BreachExchange mailing list archives

Re: rant: Abandon Ship! Data Loss Ahoy!


From: "Jamie C. Pole" <jpole () jcpa com>
Date: Wed, 19 Mar 2008 12:48:05 -0400

OMG!

After reading that update, I'm speechless.

Are we supposed to believe that in the midst of their corporate hara-kiri
preparations, Hannaford took the time to tell Rapid7 THAT IT WASN'T THEIR
FAULT?!?

Not too long ago, CD Universe was sued out of existence over less than
100,000 lost card numbers.  This loss is in the millions.  I'm sure their
FIRST concern was to tell Rapid7 that it wasn't their fault.  Having worked
on numerous high-profile incidents, I find it highly unlikely that Hannaford
is in any position to make such a statement.  Also, please explain exactly
how it is that credit card processing systems that would obviously be
covered by PCI requirements were not covered by the tool upon which
Hannaford's PCI compliance is based??  I believe the release contains the
following statement - "NeXpose will be used to scan devices in Hannaford's
networks and at point-of-sale in its 158 retail supermarkets and food and
drug stores, ensuring the protection of customers' credit card data and
other information."  Doesn't seem like it did that, does it?

I wonder what kind of back room deal led to that paragraph.  Free
license/support for a year?  I liked it better when Rapid7 took down any
mention of the relationship.  At least then they had some credibility left.
Now, any shred of credibility is gone.

As far as the NeXpose tool, it's obvious how well it's working - THE USER
GOT HACKED.

Unbelievable...

I'm gearing up to present a seminar on vulnerability management for some
Federal banking regulators.  You'd better believe this whole situation is
going to become a doozy of a case study.

Jamie



-----Original Message-----
From: Jackson, Ben (ITD) [mailto:Ben.Jackson () state ma us] 
Sent: Wednesday, March 19, 2008 12:26 PM
To: Jamie C. Pole; dataloss () attrition org
Subject: RE: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

A co-worker pointed out that they have updated their press release with
a general "not our fault!" text:

http://rapid7.com/docs/rapid7-hannaford.pdf


--
Ben Jackson - Sr. Security Engineer - Commonwealth of Massachusetts
ben.jackson () state ma us - +1-617-626-4575 (v) - +1-617-626-4459 (f)
"Security software is no replacement for secure software"

-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of Jamie C. Pole
Sent: Tuesday, March 18, 2008 9:57 PM
To: dataloss () attrition org
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!


Yup.  And does anyone doubt that a company using Qualys would be in the
same boat?

All of these vendors that sell non-functioning crapware are seriously
damaging the efficacy of online commerce moving forward.  They sell a  
false sense of security.  Nothing more.  PCI compliance in a box?   
Yeah, right...

Then again, Visa is also very much to blame.  Until Visa gets serious
about PCI compliance and starts certifying expert security
practitioners, rather than clueless companies with big checkbooks, this
is just going to keep happening over and over again.  Visa should be
paying expert security practitioners to do PCI compliance assessments,
rather than having the big consulting companies pay THEM for the
privilege of saying they are certified to conduct PCI assessments.

All of these automated vulnerability assessment processes achieve the  
same result - they identify only the lowest of the low-hanging fruit.   
Automated tools might identify the exposures that script kiddies are
looking for, but they most certainly can't identify the exposures that
motivated and competent hackers are looking for.  Show me an automated
tool that can identify vulnerabilities that are contingent on the
successful exploit of other vulnerabilities, and I just might change my
mind.  I'm not going to hold my breath, because companies are too
wrapped up in buying automated scans for $19.99 per host.  As we can
see, they always get exactly what they pay for.  What exactly do they
think they are buying??

What's even worse is that there are "security consultants" running
around telling the world that they base their entire vulnerability
assessment offering on some of these useless tools.

Oh, well...

Jamie



On Mar 18, 2008, at 8:53 PM, lyger wrote:


http://attrition.org/security/rant/z/rapid7.html

Tue Mar 18 16:10:57 EST 2008
d2d

You are a security vendor. You sell the mightiest security doohickey
the world has ever seen. It does it all, including "...ensuring your
network is safe from hackers..." and amazingly it "...scans for Web
site and database vulnerabilities that hackers can use to capture
credit card information without you being aware". Since your doohickey
does what no others have ever successfully managed to do, you can tout
your client list proudly, and pimp your customer implementations
liberally.

UNTIL...

One of your customers joins the etiolated top 10 with a massive hacker
perpetrated data loss incident.

OUCH.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () attrition org) 
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml




