The Last Watchdog

on Internet security by Byron Acohido

300 grocery store servers hacked

Posted on | March 28, 2008 | 2 comments

The Boston Globe has just reported that the Hannaford Brothers data breach came via malware installed on servers in each of the grocery store chain’s outlets.

Security Fix blogger Brian Krebs says this breach could presage a trend of bad guys targeting data while it is unencrypted and in transit across internal IT systems.
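To make Krebs's point concrete, here is an added example (not code from the post, from Hannaford, or from any payment system) of what a sniffer on a store LAN gets when card data crosses the wire in the clear, and what it gets once the PAN field is tokenized before transmission. The message format (`FIELD=value;...`), the shared key and the tokenization scheme are all assumptions made for illustration; the card numbers are well-known test numbers, not real accounts.

```python
import hashlib
import hmac
import re

# Constructed sample of plaintext authorization traffic on a store network.
# Assumption: a simple "FIELD=value;..." line format, not any real payment protocol.
# PANs are industry test numbers; the third one deliberately fails the Luhn check,
# and the PING line carries a 13-digit sequence number that is not a card.
PLAINTEXT_STREAM = (
    b"MSG=AUTH;PAN=4111111111111111;EXP=0910;AMT=42.17;TERM=LANE03\n"
    b"MSG=AUTH;PAN=5500000000000004;EXP=1211;AMT=118.50;TERM=LANE07\n"
    b"MSG=AUTH;PAN=4111111111111112;EXP=0111;AMT=9.99;TERM=LANE01\n"
    b"MSG=PING;SEQ=1234567890123;TERM=LANE02\n"
)

# Maximal runs of 13-19 digits: the length range of real card numbers.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum all, mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def harvest_pans(stream):
    """What an attacker sniffing the wire collects: every Luhn-valid digit run."""
    found = []
    for m in PAN_RE.finditer(stream):
        digits = m.group(1).decode()
        if luhn_ok(digits):  # filters out sequence numbers and typos
            found.append(digits)
    return found


# Assumption: a key shared only by the POS software and the payment gateway.
TOKEN_KEY = b"store-gateway-shared-secret"


def tokenize_pan_field(stream, key=TOKEN_KEY):
    """Replace PAN=<digits> with a keyed token before the message leaves the POS.

    The gateway, which holds the same key, can match the token against its own
    vault; a sniffer in between sees no card number at all.
    """
    def repl(m):
        tag = hmac.new(key, m.group(1), hashlib.sha256).hexdigest()[:24]
        return b"PAN=tok_" + tag.encode()
    return re.sub(rb"PAN=(\d{13,19})", repl, stream)


if __name__ == "__main__":
    print("cleartext wire:", harvest_pans(PLAINTEXT_STREAM))
    print("tokenized wire:", harvest_pans(tokenize_pan_field(PLAINTEXT_STREAM)))
```

The Luhn filter is what makes the harvest practical: an attacker does not need to understand the protocol, only to pull out digit runs that validate. The tokenized stream keeps every other field intact, so the rest of the store systems keep working while the one field worth stealing is gone from the wire.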

Fortify Software’s Brian Chess opines that it is “likely that the attackers found a vulnerability in a piece of code that was common to all of the servers. My guess is that they first broke into the internal corporate network, then did some basic network scanning to identify all of the target servers, then figured out that there was a vulnerability on some piece of code running on all of the machines.”
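The "basic network scanning" step Chess guesses at leaves a recognizable trace: one internal host opening connections to many different servers on the same port within a short window. Here is an added example (my own, not from the post or from any vendor) of a detector that flags that pattern in connection logs. The log format (`epoch src dst dport outcome`), the addresses, the 60-second window and the five-target threshold are all assumptions; the log lines are constructed for the example.

```python
from collections import defaultdict

# Constructed connection log. Assumption: "epoch src dst dport outcome" per line.
# 10.0.5.23 sweeps port 445 on eight store servers in eight seconds (the scan).
# 10.1.1.50/51 are lanes talking to their own store server; 10.1.1.10 talks to
# the gateway; 10.0.9.9 is a monitoring host that polls one server every ten
# minutes, which touches many hosts but not quickly.
FLOW_LOG = """\
1206700000 10.0.5.23 10.1.1.10 445 refused
1206700001 10.0.5.23 10.1.2.10 445 ok
1206700002 10.0.5.23 10.1.3.10 445 ok
1206700003 10.0.5.23 10.1.4.10 445 ok
1206700004 10.0.5.23 10.1.5.10 445 refused
1206700005 10.0.5.23 10.1.6.10 445 ok
1206700006 10.0.5.23 10.1.7.10 445 ok
1206700007 10.0.5.23 10.1.8.10 445 ok
1206700010 10.1.1.50 10.1.1.10 8443 ok
1206700011 10.1.1.51 10.1.1.10 8443 ok
1206700012 10.1.1.10 10.9.0.5 443 ok
1206700013 10.1.1.10 10.9.0.5 443 ok
1206700020 10.0.9.9 10.1.1.10 22 ok
1206700620 10.0.9.9 10.1.2.10 22 ok
1206701220 10.0.9.9 10.1.3.10 22 ok
1206701820 10.0.9.9 10.1.4.10 22 ok
1206702420 10.0.9.9 10.1.5.10 22 ok
1206703020 10.0.9.9 10.1.6.10 22 ok
"""


def parse_flows(text):
    """Parse log lines into (epoch, src, dst, dport, outcome) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, outcome = line.split()
        flows.append((int(ts), src, dst, int(dport), outcome))
    return flows


def detect_scanners(flows, window=60, min_targets=5):
    """Flag (src, dport) pairs that reach >= min_targets distinct hosts within
    any window of `window` seconds. Returns [(src, dport, peak_target_count)]."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, _outcome in flows:
        by_key[(src, dport)].append((ts, dst))

    alerts = []
    for (src, dport), events in by_key.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            # distinct destinations in the window starting at this event
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            alerts.append((src, dport, peak))
    return alerts


if __name__ == "__main__":
    for src, dport, n in detect_scanners(parse_flows(FLOW_LOG)):
        print(f"scan-like: {src} hit {n} hosts on port {dport} within 60s")
```

The window is the tuning knob: at 60 seconds only the fast sweep fires, while widening it to an hour also catches the monitoring host, which is a false positive here but is exactly the "low and slow" profile a patient intruder would use. Refused connections in the first and fifth lines are a second signal worth weighting, since legitimate clients rarely probe ports that are closed.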

Chess notes that section 6.6 of the PCI DSS calls only for “all web-facing applications” to be secured against breaches.

“PCI DSS is a lot like a fire code or a health code,” says Chess. “I will not be surprised if future versions of PCI DSS drop the distinction between web-facing software and internal software.”

Comments

  1. Why is the ratio of credit card numbers stolen vs. the 2,000 reported for fraudulent purchases so low?

  2. Byron: Legally speaking, we can’t expect the PCI to keep pace with the criminals. Therefore the legal system (Federal Trade Commission) is wrong to punish merchants like Hannaford and TJX for credit card break-ins. –Ben
