web application security lab

TJX Whistle Blower

I had some very disturbing news today from one of the forum users - he had just been fired by TJX for whistle blowing on their security issues. CrYpTiC_MauleR, whose posts on TJX can be found here, was fired today by TJX for talking about the company’s security flaws. This is the same company who recently lost millions of credit card numbers, for those of you who don’t recall. They tracked him down by IP (we’re still not completely sure how they did this, but we think it may have to do with a DynDNS account he uses), contacted his ISP to find out who he was, brought him into the office, questioned him about what he found, asked for him to write down his thoughts on how to fix the issues and then promptly fired him.

I completely understand why a company would want to reduce their risk, but this doesn’t bode well for future would-be whistle blowers, or for the future state of security for TJX. CrYpTiC_MauleR has been a long time poster on sla.ckers.org and has made a lot of contributions. I, for one, feel terrible about what happened, and I implore the community to reach out to him on sla.ckers.org, especially if you are looking for someone to help out in any open positions you might have. I think the best possible outcome of this would be that he gets a better job for caring about consumer security at large. Only time will tell.

But as a side note, I must caution everyone who prefers full disclosure as a rule, to be particularly cautious when posting that information, especially when it’s under your own name or a name you use elsewhere that may be tied back to you. Many of the largest companies on earth post to or read this site regularly, and no doubt someone will take personal offense at your actions, so I encourage everyone by way of example to please protect yourself - especially from those who would claim to care about security. Only actions matter in this world.

40 Responses to “TJX Whistle Blower”

  1. Jim Manico Says:

    And how is it responsible to work for company X, post that you are an employee of company X, and then post details of company X’s specific security posture/problems? Isn’t that against even the most mild non-disclosure agreement, not to mention irresponsible?

    Full disclosure has its place, and that does not include the situation where you want to disclose details of a company that you work for where you are an NDA’ed employee working as an IT professional.

    CrYpTiC_MauleR will be lucky if he is not sued for breach of contract!

  2. RSnake Says:

    @Jim - I understand and agree that NDAs exist for a reason, but don’t you think there is something to be said for someone with the best of intentions (read his posts - there’s no malice at all in them) who really does want things to get better, and sees that they aren’t? What outlets are there for him? Is it enough that lawyers get to tell us that we can’t talk about security just because a piece of paper says so? He didn’t give away passwords, or even the address of the TJX store he worked at.

    Lawyers have a time and a place, and I agree. But CrYpTiC_MauleR wasn’t working in IT. He was a normal guy working in a store. If he can find this, any minimum wage laborer also has the same access. It’s not exactly “private” intellectual property at that point. I agree that what he did should certainly entail a steep reprimand, but firing and lawsuits? Doesn’t motive count for anything in your mind? Should all whistle blowers go to jail?

  3. Jason Says:

    The company I work for is hiring an Application Security Engineer in St. Louis, MO.

    http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&jobid=130527&company_id=15624&source=ONLINE&JobOwner=976291

    We need folks who can do more than run a tool and print out a pretty report.

  4. Dan Fields Says:

    I understand the need for whistleblowing. The problem in this case is there’s a protocol to blowing the whistle that’s intended to protect all parties, and, obviously, the TJX employee in question did not follow it. Avenues for whistleblowing are determined by the state you work in. Posting confidential information on a security web site is NOT whistleblowing, as they are not legal authorities that can enact change.

    Like it or not, NDAs exist, serve an important purpose, and are legally binding. TJX was within their rights, and their actions were completely justified. Personally, I would not want to keep an employee around that entered into an agreement and then decided to not honor it, as I wouldn’t feel I could trust her/him.

  5. LonerVamp Says:

    Did he say he signed an NDA?

  6. RSnake Says:

    @Dan - I agree that in the truest definition that this is not a case of whistle blowing, but given that one hundred million people have already been impacted, don’t you think at least some action is warranted when he can’t get the change fixed himself? Also, he _did_ go through the proper channels (loss prevention dept) and nothing happened. Read the comments on the post.

    I’m not saying they shouldn’t have taken some action, but firing someone over their own disinterest in security worries me given their horrid track record. But I think there are plenty of organizations out there who look for do-gooders in security who could probably use a guy like him on their side. Unfortunately, there are probably not enough of those out there, and it’s certainly not TJX. Not today anyway.

  7. LonerVamp Says:

    This leaves people like CrYpTiC in a situation where there truly is no correct answer. Does he have legal routes and acceptable internal processes to fix things in TJX? (Really, did it sound like they were working?) Should he fully disclose? Is TJX’s financial situation more important than the risk they leave their customers in? Should TJX be allowed to acknowledge and accept this risk without justifying it to people like CrYpTiC? Might this be a case of management preferring *not* to hear these stories because now they have liability to mitigate or accept the risk (see no evil…)?

    Who knows, it’s a crappy situation, and the only thing one can hope for is respectful dialogue between involved parties, and positive changes made as a result so that both parties can do great things together.

    A firing is not a positive change, and shame on TJX for that. Maybe CrYpTiC carried himself in an offensive way and there is more to the story, I don’t know. But at the end of the day, is TJX getting fixed? And if not, what does it take to get fixed? Should CrYpTiC have tipped off bad men these details? Should he have leveraged them himself and pwned them? What does it take to get someone internal to TJX (or XYZ) to implement change?

    And no, I don’t think there are easy or maybe even possible answers to these questions; it really depends on your personal philosophies.

  8. RSnake Says:

    @LonerVamp - I agree completely. Also, I was thinking about the term whistle blower as it applies to computer security. Clearly there are NDAs in place for other forms of whistle blowing, why should this be different? Also, if whistle blowing applies to matters of national security, why wouldn’t it apply to matters that have national impact (100MM people). I don’t see why this term isn’t more widely applicable other than the fact that it isn’t covered by legal protections - at least not yet.

  9. RSnake Says:

    Drazen Drazic has an interesting post that is somewhat related here: http://beastorbuddha.com/2008/02/01/ethical-dilemma-of-client-confidentialityyou-lose-either-way-at-the-moment/

    The ethical dilemma is ours as well - if we as security researchers know what’s wrong and know the client never intends to fix it, how is our situation any different than CrYpTiC_MauleR’s? My only answer to this, is that my personal reputation is at stake and I’m not short sighted enough to submarine my own career. That said, I know some companies have a tendency towards not fixing their problems, so if I get even the smallest whiff of that attitude in the intake I won’t take the client. Yes, that’s right, I actually tell people I won’t work for them.

    A great example of this is colleges. I feel for them, I understand their problem, but they are unwilling to fix their issues because of freedom of speech issues. Fine, but find someone else. I know a lot of people will fall head over heels to work with colleges because of the money involved, but some things are worth more than money. If you want to get certified or fill a checkbox, go get the lowest cost cert that does the least amount of scrutiny with the weakest team you can possibly find. If you want to get secure, then we can talk.

  10. donwalrus Says:

    @RSnake,

    Although I completely agree with you here with the situation and the intent of CrYpTiC_MauleR, I must ask the question of why an apparently reputable guy with security knowledge NOT working for the IT department has any clout with the company he works for when it comes to these matters?

    Is there something we don’t know here, such as a criminal record in regards to computer crimes, or are we just to accept that a reputable guy with security knowledge deserving of being hired by a firm (by your recommendation) wouldn’t be concerned that their new-hire-to-be just came from a retail job?

    Like I said, I’m only asking the question…I tend to agree with you on the point of the severity of the action, though…

    CrYpTiC_MauleR, if you’re here, please feel free to interject, and no harm meant…but knowing security and being qualified to introduce change in an organization like TJX has to do with resume, experience and clout within the organization–two different things.

    I can see why they would be pissed…not that CrYpTiC_MauleR disclosed any information, but he bore character witness to the organization regarding their apparent lack of concern for the valid security issues he pointed out…he will either never make this mistake again, or he’s not a security professional to begin with, so what does it matter….plenty of retail stores hiring

  11. RSnake Says:

    @donwalrus - I wouldn’t claim to say that CrYpTiC_MauleR has any clout within his company, I believe at some point he said he was still in college. And as with everything doing background checks on your prospective employees is always a good idea (something TJX does not do regularly, from what CrYpTiC_MauleR said, by the way).

    I have a feeling he learned his lesson, as even during the process he said he was hoping he wouldn’t get fired. I’m not there on the ground so I can’t say for sure, but I have a feeling this is a non-malicious person who simply wanted to make some positive changes from his otherwise mundane role. Reminds me a lot of myself when I was younger, more idealistic and filled with a lot more bad ideas than good.

  12. thrill Says:

    @RSnake - thanks for posting this. Having been a part of this discussion, and even having been a middle man between the higher-ups at TJX and Cryptic, I feel somewhat responsible for what has happened.

    As a person who has been heavily into security for the past 12 years, I can already see that TJX is following the same lead every other large corporation has taken, which is to “keep things quiet and maybe they’ll go away”.

    @Dan Fields - What would your suggestion have been in this case, where he did reach out to higher ups when a different scenario presented itself, and yet they did nothing? The empty password was the precursor to a weak user/password combination, which he did report to the Loss Prevention department, and for which no action was taken by them.

    As the saying goes, opinions are like diapers, everyone has one, and it’s always full of shit.

    Sorry for the crudeness, but I truly believe Cryptic has been wronged in this instance. He showed great loyalty and character by bringing up these problems, and his reward was getting fired.

    –thrill

  13. Awesome AnDrEw Says:

    The question I would like to know is how exactly the company was able to receive the information from his Internet Service Provider. Was there a clause in the terms of service, which stated that customer information would be voluntarily given to third-parties without a court order, or subpoena? If not did the company choose to hand over his identity without such orders? I believe if this was indeed the case he may at least file a lawsuit against his ISP for providing his personal information to the company.

  14. digi7al64 Says:

    The yin and yang of disclosure. TJX took the appropriate action based on Cryptic’s action. I’m sure regardless of whether or not TJX is secure, the shareholders and board would not appreciate this information being released to the public domain. I agree his actions were noble but corporately they can be considered unethical/unprofessional and this is where he has come undone.

    Daily (like lots of readers here) I come across massive security holes in applications and for me to come on here and say they are insecure (when I have a direct link to them) would be tantamount to professional suicide.

    If we haven’t worked it out yet, we will: large corporations don’t care if they are vulnerable, what matters is who knows they are vulnerable (this is called threat management). Therefore, to expect anything less than what has happened is foolish.

    Finally, don’t get me wrong, Cryptic seems like a great guy who took a chance (and I admire what he did), but we’ve all been there and we’ve all been screwed over for it. So take it on the chin, learn from the mistake and move on. Chances are, this event will have no long term effect on his life other than to provide a great story next time TJX gets owned.

  15. tx Says:

    [quote]but knowing security and being qualified to introduce change in an organization like TJX has to do with resume, experience and clout within the organization–two different things.[/quote]

    @donwalrus: Since when do security issues require qualification? It’s that kind of thinking that allows companies to just sweep breaches under the rug. I’m not saying you should pay some random man-on-the-street to do an assessment, but when a flaw in security is recognized its importance should be determined by severity and the margin of risk rather than whom it comes from. Frankly it seems like you’ve forgotten what it’s like to work retail; cryptic was only looking to resolve the problem, there are many others that would’ve just exploited it… I think his honesty deserved recognition, a far cry from termination.

  16. donwalrus Says:

    @tx: firstly, thanks for the response– but let me clarify my perspective on this issue…having dealt with my own set of legal/criminal problems/dilemmas in my youth (several times) my point is (much as digi7al64 and others have made), this is an issue of the corporation minimizing their risk, not the individual’s justification for their doings.

    To the corporation, a guy who works in retail is a scape-goat..they can fire him, blame him for whistle-blowing, etc, etc, etc (whether right or wrong). His position within the organization holds no clout with the shareholders when it comes to these matters—no “ifs ands or buts”….the “board” or the shareholders simply don’t get it–nor does the public, but they don’t tend to take their advice from low-level employees working in one of their stores.

    Making changes within an organization of that size does require a certain amount of politics (love it or hate it, it isn’t gonna change any time soon). So my point is just that. You wanna make changes in a large corporation when it comes to security? Either hack them and hold them for ransom, or work in their IT Security department and prove your worth—which takes a shit-load of ass-kissing…otherwise you can post what you like about them here and get your ass fired….it’s a free country

  17. Drazen Drazic Says:

    As a shareholder in a company, I would expect that the company is doing the right thing by me and protecting my investment. We question and seriously view financial audits but pay little service to security audits that could have just as far reaching impacts into business viability as dodgy accounting practices. Would we question someone who came forward and outed “suspect” business dealings? The guy would be a hero possibly in that scenario.

    Now in regards to IT Security, and being in the industry for quite a while, I am not naive enough to believe that anyone will compare what we do with what a financial auditor would do. BUT, why not? Things need to change….

    By the way, thanks for the link RSnake.

    Would shareholders prefer to have this information kept quiet or would they rather prefer to know that the company board and executives are looking after their investment? hmmm….how do you answer that one. Probably the latter and then the former (if it hits the fan). I know I would be very pissed off if a company I had an investment in went down the tubes due to bad IT Security and Risk Management practices.

    I don’t know what the guy’s intentions were, but to a degree, it opens up the ethical debate about how we as a profession deal with such scenarios. I cover this more in the link that RSnake included above. Keen on your thoughts there also if you have the time.

    DD

  18. Daniel Says:

    If CrYpTiC is looking for a job in a tech field, he should pass on a copy of his resume to this blog, say what kind of work (and where) he’s looking for, and I’m sure he’d start getting interview offers like crazy. I’m sure this blog gets read by a lot of people who are involved in hiring processes.

    Some people have questioned why a security expert would be working a “regular” job not in IT, but frankly, I could see a lot of appeal in one day escaping the IT rat race and doing something else. Our interests, skills, hobbies and jobs do not need to intersect…

  19. Ryan Says:

    He should look into how TJX tracked him down by IP. It might even be illegal.

  20. Jon A. Longoria Says:

    This essentially falls within the bounds of lawful discrimination and wherein their actions were justified by their intent to protect both their intellectual property and resources by resolving a conflict of interest that they deemed to threaten their assets and/or that they suspected potentially violated any agreements regarding proprietary technology or corporate authority. This is of course relevant under the theory that they were at high alert due to their recent losses and anything/everything must be suspect.

    The motive, however, is questionable considering the gentleman did attempt to raise the issues up the chain of command as it were. He should have continued beyond Loss Prevention though if they were unwilling to hear him. This seems more like a case of someone covering their tail and using this gentleman as their crutch to do so.

    Unfortunately, that perceived threat was this gentleman and although they were questionably within their rights, they could have handled this in a more appropriate manner. I’ve been in the same shoes young into my career when I was released from a company for violating their firewall policy, twice, although they’d never provided me with any directive on such policy until the day of separation. On that note, I can sympathize.

    How did he get released without a severance package - was this never defined in his contract or is he a low-level employee without these benefits? Why would he comply with the organization when they began questioning him without assurances that his position wouldn’t be in danger? How did they obtain the private information of a user from his ISP? Those are the issues I am more worried about if they in fact didn’t do this through legal channels.

  21. Robert Says:

    A few comments

    You leaked confidential info on a public place about the company you currently work for. Good intentions or not you crossed a line.
    The larger the company the less tolerance they have for this sort of thing. Many people will disagree with me on this but tough :) Do me a favor and please don’t reply back to me debating this opinion unless you’ve actually worked at a company doing IT or security.

    If people at your company are not listening go up the chain. Email PR, lawyers, and Directors/VP’s. Do this formally in email so there is a documented paper trail. Once those up the chain start getting informed about major ‘preventable’ liabilities they must act otherwise they may be personally liable for doing nothing. In TJX’s case they are under investigation for related issues so they can’t ignore them.

    If you are afraid for your job and strongly suspect you’ll get fired, do this anonymously via a free email account online and state that you work for the company but are in fear for your job. I’m not promoting this but there *may* be a situation where this is justified/doable.

    In general if you work at a company and find an issue in something that you *should* have access to, you shouldn’t have anything to fear. If you are poking around in places you shouldn’t then that is a different matter.

    If after emailing high up people in your company and they still ignore you, contact the FTC (http://www.ftc.gov/ftc/contact.shtm)
    anonymously.

    One last thing. I will not get into a debate about reporting vulns to third party companies so please don’t reply back asking me. I’ll ignore you.

  22. Dick C. Flatline Says:

    The loss prevention/IT security setups in most US corporations are a bad joke. Usually they’ve got some guy sweeping the floor at night who knows more about IT security than they do. They’ve got HIS data being “protected” by Homer Simpson in a suit, but if HE objects to their cavalier attitude and total incompetence, they want to fire him, sue him, whatever.

    HINT: When the chief of IT Security LITERALLY doesn’t KNOW what mod_status IS (!!!), firing/suing the floor cleaner who points out their goatse “security” is the only “logical” reaction. What other course of action could simultaneously ignore a gaping rectum, keep the maximum number of retarded frat brothers employed, AND make more money for lawyers?

    And as for speaking my mind, I come from a long line of sergeants, every one of whom has fought and bled for the US Constitution in one bug-infested shithole or another. I speak the truth, and I’ll do so whenever and wherever I please, and I’ll regard ANY rat-bastard who tries to deny me my birthright to do so as a would-be tyrant in SERIOUS need of a real-world ass-whipping.

    Tell them to sit on it and twirl, MauleR!

  23. SethF Says:

    I am with Robert on this one.

    Cryptic basically exposed private, internal information about a company to which he had privileged access. He is lucky TJX hasn’t sued and/or prosecuted.

    How many people out there that work in a company of over 100 can honestly admit their business doesn’t suffer from some oversight or security issue that could cause problems?

    While the default password is a problem, was the customer info secured? Most CRM packages I know of run on non-admin access and then require a user/pass that only provides limited access based on requirements (i.e. no CC info). Retail software is typically rather complex and has many layers…having access to a person’s name and address isn’t the same as having access to full CC track2 info.

    Granted, cryptic gets the problem, but exposing your employer in a way that can be exploited by hackers on a board that TJX may or may not read is problematic at best…

    …Just imagine the problems cryptic could have if TJX gets hacked via the methods he exposed….

  24. RSnake Says:

    The press has taken a lot of interest in this:

    http://blogs.zdnet.com/BTL/?p=8895
    http://www.infoworld.com/article/08/05/23/TJX-staffer-fired-after-discussing-security-problems_1.html
    http://www.theregister.co.uk/2008/05/23/tjx_fires_whistleblower/

    @SethF - yes, but how much more upset would you personally be if you had your identity mis-appropriated knowing that someone like him knew about the problem but didn’t speak up.

  25. Robert Says:

    @RSnake
    I’d barely be upset that a random employee didn’t speak up, I’d be 1000 times more upset that the company lacked the basic checks and balances that should have identified these issues. Random employees shouldn’t be able to turn the company upside down due to basic security risks. Companies dealing with financial information should have regular security audits with remediation schedules that identify and address these as they come up. TJX isn’t a 50 person company and deals with billions of dollars. The author of
    http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1239785,00.html
    makes a great point:

    “More than likely, there will be a sacrificial lamb,” said security analyst Pete Lindstrom of Burton Group Inc. in Midvale, Utah. “I would expect it to be the CIO or a senior-level CISO to be let go.”

    This is a fuck-up at the security management level. I’m not saying it is the CISO (I have no insight into TJX) but someone in the chain didn’t do their job.

    Note: I work for a financial company.

  26. Zeta Thompson Says:

    Ok, he probably did break an NDA. Most applications for employment have some form of an NDA on them. And it was not very ethical of him to post details and the company name on a site. HOWEVER, I can speak from experience that too frequently companies claim that they were hacked by an evil vicious mastermind when the fault lies in their own lackadaisical response to reported holes in their security. I have been told by people in my own IT organizations that the easily penetrated weaknesses in the system aren’t anything to worry about because the users are not sophisticated enough to abuse them. When I pointed out that external breaches are something to be concerned about, the answer was invariably, “Why would anyone want to go after us?”

    So when years later they find someone has been using the mail server to distribute spam or that the system is slow because of all the bots running MP3 servers or DOS attacks, they react as if they are surprised and insulted. It is the poor lowly IT worker that is blamed by the management types. The same management types who refused to spend a little extra time and money to secure the system at the time of the report.

  27. nellwal Says:

    I read through all the comments and the original post and found this entire situation distressing. I am an IT whistleblower that spent the last 3 years of my life in litigation against my employer for poor data security practices. I took the time to write a “7 steps” to whistleblowing on data security problems and you can see it at http://whistlersear.wordpress.com/data-security-whistleblowing-101-for-it-professionals/. I think everyone here should read it to get an idea of what it takes to get any chance of success in regards to whistleblowing on data security issues. I hope CrYpTiC_MauleR can move on to bigger and better things.

  28. YouDontCareAnyway Says:

    You have to be kidding me. There was no whistle blowing at all. From what I read he told the head of loss prevention, which (no offense anyone) is like talking to a wall when it relates to Information Security. Might as well ask the Wal-Mart greeter where the store demarc is; it is just as likely to be effective. By all means, address the concerns you have but do so intelligently. Like the obvious idea of a whois (which has nothing to do with websites, CrYpTiC). It looked to me like he was handed a free pass and copped out. Do you disagree, Thrill/RSnake? I really don’t think you will.

    ” Yeah I was thinking about this too, I don’t want to lose my job for reporting this in. Yeah its not like I went looking for a security hole, I just happened to need the info to login to the remote server for my job task and was shocked at the password used. ” — CrYpTiC

    If you have not done anything wrong then you should have no worries. Believe me, I have said many things that pissed people off, and not to be a d!ck but I stick to what I say, because I think before I open my mouth. You should do the same.

    Mr Benson (http://www.google.com/search?hl=en&q=cryptic_mauler%40linuxmail.org&btnG=Search) is just too young and fires off with the mouth (or fingers) too quickly.. It sucks that he lost his job, but he should make this into a learning experience. I’ll bet 20 bux he is still b!tch!ng about the whole ordeal. With a little maturity and some direction maybe he can get in on the legally paying side of Security… Like the post said, Step up or shut up.

    For an intelligent person, you sadly made some stupid mistakes; the trick is to learn from them. I’d start with a new alias…

    Thanks for the read, use less spin next time tho please +)

  29. ChosenOne Says:

    offtopic:
    i’m wondering how many people’s cursor went over “claim”, to see if it’s actually a link ;-)

  30. LonerVamp Says:

    @Robert: “Random employee’s shouldn’t be able to turn the company upside down due to basic security risks. ”

    Amen. There is this tendency of managers (moreso as you move upwards) who would rather not hear about issues (especially in writing) because that means they need to do something or are liable. Way too much stifling of issues that may impact budgets or their credibility in higher-up eyes occurs these days. And once any manager decides to stifle, like a web of lies, it builds and grows from there. We (as people) so hate to admit being wrong, don’t we? :)

    Keeping internal secrets secret is a form of security through obscurity. If Cryptic_Mauler’s disclosures were so damaging, there are far worse issues going on at TJX than one low-level employee voicing some vague details on a web forum. Hell, we should all hope that our own networks and systems could stand up to internal and even open review, with minimal non-acceptable risks covered.

    I posted more of my opinion on my blog. :)

  31. LonerVamp Says:

    @Zeta Thompson: “HOWEVER, I can speak from experience that too frequently companies claim that they were hacked by an evil vicious mastermind when the fault lies in their own lackadaisical response to reported holes in their security.”

    They’re everywhere! I sees them in bushes and following me when I drive. Evul hax0r n!njas! Crazy mastemind genuises after mah mon3yz! :)

    You speak truth, Zeta!

  32. Felstatsu Says:

    @SethF

    I work in an HR department, where HR alone has over 120 employees, and I personally have not seen any place more locked down. Things like new sites for HR programs are notoriously late in coming out since the security audit on the site has at times taken up to 3 times as long as the site took to make. As a key example, I got tasked with a quick site, as no one else was available and my schedule was free at the time. A small unimportant site took not quite 3 full days to make, had a total of 8 pages (3 with server side scripting), and took a bit over 3 weeks for all the security testing (we don’t have anyone who was on the project to make the site test it either). Short of going off-line and using air-gap security there’s not much left to be done. Having over 100 employees doesn’t make it any harder to be secure if you take security seriously and have a good team working towards it.

    Cryptic,

    Sorry it came to this, personally I think TJX is being idiotic beyond words for not promoting you to a position where you can do something about their security problems. Wish you the best of luck in finishing school and getting a real job where you don’t have to put up with idiotic corporations.

  33. jamie Says:

    In two previous companies, one was using pirated software - I mean in plastic sleeves with cheap inkjet-printed inlays, so pretty blatant - and one had a completely inadequate password policy. At this last I was the security guy and moaned and wrote proposals and warned them for two years.

    Sometimes you just cannot change things within, however hard you try.

    Also, TJX’s main responsibility is to their shareholders if they’re public - seems Cryptic was doing a better job for them than the TJX management.

  34. Mephisto Says:

    I feel for Cryptic for losing his job, especially in today’s economy, but I think a) announcing you are an employee of the company, b) publicly exposing their security issues and c) denouncing them for their practices would lead to anyone getting fired.

    I faced an eerily similar situation about 20 months ago, after posting in the “Full Disclosure” forum on sla.ckers, XSS flaws in bank/credit union websites, some of which ended up being customers of the company I worked for at the time. I was called into a meeting, threatened with losing my job and facing potential legal action, if it was determined I was the one responsible for posting those vulnerabilities.

    I eventually left the company, because like most companies, their security should only be discussed behind closed doors, and what the public doesn’t know about their security practices won’t hurt the company’s reputation or their stock holders.

  35. Pete Says:

    1. Jim Manico: It appears cryptic mauler was a responsible employee to point out his company’s security problems. Did you hear otherwise?
    2. Dan Fields: There is no protocol to protect whistleblowers. Do you really think you’ll win when your state government backs you against an $18 billion annual revenue company? You seem to suggest that as an employer you wouldn’t want any employee who expects a minimum level of info security to protect shareholders.
    3. digi7al64: You seem to suggest that shareholders and board would not appreciate this information. I hope my investments and yours never overlap - since you think the ostrich imitation is a good security stance.
    4. Dick C. Flatline: Your post was great. Down with no-talent ass-clowns!
    5. Robert: You stated “Random employee’s shouldn’t be able to turn the company upside down due to basic security risks.” A random employee didn’t turn the company upside down - TJX was notorious for being proud of having a complete lack of info security & the hackers did the heavy lifting. TJX shot themselves in the foot a long time ago, it was just a matter of how fast they could reload.
    6. nellwal: I’ll buy you a pint when we meet.
    7. YouDontCareAnyway: You stated “If you have not done anything wrong then you should have no worries.” Your inexperience shows so be careful when you mature and find out the world is not all snips and snails and puppy dog tails. Perhaps some anger management sessions too?
    8. LonerVamp: People - Listen to this guy.

    Note to all: I’ve never posted before & am unlikely to check in again. Don’t bother replying to me - just keep the discussion going.

  36. SHMINGVIN Says:

    I’d barely be upset that a random employee didn’t speak up, I’d be 1000 times more upset that the company lacked the basic checks and balances that should have identified these issues. Random employees shouldn’t be able to turn the company upside down due to basic security risks. Companies dealing with financial information should have regular security audits with remediation schedules that identify and address these as they come up. TJX isn’t a 50 person company and deals with billions of dollars. The author of INT: When the chief of IT Security LITERALLY doesn’t KNOW what mod_status IS (!!!), firing/suing the floor cleaner who points out their goatse “security” is the only “logical” reaction. What other course of action could simultaneously ignore a gaping rectum, keep the maximum number of retarded frat brothers employed, AND make more money for lawyers?

  37. Felstatsu Says:

    To somewhat mix parts of jamie and mephisto’s posts, TJX is mainly responsible to its shareholders, and Cryptic was basically doing more for them than his higher-ups were. What the public doesn’t know can still turn around and bite everyone in the arse; having horrendously lax security and going all hush hush about it will just lead to hackers exploiting them again. Getting hit a second time will probably cause problems for everyone, and their head in the sand approach to security is setting them up for another failure. While people can move on and still shop at a place after one breach, as evidenced in the past coverage, do you think that people will be forgiving of a company that lets it happen again even after they’ve worked to improve their security? The damage to their reputation and the stock holders would likely be very bad.

  38. malkav Says:

    WTF ? i left cryptic at his job a month ago, and when i come back from work they fired him ?

    ok, a lot has been said on full disclosure, NDA, enterprisey threat management and such. i’ll just add my $0.2

    since i am self (un)employed, i did assessment and precs in quite a few large financial organizations (as it seems, they start to get a little more realistic on what constitutes a threat; constant harassing starts to do the job)
    only *one* had a real anonymous threat reporting system, affiliated with their compliance and regulation group (for those who don’t know, basically it’s a bunch of internal auditors, regrouping lawyers, techs, financials and whatever, monitoring that there is no major fluke in the company)
    and it wasn’t the largest one. as we regularly state and read on the forum, a clear reporting path is what is missing the most in big companies. they clearly have the whole (in)competence necessary to handle the very same problems TJX had, and often the problems aren’t treated just because the people in charge don’t even know. two real life scenarios i encountered (considering the media coverage this event had, maybe this will teach some lessons):

    1 : we are in a LARGE banking group. like, one of the largest in the world. heavy security processes, surprisingly well managed on infrastructure, tight requirements, EAL5+ certification of every single piece of code deployed on mission critical systems. sounded like an easy job when i was sent to do a routine audit on some non critical infrastructure servers (yes, they even had routine audits)
    after a week or so of various messing around, i still had found nothing to report. sounded great for them. and while taking a coffee break i heard two devs discussing the “problems” they encountered on a fat ass e25k doing some heavy database processing. wasn’t at all in my perimeter, but as i am a curious individual, i asked them to detail.

    they had a couple of batch jobs basically doing replication of some parts of the db they were messing with, because a slave server kept complaining, and were unable to locate the slave in question. it wasn’t on the same subnet, and the local network dept. were unable to tell them where it was located. as it was on a different AS (they have quite a few) it was probably an offshore server, and they didn’t know the whois database existed (why the network dept were unable to contact the other party, i don’t know)

    it was strictly stated in the security procedure that comms with unknown third parties, even internal ones, were to be reported ASAP to security, and as i pointed that out to them, the answer totally astonished me. they didn’t *dare* report it. apparently the security dept is considered internally like some cosa nostra, breaking your fingers and beating the crap out of you when a security problem (IT, or whatever) is found, and various people had several things to report, but they didn’t, in *fear* of the security dept. from the rumors i gathered, at some point they had a TJX-like scenario, where some random, low-level brilliant individual tried to report a major fuckage, and “mysteriously disappeared” (didn’t even turn up to the job the next day after a convocation at the security dept.; likely was fired, or transferred to their equivalent of a radar station in alaska). there was no debriefing at all of the guy’s team, and humans being what they are, rumors about the security dept started to spread. it was 10 years ago. they are since nicknamed “stasi”

    what to learn from that? don’t, ever, ever let your security people instill fear in the other employees, whether it be from gestapo behavior (and god knows we can be so hard on people making mistakes) or just from non communication. leave a reputation of being a shadowy group of some sort, and in 10 years, people still will fear you. you have procedures. they know them. you have monitoring, regular audits and everything. IT IS NO USE. your own kind won’t help, for they fear there will be retaliation. the sec ops of a company, whatever the size, must have strong links with employees of all hierarchical levels; they must inspire trust. end of rant one

    (and for the curious, the mysterious-unidentifiable-offshore-server was a basic report-building server in india for their local IT dept.)

    2 : this one is funnier, and it’s fresh
    a small software dev contractor company hired me a few weeks ago to do a performance audit of their ETL tool. their whole administrative infrastructure was internally developed and had everything linked in what you could call a web 2.0 ERP, but for even the simplest accounting op, the ETL server handling communication between the various pieces of software jumped to 100% CPU for like five minutes. and of course, sales waiting for loooong minutes while on the phone with some client for their CRM, while the devs repeatedly tried to commit patches to their source control, while the accounting depts tried to… well, you understood.

    guess what i found on the solaris box hosting the stuff? dtrace everywhere. reporting scripts everywhere. auto repair scripts gone crazy. somebody did take security *damn* seriously at some point. every single move of every single bit was audited, RBACed from network *then* MACed locally, trailed, reported, like the sysop had stolen the NSA’s paranoia stash. when i asked about the use of such drastic security measures, the CTO (told you it was smallish) evasively responded something about a former sysop being “security conscious”. apparently he didn’t really know about the stuff he put in there. in fact the other sysops didn’t know either. there was strictly no documentation on this, the box worked at that time, and when our local NSA operative left, of course he didn’t mention it.

    so the box kept producing huge amounts of various trails, various perl scripts processed them, before sending them to… nothing. they used to be sent to the tin foil hat guy’s work box, but since he left, it was recycled into something else, and the box couldn’t flush its logs anymore. and that triggered the autorepair scripts, which started to buffer the logs in memory. then on disk. then started to prune logs, while putting new ones in memory, then on disk. which of course, was audited-trailed-reported. and the box spent more and more resources on managing the information flood.

    great technical implementation. so *poor* management of it (and i don’t speak of Management, which didn’t even know about the whole system’s existence)

    lessons from those two scenarios? having great security is all well and good, it will probably save your ass, but security management is mandatory. better a poor technical security, well known, well managed, than state of the art paranoia left to rot in some corner. TJX had neither. no technical security, because if some “random lowly store employee” (caricature intended) can start reporting problems, you’re in deep shit (not that they shouldn’t, *of course*; what they shouldn’t be able to do is encounter flaws that critical in their day job).
    cryptic has ethics. whatever will be said, he strictly followed the rules, by reporting it, waiting, reporting it higher, waiting, going public.
    because as RSnake stated, when you start talking about 100M persons, it’s not a “private corporate matter” anymore. we don’t give a fuck about the board being worried for the price of share. they have our personal details. they emit credit cards. they’re responsible for *us*. we are “the public”. corporations that manage millions of personal data daily, and lose it, see their share price drop. hey, what is more logical?
    they have another problem now. like our first story’s security guys, they will be considered stasi/gestapo/whatever. problems won’t be reported anymore. they took the *stupidest* decision in firing cryptic. they had employees ready to do a job they aren’t even paid for, just because they care. at least one. they won’t have any anymore. too bad for them security isn’t an ivory tower. too bad for them every single employee in the company is involved in the process. too bad for them that they caused fear and anger in their working mass; the next security guy probably won’t be as keen on them as cryptic had been, and with a good identity selling for between $0.5 and nearly a dollar apiece (for a really complete one. you know, like when you register for their discount/credit/fidelity cards, yeah, the ones they lost by millions) i’d bet my beer that with strictly no confidence in corporate management and security, an employee without too many ethics wouldn’t hesitate too much between reporting it and getting fired, and making some quick cash.

    end of rant.

    BTW cryptic, you have a job waiting for you on the other side of the pond

  39. Benjamin Wright Says:

    Careful reading of the indictments of the TJX data thieves shows that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. The TJX break-in was not as bad as we were led to believe. –Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html

  40. Anngie Says:

    I was recently fired from TJX for saying Loss Prevention wasn’t doing its job. Our shrinkage was way over 3%, and I’d been complaining, but when I confronted the Dept directly, I was “terminated.”