Let’s come clean: most of the major retail chains fail miserably to implement proper physical and basic network security. TJX is the shining example, and some time ago this was confirmed by an article from theregister.co.uk. The article highlights some of the obvious failures major retail chains share, like leaving the servers running under administrative accounts, no real physical segregation, and placing Post-it notes with the passwords and user names in obvious places, such as under the monitor located next to the server.
The following article explains in better detail the same flaws I witnessed while working for JC Penney.
Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards.
I speak from my own experience when I say that I witnessed the same thing while working for JC Penney (not in IT). The store had three servers running Windows 2003 under administrative privileges and one Cisco 1800 router. All the equipment was located in one room, which happened to be the same room where the barcode scanners were kept, meaning a lot of people had access. Apparently the administrator account with no password was used on all the servers because the assistant store manager was expected to reboot the servers or perform some basic troubleshooting when calling technical support. If a determined person wanted to pull some data off the servers, the best time was after 7 AM; that’s when most of the employees had the remaining barcode scanners in their hands and had no reason to return to the room.
It’s been over two years, but I remember the primary function of two of the servers.
- POS (this one always called my attention)
- File server
- CRM or SCM (can’t remember)
Back then I was shocked after witnessing the lack of security; my teacher always pointed out that security involved more than just configuring a firewall, but also physical security and keeping the equipment away from the water lines at any cost.
Maybe I was just a kid flooded with curiosity, meaning:
- Wireshark and Nmap just for fun
- Scanned for all network devices and ports in use
- Maybe the internal network was exposed
- Maybe the filtering rules used on the routers were exposed, and maybe I found those rules to be weaker than the ones I created when taking my first CCNA class
- Maybe the possibility of installing keyloggers on the kiosks and servers existed
I am not in a position to judge Nick Benson’s decision to post what he knew, but I used to be in the same position he was; the only difference is that I was never part of IT for the company. My job was to be a simple replenisher of the merchandise, and I was a minor at the time. The information he posted provides no concrete way for a cracker to cause further damage; all he did was expose the already weak procedures in place. Let me say that in the end no lesson will be learned, and your personal data will remain vulnerable because of the stupid decisions made by a few uninformed executives. The company was safe with me because I never had any intention of causing trouble; instead I learned from their mistakes, which I hope to prevent in the future.
Who needs to bypass a corporate firewall or create elaborate social engineering tricks when all it takes is getting a job at a company that pays 8.20 an hour and working from the inside?