I have seen some people point out that the Hannaford CIO is pointing fingers at Microsoft. That is true, and he does not mince words about it. However, I do not think that detracts from his more important messages. First, he calls for an in-depth strategy and second he calls for end-to-end encryption. Both points are excellent advice, and the latter is why I have been working with the OASIS EKMI TC for several years — an extension of a project to build end-to-end encryption at West Marine back in 2004.

He finds particular fault in one aspect of the current PCI standard: “All debit- and credit-card transactions should be encrypted from end to end. That should be the minimum. It’s astonishing that isn’t the standard of PCI,” which only requires encryption when transmitting over a public network such as IP.

Right, although it requires encryption of the network as opposed to the card numbers themselves. The latter would be a more useful system as it would simplify internal monitoring for malicious traffic.

Homa’s key point is that most retailers handle security backwards: Don’t pour everything into protecting the front door. Assume they’ll get through and have a plan to control them once they’re inside.

[…]

Homa has his own strong security strategy, which seems to be a minority view. It’s futile, he said, to continually pour resources and time into securing the front door and windows of a house that is being relentlessly attacked by well-financed thieves with plenty of time. Instead of spending so much effort trying to keep the bad guys out, assume they’ll get in.

I do not think that is a minority view. That is the standard defense-in-depth approach and a best practice since the beginning of information security, let alone physical security.

The article really does not do Bill Homa any favors as it makes him look like he has gone off the handle about Microsoft. The author also points out that PCI auditors could be a risk too. All around pretty weak analysis, so probably not even worth a read, but I at least recognized that Homa has painted a picture of PCI security that many of us were advocating many years ago.

An amazing ststory has emerged in Canada where 35-year-old Timothy Moisan faced 14 years in jail for operating “a massive operation designed to steal people’s identities, con into their bank accounts, and steal their money”:

In the end, there’s no explanation about how the man behind one of the biggest identity theft rings ever in B.C. got off serving only six months plus a day. Critics say sentences like this will only bolster a growing epidemic.

Just the fact that the accused was in possession of “stacks of passports, driver’s licenses, and credit cards” as well as “reams of stolen mail” might suggest a significant penalty. Instead, he pleaded guilty and walked free, while thousands of people spend money and time to recover their stolen identity information.

The judge gave him a year in jail. But because he had spent six months in custody awaiting trial — time which is weighed twice because it’s before trial — he had effectively finished the sentence before it began.

Will Canada soon become a haven for ID theft operations? I wonder if someone could pursue Moisan under PIPEDA by complaining to the Office of the Privacy Commissioner of Canada, and then take him to Federal Court of Canada under section 14. Alternatively, perhaps he could be charged for each identity under Section 264. (1) of the Criminal Code for harassment, since it covers stealing mail and electronic identity theft. Maybe he already was charged and the judge really did not see any harm from ID theft…the kind of harm documented in the criminal code.

RedHat just announced a breach (RHSA-2008:0855-6):

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated
security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk

SSH was targeted by the attackers:

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html

Check your packages.