[lug] Letting folks pay from the web.

Bear Giles bgiles at coyotesong.com
Tue Feb 2 14:49:48 MST 2010


On Tue, Feb 2, 2010 at 2:11 PM, Maxwell Spangler <maxlists at maxwellspangler.com> wrote:

> After doing such, we went to the web site of a company that does PCI
> compliance to perform a web-based self-assessment.  The website remotely
> did an nmap style scan of our IP address to determine if we had ports
> and services open and several firewalls I installed allowed us to pass
> that easily.  As Landon suggests above, other requirements were vague
> and not very challenging.  We answered a variety of questions like "What
> version of MICROS are you using" (which they verified was now secure),
> "Do you have firewalls on your network", and "Do you have anti-virus
> software installed."
>

Online merchants are easy.  It's a lot more extensive if you're dealing with
retailers and restaurants, esp. the national chains.  Think TJ Maxx with the
POS terminals, a couple systems supporting POS and inventory and a
printer/fax machine in the back.  Sounds simple but most of them had
insecure wifi setups and were compromised by somebody sitting in a car in
the parking lot.

E.g., I remember one question that came up recently was what to do about a
printer that was running an embedded version of (samba? cups?).  There was a
known vulnerability but the printer couldn't be updated.  Would they have to
replace the printer?  A compromised network printer is still attached to the
network and could be turned into a packet sniffer with the right software.