Archive for May 2008
Raiders of the Lost Backup Tapes
Posted by: Tom

Amazing that security breaches like the one I am about to tell you about are becoming more common...so common that mainstream media outlets like CNN don't even report them anymore. If you haven't read about this pretty significant security breach yet...let me briefly tell you about it...
Customers of Bank of New York (BNY) Mellon and People's United Bank of Bridgeport, CT may have had their Social Security numbers and bank account information lost when unencrypted backup tapes went "missing" from BNY Mellon. No big deal right? Only 4.5 million customers affected. From the Reuters article:
"...on February 27, Bank of New York Mellon was transferring back-up tapes with data, including names, addresses, birth dates and Social Security numbers, when it lost a box with six to 10 unencrypted tapes....an archiving vendor lost the tapes from its Shareowner Services unit, but there was no evidence any data had been inappropriately accessed or used." [sic]
Basically People's hired BNY Mellon Shareowner Services in 2007 to tabulate votes and process stock orders during its conversion from a mutual bank, which is owned by depositors, to one that is fully publicly traded.
Moving on...nothing to see here right?
The problem is that this data was not BNY Mellon's customer data but the customer data from People's United Bank, some Wachovia employees and some 64,000 MetLife shareholders...
"People's United claims this was a BNY Mellon security lapse, as People's United transmitted encrypted information to BNY Mellon who in turn created the unencrypted backup tape(s) that was lost."
Good for People's Bank for encrypting the data in the first place...but the problem lies with the vendor(s). It seems that more and more financial institutions are letting other financial institutions and other vendors process transactions and convert information for them. Trusting others with your sensitive data is not always the best idea (even though that's how business gets done these days); however, BNY Mellon should have encrypted these backup tapes in the first place! What about the vendor (Archive Systems Inc.) who actually lost the box of tapes? I would think that they are to blame as well. Sounds like a lot of vendor management issues here from many angles.
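The control this post is arguing for is simple to state: encrypt the backup before it leaves the building, so a lost box of tapes is an inconvenience rather than a breach. The following Go program is an added example written for this post (it is not code from BNY Mellon, Archive Systems or the Reuters article) showing the shape of that control: the archive is sealed with AES-256-GCM before it is handed to the courier, a pre-shipment check confirms that none of the sensitive field values are still readable in the artifact, and any modification in transit is detected on decryption. The customer records, the SSN values and the key are all constructed for the example; a real deployment would fetch the key from an HSM or KMS and never ship it alongside the tapes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecords is constructed sample data standing in for the customer
// records on a backup tape; every value here is made up for this example.
var sampleRecords = []byte(
	"name=Jane Example;dob=1970-01-01;ssn=123-45-6789;acct=0001234567\n" +
		"name=John Example;dob=1965-05-05;ssn=987-65-4321;acct=0007654321\n")

// EncryptBackup seals plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag, which is what would actually be written to tape.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBackup reverses EncryptBackup; the GCM tag makes it fail on any
// modification of the blob or on the wrong key.
func DecryptBackup(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ContainsPlaintext is the pre-shipment check: it reports whether any of the
// given sensitive values still appear verbatim in the artifact about to leave
// the building. A true result means the tape was never encrypted.
func ContainsPlaintext(artifact []byte, sensitive [][]byte) bool {
	for _, s := range sensitive {
		if bytes.Contains(artifact, s) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed key for the example only (see the lead-in about HSM/KMS).
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sensitive := [][]byte{[]byte("123-45-6789"), []byte("987-65-4321")}

	fmt.Println("unencrypted tape leaks SSNs:", ContainsPlaintext(sampleRecords, sensitive))

	blob, err := EncryptBackup(key, sampleRecords)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted tape leaks SSNs:  ", ContainsPlaintext(blob, sensitive))

	// Tampering in transit is detected: flipping one byte fails authentication.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptBackup(key, tampered)
	fmt.Println("tampered blob rejected:     ", err != nil)

	// Only the legitimate key holder recovers the records.
	plain, err := DecryptBackup(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:              ", bytes.Equal(plain, sampleRecords))
}
```

The point of `ContainsPlaintext` is that it runs against the bytes the courier will carry, not against what the backup job says it did; a job that silently wrote an unencrypted copy, which is what the quoted Reuters text describes, fails this check before the box leaves the dock.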
I would think that a large archive vendor like this would have some kind of policy stating some form of compensation for losing a box of tapes in transit. Almost how armored truck carriers transfer money from a bank branch to a financial processing center...if the armored car was compromised in transit and the bank lost all the money inside the car, it's not the bank's fault...thus the armored car carrier is responsible for the loss and would have to compensate the bank.
Looks like 4.5 million customers will get one year of crappy credit monitoring service as usual because of poorly managed vendor relationships. Nice.
KeePass Password Manager
Posted by: Tom

I wrote an article some time ago about multiple platform password managers. At the time I talked about PasswordSafe and Password Gorilla. While both of these are really good password managers that work on Linux, Windows and OSX...Matt Neely talked about KeePass at the NEO InfoSec Forum last week and how KeePass is probably the best password manager available.
What is really cool about KeePass is that you can use it on just about anything, including Blackberry and Windows Mobile devices. Having a password manager on the Blackberry just about sold me and I have yet to try it; however, what did sell me was the KeePass port called KeePassX for Linux and OSX! I downloaded and installed it on my Mac and it is way faster than the old Password Gorilla. The features are really great too, with automatic clearing of your clipboard, a nice easy-to-navigate interface and a password expiration system. My only gripe was that I had to load up the Windows version to import my PasswordSafe formatted database file for use in the OSX version. The Windows version has a plugin you can download which will automatically import your database file from PasswordSafe. There is no PasswordSafe import plugin for OSX currently. Other than that, I am converted and love it!
TJX Employee Fired for Posting Security Issues
Posted by: Tom
"Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords."
"...a store server that was running in administrator mode, making it far more susceptible to attackers..."
and my favorite...
"My store manager even posted the password and user name on a post-it note..."
So what's the issue here? Two things...sure, telling your management that there are security issues was the right thing to do. However, when nothing changes based on the information you told them, then things need to be escalated to a higher level of management. I would hope that TJX has some sort of "ethics" or "privacy" hotline (most major companies have these and they are anonymous) that this guy could have called. How about doing some research within the company Intranet to find out who to contact...that would be an easy approach to take if your management is not listening to you. Secondly, not the brightest idea to post on a hacking forum to let the whole world know of these issues. This guy was easily tracked back to his real IP...heck, he probably even posted from work, which made tracking him even easier! If he was really serious about not wanting to be caught then he should have used Tor or some other anonymous proxy to set up the account and make those postings (keep in mind he was just a retail worker with no IT background, so Internet anonymity was an afterthought). Either way, not a very smart thing to do.
I still find it hard to believe that the TJX information security department would have thought it was OK to have blank passwords to log on to servers! If so, these are not security professionals in my book...heck, a bunch of script kiddies wouldn't even use blank passwords! My guess is that the information security department never even knew about these issues. The "management" that he reported the issue to was actually the loss prevention department. The loss prevention department in retail and other companies mainly deals with preventing shoplifting and theft...really not the right people to handle information security issues. Regardless, TJX still seems like a security train wreck...they won't be getting my business anytime soon.
SecuraBit: New Security Podcast
Posted by: Tom

