Monday, January 26, 2009

On Heartland II

More fun follow-up to Heartland breach coverage and analysis (Part 1 here), including exclusive coverage of Mike Rothman going insane :-)

  • "Will Heartland Become the Largest Data Breach in History?" reminds us about the breach notification laws (not mentioned so far!) – "Given the mandatory notification laws, which have been passed in almost all 50 states, this is going to equate to a lot of people that have to be notified. Simply stated, it's going to be a 'notification nightmare.'" He then sadly says "So far as PCI compliance — which now seems to have been proven ineffective in at least two instances"
  • A very good view from VeriSign called "PCI Compliant Companies Don't Suffer Breaches": they say that they "have NEVER concluded that an affected company was compliant at the time of a breach" (!) Think about it! It was always either due to changes after an audit or due to an “easygrader” (or even scammer) QSA. So, they continue: "Is there a problem with PCI? If there is one, the problem lies in the QSA community (or internal auditors that have not been through something like the CPISA training), not the standard itself." and "So, to recap, our experience shows companies that suffer a breach are not compliant with the entire standard at the time of the breach. We should refrain from saying that another PCI Compliant company was breached because the facts show that it just is not true."
  • Martin McKeay confirms here: "But my own experience is that you’re always going to find at least some portion of an enterprise that’s not compliant if you dig deep enough."
  • “SC Magazine” chimes in with “Is PCI working? Maybe, maybe not.” There is nothing truly stupid there, but they definitely try: “The Payment Card Industry Data Security Standard (PCI DSS) took a severe blow this week when leading payment processor Heartland Payment Systems announced it had been breached." They also have a few sensible comments like "Compliance is merely a snapshot in time. So if Heartland was deemed compliant last April, as it was, the company could’ve been way out of compliance by the time the hackers got it. Or maybe even as soon as the next day."
  • A fun one, from Heartland CEO via this "Heartland CEO Calls for Industry Cooperation to Fight Criminals": "Consumers will know if their card account numbers have been used by reviewing their monthly statements. Cardholders should report suspicious activity to their issuing banks (the bank that issued the card, not the card brand). If unauthorized use is confirmed, cardholders are reimbursed for the fraudulent purchases and are not held financially responsible." (Good idea, buddy! Let the consumers do the work!) and this chunk of hilarity: “For the past year, Carr has been a strong advocate for industry adoption of end-to-end encryption - which protects data at rest as well as data in motion - as an improved and safer standard of payments security.”
  • More anti-PCI rhetoric in "Heartland breach raises questions about PCI standard's effectiveness." It is definitely more fun [for them] to report that “something sucks”, compared to reporting that “something works.” A quote: "Billions is being spent on PCI compliance, but it isn't really working," says Gartner analyst Avivah Litan. "PCI's dirty little secret is that it doesn't mandate encryption inside a private network because then all the processors would have to encrypt." and "But some analysts say what is clear is that the Payment Card Industry data security standard that Visa and MasterCard require isn't sufficient to ensure cardholder data is safeguarded." (Really? They do say it is “not sufficient”… funny, eh? OF COURSE it is not! But that is not the point.)
  • "Lack of transparency on Heartland breach" reminds us about – oh, horror! – lawsuits: "Depending on the results of the on-going investigation, Heartland will face the threat of litigation from issuing banks, merchants and consumers, says Scott Vernick, an attorney with Fox Rothschild LLP in Philadelphia, who specializes in data breach cases" and then again idiotically beats on PCI: "The fact that Heartland's systems were certified as being fully in compliance with PCI standards underscores questions about the efficacy of the PCI rules."
  • Finally, a true shocker!! Mike Rothman apparently drank some vendor Kool-Aid and has gone insane. In his piece "The Increasing Irrelevance of PCI" Mike talks about PCI’s “major problem of relevance, given the second (that we know of) massive data breach on a PCI 'compliant' organization.” Mike then talks common sense for a second: “Sure the 12 requirements are a good start, but clearly they are not enough and the general consensus-based process of updating the requirements means PCI is always solving the attacks of 2 years ago.” Correct! He then correctly points out that, sadly, "most folks would look at the 12 requirements and figure that's all they needed to do." However, then insanity returns: "The Council needs to act quickly and decisively to stem the rising tide of irrelevance. Or else they'll need to acknowledge that PCI is the next HIPAA and organizations will continue to do the bare minimum to comply, while secretly snickering at the ridiculous hoops they have to jump through to little benefit." and even "So with each data breach PCI becomes weaker and weaker until it ends up similar to HIPAA. Unless something changes organizations will continue to pay lip service to it, customers won't trust it (to the degree they even know about it), and it becomes just another report that is generated out of the security reporting system, which is my definition of irrelevance."
  • UPDATE! Already responding to Mike, the post "PCI irrelevant? Or is it just us assessors?" reminds us that "In the case of Heartland, they had malware on a system that was passing around track data (at least according to the reports I've seen so far - maybe that's off base.) Is it a problem that that system was asserted to be compliant by a QSA?" [we are not even sure that the malware was there at the time, BTW, but I would NOT be shocked if it, in fact, WAS!] And then: "Will some of them [QSAs] rubber stamp your dog as being 'compliant'?" :-)
  • UPDATE! "Does the Heartland breach prove PCI useless?" is another pretty good look at the situation (their answer is: no) - "Should you blame Heartland, PCI regulation, or both? How about none of the above? [...] PCI compliance, much like the often preached Industry Best Practices of IT, amounts to nothing more than a simple list of baselines."

I am writing a longer analytical post, but for now, people, think about it for a second: there is NOTHING among the widely deployed, off-the-shelf security gear that will stop a hand-written piece of “application-aware” malware such as the one used in the Heartland hack (source: archetypical little birdie :-)). Why the f* (specifically) do people talk about “PCI FAIL” here? Admittedly, the “PCI FAIL” message comes mostly from the clueless mainstream press, but if you do security, think how YOU would stop custom malware in YOUR environment TODAY?

Dr Anton Chuvakin