Enterprise Applications - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Enterprise Applications


The Nightmare Scenario: What If TJX Did Everything Right?



 By: Evan Schuman
2007-03-30
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Enterprise Applications story.


  Table of Contents:
  1. The Nightmare Scenario: What If TJX Did Everything Right?
  2. ' Really great locks and '

Rate This Article:
Poor Best
The Nightmare Scenario: What If TJX Did Everything Right?
( Page 1 of 2 )

The latest TJX data breach details raise the frightening scenario that TJX may have done the proper steps. If so, no one's safe.The latest news about the TJX data breach—including that the thieves doubly circumvented encryption, both by having a copy of the software key and by grabbing data right before it could be encrypted—is sending shockwaves through the retail security world, as it should.

But the latest revelations also start to put TJX into a new light. Granted, there are still far too many unknown facts to establish whether or not TJX was a conscientious protector of consumer private data, but the latest information raises the possibility that it might indeed have been.

Industry speculation—coupled with MasterCard confirming that TJX was in violation of PCI rules—prompted suggestions that TJX had failed to encrypt data. It still may have failed to encrypt some data, but the companys federal filings reports of cyber-thieves circumventing TJXs encryption certainly implies that there was some, perhaps more so than had been assumed.

Click here to read more about the TJX data breach.

Resource Library:
Suggestions that the theft of data several years old proved TJX was holding onto data far too long was undermined by the latest filing, which said that TJX routinely deleted data but that a rogue program the intruders planted on TJX systems captured and made copies of the data beforehand. The filing doesnt establish that TJX was indeed not retaining data too long, but it raises the possibility that it was acting quite properly.

That in turn raises a much more disquieting thought. What if it turns out that TJX had indeed been doing everything right the whole time? In other words, what if this proves to be much less of a case of TJX being careless and much more a case of the intruders being clever, resourceful and persistent?

In the words of former federal prosecutor—and currently managing director for FTI Consulting—Mark Rasch: "Its really easy to say that TJX screwed up. A more frightening thought is that they didnt."

Before we get into the scary scenario that TJX IT managers were model IT citizens—which would truly mean that todays cyber-thieves could execute such a huge breach on any major retailer at any moment—lets take a look at the new details they revealed in their government filing.

As TJX has done throughout this situation, the company has issued a rather lengthy document, which seems to have lots of new details. In all fairness, it does deliver many new goodies. But for every new detail it reveals, it raises 10 more questions. Its like a bright young university student discovering that the more he learns, the more he realizes all that he doesnt know.

Before some reader calls me Grasshopper ($10 for the first reader who properly identifies that pop-culture reference), lets drill down. TJX reported that "we believe that the intruder had access to the decryption tool for the encryption software utilized by TJX."

What was not addressed was how TJXs investigation came to that conclusion, nor any indications—or even theories—as to how the intruder came to have such access. Was it an inside job? Sources within the investigation suggest that it wasnt. Had the visitor obtained it somewhere, learned that it was for TJXs system and then decided to target TJX? Maybe.

A more likely scenario is that the intruder found the encryption key while engaged in the breach. This is made more likely because many retail IT departments will leave such encryption keys in the very same server that holds the encrypted data. Although thats convenient for the retailers IT staff, its also quite convenient for any intruder.

Getting back to whether TJX was practicing safe computing. The encryption key revelation doesnt actually shed much light. The attacker could have brilliantly obtained the key some other way or could have obtained the key in some brilliant way that no one would have expected to defend against. On the other hand, the key might have been left in an easily discovered file, perhaps even the default file used by the software installer. Without knowing the key particulars, theres no way to know.

Next Page: "Really great locks and keeping the key under the mat"





  Reader Comments: The Nightmare Scenario: What If TJX Did Everything Right?
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Enterprise Applications Articles          >>> More By Evan Schuman
 


xv㶲 ;^+(}L햲dKnkly[v:ҢHHbL$K2%Ο%*BIt:gIPBP(|GgoD:nZΘ\ܦd轿O$w}Lj9UQ#C3W)9bPg34mZΠN@\~}@^}fwD%x_'Щ=ѩ:€wɄZIPQۗ>}^~l .hrL⎲IlG5tuGѦ%yH#ERΎȏm@|׶cַ(>r@ߩVANé-}!*{>"E%k4ًʏшqGOП{/ !X]~ꄽ4-fGdh-vu=yͰ { /\1r.b,{{4ɿTݱm6{R'-,v2M*-f{е:9z u v=r@J53ҧ =K;O=k\w=jP?B1 To[©̝ wQk|Qʪ)E}~#GA mkh[J"ZA;h^w{ݳ>~ju:at{A~$Vj}& D%\.I&0h5&ttڽ~X}r\㍒~7nJxXX+(.c#-byOa`%pfQU:7gsKߺnZ:=?nΐ}1fP+M~(#3hؕgxg_:nΚ77fGκפ>m>s鐚&tXAZ|YkU[_lxmaj; dPp9Lwjt(~hvOZd[WO:Sdp*~r޿Cj ݖeB_ȻX_KŗG)H73ǚ -#0ɔSHu t:99~mE!oU:^&T7o`2 4 ]-w a4ZALt&h)5?&Țb.L2o<|)mR—U/(AK/- 5f>]R${3BDȝ`g@ BDԑ?CzC0&pt/\~5L.΃awWʲ9QY +K\M흛ޢG\zgFuIzW^?]zLqJjpX.B2iKB0:8WG5MGR>M獯fz\CU9-|Qnl :2X jX1nґ>~ӁAkӧIΎ|Zꎓx>:AGAticšhϭ@7&h`C}ҍ:L{ݣn]=&tnYXŞ+LRVi`IE 6]LR}>t9qHhQ0<sz0Y[S衟#j{7t( u,/{@`\@8HpyY?9>o  ߃5#z[-[Z6x G͹A }QP|'sZ( 7^`y"# EEKy3@ $hO`z.< ŊH~ޑvZ*&RP*m=!ԑq@-JEs㙰TL٣XB YX/_23CCɴaX9{DMfT`B[ᛥLKak`F^rA+ŲMCAӀIi\Z9,)CzdEgOl;Si;#O\F0,/Cw)iBI ?,xpoFaB?1fѺ)Cu!@3~ ~6Ӈ-}Ȧ5}j0&{b6g{A3uOP#'Կ ;7u9\v,_zt߻GcNEiKJ/ι7M)j`>J7n2gNP/h|WY 3EDVhdF!! = \PȭT)w^IY䞅T_9YX X`~w ,Rd0q6I SXh8G/C4v ei[I%ͺ7RumIJۥa]hk%T87Bj^¢ym<2D֑`9HM^>V "fˣQ4lJ &Ϳl]pZ#>{+UVOLYV<[)ZXbY;l ʸnJirij>NMKϵ("fln6)8{y4!%6$;~L&'V L Mڊ(1@/ŵaa{68c*tҝŅe익ה]!;үhMVpv*> 0f&6X#˦>oُgWKHZSYClX.)Uij"yd\s˰e0\Pbr>+ eT)5*IMym"P/?ˇ%Ŵ谢zԘ{}Qː 0gted-흧 IR-frheU-UjR9_V2:EƟQptɕK-˰p c.Z$ c?`׊._{kOWbL['ʂX hO7`sk'k0ECV0! H*7hІ{egjڳP twPJ v|~KZhI[dEλԲ'**5P6>*0GnG=W֌H+?N-1Ǩi 05j-tpMU*Ղʾ_v+^t m(5# #2qgrh)hMf558};`[ k欭h+,s Jb+ʹV(EcYUzzulFYdgEU)XW<N ~7M=;`%g\Ukh{9A;B< r?_MϺ!܏p<7L Mɣ*騫VJe2&0ʃF5c; [LY6RL5sݿxWji==ݸ/">sԳйtNcl }~rnAf D|8 F.K6,~xf)4D|\D"p-nōapzGdD"9zB*>_l6a9Ln7[JI) `uVDZ)~9HǞ1}]ܙe>tgc:4N7p/UU^S<:h93$P@hOXM\?k78$"ML laƭbR/\f ?+:TfDU5}5?>nVɵGZV?fIG{EY(..n$UHU(V $ yUrmn,: /6" ޜbl[ ezפ|X+Gs;"ʊg b|r{q>'F{lj>cWՄθNr `3O?#[IfYyVum4uH"5Hq+$˴I>N0atA*¾G.CGTTFogGDo0|=^%5͇RiEmT)玿ߓN\X 8zAbQ=Y rvjT dP\؈'߾b[D ‚'T'.n\'Wƒ"'!Z+3,qvë eVqm^?3Z cS7WZU{"}QL ޟpفbßyc(m'@ޏcﻛv~D ۦ>^EO0inow/x01Vy? 0WK/5.ašJf#R:&h)/[Tc8 !6:g5ރ `i8Fnx{L(}ׇu{9EUl_; Yu8-odD4|w/iӽI}ْWs5A AHNKBV%';yRb QגZ4ҫoeW!9 |Ds`S=CD!aF#rWzaU"Ա0@뀴#O.\<;n{ WS eZnOapϲl^ta|`|;p=F'5]{HƸ DucBA095zDϝO(|9e>x>HАYc=p>}⌜0n;zkkbO0>oV8i?{޽s¶"CWq j: -`*1$XhHnm e_"2NIJn/:4L|dM#}ݺJf:7k^x̠t4w {{!.50/y<7?_gpKw z >+-R!EkE7_UK 㒏םyeQj ȓGDK`#i>R{+!bi4V;Tf{s̷kD>dO#@/lvm鼳2> AYCؖrbLp$`G-ݺܭ)³$`GDA|g˩g涣A jm Z0\k9f> V2ÿ&[qVL|}rx|[q$[+/' g|o#&_M_k wS M[k/!/1 %]%h3[aG0^ ="t(u߂Kd[:a8[&?6#d,GeBRɇ&Lj5j+dXZ8~kfpTՊ< O,gYVO[-C/NbA}%¾;c Q;,pg<&C}qO1~9oqZϣ{0T-gy’rB\Cw;=>0u_,EA5[*;PlPN [pcp21b7)&# >w2g@m^ )S㰢X?&N:h(}IݘO0k`BdmdAWAg[uL R]n!6:64qxdAhOӔ׆.jG<8H=zg[Qb\T?ZgYElOT _p'Gǽ.5}YO?HÔ,Ilv= R}՗8>yNZTRi"lcDHnc/_O,LOvuJ2RRlHIMGv?~?B&Нx-#%S !٩_^%@Ҳ)16Qg/y*xĦ")M`o#]ZVX)q]FZAx(\7kk  AB`I W'EH0o_wweK1T4KT^2|Ie*$!B!~.wS-?t@-Xљ\j2Lb H8D孀H8į^K=JIԟ<*Vږ'Kϰx0vٙ4f|a4t0?1%[I91y@B" jVӳ0OQ&zM5vUVn/>5]@w0MHrd05<\lS?C5]` f 19nCw@}]YF,S[rA­4*u߃FAwfAh`'IC;R;2ޡ1h)w'squa({=Kj /y3W/L3"\Lt(MKes0^Sl>x$J5/3{nU\H}-սOfy*Vk|k_V+U˛ F65TsMH~ے ^̇^>y54 c:j5[ $" ^ 0tBz4 2ԟҖ\S|%Ɲkl9z &K}*{l%]_7N@ʖcZBBp|C:|&L8]C$D @$ br?!2e&kD3^ޒ^̵ױԝQP<ݺ>N0UE: d)s 3]e֗w L&U:oEjT*WX#$yU!" [Dr-O& qIM~%'nDחg!n㒪);/]`dֹw $ W–/B _ߡ:wI!2222]U\]f% $܆;,05^J lro |)cS`M5QXb>3N/a2t]PX`>ueK*-=47718~r-=M7+[>(b0-1ȁ~h5oENfX1D/zVO /IHmgdq^+lj)]SP_KJ)>򆐾A~-H]qƗFDq=? [zx |=n^:\JmQI_r>ObDYPZȭGلi--+~iT[عbH"]6ɒG&6z<:!#{_Q&ju"'YGt{[_tJrT3u*n$a$%?[^Uwm()L3wrsD%R|7i ƿ2nrO|kN,?]uؠBҚC-`d;695㵙vm{{ŷi`W۲:pXEIj>*G]J6b5>д|6ˡzl/4C2ĚHa+I錃qlrNXL4s+x(0E7{/2brpDLKפ |:<Ϡ 8|F:Hg pݰoqe0t|W[aۋ@{%4Iq%!ZpP]}z񬃪1kB1o2Z@ aL槺l;CPҸl`Rtq"o(20zX67E ~VxrtLv m_@gfǖ[?qCb$: "'w?C* O2[OYjl /wLqìfo!_`n3Ey+o1q-Ga(9w=<~^xG)LE|*A$㷈]D#ঀ~x#U܏;@;%=߿en|'aY1sʉmOGUxaLEqmc1B,ot.@,vaM)ȁ;[ĆWc#kx|]CyFwi.'-Ee9LY^bJbFyA y!Fv#{Kb+I7{$qяp+jj5BA^ #_.ckjrD,?t$"RV./> :l?QX2axEe3)Mu{ 0m^"ΩTh,ZNxRȥkc.ZE9TWK.}KBG2KN+ߥtW L i/z"r\IoA$ΨP1VхI UP+$4h9ޝŨqYM13bcCyol+=umc;b9mj+LxT8Ow| 􄼥޼vwO%YՉHٚ mݹ]K<5&<+ڢ RDXoj'ށaQ '2vC`m 4,\ 7\πTnA4`}"fR%26HZX+(%\B;Li}yjUS*ZYQ#UMYQ%Z֘OsP=ӂ"Z{2֑: bRI+-ݳItgK5o>iIߚRF ,飏ji' 1 m0=-;g|[2@ `ƖC0Ÿn54ȱrt*%i@Jo]KjL߶"|t"Os'ܚ&M:u_aci7t]ktKs>нvRRmFu,uX'b^n90b8\YrVfih ͬ-j%!V㬤]F Rt3}$纣;~ ˍ$HoF Ki~RBJuT{W"Y0l՚o>*1Xb fZ*F6#ZIikxw4 4ƿB< EÍ)<*)W'nYVmIr .kh>aL{R(?hUeqb+Y75 U@8AnIxmm`L8 /&}&`Cq qt7\9P[ 8'7/|T3/b-#-Ѩ#>xI1K= o~{@ܭr 8q,֎-D||z['AU}H?Km1.+62sjDlo/u\oݴZl:~uC@;G}m!y;򦺸kY< B"sϬcA|`(LRrH[>B8!i?͇˞r0Iݾ`?Ðs{OZ"`R1@Q>ɹcMZfBE< ,iM YC) Q?\y6")(ĴF#1CLD:5,ǰlFLN@NBnC AS!S}%zH"V|8snj򽉡0usr3RC´vx$X-nB<䱤P <'<, 7,X2| =<RXX_1[> MꪂOJBveX &zuKwy |WfY3{8~BOz%ruW0`A-'i92bg4t\KDISk;Ǧи|&gk g׭}<^%9iu7x Zѷptԝsm~>^}>k_ۗ\y|j5+LJrfdeA.-f)TY#dL*rKN*IKvE Gcqq^ SwD~@)Qe;ʋ QW~4ab_)o4׭^O˦V\k!h?o?gg:^Zx:|jTN^^Z+!PU8iz67a\nq4ħVu'Vn(2_3ʯz}i8QޅnF9rz}yhleB3Y}CgG(חzQkg3ˌr;z^Fg(;a_dȂȠ">Eyy(_~OP~Q(GF_d^f%e\]f_O7CtAt3U\W_\gOe{Y_c}OYߧ >>eoʁo2ڿh&s$eCPȐ.NpN2KIʠ/ޯŚ/JYmJ5faOd_ BU=QǒGЬ]#=DNz[G$Q=P\pm⦠ϻ]Oށ-AkOW=Mԍx.nmG;yh#ֽ2"T_;Yo%P/YCIsge'σfţu>TVl<-t&j\eˣf(+@J~@q37}e\ 7㌠6{x50AZח:i>cPS4tHÙ#~ǰ+L 2"9Ì)<螉i~54]M4pὍ6Ʈ;O7maHfT.jZQo\)Uʹ俋K}a8 "(eDdU*.R0X\^9Q(Fuoo*F0njy=q'a1V1;BDO"׏ ѱW;fMWeL ,$ uaSKp^Wv,P0~Y$P*`!K֞.^͇$ $X?bl{IW1hӐM Fؒ%Dİ-#)N>@_E25<>Mqgq%B4;Po#-ؠGО#cwˡB~ 2RV@LЫȅ>KDr&ߢjOG T*A[`"fx¡}(|_s[&lybmb+ӆwr$|H-ljKzUx , #XC0 |'3^g+3qLa\Dm8]H',L=on`-K?X v7iBK .G{J 1-Xhkоx^I HNl7c@ԯJ`Xkt JV7B3FfZ˩;:su_[|݅NmwnJc10'O>ވ'ĕl8=;t؆"0 ]ݸ3EK~#xR Hn2]M70 9K:Bdx^32|e'0O2˟$4ng su}0D9O,ځ&1}㿄&l5191`=E(aO+spn27 6L C;W1^{ #E3dưz< RƠC)e h km tZwkdY9Hr&zU h$.7=j"6: gKCJ'Ҥwvgcw[/AI)H[aD.v =c"1b>v+qދ/!Z^y|X.eHԳx6Y ߚR TDO"vy9m$KY[zQڗ@1a璧ێf*iůKw? /X)Ns'|omW|B,[kl`IvB`9`"sv3C@_v܅eNUhJl;:Ƶd2-  M|w؆;A Pr⁜2ћS#+nv˧Dg>6كl2p}ρ!XsCQ%7` ={ 5HJ B ϱ [ngn`Cl .3.O]& hWa! e71KLP`O3"w6G}7d ȉ(l}j6f)+o[wt%(5x;n6m˟~HױI _[0~OX+ʕbA,\n2?>Şi#*|@ =(ۉnfTt %`GYU`+r5E6&G[0tcf﮳zg[8KIJ y2 !NZxyU~ҥ^.I,'_cQd+8*)ؐrk` bOP1,,oԛŒ'TS*4.v>ϝn<^e^}]x O!0gWPR Y -f1%IDb88)ҡCCԞBTfƲ 7cP.Xd]-%oB@:S .xBG,?ɋ|P 399.@OI"cXM1}aE|S<'\B/0,L!ŠKNš|]Zk/o?XY/5.ڝG<|;Xyx8~'c(FRqO\|j?(>v1XںqKO_w?^6HђuV]5dEg0]\}l4n_?[3ˬZY$I#;ob[b$- U.ɡRv3F'e9TU>\JBS+$X/WfTN˚J܄;"6BKFslx6 QGς(