingly daily divulgences involving lesser-known entities and fewer victims that add up to a costly and so-far-uncontrolled societal headache.]]></content:encoded>
      <pubDate>Tue, 22 Jul 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/monstrous data breaches">monstrous data breaches</category>
      <category domain="http://securityratty.com/tag/seemingly daily divulgences">seemingly daily divulgences</category>
      <category domain="http://securityratty.com/tag/societal headache">societal headache</category>
      <category domain="http://securityratty.com/tag/veterans administration">veterans administration</category>
      <category domain="http://securityratty.com/tag/headlines tjx">headlines tjx</category>
      <category domain="http://securityratty.com/tag/lesser-known entities">lesser-known entities</category>
      <category domain="http://securityratty.com/tag/fewer victims">fewer victims</category>
      <category domain="http://securityratty.com/tag/aol">aol</category>
      <category domain="http://securityratty.com/tag/records">records</category>
      <source url="http://www.networkworld.com/columnists/2008/072308netbuzz.html?fsrc=rss-security">Aiming to make data-breach research easier</source>
    </item>
    <item>
      <title><![CDATA[Not "who you gonna run to" but "who you gonna call"?]]></title>
      <link>http://securityratty.com/article/0deda6470afe5256cbb3172ac428425f</link>
      <guid>http://securityratty.com/article/0deda6470afe5256cbb3172ac428425f</guid>
      <description><![CDATA[You could try Ghostbusters, but don't bother calling the PCI council. So say Mike Fratto and Martin McKeay in response to my earlier article about when you have an obligation to go public. Of course...]]></description>
      <content:encoded><![CDATA[<p>You could try Ghostbusters, but don't bother calling the PCI council. So say <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/05/when-do-you-hav.html#respond">Mike Fratto</a> and <a href="http://www.mckeay.net/2008/05/29/who-you-gonna-run-to/">Martin McKeay</a> in response to my <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/05/when-do-you-hav.html#respond">earlier article</a> about when you have an obligation to go public. Of course I was responding to Martin's <a href="http://www.mckeay.net/2008/05/29/disclosing-in-a-public-forum-is-not-whistle-blowing/">earlier post</a> on the TJX employee getting fired. What all three of us agreed on though is that there is no place or person that an employee, or any other person frankly, can call to report a company that is not in compliance with the PCI. <br><br><a href="http://www.stillsecureafteralltheseyears.com/.shared/image.html?/photos/uncategorized/2008/05/30/toothless.jpg"><img title="Toothless" height="212" alt="Toothless" src="http://www.stillsecureafteralltheseyears.com/ashimmy/images/2008/05/30/toothless.jpg" width="180" border="0" style="FLOAT: right; MARGIN: 0px 0px 5px 5px"></img></a>Mike Fratto says "PCI has no teeth because VISA/Mastercard doesn't want to bite the hands that feed it." Martin says the PCI council has established a way for people to report violations because "that’d make the Council responsible for acting on those reports. And that’s something they really, really don’t want." So are the PCI regs toothless? I wouldn't exactly go that far. I think we have to draw a distinction about having the power to act versus actually exercising that power. Mike is right: so far the PCI council has yet to exercise the powers they were granted to impose sanctions and penalties. That doesn't mean they won't in the future though. 
I think they will have to make some "examples", otherwise people are going to begin to ignore the requirements altogether. <br><br>Without some process to report violations the credit card companies are inviting the government to step in. This is exactly the reason, as Mike Fratto points out, that they imposed the PCI regs to begin with: to keep the government out. Until they do though, I think going public and the court of public opinion may be the only recourse.</p>
]]></content:encoded>
      <pubDate>Fri, 30 May 2008 16:50:26 +0000</pubDate>
      <category domain="http://securityratty.com/tag/pci regs toothless">pci regs toothless</category>
      <category domain="http://securityratty.com/tag/pci regs">pci regs</category>
      <category domain="http://securityratty.com/tag/pci">pci</category>
      <category domain="http://securityratty.com/tag/pci council">pci council</category>
      <category domain="http://securityratty.com/tag/mike">mike</category>
      <category domain="http://securityratty.com/tag/mike fratto">mike fratto</category>
      <category domain="http://securityratty.com/tag/report violations">report violations</category>
      <category domain="http://securityratty.com/tag/report">report</category>
      <category domain="http://securityratty.com/tag/martin">martin</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/301599720/not-who-you-gon.html">Not "who you gonna run to" but "who you gonna call"?</source>
    </item>
    <item>
      <title><![CDATA[Those wild and crazy guys are back! - SSAATY #54]]></title>
      <link>http://securityratty.com/article/8c6fcc85d8c366a2f97a5951b05987d8</link>
      <guid>http://securityratty.com/article/8c6fcc85d8c366a2f97a5951b05987d8</guid>
      <description><![CDATA[Mitchell and I are back! It has been a few months, but the stars finally lined up to allow us to record a show. It was great being back behind the microphone again. Mitchell and I discussed a number...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p><a onclick="window.open(this.href, '_blank', 'width=298,height=300,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" href="http://www.stillsecureafteralltheseyears.com/.shared/image.html?/photos/uncategorized/2008/05/30/podcast.jpg"><img title="Podcast" height="181" alt="Podcast" src="http://www.stillsecureafteralltheseyears.com/ashimmy/images/2008/05/30/podcast.jpg" width="180" border="0" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" /></a>Mitchell and I are back!&nbsp; It has been a few months, but the stars finally lined up to allow us to record a show.&nbsp; It was great being back behind the microphone again.&nbsp; Mitchell and I discussed a number of topics:</p>

<p>1. Recent penetration of the FBI<br />2. TJX fires an employee for disclosing lax security<br />3. Barracuda makes an offer for Sourcefire<br />4. G.hos.st</p>

<p>Along with the usual back and forth. Hopefully it will spur us on to do more podcasts!</p>

<p>If you like the content of these shows or have any other comments or questions, please drop us a line at <a href="mailto:podcast@stillsecure.com"><strong><span style="color: #366848;">podcast@stillsecure.com</span></strong></a></p>

<p>Thanks to <a href="http://www.clickcaster.com/" target="_blank"><strong><span style="color: #366848;">ClickCaster</span></strong></a> for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at <a href="http://www.jonschmidt.com/" target="_blank"><strong><span style="color: #366848;">http://www.jonschmidt.com</span></strong></a>. Music transitions between segments are by our own Mitchell Ashley!</p>

<div style="WIDTH: 552px; HEIGHT: 50px"><embed id="oneplayer" name="oneplayer" pluginspage="http://www.macromedia.com/go/getflashplayer" src="http://www.clickcaster.com/plugin_assets/clickcaster_engine/players/player.swf?file=http://clickcaster.com/resource/ashimmy/54.mp3&amp;item_slug=those-wild-and-crazy-gus-are-back--ssaaty--54&amp;slug=ss&amp;autostart=true&amp;bgcolor=f5f5f5&amp;autostart=false" type="application/x-shockwave-flash" wmode="transparent" allowfullscreen="true" quality="high" style="WIDTH: 552px; POSITION: relative; HEIGHT: 50px"></embed></div>

<p>Or download here:</p>

<p mk_b="19" sth_t="33" mk_i="950"><img title="Icon_enclosure_music_7" alt="Icon_enclosure_music_7" src="http://www.stillsecureafteralltheseyears.com/photos/uncategorized/icon_enclosure_music_7.gif" border="0" mk_b="19" sth_t="33" mk_i="951" href="http://www.clickcaster.com/users/ashimmy/assets/54.mp3" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" /><img title="listen" height="12" src="http://images.del.icio.us/static/img/mp3/play.gif" width="12" mk_b="19" sth_t="33" mk_i="952" style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; BORDER-LEFT: medium none; CURSOR: pointer; MARGIN-RIGHT: 0.5em; BORDER-BOTTOM: medium none" /><a href="http://www.clickcaster.com/users/ashimmy/assets/54.mp3" target="_blank" mk_b="19" sth_t="33" mk_i="953">mp3</a>&nbsp; </p>

<div></div></div>
]]></content:encoded>
      <pubDate>Fri, 30 May 2008 08:03:54 +0000</pubDate>
      <category domain="http://securityratty.com/tag/mitchell">mitchell</category>
      <category domain="http://securityratty.com/tag/mitchell ashley">mitchell ashley</category>
      <category domain="http://securityratty.com/tag/jon schmidt">jon schmidt</category>
      <category domain="http://securityratty.com/tag/jon">jon</category>
      <category domain="http://securityratty.com/tag/music transitions">music transitions</category>
      <category domain="http://securityratty.com/tag/tonights music">tonights music</category>
      <category domain="http://securityratty.com/tag/tjx fires">tjx fires</category>
      <category domain="http://securityratty.com/tag/usual">usual</category>
      <category domain="http://securityratty.com/tag/lax security">lax security</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/05/those-wild-and.html">Those wild and crazy guys are back! - SSAATY #54</source>
    </item>
    <item>
      <title><![CDATA[When do you have an obligation to go public?]]></title>
      <link>http://securityratty.com/article/f062c79e169ca6db2fee6c28a0d75894</link>
      <guid>http://securityratty.com/article/f062c79e169ca6db2fee6c28a0d75894</guid>
      <description><![CDATA[No, not IPO public, but public about disclosing employer secrets which could provide a risk to the public. My friend Martin McKeay has written an article over the recent firing of an employee of TJX...]]></description>
      <content:encoded><![CDATA[<p>No, not IPO public, but public about disclosing employer secrets which could pose a risk to the public. My friend Martin McKeay has <a href="http://www.mckeay.net/2008/05/29/disclosing-in-a-public-forum-is-not-whistle-blowing/">written an article</a> about the recent firing of an employee of TJX for disclosing, in a public forum, continued poor security practices by TJX. The same TJX, I might add, whose slipshod security practices caused hundreds of thousands, if not millions, of dollars in bank fraud to occur.<br><br>Many have categorized CrYpTiC_MauleR, the employee who disclosed the information on hackers.org, as a "whistleblower". The term <a href="http://en.wikipedia.org/wiki/Whistleblower">whistleblower</a> is a term of art and in many circles will invoke some special immunity for the person who disclosed the confidential information. However, usually the disclosure of this information is made to a person or entity with the power, or at least the willingness, to take corrective action. In this case, I think that is the missing prerequisite. Just disclosing this information on a public message board does not meet the burden of defining this as whistleblowing. I think Martin is right on there. He says CrYpTiC (if I can call him that) was not a whistleblower in the strictest sense of the word and is not due any protection. He is just another person who violated his employment terms, and his termination by TJX was perfectly justified. Let me say that I don't disagree with Martin about TJX having the right to fire CrYpTiC. They certainly do.<br><br>I have a problem with Martin when he says that CrYpTiC should have done what he has done, that is, keep your mouth shut and move on to the next opportunity. I think, depending on the level of wrongdoing, not only is that wrong, but by willfully withholding certain information from the authorities it could make you guilty as an accomplice!
Think about it, Martin: if you knew your employer was committing a crime and you just quit your job rather than report that crime, you are an accomplice. When does the responsibility for the general good outweigh your obligation to your employer? Is sticking your head in the sand and moving on while letting illegal or irresponsible behavior go on the right posture? I say not.<br><br>I think CrYpTiC felt strongly enough that what TJX was doing was wrong that he posted it publicly. Though he did it anonymously and did not think it would be traced back to him, he felt strongly enough that what TJX was doing was wrong that he wanted the world to know. When he made that decision, he also made the decision that letting the world know the truth was more important than his job at TJX. I am sure potential future victims of TJX fraud who will now be spared that loss would thank him for it.<br><br>Martin, there comes a time when keeping your mouth shut and moving along does not cut it. You have a duty to alert the proper authorities for the greater good of the public. The question is: when does your duty to disclose surpass your duty to keep your employer's information private? I think that is a personal question that all of us have to answer ourselves. Clearly criminal activity should be disclosed; otherwise you risk criminal exposure. Beyond that it is a judgment call. But saying not to disclose and just move on is appeasement at its worst.<br><br>The real question is why the PCI council or the government doesn't have a forum for people like CrYpTiC to go to in the future. That is what is needed!</p>
]]></content:encoded>
      <pubDate>Thu, 29 May 2008 17:13:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/public">public</category>
      <category domain="http://securityratty.com/tag/public forum">public forum</category>
      <category domain="http://securityratty.com/tag/tjx">tjx</category>
      <category domain="http://securityratty.com/tag/tjx fraud">tjx fraud</category>
      <category domain="http://securityratty.com/tag/martin">martin</category>
      <category domain="http://securityratty.com/tag/cryptic">cryptic</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/cryptic mauler">cryptic mauler</category>
      <category domain="http://securityratty.com/tag/ipo public">ipo public</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/300938518/when-do-you-hav.html">When do you have an obligation to go public?</source>
    </item>
    <item>
      <title><![CDATA[Blogtard or Hero ?]]></title>
      <link>http://securityratty.com/article/003b2024fd4c7070f3ac8739823bfd0e</link>
      <guid>http://securityratty.com/article/003b2024fd4c7070f3ac8739823bfd0e</guid>
      <description><![CDATA[In a recent The Register article, the firing of a TJX employee who blogged about security deficiencies was noted. TJX Companies, the mammoth US retailer whose substandard security led to the world's...]]></description>
      <content:encoded><![CDATA[<p>In a recent <a href="http://www.theregister.co.uk/2008/05/23/tjx_fires_whistleblower/">The Register article</a>, the firing of a TJX employee who blogged about security deficiencies was noted&#8230;</p>
<blockquote><p>TJX Companies, the mammoth US retailer whose substandard security led to the world&#8217;s biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked.</p>
<p>Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.</p>
<p>Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager named Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.</p></blockquote>
<p>So happy shiny Liquidmatrix Security Digest readership&#8230;</p>
<p>Is he a Blogtard or a Hero?  </p>
<p>&#8230; and do you have a published, communicated, and monitored employee policy on blogging about your company?</p>
<p> Tags: <a href="http://technorati.com/tag/TJX" rel="tag">TJX</a>, <a href="http://technorati.com/tag/Blogtard" rel="tag"> Blogtard</a>, <a href="http://technorati.com/tag/Whistleblower" rel="tag"> Whistleblower</a>, <a href="http://technorati.com/tag/Internet+Asshattery" rel="tag"> Internet Asshattery</a></p>
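<p>The Register excerpt above reports two concrete weaknesses: staff logging on to company servers with blank passwords, and a store server running with administrator rights. What follows is an added example, not code from the original post, from The Register, or from TJX, of the kind of audit a practitioner would run to catch the first of those. The post does not say what operating system the store servers ran, so the example assumes Unix-style <code>/etc/shadow</code> records (colon-separated, password hash in the second field); the sample records are constructed for the example, and the helper names <code>parse_shadow</code>, <code>blank_password_accounts</code> and <code>locked_accounts</code> are the example's own.</p>

```python
"""Audit shadow-format account records for blank passwords.

Added example, not from the original post. It assumes /etc/shadow-format
records (fields separated by ':', password hash in the second field).
The sample records below are constructed for this example.
"""
from typing import Dict, List

# Constructed sample records in /etc/shadow format: name:hash:lastchg:min:max:warn:::
# An empty second field means the account can be logged into with no password.
# '!' or '*' in that field means the account is locked: no password can match it.
SAMPLE_SHADOW = """\
# constructed sample, not a real shadow file
root:$6$saltsalt$abc123DEF456:19000:0:99999:7:::
posuser:$6$saltsalt$ghi789JKL012:19000:0:99999:7:::
storeadmin::19000:0:99999:7:::
backup:!:19000:0:99999:7:::
svc_report:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


def parse_shadow(text: str) -> List[Dict[str, str]]:
    """Parse shadow-format text into a list of {'name', 'hash'} records.

    Blank lines and '#' comments are ignored. A malformed line (fewer than
    two fields) is skipped rather than raising, so one corrupt record
    cannot abort the audit and hide the findings on the other accounts.
    """
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        records.append({"name": fields[0], "hash": fields[1]})
    return records


def blank_password_accounts(text: str) -> List[str]:
    """Return the names of accounts whose password field is empty.

    These are the finding: anyone who knows the account name can log in.
    """
    return [r["name"] for r in parse_shadow(text) if r["hash"] == ""]


def locked_accounts(text: str) -> List[str]:
    """Return the names of locked accounts (hash field starting with '!' or '*').

    Reported separately so they are not mistaken for blank passwords:
    no password at all will authenticate against '!' or '*'.
    """
    return [r["name"] for r in parse_shadow(text) if r["hash"].startswith(("!", "*"))]


if __name__ == "__main__":
    # To audit a live system, read /etc/shadow (root required) into `text`
    # instead of using the constructed sample.
    text = SAMPLE_SHADOW
    for name in blank_password_accounts(text):
        print(f"FAIL: account '{name}' has a blank password")
    for name in locked_accounts(text):
        print(f"info: account '{name}' is locked")
```

<p>Run it against a real <code>/etc/shadow</code> by substituting the file contents for the sample text. Locked accounts are listed as information rather than findings because they cannot be logged into with any password. On Windows the same check targets local and domain accounts rather than a file, which this example does not cover.</p>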

]]></content:encoded>
      <pubDate>Tue, 27 May 2008 11:30:53 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security practices">security practices</category>
      <category domain="http://securityratty.com/tag/fired employee">fired employee</category>
      <category domain="http://securityratty.com/tag/employee">employee</category>
      <category domain="http://securityratty.com/tag/substandard security led">substandard security led</category>
      <category domain="http://securityratty.com/tag/store managers">store managers</category>
      <category domain="http://securityratty.com/tag/managers">managers</category>
      <category domain="http://securityratty.com/tag/security issues">security issues</category>
      <category domain="http://securityratty.com/tag/employee policy">employee policy</category>
      <source url="http://feeds.feedburner.com/~r/Liquidmatrix/~3/299157190/">Blogtard or Hero ?</source>
    </item>
  </channel>
</rss>
