RE: [NTSysADM] RE: 40 Million CC breach at Target....

[Ken Schaefer]

Chipping is something that a bank needs to do - not something Target can 
enforce - unless one wants to mount the argument that Target should decline all 
business from customers that have non-chip cards. That seems like a recipe for 
corporate suicide, and doesn't take into account online transactions.

Cheers
Ken

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jon Harris
Sent: Wednesday, 25 December 2013 2:07 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: 40 Million CC breach at Target....

I believe in the case of Target that cloning was thought to be what the 
attackers wanted to do or at least that was what appeared to be the target of 
their intrusion.  I believe the one of the articles I read indicated that all 
the information to clone was what was taken.  Chipping has been a long standing 
argument both pro and con by those in the financial industry here in the states 
for a couple of years I believe.  As Micheal has said (at one point) many 
companies here in the states do the minimum they have to until they have their 
ass bit by an attacker.  Unlike from my very short reading of news articles 
they don't face the same penalties that many companies do outside the country 
for lax security.

Personally in an ideal world hackers once identified would be tried and 
executed by a very painful method by a third party (one with no axe to grind 
something similar to what the Hague is supposed to do but only for criminals).

Jon

________________________________
From: k...@kj.net.au<mailto:k...@kj.net.au>
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] RE: 40 Million CC breach at Target....
Date: Tue, 24 Dec 2013 08:40:16 +0000
All credit cards have magnetic strips for backwards compatibility reasons (all 
of my CCs have chips - I have a dozen issued across three countries, and they 
all have both), but don't chips merely prevent cloning? It doesn't stop someone 
using them at a "card not present" sale (e.g. an online store).

Is it going to be adequate security; or is it going to be financially feasible 
security?

All security is risk management. You can avoid, accept, transfer or mitigate a 
risk - and which you choose comes down to a set of factors, including cost.

What's the difference between "adequate security" and "financially feasible 
security"? I've never heard this distinction between drawn before.

Cheers
Ken

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Tuesday, 24 December 2013 2:42 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: 40 Million CC breach at Target....

Re-read the information about the Target breach, and reconsider what I have 
said.  This would not effect people outside of the US that do not use credit  
cards with magnetic strips.
 Its not just a matter of reading the strip directly, but as well as the 
technology involved in how that information is further processed.
Ken, please pick a point are you going to choose to argue against/for: Is it 
going to be adequate security; or is it going to be financially feasible 
security?

--
Espi


On Mon, Dec 23, 2013 at 7:27 PM, Ken Schaefer 
<k...@kj.net.au<mailto:k...@kj.net.au>> wrote:
How do you know "they should not have happened"? Perfect security is, pretty 
much, impossible. So, statistically, there will always be some level of 
breaches occurring, including some level of severe breaches. How do you know we 
aren't at a level that makes monetary sense? Would you be prepared to, say, 
halve your income (because prices are double), simply to have 5% or 10% fewer 
security breaches?

I don't see how any recent serious breach is related to the use of magnetic 
stripe media or re-use of stolen phones, so I don't really understand what 
you're saying there.

Cheers
ken

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Micheal Espinola Jr
Sent: Tuesday, 24 December 2013 2:20 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>

Subject: Re: [NTSysADM] RE: 40 Million CC breach at Target....

I can only assume they dont, since historically (generally speaking) there have 
had serious breaches that should not have happened.  I've been involved with 
POS systems, banking systems, as well as various wifi-devices - and for years, 
there's been a lot of foolishness.  Business rarely does what it should - and 
instead only does what it has to, or can financially bet against.

  *   Banking: We (the US) still allow a system that relies heavily on magnetic 
strip media.
  *   Telco:  We (the US) still allow a system were cell phones can be stolen 
and reused.

--
Espi


On Mon, Dec 23, 2013 at 6:31 PM, Ken Schaefer 
<k...@kj.net.au<mailto:k...@kj.net.au>> wrote:
Your rant presupposes that there isn't "decent security" already in place. What 
evidence do you have that there isn't?

Cheers
Ken

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of J- P
Sent: Tuesday, 24 December 2013 12:43 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] RE: 40 Million CC breach at Target....

/rant on

I have one question that rings in the back of my mind, they  (banks creditors 
merchants etc..)  charge all sorts of fee's,
sometimes i'have heard of fees larger than a bill thats due-
Why cant they take a piece of that to get some decent security into place?

/rant off

Happy holidays and a prosperous new year to all










Jean-Paul Natola

________________________________
From: asbz...@gmail.com<mailto:asbz...@gmail.com>

Date: Mon, 23 Dec 2013 08:10:19 -0500
Subject: Re: [NTSysADM] RE: 40 Million CC breach at Target....
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
>>That's a pretty fair analogy - and both statements are true. On the
other hand, banking is much better understood - experience with
banking goes back hundreds of years, with concomitant expertise in
many fields in dealing with the risks in banking. The experience
around computing is much more shallow, and the risks are not as well
known, nor has nearly as much thought and practice gone into
mitigating them.


Okay, so how about when banking relies upon computing?  Which risk profile 
comes into play, then -- the hundreds of years, or the shallow years/decades?
Whether or not YOU use online banking, it is almost assured that your bank 
provides it and that others are aware of its existence.  Do you think that your 
bank is providing such a service without any reliance upon 3rd parties?  Do you 
think that because you aren't using the online services from your bank that 
your data would be unimpacted?
(Hint: I'm sure that some of the people impacted in the Target breach, as in 
the TJX breach before it, were *not* online users)

ASB
http://XeeMe.com/AndrewBaker<http://xeeme.com/AndrewBaker>
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...




On Sun, Dec 22, 2013 at 10:31 PM, Kurt Buff 
<kurt.b...@gmail.com<mailto:kurt.b...@gmail.com>> wrote:
On Sun, Dec 22, 2013 at 6:59 PM, Andrew S. Baker 
<asbz...@gmail.com<mailto:asbz...@gmail.com>> wrote:
>>>Amazon's cloud is external to its customers - Amazon's staff,
> procedures and infrastructure are a risk to its customers.
>
> That's as illogical a statement as the following:
> XYZ Bank's technology infrastructure is external to its customers - XYZ
> Bank's staff, procedures and infrastructure are a risk to its customers...

That's a pretty fair analogy - and both statements are true. On the
other hand, banking is much better understood - experience with
banking goes back hundreds of years, with concomitant expertise in
many fields in dealing with the risks in banking. The experience
around computing is much more shallow, and the risks are not as well
known, nor has nearly as much thought and practice gone into
mitigating them.

>>>Except when suborned or perverted by money, patriotism or blackmail:
> http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
>
> And how does you maintaining your infrastructure on-premises, but having to
> rely on 3rd party telecommunications mitigate the above risk in any way?
It's not just that specific incident - that's but one example, and in
this specific instance, there was no remedy - trusted parties were
subverted, and the same can happen in other fields. I'm not arguing
for perfection here - just a recognition that complexity brings risk,
and that keeping things simple and under more control is usually wise.

Indeed, for some businesses, especially small ones with no IT staff,
or very limited IT staff, going with a public cloud might make sense.
But if a business has good IT staff, I'd venture that migrating most
or all of their infrastructure to a public cloud isn't their best bet.

Kurt