
Software weakness could have been behind Hannaford data loss.

Fortify : 02 April, 2008 (Technical Article)

Server code vulnerability likely to have allowed unauthorised access to card-holder data in US supermarket breach, according to Fortify.

Fortify Software says the recent Hannaford supermarket data breach in the US, in which as many as 4.2 million customers' card details appear to have been downloaded, was almost certainly the result of malware that exploited a code flaw.

According to Brian Chess, Fortify's Founder and Chief Scientist, the uniformity of the breach suggests that the attackers were taking advantage of a software weakness.

'The fact that the servers in almost all of the stores were compromised makes it much more likely that the attackers found a vulnerability in a piece of code that was common to all of the servers and used malware to exploit the weakness,' he said.

'My guess is that hackers first broke into the internal corporate network, then did some basic network scanning to identify all of the target servers, then figured out that there was a vulnerability on some piece of code running on all of the machines,' he added.

'We see many organizations that are much more lax about internal systems,' explains Chess.

'What's interesting about the case is that newswire reports suggest the store chain was fully PCI compliant and, as such, is unlikely to have to pay fines under current PCI rules, unlike, for example, the TJX Group hack of last year,' Chess said. He added: 'The store chain had passed its PCI audit, but PCI takes a relaxed attitude towards internal machines.'

If you take a look at PCI DSS section 6.6, for example, says Chess, this requires companies to 'ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
· Having all custom application code reviewed for common vulnerabilities by an organization that specialises in application security, and
· Installing an application layer firewall in front of Web-facing applications.'

According to Chess, this means that Hannaford fulfilled section 6.6 by default so long as its Web applications were only for use inside the corporate network.

'PCI DSS is a lot like a fire code or a health code. It doesn't guarantee smooth sailing; it just helps people avoid repeating a lot of painful mistakes from the past,' he said.

As a result, Chess predicts that future versions of PCI DSS will drop the distinction between Web-facing software and internal software.