[fw-wiz] Transitive Trust: 40 million credit cards hack'd

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 06/18/05

  • Next message: Vin McLellan: "[fw-wiz] Re: InfoSec's Waterloo and it's implications"
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 17 Jun 2005 21:25:24 -0400
    
    

    40M credit cards hacked
    Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards.
    http://money.cnn.com/2005/06/17/news/master_card/index.htm?cnn=yes

    This sounds like (yet another) classical example of "transitive trust gone wrong."
    Visa/MasterCard trusted a 3rd party to hold their data and - oops - the trust
    was misplaced.

    I figure Paul and I and the other "security graybeards" can let this kind of
    thing keep happening for a few months more and then we can start turning
    on the big, blinking neon lights that say "We Told You So." Transitive
    trust is a *HARD* problem in security. Always has been, always will be.
    But today's businesses convinced themselves that they could basically
    ignore it - mostly because the obvious stuff like patching and vulnerability
    management was more obvious and accessible.

    The shift away from mainframe computing to departmental and distributed
    in the 80's resulted in a massive dissemination of data. Instead of data
    being held in one place in the enterprise, it's available for anyone with a
    password who can open an SQL session and make a local table to
    play with in Excel/Access. So private and sensitive data was scattered
    to - essentially everyone with a password. Now that the horse has left
    the barn, and trotted a few miles down the road, a great deal of attention
    is being paid to the latch on the barn door. To make matters worse, the
    "permissive 90's" and the "outsourcing of 2001" dramatically expanded
    both the vulnerability footprint of most enterprises at the same time as
    their trust boundaries ballooned toward the effectively infinite.

    Here's a position to ponder: it's probably too late to secure enterprise
    data, in all practical senses of the term "secure." What's "Plan B"?
    Is there a "Plan B"?

    "We told you so."
    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
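The post's point that a data owner's real trust boundary is the transitive closure of every "we trust them" decision, not just the parties it chose directly, can be made concrete with a small graph model. The following is an added example, not code from the original message or the mailing list; every party name in it is constructed and hypothetical, and the edge relation ("X hands its data to Y") is a modelling assumption.

```python
# Added example: modelling transitive trust as a directed graph.
# An edge X -> Y means "X trusts Y with its data" (gives Y a copy or access).
# The effective trust boundary of an owner is everyone reachable from it,
# which is what "trust boundaries ballooning" looks like in practice.
from collections import deque

# Constructed trust graph with hypothetical party names (not the real
# parties in the article). Leaf nodes trust nobody further.
TRUST = {
    "card_network": {"payment_processor"},
    "payment_processor": {"hosting_vendor", "analytics_contractor"},
    "analytics_contractor": {"offshore_dev_shop"},
    "hosting_vendor": set(),
    "offshore_dev_shop": set(),
}


def effective_trust_boundary(graph, owner):
    """Return every party that transitively holds the owner's data,
    mapped to the chain of hand-offs by which the data reaches it."""
    paths = {}
    queue = deque([(owner, [owner])])
    seen = {owner}  # guards against cycles in the trust graph
    while queue:
        node, path = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                paths[nxt] = path + [nxt]
                queue.append((nxt, path + [nxt]))
    return paths


def implicit_trust(graph, owner):
    """Parties the owner never chose directly but which end up holding
    its data anyway: the part of the boundary nobody signed off on."""
    direct = graph.get(owner, set())
    return {
        party: chain
        for party, chain in effective_trust_boundary(graph, owner).items()
        if party not in direct
    }


if __name__ == "__main__":
    # Audit view: who holds card_network's data, and how it got there.
    for party, chain in implicit_trust(TRUST, "card_network").items():
        print(f"{party}: reached via {' -> '.join(chain)}")
```

Run as a script it lists, for the constructed graph, three parties the card network never contracted with but which sit inside its effective boundary, each with the hand-off chain that put them there. The same traversal over a real vendor and sub-processor inventory is the audit a data owner needs before deciding whether a "Plan B" such as minimizing what is shared in the first place is still available.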

