Major retailer suffers data breach

When it comes to security, 2007 has started off with a bang—a major data breach that could potentially make history, a Trojan horse following an epic storm, and a Swedish bank losing millions. Get the details in this edition of the IT Locksmith, and get some resources to make sure your company isn't the next one to make headlines.

2007 has started off with some serious security breaches and some really scary reports from security vendors. On the bright side, you can use these reports to improve corporate security procedures.


Let's start off with the bad news: If you know anyone who shops at any of the 2,300 T.J. Maxx or Marshalls stores in the United States or Canada (as well as HomeGoods, HomeSense, Winners, A.J.Wright, TK Maxx, and Bob's Stores), tell them to start watching their credit. Last week, the company announced that a hacker had potentially compromised tens of millions of credit and debit cards.

According to the International Herald Tribune, this could possibly be the biggest retail security breach to date. Then again, it could have far less impact. The company is still investigating, and no one apparently knows yet if hackers merely saw a database or downloaded it in its entirety, which would have included checking account information and even some driver's license info.

This is potentially a gigantic hit, and the facts are still unfolding. Even more important is the fact that the corporation relied on its bank to secure the data—who's supposed to be securing your clients' financial data?

Stormy weather

Don't ever say that attackers don't know how to take advantage of a natural disaster. "Storm Worm," one of the larger Trojan horse attacks in recent years, is raging across Europe on the heels of a disastrous real-time storm.

Sporting the subject line of "230 dead as storm batters Europe," the malicious e-mail turns computers into spam zombies. The attack started during the height of the deadly storm in Central Europe.

In addition, reports have surfaced that a rootkit Trojan has hit Swedish bank Nordea in a big way—resulting in the theft of almost eight million krona (up to $1.1 million U.S.) over the past year. Phishing e-mails sent to bank clients encouraged at least 250 customers to download an antivirus application containing a Trojan.

Reading list

On, Kaspersky Lab has published an analysis of criminal malware activity—"The Virtual Conflict—Who Will Triumph?"—which I consider essential reading for IT managers. The report examines the relationship between malware developers, antivirus and other security companies, and largely ineffective government action to counter the criminals. For example, the latest tactic employed to defeat antivirus efforts is the sandwich approach, which uses multiple code packers in an attempt to hide the true nature of the attack code.

In addition, McAfee has published the "McAfee Virtual Criminology Report 2007: Organized Crime and the Internet." According to one chilling part of this white paper, criminal groups are taking a page from mob movies in which the Mafia grooms lawyers and even FBI moles, paying for their education in the process. But even more sinister are the tactics these groups employ to "turn" young IT students before their moral compass solidifies. Check out the free report for more details.

There are several lessons you can take from this study. One example is to add some ostensibly innocent questions to your interviewing process. Right out of school, many newly minted IT professionals don't always grasp the seriousness of such actions as trying to guess someone's password, phone phreaking, or playfully hacking someone's homework file.

Case in point: Just last summer, Purdue University asked computer science students about common student hacker practices, and more than 75 percent admitted to them. Would you rather hire one of the 75 percent or one of the 25 percent—presuming those respondents were telling the truth?

You could slip some such questions into your interview process under the guise of determining the applicant's skill level. What you do with such knowledge about an applicant is obviously up to you and upper management.

Open source

In what could be a significant move affecting all Linux managers, news has surfaced that two Linux consortia are merging together to join standards and guide the development of Linux. The newly formed Linux Foundation is a joint effort of the Open Source Developer Labs (for which Linux founder Linus Torvalds works) and the Free Standards Group (overseer of the Linux Standards Base).

OSDL has focused on high-end servers and Linux itself (hence Torvalds' association), while FSG has worked to integrate Linux with applications and standardize the interfaces. Since the two groups were mostly working on different aspects of Linux, they could integrate well—and potentially provide a powerful, centralized group.

Final word

Even if this latest security debacle doesn't turn out all that bad, it once again highlights how weakly companies secure financial data. Don't let your company be the next one to make headlines. And while you're at it, don't forget to read that Kaspersky Lab report.

Miss a column?

Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

Editor's Picks

Free Newsletters, In your Inbox