[WEB SECURITY] SSL does not = a secure website

Lyal Collins lyal.collins at key2it.com.au
Tue Mar 28 03:01:06 EST 2006

While this doesn't answer the question about incident data it may be
Requirement 3 goes on to specify encrypted databases, minimise the volume of
card data held among other things.
These 2 requirements mostly affect the theft of the physical storage media
since it's pretty difficult, imho to prevent a worstation user from
masquerading as an application call to the database/repository.
Multi-layer DMZ, with the DB in its own tightly limited access network
environment, and separation from app servers etc are also necessary.
And these sorts of requirement exists elsewhere in PCI - Section 1.3.5, and
section 2.2.1 for example
Requirement 4 addresses issues other than attack-based sniffing - e.g. proxy
servers that cache GET/POST request data, IDS's that log all packets for
post-incident analysis etc, and simple routing errors.
If servers and apps were strongly locked down, then attackers would focus on
the next weakest barrier in the security environment - and network sniffing,
and traffic redirection via ARP or DNS poisoning would probably be higher on
the list of threats 
So as I think about this question, it seems that PCI should be considered in
its entirety, not just single sections, when it comes to addressing risks.
Just a few random thoughts

-----Original Message-----
From: Ryan Barnett [mailto:rcbarnett at gmail.com] 
Sent: Tuesday, 28 March 2006 12:41 PM
To: Web Security; webappsec at securityfocus.com
Subject: [WEB SECURITY] SSL does not = a secure website

I need some feedback from the lists.  Does any have any verifiable proof
(new story, etc...) that documents where attackers successfully sniffed
Credit Card data off of the Internet for an eCommerce site???  Every story
that I have read about indicates that attackers mostly obtain this data by
breaking into the back-end DB to steal the CC data rather than sniffing.
Anyone with info to the contrary? 
While I believe that we would all agree that the use of SSL for eCommerce is
a good idea, I am interested in the actual THREAT.  It seems to me that the
real threat to CC data is a vulnerable webapp/backend and not the use of
SSL.  The PCI Data Security Standard document (
sp_PCI_Data_Security_Standard.pdf> ) lists this as Requirement 4 -

Protect Cardholder Data

Requirement 3: Protect stored data

Requirement 4: Encrypt transmission of cardholder data and sensitive
information across public networks

So, when an eCommerce website boasts "We are a secure website" - keep in
mind that they are referring to Requirement 4.  Who knows what they are
doing about Requirement 3... 

Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
Author: Preventing Web Attacks with Apache 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20060328/a2a467cd/attachment.html>

More information about the websecurity mailing list