>>>[....] It would not surprise me one jot if some company, somewhere, has
>>>had a real disaster with Windows servers that we've just not heard about.
>> We did hear about CardSystems in the press.
>It's not fair. The problem wasn't (at least directly) related to the OS.
>I saw lost data on Windows, OS/390, VMS. I saw root01 as "standard 
>password" for unix root (banking system!), but also IBMUSER with default 
>password and not revoked. Many other security holes also. Some of them 
>were deeeeeep holes.

The press reports indicated that one (or more) Microsoft Windows servers 
at CardSystems became infected by a worm which exploited a security 
vulnerability in the operating system.  The Windows servers were 
processing credit cards directly and/or had trusted access to an Oracle 
database that held credit card numbers.  The worm had network access to 
the public Internet to transmit its findings, which it did.

CardSystems discovered the compromised system(s) much later, after some 
tens of thousands of abused credit card numbers and millions of exposed 
numbers.  The company had a legal obligation in certain jurisdictions 
(e.g. California) to notify affected credit card holders, which it 
apparently did.  With the news made public, two credit card brands pulled 
their business from CardSystems almost immediately.  At the end of 2005 
another processor bought out CardSystems's remaining business at an 
undisclosed price, thus CardSystems as a separate entity no longer exists.

The short version is that a single Microsoft Windows worm functionally 
bankrupted a credit card processing company and cost the industry huge, 
ongoing sums.

Sounds pretty directly related to the OS, but I'm just going by what I 
read in the press.  (That's a quick summary of the press information.)  Do 
you have any more (or different) details than I read?  I'd appreciate 
hearing more because it will help other customers understand better how to 
prevent such incidents in the future.

As a reminder I am not speaking on behalf of my employer.

- - - - -
Timothy F. Sipples
Consulting Enterprise Software Architect
IBM Americas zSeries/z9 Software
Voice Messages: +1 312 529 1612
E-Mail: [EMAIL PROTECTED]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html