Penetration Testing mailing list archives
RE: reporting a web site breach
From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Fri, 17 Oct 2008 14:07:16 -0500
As concerning as it is, I don't think you should jump to conclusions or react without careful considerations first.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David Glosser
Sent: Thursday, October 16, 2008 6:47 PM

> More like if they process, transmit, or store Credit Cards Numbers.
> There are at least two problems Jason pointed out: 1) the credit card
> numbers are stored unencrypted and 2) the CVV number is stored as well.

How can you tell if the files are stored unencrypted? I know of businesses where the drives are encrypted but decrypt for anyone. As long as the file is encrypted and the key isn't stored on the system, PCI basically doesn't care about anything else.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of acey deucey
Sent: Thursday, October 16, 2008 8:12 PM

> I think Jason has done more than his duty. I second calling a
> reporter. That will certainly get some attention. Hell, contact 10
> reporters.

I suggest you give them a period to react. If the company is a decent size you don't just shut down your money stream because some random dude calls and tells them to. And I certainly don't see why they would have the least bit of interest in discussing their resolution with a non-employee.