    The Nightmare Scenario: What If TJX Did Everything Right?

    By
    Evan Schuman
    -
    March 30, 2007

      The latest news about the TJX data breach—including that the thieves doubly circumvented encryption, both by having a copy of the software key and by grabbing data right before it could be encrypted—is sending shockwaves through the retail security world, as it should.

      But the latest revelations also start to put TJX into a new light. Granted, there are still far too many unknown facts to establish whether or not TJX was a conscientious protector of consumer private data, but the latest information raises the possibility that it might indeed have been.

      Industry speculation—coupled with MasterCard confirming that TJX was in violation of PCI rules—prompted suggestions that TJX had failed to encrypt data. It still may have failed to encrypt some data, but the company's federal filing, which reports cyber-thieves circumventing TJX's encryption, certainly implies that there was some, perhaps more than had been assumed.


      Suggestions that the theft of data several years old proved TJX was holding onto data far too long were undermined by the latest filing, which said that TJX routinely deleted data but that a rogue program the intruders planted on TJX systems captured and made copies of the data beforehand. The filing doesn't establish that TJX was indeed not retaining data too long, but it raises the possibility that it was acting quite properly.

      That in turn raises a much more disquieting thought. What if it turns out that TJX had indeed been doing everything right the whole time? In other words, what if this proves to be much less of a case of TJX being careless and much more a case of the intruders being clever, resourceful and persistent?

      In the words of former federal prosecutor—and currently managing director for FTI Consulting—Mark Rasch: “It's really easy to say that TJX screwed up. A more frightening thought is that they didn't.”

      Before we get into the scary scenario that TJX IT managers were model IT citizens—which would truly mean that today's cyber-thieves could execute such a huge breach on any major retailer at any moment—let's take a look at the new details they revealed in their government filing.

      As TJX has done throughout this situation, the company has issued a rather lengthy document, which seems to have lots of new details. In all fairness, it does deliver many new goodies. But for every new detail it reveals, it raises 10 more questions. It's like a bright young university student discovering that the more he learns, the more he realizes all that he doesn't know.

      Before some reader calls me Grasshopper ($10 for the first reader who properly identifies that pop-culture reference), let's drill down. TJX reported that “we believe that the intruder had access to the decryption tool for the encryption software utilized by TJX.”

      What was not addressed was how TJX's investigation came to that conclusion, nor any indications—or even theories—as to how the intruder came to have such access. Was it an inside job? Sources within the investigation suggest that it wasn't. Had the visitor obtained it somewhere, learned that it was for TJX's system and then decided to target TJX? Maybe.

      A more likely scenario is that the intruder found the encryption key while engaged in the breach. This is made more likely because many retail IT departments will leave such encryption keys on the very same server that holds the encrypted data. Although that's convenient for the retailer's IT staff, it's also quite convenient for any intruder.

      Getting back to whether TJX was practicing safe computing. The encryption key revelation doesn't actually shed much light. The attacker could have brilliantly obtained the key some other way or could have obtained the key in some brilliant way that no one would have expected to defend against. On the other hand, the key might have been left in an easily discovered file, perhaps even the default file used by the software installer. Without knowing the key particulars, there's no way to know.

      Really great locks and keeping the key under the mat

      Next new revelation: the thieves grabbed transaction data before it could be encrypted, effectively sidestepping encryption security. This is hardly a new strategy, which is why most systems add substantial security to the system at that point. How hardened was TJX's? Again, without those details, it's hard to assess whether TJX had defended itself appropriately.

      There were new numbers about the size of the breach, but nothing materially changed. It was always known to be huge and this didnt change much.

      The filing confirmed some things we had already reported, such as it was the Secret Service that had requested TJX to keep quiet and that, when discovered in mid-December, authorities believed the thief was still routinely accessing the servers, which meant they had a chance of laying a trap.

      Lets set aside, for the moment, the role that TJX played. Given the tactics that TJX reported, what are the implications for retail IT execs? What does this mean for encryption procedures?

      For Aberdeen retail analyst Sahir Anand, its a signal that procedures have to be re-examined. “There is no safe transaction environment for a customer. The whole notion of network security obviously needs to be revisited,” Anand said, “from the point of authentication to how the POS data is handled.”

      Most industry observers, however, said that a less-dramatic change is needed. Simply adhering to safe computing procedures—including taking extreme precautions to safeguard encryption keys, such as storing them on separate non-networked hardware—and making sure encryption is never the only protection being used is probably adequate.

      Ted Julian, vice president of strategy for Bedford, Mass.-based security firm Application Security, places himself in that in-between position.

      “The emerging details of this (TJX) incident highlight the fundamental limitation of encryption,” Julian said. “While encryption has always been seductive as a silver-bullet security measure, it is at most a leg on the security stool. The other legs are vulnerability assessment—hardening databases against attack—and activity monitoring, to flag attacks, misuse and abuse.”

      Former prosecutor Rasch agreed that encryption is still a crucial tool, but it needs to be considered just one tool among many. “Encryption creates a false sense of security,” he said.

      The problem he cited is the tendency to store the keys on the same machine as the protected data. “Ideally, the key should be kept on a separate piece of hardware and used only when it's needed. The keys typically are kept somewhere on the system,” which Rasch compared to “having really great locks and keeping the key under the mat.”
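      To make Rasch's "key under the mat" point concrete, here is an added example (it is not code from the article, from TJX, or from any of the experts quoted). It contrasts the two layouts the column describes: a data key left in a file beside the ciphertext on the same server, versus a per-batch data key that is wrapped by a key-encryption key living on separate hardware and unwrapped only when needed. The `KeyHolder` class, the file names, and the sample card record are all constructed for illustration; `KeyHolder` stands in for an HSM or key-management service, and because Python's standard library ships no AES, `seal`/`open_` are a toy authenticated cipher built from HMAC-SHA256 (a CTR-style keystream with encrypt-then-MAC) that should be replaced by AES-GCM from a real library in any real system.

```python
# Added example, not the article's or TJX's code. KeyHolder stands in for
# separate, non-networked key hardware; seal()/open_() are a toy HMAC-based
# authenticated cipher used only because the standard library lacks AES.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: HMAC(enc_key, nonce || counter) blocks."""
    blocks: List[bytes] = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        msg = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(enc_key, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered blob raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered ciphertext")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyHolder:
    """Hypothetical stand-in for an HSM/KMS on separate hardware. It holds the
    key-encryption key (KEK), wraps and unwraps per-batch data keys (DEKs) on
    request, never releases the KEK, and logs every unwrap so that unexpected
    callers can be flagged (the activity-monitoring leg Julian describes)."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self.unwrap_log: List[str] = []

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap(self, wrapped_dek: bytes, caller: str) -> bytes:
        self.unwrap_log.append(caller)
        return open_(self._kek, wrapped_dek)


def store_key_under_the_mat(records: bytes) -> Dict[str, bytes]:
    """The layout the column criticises: the DEK sits in a file on the same
    server as the ciphertext. Returns the files an intruder could copy."""
    dek = secrets.token_bytes(32)
    return {"txn.db": seal(dek, records), "key.bin": dek}


def store_with_separate_hardware(records: bytes, holder: KeyHolder) -> Dict[str, bytes]:
    """Rasch's recommendation: the data server keeps only a wrapped DEK; the
    KEK stays on the holder and the plain DEK exists only while in use."""
    dek = secrets.token_bytes(32)
    files = {"txn.db": seal(dek, records), "key.wrapped": holder.wrap(dek)}
    del dek  # used only when needed, then discarded
    return files


def intruder_reads_snapshot(files: Dict[str, bytes]) -> Optional[bytes]:
    """An intruder who copied every file off the data server but cannot reach
    the key holder. Returns the plaintext if the snapshot alone is enough."""
    if "key.bin" in files:
        return open_(files["key.bin"], files["txn.db"])
    try:
        # The wrapped DEK is just ciphertext under the KEK; treating any part
        # of it as the data key fails the MAC check.
        return open_(files["key.wrapped"][:32], files["txn.db"])
    except ValueError:
        return None


def settlement_batch_reads(files: Dict[str, bytes], holder: KeyHolder) -> bytes:
    """Legitimate use: unwrap through the holder (logged), decrypt, move on."""
    dek = holder.unwrap(files["key.wrapped"], caller="settlement-batch")
    return open_(dek, files["txn.db"])


if __name__ == "__main__":
    sample = b"4111111111111111|2009-04|123"  # constructed sample record
    print("key under the mat:", intruder_reads_snapshot(store_key_under_the_mat(sample)))
    holder = KeyHolder()
    files = store_with_separate_hardware(sample, holder)
    print("separate hardware:", intruder_reads_snapshot(files))
    print("legitimate read:", settlement_batch_reads(files, holder), holder.unwrap_log)
```

      The difference the example shows is the one Rasch draws: in the first layout a copy of the server's disk is the whole breach, while in the second the intruder still has to reach the key holder, and every use of the key leaves a log entry that a monitoring team can compare against the expected batch jobs. It does not address the other tactic in the filing, capturing data before it is encrypted, which no key-storage arrangement defends against.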

      Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn't plan to stop any time soon. He can be reached at Evan_Schuman@ziffdavis.com.


