Category: News

It just goes to show, if you think you’re safe, you’re not. This time RedHat was hit:

http://blogs.zdnet.com/security/?p=1784&tag=nl.e550

This is pretty ugly since it involves the signing of certificates used to validate the RPM repositories and RPMs themselves. RedHat claims that the “passphrase“s for the certificates weren’t compromised, so no harm no foul. However it’s very concerning and in order to sufficiently mitigate may require manual intervention by all users or at least changes on all users’ systems.

The problem here is if RedHat is wrong, forged RPMs could be created that appear “valid” and in theory if installed could infect customer systems compromising binaries et al. It would take quite a bit of effort here, including getting the RPMs into the repositories without anyone noticing, but it is not out of the realm of possibility, particularly when you consider what this hack in itself says about security.

StorefrontBacktalk has a short but brilliant article with the former CIO, Bill Homa, of Hannaford grocery chain who suffered a major breach of credit card data:

http://storefrontbacktalk.com/story/071108homa

There are three particular points that stand out:

1. That Microsoft is still so hole ridden as to put your company at additional risk.
2. That PCI is still not sufficiently strong.
3. That a security posture based only on perimeter defense is ultimately fallacious.

In my experience PCI (also called CISP or PCI DSS) while certainly better than nothing, is still well below what is necessary to protect customer confidential data. Furthermore certain components of the credit card processing stream require less than ideal levels of encryption (I’m being generous here), providing simplified points of collection and attack for hackers (to note, there are plans to improve this).

In regards to depending on “perimeter defense”, this quote particularly stands out:

Most retailers have the philosophy of keeping people out of their network. It’s impossible to keep people out of your network. There are bad people out there. How do I limit the damage they can do? If you don’t do that, they’ll have free reign to do whatever they want.

However I hardly think this mentality is limited to retailers. In my discussions with numerous peers in the computing industry, many shops, large and small, retail or non-retail are inflicted with this mentality. In fact I would consider it pervasive – “keep the intruders out and you’ll be ok.”

But the honest truth is you can never keep them out and like a game of chess, everyday some new hole is found to subvert your external protections. Nor for that matter should you really trust your own employees, which are ultimately one of the largest sources of data compromise, and they are on the inside.

The answer is “defense in depth“, with layers of security, some strong, some weaker, some on perimeter, some on the host, some in the software tools themselves, but the sum total providing sufficient security for the value of the asset(s) being protected (based on “risk analysis“).

Until corporations start thinking this way, we can expect to see breaches like Hannaford’s continue for some time.