funsec mailing list archives

Re: [privacy] TJX Intruder Moved 80-GBytes Of Data And No One


From: "Dr. Neal Krawetz" <hf () hackerfactor com>
Date: Fri, 26 Oct 2007 11:45:37 -0600 (MDT)

On Thu Oct 25 20:33:33 2007, Paul Ferguson wrote:

[snip]

> A TJX consultant found that not only was TJX not PCI-compliant, but that it
> had failed to comply with nine of the 12 applicable PCI requirements. Many
> were "high-level deficiencies," the consultant said.

Considering that the PCI DSS is effectively the "minimum" requirements,
this is amazingly and dumbfoundingly stoopid.  Not complying with 9 of 12
is effectively saying "they had no security at all."

I mean, consider the 12 points:
  1: Install and maintain a firewall configuration to protect cardholder data
  2: Do not use vendor-supplied defaults for system passwords and other security parameters
  3: Protect stored cardholder data
  4: Encrypt transmission of cardholder data across open, public networks
  5: Use and regularly update anti-virus software
  6: Develop and maintain secure systems and applications
  7: Restrict access to cardholder data by business need-to-know
  8: Assign a unique ID to each person with computer access
  9: Restrict physical access to cardholder data
  10: Track and monitor all access to network resources and cardholder data
  11: Regularly test security systems and processes
  12: Maintain a policy that addresses information security

So... if you could only follow 3 of these, which 3 would you choose?
Granted, the fact that TJX even had a compromise means they did not do #3.
And since one of the vectors used WiFi, that means they did not do #1.
AND, since they collected all of the data, they probably DID do #10.


> "After locating the stored data on the TJX servers, the intruder used the
> TJX high-speed connection in Massachusetts to transfer this data to another
> site on the Internet" in California. More than "80 GBytes of stored data
> improperly retained by TJX was transferred in this manner. TJX did not
> detect this transfer."

80 GB of data...
At first, this number is astounding.
However, we don't know if this was over a few years or all at once.
If this was a continuous stream and they were compromised for 3 years,
that would be 26GB/year or 2GB/month or 700K/day.  So this isn't a very
big number and could easily go unnoticed if they had no form of egress
traffic monitoring.

Ingress and egress network monitoring is covered by PCI DSS item 11.4.
However, section 11 is "Regularly test" and that does NOT sound like
"continual and ongoing monitoring".  Following the letter of the PCI DSS,
TJX could have run an IDS, seen nothing, then killed the IDS and still be
compliant.  (And I expect people to argue with me here. :-)

                                        -Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/
Author of "Introduction to Network Security" (Charles River Media, 2006)
and "Hacking Ubuntu" (Wiley, 2007)
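The point above, that a steady ~700K/day outbound trickle is small enough to slip past a per-day volume check but shows up when egress is aggregated over a long window, illustrated with an added example that is not part of this thread. The flow records, host name, destination addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample egress flow records: (day, src_host, dst_ip, bytes_out).
# A ~700 KB/day trickle to one unknown external host sits beside much larger
# legitimate transfers (a nightly backup and a weekly sync) from the same host.
SAMPLE_FLOWS = []
for d in range(1, 31):
    day = date(2007, 1, d)
    SAMPLE_FLOWS.append((day, "pos-db01", "203.0.113.10", 700_000))      # steady trickle
    SAMPLE_FLOWS.append((day, "pos-db01", "198.51.100.5", 50_000_000))   # nightly backup
    if d % 7 == 0:
        SAMPLE_FLOWS.append((day, "pos-db01", "192.0.2.77", 400_000_000))  # weekly sync

# Destinations the operator already expects traffic to (constructed allowlist).
KNOWN_DESTINATIONS = {"198.51.100.5", "192.0.2.77"}


def daily_volume_alerts(flows, per_day_limit, known=frozenset()):
    """Naive check: flag (host, dst) pairs whose single-day total exceeds
    per_day_limit. A low, constant rate never trips this, whatever the window."""
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        if dst not in known:
            totals[(day, src, dst)] += nbytes
    return sorted({(src, dst) for (day, src, dst), b in totals.items()
                   if b > per_day_limit})


def persistent_egress_alerts(flows, min_days, total_limit, known=frozenset()):
    """Long-window check: flag (host, dst) pairs seen on at least min_days
    distinct days whose cumulative outbound bytes exceed total_limit. This is
    the aggregation a daily threshold lacks and that catches a slow transfer."""
    days_seen = defaultdict(set)
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        if dst in known:
            continue
        days_seen[(src, dst)].add(day)
        totals[(src, dst)] += nbytes
    return sorted(k for k in totals
                  if len(days_seen[k]) >= min_days and totals[k] > total_limit)


if __name__ == "__main__":
    print("daily check:", daily_volume_alerts(SAMPLE_FLOWS, 100_000_000, KNOWN_DESTINATIONS))
    print("30-day check:", persistent_egress_alerts(SAMPLE_FLOWS, 20, 10_000_000, KNOWN_DESTINATIONS))
```

Over the 30 constructed days the trickle totals 21 MB without ever exceeding 100 MB in a day, so only the long-window check reports it.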

_______________________________________________
privacy mailing list
privacy () whitestar linuxbox org
http://www.whitestar.linuxbox.org/mailman/listinfo/privacy