[cryptography] Non-governmental exploitation of crypto flaws?

Jon Callas jon at callas.org
Mon Nov 28 21:10:28 EST 2011


>> 
>>> WEP?  Again, we all know how bad it is, but has it really been used?
>>> Evidence?
>> 
>> Yes, WEP was a confirmed vector in the Gonzales TJX hack:
>>> http://www.jwgoerlich.us/blogengine/post/2009/09/02/TJ-Maxx-security-incident-timeline.aspx
>> 
>> http://en.wikipedia.org/wiki/TJX_Companies#Computer_systems_intrusion
> 
> Ah --- I'll check.  I knew they attacked WiFi; I didn't recall that they'd
> cracked WEP.  Thanks.

I don't believe the TJX attack cracked WEP. I believe that the post-hack auditors identified WEP as a weak point, but the attackers got in through an easily-cracked network. By easily cracked I mean something like a stupid password or unsecured. The attackers were not sophisticated.

	Jon




More information about the cryptography mailing list