Posts Tagged ‘security through obscurity’

TJ Maxx fires whistleblower

Thursday, May 29th, 2008

A few other people have been all over this already, but TJ Maxx, victims of a rather large electronic break in a few years ago, has recently fired an employee for revealing many of their lax security policies. The issues he raised were not small ones either:

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards.

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers.

My store manager even posted the password and username on a post-it note.

Lest anyone think this employee started off on the wrong foot, he did try to tell management first, but to no avail. It was only afterwards that he mentioned these things in public. Now, whether he should have done this or not is clearly a matter that could be the subject of much debate. The issue I feel more strongly about is the way TJ Maxx responded.

Firing this employee is, in my opinion, the worst form of security-through-obscurity. Rather than realizing that lax policies lead to security problems, they think that it’s the revelation of lax policies that leads to security problems. A simple root cause analysis should reveal that it’s the policies, not their revelation, which are the source of security weaknesses, and it’s time for TJ Maxx to wake up.

Security Through IPv6 Obscurity

Tuesday, May 6th, 2008

When dealing with any kind of security, whether physical or electronic, there are two kinds of attacks to worry about – those that pick their targets based on opportunity, and those that pick their targets based on intent. To borrow a common example, an attacker looking for a target of opportunity simply walks down the street trying the door handle on every car, looking for one that is unlocked, while an attacker with a target of intent is trying to steal a specific car. When it comes to the internet, many large entities (especially government organizations) are regular targets of intent. On the other hand, things like viruses and worms that scan indiscriminately for unpatched systems are perfect examples of attacks on targets of opportunity.

Most internet organizations currently consider both lines of attack when designing a security plan, although this may start to change if IPv6 ever becomes a full-fledged reality. (Whether or not IPv6 ever does gain wide acceptance is not a matter I care to speculate on.) Since IPv6 uses 128-bit addresses (IPv4 uses 32-bit addresses), there will be approximately 3.4×10^38 total IP addresses. Even small organizations could have IP spaces that dwarf the entire IPv4 address space. Scanning random IPv6 addresses looking for targets will likely become an exercise in futility. One way attackers will have to adapt in an all-IPv6 world is to spend much more time footprinting their targets – trying to find specific systems through publicly available information sources before attacking them. Parts of this process can clearly be automated by opportunists. For example, an attacker could use Google to find web servers at random and then check them for web-specific flaws. However, this will likely deter several common methods of finding targets of opportunity. The danger in this, of course, is that internet organizations will get lazy and assume that if they can simply hide something in the larger IP space it will never be found. As we all know, difficult does not mean impossible.
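To put a number on "an exercise in futility", here is an added example (my own, not part of the original post) that computes the expected number of random probes, and the expected time at an assumed probe rate, before a blind scanner stumbles on one of an organization's hosts. The host count (1000), the probe rate (one million per second) and the 16-bit effective search space of the "sequential interface IDs" scenario are constructed assumptions. That third scenario is the caveat behind "difficult does not mean impossible": a 2^64 search space only buys obscurity if the interface IDs really are unpredictable; hosts numbered ::1, ::2, ... sit in a space no bigger than a modest IPv4 allocation.

```python
# Added example (not from the original post): how much does "hiding" in a
# large address space actually buy against blind, random probing?
#
# Model: a scanner picks addresses uniformly at random (with replacement)
# from a search space of 2**search_bits addresses that contains `live_hosts`
# reachable hosts. Each probe hits with probability p = live_hosts / 2**bits,
# so the expected number of probes until the first hit is 1/p.
# Every host count, probe rate and "effective bits" figure below is a
# constructed assumption chosen to illustrate the comparison.

from fractions import Fraction
from typing import Dict

SECONDS_PER_YEAR = 365 * 24 * 3600


def expected_probes(search_bits: int, live_hosts: int) -> Fraction:
    """Expected random probes until the first live host is found (exact)."""
    if live_hosts <= 0:
        raise ValueError("need at least one live host in the search space")
    return Fraction(1 << search_bits, live_hosts)


def expected_seconds(search_bits: int, live_hosts: int,
                     probes_per_second: int) -> Fraction:
    """Expected wall-clock time for the same search at a fixed probe rate."""
    if probes_per_second <= 0:
        raise ValueError("probe rate must be positive")
    return expected_probes(search_bits, live_hosts) / probes_per_second


def expected_years(search_bits: int, live_hosts: int,
                   probes_per_second: int) -> float:
    """Same as expected_seconds, expressed in years as a float."""
    return float(expected_seconds(search_bits, live_hosts, probes_per_second)
                 / SECONDS_PER_YEAR)


# Scenario -> number of address bits a blind scanner actually has to cover.
SCENARIOS: Dict[str, int] = {
    # IPv4: the organization's whole /16 is the search space (assumed).
    "IPv4 /16": 16,
    # IPv6 /64 whose interface IDs are genuinely unpredictable
    # (e.g. RFC 7217 stable-opaque or RFC 4941 temporary IIDs): all 64 bits vary.
    "IPv6 /64, random interface IDs": 64,
    # IPv6 /64 whose hosts were numbered ::1, ::2, ...: only the low ~16 bits
    # ever vary (assumed), so the effective search space collapses.
    "IPv6 /64, sequential interface IDs": 16,
}


def compare(live_hosts: int = 1000,
            probes_per_second: int = 10**6) -> Dict[str, float]:
    """Expected years to the first hit for every scenario, at one probe rate."""
    return {name: expected_years(bits, live_hosts, probes_per_second)
            for name, bits in SCENARIOS.items()}


if __name__ == "__main__":
    for name, years in compare().items():
        print(f"{name:38s} expected time to first hit: {years:.3e} years")
```

The random-IID row works out to roughly 585 years at one million probes per second, while the sequential-IID row is indistinguishable from the IPv4 /16 row: a few tens of microseconds. The mitigation that keeps the large number honest is therefore an addressing policy, not the address size: use unpredictable interface identifiers (RFC 7217 or RFC 4941) rather than hand-numbered hosts, and do not count the address space as a control at all for anything that is also discoverable through DNS or other public sources.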
