funsec mailing list archives
Re: The PCI sky *isn't* falling!
From: Jon Kibler <Jon.Kibler () aset com>
Date: Mon, 23 Mar 2009 15:30:54 -0400
Todd Parker wrote:

> The dirty secret PCI is trying to hide is that much of the information flying on their clients' networks is cleartext. I've been inside some of those networks, and was appalled.
I have done incident response after breaches on a couple of very large e-tailers. I have found firewalls that allow everything outbound and most stuff inbound, Internet-facing Cisco devices with the login 'cisco cisco' still enabled on the device (I would bet that about 10% to 15% of all newer Cisco devices still have this default local login enabled!), BIND 4.x name servers running on Internet-facing firewalls, and, like Todd, cleartext everywhere, and on and on I could go.

PCI is a 110% joke. Security theater at its absolute complete worst!

Still worse, most auditors are clueless. They take the PCI auditing course and hang out their shingle as a PCI auditor. All they know how to do is check the check boxes on the list. (I know of one organization that had a label "FIREWALL" covering the Dell logo on a server, and that got them an automatic check on the PCI audit for having a firewall.)

PCI DSS is a complete joke! There are even pen testing firms that will guarantee you a pass for PCI compliance. The whole process is pure security theater. It is sickening -- absolutely sickening.

At least, that is my $0.02 worth.

Jon K

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler
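The "firewalls that allow everything outbound" finding above is the kind of thing a PCI checkbox audit misses but a rule-set review catches in seconds. The following is an added example, not code from the thread or from any of its participants: a small auditor for an `iptables-save` style dump that flags built-in filter chains whose default policy is ACCEPT and ACCEPT rules that carry no narrowing selector (no address, interface, port or connection-state match; a bare `-p tcp` is deliberately not counted as narrowing). The rule dump embedded in the block is constructed for illustration, not taken from any real host.

```python
"""Flag default-accept policies and unconditional ACCEPT rules in an
iptables-save dump. Added example; the sample dump below is constructed."""
from dataclasses import dataclass

# Constructed sample in iptables-save format (made up for this example).
# OUTPUT has an ACCEPT policy and no rules: everything outbound is allowed.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -p tcp -m tcp -j ACCEPT
COMMIT
"""

BUILTIN_CHAINS = ("INPUT", "OUTPUT", "FORWARD")

# Options whose presence narrows a rule. "-p" alone is excluded on purpose:
# "-p tcp -j ACCEPT" still admits every TCP connection.
RESTRICTING_OPTS = {"-i", "--in-interface", "-o", "--out-interface",
                    "--dport", "--dports", "--sport", "--sports",
                    "--ctstate", "--state", "--mac-source", "--uid-owner"}
ADDRESS_OPTS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}
ANY_ADDRESS = {"0.0.0.0/0", "0/0", "::/0", "any", "anywhere"}


@dataclass
class Rule:
    chain: str
    target: str
    restricted: bool   # True if at least one selector narrows the match
    text: str


def parse_rule(line):
    """Parse one '-A CHAIN ... -j TARGET' line."""
    tokens = line.split()
    chain = tokens[1]
    target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
    restricted = False
    for idx, tok in enumerate(tokens):
        if tok in RESTRICTING_OPTS:
            restricted = True
        elif tok in ADDRESS_OPTS and idx + 1 < len(tokens):
            # "-d 0.0.0.0/0" looks like a selector but matches everything.
            if tokens[idx + 1] not in ANY_ADDRESS:
                restricted = True
    return Rule(chain, target, restricted, line)


def parse_dump(dump):
    """Return (chain policies, rules) for the filter table only."""
    policies, rules, table = {}, [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule(line))
    return policies, rules


def audit(dump):
    """Return a list of human-readable findings; empty means nothing flagged."""
    policies, rules = parse_dump(dump)
    findings = []
    for chain in BUILTIN_CHAINS:
        if policies.get(chain) == "ACCEPT":
            findings.append(f"{chain}: default policy ACCEPT "
                            f"(traffic matching no rule is allowed)")
    for rule in rules:
        if rule.target == "ACCEPT" and not rule.restricted:
            findings.append(f"{rule.chain}: unconditional accept: {rule.text}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

Run it against `iptables-save` output from a real host (`iptables-save | python3 audit.py` with a small stdin wrapper) and anything it prints is a question for whoever signed off the firewall requirement. It only reads the filter table and does not follow user-defined chains, so a `-j CUSTOM` that ends in an unconditional ACCEPT would need the same check applied to that chain.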