Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Why Encryption Didnt Save TJX



 By: Lisa Vaas
2007-05-08
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Why Encryption Didnt Save TJX
  2. ' 2 '

Rate This Article:
Poor Best
Why Encryption Didnt Save TJX
( Page 1 of 2 )

Updated: News Analysis: The largest data theft ever is a case in point that encryption is not a security cure-all.

TJX: Its the target of the largest known customer record theft of all time, and its a case in point that encryption is not a silver bullet.

This is the heart of the encryption problem, quoted from the 10-K filing The TJX Companies made to the Securities and Exchange Commission:

"Despite our masking and encryption practices on our Framingham system in 2006, the technology utilized in the Computer Intrusion during 2006 could have enabled the Intruder to steal payment card data from our Framingham system during the payment card issuers approval process, in which data (including the track 2 data) is transmitted to payment card issuers without encryption. Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX."

Encryption has no value when data isnt encrypted, obviously, but credit cards cant be processed when their numbers are encrypted. Hence, a smart crook will seek a way to get the data during that window of time when its in that state of being "in the clear"—that is, unencrypted.

Resource Library:
TJXs intruder also had a backup plan if data in the clear wasnt attainable: namely, the decryption key.

There are several reasons why encryption didnt save TJX and wont save many companies, regardless of how much legislators have mandated or want to mandate its use. (One example of which is the June 2006 White House mandate requiring federal agencies to encrypt the hard drives of all their laptops and mobile devices.)

In an interview with eWEEK, McAfee Chief Security Officer Dr. Martin Carmichael said that after he had read TJXs take on the intrusion, he was curious if TJX was using data masking as articles indicated, or some sort of data encryption. Dr. Carmichael indicated there were different methods of encryption key methods: shared key, in which the sender and receiver of encrypted data both have the same key, or asymmetric, which uses a public/private key pair.

Data stolen from TJX was used in an $8 million scheme before the breach was discovered. Click here to read more.

Shared-key encryption is inherently risky, since humans think up convenient but absurdly insecure places to store their keys. "We have seen … some companies that chose to use shared-key [encryption] that stores the key with the data," Carmichael said. "Which is outside of most policy. Sometimes ease of development can be [counter to] good security process." In fact, Carmichael has seen keys in data files that are named "key to data."

Another encryption trap is the use of weak encryption. Original DES (Data Encryption Standard) encryption is now considered to be insecure for many applications, chiefly due to its 56-bit key size being too small. DES keys have been broken in less than 24 hours. Some analytical results point to theoretical weaknesses in the cipher, as well, although those have not been proven in practice. In May 2002, DES was superseded by AES (Advanced Encryption Standard) following a public competition, but DES remained in widespread use as late as 2004; Carmichael said it was "very common in a lot of applications."

Did TJX use DES? TJX has determined that its data was first accessed by an unauthorized intruder in July 2005, and DES was widely used in 2004, so its imaginable that the company did.

Asymmetric cryptography gives part of a key to the data sender and part of the key to the data receiver. The receiver of data—for example, a bank thats receiving your bank account number or user name and PIN—can publish whats called the public part of the key to the whole world. The only thing that encrypts data, however, is the private part of the key. You as a bank customer can contact your bank using one part of the key, and the bank can match that up with its part of the key, thus having an encrypted session with two different keys.

This type of public/private key cryptography is used because key distribution is a major problem, Carmichael said. Shared keys have to be stored somewhere. They can be unsecure, no matter where theyre kept.

Those who use public/private key cryptography have the private key have more options with asymmetric cryptography and a certificate server thats hard-ened and secured, Carmichael said. The certificate server offers options for key escrow and certificate revocation list offering greater control over keys and their use.

Did the TJX intruder stumble on a key stored with the encrypted data, a la shared-key cryptography, or did the intruder have access to a certificate server? The question is moot, given that the intruder figured out a way to take the data before it was encrypted, but the details of nabbing an encryption key will be instructive if we discover them as TJXs investigation continues.

And so that leaves us with asymmetric, aka public/private, key cryptogra-phy. Is it safe to consider that form of encryption a silver bullet? Encryption is not a silver bullet and weaknesses in key management represent a bullet that can backfire.

Next Page: The downside of encryption.





  Reader Comments: Why Encryption Didnt Save TJX
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}r۸j9km]mGJɖkŶ,%L*%BER9eoВ/TlFwh4~ 'I"gn;̢dw}=zk;HR}gL#r-GgPSrdH-w!@au۵ܐruz>;|9|@vD%j'AM3c{ڮlN1ecs[gp,FmgM5d{9B ~5[sr!%֥qϊͽ'c! [tV9v W*UN8Sp{cf_ʞ0HQIM"h4"j>vn=w2`Vq|&k`T黖>? M-G ؓ ۭ@x!BP#"FτwCՠ匝8Gd`jI:@*"42R!p5:Rը>5-G|ݖ|#XulAf@dТ&q#!꿩$f…05g?LG`B'lǦ" Gm_j|sfq@ffrdHU o~cn> :t<=0;DL<:/yÙ6Mަߙecfy 3?b Jg3B~5_:OOfKN:W>nu83tfAZ|[kUV1?x?-|kh2`=t8Lwj/ ?5;ǽ/-2 OGgcdp,^z;?#̧KdoF" 2#~B(:pHqbNbϡW sCzlNTVʒ0Wb{(EށItjeOnS3G#вnZ3榣V)ǦcWJPX=,‹ʾb(7Z`Lm,5,LtϬ Y0` i vzSOaΦnۉ9~t$AG66^lzK $ ,70}HG:QI4+p|g͇v13 a {>0sJ}D5h-DCw 0Ieg&S yK ΝdrkoM~(wE@>X^0 vjq.HpyY?d| wA,߽9#z[MKx GِzRP|'sZ( w^`y""D% T h4AGEENAww$]I+TbD8JnOu$9cJ"ڹLX*QY,p[/ ͙JRdy8ZLboD6], S m-Muc{XT5m\O4MhFЄ%1@.ϼG32H`0HCb;NM: x9wo@Cyu[J`p=Ͱ"̴b֜u4dufB7 Ɖ9 R g?fx0-qڛ8wuVw]ˤF|a* ,q7& 3Ͱ&q_;+owzbré&9|YrY2훿i /&](LuΩJJ&k*HX3j-yrp V֌Or1r@yOS*rH1g0dz׍[Oq=џ8S7RtZC+>q^i.;[@Lg˺z+fYT]۽/ 7RiO4 m {24@0ٖk_Xt jQWt(:АT um:bXGJG!1~h/a2(&nw߱}|sö V/U Wß@-jISJJeHǝ8~L&'[BSjb35-F  ? |'+ȁUrqXkw0잴ׅ!Τ('Wi+Ao{LsCm0 G"}Ӛ#Ow')]B~,%1Iҏ5 &^PGe d^s`M[`R9#Dzl lF9 CQ>-DM{ ipbZEZiI~~~0*y.Kg>Fm `+z\qgI}єa˘30|q֓-*IbAQ KkMf٧7c_g>Ѐah"pHE@xZkhpL@U.(L-9Ij1 [ hg [QznSC znaRI?IL!2BgOM{c>4Ye n,A@z"RT j%05*ERf=>2~2Ejwp;< _q˻u/?M0,|Qқ~k>sn}G>N-â&-;h'^+0v +JB2By^ihw\rR" apxg u;ufv9AC]#@$4]rC XQaw4 Ř)bK@s hj_R U#tT#CWta3 X]QiSiR9\PӲ+SLjH@Aܚ:y>z,.MHT0v-1hXa:5UW *~i{oR64F@2<"8dS>tV}P@K&nƚ67=ϼd[̌<9yn2$8z0JL;O%95$_ۂ3Bdۤs:n&2006Y-0P>\մR XDObK>u8홗[?g`̦S`p1\An#>҇73Wnj*r6=_?J][L4F@V1M0]̞̙A mۨX9 6?`(_J`Y V8$g[}'Dc0$2L3 æRRU V_Aұg.3_5<]~?Ʊ4>JixG2cdQJhU m{\ c4wzN1 Q;v}b;_&I|SeYȃV)+i+TX񋰷 ?3pa-XPjpHU}EO C/ PNJ[Cn$}T>Vy`*+ZR^?*4 9 ^  lZv~ZC kpo= 2j>vR/̖M%4e3/ -GXNM=1h˃QaߍCuRԣ{{kC4g?"XwSwgu̇)5sg\Դ"hw ĶRs?'DMqC` H\WK{dQ"Y rrjT +dP\xO+tCN\n+T'n\'+cI`q`w0DB*MWFDccb^f.^*oo(0h_pǭ;dU]uv'hEw%]f4O}ҹI'ٗ`d˙]=-bo/fta؆Z'0Z@IDW:^\9o\}h_/~w:W(!9k_dcxΥx\MC;R%9!hUHV*<fShmƛ&akCs#fDH[h!Uuřb9kI.Dz=d_5g0õh4&lꏝ/a֭ Bf/3bB!|J<؇APC{ z H)'4 v%:\b:$VB 0FG_TJi)4z'uSxlw) 5;Eыſ}i X x4~WK0fAda+F+9ǭϤsGHY 8/g`!IBܰ2 7{KP -Mu>S4 jGYkNEm펇{6-~=`rrPR)&bz&I[և%uyjtJ1SBt 2H P,O&e=lI1 iKBih%bbVHRo{ٸ؜6<1ަmƙLƗHΖˬf̗4.נzY8V#"|G)-&X!*VZRZz*$'?vs81 _mzǜGoQM21ɘKԇ>^Y]s>ͥ=0i8;?P.ZsgOɵ2sXs\ Zpl+ҿDž̳bpi#쐋N4z+Ҹ;5LZ0e,H~"[#|$j~>xFMyuS意G 93rĸy}[)=h u[xؕv{vO n<]1逧vlLcI"ɫ:w7}\8%++w|621@7YU (f~X;pOҠc=d0 82{K7Kx=*~OϺv4]f+wuB%u-JKz%nwQhr;D҂%Y(qQ#{"F%{two FuUmquOycZy‡i襖N<ƛ;a!ϑ +Ӡ9MH.v )$T0hl?|nwcJdjl 8QbhoM9oj9٢hr" a' ZYC,G Op$|#؈'GG鎿Z7{cE|3̔ u\wW)~elƚ[sLBIpIM{fr+ 7~-nɸ!E%͖xLL._&`65xfV،SLsQS J2_fX^'\/_wz懌Xו8o# %gx{-jMtg[vWTP+DUHobcϲk4xli)Q,<¾c t7p\\O,mgS[HNr]T-~?Mkk(]6;  I\LxXc j?;3 + ~&_M͢1siA8Nb>\sㇹ" :K2cԹzr !Մ@▁[I8MymXi겎TC} Cx;أwe{ZLsuTĖaAŰ~]ɽ wR[JX,ĞHɒ+v>oWH\JCym"[PZ3o|6"ޙeU [e-ZN"ʳ _Ib1cq8>YWz׈%k_ ] җuzAͻ8NaX(<0I*J4Z)1Zqɠ>mԎaeyE@F =X t!īz/U@=ݮJ1cIֿ zl ݀3d!!;Mo|_=|U17I)HmZgh l|E95ȗ ;"],u.h(` *uX HV(&:mް`"Z! ZA g/Kq7$`H'Pwb}IU%)q = ߨ@V%L|%BΈu^rBgי\X׳ 1ܓoRlQ|^3I}DK$^9e$!0xEARë t^L< t˶@+m:.XB>EMtTںg:\XڣP^؊}@8 ($ W@No=,GFV~Q:7-9BJlw}rZySƪYMo@(@7-_yШ,SفŰ8F0"oζm?XJKxTŵݦݦݦݦ/6-JnX%=4=4o_Z6.a|yE1QAs|NEӾ V#t5"7]@y8RցuJѝMGY'y@N0XM|OCvc;w5Tޟ pMzl8leǶt"o2Fɼ'hSz ƟM'x._3H ɒЧA/,IpP,$ӈT^xBA0v&bn5ʉEE >Gи} X3{:]4֤? 9\,m;ԝ;g9ژ$]U n٬OtwjHa'`K6q 9 GJ] :=G_f|D* ?i3,0CX7!<̴gnRǥWֵi0* m b$)5M<;_wDudT-Jʚo~^UHrqQ$+_4IWč?7uA%%%% \BE}. sx~3 nR/]4(> 썤k:~2×i=n_p.u%7(Bj8(n0sMCJ̰8_rF~ wcn| 1~C50tfO1 ~@r!,D*oePj]2Mvbrfɒ6F ^Kxョjj|kץ,<_XYQ>BPVj aoq{+( q ĩUZTU_Ė{}2;*%P[9k_?! 6Eaoj=tkY䣙i!FLV/xe!s_#[U(G`zC5zi” ٬CA=/M.K<:G}挝~t HO6yV|LwWD%R_|7Gon qSSǬknzT25)b yxASkksȘ.ԍmCl(I#1ۀچձ9(UT_tׅdUoko#fyN[-mV)KjhkK4o}6=( ƗY'$ [IHgc;3}c^8ET2̭,4df ,ƀHRyAv|woױw1Rp0P Xv_ڳKۨ_}˼ Xp ZNړmiİOi{X ђ,#Ћ'gT#d a vEx]k~=mkql+o[*18;7~k{ʞVS,?Y+ ZfquQ%1 o2^P_Z6`;TP3مm.MEfAȢi\1U}ub?=G/ttAk-c"]J1x~[M̀+5fL5P;qU6'aH'*t=jhDˤJd i|XP)ϡVPJj\=tW;ϯz!_ՔV-!ϣy-r3<#qn: Փ>/,bGc0/Ƙ`^*iB¼{֜4 }TX*!gIG. R&Z:<~Q-mER!&bg|6`Z|}P.[ozpWӸ Ǿ3 %XY! ̯a ;_`lsdwIND]%FR)ՌBH*&,C}F}kzGb^n90H\YrV^ͬͱ-j%!F㬤]F5Rx3SmSӁPK_/HHuTy+sc6ވjM$俢J \0] aLbD )m2FwF#䧞W1hcn1x2\TbЍB1˪M;InP}wY?e=` ' 3t/x{~ B {=Ll~'dM,Û^|Ui|%w[mk 0Ȕ_S{D`߄'8 :{WZ- F/|T3/b-3-Ѩ#^>xAn-1K= o~{@\Ar q,Ye)+փފ> rF@Yj!u;H]U# `x1F(zhu뵮a373C}m"Xy;򦺸}tQh04P <8$EuE)dww85y^9._кlɧtC!ᘭ#!+^bΑ,QfXk]*J3X#'p`\`sr8@KdK*2&Bs8{_]&j&[ր aNJů3AF3%H 1LL/0Yfw iu=rvji_21Fiŷn(l;b21#|>OS$`,% vqY@y#LD݂z![C P71MF·:=b3+%̔,0AuA"\2,GAn25:`re^55KqfldaQ({b8M t߃3,ȏKlݜ(8Ãj1I(tCK/Hzscp ׆úޝC_F`3W VjE)OBӾRs]j)q\]{} YV^*߉ӄ^I+\A] / PIZ W{uK1u0 }a3brMtc޸@?d'(חzQkg3틌r;nF( eٮ~1>y< ><@ g9y^d?gBiF?P~Q{1 ?sw1~'? /q _fs?]fe_W(u}'O?g~3 Ak(*kh:k Ku1Ay#Cpzz;"9(/GR*zUK}(ge3VNa{Ar!Wge_7C@/q}yi&R+ ]Q%>5Mk[I2nX_Kȣ_xi +{.y@W4<< X1rnmŚ/JYy8q slžȾɅ0ʛQǒGЬg]#=Dz?|[23?n`jE@' @9\pۭঠϻ]O*-~kOW=Ms.nmG;yh#ֽ2"T_;Yo[췡^2C{6'K5}MoNDV)pF F^a%1zI]0vZ{DrjhN4psn ?g n􇖉$5sg\ԴZjRs?7/ð =""CУ*R%}a`_*V&K=# .=M^t f -ϡ'!pA>fJC Dk(xxmDv_ƴmBfpZT;i@18Lo9X,.#vR'Q+\ę}g_ p1iR {{[2gډ5 fu̿O6rFL3 O,O~f+g ԛn 4@[4XjڔSgJYmZxk9F@ B`:՞/kW63-#6O,5U,%O|^.c˃a.yCW]`b)WOM^D`yCOfƽ6op"7N! ީn'[]6Q+&Lia l ophd1ck+#P<틒ՍP~Pڄ!نI5h+>fim ; 1,;ԟ1l!JlMav; ^%5,l$9=ASh4OW5EXI% i[j9.KPRJVr.Q ?`n4ۭto8ZOe[V8ŷ-<>,D*9"[o %P)@EikA/?nwH3ۉd&%}YQ v.ymьU%$t|5(JrHqpC>~EE3`A^|eD${' FOnC>X의nTeΝƔQYɶz SO~n\(Coݒ6x}ҀO1Su Ыvl>cxH37cxQ||ӕU`7g#~"VœA6`0C3`܀}lI5Oyw죗iOJ D O[n'`wDl .3./Y& hWa!*e;1KLP`3"w6G}d ȑ(d}j6͜ԋO0xeҕhWɬnq;X?Y m-!+$~Il=bu-Wrcd+{f:eP EXtl+!R+Kei$Vit/ >ΐRjãXǸӭ [) qy6` <Щ0D\bXeܔ1농 ѨpCTVD'S^m'gymOEmE>qk2X#+v$п9V0|6,lp/>CwϏp`2uW^=͓ ɤ{%̅2 !δZxyU~ҥN.I,g`aQd+8*)ؐrkO`4bOP1,sQf7=MaN*)Asa#Dl [ApV/9LgѸ;" 㡺_0U9uUZ12Mo,gkV"K꺘#'yQs3=v=ǘ mr7q,r?],MclRc9zbfr癰W`0MZ.<'ȳ(`,Lv"VKjMΡmlpR!EfƲ 7cP.X-%B@w:S .x CG,$?ˋ}P byx ŧ$NS?|T+s+ Sq|}9k-]7{,sѓN/<|Xix0~']f(FRqO\|j8(>ub3 /=jptєŠҜ%!t4!ջl4ɊxYΟ0m\}!l4{n_M4jV*wV㛼VtƢI:6pz.yg;a+b(16lS24K_hjVJlxTʉY3z[q;f†[hh /b;f1Բw3Ct'