Firewall Wizards mailing list archives
Transitive Trust: 40 million credit cards hack'd
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 17 Jun 2005 21:25:24 -0400
40M credit cards hacked
Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards.
http://money.cnn.com/2005/06/17/news/master_card/index.htm?cnn=yes

This sounds like (yet another) classical example of "transitive trust gone wrong." Visa/MasterCard trusted a 3rd party to hold their data and - oops - the trust was misplaced.

I figure Paul and I and the other "security graybeards" can let this kind of thing keep happening for a few months more and then we can start turning on the big, blinking neon lights that say "We Told You So."

Transitive trust is a *HARD* problem in security. Always has been, always will be. But today's businesses convinced themselves that they could basically ignore it - mostly because the obvious stuff like patching and vulnerability management was more obvious and accessible.

The shift away from mainframe computing to departmental and distributed in the 80's resulted in a massive dissemination of data. Instead of data being held in one place in the enterprise, it's available for anyone with a password who can open an SQL session and make a local table to play with in Excel/Access. So private and sensitive data was scattered to - essentially everyone with a password. Now that the horse has left the barn, and trotted a few miles down the road, a great deal of attention is being paid to the latch on the barn door.

To make matters worse, the "permissive 90's" and the "outsourcing of 2001" dramatically expanded both the vulnerability footprint of most enterprises at the same time as their trust boundaries ballooned toward the effectively infinite.

Here's a position to ponder: it's probably too late to secure enterprise data, in all practical senses of the term "secure." What's "Plan B"? Is there a "Plan B"?

"We told you so."

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards