logo

  •   Submit to to del.icio.us   Submit to to digg   submit to to reddit   submit to to StumbleUpon   submit to to Google   Submit to to Yahoo!

Category: news | Posted by Avatar Staff 275 days ago
Via: http://lists.jammed.com | Tags: isn security expert slams pci auditing comments Discuss  


http://www.vnunet.com/vnunet/news/2213564/security-expert-slams-pci



By Clement James

vnunet.com

04 April 2008



A recent security breach at US supermarket chain Hannaford Bros was

almost certainly the work of hackers exploiting a single code flaw on

internal systems, experts say.



Hannaford Bros revealed last month that intruders had broken into its

network and stolen the credit card details of some 4.2 million

customers.



It is understood that the hackers managed to download card details after

the cards had been swiped at the checkout and were in the process of

being authorised.



Brian Chess, founder and chief scientist at security firm Fortify

Software, claimed that the uniformity of the breach suggests that the

attackers were taking advantage of a software weakness.



"The fact that the servers in almost all of the stores were compromised

makes it much more likely that the attackers found a vulnerability in a

piece of code that was common to all the servers and used malware to

exploit the weakness," he said.



"My guess is that hackers first broke into the internal corporate

network, then did some basic network scanning to identify all of the

target servers.



"They then figured out that there was a vulnerability on some piece of

code running on all of the machines. We see many organisations that are

much more lax about internal systems."



Chess added that the interesting thing about the case is that Hannaford

Bros is believed to be fully PCI compliant and, as such, is unlikely to

have to pay fines under current PCI rules.



"The store chain had passed its PCI audit, but PCI takes a relaxed

attitude towards internal machines," he said.



The security expert pointed out that PCI DSS section 6.6, for example,

requires companies to "ensure that all web-facing applications are

protected against known attacks by applying either of the following

methods: having all custom application code reviewed for common

vulnerabilities by an organisation that specialises in application

security; and installing an application layer firewall in front of

web-facing applications".



This means that Hannaford Bros fulfilled section 6.6 by default so long

as its web applications were only for use inside the corporate network.



"PCI DSS is a lot like a fire code or a health code. It does not

guarantee smooth sailing, it just helps people avoid repeating a lot of

painful mistakes from the past," said Chess.





___________________________________________________

Subscribe to InfoSec News

http://www.infosecnews.org/mailman/listinfo/isn





addto Add this link to... report Bury 


Comments Who Voted Related Links
Copyright 2005-2008 Best of Security