Post on 26-Feb-2016
TJX Breach
Ryan Paulsen, Chris Lafferty, Nilesh Nipane
What happened?
- Intruders gained access to credit card information between 2005 and 2007
- ~50 million credit and debit card numbers stolen; ½ million driver's license numbers and SSNs stolen
- Largest theft to date; the previous record was 1.5 million credit card numbers
What happened?
- WEP key cracked at the St. Paul Marshalls store
- Hackers monitored and gathered network traffic
- Gathered enough data to crack the encryption key for traffic destined for the central database
- Gathered usernames and passwords from the decrypted traffic
- Created accounts in TJX systems
What happened?
- Created accounts on the central database systems in Framingham, MA
- Gathered historical data from storage systems
  ▪ Used by TJX to track returns
- Installed a specially made sniffer tool ("blabla") that gathered credit card numbers before they were encrypted
  ▪ Hackers then logged into the systems and transferred the data files off of the system
- Stolen data used in a Wal-Mart gift card scam ($1 million)
Impact
- Monetary cost/loss for nearly all involved
- Customers may directly lose money, time, or other resources
- Banks lose customers or reputation points
- TJX loses substantial amounts of money
  ▪ Approximately $1.5 billion in fees, settlements, and new security measures mandated by the FTC
  ▪ More than $195 million in new security equipment and training
Impact
- Reputation/business costs
- Customer confidence
- Federal Trade Commission's response
- Ethical and policy implications/movements
- Ethical concerns of information protection, misuse of resources, privacy, etc.
Impact
- Impacts still being felt and analyzed…
- Legal issues / insufficiencies in legislation
- The full extent of these attacks and just how many systems were attacked by the same people (new cases are still being discovered today)
- The actions, and lack of actions, taken in response by other companies
Why did this attack succeed?
- A 2004 audit found TJX failing 9 of the 12 criteria for credit card merchants:
  ▪ Misconfigured wireless networks
  ▪ Poor antivirus protection
  ▪ Weak intrusion detection
  ▪ Easily crackable usernames and passwords
  ▪ Poor log maintenance
  ▪ Failed to install data encryption software
Why did this attack succeed? Initial Breach
- Due to deficiencies in the wireless network and the WEP encryption scheme
  ▪ WEP has been known to be broken since 2001 (FMS attack)
- Attackers collected data transmitted by the handheld devices used to communicate price markdowns and to manage inventory
  ▪ Used that data to crack the encryption key
Why did this attack succeed? Other Vulnerabilities
- Kiosks equipped with USB drives were located in many of TJX's retail stores
  ▪ Allowed direct access to the company's network and were not protected by a firewall
Aftermath: Criminal
- Feds tracked down and arrested 11 co-conspirators
- Discovered a credit theft ring known as "Operation Get Rich or Die Trying"
- Led by Albert Gonzalez
- Ring responsible for most major credit card thefts in the US
  ▪ Including the Homestead breach, which is now the largest of its kind
Aftermath: Legal
- Class action lawsuits
- TJX reluctant to disclose data on the breach
- Failed to detect the breach for 7 months, then took another month to disclose it
- Prosecutors hope to show negligence
- Watershed case: companies must now be more open and transparent about how they protect customer data
Making Systems Less Vulnerable
- PCI Security Standards Council Data Security Standard (DSS)
- Special recommendations for wireless networks published July 2009
- Covers best practices for processing credit card information around wireless networks
Making Systems Less Vulnerable
- Wireless Intrusion Detection/Prevention System (IDS/IPS)
- Investigate and classify wireless networks and their access to customer data
- Create automatic alerts for rogue wireless connections
- Response plans to remove rogue connections
Making Systems Less Vulnerable
- Filter wireless networks that do not need access to customer data with a firewall
- Do NOT use VLAN separation
- Monitor rules every 6 months
From Information Supplement: PCI DSS Wireless Guideline
Making Systems Less Vulnerable
- Protect wireless networks that transmit cardholder data
- Physical protection
  ▪ Secure access points so no one can reset them to factory defaults
  ▪ Make sure access points aren't stolen
  ▪ Don't store PSKs in obvious locations
Making Systems Less Vulnerable
- Protect wireless networks that transmit cardholder data
- Change default configuration
  ▪ Use enterprise mode when possible
  ▪ Do not advertise the company name in the SSID
  ▪ Only use SNMPv3
  ▪ Disable unnecessary ports and protocols
Making Systems Less Vulnerable
- Protect wireless networks that transmit cardholder data
- Logging and monitoring
  ▪ Store event logs for 90 days
  ▪ Maintain updates to the network topology
- Security
  ▪ Use AES when possible
  ▪ Use enterprise security when possible
  ▪ 13 character PSK
Making Systems Less Vulnerable
- Protect wireless networks that transmit cardholder data
- Encryption
  ▪ Use SSLv3 with 256 bit encryption
  ▪ Treat wireless networks as an outside network
From Information Supplement: PCI DSS Wireless Guideline
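The wireless IDS/IPS and configuration slides above amount to a checklist that can be run mechanically over an access-point inventory. The script below is an added example for this write-up, not code from the presentation or from the PCI Security Standards Council: it takes constructed access-point records of the kind a wireless controller or scanner export would contain (the field names are assumptions of this example), flags any BSSID that is not in the approved inventory as a rogue AP, and checks each AP against the guideline points listed on the slides (WEP in use, non-AES cipher, PSK instead of enterprise mode, PSK shorter than 13 characters, company name in the SSID, SNMP other than v3, factory-default configuration, fewer than 90 days of logs).

```python
"""Audit a wireless access-point inventory against the PCI DSS Wireless
Guideline points listed on the slides. Added example; not code from the
presentation or from the PCI SSC. Input records are constructed."""
from dataclasses import dataclass

MIN_PSK_LENGTH = 13          # slide: "13 character PSK"
MIN_LOG_RETENTION_DAYS = 90  # slide: "Store event logs for 90 days"


@dataclass(frozen=True)
class AccessPoint:
    """One AP as a controller or scanner might report it. The field names are
    assumptions of this example, not any real product's export schema."""
    bssid: str
    ssid: str
    security: str            # "OPEN", "WEP", "WPA2-PSK", "WPA2-Enterprise", ...
    cipher: str              # "RC4", "TKIP", "AES"
    snmp_version: int        # 1, 2 or 3
    psk_length: int          # 0 when no pre-shared key is configured
    default_config: bool     # still on factory settings / default admin credentials
    log_retention_days: int  # how long this AP's event logs are kept


def audit_ap(ap, authorized_bssids, company_name):
    """Return the list of finding codes for one AP; an empty list means it passes."""
    findings = []
    if ap.bssid.lower() not in {b.lower() for b in authorized_bssids}:
        # Wireless IDS/IPS: alert on any radio that is not in the approved inventory.
        findings.append("ROGUE_AP")
    if ap.security.upper() in ("OPEN", "WEP"):
        # WEP has been broken since 2001 (FMS attack); treat it as no encryption.
        findings.append("WEP_OR_OPEN")
    if ap.cipher.upper() != "AES":
        findings.append("CIPHER_NOT_AES")
    if "ENTERPRISE" not in ap.security.upper():
        findings.append("NOT_ENTERPRISE_MODE")
        if ap.psk_length < MIN_PSK_LENGTH:
            findings.append("PSK_TOO_SHORT")
    if company_name.lower() in ap.ssid.lower():
        findings.append("SSID_NAMES_COMPANY")
    if ap.snmp_version != 3:
        findings.append("SNMP_NOT_V3")
    if ap.default_config:
        findings.append("DEFAULT_CONFIG")
    if ap.log_retention_days < MIN_LOG_RETENTION_DAYS:
        findings.append("LOG_RETENTION_SHORT")
    return findings


def audit_estate(aps, authorized_bssids, company_name):
    """Map every observed BSSID (rogues included) to its list of findings."""
    return {ap.bssid: audit_ap(ap, authorized_bssids, company_name) for ap in aps}


# Constructed sample data for a stand-alone run.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
COMPANY_NAME = "examplemart"  # constructed; the name that must not appear in an SSID
SAMPLE_APS = [
    # A well-configured store AP: enterprise mode, AES, SNMPv3, defaults changed.
    AccessPoint("00:11:22:33:44:01", "pos-net-7", "WPA2-Enterprise", "AES", 3, 0, False, 90),
    # An approved AP that still looks like TJX's 2005 estate.
    AccessPoint("00:11:22:33:44:02", "ExampleMart-Store", "WEP", "RC4", 2, 5, True, 7),
    # A consumer AP nobody approved: the rogue the wireless IDS should alert on.
    AccessPoint("aa:bb:cc:dd:ee:ff", "linksys", "WPA2-PSK", "AES", 1, 8, True, 0),
]

if __name__ == "__main__":
    for bssid, findings in audit_estate(SAMPLE_APS, AUTHORIZED_BSSIDS, COMPANY_NAME).items():
        print(bssid, "PASS" if not findings else ", ".join(findings))
```

The finding codes are deliberately coarse so the output can be fed into the alerting and response plan the slides describe rather than read by hand. One caveat on the encryption slide: the SSLv3 recommendation reflects the 2009 guideline; SSLv3 has since been deprecated (RFC 7568, 2015), so an audit written today would require TLS 1.2 or later for the wired leg as well.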
Book Chapters
- Chapter 6 – Database Security
- Chapter 7 – Security in Computing
- Chapter 9 – Economics of Cybersecurity
- Chapter 10 – Privacy
- Chapter 11 – Cryptography Explained
Sources
- http://news.cnet.com/2100-7348_3-6169450.html
- https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf
- http://www.wired.com/threatlevel/2008/08/11-charged-in-m/
- http://www.wired.com/threatlevel/2009/07/pci/
- http://www.wired.com/threatlevel/2007/10/tjx-failed-to-n/
- http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1249421,00.html
- http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1245727,00.html
- http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1239711,00.html
- http://hardware.slashdot.org/article.pl?sid=07/05/05/1812254
- http://www.informationweek.com/shared/printableArticle.jhtml;jsessionid=AW4H134JQ43VXQE1GHOSKHWATMY32JVN?articleID=201400171
- http://www.wired.com/threatlevel/2009/06/watt/
- http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/