Monday, April 07, 2008

Ira Winkler says 'No' to Hannaford Inside Job

Ira Winkler has refuted my comments about Hannaford being an inside job:

I can tell you first hand that a breach of that scope is very “relatively” easy to commit when there is a motivated attacker with the time available. Again, I have broken into many of the top companies in the world, always having tremendous success in relatively short periods of time.

Ira, what have you seen in terms of those companies that have submitted their PCI audit reports? Are they easier to break into? Harder? I am curious whether the PCI spec has helped or not. I have to believe that by its nature it has helped make systems more secure and harder to break into.

With regard to many servers being compromised, it sounds like the experts have not heard about automated attack tools. Nor have they considered that servers are generally installed identically throughout an organization, and that if you can compromise one of those systems, you can compromise many. Similarly, given that there tends to be password reuse, if you compromise the password on one server, you have compromised many servers. Similarly, if there are trust relationships between the systems, the compromise of one system actually compromises many systems.

I have seen, played with, and heard of automated attack tools - it's what the script kiddies and lazy grey or black hats use to accelerate the desired results. You can buy a great set on eBay now, and of course IRC is the Devil's playground, but I digress...

The PCI spec, which Hannaford said it had met, is designed to take care of the low-hanging fruit of a breach. Weak passwords, the lack of consistent, measured, or documented processes, and poor encryption are all targets the PCI spec is designed to mitigate, keeping us lazy wannabe hackers out of systems.
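The "compromise one, compromise many" argument quoted above, and the PCI-style control that blunts it, can be made concrete with a small blast-radius model. The following Python is an added illustration and is not part of the original post or of Ira Winkler's comment; the six-host inventory, its credential labels, and its trust edges are constructed for the example. Hosts that share a credential label are treated as sharing one admin password, and a trust edge means a session on one host can hop to the other. The defender's use is to compute how far a single compromised server would carry an attacker, and to see how much of that reach disappears once every host gets its own credentials.

```python
"""Blast-radius model: how one compromised server turns into many.

Constructed example data, not a real environment.
"""
from collections import deque

# Constructed inventory. "cred" is a label for the admin password in use on
# the host (same label == same password); "trusts" lists hosts that accept
# sessions from this one (e.g. a trust relationship or an authorised key).
HOSTS = {
    "web01": {"cred": "std-admin", "trusts": ["app01"]},
    "web02": {"cred": "std-admin", "trusts": ["app01"]},
    "app01": {"cred": "std-admin", "trusts": ["db01"]},
    "db01":  {"cred": "db-admin",  "trusts": []},
    "bak01": {"cred": "db-admin",  "trusts": []},
    "hr01":  {"cred": "hr-admin",  "trusts": []},
}


def blast_radius(hosts, start):
    """Return the set of hosts reachable from `start`, transitively, via a
    shared credential or a trust relationship. `start` is included."""
    by_cred = {}
    for name, host in hosts.items():
        by_cred.setdefault(host["cred"], set()).add(name)

    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        # Every host with the same password, plus every host that trusts us.
        reachable = by_cred[hosts[cur]["cred"]] | set(hosts[cur]["trusts"])
        for nxt in reachable - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen


def with_unique_credentials(hosts):
    """Copy of the inventory where every host has its own credential label,
    i.e. the 'no shared or default passwords' control applied. Trust edges
    are left untouched so their contribution stays visible."""
    return {
        name: {"cred": f"uniq-{name}", "trusts": list(host["trusts"])}
        for name, host in hosts.items()
    }


def worst_case(hosts):
    """(start host, reach) for the host whose compromise spreads furthest;
    a simple way to rank which shared credential to eliminate first."""
    radii = {name: len(blast_radius(hosts, name)) for name in hosts}
    start = max(radii, key=radii.get)
    return start, radii[start]


if __name__ == "__main__":
    for inventory, label in ((HOSTS, "shared passwords"),
                             (with_unique_credentials(HOSTS), "unique passwords")):
        start, reach = worst_case(inventory)
        print(f"{label}: compromising {start} reaches {reach} of {len(inventory)} hosts")
```

With the shared "std-admin" password, a foothold on web01 reaches five of the six hosts (the shared password gives web02 and app01, app01's trust gives db01, and db01's shared "db-admin" password gives bak01). With unique credentials the same foothold reaches only the three hosts linked by trust, which is what is left to fix with segmentation.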

Take a look at my other blog for more info on PCI...


Wednesday, April 02, 2008

Hannaford CEO Ron Hodge - Class Act

I just caught wind of the latest from Hannaford, and I hope Ron Hodge starts a trend among CEOs: accepting responsibility and dealing with a breach head-on.

Nice work Mr. Hodge!

Hannaford Bros. CEO offers apology online, in leaflets

Hannaford Bros. supermarket shoppers are getting an apology in their shopping bags for a security breach that was disclosed two weeks ago. Chief executive Ron Hodge sent a message to customers online and through leaflets left in grocery bags. In the note, he apologizes for the "concern and inconvenience" that was created when 4.2 million credit and debit cards were potentially compromised. At least 1,800 cases of fraud have been reported. He says Hannaford stopped the theft and brought in top security experts to help guard against any further attacks. He says the company is also considering, on a case-by-case basis, the out-of-pocket expenses faced by customers who had to cancel their cards. (AP)