Shostack + Friends Blog Archive


SANS Top 20 has competition!

SANS has just released their annual Top 20. I won’t bother linking to it — Google knows where to find it, and if you’re reading this blog, you probably do too.
Anyway, it seems like the SANS people have a bit of competition.
Check out this list [link to http://www.dmnews.com/cms/dm-news/legal-privacy/39056.html no longer works]:

  1. Failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable Web-based attacks, such as structured query language injection attacks;
  2. Failing to implement simple, low-cost, and readily available defenses to such attacks;
  3. Storing in clear, readable text network administrator credentials, such as user name and password, that facilitated access to credit card information stored on the network;
  4. Failing to use readily available security measures to monitor and limit access from the corporate network to the Internet; and
  5. Failing to employ measures to detect unauthorized access to consumers’ credit card information.

Ooops! My bad.
This isn’t a list of the top five security bonehead moves. This is a list of the things the Federal Trade Commission says Guidance Software did, resulting in the loss of thousands of customers’ credit card information, in violation of federal law.
Guidance, of course, are the makers of EnCase [http://www.encase.com/], the market-leading computer forensics tool. The company admits no wrongdoing [link to http://www.encase.com/downloads/Guidance_Software_FTC_Consent_Decree_Statement.pdf no longer works], and has entered a consent decree with the FTC.
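
Items 1 and 2 on that list are worth seeing side by side. The following is an added illustration, not code from the post or from the FTC filing: a login lookup that glues user input into SQL, the parameterized form that is the "simple, low-cost, readily available" defense, and a small self-check of the kind item 1 says was never done. The user table and credentials are constructed for the example.

```python
import sqlite3

# Constructed in-memory stand-in for a customer-facing login store.
# (Storing the password column in clear text is itself item 3 on the list;
# a real store keeps only a salted hash, omitted here to keep the focus on SQL.)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Item 1: string formatting lets whatever the client typed become part
    # of the statement, so input can rewrite the WHERE clause.
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None

def login_hardened(conn, username, password):
    # Item 2: the readily available defense. The driver ships the values
    # separately from the statement text, so they are compared as data and
    # never parsed as SQL, whatever characters they contain.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def assess(conn):
    # The assessment the complaint says was missing, in miniature: push the
    # textbook tautology through each code path and record which one lets a
    # caller with no valid password in. Returns {path: bypassed?}.
    payload = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "nobody", payload),
        "hardened": login_hardened(conn, "nobody", payload),
    }

if __name__ == "__main__":
    db = make_db()
    for path, bypassed in assess(db).items():
        print(f"{path}: {'BYPASSED' if bypassed else 'rejected'}")
```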

2 comments on "SANS Top 20 has competition!"

  • Rex says:

    Considering the amazing number of security breaches in (mostly government) computer networks handling our private information these days, it would be good to know the “top 5 bonehead” mistakes made. One I would consider (and touched upon in a recent article here) was made recently in Lubbock TX – having privacy information on a computer system that they had no need to have (SSNs of prospective employees). This information should have been collected later, and even then didn’t need to be on an exposed computer.
