I read and hear about security breaches almost every day, and I always ask myself the same question: "is security really that hard?".
Today I read two articles on the BBC website: one (BBC Article 1) is about yet more credit card numbers being lost, and the second (BBC Article 2) is about more UK government confidential documents being lost.
Cotton Traders have lost 38,000 credit card numbers through their website. No technical details of the breach have been given, but it's likely to be a SQL Injection attack. The article on the BBC doesn't give much information away. What it does give away is false information about the TK Maxx data breach in 2007: the article falsely stated that the TK Maxx breach occurred through their website.
TK Maxx (more precisely TJX) didn't lose their card numbers through their website. The breach occurred because someone noticed that the TK Maxx stores used WEP to protect their internal POS networks. Through war driving they cracked the WEP (not a highly technical hack) and went on to take close to 100 million card numbers over 18 months. For such a big news company I would have expected a more accurate report from the BBC.
Back to the original point, the Cotton Traders breach. Many sites are vulnerable to SQL Injection (again, this is based on my assumption), so only half a scowl for them on that. But cleartext card data, that's not really forgivable. If I were investigating the breach my two main questions would be 1) Did you need to store that data? and 2) Why didn't you store it securely (i.e. encryption)? I'm sure we will never publicly know these answers.
My last point on Cotton Traders is that the breach occurred in January, 6 months ago. The sooner we see more laws like California's SB 1386 the better! The public should be made aware sooner of such breaches; just think how many are probably going unreported.
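As an added example (not from the original post, and not Cotton Traders' code, whose breach details were never published), here are the two points above in working Python: a string-built query beside its parameterized form, and storing a masked number plus a keyed token instead of the cleartext card number. The customer names, the card numbers and the token key are constructed for the demonstration.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: these are well-known test card numbers, not real cards.
SAMPLE_CARDS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]

# Hypothetical server-side secret; in practice it would live in an HSM or secrets manager.
TOKEN_KEY = b"example-key-not-for-production"


def build_db():
    """Create an in-memory table holding the sample cards in cleartext,
    which is the storage pattern the post objects to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_CARDS)
    return conn


def lookup_vulnerable(conn, customer):
    """String-concatenated query: the customer value becomes part of the SQL text,
    so a value such as x' OR '1'='1 turns a one-row lookup into a full table dump."""
    sql = "SELECT customer, pan FROM cards WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer):
    """Parameterized query: the customer value is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT customer, pan FROM cards WHERE customer = ?", (customer,)
    ).fetchall()


def minimise_pan(pan):
    """Data minimisation: keep only a masked PAN for display plus a keyed token for
    matching repeat customers, so a leaked table contains no usable card numbers."""
    masked = "*" * (len(pan) - 4) + pan[-4:]
    token = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return masked, token


if __name__ == "__main__":
    db = build_db()
    print("safe lookup for alice:", lookup_safe(db, "alice"))
    print("vulnerable lookup with injected value:", lookup_vulnerable(db, "x' OR '1'='1"))
    print("safe lookup with the same value:", lookup_safe(db, "x' OR '1'='1"))
    print("stored instead of the cleartext PAN:", minimise_pan("4111111111111111"))
```

Running it shows the string-built query returning every row for the injected value while the parameterized query returns nothing, and that the stored representation keeps only the last four digits and an HMAC that cannot be reversed to the card number without the key.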
The second article focuses on the fact that the UK government has lost more information. This time a government official has left printed copies of Top Secret documents on Al Qaeda and the war in Iraq on a train. A police investigation is being conducted, and I'd suggest that some poor employee who may not have known better will be receiving their P45 soon. I could write all night about the potential problems that have occurred to cause this loss of data, but I won't!
At a recent Data Privacy seminar we were all unanimous in our fear of printed data. We can have all the latest and greatest firewalls, IPS/IDS, encryption etc., but once it's on paper, what can you do?
Dave