Breach Pain

Several stories involving companies victimized by intruders came to light at the same time. It's important to remember not to blame the victim, like the fool editor at Slashdot implied by writing Contractor Folds After Causing Breaches. The company in question, Verus Inc., didn't "cause breaches" -- it suffered them. Some bad guy stealing data caused the breaches. Read Medical IT Contractor Folds After Breaches at Dark Reading for the details.

New details on TJX came to light this week in stories like TJ Maxx Breach Costs Soar by Factor of 10 (Company had to absorb $118M of losses in Q2 alone) and The TJX Effect. The second article says this:

Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. "The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals," says the source. In a March filing with the Securities and Exchange Commission,TJX acknowledged finding "suspicious software" on its computer systems.

The USB drives contained a utility program that let the intruder or intruders take control of these computer kiosks and turn them into remote terminals that connected into TJX's networks, according to the source. The firewalls on TJX's main network weren't set to defend against malicious traffic coming from the kiosks, the source says. Typically, the USB drives in the computer kiosks are used to plug in mice or printers. The kiosks "shouldn't have been on the corporate LAN, and the USB ports should have been disabled," the source says.

You can expect me to advocate detection and rapid response, and I'm curious what this will produce: DARPA seeks innovations in network monitoring. Why isn't it "innovations in stopping attacks?" Because that doesn't work.