Security expert slams PCI auditing

Security expert slams PCI auditing
Security expert slams PCI auditing 

By Clement James
04 April 2008

A recent security breach at US supermarket chain Hannaford Bros was 
almost certainly the work of hackers exploiting a single code flaw on 
internal systems, experts say.

Hannaford Bros revealed last month that intruders had broken into its 
network and stolen the credit card details of some 4.2 million 

It is understood that the hackers managed to download card details after 
the cards had been swiped at the checkout and were in the process of 
being authorised.

Brian Chess, founder and chief scientist at security firm Fortify 
Software, claimed that the uniformity of the breach suggests that the 
attackers were taking advantage of a software weakness.

"The fact that the servers in almost all of the stores were compromised 
makes it much more likely that the attackers found a vulnerability in a 
piece of code that was common to all the servers and used malware to 
exploit the weakness," he said.

"My guess is that hackers first broke into the internal corporate 
network, then did some basic network scanning to identify all of the 
target servers.

"They then figured out that there was a vulnerability on some piece of 
code running on all of the machines. We see many organisations that are 
much more lax about internal systems."

Chess added that the interesting thing about the case is that Hannaford 
Bros is believed to be fully PCI compliant and, as such, is unlikely to 
have to pay fines under current PCI rules.

"The store chain had passed its PCI audit, but PCI takes a relaxed 
attitude towards internal machines," he said.

The security expert pointed out that PCI DSS section 6.6, for example, 
requires companies to "ensure that all web-facing applications are 
protected against known attacks by applying either of the following 
methods: having all custom application code reviewed for common 
vulnerabilities by an organisation that specialises in application 
security; and installing an application layer firewall in front of 
web-facing applications".

This means that Hannaford Bros fulfilled section 6.6 by default so long 
as its web applications were only for use inside the corporate network.

"PCI DSS is a lot like a fire code or a health code. It does not 
guarantee smooth sailing, it just helps people avoid repeating a lot of 
painful mistakes from the past," said Chess.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods