Archive for TJMaxx

Data Security Podcast Episode 59 – June 29 2009

Posted in Breach, Court Cases, darkweb, Podcast, Vulnerabilities, web server security on June 29, 2009 by datasecurityblog

30 minutes each week on data security, privacy, and the law... (plus or minus five)

On this week’s program:

  • Web drive-by download attacks have hit users of DenverPost.com. The attacks were still in progress at the time of the show.
  • Drive-by downloads are the fastest-growing category of cyber attack. A new browser tool alerts you before you get hit.

This week’s show is 23 minutes long

–> Stream, subscribe or download Episode 59 – Listen, or subscribe to the feed to have each new episode delivered automatically to Google, Yahoo, iTunes, or another feed reader.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

–> A simple way to listen to the show from behind a stricter firewall: Listen from Odeo. That site works better if you are behind a more restrictive enterprise firewall.

This week’s show is sponsored in part by Vipre Anti-Virus, the complete antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to http://www.testdrivevipre.com. Also sponsored by DeviceLock Removable Media Security Software.

Show Notes for Episode 59 of the Data Security Podcast

  • Tales From The Dark Web: Ira has a conversation with Yuval Ben-Itzhak, CTO of security company Finjan, about a browser tool that can alert you to drive-by downloads before they strike. Check out http://securebrowsing.finjan.com to get the tool.
  • From The News: TJX, the owner of TJMaxx stores, entered into a settlement with 40 states and the District of Columbia as a result of the massive data security breach it disclosed in 2007. The nearly $10 million settlement is far-reaching. Read the entire settlement here, thanks to the Office of the Attorney General of Washington State.
  • From The News: Adobe has released a critical security update for Shockwave Player. If you are on Windows, be sure to UNINSTALL the older versions of Shockwave first and then install the new version; older releases are left in place otherwise. Mac users just need to run the update.
  • From The News: According to multiple online scanning sources, The Denver Post web site, DenverPost.com, has been breached by members of the Dark Web. Select pages of the site appear to be attacking visitors, attempting to download malware onto readers’ computers. See screen shots from the Google malware blacklist below. More details on the show.
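The Denver Post item above describes a compromised site serving drive-by downloads to its readers. The show notes do not say how the site was injected, so the Python below is an added example, not code from the podcast, from Finjan, or from the Denver Post incident: it runs a few heuristics that a site owner or incident responder could apply to their own fetched pages, looking for the markers typical of 2009-era site compromises (hidden or zero-size iframes, iframe and script sources pointing off the first-party host, and script bodies built from eval(unescape()), document.write(unescape()) or long String.fromCharCode chains). The sample page, the first-party host news.example.com and the .invalid hostname are constructed for the example.

```python
"""Heuristic scan of fetched HTML for markers of a drive-by-download injection.

Constructed example for the Data Security Podcast show notes; the sample page
and hostnames below are made up and do not describe any real incident.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Obfuscation idioms commonly seen in injected exploit-kit loaders.
OBFUSCATION_PATTERNS = [
    re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.I),
]


class InjectionScanner(HTMLParser):
    """Collects (finding_kind, detail) tuples while parsing one HTML page."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            if self._is_hidden(a):
                self.findings.append(("hidden-iframe", a.get("src") or ""))
            if self._off_host(a.get("src")):
                self.findings.append(("third-party-iframe", a.get("src")))
        elif tag == "script":
            # html.parser hands <script> bodies to handle_data raw, so buffer them.
            self._in_script = True
            self._script_buf = []
            if self._off_host(a.get("src")):
                self.findings.append(("third-party-script", a.get("src")))

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            for pat in OBFUSCATION_PATTERNS:
                if pat.search(body):
                    self.findings.append(("obfuscated-script", pat.pattern))
                    break

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    @staticmethod
    def _is_hidden(attrs):
        """Zero/one-pixel frames or CSS-hidden frames are invisible to the reader."""
        def tiny(value):
            try:
                return int(str(value).rstrip("px")) <= 1
            except ValueError:
                return False
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
                or "display:none" in style or "visibility:hidden" in style)

    def _off_host(self, src):
        """True when src points at a host other than the site or its subdomains."""
        if not src:
            return False
        host = urlparse(src).hostname
        if host is None:          # relative URL: served from the site itself
            return False
        host = host.lower()
        return not (host == self.first_party_host
                    or host.endswith("." + self.first_party_host))


def scan_html(html, first_party_host):
    """Return the list of findings for one page, in document order."""
    parser = InjectionScanner(first_party_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a news page with an injected hidden iframe and an
# obfuscated inline script. The .invalid TLD is reserved and resolves nowhere.
SAMPLE_PAGE = """<html><head><title>Local news</title>
<script src="/js/site.js"></script></head>
<body><h1>Headline</h1>
<iframe src="http://example-badhost.invalid/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "news.example.com"):
        print(f"{kind:20s} {detail}")
```

These are heuristics, not a verdict: ad networks and analytics legitimately load third-party scripts, so "third-party-script" alone is a lead to review, while a zero-size iframe to a host you do not recognise, or an eval(unescape()) blob in a page your CMS should be rendering from templates, is worth treating as an incident. Run it against pages you serve and compare against a blacklist lookup such as the Google malware warnings in the screenshots below.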

Screenshot: Google's Denver Post malware alert

Screenshot: Firefox's Denver Post malware alert

Photo: Yuval Ben-Itzhak, CTO of Finjan

TJMaxx Agrees to a “Leadership Role” In Data Security

Posted in Announcements, Breach, criminal forensics, darkweb, ediscovery, Legislation, Vulnerabilities, web server security on June 24, 2009 by datasecurityblog

The TJX Companies, owner of the large US retailer TJMaxx, today announced that it has settled with a multi-state group of 41 Attorneys General, resolving the States’ investigations into the criminal intrusions into TJX’s computer systems that the company disclosed over two years ago.

Jeffrey Naylor, Chief Financial and Administrative Officer of The TJX Companies (the owner of TJMaxx) stated, “This settlement furthers our goal of enhancing consumer protection, which has been central to TJX. Under this settlement, TJX and the Attorneys General have agreed to take leadership roles in exploring new technologies and approaches to solving the systemic problems in the U.S. payment card industry that continue to plague businesses and institutions and that make consumers in the United States worldwide targets for increasing cyber crime.”

Mr. Naylor continued, “The sheer number of attacks by cyber criminals demonstrates the challenges facing the U.S. payment card system in protecting sensitive consumer data. This settlement furthers TJX’s efforts to unite retailers, law enforcement, banks, and payment card companies to consider installing in the U.S. the proven card security measures that are already in use throughout much of the world.”

What has not been announced is what, specifically, TJMaxx or the states will do to take a leadership role in exploring new technologies and approaches to improving data security.

Here are some suggestions:

1. Make protecting information a core function for organizations of all sizes. Too often, data security is treated as “an IT task,” and in many organizations today it is just a subset of the IT department. The CTO, CIO or MIS manager then ends up deciding the trade-off between ease of access and security. Instead, the Chief Information Security Officer should report to the CFO or CEO and bring them actionable information risks along with options to mitigate those risks. Striking the balance between ease of use and security is a business decision for the non-technical manager, not for the head of IT.

2. Educate businesses that the PCI standard is a MINIMUM standard, a floor to be met now, not a bar or goal to be reached “one day.”

3. Educate businesses on the ISO 27000 series, OWASP, NIST, and other standards and guidance that can help protect information.

4. The culture in security and business is not to do PR about specific security measures. Make an exception. TJMaxx should use its bully pulpit, deploy, and get the word out about the importance of advanced web application scanning, data encryption, defenses against web drive-by downloads, two-factor authentication, wireless security (the TJX intrusion was widely reported to have begun over a poorly secured store wireless network), and open-source tools.

5. Responsible disclosure. Today it is almost impossible to alert a business that it has a security flaw. Retailers and other businesses must provide an easy, published way for “good guy” security researchers to report a security issue when they discover one.

Almost every state has a data breach notification law. The money that goes to the states should be used to better educate managers and decision makers about protecting personally identifiable information, along the lines of the list above.

According to press reports, 40 states are participating in this settlement agreement. Those states are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, and Wisconsin. The District of Columbia is also a party to the settlement.

If TJMaxx is serious about playing a leadership role in data security, we hope to hear from them about what they will do. The Data Security Podcast has reached out to TJMaxx. We have requested an interview for the audio program. We will let you know their response.