TJX Intruders Sought Any Wireless Port In A Storm

With a new report that the TJX data breach began with wireless communications between handheld price checkers, IT is being reminded that "convenient" is usually code for "insecure maximus."

Throughout the five-month public history of the TJX data breach fallout, the industry has repeatedly tried to simplify it, to label one cause as the explanation, whether it was incompetent IT execution, an inside job, an open wireless port or some other clean explanation.

But the TJX situation is complex, complicated and defies a simple explanation, just as their intruders were a lot more sophisticated, creative, relentless, daring and professional than anyone in the industry wants to believe.

On Friday, the Wall Street Journal reported the TJX data breach started with a wireless breakin at a Minnesota Marshalls. The story went into remarkable detail about intercepted communications between wireless price-checking handheld units "during peak sales periods to capture lots of data."

The Journal reported that the cyber thieves then "used that data to crack the encryption code" and then they "digitally eavesdropped on employees logging into TJX's central database in Framingham and stole one or more user names and passwords. With that information, they set up their own accounts in the TJX system and collected transaction data including credit-card numbers into about 100 large files for their own access.

A 5-second glance at those latest details?assuming they ultimately prove to be true?has led many people to dismiss this as another wireless problem. The truth is that TJX offered intruders a generous smorgasbord of security holes, enabling the intruders to plant a trojan horse, steal an encryption key, sidestep less-than-diligently-monitored traffic logs and be able to grab credit card data before it was to be encrypted. So let's not paint TJX as security Eagle Scouts who happened to let their guards down on wireless.

That all said, the TJX Intruder Welcome Mat did start with a wireless hole and the wireless hole helped enabled the rest of the operation. Cyber thieves don't need much, especially when they're looking for any wireless port in a storm.

Reportedly, TJX had been slow to move to WPA and was still using WEP at the time of the breakins. If that was the sole offense here, TJX would be in good company, as major corporations?along with more than its fair share of retail chains?tended to be slow to upgrade wireless security.

A crucial reason for that is lack of understanding. Few managers took the time to understand how much the wireless network was accessing. Just because a unit is designed to do pricechecks, it was seen as innocuous. This has the same feel to it as when IT was remarkably slow to appreciate that intelligent network printers were wonderfully clever gateways to the rest of the network.

Why? Because for many years, printers were harmless. When they suddenly started getting a lot more CPU, hard-disk and RAM and became fully networked, it took years before the security threat sunk in.

Most retailers have a strong appreciation for wireless security challenges, but many revolve around looking for rogue wireless networks. Wireless security cameras are another example, with thieves having used them to "case" a retailer while sitting in their parking lot.

Theory: the TJX case is likely going to crack wide open by this summer. The laundry list of unanswered questions will get a lot shorter as the Massachusetts weather gets warmer. A U.S. House congressional hearing had been slated for May, but it's now slipped until at least June, according to one congressional aide working on the scheduling. But whether that hearing will take an aggressive stance and truly try and get closure on the most interesting unanswered questions is unknown.

The class-action lawsuits are also supposed to start getting discovery within a few months and the state Attorneys General probe can't really continue much beyond this summer. The incident was discovered in mid-December and all break-in activity pretty much stopped by early January. It's now five months later With no active suspects, it's questionable how much more time the probers would need.

The defining moment will be when TJX comes out from the shadows, calls a news conference and gets their side of this out. I'm not holding my breath, but if it's clear that they'll have to answer the questions publicly anyway, they might as well at least do it in their own forum.

The big-picture takeaway on this, however, is that the perpetrators of the TJX attack were doing exactly what every retailer is afraid they were doing. Planning a multi-staged attack, using a wide range of tools and tactics. In their attacks, they did what every retailer should have done in their defense: use multiple redundancy.

In other words, the attackers didn't assume that a particular tactic would work, so they had multiple backup plans. If only TJX had done the same, we wouldn't be having this conversation.