<![CDATA[[SecurityRatty] tag: downright]]>

<![CDATA[[SecurityRatty] tag: downright]]> http://securityratty.com/tag/downright Sun, 06 Jan 2008 17:00:06 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA["It Was an Insider!" = "Sorry, We Are Idiots!"]]> http://securityratty.com/article/ea65b99c8e0068a44dbba4a9c051e2c6 http://securityratty.com/article/ea65b99c8e0068a44dbba4a9c051e2c6 Hannaford breach the work of an insider? I think whoever made this one up was thinking like this:

We are PCI compliant, we pretend to have good security, etc ->
we suffer a huge embarassing data loss ->
how can we still justify our past efforts as worthwhile and "effective" (even though reality just proved they were not) ->
let's invent a factor that is known to bypass many of the existing defenses ->
what this factor? ->
Yes! Insider! It was an insider! ->
We KNOW it :-)

(Mike R doubts it too here)

Some of the stories on this get downright idiotic, like this: "... also confirms repeated theoretical warnings that malicious hackers can create custom remote-control Trojans for specific targets." Really? How about it was known since, say, 1980s? :-)

Here is a fun chronology of the events by Richard "IDS is dead" Stiennon as they are known (as they are reported?)

]]> Wed, 02 Apr 2008 09:11:00 +0000 insider custom remote-control trojans malicious hackers data loss fun chronology theoretical warnings downright idiotic specific targets past efforts "It Was an Insider!" = "Sorry, We Are Idiots!" <![CDATA[The Case For Information Security]]> http://securityratty.com/article/4cf3f3553687b612b1bdf62508270637 http://securityratty.com/article/4cf3f3553687b612b1bdf62508270637 While working as a security consultant, every MDAC attack, every cross-site scripting attack, every SQL injection attack, every custom application vulnerability that was exploited, was treated with such zeal that it made me think the companies that we assessed should be eternally grateful to us for having found those vulnerabilities and saved them millions and millions of dollars.

Now that I'm on the other side of the fence, I see why they didn't care so much. The companies don't care. Okay, so there is a SQL injection. a few dozen SQL injections. what does it mean to me the CFO or me the CEO ? the loss of a few card numbers ? we already are monitoring fraud losses - and have money set aside too. Can this be translated into a mass compromise of card data ? Hmm - now, you probably caught my attention. Loss of reputation - temporary. But try convincing me this could mean something critical to the bottom line - that is downright hilarious. Because the truth is - Wall St doesn't care about a company being hacked. Don't believe me ? Check out TJX. 46 million card numbers. Biggest ever breach so far. The current stock price ? An all-time high right now.

The same with AT&T. 19000 Card numbers stolen.

Choicepoint shareholders punished the company for a while - and then forgave and forgot.

So what does this mean for you and me ? Should we just ignore the fact that our personal data can be compromised and sold on the internet because the loss of our information is something 'they' have already accounted for ? Thats brutal. A weak glimmer of hope could be PCI. PCI SSC has been making an effort to fix this scenario - and we could begin to see changes. But these standards are currently so vague and can be interpreted in so many different ways - it is pathetic. Unless there are strict regulations (FFIEC/FDIC begin requiring Application Security integrated into the SDLC of a company and quarterly validation by different independent 3rd parties would be nice :) )and stricter enforcement - with real hefty fines - Wall St. may just continue to look the other way ..and we all know that Wall St is what matters.

]]> Fri, 21 Mar 2008 11:08:00 +0000 attack mdac attack sql injection attack card card data sql injection million card loss pci The Case For Information Security <![CDATA[Scamming the Scammers: 5 Brilliant Reverse 419 Scams [Pics]]]> http://securityratty.com/article/10efa362592162a65b165bd8e96a1444 http://securityratty.com/article/10efa362592162a65b165bd8e96a1444 Tue, 12 Feb 2008 13:00:06 +0000 scammers international scammers business partners downright hilarious countless people clever crusaders royal families fortunes access Scamming the Scammers: 5 Brilliant Reverse 419 Scams [Pics] <![CDATA[Facebook Voter Registration App Asks for SSN w/o SSL]]> http://securityratty.com/article/c43a64dc765f0f0fea72aaa599e3727f http://securityratty.com/article/c43a64dc765f0f0fea72aaa599e3727f Sun, 06 Jan 2008 17:00:06 +0000 security whatsoever downright retardulous social security people idea vote encryption Facebook Voter Registration App Asks for SSN w/o SSL