[AusNOG] Security for CC details of new signups

Sean K. Finn sean.finn at ozservers.com.au
Tue Jul 6 10:13:43 EST 2010


Don't go down that path, publicly releasing details hasn't worked in the past for some. ;)

But seriously, +1 for PCI-DSS, make it mandatory.

And if they are storing data in /tmp, I'm telling you now it WILL get read and they WILL lose the data. It's a matter of WHEN, not IF.

/tmp, /var/tmp and /dev/shm are the first three directories compromised on a *nix system.

I should know, I have to clean them up.

No matter how tight you think a system is, consider /tmp a world-public space.

S

-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of James Paussa
Sent: Tuesday, 6 July 2010 10:13 AM
To: Steve Skeevens
Cc: ausnog at ausnog.net
Subject: Re: [AusNOG] Security for CC details of new signups

Steve,
Make them aware of the problem. If they don't congratulate you and give
you a full time job for at least 6 figures it seems that the standard
operating procedure is to release the details publicly to teach them a
lesson.
</sarcasm>

James.

> Hi List,
>
> I've been doing some work on a client's network and I was wondering if
> their method of storing credit card numbers of newly registering users
> was BCP or not.  Basically, what seems to be happening is the new user's
> details, including CC, get stored in a world-readable file in /tmp.  I'm
> worried that this might be susceptible to being stolen and posted
> somewhere by a hacker.  Does this seem well-founded to you or am I just
> paranoid?
>
> Regards,
> Steve
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
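The situation the thread describes, a signup record written into a shared temp directory, next to a safer way of handling the same record. This is an added example and not code from any of the posters: the file names, the record layout, the `SHARED_TMP_DIRS` tuple and the card number 4111111111111111 (a standard test PAN) are constructed for illustration.

```python
"""Added example (not from the AusNOG thread): why a plain open() in /tmp ends up
world-readable, what a private alternative looks like, and a small audit that
finds files readable by 'other' under the shared scratch directories."""
import os
import stat
import tempfile

# The three shared, world-writable scratch directories named in the thread.
SHARED_TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, used to reject obvious non-PANs before masking."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; a truncated PAN is all a signup log needs."""
    if not luhn_ok(pan):
        raise ValueError("not a plausible card number")
    return "*" * (len(pan) - 4) + pan[-4:]


def write_signup_unsafe(record: str, dir_path: str = SHARED_TMP_DIRS[0],
                        name: str = "newsignups.txt") -> str:
    """The pattern from the thread: a fixed name in a shared tmp dir, created by
    plain open().  The mode is 0666 masked by the umask, so under the usual
    022 umask the file lands as 0644 and any local user can read it."""
    path = os.path.join(dir_path, name)
    with open(path, "w") as f:
        f.write(record)
    return path


def write_signup_private(record: str, base_dir: str) -> str:
    """Safer: an owner-only directory (0700) plus mkstemp, which creates the file
    with O_CREAT|O_EXCL and mode 0600 regardless of umask.  Pair it with
    mask_pan() so the full PAN never reaches disk in the first place."""
    os.makedirs(base_dir, mode=0o700, exist_ok=True)
    os.chmod(base_dir, 0o700)   # enforce even if the dir pre-existed with a looser mode
    fd, path = tempfile.mkstemp(prefix="signup-", suffix=".txt", dir=base_dir)
    with os.fdopen(fd, "w") as f:
        f.write(record)
    return path


def is_world_readable(path: str) -> bool:
    """True if the 'other' read bit is set (lstat: do not follow symlinks in /tmp)."""
    return bool(os.lstat(path).st_mode & stat.S_IROTH)


def audit_world_readable(dirs=SHARED_TMP_DIRS) -> list:
    """List regular files readable by 'other' under the given directories."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for root, _subdirs, files in os.walk(d):
            for fn in files:
                p = os.path.join(root, fn)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue        # vanished or unreadable entry; skip it
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                    hits.append(p)
    return hits


if __name__ == "__main__":
    # Constructed signup record; the card number is the standard Visa test PAN.
    record = "user=steve;card=" + mask_pan("4111111111111111") + "\n"
    private = write_signup_private(record, os.path.expanduser("~/.signup-spool"))
    print("wrote", private, "world-readable:", is_world_readable(private))
    for hit in audit_world_readable():
        print("world-readable in shared tmp:", hit)
```

Running the audit on a box you administer is the quickest way to confirm or refute the "consider /tmp a world-public space" point: anything it lists can be read by every local account and by any compromised service on the host. The private writer only narrows the window; the real fix the thread points at is PCI-DSS, meaning the full PAN is not written to a flat file at all.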

