Re: [Fwd: [WEB SECURITY] TJX pwned via wifi]: msg#00019 security.wireless
On Monday 07 May 2007 at 06:32 -0500, d1n wrote:
> Most companies wait until it's too late and they never want to allocate
> enough funds for security. Then something like this happens and the
> damage is already done. Very sad and I feel bad for their customers.

The problem also lies in hardware. A few years ago (end of 2003, early 2004), I had to pentest two companies using wireless bar-code readers.

The first one was relying on 40-bit WEP with old pre-b frequency hopping (1-2Mbps) hardware. Non-upgradable. They had to renew their complete hardware base (readers+AP) in order to switch to WPA.

The second one had bar-code readers with a PCMCIA slot. The vendor was not supporting WPA; the best they could get was LEAP if they switched all PCMCIA Wi-Fi adapters to Cisco ones that were close to 200 USD each at that time.

Now, go tell these people who had invested a lot in their current infrastructure "hey guys, you have to renew everything because your security sucks". Even if security management agrees, the associated cost would eventually lead to a very simple risk management decision: "we'll take the risk". And sometimes some mitigation means relying on backend security architectures, mostly firewalls.

The problem is, when backend security architectures fail at preventing escalation, we get the TJX situation, that obviously failed at a lot more things than just not using WEP: lack of firewalling, lack of security patches and, most of all, no sensible data encryption...

BTW, thx to Richard, I'm lurking on IRC again ;)

-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
SyScan'07: 2 days of WiFi training and practice in Singapore
http://syscan.org/reg_training.html