I find this all very interesting! Everyone seems to have good points. But I don't think you can slam a company based on one stores laziness. It seems to me that according to recent news tjx has spent plenty in upgrading its security, but as with any company you are only strong as your weakest link, and that is always and I use this phrase loosely "stupid users". Mostly the users are either lazy, un-informed or as you have stated just not trained. I feel it is up to all of us as security professionals to educate the user community, of course I enjoy my job and I have the user community and people like yourselves to thank for keeping me employed.

So to cryptic try that number >>f you are serious about reporting this I dug this # up for ya mate (508)390-2164

I have tried it and it is a live # that gets you to a security response team.

I am very interested in what you find out. Keep us informed

--shorty (no fancy quote)

Quote

if you were to inform them that you know of their vulnerabilities, and offer your services as a consultant

Then the company you are contacting about their insecurities sees nothing but $ signs at the fact that they can actually sue someone that has some money for DMCA violations and reverse engineering their site.

In law terms, it's called "Ambulance Chasing", but at least the lawyers don't go to jail.

You need to remember the pride aspect. Everyone is proud of what they've built, and some take it personally when you point out the fact that they did it wrong. It takes a very big person to actually take the comments and/or advice from a total stranger, whether that stranger is JohnnyB.Hacker, or @Stake/Symantec. Performing unsolicited pen testing of any site (with the exception of MS Live) can get you in a lot of trouble, hence the reason why sites like this, or Security Focus maintain a certain level of anonymity. That way, PHB won't automatically sick the dogs on the researcher to get him arrested for breaking into his insecure site.

There's a few postings on this site having to do with ISPs and how all the modems are insecure.. one of their user's informed them of that fact, and what they did is threaten to have him arrested, and then disconnected his account..

We all fear what we do not understand, and the sad part is that there's only very few people in the world that actually understand security.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Touche, thanks for the tip. Methods and details aside however, my point is the same. Do not give security away that is bad for everyone. Breaches and consumer/confidential data are THE reasons there is any demand for Security Professionals.


I agree with the pride thing, it is unfortunate when someone take offense to the fact that someone purposes a different/better way to do something. I know people that have told thier employer that the firewall looks like swiss cheese, and gotten fired because they have been percieved to be a threat, even if it is only by knowing that security device configuration is not up to par. That type of publicity can take a large toll on a company for instance a bank or investment company.

Quote

and gotten fired because they have been percieved to be a threat

Okay, get ready to laugh.. in 1992 I got fired because I informed our IT manager that there was a virus on the file servers. After their investigation they fired me because "you connect to the internet with our modem pool and have rendered our network vulnerable to viruses"..

It was obvious they knew lots about computers, since the 'internet' I connected to, was a shell on a unix box, and they had their modem pools (anywhere remote) set up to not allow file transfers, so obviously I cut-n-pasted the virus I found and reported to them.. heh.. A week after I left, they got hit by an even worse virus.. I told them I did a "drive-by virus infection".. not sure if they believed me..

Anonymity, while it sounds cowardly, is the best approach when reporting vulnerabilities. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Yeah I was thinking about this too, I don't want to lose my job for reporting this in. Yeah its not like I went looking for a security hole, I just happened to need the info to login to the remote server for my job task and was shocked at the password used. I'm not sure if I will be punished for bringing to light the issue with the IT department. Yeah I agree there is a pride issue where a tech does not want to look stupid, I've had experience with that happening and I ended up getting burned in the end. Unfortunately anonymously reporting this will not work, since it would require me giving the store location which would then easily zero me out. Should I just leave this be or pursue getting it fixed? My honest opinion is it won't get fixed, or if it does get fixed some tech will change the password for convenience again. I mean why change it from a good password to a blank password in the first place? I'm sure the password issue is one of the least of the issues present.

I will talk with my contact, who is the head of IT compliance and business operations at a very large and well-known corporation, and get their opinion on the matters for you. My own experience with this is very limited, but being as I am familiar with the policy and enforcement aspects of Information Technology/Security have you signed any agreements during your employment there which would ultimately cause you to face termination for disclosing such information (not to us, but to the company)?


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

what do you care what the password is? you need physical access to the terminal to crack it regardless. TJX aren't really concerned that they're going to get hacked through that access point mate, they're concerned that their databases will get swiped and sold again. Just my 0.02

>>what do you care what the password is? you need physical access to the terminal to crack it regardless.

I'm not sure how the network is setup, but having a terminal with access to a server that has user accounts with blank passwords is a bad idea. No user account on a server or any computer that is linked to a computer handling register transactions should have a blank password. Honestly, no computer in a corporation that suffered the largest retail breach in history should have any user account with a blank password, there is just no excuse in my opinion.

Quote

what do you care what the password is? you need physical access to the terminal to crack it regardless.

I guess you've never heard of disgruntled employees.. people who would love the ability to install some sort of software that would allow them to record every transaction which later they could copy onto a memory stick.

Guess you should stick to posting bad things others say about RSnake.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Cryptic has once again faced the magical glass wall. for plainandboring i'll explain.

in security there is a "magical glass wall" somewhere between mid and high hierarchy. if your corp. is enterprisey compliant (and that's perphaps the only compliance rules they're strictly following) information *seems* to get into the higher level of hierarchy (ie : your average regional VP of insecurity makes some "hu, hu" sounds while blankly staring at you explaining *why* <insert random security loophoole here> is really *bad*)

but !

that's where the "magical glass wall" shows it's power. the information never made it through. like if there was a glass wall between you and him (and it fact, it was staring at you like at a monkey shoving a banana way up it's arse)
ey
rule #1 : you have to be in a position of power to be able to break the glass wall. IE : you have to be at least of equal hierarchical level of whoever you're talking to, hired consultant (and i did say consultant, contractors are treated like interns) counting being automatically of higher hierarchical position in within their area of expertise.

a simple exemple to back me up. i already told here about the plain shitty security we had at the large bank i worked a few month ago. they called me last week, for a full scale audit of the very same infrastructure i managed.

guess what ? in one week, the implemented each and every single correction i made in the final report (something like 40 pages of various shit). and i didn't even have to work for this one, i just had to write the report from the administration notes i had when i worked there, (that i of course had already transmitted to upper management, taking the glass wall with full force in the face)

being an all mighty consultant 1 / being the shitty contractor 0

more seriously, i think this have to do with the fact that spontaneously, people are affected by the "higher, smarter effect". you wouldn't take administration class from your local mexican cleaner, no ? what if the mexican cleaner is really a system engineer ?

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

@Malkav

You explain it exactly how it is, no one with power wants to take advice or listen to people lower on the food chain. My store manager does the same, when he/she had asked the associates to group up and come up with suggestions on improving our setup in our receiving dock. We all took about 30 mins of company time to discuss how to do it better and came up with some great ideas. What does the manager do when we tell each suggestion one by one? No, no, no, no, no... Fine with me, they wasted payroll on the discussion and in the end made it less cost efficient in how we received trucks in at the dock.

thrill Wrote:
-------------------------------------------------------
> what do you care what the password is? you need
> physical access to the terminal to crack it
> regardless.
>
> I guess you've never heard of disgruntled
> employees.. people who would love the ability to
> install some sort of software that would allow
> them to record every transaction which later they
> could copy onto a memory stick.
>
> Guess you should stick to posting bad things
> others say about RSnake.


Of course that's a possibility, but that has nothing to do with a blank password.. If he knows its blank, he'd know what the password was if there was one, because he would need it to perform the task (according to you, he's an employee). Thus all employees are potentially trying to defraud you, which is absurd. Even if one moron attempted to install malware on the machine, he would be caught and raped alive by the FBI - his timesheet would show his access to the machine, his usage would be logged, and I'm sure there is surveillance. To be perfectly honest, a good password is always nice, but 1) Physical access is required for the password to actually be truly effective in defense and 2) If they are attacked through the net side of things, then either a) another of their servers is compromised or b) their entire network/an adjacent computer is compromised or c) their machine is badly patched, and they will get owned just like anybody else. password or not, that's not what its really about, and you know it. You're just trying to to toot the "bad security" horn because you found something wrong. Cryptic, if you don't report it to your manager, then you should quit. No manager would fire you for saying "that computer doesn't have a password, shouldn't we set one up so that it's more secure?". Sure, he might say "who the fuck is going to walk in and use it aside from us", but you'll be prepared for that because I just raised the same point. One question: is the terminal within the general store area, or out in the administration/office area? In conclusion, a password is definitely a good idea, but its not a critical security flaw; only really a problem if a bunch of thieves broke in and stole data off the machine, in which case they're already fucked cause the thieves got in.. - report the problem and it will be remedied very quickly. I'd be more worried about their server flaws.. credit card leaks are terrible.

Quote

his timesheet would show his access to the machine, his usage would be logged, and I'm sure there is surveillance.

In the 2 1/2 years during the time they experienced their last break-in, can you tell me exactly what user/employee was working at what store and had physical access to the machines? If the program is written well enough, it could go undetected for months, or even years. All the while, the ex-employee would be sipping mai tai's in <insert tropical heaven of choice here>.

Quote

You're just trying to to toot the "bad security" horn because you found something wrong.

The only thing I found wrong was your in-ability to realize there are many different types of attacks. The vast majority of attacks today in the corporate world are "insider" attacks. But since you are SuperMegaSecurityGuru(tm), those types of attacks don't happen around you.

Quote

No manager would fire you for saying "that computer doesn't have a password, shouldn't we set one up so that it's more secure?"

Obviously, you failed to read the posting, but let me quote it for you:

Quote

I told an executive loss prevention manager about the username being the same as the password months before the breach occurred, of course he didn't do anything.

And just for reference, "Executive Loss Prevention Manager" > Store Manager, which also takes care of the part where you say "report it", and I'm sure if the weak username and password were not remedied "very quickly" as you mention, there's a pretty good chance that you might just have missed a few other things in this thread alone.

Aren't there any other postings talking crap about RSnake you could be cut-n-pasting? Because you are just simply FAILing at retail/corporate security.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

I ignored the first character attack, but that was too funny. I don't understand what you have against me thrill, nor care - that was a joke of a response, and I will treat it as such.

Quote

I told an executive loss prevention manager about the username being the same as the password months before the breach occurred, of course he didn't do anything.

Was the breach performed on that terminal with no user/pass? If not, who the fuck cares? Its like using encryption to store your passwords - its just one more layer to make the cracker work harder for it, but in all honesty if they want it hard enough they will get it; it is by no means a strong active form of security.

Quote

Obviously, you failed to read the posting, but let me quote it for you:

Obviously, you failed to read all of the postings, but allow me to quote one for you:

Quote

Yeah I was thinking about this too, I don't want to lose my job for reporting this in.

And

Quote

I'm not sure if I will be punished for bringing to light the issue with the IT department.

Or maybe

Quote

Unfortunately anonymously reporting this will not work, since it would require me giving the store location which would then easily zero me out.

Future tense thrill. You learn that in primary school. Right?

If we were to look at this from the perspective of only an employee attack, then the attack surface is limited. They would need access to a terminal facing the server or the server itself. They would need to know the password (or lack thereof). They would need permission to use the terminal. They would have been tasked with using the terminal at that time. They would be filmed. The server would log their actions (to the best of my understanding, unless TJX are completely useless). The attack would be narrowed down to 1 store, and if they manage to get a snort log running, they will know where the packets are going too. The fuckwit that then opens a backdoor for himself or sets up some logging on the server is asking for 10 years in prison for fraud, conspiracy to commit fraud, theft & unauthorised access to a computer, amongst other things. I never said the scenario couldn't be done, I just tried to make you aware that you'd need one insanely stupid person to do it. For the record, when making my second posting I hadn't realised that terminals were pointing to the server, but that isn't of huge importance. Thrill, drop you personal vendetta shit, I don't even fucking know you. Nor would I care to after that little show. Keep your shit to yourself and within pms so you can complain about me in private. Fucking pathetic.

@fragge

I'll tell you what I have against you:

1) You're an instigator. You like to bite the hand that feeds you. We are all trying to learn here, not attack RSnake's lack of prowess in writing Perl.

2) Your views on security are equal to a 14yo that has zero experience in the real world. The fact that you can say things like "what do you care if they use no password" means to me that you could give a rats ass about the security procedures at your workplace, which again shows a lack of experience in fixing these problems.

3) You seem to lack insight in the ease with which you can overcome wireless security. You claim that the attack surface is small if only the employees have access to this server, but you missed the fact that the cash registers not only connect to this server in a wired manner, but also wirelessly.

This is not a vendetta. I am simply pointing out the incredible flaws in your thinking.

Ignoring a problem does not make it go away. Just like walking by if you see a man hitting a woman. If you don't stop it, as a man should, then you are as culpable as the one hitting the woman. It's called cowardliness.

I applaud Cryptic_Mauler for even posting the information he did, it shows that he cares. His frustration in the lack of security at his workplace shows dedication and loyalty. There are plenty of unsavory characters that would have utilized this information for self gain. He on the other hand just wanted it fixed. And as Malkav pointed out, this is the conundrum the security community faces; Tell someone and lose your job, or shout it out from a mountain top and still end up jobless.

While it would be really nice to have the capabilities of pin-pointing every attacker, maybe you should take into consideration the break-in TJ Maxx had. They still have not caught the person(s) responsible, which again shows that you seem to live in a perfect world where bad deeds always get punished. Unfortunately for the rest of us, we do not live in that perfect world, and in our world, no good deed goes unpunished. It's the bad ones that we're still fighting against.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

1) I posted that because I found it humorous, and thought RSnake would also. I have NOTHING against RSnake.

2) The password problem was trivial in context to the attack surface presented; putting a complex password on the machine means zip, because they give the information to employees, who proportedly post it up on post-its around the office - this negates the purpose of a password, hence it is a very low form of security in this instance. If they want to wifi to their server, then thats their problem, they should know better than to leave their bank communications in the ether for anyone to sniff. The whole point around my post was that there were much bigger problems with TJX' security model than just a weak password.

3) I know very well how easily wireless security can be breached, but I didn't notice anywhere in the thread that the OP said they used wifi to connect to the server. If the server is handling personal user info, and the communications are handling this info, then TJX deserve another leak.

If you read all of my posts in this thread relating to the password issue, they are all alluding to the fact that the attack requires a breach of ANOTHER security protocol prior to actually getting to the password layer of protection; this is the major problem, and something you don't seem to understand. If an attacker (non-employee) can get physical access to a terminal/the server, then that's a big security breach on its own, and the password problem just makes it worse. If they are sitting in the shop somewhere, or out in the parking lot, hacking their wifi, then that's another security flaw and a huge security breach, prior to any password protection. You must realise that the password is only a last ditch effort at security in this circumstance, and that the real security must go into not even allowing an attacker the satisfaction of having physical/near-physical access to their machines. Its really "security in depth" in this case - they need to maintain a strong layer of physical security, and should keep their servers facing inline where possible, and keep that shit patched, firewalled and logged. I didn't mean to rub you the wrong way thrill, but I apologize if I came across as someone who disliked RSnake/people here.. I really had no idea that anyone thought that, but that is simply not the case.

As a side note, CrYpTiC you should probably notify your head of security to issue a memo to your employees at *your* store about leaving passwords on post-its - that is just stupid. How old are you CrYpTiC? I'm sure if one of/your manager was a smart, nice guy, you could probably bring a few of these security flaws to his attention and suggest cheap/free fixes that would immediately increase security, and make him look better to his boss. Might even get you off the registers ;)

@fragge

Apology accepted. And I apologize if I mistook your postings. As a personal friend of id and RSnake, I know how much shit they have to deal with in regards to not only this board, but also from the blog. And I also have a long history of giving stuff for free and having people just bitch and moan about crap when I wish to make a simple change that would save me a little money. Your postings struck a nerve with me for that specific reason. RSnake is not claiming to be a Perl god, but rather a person that is sharing his knowledge with those of us who do not share his level of understanding. That is something we should be grateful for, not nit-pick at how he accomplished what he set out to do, which was teach us a little something useful.

As for cryptic and his dilemma, it should be obvious that TJX needs to do EVERYTHING in it's power to prevent another breach, but from his posting I can tell that it is just not a priority to them.

Many years ago I made an analogy on retail establishments, and I think it is still fitting today; they can spend millions and millions in advertising, but will skimp out on hiring decent people, even though those minimum wage clerks are usually a customer's first real contact with the company. In short, they're spending their money in the wrong place.

Back in 1998 I was betting that once Y2k was over, everyone would focus on security. Unfortunately, I was wrong. The focus on security today still remains a distant second thought. Companies still rather "shut those who discover our flaws up" than spending the money on fixing the flaw.. it is unfortunate.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

For those who weren't already aware or didn't read the blog, he has been fired by TJX: http://ha.ckers.org/blog/20080522/tjx-whistle-blower/

- RSnake
Gotta love it. http://ha.ckers.org

I actually would like to apologize to Cryptic publicly. I already did it privately, but think that a public apology is warranted.

Cryptic, I really apologize for even thinking that these TJX people who posted to the boards had good intentions. I guess id was right when he said they were just trying to gather enough information to bring you down.

As I said in my PM, if you are thinking of moving to the California Bay Area and need a place to stay for a few months, you are welcomed at my place, rent free. Maybe my current employer could utilize your knowledge and we could get you a pretty nice job out here with a really good company that takes security very seriously.

In the mean time, whoever reads this and wants to get this on the front page of Digg, please go digg this article!!!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Bad luck CrYpTiC, although I already noted that your disclosure method (releasing internal information) was not in your company's best interests:

Quote

CrYpTiC_MauleR said: "but it goes to show that you can't trust a company to protect your information"

And I would assume your disclosure of your company's inner server workings on the internet means that they can't trust employees to protect their information? >_>

The firing would have been about your disclosure of internal security measures and server operations (NDA mate.. they make you sign it for a reason), as opposed to general security procedures that could be implemented. On the bright side, maybe they'll implement some of the changes they made you write down before they fired you.. Good luck in the future CrYpTiC, your talents were being wasted as a cashier my friend.

@CrYpTiC

That sucks man! I can't believe they fired you. Yet another example of management not understanding security risks and find it easier to pass the blame onto their employees. If I was rich I'd offer you a job

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Reality hurts sometimes, all you can do is hope they implement at least some of the measures you suggested. I wish you all the luck CrYpTiC.

I will never shop at any TJX store on the basis of this.
They should have listened to their employee and corrected their lame security practices.
It is sad that most company's have lame lame security.
I love then Joe Thomas's password is joe1.. or jthomas
I cant get over it.

I wrote a letter to TJX corp explaining they were wrong for not listening.
Thank you Cryptic for warning us all about the security at the TJMaxx store.
I will never shop there.. I now have possibly saved my own identity from being stolen due to you.
Thank you again and good luck in your job searches.

God, that is crazy! Bastards, real bastards!
I too will never shop there!
I hope your luck tuns CrYpTiC.

CrYpTiC (damn your name is a bitch to type), you might want to consider talking about this at the upcoming Defcon convention in Las Vegas. We got room in our hotel room for ya!

Good luck to you in the future

shorty461 Wrote:
-------------------------------------------------------
I find this all very interesting! Everyone seems to have good points. But I don't think you can slam a company based on one stores laziness.[/quote]


Actually, you can slam a company based on one store's laziness. It is not just the responsibility of the store itself to ensure that it is in compliance with today's standards. It is TJX's responsibility to ensure that there are proper security audits being completed to ensure regulations are adhered to and compliance with security policies and settings.

As long as Cryptic Mauler, (not that hard to type when you don't bother with all the AbCdEf typing, haha), made the appropriate attempts to advise his store of the issue...then the failure to address the issues is the stores fault. But, the lack of controls from TJX's corporate office can be dumped on the company all day long. Why aren't they mandating password policies? What does their security policy state for password compliance? Where are the audits to check compliance? Who is in charge of Information Assurance at the store level? What actions should be taken when a weakness is identified? All of these are things that should be addressed by TJX; and yet they obviously haven't learned their lesson yet. Which leads to another question....WTF is their CIO/CISO, etc doing?!?!?!?

--------------------------------------------------------
Regarding gun carry laws: I'd rather be judged by 12 than carried by six...

Interesting update on one of the criminals

http://news.cnet.com/8301-13739_3-10069776-46.html

-id

Someone needs to develop the Slipped Disk interrogation method. With as painful as this crap is, trust me, I'd even give you id's PIN and social if you asked.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

I don't think there was any violence used, he was probably offered a voucher and a 3 day sale http://www.scmagazineus.com/TJX-customers-get-vouchers-three-day-sale-as-part-of-breach-settlement/article/35826/ so that he could live a day in the shoes of his victims and see what they have to endure. Heck if British admins give up their passwords for a chocolate bar, why not?