Comments on: Hacked Companies Hit by the Obvious in 2009

By: Wade

Wade — Fri, 30 Jul 2010 01:27:53 +0000

@T.Anne –

We included the bit about the non-compliant orgs being mostly level 1 to rule out the possibility of them being compliant through a self-assessment questionnaire. IOW, because they were L1 and therefore were validated through a QSA, the result is more interesting. We weren’t intending to suggest any correlation between merchant size and the likelihood of a breach or security posture.

I would say that, in general, lower merchant levels draw more opportunistic attacks (often related to POS configuration) while the bigger merchants and especially processors are more targeted.

Well-loved. Like or Dislike: 7 1

By: Wade

Wade — Fri, 30 Jul 2010 01:15:34 +0000

@Steve –

We’ll be doing some slicing of the data like this over the next few months. I’ll be sure to add this one to the list.

Like or Dislike: 2 2

By: DaveMich

DaveMich — Thu, 29 Jul 2010 18:04:23 +0000

“The study found a strong correlation between ‘minor’ policy violations and more serious abuse.”

I would just like to point out the similarity to that quote and the “Broken Window” theory cited as a factor in reducing crime in New York city. See wikipedia’s entry for that term for an introduction.

Like or Dislike: 4 1

By: T.Anne

T.Anne — Thu, 29 Jul 2010 15:14:59 +0000

One piece of information I was not sure if I misunderstood was in regards to their PCI findings… 79% of those breached were not compliant at their last assessment or never assessed – while 21% had been found compliant in their assessment (this isn’t to say they were compliant at time of breach – simply that they had passed their annual assessment). Out of that 21% apparently all but one of them were level 1 merchants. Now here’s where I’m not sure I’m understanding correctly – is this saying that the majority of other levels are breached because they do not take the time to be compliant while level one merchants (even if validated at a point in time) are higher targets and so the theives don’t mind spending more time getting through their security? And that perhaps the other levels are more of the opportunistic breaches vs targeted? And if that’s true, statistically speaking then, being compliant actually would take most other merchants out of the attack range wouldn’t it?

Like or Dislike: 2 1

By: Louis

Louis — Thu, 29 Jul 2010 14:40:25 +0000

Once again, my valuable time has been rewarded.

Most often than not, I browse the subject lines and end up reading your articles.

I too saw the Verizon report coming out and ignored it for the very reasons you mentioned in the beginning.

Your articles both enlightened me to the fact I should check it out and provided valuable analysis I was able to forward directly to colleagues whose immediate response was “Wow, thanks”…

Keep it up

Like or Dislike: 3 1

By: BrianKrebs

BrianKrebs — Thu, 29 Jul 2010 13:39:11 +0000

Thanks, David. I’m moving your comment over to the Mariposa botnet author story where I think this belongs

Like or Dislike: 2 1

By: David M

David M — Thu, 29 Jul 2010 13:36:01 +0000

This is great addition information you have addes to this story, I got a lighter less detailed version on anthoter tech site, I wonder thou Brian if this fellow has been doing freelance coding for other crime ware kits or on a per contract basis for other bot nets, I see some similarities in some of the Newer Zeus modules with a some what similar encrypted communications protocol, makes me wwonde rif there isn’t a coreelation..I hoe you keep uus updated as to any fruther developments Brian, I think there is a lot of good OSINT that could be gleaned from this.

Like or Dislike: 2 1

By: george

george — Thu, 29 Jul 2010 13:29:35 +0000

I have a bit of mixed feelings versus Sartin suggestion of going really fast through 500GB log files looking for changes in patterns. I do it as well (though generally not when searching security related logs) and is quite effective and a vast improvement over not looking at all at logs. Yet, is quite subjective and I noticed individual members’ of an admin team ability to spot changes in log patterns vary greatly and I think is just not enough a company should put in place to detect security breaches. “Complex” intrusion detection system might or might not be the answer either, I found the most effective way for an organization is to build own set of automated scripts, fully tailored, which automatically mask normal patterns and extracts area of interests from the logs for human deeper investigation.

Well-loved. Like or Dislike: 7 0

By: BrianKrebs

BrianKrebs — Thu, 29 Jul 2010 03:42:46 +0000

A little OT, but sweet nonetheless Thanks for the heads up, I had hadn’t seen that.

Like or Dislike: 3 1

By: BrianKrebs

BrianKrebs — Thu, 29 Jul 2010 03:41:28 +0000

Paul, I’m sorry you’re having problems. I’m going to guess you’re using…..Chome? Am I right? I’ve heard the same report from other Chrome users. Unfortunately, I don’t know what the answer is.

Like or Dislike: 4 1