Re: Well I definitely feel safe now *hands over millions of credit card numbers*
[quote name="Tansin A. Darcos (TDARCOS)"]
[quote name="Entropy Stew"]
[quote name="Tansin A. Darcos (TDARCOS)"]The only reason places are having credit card compromization events is they fail to provide adequate safeguards.[/quote]
[quote name="Tansin A. Darcos (TDARCOS)"]The only reason places are having credit card compromization [sic] events is [b]because they fail to prevent them[/b].[/quote]
YOU DON'T SAY. Even when people encrypt the card numbers, they don't do it correctly
[/quote]

Jesus H. Christ on a crutch! If you do something incorrectly to start with, you end up with incorrect results. It just confirms what I said. Security is expensive and pure overhead, so it doesn't get the attention it needs. Too often security is nothing but lip service or pure theatre. Doing security right is expensive and isn't easy. Well, rather, it isn't easy when it's a bolt-on to something that wasn't designed to be secure in the first place.

We have viruses, worms, trojan horses, and malware sent around because Windows wasn't designed with security in the first place. I have heard that there never was a single successful compromise of the older Macintosh systems, OS 8, OS 9 or OS X; no published external exploit allowing someone to crack the box and get external control was ever shown. Or it may have been that the web server was never cracked, I forget which.

We have phishing e-mails and spamming because e-mail was designed in the days when everyone knew each other and the Internet wasn't very large. The protocols didn't have security built into them and now we are paying for it. There are things that can be done, but it either requires changing practices or bolting on security procedures. For example, one thing that's been reported that will cut off a lot of spam is to simply have mail servers issue a temporary fail the first time they get a HELO or EHLO request. Mail botnet systems have to send lots of mail and can't wait; they'll skip to the next place if they get an error message. A regular MTA will retry the HELO/EHLO.

Most customers do not need to send mail directly from their PCs. Fixing it so that, unless a customer enables it, they can't connect to port 21 on other systems except their ISP's mail server would eliminate indirect spam. Then throttling at their mail server - a user can't send more than maybe 3 e-mails a minute or 200 an hour - would cripple botnets that depend on having zombie PCs sending tens of thousands of messages an hour each. Throttle them down to 200 an hour and the capacity of a botnet goes down dramatically. But these are changes someone has to make the effort to try to fix.

[quote name="Entropy Stew"]half the time so as to make them undecryptable, or the key itself was exposed by the hack.[/quote]

Which is why I said that the database is encrypted; that way the professionals who design the database systems - IBM, Oracle etc. - have the proper encryption systems set up. Then you're also supposed to have the database queried inside the firewall, so the only thing the system accessible outside can access is a single record. Also, proper role models so that a particular application is simply prohibited from some activities.

[quote name="Entropy Stew"]PCI auditors are a godsend for this - I think I'll take their advice over the flaccid TDARCOS Generally Advised Security Model.[/quote]

And if you have security auditors and you get a compromise of data, it means one of two things. Your auditors are incompetent - and should be fired - or your software people are failing to follow the auditor's instructions - in which case they should either be retrained or fired. Does any place with competent security auditors and proper implementation of their instructions by competent programmers have data compromises? I think not.

But I also suspect the places that get these huge break-in failures either have no security audits - again, implementing security is pure overhead and if it doesn't have a champion it doesn't get the support it needs - or the people who are supposed to implement the recommendations don't implement them, possibly because of lack of budget or because management demands the new bells and whistles and fails to provide the resources necessary to provide the security enhancements. Or management talks about security - but keeps talking a lot more about how much money IT is spending and how it's not getting things done fast enough.
[/quote]
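The two anti-spam controls the quoted post describes, temporary-failing a client's first contact and capping how much mail one user can send per minute and per hour, are simple enough to simulate. The block below is an added example, not code from the thread or from any mail server. It keys the greylist on the connecting client address at greeting time, as the post describes (production greylisters such as Postgrey normally key on the client/sender/recipient triplet at RCPT time instead); the 60-second retry delay, the 6-hour expiry, the class names and the connection log are all constructed for the example.

```python
"""Simulation of greylisting and per-user outbound throttling (added example).

Assumptions (not from the thread): a retrying client is accepted once at
least GREYLIST_MIN_DELAY seconds have passed since its first attempt; a
client that never returns is forgotten after GREYLIST_MAX_AGE seconds.
"""
from collections import defaultdict, deque

GREYLIST_MIN_DELAY = 60        # assumed: seconds a client must wait before a retry is accepted
GREYLIST_MAX_AGE = 6 * 3600    # assumed: forget a client that never came back


class Greylister:
    """Temporary-fail the first contact from an unknown client, accept the retry."""

    def __init__(self, min_delay=GREYLIST_MIN_DELAY, max_age=GREYLIST_MAX_AGE):
        self.min_delay = min_delay
        self.max_age = max_age
        self.first_seen = {}       # client ip -> time of its first attempt
        self.whitelisted = set()   # clients that retried after the delay

    def decide(self, client_ip, now):
        """Return an SMTP-style reply code: 451 (try again later) or 250 (proceed)."""
        if client_ip in self.whitelisted:
            return 250
        first = self.first_seen.get(client_ip)
        if first is None or now - first > self.max_age:
            self.first_seen[client_ip] = now   # first contact (or a stale one): defer
            return 451
        if now - first >= self.min_delay:
            self.whitelisted.add(client_ip)    # a real MTA queued and retried
            return 250
        return 451                             # retried too quickly, still deferred


class OutboundThrottle:
    """Sliding-window caps per sending user: 3 a minute and 200 an hour by default."""

    def __init__(self, per_minute=3, per_hour=200):
        self.limits = ((60, per_minute), (3600, per_hour))
        self.sent = defaultdict(deque)   # user -> timestamps of accepted messages

    def allow(self, user, now):
        q = self.sent[user]
        for window, cap in self.limits:
            recent = sum(1 for t in q if now - t < window)
            if recent >= cap:
                return False                 # cap reached inside this window
        q.append(now)
        while q and now - q[0] >= 3600:      # keep only the last hour of history
            q.popleft()
        return True


# Constructed inbound connection log: (time in seconds, client ip, kind of sender)
INBOUND = [
    (0,    "203.0.113.7",  "bot"),   # bot: one attempt, never retries
    (0,    "198.51.100.4", "mta"),
    (30,   "198.51.100.4", "mta"),   # retried too early, still deferred
    (600,  "198.51.100.4", "mta"),   # normal queue retry, now accepted
    (1200, "198.51.100.4", "mta"),   # already whitelisted
]


def run_greylist(events=INBOUND):
    """Return (client, reply code) for each attempt in the log."""
    g = Greylister()
    return [(ip, g.decide(ip, t)) for t, ip, _ in events]


def run_throttle(user="zombie@example.net", attempts=600, interval=1,
                 per_minute=3, per_hour=200):
    """Count how many of `attempts` messages sent every `interval` seconds get through."""
    t = OutboundThrottle(per_minute, per_hour)
    return sum(1 for i in range(attempts) if t.allow(user, i * interval))


if __name__ == "__main__":
    for ip, code in run_greylist():
        print(f"{ip:15} -> {code}")
    print("zombie sending 1/s for 10 min, 3/min cap:", run_throttle(), "of 600 accepted")
    print("same zombie for 1 h with only the 200/h cap:",
          run_throttle(attempts=3600, per_minute=1000), "of 3600 accepted")
```

With the defaults a zombie pushing one message a second for ten minutes gets 30 through instead of 600, and with only the hourly cap in force exactly 200 of 3600 are accepted; the greylist defers the one-shot bot for good while the retrying MTA is accepted on its second proper retry.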