[Dshield] Guidance Software hacked?

Frank Knobbe frank at knobbe.us
Fri Dec 23 17:09:10 GMT 2005


On Fri, 2005-12-23 at 16:15 +0000, Fergie wrote:
>  http://www.eweek.com/article2/0,1759,1904780,00.asp

"These concerns have become far more significant now, and card companies
have combined to require that vendors only keep certain information a
certain amount of time. But again, that's an adjustment [you have to
make] to the software. It seems to me the kind of thing that if it was
easy, everybody would do it.[...]"


I don't think it's a matter of ease, but a matter of cost. It will cost
real money to adjust programs and databases to remove/modify CC data
retained (like removing the CCV number from log records). Since it's a
financial burden, companies will try to avoid doing it. There needs to
be an adjustment of the risk level in the boardroom. That's done by
threatening huge civil, and perhaps also criminal, penalties on the CxO
level.

Perhaps people put too much emphasis on *protecting* data (regardless of
what it is) instead of determining if they indeed *need* to retain that
data. Reviewing ones network for PCI compliance is a good time to review
what data needs to be retained and which not. We have become a society
of data-gatherers since it may become viable to resell that data at some
time. We should stop gathering and only retain what we really need. If
we don't learn from lessons like EnCase, CardSystems, I'm not sure we'll
ever do.


aight, I'll stop now :)

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20051223/fcdee4cc/attachment.bin


More information about the list mailing list