01-24-2009, 10:43 AM | #1
King Of Wishful Thinking
Join Date: Jan 2001
Location: Philadelphia Suburbs
Posts: 6,669
Yawn.....Another multi-million dollar data breach
From here
Quote:
The TJX breach occurred with a WEP wireless crack.
__________________
Exercise your rights and remember your obligations - VOTE! I have always believed that hope is that stubborn thing inside us that insists, despite all the evidence to the contrary, that something better awaits us so long as we have the courage to keep reaching, to keep working, to keep fighting. -- Barack Hussein Obama

01-24-2009, 11:33 AM | #2
barely disguised asshole, keeper of all that is holy.
Join Date: Nov 2007
Posts: 23,401
Quote:
__________________
"like strapping a pillow on a bull in a china shop" -- Bullitt

01-24-2009, 02:54 PM | #3
dar512 is now Pete Zicato
Join Date: May 2003
Location: Chicago suburb
Posts: 4,968
These were likely mainframes or unix systems -- so finding black hats is a whole 'nother level of geekiness. Not to be found by a simple McAfee check.
But, yeah. You'd expect processors like this to have the right people and software on the job.
__________________
"Against stupidity the gods themselves contend in vain." -- Friedrich Schiller

01-24-2009, 03:52 PM | #4
barely disguised asshole, keeper of all that is holy.
Join Date: Nov 2007
Posts: 23,401
I was being facetious, but still, it took over 18 months to find the problem. I may be naive here, but isn't that like at least 17 1/2 months too long?
__________________
"like strapping a pillow on a bull in a china shop" -- Bullitt
Last edited by classicman; 01-24-2009 at 04:04 PM. Reason: space - the final frontier

01-24-2009, 03:59 PM | #5
dar512 is now Pete Zicato
Join Date: May 2003
Location: Chicago suburb
Posts: 4,968
Let's see, 171 divided by 2 equals 85.5. No, that's way too long. They should have found it in half a month at most.
(Just funnin ya)
__________________
"Against stupidity the gods themselves contend in vain." -- Friedrich Schiller

01-24-2009, 04:39 PM | #7
lobber of scimitars
Join Date: Jul 2001
Location: Phila Burbs
Posts: 20,774
Definitely bad, but unless they release a list of who they clear cards for, I don't know if it's "ohshitohshitohshit" bad or "doesn'tdirectlyinvolveme" bad.
I still want to know which breach caused Citibank to replace all of their cards a couple of months back ... they refused to tell me where the breach occurred. I've been suspecting PayPal, since that was one of only two places where that particular card number was in use (the other was AOL, but who the heck gives a crap about AOL anymore ...)
__________________
wolf eht htiw og
"Conspiracies are the norm, not the exception." -- G. Edward Griffin, The Creature from Jekyll Island
High Priestess of the Church of the Whale Penis

01-24-2009, 08:22 PM | #8
-◊|≡·∙■·∙≡|◊-
Join Date: Feb 2003
Location: Parts unknown.
Posts: 4,081
WEP? It takes about 2 minutes to crack a WEP password.
We are all so screwed.
__________________
♠ ♥ ♣ ♦

01-24-2009, 08:38 PM | #9
The future is unwritten
Join Date: Oct 2002
Posts: 71,105
They did?
__________________
The descent of man ~ Nixon, Friedman, Reagan, Trump.

01-24-2009, 10:16 PM | #10
lobber of scimitars
Join Date: Jul 2001
Location: Phila Burbs
Posts: 20,774
Mine was replaced after the TJ Maxx thing. I'm not referring to that. There was a data breach that they admitted to, but even when I called to speak to the security division, they wouldn't reveal the source, so I figured it was pretty big. I think they may have replaced it twice within a short period of time, based on what shows on their website and active/past accounts.
I'm no longer using my Citibank card ... not because of this stuff, just part of my debt reduction strategy.
__________________
wolf eht htiw og
"Conspiracies are the norm, not the exception." -- G. Edward Griffin, The Creature from Jekyll Island
High Priestess of the Church of the Whale Penis

01-24-2009, 10:18 PM | #11
The future is unwritten
Join Date: Oct 2002
Posts: 71,105
Mine hasn't been replaced.
__________________
The descent of man ~ Nixon, Friedman, Reagan, Trump.

01-25-2009, 12:09 PM | #13
Lecturer
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
Hi, I do InfoSec for a living
Hello,
I can tell you that they wanted to bury this under the Obama-mania. This is a big deal, and it is because EVERY major set of regulations mandates version checking and proper change management for critical systems. In other words, PCI-DSS, HIPAA, and other regulations (specifically the DoDI 8500.1 and DoDI 8500.2 overarching IA ones for government systems, and the DNS, UNIX, and Active Directory STIGs for DOD systems) specify that:

1. Every piece of data coming into the network needs to be examined.
2. The integrity of the systems doing the processing needs to be checked using third-party tools such as Tripwire (7.5V works for Windows, Linux, and third-party platforms, and does send changes in real-time). This extends to systems that are in any way, shape, or form involved in processing of data, and many people do not understand that.
3. There need to be multiple layers of protection at the host and network levels, using multiple layers of IDS/IPS systems, anti-virus (yes, these are available for Linux and UNIX), log analysis and correlation from multiple devices (again, if you cough up enough $$$ to IBM Global Services, Symantec, TriGeo, Quest or McAfee, they will provide you this), and the staff to handle this.
4. The staff to monitor and handle these logs, plus Job Rotation, is mandated by almost every major security best practice out there.
5. The fact that a third-party firm found this, rather than internal discovery, means that the internal staff which should have been checking this 24/7 didn't.
6. The fact that they didn't have a date as to when this was done shows that they weren't doing integrity checking on their critical systems.
7. The fact that they apparently aren't checking ports & protocols for incoming and outgoing traffic shows that they don't even know if the traffic is going to Russian Business Network or not. This is really bad!

If you're in this business, you know who your partners are, and you only allow the ones you need to do business with inside. Even then, you check every damn packet going in or out, and the integrity of the systems themselves. There's a reason why every major critical system I am in charge of security of that has access to the outside world has IBM ISS, Tripwire, and a full Ports & Protocols workup for outgoing and incoming traffic done.

8. Don't even get me started on their apparent lack of ability to patch. Most of these breaches are caused by known public security holes that companies don't properly patch against, or assume that firewalls and NAT will protect against.
9. If the documentation for changes isn't there, they're dead. PCI-DSS mandates this too as part of the change management process.

If they processed Government payment cards in any way, shape, or form, it could be game over for them. GSA may see them for not following PCI-DSS regs, and put out a 2-sentence ruling that will kill their business. I would not want to be Heartland Payment Systems now. I would want to be the competition or the third-party Audit Firm which will be brought in to remediate the situation (probably Deloitte).
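The integrity-checking control described in points 2 and 6 above, as an added example that is not from this thread or from Tripwire: a baseline of file digests for an approved system, sealed with an HMAC whose key is assumed to live off the monitored host, compared against the live file tree so that every change is recorded with the time it was first observed. The paths and file contents are constructed sample data, not real system files.

```python
# Added example (not from the thread or any product); sample paths/contents are constructed.
import hashlib
import hmac
import json
from datetime import datetime, timezone

def digest(data: bytes) -> str:
    """SHA-256 of one file's contents, hex-encoded."""
    return hashlib.sha256(data).hexdigest()

def build_baseline(tree: dict[str, bytes]) -> dict[str, str]:
    """Snapshot of an approved system: path -> digest for every monitored file."""
    return {path: digest(data) for path, data in tree.items()}

def seal_baseline(baseline: dict[str, str], key: bytes) -> str:
    """HMAC over canonical JSON; key assumed to live off the monitored host."""
    canonical = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def baseline_is_trusted(baseline: dict[str, str], seal: str, key: bytes) -> bool:
    """Reject a baseline that was edited to hide a change."""
    return hmac.compare_digest(seal_baseline(baseline, key), seal)

def check_integrity(baseline: dict[str, str], tree: dict[str, bytes], now=None) -> list:
    """Diff the live tree against the baseline; stamp each finding with first-seen time."""
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    findings = []
    for path in sorted(set(baseline) | set(tree)):
        if path not in tree:
            change = "removed"
        elif path not in baseline:
            change = "added"
        elif baseline[path] != digest(tree[path]):
            change = "modified"
        else:
            continue  # digest matches the approved snapshot
        findings.append({"path": path, "change": change, "first_seen": now})
    return findings

# Constructed sample: the approved build, and what a later scan of the host observed.
APPROVED_TREE = {
    "/opt/switch/bin/authorizer": b"ELF\x02 authorizer build 4.1",
    "/opt/switch/etc/routing.conf": b"acquirer=bank-a\nport=443\n",
    "/etc/cron.d/rotate-logs": b"0 3 * * * root /usr/sbin/logrotate\n",
}
OBSERVED_TREE = {
    "/opt/switch/bin/authorizer": b"ELF\x02 authorizer build 4.1 (unapproved rebuild)",
    "/opt/switch/etc/routing.conf": b"acquirer=bank-a\nport=443\n",
    "/opt/switch/bin/.cache.so": b"ELF\x02 shared object with no change record",
}
```

Running `check_integrity(build_baseline(APPROVED_TREE), OBSERVED_TREE)` reports the removed cron job, the unrecorded shared object and the rebuilt authorizer, each with a first-seen timestamp; the seal lets the baseline itself be verified before it is trusted.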
01-25-2009, 01:51 PM | #14
Read? I only know how to write.
Join Date: Jan 2001
Posts: 11,933
Quote:
Of course, the breach was rarely reported. This can be done with credit card numbers. This is not routinely possible with social security numbers. Just another reason why we still have near zero identity protection.

01-25-2009, 01:57 PM | #15
The future is unwritten
Join Date: Oct 2002
Posts: 71,105
Mitch, do you have a feeling for whether this Heartland fuck up was lazy IT people, or management cutting IT to the bone for the bottom line?
__________________
The descent of man ~ Nixon, Friedman, Reagan, Trump.