[AusNOG] Security for CC details of new signups
Sean K. Finn
sean.finn at ozservers.com.au
Tue Jul 6 10:13:43 EST 2010
Don't go down that path, publicly releasing details hasn't worked in the past for some. ;)
But seriously, +1 for PCI-DSS, make it mandatory.
And if they are storing data in /tmp, I'm telling you now it WILL get read and they WILL lose the data, it's a matter of when, not IF.
/tmp, /var/tmp and /dev/shm are the first 3 directories compromised on a *nix system.
I should know, I have to clean them up.
No matter how tight you think a system is, consider /tmp a world-public space.
S
-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of James Paussa
Sent: Tuesday, 6 July 2010 10:13 AM
To: Steve Skeevens
Cc: ausnog at ausnog.net
Subject: Re: [AusNOG] Security for CC details of new signups
Steve,
Make them aware of the problem. If they don't congratulate you and give
you a full time job for at least 6 figures it seems that the standard
operating procedure is to release the details publicly to teach them a
lesson.
</sarcasm>
James.
> Hi List,
>
> I've been doing some work on a client's network and I was wondering if their
> method of storing credit card numbers of newly registering users was BCP or
> not. Basically, what seems to be happening is the new user's details,
> including CC, get stored in a world-readable file in /tmp. I'm worried that
> this might be susceptible to being stolen and posted somewhere by a hacker.
> Does this seem well-founded to you or am I just paranoid?
>
> Regards,
> Steve
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>