[Owasp-ireland] Fwd: Re: Heartland Breach: Bigger than TJX?

Brian Honan brian.honan at bhconsulting.ie
Wed Jan 28 16:54:30 EST 2009



Just came across this tonight

Heartland Sniffer Hid In Unallocated Portion Of Disk
http://www.storefrontbacktalk.com/securityfraud/heartland-sniffer-hid-in-unallocated-portion-of-disk/

Good write up on what the investigation has found thus far

Brian

-----Original Message-----
From: owasp-ireland-bounces at lists.owasp.org [mailto:owasp-ireland-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Wednesday, January 28, 2009 5:45 PM
To: owasp-ireland at lists.owasp.org; davidrook; Denis Carmody
Subject: [Owasp-ireland] Fwd: Re: Heartland Breach: Bigger than TJX?

The key point there is "certified" which is dangerous imho.
Certification pending a full blown pentest may be a better idea so "real security" can be somewhat addressed?
OWASP has the ASVS document which is attempting to address levels of security which is worth looking at.

http://www.owasp.org/index.php/ASVS

PCI is "certification to trade" and in my opinion should be in addition to other efforts to secure company and client assets :)

Thanks to everyone that has signed up to OWASP ($50) so far. This shall help develop further guides, tools, admin of the site and mail lists and also a few €€€ for chapter meeting speakers, beers and food etc.

Also a new version of the Code review guide (CRG) shall be out really soon and I would recommend anyone involved in such things to take a quick peek.

regards,

Eoin

OWASP Ireland Chapter Lead

On Jan 28, 2009 8:44am, davidrook <david.rook at realexpayments.com> wrote:
> It certainly has the potential to be bigger than TJX but no one knows
> for sure at the moment. They process 100m+ transactions per month but
> they aren't all affected judging by some of the press stories I have
> read. As with any PSP they will process a wide range of transaction
> types and I believe it was only their standard authorisation
> transactions that have been affected.
>
> Tough times for Trustwave at the moment though, they certified
> Heartlands and RBS Worldpay - both have announced data breaches within
> the past month.
>
> Dave
>
> Denis Carmody wrote:
> > Interesting reading, Heartland Breach: Bigger than TJX?,
> >
> > http://www.bankinfosecurity.com/articles.php?art_id=1175&rf=012279eb
> >
> > Heartland was compliant with PCI and certified by PCI assessor
> > Trustwave in April 2008.
> > _______________________________________________
> > Owasp-ireland mailing list
> > Owasp-ireland at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-ireland
>
> --
> David Rook | david.rook at realexpayments.com
> Security Analyst
>
> Realex Payments
> Enabling thousands of businesses to sell online.
>
> Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
> t: +353 1 2808559 | f: +353 1 2808538 | www.realexpayments.com
>
> 1 Lyric Square, London W6 0NB
> t: +44 203 1785370 | f: +44 207 6917264 | www.realexpayments.co.uk
>
> 27 avenue de l'Opéra, 75001 Paris.
> t: +33 (0)1 70 38 51 37 | f: +33 (0)1 70 38 51 51
>
> Visit our other Realex Payments websites:
> www.airlinepayments.com
> www.sepa.ie
>
> Pay and Shop Limited, trading as Realex Payments has its registered office at Castlecourt, Monkstown Farm, Monkstown, Co. Dublin, Ireland and is registered in Ireland, company number 324929.
>
> This mail and any documents attached are classified as confidential and are intended for use by the addressee(s) only unless otherwise indicated. If you are not an intended recipient of this email, you must not use, disclose, copy, distribute or retain this message or any part of it. If you have received this email in error, please notify us immediately and delete all copies of this email from your computer system(s).



--
Eoin Keary CISSP CISA
OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

Quis custodiet ipsos custodes




