Comments on: Hannaford Brothers hacked, but there’s a silver lining http://www.mckeay.net/2008/03/18/hannaford-brothers-hacked-but-theres-a-silver-lining/ The views of one man on security, privacy and anything else that catches his attention Sat, 11 Oct 2008 23:43:56 +0000 http://wordpress.org/?v=abc By: anonymous http://www.mckeay.net/2008/03/18/hannaford-brothers-hacked-but-theres-a-silver-lining/#comment-1454 anonymous Sat, 22 Mar 2008 22:48:50 +0000 http://www.mckeay.net/2008/03/18/hannaford-brothers-hacked-but-theres-a-silver-lining/#comment-1454 You bring up an interesting point. But that is only if the attackers got into a database at Hannaford. Since it was during the auth process, that seems highly unlikely - and what may have happened may be a sniffer in action. Sniffing just the initial part of the POS messages should give the account number and expiration date only with no names. Lets not give credit to Hannaford till we know what happened. But I do agree with your silver lining theory _if_ we can find store, that is! Check out my theory at http://securitycoin.blogspot.com/2008/03/hannaford-supermarkets.html You bring up an interesting point. But that is only if the attackers got into a database at Hannaford. Since it was during the auth process, that seems highly unlikely - and what may have happened may be a sniffer in action. Sniffing just the initial part of the POS messages should give the account number and expiration date only with no names. Lets not give credit to Hannaford till we know what happened. But I do agree with your silver lining theory _if_ we can find store, that is!

Check out my theory at http://securitycoin.blogspot.com/2008/03/hannaford-supermarkets.html

]]> By: Joshua Gruber http://www.mckeay.net/2008/03/18/hannaford-brothers-hacked-but-theres-a-silver-lining/#comment-1450 Joshua Gruber Sat, 22 Mar 2008 00:56:15 +0000 http://www.mckeay.net/2008/03/18/hannaford-brothers-hacked-but-theres-a-silver-lining/#comment-1450 This makes me sad in part because Hannafords makes a point of not forcing customers to join a club and give them loads of personal information to be tracked in order to get discounts. This makes me sad in part because Hannafords makes a point of not forcing customers to join a club and give them loads of personal information to be tracked in order to get discounts.

]]> By: The data breach that hit home — Security Bytes http://www.mckeay.net/2008/03/18/hannaford-brothers-hacked-but-theres-a-silver-lining/#comment-1426 The data breach that hit home — Security Bytes Thu, 20 Mar 2008 14:25:52 +0000 http://www.mckeay.net/2008/03/18/hannaford-brothers-hacked-but-theres-a-silver-lining/#comment-1426 [...] Security blogger Martin McKeay wrote of a silver lining in the Hannaford’s breach. [...] [...] Security blogger Martin McKeay wrote of a silver lining in the Hannaford’s breach. [...]

]]> By: David Navetta http://www.mckeay.net/2008/03/18/hannaford-brothers-hacked-but-theres-a-silver-lining/#comment-1408 David Navetta Tue, 18 Mar 2008 20:30:20 +0000 http://www.mckeay.net/2008/03/18/hannaford-brothers-hacked-but-theres-a-silver-lining/#comment-1408 This perfectly illustrates how the ambiguities of the PCI can get you into big trouble. The legal implications of giving a stamp of PCI approval based on a loose interpretation of PCI are enormous (you can read more here at my blog, I am an infosec attroney: http://infoseccompliance.blogspot.com/2008/02/legal-implications-risks-and-problems.html) Anyway, in this case if the ambiguity is in section 4.1 of the PCI Standard, which requires "Encrypt transmission of cardholder data across open, public networks" and also states "Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit" Examples are provided, the Internet, WiFI, global systems for mobile communications and GPRS. So the question is, does this include open "internal" networks of a merchant that may be "easy and common" for a hacker to intercept. If all of the supposition is true, it appears that Hannaford (or its Qualified Security Assessor) interpreted this to mean only "public" networks like the Internet... This perfectly illustrates how the ambiguities of the PCI can get you into big trouble. The legal implications of giving a stamp of PCI approval based on a loose interpretation of PCI are enormous (you can read more here at my blog, I am an infosec attroney: http://infoseccompliance.blogspot.com/2008/02/legal-implications-risks-and-problems.html)

Anyway, in this case if the ambiguity is in section 4.1 of the PCI Standard, which requires “Encrypt transmission of cardholder data across open, public networks” and also states “Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit”

Examples are provided, the Internet, WiFI, global systems for mobile communications and GPRS.

So the question is, does this include open “internal” networks of a merchant that may be “easy and common” for a hacker to intercept.

If all of the supposition is true, it appears that Hannaford (or its Qualified Security Assessor) interpreted this to mean only “public” networks like the Internet…

]]> By: Benjamin Wright http://www.mckeay.net/2008/03/18/hannaford-brothers-hacked-but-theres-a-silver-lining/#comment-1407 Benjamin Wright Tue, 18 Mar 2008 18:09:09 +0000 http://www.mckeay.net/2008/03/18/hannaford-brothers-hacked-but-theres-a-silver-lining/#comment-1407 Martin: Spectacular announcements about massive data security breaches do the public little good. The implication of these announcements is that some data (i.e., that which are the subject of the announcements) are more exposed than other data. As a practical matter that is false. All personally identifiable data are more or less exposed all the time. And successful exploitation of that data by an identity thief requires a lot of work and luck. Socially responsible data-holders should set a high threshold of proof before concluding that a <a href="http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html" rel="nofollow">"data security breach"</a> worthy of announcement has occurred for any given unit of data. (Data-holders should of course consult their attorneys.) Martin: Spectacular announcements about massive data security breaches do the public little good. The implication of these announcements is that some data (i.e., that which are the subject of the announcements) are more exposed than other data. As a practical matter that is false. All personally identifiable data are more or less exposed all the time. And successful exploitation of that data by an identity thief requires a lot of work and luck. Socially responsible data-holders should set a high threshold of proof before concluding that a “data security breach” worthy of announcement has occurred for any given unit of data. (Data-holders should of course consult their attorneys.)

]]> By: EJ http://www.mckeay.net/2008/03/18/hannaford-brothers-hacked-but-theres-a-silver-lining/#comment-1406 EJ Tue, 18 Mar 2008 17:46:57 +0000 http://www.mckeay.net/2008/03/18/hannaford-brothers-hacked-but-theres-a-silver-lining/#comment-1406 So I'm hoping that if they reported it on 2/27 then they had it all under control by then. I never typically shop at Hannaford's, but I stopped in March 7th to pick up a few sundries while out and about. Sounds like I dodged a bullet. And if the attackers are listening, I bough croûtons. ;) So I’m hoping that if they reported it on 2/27 then they had it all under control by then. I never typically shop at Hannaford’s, but I stopped in March 7th to pick up a few sundries while out and about. Sounds like I dodged a bullet.

And if the attackers are listening, I bough croûtons. ;)

]]>