Posts by j33zO

6 publicly visible posts • joined 6 Aug 2010

Microsoft purges Windows of serious SSL vuln

j33zO

Re: Hmm

I agree, we shouldn't be too hard on Microsoft; rushing this fix would have been a mistake. This vulnerability had serious implications for the standard, and required a renegotiation indication extension for TLS (RFC 5746). Not your everyday vuln...

Malware gang steal over £700K from one British bank

j33zO

M86

"Researchers at the M86's Security Labs came across the attack after discovering the botnet's command & control centre" - so the bank didn't detect it themselves??

Alleged ring leader extradited in $9.4m RBS WorldPay heist

j33zO

still hazy

Not necessarily low-level technical detail, just "they used SQL injection" or "they exploited a vulnerability in an unpatched web service" or some other high-level explanation. The reason this would have been beneficial is that it would have highlighted that RBS WorldPay were PCI compliant and still got hacked, hence industry standards such as PCI do not provide adequate security against intruders. But we cannot make that statement because all the articles say is "they exploited a vulnerability", which is like saying "the hackers hacked it". Also, the PIN numbers point does not add up either. How did they get the PIN numbers?? No one seems to be able to explain this one. If they did get them from inside the bank's network then either RBS WorldPay has broken every rule for storing or transmitting PIN numbers or the hackers worked out a way to break the encryption. Neither sounds all that likely.

j33zO

eh??

"They allegedly exploited a vulnerability to break into the company's network, where they retrieved payment card data as it was being processed." - Two issues with this. Firstly, how did they break in? Surely RBS WorldPay are PCI compliant, so they should have adequate security controls in place to protect against these kinds of attacks. If RBS WorldPay were PCI compliant and still got hacked, this places a big question mark over the worth and effectiveness of PCI compliance. Secondly, how did the intruders get the PIN numbers? PIN numbers are never (or at least should not be) stored or transmitted in clear text anywhere on a bank's network. So how did they obtain them?? All sounds a bit hazy on the details to me...

Botnet that pwned 100,000 UK PCs taken out

j33zO

BotNits

How come businesses are spending millions (billions??) on becoming PCI compliant to prevent fraud when it looks like they have a huge security hole: their customers! Shouldn't the banks and merchants be spending more money on educating their customers or developing a more secure means of online banking? Crims are going after end-points; that should be where the security budget is spent, not on putting an IDS in place just to tick a compliance spreadsheet...