Pages

Tuesday, October 13, 2009

Challenges of PCI

An excellent article on Walmart's security woes and what steps they are taking. If you are familiar with PCI you will recognize it's effect on what Walmart is doing.

http://www.wired.com/threatlevel/2009/10/walmart-hack/

"Investigators found that the tool had been installed remotely by someone using a generic network administrator account. The intruder had reached the machine through a VPN account assigned to a former Wal-Mart worker in Canada, which administrators had failed to close after the worker left the company. The day the server crashed, the intruder had been connected to Wal-Mart’s network for about seven hours, originating from an IP address in Minsk, the documents show.

The security team disabled the compromised VPN account, but the intruder, who should have realized the jig was up, came back in through another account belonging to a different Canadian employee. When that VPN account was closed, the intruder grabbed yet a third account while Wal-Mart workers were still scrambling to get a fix on the scope of the breach.

When Wal-Mart reviewed its VPN logs, it found that the activity had begun at least as early as June 2005, according to memos written by Wal-Mart employees during the initial stage of the investigation. The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.

Wal-Mart declined to respond to questions about the initial date of the attack, the server logging or the conclusions it reached in its final report, which Wired.com has not seen.

Nonetheless, Wal-Mart’s security team was able to identify “over 800 machines that the attacker either tried to brute force or actually made a successful connection,” according to a Nov. 10, 2006 e-mail summarizing the early investigation."

Let's do a bit of analysis here. Mistakes were made and the innocent will be punished:
  1. Walmart failed to close old employee accounts. They should at least have the password age off.
  2. Walmart does not restrict traffic to specifc IP spaces. If they don't do business in Minsk they should not accept traffic from there. This is a hard assumption to make for a giant like Walmart but if you have a smaller company and you don't do business in Russia, Bulgaria, or China then setup your routers not to accept traffic from there.
  3. Why would you just log the unsuccessful attempts? These can indicate that you are being targeted but the paranoia should be on the SUCCESSFUL logons.
  4. No two factor auth for your VPN?

Obviously since I am outside the situation I don't get the big picture. But what I have listed are low hanging fruit on the tree.

No comments:

Post a Comment