Re: [fw-wiz] Transitive Trust: 40 million credit cards hack'd

From: George Capehart (capegeo_at_opengroup.org)
Date: 06/19/05

    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Sat, 18 Jun 2005 18:56:09 -0400
    
    

    Marcus J. Ranum wrote:
    > 40M credit cards hacked
    > Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards.
    > http://money.cnn.com/2005/06/17/news/master_card/index.htm?cnn=yes
    >
    > This sounds like (yet another) classical example of "transitive trust gone wrong."
    > Visa/MasterCard trusted a 3rd party to hold their data and - oops - the trust
    > was misplaced.
    >
    > I figure Paul and I and the other "security graybeards" can let this kind of
    > thing keep happening for a few months more and then we can start turning
    > on the big, blinking neon lights that say "We Told You So." Transitive
    > trust is a *HARD* problem in security. Always has been, always will be.
    > But today's businesses convinced themselves that they could basically
    > ignore it - mostly because the obvious stuff like patching and vulnerability
    > management was more obvious and accessible.
    >
    > The shift away from mainframe computing to departmental and distributed
    > in the 80's resulted in a massive dissemination of data. Instead of data
    > being held in one place in the enterprise, it's available for anyone with a
    > password who can open an SQL session and make a local table to
    > play with in Excel/Access. So private and sensitive data was scattered
    > to - essentially everyone with a password. Now that the horse has left
    > the barn, and trotted a few miles down the road, a great deal of attention
    > is being paid to the latch on the barn door. To make matters worse, the
    > "permissive 90's" and the "outsourcing of 2001" dramatically expanded
    > both the vulnerability footprint of most enterprises at the same time as
    > their trust boundaries ballooned toward the effectively infinite.
    >

    > Here's a position to ponder: it's probably too late to secure enterprise
    > data, in all practical senses of the term "secure." What's "Plan B"?
    > Is there a "Plan B"?
    >
    > "We told you so."

    Heh. Just wait until Web services get widely deployed . . . No one is
    even thinking multiple trust boundaries yet . . . much less how to make
    systems operate across them. All the lessons we learned from the DCE,
    CORBA, Kerberos, SESAME, et al. (about what happens when one crosses
    trust boundaries (*within* the organization) are about to be learned
    all over again, but with a much larger population . . . It's going to be
    a mess . . . And there will be no Plan B because no one has a clue what
    they're getting into . . . I gave a talk at OWASP last year that
    touched on this and, out of an audience of a couple of hundred people,
    only a handful showed that they'd understood the magnitude of the problem.

    Cheers,

    /g

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

