May 7th, 2007
TJX's failure to secure Wi-Fi could cost $1B
The news of the TJ Maxx data breach has rocked the retail and banking industry, and many estimate that it will cost hundreds of millions or even a billion-plus dollars in financial damage. It was already widely reported back in March that the TJ Maxx breach was probably due to an insecure wireless network, but the Wall Street Journal is now reporting that it happened outside of a St. Paul, MN, Marshalls discount store in July 2005 (Marshalls is owned by TJX Cos.). The WSJ reports that investigators believe the hacker used a laptop and a telescope-shaped antenna.
Joseph Pereira of the WSJ writes:
The $17.4-billion retailer's wireless network had less security than many people have on their home networks, and for 18 months the company — which also owns T.J. Maxx, Home Goods and A.J. Wright — had no idea what was going on. The hackers, who have not been found, downloaded at least 45.7 million credit- and debit-card numbers from about a year's worth of records, the company says. A person familiar with the firm's internal investigation says they may have grabbed as many as 200 million card numbers all told from four years' records.
[Update 4:45AM - While Pereira cited research firm Forrester's estimate, Boston.com quotes a $1.35 billion estimate from Forrester. Others like Dark Reading are reporting that the fine could be as high as $4.5B.
IPLocks, a compliance and database security company, is basing the estimate on the accumulated costs of fines, legal fees, notification expenses and brand impairment, according to Adrian Lane, the company's chief technology officer. He added that $100 per lost record is an average figure for major data breaches, but they calculated expenses particular to TJX and came out with the same figure.
The Ponemon Institute, a think tank focused on record privacy and data protection, expects the TJX breach costs to be even higher. They cite costs in the range of $182.00 per record, based on research from November 2006 of the cost of breaches incurred in 31 separate incidents. For TJX, this translates to $8.6 billion.]
WEP was originally demonstrated to be broken back in 2001; it was broken even worse, by a factor of 20, in early 2005, and then broken again by another factor of 20 last month by German researchers. WEP 104-bit encryption can now be cracked in under a minute on an 802.11g network using active ARP-replay packet-injection techniques. Since the TJX breach started around mid-2005, the attackers could easily have cracked the network within half an hour using second-generation WEP cracking tools.
What's most alarming about this is that most of the major retailers during that time were running WEP, and many are STILL running some form of WEP. There's no reason to believe the same attackers didn't try this sort of attack on many other retailers and aren't still actively attacking networks today. Many businesses and organizations, including hospitals, are STILL running WEP or some other useless form of security. Some are running a slightly better enterprise version of WEP, which uses per-session, per-user dynamic keys that supposedly rotate every hour, but even that's worthless since third-generation WEP cracking tools can break WEP in under a minute.
When I worked as a security consultant for major retailers and organizations during 2004 to 2005, I knew this was a time bomb waiting to go off because the vast majority of businesses and retailers were running bad wireless LAN security with blatantly weak security. Many businesses refused to fix their security and refuse to this day, through a combination of ignorance and denial. Some businesses and retailers listened and upgraded their security to WPA; others flat-out refused. I actually had one client go the extra mile to buy all-new WPA-capable equipment, only to be told in the end that they would only implement WEP because that was the "standard" their corporate headquarters used.
Getting people to upgrade their security and educating them was hard enough as it was, but the fact that many security professionals and security training courses are still recommending the worst kinds of wireless LAN security exacerbated the situation. I've done my best to spread the word about wireless LAN security, and even published a 10-article Guide to enterprise wireless LAN security, which is basically a free eBook. It is essential that businesses and organizations implement the kind of security I describe in my enterprise guide.
For homes and small home offices, wireless LAN security can be summed up in a single paragraph. All you need to do is use WPA-PSK security with a RANDOM alphanumeric pass-phrase that has a MINIMUM of 10 characters. I estimated that a truly random alphanumeric 10-character WPA-PSK pass-phrase would take one thousand modern single-core PCs working in parallel 500 years to crack. If your hardware doesn't support WPA mode, you can almost always get a free software/firmware upgrade to support it. If the hardware can't be upgraded, businesses can't afford a breach in their data security and they must buy WPA-compliant gear regardless of the cost. Cost shouldn't ever be used as an excuse to have poor security, and it won't help you in court when you're getting sued. WPA-compliant access points and wireless cards can be acquired for less than $50 per device.
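An added example, not from the original article, that puts the home-network advice above into code: it draws a random alphanumeric pass-phrase from the OS CSPRNG, checks it against the 10-character minimum, computes its entropy and the time an exhaustive search would take at an assumed guess rate, and derives the WPA-PSK master key the way WPA does (PBKDF2-HMAC-SHA1 keyed by the SSID, 4096 iterations, 32 bytes). The guess rate and SSID are assumptions chosen only to reproduce the article's order of magnitude.

```python
import hashlib
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols
MIN_LENGTH = 10            # the article's minimum for a random WPA-PSK pass-phrase
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_passphrase(length: int = 16) -> str:
    """Draw each symbol from the CSPRNG; refuse anything below the minimum."""
    if length < MIN_LENGTH:
        raise ValueError(f"pass-phrase must have at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def check_passphrase(passphrase: str) -> list:
    """Return the reasons a pass-phrase fails the advice (empty list = OK)."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA requires 8 to 63 characters")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in passphrase):
        problems.append("WPA pass-phrases must be printable ASCII")
    return problems


def entropy_bits(passphrase: str, alphabet_size: int = len(ALPHANUMERIC)) -> float:
    """Entropy of a pass-phrase chosen uniformly from alphabet_size symbols."""
    return len(passphrase) * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every pass-phrase of the given entropy at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same pass-phrase yields a different key per network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    pp = generate_passphrase(12)
    # Assumed rate: 1000 PCs at 53,000 guesses/s each (constructed, not measured).
    years = years_to_exhaust(entropy_bits("x" * 10), 1000 * 53_000)
    print(pp, f"{entropy_bits(pp):.1f} bits", check_passphrase(pp))
    print(f"10-char search at the assumed rate: {years:.0f} years")
    print("PMK for assumed SSID 'home-ap':", derive_pmk(pp, "home-ap").hex())
```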
George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.