TJ Maxx security incident timeline

Here is an overview of the TJ Maxx security incident, CliffsNotes style.

The Actors

TJX companies

  • T.J. Maxx, Home Goods, Marshalls
  • The largest apparel and home fashions department store in the United States
  • Owns chains in the USA, Canada, UK, Ireland, Germany, and Poland
  • Headquartered in Framingham, MA
  • Founded in 1956

Hannaford Brothers

  • Supermarket chain in the United States
  • Headquartered in Scarborough, Maine
  • Subsidiary of Belgian Delhaize Group
  • Founded in 1883

Albert Gonzalez

  • Role: ringleader (Segvec)
  • Born 1981
  • Parents migrated from Cuba in 1970s
  • High School graduate — South Miami High School, Florida
  • Member of a black hat hacker group — Shadowcrew

Jonathan James

  • Role: hacker accomplice (c0mrade)
  • Born in 1983
  • Father is a computer programmer
  • High school graduate — Miami Palmetto High School, Florida
  • Prior conviction for computer crime — in 2000 for breaking into the Defense Threat Reduction Agency

Damon Patrick Toey

  • Role: hacker accomplice
  • Born in 1985
  • Born in Virginia, moved to Florida

Aleksandr Suvorov

  • Role: programmer (Jonny Hell)
  • From Sillamae, Estonia

Maksym Yastremskiy

  • Role: the fence
  • Born in 1984
  • A Ukrainian vacationing in Turkey

The Timeline

July, 2005

  • Gonzalez and his crew identify a weakness in TJX
  • A sensitive internal Wi-Fi LAN is running WEP
  • Gonzalez, et al., compromise the networks
    • Install backdoors
    • Begin probing for sensitive data

August, 2005

  • TJX databases are compromised
    • Point of sale
    • Credit processing transactions
  • Gonzalez, et al., have access to:
    • credit card, debit card, check, and merchandise return transactions
  • Maksym Yastremskiy begins trading stolen credit cards from TJX and Hannaford

September, 2005

  • TJX upgrades its Wi-Fi for security
    • Removes WEP, adds WPA
  • TJX begins monitoring for suspicious activities
  • Gonzalez, et al., continue collecting and selling credit cards using the backdoors previously installed

December, 2006

  • TJX detects the intrusion
  • TJX reports the incident to law enforcement
  • Gonzalez, et al., continue collecting cards

January, 2007

  • TJX makes a public announcement on the attack
  • TJX notifies people who may have been affected
  • TJX engages third parties to overhaul its system security
    • Deloitte, General Dynamics, IBM

March, 2007

“By the end of March 2007, the number of affected customers had reached 45.7 million […] In addition to credit card numbers, personal information such as social security numbers and driver’s license numbers from 451,000 customers were downloaded by the intruders.”

2007-2008

  • Investigators identify 14 people involved
  • Investigators identify more targets
    • Barnes and Noble
    • Dave and Busters
    • Heartland Payment Systems
    • OfficeMax
    • Et cetera …

May, 2008

  • Jonathan James’ house is raided and his equipment is seized
  • James takes his life on May 18

September, 2008

  • Damon Patrick Toey pleads guilty and prosecutors agree to a plea deal
  • 11 people (incl. Gonzalez, Toey) are arrested
  • USA contacts Estonia about Aleksandr Suvorov

August, 2009

  • Gonzalez is indicted for the crime
  • Yastremskiy is arrested in Turkey, and the USA seeks extradition

Promoting the Development of a Security Professional

Posted on TripWire: Security for Life: Promoting the Development of a Security Professional

This week marks the fifth and final week of National Cyber Security Awareness Month (NCSAM) 2015. The theme of Week 5 of NCSAM is “Building the Next Generation of Cyber Professionals.”

We cannot tackle security alone. We need to focus on building a generation of dedicated, well-educated security professionals to help defend against the online threats of tomorrow.

With this in mind, here are some recommendations on how we, as a society, can encourage young people to become interested in information security. We also provide tips on how budding security professionals can make the most out of their new careers.

(…)

Once a security professional has found their niche in infosec, they can then begin to leverage their unique skills to make connections and deepen their careers.

“Throughout my career, those who I have seen go the furthest the fastest make mentors and friends in the community,” states J Wolfgang Goerlich, Strategist at CBI and head of the CBI Academy.

“They don’t just attend conferences; they present and volunteer. They find open source projects to collaborate on. In these and many other ways, people develop their skills by contributing daily, weekly, and monthly,” adds Goerlich.

Like any career, information security requires ongoing effort and dedication. Those practitioners who internalize that fact are sure to succeed, one way or another.

Read the full article at http://www.tripwire.com/state-of-security/security-awareness/security-for-life-promoting-the-development-of-a-security-professional/

Friday Books and Talks 10-25-2013

Here are some of the books and talks that I enjoyed this week, in no particular order.

Strategic Renaissance: New Thinking and Innovative Tools to Create Great Corporate Strategies
by Evan M. Dudik

“In this insightful primer on corporate strategy development, Dudik shows why the traditional strategic goal of sustainable competitive advantage is being replaced with a new goal: opportunity creation and exploitation. Dudik also explores the business application of a classic military strategy: the hammer and the pivot.”

Engaged! Outbehave Your Competition to Create Customers for Life
by Gregg Lederman

“Customers love it when employees are ENGAGED to deliver an experience. However, it doesn’t come easy for most companies. The level to which your workforce is ENGAGED also has a significant impact every day on employees’ happiness and productivity, the customer experience, and your company’s profitability. Your company can be one that customers love to do business with … one that turns customers into loyal followers who buy more and more often. The journey through ENGAGED!, will teach you what leading companies do to create customer love.”

TED: Psychedelic science
By Fabian Oefner

“Swiss artist and photographer Fabian Oefner is on a mission to make eye-catching art from everyday science. In this charming talk, he shows off some recent psychedelic images, including photographs of crystals as they interact with soundwaves. And, in a live demo, he shows what really happens when you mix paint with magnetic liquid, or when you set fire to whiskey.”

I enjoy the transfer of one sense to another, from sound to motion, motion to light, light to visuals, and so on. Oefner is a great example of capturing scientific moments and creating artwork from these moments.

InfoSec Institute: IT Thought Leader Interview

J. Wolfgang Goerlich is an influential leader and IT management executive with the ability to act as a cultural change agent, driving security initiatives and raising security postures. He currently works as a Cyber Security Strategist for Creative Breakthrough Inc (CBI) and has been in the industry for over 20 years. Areas of expertise include managing culture, ITGRC, security community and mentorship, application security and team leadership.

1. Early this year, you took the position of cyber security strategist at CBI. What exactly does this position entail?

As a security strategist at CBI, my role is connecting people and ideas to develop strategies for improving cyber security. I work with the senior leadership at CBI’s customers to understand their business strategy and collaborate on plans for aligning and maturing their security activities. Within CBI, I provide technical leadership and expertise toward our service lines and vendor partnerships. On select engagements, I work directly with the consulting team to deliver impactful results to our customers.

Another aspect of my position, which I find rewarding, is leading the CBI Academy. I have been mentoring and coaching professionals in my local community for years, so leading the Academy was a natural fit. We often hear CISOs talk about the lack of security talent for staffing their teams. At the same time, we often hear students talk of the difficulty in identifying and gaining the in-demand skills. With CBI Academy, we bridge the gap with an apprenticeship program that accelerates the careers of recent university graduates.

Read the rest at:

http://resources.infosecinstitute.com/interview-j-wolfgang-goerlich-cyber-security-strategist-for-creative-breakthrough/

Friday Books and Talks 05/08/2015

The Spider’s Strategy
by Amit Mukherjee

To thrive in a world where networks of companies increasingly compete with other networks, managers can no longer focus solely on excellence in planning and execution. In The Spider’s Strategy, top business consultant Amit S. Mukherjee provides the tools you need to sense and respond to unexpected events. He shows how and why managers in your company must apply his four powerful “Design Principles” today.

The Well-Timed Strategy
by Peter Navarro

It’s not enough to understand the business cycle and the industry cycle. In The Well-Timed Strategy, Peter Navarro discusses today’s unprecedented level of macroeconomic turbulence – from oil price hikes to drought and disease. Whether an executive, a strategist or an investor, Navarro provides the tools to align every facet of business strategy, tactics and operations to reflect changing business conditions. Keeping in mind finance, supply chains, production, marketing, HR and more, the author outlines ways to profit from the chaos of business cycle volatility by implementing the appropriate strategy.

Friday Books and Talks 04/24

Best Practices Are Stupid
by Stephen M. Shapiro

What if almost everything you know about creating a culture of innovation is wrong? What if the way you are measuring innovation is choking it? What if your market research is asking all of the wrong questions? It’s time to innovate the way you innovate.

Hire people you don’t like. Bring in the right mix of people to unleash your team’s full potential. Asking for ideas is a bad idea. Define challenges more clearly. If you ask better questions, you will get better answers. Don’t think outside the box; find a better box. Instead of giving your employees a blank slate, provide them with well-defined parameters that will increase their creative output. Failure is always an option. Looking at innovation as a series of experiments allows you to redefine failure and learn from your results.

Nonstop innovation is attainable and vital to building a high-performing team, improving the bottom line, and staying ahead of the pack.

Flash Foresight: How to See the Invisible and Do the Impossible
by Daniel Burrus, John David Mann

Flash Foresight offers seven radical principles you need to transform your business today. From internationally renowned technology forecaster Daniel Burrus—a leading consultant to Google, Procter & Gamble, IBM, and many other Fortune 500 firms—with John David Mann, co-author of the Wall Street Journal bestseller The Go-Giver, comes this systematic, easy-to-implement method for identifying new business opportunities and solving difficult problems in the twenty-first century marketplace.

How I use sonar to navigate the world
By Daniel Kish

Daniel Kish has been blind since he was 13 months old, but has learned to “see” using a form of echolocation. He clicks his tongue and sends out flashes of sound that bounce off surfaces in the environment and return to him, helping him to construct an understanding of the space around him. In a rousing talk, Kish demonstrates how this works and asks us to let go of our fear of the “dark unknown.”

Friday Books and Talks 04/17/2014

Give and Take: Why Helping Others Drives Our Success
by Adam M. Grant

For generations, we have focused on the individual drivers of success: passion, hard work, talent, and luck. But today, success is increasingly dependent on how we interact with others. It turns out that at work, most people operate as either takers, matchers, or givers. Whereas takers strive to get as much as possible from others and matchers aim to trade evenly, givers are the rare breed of people who contribute to others without expecting anything in return.

Using his own pioneering research as Wharton’s youngest tenured professor, Adam Grant shows that these styles have a surprising impact on success. Although some givers get exploited and burn out, the rest achieve extraordinary results across a wide range of industries. Give and Take highlights what effective networking, collaboration, influence, negotiation, and leadership skills have in common. This landmark book opens up an approach to success that has the power to transform not just individuals and groups, but entire organizations and communities.

Anticipate: The Art of Leading by Looking Ahead
by Rob-Jan de Jong

Business schools, leadership gurus, and strategy guides agree – leaders must have a vision. But the sad truth is that most don’t…or at least not one that compels, inspires, and energizes their people. How can something so essential be practiced so little in real life? Vision may sound like a rare quality, unattainable by all except a select few – but nothing could be further from the truth. Anyone can expand their visionary capacity. You just need to learn how. In Anticipate, strategy and leadership expert Rob-Jan de Jong explains that to develop vision you must sharpen two key skills. The first is the ability to see things early – spotting the first hints of change on the horizon. The second is the power to connect the dots – turning those clues into a gripping story about the future of your organization and industry. Packed with stories and practices, Anticipate provides proven techniques for looking ahead and exploring many plausible futures – including the author’s trademarked Future Priming process, which helps distinguish signal from noise. You will discover how to: tap into your imagination and open yourself to the unconventional; become better at seeing things early; frame the big-picture view that provides direction for the future; communicate your vision in a way that engages others and provokes action. When you anticipate change before your competitors, you create enormous strategic advantage. That’s what visionaries do…and now so can you.

Comfortable professionalism

“I will show you some absolutely terrifying things, as we progress through today and tomorrow, and I will show you things you guys can do to make people very, very, very uncomfortable where you work.”

Every time I turn on my car, John Strand’s voice says the above quote. The clip is audio from a SANS course that my car has stuck on repeat. I have heard it thousands of times now.

“Make people very, very, very uncomfortable” came to mind when watching Chris Roberts (@Sidragon1) tweet about plane hacking Wednesday night and into Thursday morning. He tweeted about messing with a plane’s oxygen … while on a plane … on the day the FBI released a report on plane security hacks.

People were indeed very uncomfortable. And the story did not end comfortably for Chris, that day.

I appreciate John’s work and the SANS courses. I enjoy Chris’s work and his One World Lab research. Both are fine people, with intelligent ideas, and enjoyable presentations. But let’s put hacking aside for the moment.

I wonder if car mechanics get training on how to make drivers feel very uncomfortable. I wonder if medical students have conferences celebrating making patients feel uncomfortable. I wonder the same about virtually any professional service. Perhaps I am a fortunate exception; however, every service I use is staffed with folks who do the exact opposite.

The folks I hire go out of their way to put me at ease, answer any questions, share knowledge without pretense. It is what professionals do. It fosters trust. It is the mark of customer service. It defines their role as trusted advisor for my health, my car, my home, my family.

Returning to hacking and information security, there is no need to make folks uncomfortable. The terrifying things in IT are well publicized. We know. Things are broken. Criminals are misusing technology. We have a lot of work to do. Everyone gets it.

Let’s make the people we work with comfortable. Let’s look at absolutely practical things. Why? Because that is what professionals do. Let’s get some work done.

Friday Books and Talks 04/10/2014

Working with Emotional Intelligence
by Daniel Goleman

Do you have what it takes to succeed in your career?

The secret of success is not what they taught you in school. What matters most is not IQ, not a business school degree, not even technical know-how or years of expertise. The single most important factor in job performance and advancement is emotional intelligence. Emotional intelligence is actually a set of skills that anyone can acquire, and in this practical guide, Daniel Goleman identifies them, explains their importance, and shows how they can be fostered.

For leaders, emotional intelligence is almost 90 percent of what sets stars apart from the mediocre. As Goleman documents, it’s the essential ingredient for reaching and staying at the top in any field, even in high-tech careers. And organizations that learn to operate in emotionally intelligent ways are the companies that will remain vital and dynamic in the competitive marketplace of today—and the future.

Comprehensively researched, crisply written, and packed with fascinating case histories of triumphs, disasters, and dramatic turnarounds, Working with Emotional Intelligence may be the most important business book you’ll ever read.

Drawing on unparalleled access to business leaders around the world and studies in more than 500 organizations, Goleman documents an astonishing fact: in determining star performance in every field, emotional intelligence matters twice as much as IQ or technical expertise.

Readers also discover how emotional competence can be learned. Goleman analyzes five key sets of skills and vividly shows how they determine who is hired and who is fired in the top corporations in the world. He also provides guidelines for training in the “emotionally intelligent organization,” in chapters that no one, from manager to CEO, should miss.

Working with Emotional Intelligence could prove to be the most important reference for bottom-line business people in the first decades of the 21st century.

Power Listening: Mastering the Most Critical Business Skill of All
by Bernard T. Ferrari

Listening is harder than it looks, but it’s the difference between business success and failure.

Nothing causes bad decisions in organizations as often as poor listening. But Bernard Ferrari, adviser to some of the nation’s most influential executives, believes that such missteps can be avoided and that the skills and habits of good listening can be developed and mastered. He offers a step-by-step process that will help readers become active listeners, able to shape and focus any conversation.

Ferrari reveals how to turn a tin ear into a platinum ear. His practical insights include:

  • Good listening is hard work, not a passive activity
  • Good listening means asking questions, challenging all assumptions, and understanding the context of every interaction
  • Good listening results in a new clarity of focus, greater efficiency, and an increased likelihood of making better decisions
  • Good listening can be the difference between a long career and a short one