Monday, June 08, 2009

firewall-wizards Digest, Vol 38, Issue 1

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. found on the pentesters list; (R. DuFresne)


----------------------------------------------------------------------

Message: 1
Date: Thu, 4 Jun 2009 15:23:09 +0000 (UTC)
From: "R. DuFresne" <dufresne@sysinfo.com>
Subject: [fw-wiz] found on the pentesters list;
To: "'firewall-wizards@honor.icsalabs.com'"
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.64.0906041522180.6358@darkstar.sysinfo.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Seems relevant to recent discussions here;

- ---------- Forwarded message ----------
From: security curmudgeon <jericho@attrition.org>
Date: Jun 3, 2009 7:54 PM
Subject: [Dataloss] Merrick Bank v. Savvis: Analysis of the Merrick
Bank Complaint
To: dataloss-discuss@datalossdb.org, dataloss@datalossdb.org


http://infoseccompliance.com/2009/06/03/merrick-bank-v-savvis-analysis-of-the-merrick-bank-complaint/

Merrick Bank v. Savvis: Analysis of the Merrick Bank Complaint
Posted on June 3rd, 2009 by David Navetta

The Merrick Bank v. Savvis lawsuit has the potential to change the
liability dynamic of the PCI regulatory system. The Savvis case is one of
the first known instances of a payment card security assessor being sued
by a merchant bank (the merchant bank is a third party relative to the
Savvis-CardSystems relationship). The Merrick Bank complaint alleges
that it relied on Savvis' certification of CardSystems as Visa CISP
compliant (this matter pre-dated the PCI standard), and that certification
was false. After CardSystems suffered a breach exposing up to 40 million
payment card records, Merrick allegedly incurred $16 million in payments
to the card brands (which was ultimately transferred to issuing banks who
suffered losses arising out of the CardSystems breach).

If Savvis is held liable (or even if this case makes it past motion to
dismiss or a motion for summary judgment) it has the potential to
significantly modify the relative risk of PCI qualified security
assessors, and in turn modify the PCI regulatory scheme. This post
discusses the two theories of liability alleged by Merrick: (1)
negligence; and (2) negligent misrepresentation.

[..]

Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFKJ+bgst+vzJSwZikRAjeNAJ9c5X3tEqQfY7BaXI5T7SdpyJalMACcCHBz
v74EaCfeStiJ/cH5WF+kfG4=
=ESf9
-----END PGP SIGNATURE-----


------------------------------



End of firewall-wizards Digest, Vol 38, Issue 1
***********************************************