* Posts by j33zO

6 publicly visible posts • joined 6 Aug 2010

Microsoft purges Windows of serious SSL vuln

Re: Hmm

I agree, we shouldn't be too hard on Microsoft, rushing this fix would have been a mistake. This vulnerability had serious implications for the standard, and required a renegotiation indication extension for TLS (RFC 5746). Not your everyday vuln...

Malware gang steal over £700K from one British bank

"Researchers at the M86's Security Labs came across the attack after discovering the botnet's command & control centre" - so the bank didn't detect it themselves??

Alleged ring leader extradited in $9.4m RBS WorldPay heist


still hazy

Not necessarily low-level technical detail, just "they used SQL injection" or "they exploited a vulnerability in an unpatched web service" or some other high-level explanation. The reason this would have been beneficial is it would have highlighted that RBS Worldpay were PCI compliant and still got hacked, hence industry standards such as PCI do not provide adequate security against intruders. But we cannot make that statement because all the articles say is "they exploited a vulnerability" which is like saying "the hackers hacked it". Also, the PIN numbers point does not add up either. How did they get the PIN numbers?? No one seems to be able to explain this one. If they did get them from inside the bank's network then either RBS Worldpay has broken every rule for storing or transmitting PIN numbers or the hackers worked out a way to break the encryption. Neither sounds all that likely.

"They allegedly exploited a vulnerability to break into the company's network, where they retrieved payment card data as it was being processed." --- 2 issues with this, firstly how did they break in? Surely RBS Worldpay are PCI compliant so they should have adequate security controls in place to protect against these kinds of attacks. If RBS Worldpay were PCI compliant and still got hacked, this places a big question mark over the worth and effectiveness of PCI compliance. Secondly, how did the intruders get the PIN numbers? PIN numbers are never (or at least should not be) stored or transmitted in clear text anywhere on a bank's network. So how did they obtain them?? All sounds a bit hazy on the details to me...

Botnet that pwned 100,000 UK PCs taken out



How come businesses are spending millions (billions??) on becoming PCI compliant to prevent fraud when it looks like they have a huge security hole, their customers! Shouldn't the banks and merchants be spending more money on educating their customers or developing a more secure means of online banking? Crims are going after end-points, that should be where the security budget should be spent, not on putting an IDS in place just to tick a compliance spreadsheet...