Data Auditing Blog View Mantra V5


Prat Moghe was the founding CEO of Tizor and led the company from 2002 to 2006 including driving the launch of its product into the data auditing market. Prat led Tizor through two financing rounds and established its security and compliance market strategy.

How did the TJX data breach happen? Part 1: Anatomy


Very few people actually know how the TJX breach happened. Here is the sequence based on Attorney Joel Lisker's testimony in US District Court (Master Docket No. 07-10162-WGY). Joel Lisker is the Senior Vice Chairman of Dudinsky Lisker & Associates, LLC. Previously he was the SVP for Security and Risk Management for MasterCard International.

As we see below, the attack itself happened in two phases. In Phase 1, the attacker penetrated the network and found the target - in this case, the stored Track 2 data - and managed to extract this data out of the TJX network. In Phase 2, the attacker installed software on the servers to capture all Track 2 data as it was being transacted. This data was subsequently retrieved without setting off any alarms.

Actual Sequence
The figures below show a highly simplified picture of the TJX infrastructure and illustrate the attack in steps.

Phase 1: Breach initiation
(1) The initial breach of the TJX system likely happened as a result of deficiencies in the wireless network used by TJX. At the time of the attack, TJX employed WEP wireless encryption at the store locations, an encryption scheme with known deficiencies. Part of the problem was that the network broadcast its SSIDs - the service set identifier name assigned to the wireless network by the administrator.
(2) After breaching the TJX wireless system, the attacker was able to gain administrative privileges to the RTS servers located at the TJX corporate headquarters in Framingham, MA. The RTS servers hold all cardholder data that is processed centrally for most TJX stores.
(3) Once the attacker had administrative privileges on the RTS servers, he was able to find historic Track 2 data improperly stored by TJX on these servers.
(4) The attacker then used FTP to copy this Track 2 data to another machine on the Internet, utilizing TJX's high-speed Internet connection.

Phase 2: Breach escalation
(5) Until this point, the attacker could only get at historical stored Track 2 data. Now it gets audacious. To get at new data, the attacker actually installed custom-written traffic capture software on the servers!
(6) The attacker used the software to record live TJX transaction data. The software tool was configured to extract the payment card track data from the transactions. This track data was then stored in the tool's log file, unpretentiously called just "log".
(7) The attacker used this tool to copy and extract Track 2 data from payment card transactions from May 2006 to December 2006.

The net impact of this attack?
An estimated 100 million unique account numbers were likely affected by the breach, of which one attack alone compromised 42 million payment cards (12 million MasterCard cards and over 25 million Visa cards).

In the next post, I will outline security technologies that could have caught the TJX breach in action.

Posted by Prat Moghe on Wed, Apr 16, 2008 @ 01:20 PM

COMMENTS

Any word on how they gained access to the RTS servers? Just because they got on the network doesn't mean they necessarily had access to log into anything on the network.

posted on Saturday, May 10, 2008 at 11:36 PM by CG


A few questions.
1) How did the attackers gain admin privileges in #3? This seems like a huge breakdown, as bad as using WEP encryption, and begs clarification.
2) How were TJX stores connected back to the datacenter? Just an open VPN connection with no traffic limitations? For example, just allowing ports for transactions to the RTS servers could have greatly limited the exposure. I'm just curious if that really was wide open and trusted.
3) In #1, I'm not sure I would say that broadcasting the SSID was really part of the problem. Someone skilled enough to supposedly custom write a sniffer and go to this length would defeat a hidden SSID in moments. It might have reduced their risk a little bit, but SSID broadcasting doesn't impact the security of the wireless network.

posted on Monday, May 12, 2008 at 9:38 AM by LonerVamp

