Security expert slams PCI auditing

By Clement James
Apr 7, 2008 3:20 PM
Hannaford Bros revealed last month that intruders had broken into its network and stolen the credit card details of some 4.2 million customers.

It is understood that the hackers managed to download card details after the cards had been swiped at the checkout and were in the process of being authorised.

Brian Chess, founder and chief scientist at security firm Fortify Software, claimed that the uniformity of the breach suggests that the attackers were taking advantage of a software weakness.

"The fact that the servers in almost all of the stores were compromised makes it much more likely that the attackers found a vulnerability in a piece of code that was common to all the servers and used malware to exploit the weakness," he said.

"My guess is that hackers first broke into the internal corporate network, then did some basic network scanning to identify all of the target servers.

"They then figured out that there was a vulnerability on some piece of code running on all of the machines. We see many organisations that are much more lax about internal systems."

Chess added that the interesting thing about the case is that Hannaford Bros is believed to be fully PCI compliant and, as such, is unlikely to have to pay fines under current PCI rules.

"The store chain had passed its PCI audit, but PCI takes a relaxed attitude towards internal machines," he said.

The security expert pointed out that PCI DSS section 6.6, for example, requires companies to "ensure that all web-facing applications are protected against known attacks by applying either of the following methods: having all custom application code reviewed for common vulnerabilities by an organisation that specialises in application security; and installing an application layer firewall in front of web-facing applications".

Because that requirement covers only web-facing applications, this means that Hannaford Bros fulfilled section 6.6 by default so long as its web applications were only for use inside the corporate network.

"PCI DSS is a lot like a fire code or a health code. It does not guarantee smooth sailing, it just helps people avoid repeating a lot of painful mistakes from the past," said Chess.

Copyright © 2008 vnunet.com

 