Posted on 06/21/2005 8:59:47 PM PDT by HAL9000
I'm not blaming the firewall... I *am* blaming the operators... :-)
Sorry, but you can replace 'Microsoft operating systems' with Linux, Solaris, HP-UX, IRIX, AIX, FreeBSD, OpenBSD (barely! OpenBSD is pretty solid), MacOS, IPSO (barely!) and the statement would still be just as true. Again, they are all tools. In the hands of the proper craftsman (i.e., someone who knows how to secure them), they are fine. In the hands of a cluebie (majority of sysadmins/server admins/desktop admins/network admins) then you have what we've experienced for the last 10 years.
The big problem is that we as a society have been conditioned to be compliant with those who ask things of us (we give out info easily and freely).
It may seem as though there has been a rash of these kinds of incidents. In fact, the main driver behind it all is a law in California that mandates disclosure of such incidents. 3 years ago, an incident like that mentioned in the article would have been kept quite quiet. Neither you nor I would ever have heard of it.
On a side note, while any computer system is vulnerable to a degree, IMO, placing that kind of information on a W2K system with IIS 5.0 that is internet facing should make them criminally liable for extreme damages. Note that they don't mention how long this breach has been occurring.
Before anyone bashes MS or anyone else, CardSystems violated Visa/MC rules under their card holder security programs. They kept data on cardholders that they weren't allowed to keep or even see!
Their webserver is IIS on Win2k, which tells us nothing about the breach - I really, really doubt they had any of their payment systems running on their webserver, and nobody knows what they've got inside yet.
doh!
In the time of the "Wild West", a horse thief would be hung. The rationale being that if you stole a man's horse, you took away his ability to feed himself.
In this day and age, your credit is the way you feed, clothe, house, and get medical care (just the short list). So why aren't the bastards doing this hung? This is what the politicians need to address.
And for every instance of credit theft, the company that didn't take security seriously should have to pay $10,000 to each of the victims. Forty million customers x $10,000 = a whole lot of incentive to tighten up security.
In those days, to steal a man's horse was tantamount to killing him. To be without a horse in the expanse of the west was to be as good as dead. That's why horse thievery was a hanging offense.
I'd like to see grand theft auto held to a similar standard nowadays.
Also, what do you do about backing up your data? Another issue might be if there is anything that ties the drive to the motherboard. That would mean that if you fry the board, you lose your data that would otherwise be recoverable.
Good point. Agreed. If they are running it on their webserver though, they need to be boiled in oil! (slowly)
of course
Let's assume the HD is used in conjunction with a laptop that has a fingerprint scanner, like some IBM Thinkpads. What about that scenario?
That would be useful for the most part. If it were just a fingerprint scan, that would be less than optimal IMO, as they can be subverted (fairly easily from what I understand). I'm not really that familiar with the values returned by fingerprint scanners. If you could create a hash of the values, that would be a starting point to use as the basis of your crypto-key. You'd want a password too, even though users are stupid.
I'd be interested in seeing what different failure modes are like with these systems. For instance, let's say you have to replace the fingerprint scanner. Does it still return the same hash as the previous one? Suppose it is more sensitive than the previous model? Is it still the same? If not, then your data is even more vulnerable to hardware failure than it would ordinarily be.
I've used encrypted partitions from time to time. They can be useful if you understand their limitations. Do you really want to encrypt your programs and OS? On Windows, you're probably better off doing so, as your data is harder to separate from your programs in many cases than it is on Unix derivatives. If you encrypt all of the drive, do you take a performance hit? If so, is it acceptable?
There are really a lot of questions that surround such things, many of which are answerable on a case-by-case basis.
I don't know if anything MS was involved, but I for one don't want IIS 5 anywhere near my personal data. I might accept IIS 6 in a heavily locked-down configuration though.
"FYI - More wonderful publicity for Microsoft."
Having some inside knowledge about this, I can tell you that it was not the fault of any vendor in particular, it was the fault of the negligence and incompetence of their own employees.
"Before anyone bashes MS or anyone else, CardSystems violated Visa/MC rules under their card holder security programs."
Besides penetration testing, the consultancy I work for is also on the various credit card issuers' list of vendors who can perform regular security testing for their periodic compliance certifications.
We have yet to have one merchant pass the first time, and most fail the 2nd, 3rd and 4th time, too.
Here is a good rule of thumb: If it's something you don't want anyone else to ever know, make sure it's not stored in electronic format anywhere ever. Period.
"I don't know if anything MS was involved, but I for one don't want IIS 5 anywhere near my personal data. I might accept IIS 6 in a heavily locked-down configuration though."
If I were you I'd be more worried about bugs in web apps than in web servers.
It's often possible to steal everything from a database directly through the web app without ever compromising the web server itself.
That seems to be the case. The CardSystems employees were negligent and incompetent in choosing to deploy Microsoft products in their data center.
eEye Digital Security has announced that they are working on the problem.