BreachExchange mailing list archives
Re: TJX breach shows that encryption can be foiled
From: "Sean Steele" <SSteele () infolocktech com>
Date: Tue, 3 Apr 2007 14:31:36 -0400
James,

You pose some interesting questions re: what other regulations TJX is likely non-compliant with -- as a public company, I'd guess their SOX 404 controls should be examined. GLBA may come into play, though they're not a finsrv company. Who is their PCI-DSS auditor and are the results of their most recent audit either able to be requested or legally discoverable outside a lawsuit? The PCI Security Standards Council is a private, non-profit organization, so FOIA can't be used to force disclosure from them, correct?

FWIW, I was a victim of this breach. I had my debit card re-issued by my bank this week. It's the first one of 2007 for me ;-(

--
Sean Steele, CISSP
infoLock Technologies
703.310.6478 direct
202.270.8672 mobile
ssteele () infolocktech com

-----Original Message-----
From: James Childers [mailto:james () iqbio net]
Sent: Tuesday, April 03, 2007 2:20 PM
To: B.K. DeLong; Sean Steele
Cc: dataloss () attrition org
Subject: RE: [Dataloss] TJX breach shows that encryption can be foiled
From what I understand extended retention of Track 2 data along with CVV (as evidenced from some media reports) is strictly against PCI-DSS standards - especially when they were also capturing driver's license and address details and coordinating these records in a single database. Perfect tool for ID thieves if you ask me...

Are there any other regulatory penalties or fines (other than PCI non-compliance) that TJX could get hit with? What safeguards should be put in place to prevent this stupidity in the future?

WRT cryptography - once the database is "decrypted" and available for viewing in raw form on any terminal, it can be captured quite easily with a trojan or any other logger. From what I have been able to gather they were using a proprietary system of PKI and not maintaining a good key management system. Does anyone else have other data? Were they using strictly SW encryption or were they using a hardware token? Single factor? Multi-factor authentication? Local or remote storage of keys? Terminal emulation, Windows server, Linux, SQL, etc... Any data would be helpful.

James (Jim) Childers
President / Owner
Artemis Solutions Group (USA)
BioCert(r) - iQBio(tm) - BioSaf(r)
www.iqbio.com
USA Headquarters
PO Box 403
1635 East Main Street Suite A-8
Freeland, WA 98249
Phone - (360) 331-1071 X-2101

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of B.K. DeLong
Sent: Tuesday, April 03, 2007 10:47 AM
To: Sean Steele
Cc: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

I think Andy's got it covered but I'm confident the amount of data (including Track 2) they were retaining was above and beyond the PCI-DSS maximum; especially with such a failure cryptography-wise.

On 4/3/07, Sean Steele <SSteele () infolocktech com> wrote:
I'm familiar with PCI-DSS standards for DAR encryption for cardholder information, but less sure of retention requirements. Does anyone know conclusively if TJX was simply retaining cardholder data per regulations?

-Sean

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of DAIL, ANDY
Sent: Tuesday, April 03, 2007 9:49 AM
To: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

I don't care if you're using 1024 bit encryption with an atomic booby-trap, there is no business reason to retain that much card data for such a long period after authorization. Especially magnetic track data!! In the final analysis, if the data were not being retained, the data could not be stolen.

TJX is a perfect case-in-point of a retailer who is afraid to purge historical data, or does not spend the effort to triage the data to determine what is obsolete. Data Management policy anyone?

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Chris Walsh
Sent: Monday, April 02, 2007 5:42 PM
To: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote:

> It should make for a short list of suspects, assuming TJX was doing a
> reasonable job of key management...

That (reasonable key management) is a critical assumption. I'd be interested in learning what algorithm (and implementation thereof) they were using, as well. Not holding my breath on that info :^)

cw

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 203 million compromised records in 609 incidents over 7 years.
--
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org
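The thread's recurring point (Andy Dail's "if the data were not being retained, the data could not be stolen", James Childers' note that Track 2 plus CVV plus identity details in one database is the worst case) is something a retention triage job can enforce mechanically. The example below is added here for illustration and is not code from TJX, from the Dataloss list, or from any of the posters. It scans stored transaction rows, flags sensitive authentication data (full track 2, CVV) that still exists after authorization, masks full PANs older than a retention window, and catches PANs that leaked into a free-text column. The field names, the 90-day window (RETENTION_DAYS), the AS_OF date, the simplified track 2 pattern and the sample rows are all constructed assumptions; the card numbers are standard test PANs, not real accounts.

```python
"""Retention triage for stored card-transaction records.

Added example for this thread; not code from TJX, the Dataloss list, or any
poster. Models the point made in the thread: sensitive authentication data
(full track 2, CVV) has no business being kept after authorization, and full
PANs should not linger past a retention window or leak into free-text columns.
Field names, the 90-day window, AS_OF and the sample rows are constructed.
"""
import re
from dataclasses import dataclass
from datetime import date

# Simplified track 2 shape (assumption): optional start sentinel, 13-19 digit
# PAN, '=' separator, YYMM expiry, service code/discretionary data, end sentinel.
TRACK2_RE = re.compile(r"^;?\d{13,19}=\d{4}\d*\??$")
DIGIT_RUN_RE = re.compile(r"\d{13,19}")
RETENTION_DAYS = 90                # assumed policy window for keeping a full PAN
AS_OF = date(2007, 4, 3)           # assumed "today" for the run (date of this thread)


@dataclass
class Finding:
    record_id: str
    issue: str


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters digit runs that are not plausible PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; star out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans_in_text(text: str) -> list[str]:
    """Digit runs of PAN length that pass Luhn inside a free-text field."""
    return [run for run in DIGIT_RUN_RE.findall(text) if luhn_ok(run)]


def triage(record: dict, today: date) -> tuple[dict, list[Finding]]:
    """Return (sanitized copy, findings) for one stored transaction record."""
    findings: list[Finding] = []
    clean = dict(record)
    rid = record["id"]

    # Sensitive authentication data: must not exist after authorization at all.
    if TRACK2_RE.match(record.get("track2") or ""):
        findings.append(Finding(rid, "track 2 retained after authorization"))
        clean["track2"] = None
    if record.get("cvv"):
        findings.append(Finding(rid, "CVV retained after authorization"))
        clean["cvv"] = None

    # Full PAN kept longer than the retention window: mask it.
    age = (today - record["authorized_on"]).days
    if age > RETENTION_DAYS and "*" not in record["pan"]:
        findings.append(Finding(rid, f"full PAN retained {age} days after authorization"))
        clean["pan"] = mask_pan(record["pan"])

    # PANs that leaked into a free-text column (notes, support tickets, ...).
    for pan in find_pans_in_text(record.get("notes") or ""):
        findings.append(Finding(rid, "PAN found in free-text notes"))
        clean["notes"] = clean["notes"].replace(pan, mask_pan(pan))
    return clean, findings


def triage_all(records: list[dict], today: date = AS_OF) -> tuple[list[dict], list[Finding]]:
    """Triage every record; returns (sanitized rows, all findings)."""
    sanitized, findings = [], []
    for rec in records:
        clean, found = triage(rec, today)
        sanitized.append(clean)
        findings.extend(found)
    return sanitized, findings


# Constructed sample rows; the card numbers are standard test PANs, not real accounts.
SAMPLE_RECORDS = [
    {"id": "t1", "pan": "4111111111111111",
     "track2": ";4111111111111111=09121015432112345678?", "cvv": "123",
     "authorized_on": date(2006, 11, 15), "notes": ""},
    {"id": "t2", "pan": "5500000000000004", "track2": "", "cvv": "",
     "authorized_on": date(2007, 3, 20),
     "notes": "cardholder called; retry with 5500000000000004 succeeded"},
]

if __name__ == "__main__":
    clean_rows, issues = triage_all(SAMPLE_RECORDS)
    for f in issues:
        print(f"{f.record_id}: {f.issue}")
    for row in clean_rows:
        print(row)
```

Run against the two constructed rows, the job reports three findings on t1 (track 2, CVV and a 139-day-old full PAN) and one on t2 (a PAN pasted into the notes column), and the sanitized copy of each row carries only a masked PAN. The design choice worth noting is that the track 2 and CVV rules have no age threshold: the point the thread makes is that this data should not survive authorization at all, so the only correct retention window for it is zero.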