Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach

[Michael Graham <jmgraham () gmail com>]

PCI means well, and it's relevant (and sometimes useful) at the
smaller merchant levels because many of them will just ignore security
concerns otherwise, but it's _well_ past time that we in the security
profession stopped acting like PCI has anything to do with security
posture or risk exposure in large or high-volume companies.

Between the weak QSAs, the shoddy checklist audits, and especially the
fact that the standard is an attempt to apply security goalposts
without measuring the exposure delta in the environment, the whole
thing is absurd and more than a little infantile in almost any company
big enough to be a high-value target.

On Mon, Jul 27, 2009 at 2:26 PM, Paul Ferguson<fergdawgster () gmail com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> FYI,
>
> - - ferg
>
>
> - ---------- Forwarded message ----------
> From: security curmudgeon <jericho () attrition org>
> Date: Mon, Jul 27, 2009 at 10:35 AM
> Subject: [Dataloss] Network Solutions was PCI compliant before breach
> To: dataloss-discuss () datalossdb org, dataloss () datalossdb org
>
>
>
> http://www.scmagazineus.com/Network-Solutions-was-PCI-compliant-before-brea
> ch/article/140642/
>
> Network Solutions was PCI compliant before breach
> Angela Moscaritolo
> July 27, 2009
>
> Web hosting firm Network Solutions on Friday announced that, despite its
> being PCI compliant, a breach had compromised approximately 573,928
> individuals' credit card information.
>
> Network Solutions discovered unauthorized code on its servers used to
> support thousands of e-commence merchants' websites, Susan Wade, director
> of communications at Network Solutions told SCMagazineUS.com on Monday.
> The company determined that the unauthorized code may have been used by
> cybercriminals to capture transaction data, including customer names,
> addresses, and credit card numbers, and transfer it to servers outside of
> the company, she said.
>
> Approximately 4,343 e-commerce websites were affected by the breach.
> Network Solutions could not disclose which merchants were affected but
> said the victimized merchants sell a wide variety of merchandize and are
> primarily small businesses. The breach occurred from March 12 to June 8
> and the issue has since been mitigated, Network Solutions said.
>
> [..]
> _______________________________________________
> Dataloss Mailing List (dataloss () datalossdb org)
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.3 (Build 5003)
>
> wj8DBQFKbfFWq1pz9mNUZTMRAhWuAKDPtrA4pnasPZhYwjkFaGy8kM1rYgCfZpML
> czYn4K+Ij1sRJsWWu+Th7qg=
> =9uBg
> -----END PGP SIGNATURE-----
>
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawgster(at)gmail.com
>  ferg's tech blog: http://fergdawg.blogspot.com/
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.