The latest news about the TJX data breach—including that the thieves doubly circumvented encryption, both by having a copy of the software key and by grabbing data right before it could be encrypted—is sending shockwaves through the retail security world, as it should.
But the latest revelations also start to put TJX into a new light. Granted, there are still far too many unknown facts to establish whether or not TJX was a conscientious protector of consumer private data, but the latest information raises the possibility that it might indeed have been.
Industry speculation—coupled with MasterCard confirming that TJX was in violation of PCI rules—prompted suggestions that TJX had failed to encrypt data. It still may have failed to encrypt some data, but the companys federal filings reports of cyber-thieves circumventing TJXs encryption certainly implies that there was some, perhaps more so than had been assumed.
Suggestions that the theft of data several years old proved TJX was holding onto data far too long was undermined by the latest filing, which said that TJX routinely deleted data but that a rogue program the intruders planted on TJX systems captured and made copies of the data beforehand. The filing doesnt establish that TJX was indeed not retaining data too long, but it raises the possibility that it was acting quite properly.
That in turn raises a much more disquieting thought. What if it turns out that TJX had indeed been doing everything right the whole time? In other words, what if this proves to be much less of a case of TJX being careless and much more a case of the intruders being clever, resourceful and persistent?
In the words of former federal prosecutor—and currently managing director for FTI Consulting—Mark Rasch: “Its really easy to say that TJX screwed up. A more frightening thought is that they didnt.”
Before we get into the scary scenario that TJX IT managers were model IT citizens—which would truly mean that todays cyber-thieves could execute such a huge breach on any major retailer at any moment—lets take a look at the new details they revealed in their government filing.
As TJX has done throughout this situation, the company has issued a rather lengthy document, which seems to have lots of new details. In all fairness, it does deliver many new goodies. But for every new detail it reveals, it raises 10 more questions. Its like a bright young university student discovering that the more he learns, the more he realizes all that he doesnt know.
Before some reader calls me Grasshopper ($10 for the first reader who properly identifies that pop-culture reference), lets drill down. TJX reported that “we believe that the intruder had access to the decryption tool for the encryption software utilized by TJX.”
What was not addressed was how TJXs investigation came to that conclusion, nor any indications—or even theories—as to how the intruder came to have such access. Was it an inside job? Sources within the investigation suggest that it wasnt. Had the visitor obtained it somewhere, learned that it was for TJXs system and then decided to target TJX? Maybe.
A more likely scenario is that the intruder found the encryption key while engaged in the breach. This is made more likely because many retail IT departments will leave such encryption keys in the very same server that holds the encrypted data. Although thats convenient for the retailers IT staff, its also quite convenient for any intruder.
Getting back to whether TJX was practicing safe computing. The encryption key revelation doesnt actually shed much light. The attacker could have brilliantly obtained the key some other way or could have obtained the key in some brilliant way that no one would have expected to defend against. On the other hand, the key might have been left in an easily discovered file, perhaps even the default file used by the software installer. Without knowing the key particulars, theres no way to know.
Really great locks and
keeping the key under the mat”>
Next new revelation: the thieves grabbed transaction data before it could be encrypted, effectively sidestepping encryption security. This is hardly a new strategy, which is why most systems add substantial security to the system at that point. How hardened was TJXs? Again, without those details, its hard to assess whether TJX had defended itself appropriately.
There were new numbers about the size of the breach, but nothing materially changed. It was always known to be huge and this didnt change much.
The filing confirmed some things we had already reported, such as it was the Secret Service that had requested TJX to keep quiet and that, when discovered in mid-December, authorities believed the thief was still routinely accessing the servers, which meant they had a chance of laying a trap.
Lets set aside, for the moment, the role that TJX played. Given the tactics that TJX reported, what are the implications for retail IT execs? What does this mean for encryption procedures?
For Aberdeen retail analyst Sahir Anand, its a signal that procedures have to be re-examined. “There is no safe transaction environment for a customer. The whole notion of network security obviously needs to be revisited,” Anand said, “from the point of authentication to how the POS data is handled.”
Most industry observers, however, said that a less-dramatic change is needed. Simply adhering to safe computing procedures—including taking extreme precautions to safeguard encryption keys, such as storing them on separate non-networked hardware—and making sure encryption is never the only protection being used is probably adequate.
Ted Julian, vice president of strategy for Bedford-Mass.-based security firm Application Security, places himself in that in-between position.
“The emerging details of this (TJX) incident highlight the fundamental limitation of encryption,” Julian said. “While encryption has always been seductive as a silver-bullet security measure, it is at most a leg on the security stool. The other legs are vulnerability assessment—hardening databases against attack—and activity monitoring, to flag attacks, misuse and abuse.”
Former prosecutor Rasch agreed that encryption is still a crucial tool, but it needs to be considered just one tool among many. “Encryption creates a false sense of security,” he said.
The problem he cited is the tendency to store the keys on the same machine as the protected data. “Ideally, the key should be kept on a separate piece of hardware and used only when its needed. The keys typically are kept somewhere on the system,” which Rasch compared to “having really great locks and keeping the key under the mat.”
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop any time soon. He can be reached at [email protected].
To read earlier retail technology opinion columns from Evan Schuman, please click here.