May 17, 2008   Sign In |  About ebizQ |  Contact Us |  Join ebizQ Gold Club
Peter Schooff
Peter Twenty-Four Seven Security
 Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

« Is Outsourcing an IT Dream or Security Nightmare: a Talk With Ounce Labs | Main | SOA Adding to Application Insecurity »

April 25, 2008
How PC Compliant Companies Get Breached
Fight back against security threats by getting ebizQ's Security Update Newsletter delivered to your inbox. Sign-up here.

An interesting post over at Security Fix goes into detail on the recent Hannaford breach, from which 4.2 million credit and debit cards were stolen from store networks.

And what makes this story interesting is that Hannaford was no TJX, as in they weren't just leaving their data tucked behind the store sock display and in open site. In fact, Hannaford had been compliance certified in both 2007 and again in early 2008, but what that proves is PCI simply isn't extensive enough.

Simply put, PCI compliance is mostly written for e-tailers, and not for bricks and mortar type of business with most of their assets existing offline (which is a little harder to pin down with a simple software fix). As the perps haven't been caught yet (if someone calls up and tries to charge a Yacht on their credit card without even looking at it, call the authorities), experts are currently speculating that it was likely an inside job.

So how'd they do it? Most security defenses can be compared to a candy bar, i.e. crunchy on the outside, creamy and data richy in the center, and once the intruders gained access, it's easy for them to get around and do their damage, which in Hannaford's case enabled the infiltrators to install malware on the point-of-sale systems of 294 stores and simply collect all the credit and debit card number as each transaction was authorized (to listen to my podcast on this very subject, click right here).

How do you stop it? Network segmentation. Said Avivah Litan of Gartner Inc., "The PCI standards don't recognize that there's no good reason for a company's stores to be able to talk to one another when it comes to [processing] card data. The fact that malware was spread across almost 300 stores shows there wasn't good network segmentation in place at Hannaford."

For Hannaford, it's back to the security drawing board. They're putting military strength security in place, so the next time you accidentally find a stun-grenade in that bushel of apples you brought home from the supermarket, you know who to blame.

Posted by pschooff in |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/3390

Comments Post a comment




Remember Me?

(you may use HTML tags for style)

We ask that you type your code (displayed below) in the text box.This code is an image that cannot be read by a machine. It prevents automated programs from submitting comments.


Code:



Most Recent ebizQ Blog Entries
ADVERTISEMENT
Subscribe
News Feed
Recent Posts
Categories
Archives
Blog Roll
Blogosphere
This Work
Accountability:The opinions expressed in this blog are solely representative of the blog's author, and not of ebizQ
Subscribe to our Newsletters
ebizQ Weekly Gold Club Update
Live Webinar Updates
Updates from ebizQ Partners
ebizQ SOA Update
ebizQ BPM Update
ebizQ Security Update
ebizQ BI Update
ebizQ Open Source Software Update
Virtual Show Newsletter
ebizQ Web 2.0 and the Enterprise
Your E-mail Address:
PepsiAmericas: Realizing Real-Time Communication
a refreshing approach to ESB and data integration
Date: May 28, 2008
Time: 13:00 PM ET
(17:00 GMT)
REGISTER TODAY!
Accelerate Agility and Lower Costs by Virtualizing and Governing Your SOA
Date: May 29, 2008
Time: 12:00 PM ET
(16:00 GMT)
REGISTER TODAY!
Archived Webinars | Upcoming Webinars

Marketing Solutions | Feedback | About ebizQ | Unsubscribe | Privacy Policy | Site Map