funsec mailing list archives
Re: [privacy] TJX Intruder Moved 80-GBytes Of Data And No One
From: "Dr. Neal Krawetz" <hf () hackerfactor com>
Date: Fri, 26 Oct 2007 11:45:37 -0600 (MDT)
On Thu Oct 25 20:33:33 2007, Paul Ferguson wrote:
[snip]
A TJX consultant found that not only was TJX not PCI-compliant, but that it had failed to comply with nine of the 12 applicable PCI requirements. Many were "high-level deficiencies," the consultant said.
Considering that the PCI DSS is effectively the "minimum" requirements, this is amazing and dumbfoundingly stoopid. Not complying with 9 of 12 is effectively saying "they had no security at all." I mean, consider the 12 points:

1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
5: Use and regularly update anti-virus software
6: Develop and maintain secure systems and applications
7: Restrict access to cardholder data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
12: Maintain a policy that addresses information security

So... if you could only follow 3 of these, which 3 would you choose? Granted, the fact that TJX even had a compromise means they did not do #3. And since one of the vectors used WiFi, that means they did not do #1. AND, since they collected all of the data, they probably DID do #10.
"After locating the stored data on the TJX servers, the intruder used the TJX high-speed connection in Massachusetts to transfer this data to another site on the Internet" in California. More than "80 GBytes of stored data improperly retained by TJX was transferred in this manner. TJX did not detect this transfer."
80 GB of data... At first, this number is astounding. However, we don't know if this was over a few years or all at once. If this was a continuous stream and they were compromised for 3 years, that would be 26GB/year or 2GB/month or 700K/day. So this isn't a very big number and could easily go unnoticed if they had no form of egress traffic monitoring.

Ingress and egress network monitoring is covered by PCI DSS item 11.4. However, section 11 is "Regularly test" and that does NOT sound like "continual and ongoing monitoring". Following the letter of the PCI DSS, TJX could have run an IDS, seen nothing, then killed the IDS and still been compliant. (And I expect people to argue with me here. :-)

-Neal

--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/
Author of "Introduction to Network Security" (Charles River Media, 2006)
and "Hacking Ubuntu" (Wiley, 2007)
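The point about a slow egress stream going unnoticed without monitoring can be shown concretely. The following is an added example, not part of Neal's post and not related to any actual TJX system: a toy egress-volume monitor run over constructed flow records (host name `pos-server-01`, the destination addresses, the 90-day window and the RFC 1918 "internal" ranges are all assumptions chosen for the illustration). The constructed data mixes a legitimate weekly batch upload to a known partner with a steady 700 KB/day trickle to an unknown external host, the per-day figure from the post. A naive per-day byte threshold fires only on the legitimate bursts; a persistence rule that counts distinct days and cumulative bytes per (source, destination) pair is what surfaces the trickle.

```python
"""Toy egress-volume monitor.

Added example (not from the original post or any real deployment): shows
why a low, steady outbound trickle passes a per-day byte threshold yet
stands out under persistence and cumulative-volume rules. All flows, host
names and IP addresses below are constructed sample data.
"""
from collections import defaultdict
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space (RFC 1918); anything else counts as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address lies outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_sample_flows(days: int = 90):
    """Constructed flow records: (day, src_host, dst_ip, bytes_out)."""
    flows = []
    start = date(2007, 1, 1)  # arbitrary start date for the sample window
    for i in range(days):
        d = start + timedelta(days=i)
        # Legitimate weekly batch upload to a known partner; small otherwise.
        flows.append((d, "pos-server-01", "203.0.113.10",
                      5_000_000 if i % 7 == 0 else 200_000))
        # Slow, steady transfer to an unknown external host, every single day.
        flows.append((d, "pos-server-01", "198.51.100.77", 700_000))
        # Heavy internal traffic that egress rules must ignore.
        flows.append((d, "pos-server-01", "10.0.5.20", 50_000_000))
    return flows


def daily_egress(flows):
    """Sum bytes per (src, dst, day), external destinations only."""
    agg = defaultdict(int)
    for d, src, dst, nbytes in flows:
        if is_external(dst):
            agg[(src, dst, d)] += nbytes
    return agg


def per_day_threshold_alerts(agg, threshold: int = 2_000_000):
    """Naive rule: any single day above `threshold` bytes to one destination."""
    return sorted({(src, dst) for (src, dst, _), b in agg.items()
                   if b > threshold})


def persistence_alerts(agg, min_days: int = 30, known_destinations=()):
    """Flag (src, dst) pairs that send to an unlisted external host on at
    least `min_days` distinct days; report the day count and total bytes."""
    days = defaultdict(set)
    total = defaultdict(int)
    for (src, dst, d), b in agg.items():
        days[(src, dst)].add(d)
        total[(src, dst)] += b
    alerts = []
    for (src, dst), seen in days.items():
        if dst not in known_destinations and len(seen) >= min_days:
            alerts.append((src, dst, len(seen), total[(src, dst)]))
    return sorted(alerts)


if __name__ == "__main__":
    agg = daily_egress(build_sample_flows())
    print("per-day threshold alerts:", per_day_threshold_alerts(agg))
    print("persistence alerts:",
          persistence_alerts(agg, known_destinations={"203.0.113.10"}))
```

Over the 90-day sample the threshold rule names only the known partner, while the persistence rule reports the unknown host with 90 active days and 63 MB cumulative, the kind of total that a "regularly test" snapshot never sees but a continuously maintained per-destination tally does.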