'60 Minutes' on TJX computer security
I just finished watching Leslie Stahl do a piece called "Hi-Tech Heist" on 60 Minutes in which she describes the theft of credit card and other personal information from TJX. These are a couple quick Defensive Computing thoughts on the subject.
I can't imagine using a credit card at T.J. Maxx, Marshall's, Bob's Stores or any of the other stores owned by TJX. In the 60 Minutes piece, the focus was on the poor Wi-Fi security and keeping sensitive customer information for much too long. But, after the hackers got into the Wi-Fi network, they were able to get to the master database of customer information, meaning that there were many other security problems along the way.
And, as was mentioned in the story, the bad guys poked around the internal TJX computers for about a year and a half without getting noticed. The word inexcusable doesn't begin to describe the many security problems. Unless I hear that TJX has laid off the people responsible for computer security, they will never see a credit card of mine again.
The story ends on a happy note: TJX has upgraded all their Wi-Fi to use the newer, better type of encryption known as WPA. But this is far from the end of the story. It may not be well known, but WPA can be strong or weak depending on how it is set up.
Because it is vulnerable to an offline guessing attack, the crucial point is the length and randomness of the passphrase. In the usual home and small-business setup, the encryption keys are derived from the passphrase and the network name (SSID). Anyone who records the brief exchange that happens when a computer joins the network can then test guesses on their own machine, as fast as their hardware allows, without ever touching the network again. A short passphrase, or a word in the dictionary, falls to such an attack quickly, leaving the network little better off than with the much maligned WEP encryption. But a really loooooooooong random passphrase is beyond any brute force attack. WPA accepts passphrases from 8 to 63 characters long. You can think of it as a "pass sentence" rather than a password.
The WPA passphrase only needs to be entered once on each computer, so there is no excuse not to use a long one. If you can't think of one yourself, Steve Gibson's GRC site has a page (Perfect Passwords) that will generate long random ones. One caveat: because the very same passphrase sits on every machine, it should be changed whenever a computer is lost or stolen, or someone who knew it leaves.
There is another way WPA can quietly end up switched off. A device that speaks only WEP cannot join a WPA network, and on consumer grade routers a given network name runs one security mode, either WEP or WPA, not both at the same time. So when a legacy device that knows only WEP turns up, the easy fix is to set the whole network back to WEP, which exposes every computer on it. Where an access point does offer a mixed WEP/WPA transition mode, broadcast traffic still goes out under the WEP key, so the network is only as strong as WEP anyway.
Finally, if WEP is still being used at retailers, as the story pointed out, then online purchases may very well be more secure than brick and mortar.
Update: Robert Vamosi of CNET wrote an interesting story on this in his Security Watch column -
What's behind retail data breaches
Update November 25: A reader comment mentioned WPA-PSK and WPA2 Enterprise. Let me explain the terms. The simplest way of using WPA encryption involves a single password for the entire network. It is entered once when configuring the router and once at each computer accessing the wireless network. This mode of operation is called "Pre-Shared Key" or "PSK" or "Personal" and is what I was referring to.
Companies with the necessary technical skill can use WPA in such a way that each user gets his or her own credentials. In this mode the access point hands authentication off, using the 802.1X protocol, to a RADIUS server, which validates a password or a digital certificate (via one of the EAP methods; EAP-TLS is the certificate-based one) and then issues encryption keys that are unique to that session. There is no single shared secret to leak or to rotate when an employee leaves. This mode of operation has multiple names. An old Belkin router calls it simply "WPA with Radius Server"; it has also been called "WPA Enterprise" and "server-based infrastructure mode".
Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.

Comments like "WPA password only needs to be entered once on each computer" are not only ridiculous but irresponsible. Is this how we are supposed to practice secure key management?
The WPA-PSK scheme might be fine for your home network but has no place in the workplace. Please, read up on WPA2 Enterprise and 802.1x.
This might be my misinformation, but where is it stated that TJX is going to use WPA-PSK and not (pick your WPA terminology that uses 802.1x authentication, possibly something with mutual digital certificates, like EAP-TLS)?
But the reason for my comment here is: please educate yourself prior to making such comments: "The WPA encryption may also be turned off if a WEP-using computer joins the network. Many consumer grade routers can do either WEP or WPA but not both at the same time." Please tell me you took this from somewhere and did not make it up. I've been away from the wireless world for a few months, but I don't see an SSID supporting these two different layer 2 encryption types in the same SSID.
Please clarify.
Best,
Luiz
From a technical point of view, you're absolutely correct. But from the larger perspective, look at it this way: When guys like Michael are blogging like this...when 60 Minutes refers, by name, to TJX's obsolete encryption...it's a clear sign that the public in general is taking more of an interest in what's going on re: identity theft. It's up to companies that use our data to secure it...to stay a step ahead of the bad guys.
The public doesn't care about WEP or WPA or any of that stuff. That's "geek speak." All we care about is, "is my identity safe when I do business with you?" If the answer isn't yes...we're going to shop elsewhere. So, please...continue the discussion. But understand, and I know you do, that the technical standards aren't what's at stake here: what's really important is something far more pervasive....the essential nature of trust in our way of doing business.
When data is encrypted in a conventional manner it does not assure that the data is safe. This is because the strength of even the best encryption algorithm ultimately depends on the size of its key space AND the predictability and environmental awareness of the keys that fill it. If the keys are large but predictable and not location and time aware, the hurdles to hackers and insider negligence or rogue behavior are low, and no one should be surprised that when valuable data disappears, high anxiety and, ultimately, harm result.
On the other hand, if the keys are large, dynamic and unpredictable, then hackers are disarmed. And if the keys are also location and time aware, insiders can only enable decryption when they present their credentials at authorized physical locations at approved times for use. These additional capabilities dramatically increase the level of protection that is possible and introduce new policy alternatives that are available for controlling access to sensitive information assets.
Large, dynamic and unpredictable keys are needed to defeat hackers, and location and time aware keys are needed to prevent insiders from abusing privileges and compromising the enterprise's data. The solution exists, and DOD helped develop it at USJFCOM with a company called Digital Authentication Technologies in Florida.
Nothing new has sprung up in the past few months, so I'd agree with Luiz that one SSID couldn't support those two layer 2 encryption types. So what is this blogster saying?