Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

MasterCard scandal: More details emerge
Silicon.com ^ | June 21, 2005 | Joris Evers

Posted on 06/21/2005 8:59:47 PM PDT by HAL9000

click here to read article


Navigation: use the links below to view more comments.
first previous 1-2021-4041-51 last
To: HAL9000

" That seems to be the case. The CardSystems employees were negligent and incompetent in choosing to deploy Microsoft products in their data center."

I disagree.

I'm not a big fan of Microsoft, but it's not any worse than anything else.

What I do for a living is to fly around, visit my customers, break into their applications, systems, and networks, and systems. The operating system it's self is only a small part of the total attackable surface area.

My understanding is that they knew where the problems were for a long time, knew how to fix them, and just plain old didn't apply the patches or make the configuration changes that they knew needed to be made.


41 posted on 06/23/2005 9:07:10 PM PDT by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 40 | View Replies]

To: adam_az; HAL9000

"What I do for a living is to fly around, visit my customers, break into their applications, systems, and networks, and systems. The operating system it's self is only a small part of the total attackable surface area."


Left out the part 'tell them what to fix to keep the bad guys out' :)


42 posted on 06/23/2005 9:08:48 PM PDT by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 41 | View Replies]

To: zeugma
No way to fully guard against brain dead users who write their password down though. Also, I'd like to look at it and see if it can be brute forced. People are really horrible about picking bad passwords. I have a program to keep track of the dozens of passwords I use regularly.

Okay...so if you don't write 'em down, how do you store the passwords for use? And don't tell me you remember dozens of randomly-generated passwords....

43 posted on 06/23/2005 9:11:52 PM PDT by paulat
[ Post Reply | Private Reply | To 30 | View Replies]

To: adam_az
Left out the part 'tell them what to fix to keep the bad guys out' :)

We'll have to disagree about whether Microsoft is the worst, but good luck to you white hat folks!

44 posted on 06/23/2005 9:19:34 PM PDT by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
[ Post Reply | Private Reply | To 42 | View Replies]

To: HAL9000

The reason I say that is because the OS is a tiny part of an enterprise security posture.


45 posted on 06/23/2005 9:23:41 PM PDT by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 44 | View Replies]

To: HAL9000
The probe also found that the Atlanta-based payment processor did not meet MasterCard's security regulations. CardSystems held onto records that it should have discarded, and it stored transaction data in unencrypted form...

Then why did they have the business? In other words, they outsourced the work and had absolutely zero control over how the transactions were being processed and how the data for same were stored. This mishap is  just the tip, tip, tip of the iceberg, just the tip.

46 posted on 06/23/2005 9:34:51 PM PDT by Chief_Joe (From where the sun now sits, I will fight on -FOREVER!!!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: paulat
Okay...so if you don't write 'em down, how do you store the passwords for use? And don't tell me you remember dozens of randomly-generated passwords....

Like I said in my previous message, I have a program that keeps track of all that stuff for me. I have a master passphrase that is used to unlock the datafile used for this program. My passphrase for this program is around 30 or so characters in length, with letters, numbers, and punctuation. You can think of it as one big lock to guard lots of little secrets. You'd be amazed at how fast you can type a phrase that you use regularly.

There are a number of programs that you can use for this, that will keep track of the website, username, password, and comments for any number of sites. One of the best for Windows users is Password Safe". On my Linux boxes, I use gpasman.

These programs will let you copy/paste passwords in such a way that you never actually see the password you are using. Pretty cool IMO.

NOTE: If you use one of these programs, DO NOT LOSE YOUR DATAFILE or the PASSPHRASE to unlock it or you are really screwed.

47 posted on 06/23/2005 10:37:16 PM PDT by zeugma (Democrats and muslims are varelse...)
[ Post Reply | Private Reply | To 43 | View Replies]

To: zeugma

Still doesn't answer my question...how can these programs "handle" your passwords when they are as hackable as anything else?


48 posted on 06/23/2005 10:46:13 PM PDT by paulat
[ Post Reply | Private Reply | To 47 | View Replies]

To: zeugma
Also...your words....

NOTE: If you use one of these programs, DO NOT LOSE YOUR DATAFILE or the PASSPHRASE to unlock it or you are really screwed.

So...what do you do...WRITE IT DOWN???

49 posted on 06/23/2005 10:47:51 PM PDT by paulat
[ Post Reply | Private Reply | To 47 | View Replies]

To: paulat
They are only hackable in the sense that any file can be brute forced. A file encrypted with 3des and a good key is as good a safe as anything you can imagine. To date there are no known attacks against 3des, blowfish, or the current AES standard. From what I've seen of the academic attacks, AES may well fall to cryptonalysis within 10 years, at least I wouldn't be suprised as some current lines of attack look promising.

I could send you a copy of my password database and it wouldn't do you any good at all. Now, if someone were to hack my system and install a keylogger, they could capture my passphrase and my data, but that is something that you can do nothing about. Sure, you run a hardware firewall, and don't open unneccesary ports, and check for trojans and the like, but someone could come up with a zero-day exploit that allows them to root your box and you are toast no matter what you do.

The most important thing IMO is to backup as often as you can, and be as careful as is reasonable. Don't log in as root or a user with "administrator" privileges. And never ever use IE to browse the internet. Windows users have a lot more stuff they need to have a box be reasonably safe like an additional software firewall, virus scanners and stuff.

My advise, if you're concerned about safety and security is to use Linux or get a MAC. You can never be completely safe and secure, but nothing else is either, so why should computers be any different?

50 posted on 06/24/2005 8:42:57 AM PDT by zeugma (Democrats and muslims are varelse...)
[ Post Reply | Private Reply | To 48 | View Replies]

To: paulat
So...what do you do...WRITE IT DOWN???

Many people actually do suggest that you write it down and put it in your wallet. Personally, I wouldn't do that. It's an important bit of information. Think about it and come up with something that is both memorable to you, and as hard as possible for someone else to guess. Wait a couple of days. If you can still remember it, use it. If not, come up with something else. Once you've got a good key, you can start using it. :-)

51 posted on 06/24/2005 9:07:58 AM PDT by zeugma (Democrats and muslims are varelse...)
[ Post Reply | Private Reply | To 49 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-51 last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson