Penetration Testing mailing list archives

RE: reporting a web site breach


From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Fri, 17 Oct 2008 14:07:16 -0500

As concerning as it is, I don't think you should jump to conclusions or
react without careful consideration first.

-  -----Original Message-----
-  From: listbounce () securityfocus com
-  [mailto:listbounce () securityfocus com] On Behalf Of David Glosser
-  Sent: Thursday, October 16, 2008 6:47 PM
-
-  More like if they process, transmit, or store Credit Card Numbers.
-  There are at least two problems Jason pointed out: 1) the credit card
-  numbers are stored unencrypted and 2) the CVV number is stored as
-  well.

How can you tell if the files are stored unencrypted?
I know of businesses where the drives are encrypted but decrypt for
anyone. As long as the file is encrypted and the key isn't stored on the
system, PCI basically doesn't care about anything else.

-  -----Original Message-----
-  From: listbounce () securityfocus com
-  [mailto:listbounce () securityfocus com] On Behalf Of acey deucey
-  Sent: Thursday, October 16, 2008 8:12 PM
-
-  I think Jason has done more than his duty. I second calling a
-  reporter. That will certainly get some attention. Hell, contact 10
-  reporters.

I suggest you give them a period to react.
If the company is a decent size you don't just shut down your money
stream because some random dude calls and tells them to.
And I certainly don't see why they would have the least bit of interest in
discussing their resolution with a non-employee.
