Message-ID: <4b6ee9310805261939t66056709l27074e5164ffd492@mail.gmail.com>
Date: Tue, 27 May 2008 03:39:09 +0100
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Fwd: TJX staffer sacked after talking about security problems

---------- Forwarded message ----------
From: n3td3v <xploitable@...il.com>
Date: Tue, May 27, 2008 at 3:35 AM
Subject: TJX staffer sacked after talking about security problems
To: n3td3v <n3td3v@...glegroups.com>


A low-level TJX employee has lost his job for speaking in public about
information security problems he uncovered while working for the
company.

The employee, Nick Benson, is a University of Kansas student who
worked at T.J. Maxx's Pine Ridge Plaza store in Lawrence, Kansas. In
an email interview, he said he was fired Wednesday for violating
corporate policy by disclosing proprietary information.

TJX is sensitive about information security after being the victim of
a massive data theft, apparently made possible by poor security on the
company's wireless networks. That breach, which compromised 94 million
credit and debit card accounts, has cost the company tens of millions
of dollars in legal settlements.

Benson, also known by his hacker name, Cryptic Mauler, is a frequent
poster to computer security discussion groups such as Full Disclosure
and the Sla.ckers.org web forum, where he criticized the company's
password policy, its server security settings, and the competence of
the technicians who install firewalls at the company's stores.

"I never use anything but cash at their stores, but it's hard to sleep
at night knowing the same network stores my employee information," he
wrote on August 22, 2007. "For all I know that information has already
been picked clean by the hackers and [the] company could have swept
it under the rug."

Although Benson didn't disclose anything that would have been news to
a "vaguely smart" criminal, he did make a mistake by not disclosing
the problems he'd found through the proper channels, said Robert
Hansen, the CEO of Sectheory.com and owner of the Sla.ckers.org site.
He first blogged about Benson's termination on Thursday.

Hansen said he felt bad for Benson, as did many of the contributors to
his website. "He's a young guy," he said. "He didn't know the rules."

It's an all-too-common story in the information security industry,
Hansen said. "When people are new to information disclosure ...
they're idealistic and young and they tend to make mistakes," he said.
"A good chunk of the people who sympathize with him have had almost
exactly the same thing happen to them."

Benson said he reported the issues to his store manager and the
company's district loss prevention manager but no immediate action was
taken.

Just last week, Benson expressed concern that he might be fired for
reporting the problem. "I don't want to lose my job for reporting
this," he wrote. "Unfortunately anonymously reporting this will not
work, since it would require me giving the store location which would
then easily zero me out."

Apparently TJX zeroed Benson anyhow, identifying him from the IP
address he used to post his comments to the Web site, Hansen said.

The company met with him on Wednesday and asked him to explain all the
security issues he'd found. After that, he was "fired on the spot," he
said.

TJX did not return calls seeking comment for this story.

Benson said the company has threatened to take legal action against
him if he talks any more about the company's security problems.

http://computerworld.co.nz/news.nsf/scrt/3A2C5453A05F8C31CC257454006CE111

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/