Angels of security » pci http://angelsofsecurity.com/blog Musings of an infosec renegade Tue, 02 Aug 2011 19:01:53 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 RAM skimmers http://angelsofsecurity.com/blog/2009/12/10/ram-skimmers/ http://angelsofsecurity.com/blog/2009/12/10/ram-skimmers/#comments Fri, 11 Dec 2009 03:26:53 +0000 admin http://angelsofsecurity.com/blog/?p=545 In Verizon Business’ most recent data breach investigation report they mentioned a new class of malware which I’d never heard of before but found interesting – RAM scrapers. The basic idea is that they grab data straight from RAM. Verizon goes on the conclude that the recent increase in the use of encryption and limitations on what data can be permanently stored (mostly thanks to PCI), scammers have had to start looking to other areas to gain access to unencrypted data. I guess this shouldn’t really surprise anyone too much – we already know that for every measure there is another countermeasure. This is also another good example of Shamir’s third law of cryptography – “Cryptography is typically bypassed, not penetrated”.

]]> http://angelsofsecurity.com/blog/2009/12/10/ram-skimmers/feed/ 0 TJ Maxx fires whistleblower http://angelsofsecurity.com/blog/2008/05/29/tj-maxx-fires-whistleblower/ http://angelsofsecurity.com/blog/2008/05/29/tj-maxx-fires-whistleblower/#comments Fri, 30 May 2008 02:47:05 +0000 admin http://angelsofsecurity.com/blog/2008/05/29/tj-maxx-fires-whistleblower/ A few other people have been all over this already, but TJ Maxx, victims of a rather large electronic break in a few years ago, has recently fired an employee for revealing many of their lax security policies. The issues he raised were not small ones either:

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards.

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers.

My store manager even posted the password and username on a post-it note.

Lest anyone think this employee started off on the wrong foot, he did try to tell management first, but to no avail. It was only afterwards that he mentioned these things in public. Now whether he should have done this or not is clearly a matter that could be the subject of much debate. The issue which I feel more strongly about is the way TJ Max responded.

Firing this employee is, in my opinion, the worst form of security-through-obscurity. Rather than realizing that lax policies lead to security problems, they think that it’s the revelation of lax policies that lead to security problems. A simple root cause analysis should reveal that it’s the policies, not their revelation, which is the source of security weaknesses, and it’s time for TJ Maxx to wake up.

]]> http://angelsofsecurity.com/blog/2008/05/29/tj-maxx-fires-whistleblower/feed/ 0