BreachExchange mailing list archives

Re: TJX breach shows that encryption can be foiled


From: "Sean Steele" <SSteele () infolocktech com>
Date: Tue, 3 Apr 2007 14:31:36 -0400

James,

You pose some interesting questions re: what other regulations TJX is
likely non-compliant with -- as a public company, I'd guess their SOX
404 controls should be examined. GLBA may come into play, though they're
not a finsrv company.

Who is their PCI-DSS auditor and are the results of their most recent
audit either able to be requested or legally discoverable outside a
lawsuit?

The PCI Security Standards Council is a private, non-profit
organization, so FOIA can't be used to force disclosure from them,
correct?

FWIW, I was a victim of this breach. I had my debit card re-issued by my
bank this week. It's the first one of 2007 for me ;-(

--
Sean Steele, CISSP
infoLock Technologies
703.310.6478  direct
202.270.8672  mobile
ssteele () infolocktech com

-----Original Message-----
From: James Childers [mailto:james () iqbio net] 
Sent: Tuesday, April 03, 2007 2:20 PM
To: B.K. DeLong; Sean Steele
Cc: dataloss () attrition org
Subject: RE: [Dataloss] TJX breach shows that encryption can be foiled

From what I understand extended retention of Track 2 data along with CVV
(as evidenced from some media reports) is strictly against PCI-DSS
standards - especially when they were also capturing driver's license and
address details and coordinating these records in a single database.
Perfect tool for ID thieves if you ask me...

Are there any other regulatory penalties or fines (other than PCI
non-compliance) that TJX could get hit with?  What safeguards should be
put in place to prevent this stupidity in the future?

WRT cryptography - once the database is "decrypted" and available for
viewing in raw form on any terminal, it can be captured quite easily
with a trojan or any other logger.  From what I have been able to gather
they were using a proprietary system of PKI and not maintaining a good
key management system.   

Does anyone else have other data?  Were they using strictly SW
encryption or were they using a hardware token?  Single factor?
Multi-Factor authentication?  Local or remote storage of keys?  Terminal
emulation, Windows server, Linux, SQL, Etc...

Any data would be helpful.

James (Jim) Childers
President / Owner
Artemis Solutions Group (USA)
BioCert(r) - iQBio(tm) - BioSaf(r)
www.iqbio.com 
USA Headquarters
PO Box 403
1635 East Main Street
Suite A-8 
Freeland, WA 98249
Phone - (360) 331-1071 X-2101


-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of B.K. DeLong
Sent: Tuesday, April 03, 2007 10:47 AM
To: Sean Steele
Cc: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

I think Andy's got it covered but I'm confident the amount of data
(including Track 2) they were retaining was above and beyond the
PCI-DSS maximum; especially with such a failure cryptography-wise.

On 4/3/07, Sean Steele <SSteele () infolocktech com> wrote:
I'm familiar with PCI-DSS standards for DAR encryption for cardholder
information, but less sure of retention requirements.

Does anyone know conclusively if TJX was simply retaining cardholder
data per regulations?

-Sean

-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of DAIL, ANDY
Sent: Tuesday, April 03, 2007 9:49 AM
To: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled



I don't care if you're using 1024 bit encryption with an atomic
booby-trap, there is no business reason to retain that much card data
for such a long period after authorization. Especially magnetic track
data!!

In the final analysis, if the data were not being retained, the data
could not be stolen.

TJX is a perfect case-in-point of a retailer who is afraid to purge
historical data, or does not spend the effort to triage the data to
determine what is obsolete.  Data Management policy anyone?



-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of Chris Walsh
Sent: Monday, April 02, 2007 5:42 PM
To: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled



On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote:

It should make for a short list of suspects, assuming TJX was doing a
reasonable job of key management...

That (reasonable key management) is a critical assumption.

I'd be interested in learning what algorithm (and implementation
thereof) they were using, as well.

Not holding my breath on that info :^)

cw
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 203 million compromised records in 609 incidents over 7 years.




-- 
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org


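The thread's two complaints are that TJX kept sensitive authentication data (Track 2 and CVV) after authorization and kept card records far longer than any business need. As an added example, not code from this thread or from any of its posters, here is a small audit-and-purge routine that checks stored records for both problems. The record layout, the field names, the 90-day retention window, and the sample records are all assumptions constructed for the example; the card numbers are the usual public test PANs.

```python
"""Added example (not from the thread): audit stored card records for the two
problems the list discusses -- sensitive authentication data (Track 2 / CVV)
kept after authorization, and records retained past a business-need window.
Record layout, field names and the retention window are assumptions."""
import re
from datetime import date

# Track 2 as written on the magnetic stripe: optional ';' start sentinel,
# PAN (13-19 digits), '=' separator, YYMM expiry, 3-digit service code,
# discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; cuts false positives on digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(blob: str) -> list[str]:
    """Return the PANs of any Track 2 images found in an arbitrary stored
    string (a log line, a free-text column, a debug dump)."""
    return [m.group(1) for m in TRACK2_RE.finditer(blob) if luhn_ok(m.group(1))]


def audit(records, today, retention_days):
    """Classify each record. Returns a list of (record_id, reason) findings."""
    findings = []
    for rec in records:
        if rec.get("cvv"):
            findings.append((rec["id"], "cvv retained after authorization"))
        if rec.get("track2") or find_track2(rec.get("raw", "")):
            findings.append((rec["id"], "track2 retained after authorization"))
        age = (today - rec["authorized"]).days
        if age > retention_days:
            findings.append((rec["id"], f"older than retention window ({age} days)"))
    return findings


def purge(records, today, retention_days):
    """Enforce the policy: drop expired records and strip SAD from the rest.
    Returns new record objects; the inputs are left untouched."""
    kept = []
    for rec in records:
        if (today - rec["authorized"]).days > retention_days:
            continue
        clean = {k: v for k, v in rec.items() if k not in ("cvv", "track2")}
        if "raw" in clean:
            # Redact any stripe image hiding in free text (regex only, no
            # Luhn filter: redaction can afford to be conservative).
            clean["raw"] = TRACK2_RE.sub("[TRACK2 REMOVED]", clean["raw"])
        kept.append(clean)
    return kept


# Constructed sample data (assumption): three post-authorization records.
TODAY = date(2007, 4, 3)
RETENTION_DAYS = 90  # assumed business-need window
SAMPLE_RECORDS = [
    # Authorized four days ago, but the full stripe image and CVV were kept.
    {"id": 1, "authorized": date(2007, 3, 30), "pan_last4": "1111", "cvv": "123",
     "track2": ";4111111111111111=08121010000000000000?", "raw": ""},
    # Compliant: PAN masked, no SAD, inside the retention window.
    {"id": 2, "authorized": date(2007, 2, 1), "pan_last4": "4444", "raw": "ok"},
    # SAD hiding inside a free-text/log column, and over two years old.
    {"id": 3, "authorized": date(2004, 12, 24), "pan_last4": "0005",
     "raw": "POS debug: ;378282246310005=0912101..."},
]

if __name__ == "__main__":
    for rid, why in audit(SAMPLE_RECORDS, TODAY, RETENTION_DAYS):
        print(f"record {rid}: {why}")
    print("surviving after purge:", [r["id"] for r in purge(SAMPLE_RECORDS, TODAY, RETENTION_DAYS)])
```

The audit side is what an assessor or an internal data-management review would run over a store; the purge side is Andy's point in code: a record that is not there cannot be stolen, and a record that survives has nothing on it that would reconstruct a stripe.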

