[Allow me to introduce Mike VanEmmerik. Mike is one of our engineers, who works closely with Christien Rioux and others on CA Veracode's analysis engine. Those of you who follow the decompilation community probably recognize his name. We'll have a full bio posted for him soon, and he will be a regular contributor to this blog.]
It Couldn't Happen To Us!
by Mike VanEmmerik
Surely this was what was going through the minds of the security staff of retailer TJX when they decided that WEP wireless security was "good enough". One thing they most certainly were not envisaging was a group of organized crackers with telescope-like antennas deliberately trying to steal data from outside a retail store.
But that's the thing about security -- whether it is a wireless network, web-based or stand-alone applications, or for the next Olympics: you have to plan for the worst. The same incentive that drives the corporate world (the desire to be financially well-off) also drives the cracker world. Exploiting security vulnerabilities is big business these days, and the costs to business are even higher. Some estimates put the eventual cost of the TJX breach at over 1 billion dollars. So you have to assume that your adversaries are worthy. They know how to use security effectively; the encryption on files left by the intruders remains uncracked today.
Good security is a mindset. The "couldn't happen to us" mindset just isn't good enough in 2007, or in fact in 2005 when the TJX breach apparently started. Every possible check needs to be done, without costing a fortune or exhausting the supply of security experts.
Hi, this is Chris again. I just wanted to add an ironic twist to Mike's commentary. Yesterday I spoke with a friend who has been doing security consulting in the Boston area for the past five years or so. As it turns out, several years ago, his company put together a proposal for TJX to conduct a wireless security assessment and penetration test. Unfortunately TJX decided not to go through with it. Typically this sort of assessment would include a review of the overall wireless infrastructure as well as site visits to a representative sampling of the retail stores. In other words, there's a strong chance that the root cause of this $1B breach could have been discovered before the break-in occurred, for a tiny fraction of the cost. Talk about ROI -- ouch.