X

TJX hackers got comfortable, very comfortable

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
Jon Oltsik
4 min read

I'm not sure what the talk is in Silicon Valley, but the TJX data breach continues to get a lot of play in Boston. Scandal is a blood sport in these parts.

TJX--the Massachusetts-based operator of discount chains including T.J. Maxx and Marshalls--recently released more information about the massive breach of customer data. Nearly 46 million customer accounts were compromised, according to TJX.

My first thought is that this is a textbook attack. Computer hacking isn't like a high-adrenaline, guns-blazing bank robbery where the criminals hope to instantly end up with a pile of dough. Hacks are more time-consuming. Hackers compromise one system that gives them access to others. Then the hackers study the others, looking for the next host to "own." Slowly and steadily, the bad guys continue down this path until they find the ultimate digital loot, such as credit card numbers.

The TJX computer system breaches can be traced back to July 2005 but weren't discovered until November 2006, according to a TJX filing with the U.S. Securities and Exchange Commission. I'm no math whiz, but that's 17 months of unauthorized access. That's a long time to poke around any network, and it appears that these hackers were pretty good. With that much time, they probably knew more about the network than did the TJX ops team.

The filing also states that the attackers circumvented an encryption utility. Many security folks interpret this statement as meaning that the bad guys found an encryption key and were able to unlock the vault.

My conclusions thus far:

• Forget the rhetoric that this problem could have been overcome with a solid perimeter of firewalls and intrusion detection systems. I've heard rumors about how the hackers penetrated the network, though TJX isn't saying for sure. The fact is that a corporate network like TJX's can be penetrated in hundreds of ways, including right through the firewall, and hackers check all the doors and windows. Technology alone is no security panacea; let's stop pretending that it is, once and for all.

• The evidence points to the fact that the attackers had access to lots of systems, not just a single database. When this occurs, it is the digital equivalent of an inside job. The bad guys get to know network traffic, data flows and business processes, and they can cherry-pick what they want to take. Heck, they were probably patching systems and making support calls to Cisco just for sport.

• How did the attacker pull the "end around" past mathematically sophisticated encryption algorithms? Someone left the key under the mat. Here's a dirty little secret that security professionals don't like to share: many shops use as few encryption keys as possible in order to keep key management processes as simple as possible. I've even heard of big IT shops using one key to encrypt massive amounts of data. Combine this with security weaknesses like storing the key in cleartext or poor key management access controls--and voila.

• In one of his early books, security guru Bruce Schneier admits that even with his background in higher mathematics, it was a personal epiphany when he realized that strong encryption did not equal strong security. Unfortunately, most of the rest of society holds on to this encryption/security myth. Encryption is about protecting data confidentiality--not security. And there are two ways around it: get the encryption key, as evidenced at TJX, or compromise something that has legitimate access to the data.

In other words, if I compromise an application server or establish a user account that is allowed to access the data, encryption is as good as invisible. It doesn't matter whether the encryption algorithm is weak 56-bit DES or some top-secret NSA 1024-bit AES algorithm.

• Not to cast dispersions on my fellow commonwealth citizens, but someone at TJX should have noticed something suspicious during this 17-month identity theft binge. In order to find systems to penetrate, a hacker does a lot of network poking and prodding to see what he or she is up against. What is the network topology? Which hosts run Windows? What type of router is in place? Where are the database servers? At some point, someone in network operations should have noticed some anomalous network behavior and uttered that famous movie line, "Well, that's funny." This is the point that really stands out to me.

Every large organization in the world should pay close attention to the TJX breach. There are absolutely no certainties with information security. With today's botnets and targeted attacks, everyone is at risk, and you can't implement a few safeguards and assume immunity. Vigilance and paranoia are the only defenses. Just ask us up here in still-snowy Massachusetts.