May 07 2007
A couple of months ago I was in Massachusetts, driving down the road when Mitchell pointed out the window and said, “There’s the TJX building.” And there it was, fully visible from the highway with the corporate logo on the side of the building. All the talk the last couple of months and I finally got to see where the TJX compromise really happened. It definitely changes your perspective to see a place in the real world that you’ve only read about previously.
I can see how easy it would be to war drive the TJX building. We were on a main freeway and passed within a couple of hundred yards of the building. I can only guess that there would be a main street on the other side of the buildings, and it probably wouldn’t be all that hard to sit on the street sniffing the wireless traffic, which is apparently very close to what happened. TJX was using WEP encryption on their access points, even after they knew it was a cracked technology. I guess they didn’t understand how completely they were vulnerable.
There are at least a couple of databases of access points discovered from war driving that I know of, and I’m certain there are some only the hackers use. I can imagine that TJX’s previously insecure access point was in at least one of these databases, which would make finding and targeting it a breeze. With a good yagi antenna, the hackers wouldn’t even have to be that close to the actual access point. There were several buildings in the TJX area that were stories taller and would have made good wireless attack points with a yagi. If TJX was really using WEP, there are several tools that could easily have broken the encryption within a day, maybe less.
I hope other businesses that are still using WEP or no encryption on their wireless networks read about this. It’s one thing to have the convenience of wireless; it’s another thing to share it with someone who wants to steal your credit card data. Another point the auditors made in the TJX review is that the wireless network was basically part of the wired network, with no firewalls or other layers of security between the two. This is basic network architecture, which should have been in place if the network was set up by a security professional.
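To make the segmentation point concrete, here is an added example (my own illustration, not anything from the TJX audit) that evaluates two constructed firewall rule sets the way a zone-based firewall would: a flat network where the wireless segment sits on the same LAN as everything else, and a segmented one where wireless clients can only reach the point-of-sale application port. The zone addresses, port numbers and rule sets are all made up for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan for the example; nothing here reflects a real network.
ZONES = {
    "wireless":   ip_network("10.10.0.0/16"),   # store Wi-Fi clients and APs
    "pos":        ip_network("10.20.0.0/24"),   # point-of-sale application servers
    "cardholder": ip_network("10.30.0.0/24"),   # card-data database
}

@dataclass
class Rule:
    src_zone: str            # zone name or "any"
    dst_zone: str            # zone name or "any"
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"

def zone_of(ip: str) -> Optional[str]:
    """Map an address to the zone whose prefix contains it, or None if unknown."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int,
             default: str = "deny") -> str:
    """First-match evaluation, as most firewalls do; unmatched traffic gets the default."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if (r.src_zone in (src, "any") and r.dst_zone in (dst, "any")
                and r.dst_port in (None, dst_port)):
            return r.action
    return default

# Flat design: wireless is simply part of the wired LAN, no filtering between segments.
FLAT = [Rule("any", "any", None, "allow")]

# Segmented design: Wi-Fi reaches only the POS app port; only POS may talk to the card DB.
SEGMENTED = [
    Rule("wireless", "pos", 8443, "allow"),
    Rule("wireless", "any", None, "deny"),
    Rule("pos", "cardholder", 1433, "allow"),
]

def audit(rules: List[Rule]) -> dict:
    """Return the verdict for the paths an auditor would ask about first."""
    return {
        "wifi->card_db:1433": evaluate(rules, "10.10.5.5", "10.30.0.10", 1433),
        "wifi->pos:8443":     evaluate(rules, "10.10.5.5", "10.20.0.10", 8443),
        "pos->card_db:1433":  evaluate(rules, "10.20.0.10", "10.30.0.10", 1433),
    }

if __name__ == "__main__":
    print("flat:     ", audit(FLAT))       # wireless can reach the card database directly
    print("segmented:", audit(SEGMENTED))  # wireless is stopped at the firewall
```

The flat rule set returns "allow" for the Wi-Fi-to-card-database path, which is exactly the condition the auditors flagged; the segmented set denies it while still letting the POS servers do their job.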
There are a lot of lessons to be learned from TJX, and I’ve only scratched the surface. While I don’t like reaching management using FUD, this article gives a lot of very specific examples you could use to wake up your own management. I’ve often found the “See, this is exactly what we’re doing!” argument works well when you have specifics.