Todd Parker wrote:
> The dirty secret PCI is trying to hide is that much of the information
> flying on their clients' networks is cleartext. I've been inside some of
> those networks, and was appalled.
I have done incident response after breaches on a couple of very large e-tailers. I have found firewalls that allow everything outbound and most stuff inbound, Internet-facing Cisco devices with the login 'cisco cisco' still enabled on the device (I would bet that about 10% to 15% of all newer Cisco devices still have this default local login enabled!), I have found BIND 4.x name servers running on Internet-facing firewalls, and, like Todd, clear text everywhere, and on and on I could go.

PCI is a 110% joke. Security theater at its absolute complete worst!

Still worse, most auditors are clueless. They take the PCI auditing course and hang out their shingle as a PCI auditor. All they know how to do is to check the check boxes on the list. (I know of one organization that had a label "FIREWALL" covering the Dell logo on a server, and that got them an automatic check on the PCI audit for having a firewall.)

PCI DSS is a complete joke! There are even pen testing firms that will guarantee you a pass for PCI compliance. The whole process is pure security theater. It is sickening -- absolutely sickening.

At least, that is my $0.02 worth.

Jon K

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
http://www.linkedin.com/in/jonrkibler
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.