The methods used in the TJX breach have been widely “known” for some time now; crack WEP, remotely connect upstream, sniff transactions. Prat Moghe has posted an organized list of details supposedly from actual testimony. There is nothing new yet, but this at least lends more weight to some facts.
Still, there are gaping questions not covered, or at least not covered yet. I posted a couple of questions in the comments on that post. Here they are, plus a couple more.
1) What sort of protection was or was not in place to filter and detect fraudulent traffic from the store to the datacenter? My guess would be a leased line or site-to-site VPN that was wide open.
2) How did the attackers gain admin rights to the “RTS” server(s)? If it was just a little wave of a magic wand, then that points to another breakdown, this time in patching or HIPS protection.
3) How did the attackers install “custom sniffing” software on the “RTS” server(s)? Did this show up under installed software (gah!) or in a task listing? If so, this should ideally be monitored (yeah, ideally anyway), or some sort of tripwire set up.
4) Outbound FTP from the data center? I guess, but this could be blocked or at least alerted upon. I mean, how often would this bank of servers really initiate FTP connections or any connections to the Internet cloud?
5) I’m curious at what level the sniffing occurred. For instance, was it grabbed right off an unencrypted connection, or pilfered lower in the OS?
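The tripwire idea from question 3 is the easiest of these to show concretely: take a hashed baseline of what sits on a server that should not change outside a maintenance window, then diff later snapshots against it. The script below is an added example written for this post, not anything from TJX or from the testimony; the directory layout, file names (`rts_service`, `libpay.so`, `collector`) and contents are all constructed inside a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots. On a transaction server that only changes during
    scheduled maintenance, anything in 'added' or 'modified' deserves an alert."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed 'server' tree, baseline it, then simulate a change."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "bin"
        bin_dir.mkdir()
        # Hypothetical file names, constructed for the example.
        (bin_dir / "rts_service").write_bytes(b"original service binary")
        (bin_dir / "libpay.so").write_bytes(b"payment library")
        baseline = snapshot(root)

        # Simulated unauthorized activity: a new executable appears and an
        # existing binary is replaced. Both events are constructed here.
        (bin_dir / "collector").write_bytes(b"unexpected new executable")
        (bin_dir / "rts_service").write_bytes(b"replaced service binary")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored off-box (an attacker with admin rights can rewrite a local baseline as easily as the binaries), and the comparison would be scheduled and its output fed to whatever alerting the data center already has.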
And I’m still just scratching the surface. Interestingly, none of the above is integral to actually making the payment transaction system work as needed. All of it is added on as security tightening. Kinda illustrates that the priority is getting things working, not getting things working securely.
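Questions 1 and 4 both come down to an egress policy for the server bank: internal destinations are expected, one or two external endpoints are sanctioned, and anything else a transaction server initiates should at least raise an alert, with outbound FTP ranked highest. The following is an added example, not from the post or from any TJX material; the log format, the server subnet (10.20.5.0/24), the allowlisted endpoint (198.51.100.10:443) and every log line are constructed for illustration.

```python
import ipaddress
import re

# Policy assumptions, constructed for this example: the payment servers live
# in one subnet, the RFC 1918 ranges count as internal, and exactly one
# external destination/port pair is sanctioned.
SERVER_SUBNET = ipaddress.ip_network("10.20.5.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = {("198.51.100.10", 443)}   # e.g. a payment processor endpoint
FTP_PORTS = {20, 21}

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)")

# Constructed firewall log lines; the key=value format is invented for the example.
SAMPLE_LOG = """\
ts=2000-01-01T02:14:07 fw=fw01 src=10.20.5.11 dst=10.20.9.40 dport=1433 proto=tcp action=allow
ts=2000-01-01T02:14:09 fw=fw01 src=10.20.5.11 dst=203.0.113.45 dport=21 proto=tcp action=allow
ts=2000-01-01T02:15:30 fw=fw01 src=10.20.5.12 dst=198.51.100.10 dport=443 proto=tcp action=allow
ts=2000-01-01T02:16:02 fw=fw01 src=10.20.5.12 dst=203.0.113.80 dport=443 proto=tcp action=deny
ts=2000-01-01T02:16:10 fw=fw01 src=192.168.40.7 dst=203.0.113.45 dport=21 proto=tcp action=allow
this line is malformed and is skipped by the parser
"""


def parse_line(line):
    """Extract the fields the policy needs; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def egress_alerts(log_text):
    """Return one alert per connection a payment server initiated to a
    destination outside the internal ranges that is not on the allowlist.
    Denied attempts are reported too: a blocked try is still a signal."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src not in SERVER_SUBNET or is_internal(dst):
            continue
        if (rec["dst"], rec["dport"]) in ALLOWED_EXTERNAL:
            continue
        # Outbound FTP from a transaction server is the specific pattern the
        # post asks about, so it outranks other unexpected egress.
        severity = "high" if rec["dport"] in FTP_PORTS else "medium"
        alerts.append({
            "src": rec["src"], "dst": rec["dst"], "dport": rec["dport"],
            "action": rec["action"], "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in egress_alerts(SAMPLE_LOG):
        print(alert)
```

Two design notes. The internal ranges are spelled out rather than using `ipaddress`'s `is_private`, because that property also returns True for the documentation ranges (203.0.113.0/24 and friends) used as "Internet" addresses here, and an explicit list is the policy you would actually want reviewed. And the allowlist is keyed on destination and port together: a server that legitimately talks HTTPS to the processor has no business opening FTP to the same host.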