[SecurityRatty] tag: hannaford

PCI compliance, building the base

Thu, 12 Jun 2008 07:54:22 +0000

Blogger: Randall Gamby

An alarming trend is beginning to surface within SMB “PCI compliant” companies, like Hannaford Brothers (http://www.networkworld.com/news/2008/031708-hannaford-data-breach.html), Okemo Mountain Resort (http://www.okemo.com/okemowinter/security_update.asp), etc. Credit data is being stolen! While this is exceedingly bad, I have a theory on why this is happening.

Before I get into my theory I’d first like to talk about military bases. As we all know, the military contains a lot of top secret information. So how does, say the U.S. Army, protect it? First, they classify what information needs to be protected. Next they find a piece of property that they can physically secure. Once the property has been thoroughly checked (no listening devices or mines buried in the ground) they construct a series of secure buildings to house the data. They then put up a fence with a limited number of gates with guard houses and guards to protect it. Then, most importantly, after certifying the security of the base, they use sentries to periodically patrol the perimeter of the grounds to ensure unauthorized access is not gained by spies sneaking in under the fence.

So what does this have to do with PCI compliance for SMBs? Well the process of PCI certification is similar to what a military branch would do to secure their information. Enterprises identify and classify what data falls under PCI compliance. They validate that the systems that contain the information are controlled properly and are locked down through processes and technologies. Then they build a fence of security around the systems to ensure only properly authorized personnel have access to them. Finally they certify that the protections meet PCI compliance requirements. But unlike the military, I theorize that a lot of SMBs, short on personnel and resources, quit here. In exploring the topic I’ve found that there’s an attitude by some executives that PCI compliance is a gate. Once SMB organizations achieve PCI compliance, some move on to the next pressing security problem. But this is the wrong attitude. Just as the military found out eons ago, they must be constantly on guard because spies are always looking for kinks in the defense perimeter in order to slip in and gain access to information without authorization.

It seems that SMBs are the most at risk of not having “guard patrols” constantly patrolling the perimeter due to the cost and resources needed to monitor and report on the security’s on-going effectiveness and the bad guys are now sneaking in stealing the very data they created these defenses to protect.

So what’s the warning? Whether you’re a SMB or Global Enterprise, PCI compliance is a gate, that’s pretty much a fact, but it can’t be left unguarded. Time, money and resources must be allocated on an on-going basis else the bad guys will sneak in undetected and you may find yourself making a breach disclosure that wasn’t detected until it was too late.

PCI compliance, building the base

Thu, 12 Jun 2008 07:54:22 +0000

Blogger: Randall Gamby

An alarming trend is beginning to surface within SMB ???PCI compliant??? companies, like Hannaford Brothers (http://www.networkworld.com/news/2008/031708-hannaford-data-breach.html), Okemo Mountain Resort (http://www.okemo.com/okemowinter/security_update.asp), etc. Credit data is being stolen! While this is exceedingly bad, I have a theory on why this is happening.

Before I get into my theory I???d first like to talk about military bases. As we all know, the military contains a lot of top secret information. So how does, say the U.S. Army, protect it? First, they classify what information needs to be protected. Next they find a piece of property that they can physically secure. Once the property has been thoroughly checked (no listening devices or mines buried in the ground) they construct a series of secure buildings to house the data. They then put up a fence with a limited number of gates with guard houses and guards to protect it. Then, most importantly, after certifying the security of the base, they use sentries to periodically patrol the perimeter of the grounds to ensure unauthorized access is not gained by spies sneaking in under the fence.

So what does this have to do with PCI compliance for SMBs? Well the process of PCI certification is similar to what a military branch would do to secure their information. Enterprises identify and classify what data falls under PCI compliance. They validate that the systems that contain the information are controlled properly and are locked down through processes and technologies. Then they build a fence of security around the systems to ensure only properly authorized personnel have access to them. Finally they certify that the protections meet PCI compliance requirements. But unlike the military, I theorize that a lot of SMBs, short on personnel and resources, quit here. In exploring the topic I???ve found that there???s an attitude by some executives that PCI compliance is a gate. Once SMB organizations achieve PCI compliance, some move on to the next pressing security problem. But this is the wrong attitude. Just as the military found out eons ago, they must be constantly on guard because spies are always looking for kinks in the defense perimeter in order to slip in and gain access to information without authorization.

It seems that SMBs are the most at risk of not having ???guard patrols??? constantly patrolling the perimeter due to the cost and resources needed to monitor and report on the security???s on-going effectiveness and the bad guys are now sneaking in stealing the very data they created these defenses to protect.

So what???s the warning? Whether you???re a SMB or Global Enterprise, PCI compliance is a gate, that???s pretty much a fact, but it can???t be left unguarded. Time, money and resources must be allocated on an on-going basis else the bad guys will sneak in undetected and you may find yourself making a breach disclosure that wasn???t detected until it was too late.

Paying Breach Bill May Not Buy Hannaford Full Data Protection

Mon, 28 Apr 2008 02:22:05 +0000

Hannaford Bros. is spending millions of dollars on IT security upgrades following the theft of up to 4.2 million payment card numbers from its systems. But it remains to be seen whether that will fully protect the grocer from future attacks.

Security upgrades may not buy Hannaford full data protection

Sun, 27 Apr 2008 20:00:00 +0000

Hannaford Bros.said last week that it expects to spend "millions" of dollars on IT security upgrades in response to the the recent theft of up to 4.2 million credit and debit card numbers from its...

Hundreds of WiseBuys customers are victims of credit card fraud

Sat, 26 Apr 2008 17:01:56 +0000

Technorati Tag: Security Breach

Date Reported:
4/24/08

Organization:
WiseBuys Stores, Inc.

Contractor/Consultant/Branch:
WiseBuys of Canton

WiseBuys Plaza, 5533 US Highway 11, Canton, NY 13617, 315.379.0456

Victims:
Customers

Number Affected:
"hundreds"

Types of Data:
"credit and debit card numbers"

Breach Description:
"Hundreds of credit and debit card numbers were stolen in December at the Canton Wisebuys store, according to Canton Village Police."

Reference URL:
Watertown Daily News
WWTI Channel 50 News
TWEAN News Channel of Syracuse

Report Credit:
WWTI Channel 50 News

Response:
From the online sources cited above:

CANTON — Police are investigating hundreds of reports of thefts of credit and debit card numbers belonging to customers who shopped at WiseBuys department store in December.

"We have had hundreds of victims and thousands of thefts. We have had amounts as high as $3,000 and as low as $10," said Sgt. Lori A. McDougal of the village police department. "I would say at this point they total upwards of $100,000."

Victims are all believed to have shopped at the Canton WiseBuys store between Dec. 5 and 20

Since then, stolen credit card numbers have been used to create fake cards in New York City.

The fraudulent cards were used to pay for taxi rides, to buy food at a Wendy's Restaurant and to make purchases at New York City drug stores and other locations.

"We had the New York City police call us about one of our cards that was picked up in a sting," said Scott A. Wilson, president and chief executive officer of SeaComm Federal Credit Union, which has a branch in Canton.

Complaints about the thefts began to come in early in March as victims received their monthly bank and credit card statements

"At this point we are not sure how the numbers were obtained. It may be an employee or it may be somebody who hacked into their system," Ms. McDougal said.

Hannaford Bros., which operates supermarkets in the Northeast including stores in Watertown and Massena, reported the theft of up to 4.2 million credit and debit card numbers from 300 of its stores in March.
[Evan] I think Watertown, NY is ~60 miles from Canton, and Massena is ~30 miles away.

It is unknown if there is any similarity between the Hannaford thefts and the WiseBuys thefts.
[Evan] I certainly don't know enough to speculate (but I will later ).

"We have people working on it," said Norman V. Garrelts, chief executive officer of Hacketts, which took over operation of WiseBuys after a November merger.

"We had no inkling it was going on. The police notified us," he said. "How anybody could have hacked into the system, I am not a big enough geek to know. It happened over a day or two."
[Evan] I think there are many organizations that have "no inkling". CEOs like Mr. Garrelts don't need to be "a big enough geek" to know how the companies they run are managing information security. CEOs are the ones that are ultimately responsible. Information security should be governed in such a way that it has visibility with the CEO. Information security is an organizational issue, NOT an IT (or geek) issue.

"We have rechecked all of our safeguards and everything seems to be in order," Mr. Garrelts said. "It should not have been able to happen."
[Evan] This incident is proof of the contrary. I agree that it should not have been able to happen, but it DID happen. The question is what is the "it"?

The Canton store was the only one in the WiseBuys and Hacketts chain that was affected by the number thefts. The stores use the credit card processing system used by nearly every True Value hardware store in the nation, Mr. Garrelts said.

WiseBuys changed its computer system in December and investigators are attempting to determine whether that was when the numbers were stolen

Village police have begun interviewing about 30 WiseBuys employees but so far have not identified any as suspects.

District Attorney Nicole M. Duvé, who learned of the thefts Thursday, said she takes the thefts seriously.

"This is starting to eat up a lot of law enforcement time and a lot of our time. I intend to take a very dim view of anybody caught doing it," she said.
[Evan] I wonder what the ultimate cost of incidents like this really is. Law enforcement time, employee time, bank and credit issuer time, victim time, actual fraud dollar amounts, prosecutorial time, etc. etc. It all ends up, and somebody has to pay for it all, right?

Debit and credit card issuers believed to have been affected by the thefts to date include Community Bank N.A., SeaComm Federal Credit Union, Key Bank, Discover Card, Capital One and NBT Bank, Ms. McDougal said.

"As far as I know, all of the banks have been cooperating with their customers and all have been reimbursed by their banks or credit card companies," she said.

"We have a zero loss policy," said Mr. Wilson, of SeaComm Federal in Massena. Under the policy, the credit union absorbs any losses caused by fraud.

In all, 42 credit union members were among those whose numbers were stolen. All were issued new numbers and cards.

Commentary:
I don't get a good feeling about this one. Too many unanswered questions. Nobody seems to know very much. There has been no official public response by WiseBuys.

NOT FACT, only speculation:
I like to speculate, so what the heck I'll throw something out there. I'm going to say that full magnetic stripe data was captured during data transmission and that this is not an inside job. I am also going to say that this was not related to the Hannaford breach. I didn't exactly go out on a limb with my speculation, but I did speculate nonetheless.

Past Breaches:
Unknown

Links for 2008-04-22 [del.icio.us]

Tue, 22 Apr 2008 20:00:00 +0000

Hannaford to spend 'millions' on IT security upgrades after breach

Tue, 22 Apr 2008 09:00:00 +0000

Officials at Hannaford Bros. said the grocer plans to install new intrusion-prevention systems and encryption-enabled checkout devices following the recent theft of up to 4.2 million payment card numbers from its network.

Hannaford vs TJX

Tue, 22 Apr 2008 01:13:00 +0000

Fun comparison here: "TJMaxx was not PCI compliant, and Hannaford was. Big deal, you say, we all know about compliance! It’s the “Gentleman’s C.” Absolutely. But Hannaford cared enough to make the effort, at least, and get in line with some basic good security practices."

Read on.

Q&A: Bob Russo talks about the PCI Council

Wed, 16 Apr 2008 07:16:23 +0000

Bob Russo, the general manager of the PCI Security Standards Council, spoke with Computerworld's Jaikumar Vijayan about the organization's current thinking on the PCI standard, what's changed since he took the helm in 2007, and what he makes so far of the Hannaford and Okemo Ski Resort data breaches.

RSA Impressions - 2: Compliance "Megatrends"

Tue, 08 Apr 2008 13:47:00 +0000

So, one more impression for today: I am sitting at BUS107 panel session titled "Compliance Megatrends: The Future of Information Security" and there is actually some interesting discussion going on. Here is my account of this session:

One person said that 'a common theme recently is that "those breached were compliant"' (meaning TJX and Hannaford). I question: is this really so? I think the truth is everybody, compliant or not, is 0wned, not that "those compliant are 0wned"
All panelists predicted that governments (US and European) will be influencing security more in the near future: more laws, more regulation, more enforcement (and that governments will do more to secure their own systems)
One person proclaimed that 'law enforcement model of security (detect->respond) doesn't work anymore', but said nothing about what comes next, instead, etc. I just hate empty posturing like that ... but wait! There is more from the posturing department: one more panel member said 'we need to not buy software products unless "absolutely secure".' Hellooooo, is anybody home? :-)
ISO27001 is hot. Really? A lot of people in the audience seemed to like ISO27001. So, is it enough to predict its takeoff in the US? Somehow I am still skeptical ...
GRC was mentioned... in passing. Everybody heard about it - and nobody cared. One person said "GRC... hmmm... so, how do you know you have it?' :-)
One more person said that "plausible deniability [about security] is dead" - companies cannot pretend that information security doesn't exist anymore ... Again, no matter how much we want this to be the case, is this really true? I think many smaller companies are kinda still in the same bin?
A bizarro opinion on PCI DSS was voiced by one panel member: she said that she dislikes PCI since it is "too prescriptive" and it got turned into a mindless checklist (losing the original intent of improving security). She also disliked that PCI compliance evaluation is bad: based on a "dumb" control checklist, not on measuring effectiveness of "meaningful controls." I think this is true to some extent; but I'd hate to blame it on PCI DSS standard itself.
Finally, panels' take on "What will happen in 5 years?" Their predictions: catastrophic events ("Estonia-like" - eeeeh, you mean somebody is fined $1642?), 'integrity of data' attacks which are "exceptionally scary" (data loss -> data change!), growth in data volume (huge!) with total lack of how to control it, increased dependency on the Internet - without a corresponding increase in security, SaaS and Web 2.0 will change security and so will virtualization (now, that's original :-))

So, it was all good fun!