Being an employee of TJX its amusing to see what bad security practices they did before their major breach and still do after. For example very very poor password policy for the network, my mother could pick better passwords. Its a step up from their blank passwords and username and password being the same which they had in place before the breach. Not to mention they write the passwords down on a post-it note next to the computers and even write down what the password is used for.

Recently they started to add Cisco firewalls to their stores, its about time...but the technician from Fujitsu that came to one store did not know what he was doing. He said it was his first time setting up one of those firewalls, and then said he didn't know what he was doing and he thinks he set it up right. He even ended up asking a cashier about the computer's setup, as if he/she would know. Now judging from this does this sound like progress in securing a company's IT infrastructure?

Its good to know I never use anything but cash at their stores, but its hard to sleep at night knowing the same network stores my employee information. For all I know that information has already been picked cleaned by the hackers and company could have swept it under the rug. Looks like I'm looking for a new job =oD

Eesh! That's not what I'd like to hear. This is pretty timely... have you read this? http://www.darkreading.com/document.asp?doc_id=132200&WT.svl=news1_1

- RSnake
Gotta love it. http://ha.ckers.org

Yep read about that. From what I speculate is that the hackers sold the data to several parties for $1 or less per record just to unload their plunder and make some quick money and then disappear. The buyers then sold them to other people for a little bit more and so on. The digital trail of who got it from who is like following breadcrumbs in a bakery. It is going to be very difficult to know who actually did it unless someone does something stupid like slip up and brag or get caught doing something similar. Just to know that the stolen information is traveling the entire world from one continent to another shows how networked these criminal rings are and how hard it is to trace back anything to a single person or group of people. I think its a total waste of time trying to find out who it was. Just fix the damn problem (TJX's security) and move on with life, and of course cancel all accounts of yours that may have been breached. Its just a waste of resources to be doing a wild goose chase when there are bigger problems like the above post that pose a more immediate threat.



Edited 1 time(s). Last edit at 08/22/2007 11:33PM by CrYpTiC_MauleR.

same here with mcd.com.sg

McDonalds Singapore website sucks big time with a lot of vulnerabilities. Told them a few times, been hacked a few times, data wiped a few times, still no improvement on their security.

http://hackathology.blogspot.com

Some juicy info for discussion =oP...

Well the TJX stores use a central server where all registers, markdown equipment etc all communicate with wired or wirelessly. The server sadly is run under admin and has windows network shares not to mention a shitty password. One scary thing is that the server for some odd ass reason has Adobe PDF reader on it, as to why a server would need that I don't know, but the worst part is it is version 5.x. So who knows what other software including the OS is not up to date and protected. The company has told the press it is now PCI compliant but doesn't requirement 6 of PCI state that systems must be up to date with all vendor supplied security updates?

yucks!!

http://hackathology.blogspot.com

TJX has been having a new program with Mastercard for a TJX Rewards credit card. They will soon be going live in all stores to allow customers to get instantly approved for the card. Downside is the customers full info including social security number is entered into the cash register terminal. If they are not PCI compliant indicated from above posts, doing such an action would be very irresponsible, not to mention you will be giving your SSN to some part time teenage or college worker who in most cases has not even had a background check.

UPDATE to anyone interested: So the store I work at the password to remotely desktop to the store server before the breach was the same as the username, then after the breach it was changed to a variation of the old password. Today I learn that the password has been changed to a blank password. WTF?? You would think they would learn from their mistakes, I assume they must think now that they have the above mentioned firewall in place they don't need a strong password or they are just lazy. I am not sure if this is just an isolated incident within this specific store, but it goes to show that you can't trust a company to protect your information, esepcailly TJX. Today was a very sad day for me =o(

<sarcasm>Of course you don't need passwords, as long as you have a firewall you're A-OK!</sarcasm>

That is sad.. just really really sad.. I feel for you..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

I've spent half an hour trying to crack auth on something just to have it turn out blank; maybe they are just really hoping no one thinks they could be that dumb?

-id

Quote

I've spent half an hour trying to crack auth on something just to have it turn out blank; maybe they are just really hoping no one thinks they could be that dumb?

Is that really something you want to be bragging about? :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

As if you've never done a dumb thing....

-id

Quite often as a matter of fact.. Didn't we have a discussion about this 8 years ago where we decided "people are stupid"?

And after deciding that, we agreed that checking for a blank password should be within the first 3 steps of trying to break into a system? Yes, I know, you don't remember too much from those days due to your beer consumption habits. ;)

Actually, now that I remember, it wasn't 8 years ago, it was more recently and we were both quite inebriated. I think it was for a Chavez fight or something.. heh..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

CrYpTiC_MauleR said: "but it goes to show that you can't trust a company to protect your information"

And I would assume your disclosure of your company's inner server workings on the internet means that they can't trust employees to protect their information? >_>

by the sounds of it cRy Ptic is not a very wise person

Quote

by the sounds of it cRy Ptic is not a very wise person

And you make this statement because you think that identifying vulnerabilities and informing website owners of their faults is a bad thing?

Be weary of those you don't hear from, not those who let you know where your weaknesses lie.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

I totally agree but it does not sound like he is posting his findings to the owner, but posting in the open for everyone to see. just my thoughts, but if he were a true security professional he should help not hinder.

I told an executive loss prevention manager about the username being the same as the password months before the breach occurred, of course he didn't do anything. I am not an IT tech at this store just an average employee so my opinion or advice does not mean shit when I do tell people who have the power to make any changes. Me disclosing this does not mean I am trying to be a bad person, its just that I've done all that I could do and nothing more I can be done. Me disclosing this information also does not put the company in any more danger than they already are as we know for a fact those passwords are the most common tried passwords and if an attacker needs to read this post to figure that out then they need to try a different target. Whatever I discuss on this forum about the company has already been brought up with whoever I was able to raise the issue within the company. If TJX does not want to listen to common sense advice its not my fault, but they should not be painting a false sense of security to their employees and customers. Just my 2 cents.

Quote

I totally agree but it does not sound like he is posting his findings to the owner, but posting in the open for everyone to see. just my thoughts, but if he were a true security professional he should help not hinder.

Obviously, you're new to security. Let me tell you how things go for the majority of white/gray security experts in this world:

1) You discover vulnerability.
2) You disclose vulnerability to site owner.
3) You get ignored and/or get threatened with legal action.
4) Vulnerability never gets fixed.
5) You disclose publicly (BugTraq or other means)
6) Vulnerability magically gets fixed.

Funny enough, I just watched the movie Evan Almighty yesterday, and when he was yelling at everyone to get on the Ark it totally reminded me of the security world. We can tell people their site is vulnerable until we're blue in the face, but getting someone to do something about it that has no clue what we're talking about is almost next to impossible.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Quote

1) You discover vulnerability.
2) You disclose vulnerability to site owner.
3) You get ignored and/or get threatened with legal action.
4) Vulnerability never gets fixed.
5) You disclose publicly (BugTraq or other means)
6) Vulnerability magically gets fixed.

So true.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

And sometimes this magic fix is no better than magic quotes...

I don't want to get into a pissing match with you mate, but instead of stocking the shelves with the new spring fashion colours and designs, why dont you step up and apply for an IT position where it would seam your skills be best suited. By the sounds of it they could use your help and it sounds like you have solid skills.

and as "Thrill" so noted I must be new to security. spot on!

Cheers Gents! POB





If your enemy is secure at all points, be prepared for him. If he is in superior strength, evade him. If your opponent is temperamental, seek to irritate him. Pretend to be weak, that he may grow arrogant. If he is taking his ease, give him no rest. If his forces are united, separate them. If sovereign and subject are in accord, put division between them. Attack him where he is unprepared, appear where you are not expected.
- Sun Tzu

Quote

why dont you step up and apply for an IT position where it would seam your skills be best suited. By the sounds of it they could use your help and it sounds like you have solid skills.

It's not as simple as it would seem. Most times they're looking for certification, a degree, and "real" experience (which to them means working in their corporate world, and completing menial tasks).


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

AnDrEw - I dont want to put your theory down, but we all have to start somewhere. We can't all instantly become CEO's. If we want a position we need to work towards it. if you have no motivation and are happy servin up fries by all means keep up the good work see you at the drive thru mate. It seem like todays youth is into instant gratification. I know for myself and my peers we have all worked hard to get where we are, nothing was ever handed to us on a silver plater and we would have not expected it to be either.

ps I have no certs or degrees I am totally against them. If you want something bad enough you can obtain it. It all depends on what your goals in life are. it is a sad person who goes through life without any goals.

All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near. Hold out baits to entice the enemy. Feign disorder, and crush him.
- Sun Tzu

>> It's not as simple as it would seem. Most times they're looking for certification, a degree, and "real" experience (which to them means working in their corporate world, and completing menial tasks).

That how it is. I am still in college so n degree to back me up, and most IT jobs AFAIK ask for a min of a computer science degree and at least 3 years work experience. Not to mention I would rather not have an IT job at TJX. The companies only priority is to make money money and more money. They cut corners in so many places just to achieve that. Trying to get them to do sensible security implementations where the potential cost is more than $0 is asking them a lot. Their information security training for each store is an 'intrusion checklist' which managers have to do periodically. All they do is check them all off regardless if they were done or not. The companies information security training for employees is to just keep office doors locked,and shred office and register paper, training complete. Reason credit card and employment applications are left lying around outside of the offices, employees are putting passwords to computers on post-it notes on the monitor. to other careless things that training should have taken care of. The company wants to meet the bare min manpower on getting their information security at a presentable level for customers, employees and shareholders, so they can end up spending the least amount of money.

CrypTiC - take the lead mate! Step up to the plate and do something about it. I doubt there is a manager in any store that wants to be the cause of a breach. Write your findings down address them with the manager. Once you have documented this information and nothing seems to be being done of the situation fwd it on to HQ. I'm guessing with all the publicity over the last infraction they will take thing very seriously at a corp level. So with if they had a smart person like yourself at all the store stepping up and taking charge there would not be so many problems. Lead by example!!!

http://www.theregister.co.uk/2008/05/13/trio_accused_in_carding_scam/

Consider this some constructive criticism,

You have made some interesting posts, and sound like you might be skilled; and then there are the things you post which disprove that for instance, you have detailed knowledge
of user names and passwords, yet you are "just an average employee"
and it sounds like you don't have a workstation at TJX... Also, you talk of doing this and doing that to inform the "powers at be", you mention Loss Prevention
how about doing a whois on tjx.com and notifying the listed contacts who can be assumed to have control over the infrastructure; the numbers work I have even called them. Its a shame you did not think to do that first, as its the most logical thing to do. Further if you think your skilled apply your self and stop bagging groceries. I have told my friends the same thing, you are what limits you the most...


As a side note, someone mentioned notifying companies of their vulnerabilities. I could not disagree more. First of all, almost no-one will listen to anything someone just says. However, if you were to inform them that you know of their vulnerabilities, and offer your services as a consultant (remember a consultant is a highly trained, skilled and experienced professional who people will pay for advice, so stop giving it away ;). Do not misunderstand I am talking
about companies like TJX not vendors like Apache or MySQL. By all means that works with Apache and other software vendors, however not a retail chain or the other 90% of companies

Information Security is a highly skilled field that needs to pay the premium it is worth and that is deserved.

You would shit a brick if you knew how far you can go by being skilled, while not having a Degree or Certs. Balls in your court home-slice. Regards.


/me leads by example

>>yet you are "just an average employee"

I am at the same hierarchical level as a cashier, fitting room attendant etc would be, one of my roles involves me doing office work which requires access to a computer that involves connecting to the store server to handle tasks given. Reason I am aware of the password issues. The exec who I had told the first issue with was a regional exec for loss prevention, the department that handles internal and external theft of all kinds. I did not think doing a whois on tjx.com will yield a better contact. Those contacts are for the techs who handle the website, not the everyday security issues that the LP department has to handle. I'll take your advice and take another stab at trying to get these issues resolved, but I can't guarantee any success. I do plan on doing some extensive job hunting this week so hopefully that will have a better outcome. I appreciate the feedback on this guys and the encouragement to push on, thanks.

If you are serious about reporting this I dug this # up for ya mate (508)390-2164