[Owasp-ireland] Potential of 4.2 million credit card details stolen via cyber attack.

Eoin eoin.keary at owasp.org
Tue Mar 25 08:14:57 EDT 2008


David, you have hit the nail on the head regarding the expertise in
understanding standards such as PCI.
This is a really big issue, as following the PCI standard in a blindly compliant
fashion gives a complete false sense of security. The PCI standard is
technically incorrect in some of its assumptions for a start.




On 25/03/2008, David Ryan <dave.ryan at gmail.com> wrote:
>
> I think interpretation of standards leads to a level of security that is
> reasonably required by the organisation interpreting them. Of course, I
> assume that the organisation is interpreting them with a modicum of
> expertise in the field, which may be provided via internal resources or
> through external consultancy. What they end up with might be "lower" than
> what is "ideal", which may not be "perfect", but may be all that particular
> entity can achieve at that stage of their
> iterative-information-security-management-lifecycle. This reinforces my
> original point, which evidently my elaboration failed to illuminate. The PCI
> standard is applicable in different ways to different entities and this is
> not only reflected in the ambiguity of the language within the standard, it
> is also reflected in the multi-tiered compliance and conformance
> requirements laid out by the PCI themselves.
>
> Objectivity is dead. Long live Subjectivity.
>
> Re: "breach". Granted, it is of concern, but perhaps less so considering
> the information that was lost was the card issuers and not the private
> information of the customer. I was also being somewhat facetious.
>
> On 25/03/2008, davidrook <david.rook at realexpayments.com> wrote:
> >
> > I fully understand that 100% security isn't realistic - thanks for the
> > clarification though ;-)
> >
> > I agree that the standard will always be ambiguous but do you not feel
> > that the interpretation of the standards is often what leads to a lower
> > level of security than is required?
> >
> > My own opinion is that any breach like this is a big issue; from a
> > consumer's perspective, if they have lost *any* data it should be a point
> > of concern.
> >
> > Dave
> >
> >
> > David Ryan wrote:
> > > Dealing in absolutes is an error. There is no "secure". There are
> > > security controls and depending on what, how, where, when, why, if,
> > > biff, bam, and boom they are implemented and managed their effect is a
> > > quasi-linear progression along the cost-versus-hardcore axis where
> > > they intersect at the "good enough for us at this moment in time"
> > > point. Compliance may equate to "good enough" security controls, but
> > > suggesting there is a final resting point for IT expenditure on all
> > > things security is folly.
> > >
> > > PCI has gone through a round of improvements and perhaps it will
> > > continue to do so in the future. Whilst I don't have a history of
> > > other safety standards from our recent industrialised history, I
> > > imagine there are comparable observations to be made. Cars did not
> > > start off with airbags and they still don't prevent people from
> > > killing each other on country roads or on overpriced toll roads.
> > >
> > > As for the PCIDSS being ambiguous, I agree. However, I think this is
> > > perhaps a necessary quality: Not all companies are equal. I would
> > > suggest that VISA/Mastercard/AMEX/etc wanted to establish a baseline
> > > for their own "insurance" purposes (imho and used here as a loose
> > > term).  Does it raise the proverbial bar? In my experience, it
> > > probably has done for some clients I've worked with and maybe not for
> > > others, but again this is an example of the underlying intention
> > > functioning (imho). Another example is BS7799/ISO17799 certification.
> > > No doubt any future attempts to provide a super-compliance-standard
> > > will end up with ambiguity too.  The point is that the organisation
> > > must interpret the "ambiguity" to suit their needs and explain why
> > > they have interpreted it as such to the auditor and, where applicable,
> > > compliance body.  The aim could be to provide the least amount of
> > > ambiguity as possible, but being overly prescriptive would perhaps be
> > > more prone to failure when issues such as capabilities, economics and
> > > other factors are considered.
> > >
> > > As for who is to blame? I'm sure they both have insurance ... *if* no
> > > personal data was lost, is this such a big issue? (from a consumer's
> > > perspective)
> > >
> > > On 25/03/2008, *davidrook* <david.rook at realexpayments.com> wrote:
> > >
> > >     I think this is another example of PCI compliance being just that - a
> > >     compliance standard. Being compliant (as is demonstrated here and with
> > >     TJX) does not always equate to being secure.
> > >
> > >     PCI is ambiguous and it could be improved to try and make companies both
> > >     secure and compliant. As for who is to blame, is it not a case of 6 of
> > >     one and half a dozen of the other?
> > >
> > >     Dave
> > >
> > >
> > >     Eoin wrote:
> > >     > Maybe a bit slow on this one but I thought I'd share it.
> > >     >
> > >     > A PCI compliant company was compromised and an estimated 4.2 million
> > >     > cc numbers were obtained.
> > >     > The issue arises that the company were PCI compliant and now the blame
> > >     > game has ensued. The PCI assessors are being blamed, there is mention
> > >     > of ambiguity regarding the PCI standard, where to apply some of the
> > >     > technical controls etc.
> > >     >
> > >     > http://www.theregister.co.uk/2008/03/18/hannaford_data_breach/
> > >     >
> > >     > http://www.hannaford.com/Contents/News_Events/News/News.shtml
> > >     >
> > >     > http://www.merchantcircle.com/blogs/Pre-Paid.Legal.Services.Inc.-.Ind.Associate.786-390-0581/2008/3/4.2-million-account-numbers-stolen-at-Hannaford-Bros.-Co./70643
> > >     >
> > >     > --
> > >     > Eoin Keary OWASP - Ireland
> > >     > http://www.owasp.org/local/ireland.html
> > >     > http://www.owasp.org/index.php/OWASP_Code_Review_Project
> > >     --
> > >     David Rook | david.rook at realexpayments.com
> > >     Information Security Analyst
> > >
> > >     Realex Payments
> > >     Enabling thousands of businesses to sell online.
> > >
> > >     Realex Payments, Dublin, www.realexpayments.com
> > >     Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
> > >     Tel: +353 (0)1 2808 559 Fax: +353 (0)1 2808 538
> > >
> > >     Realex Payments, London, www.realexpayments.co.uk
> > >     1 Hammersmith Grove, London W6 0NB, England
> > >     Tel: +44 (0)203 178 5370 Fax: +44 (0)207 691 7264
> > >
> > >     Pay and Shop Limited, trading as Realex Payments has its
> > >     registered office at Castlecourt, Monkstown Farm, Monkstown, Co
> > >     Dublin, Ireland and is registered in Ireland, company number 324929.
> > >
> > >     This mail and any documents attached are classified as confidential and
> > >     are intended for use by the addressee(s) only unless otherwise
> > >     indicated. If you are not an intended recipient of this email, you must
> > >     not use, disclose, copy, distribute or retain this message or any part
> > >     of it. If you have received this email in error, please notify us
> > >     immediately and delete all copies of this email from your computer
> > >     system(s).


-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Code_Review_Project