Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target, PCI Auditor Trustwave Sued By Banks
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Mathew
Mathew,
User Rank: Apprentice
3/27/2014 | 7:12:18 AM
Should PCI auditors be prohibited from selling security services?
Interesting follow-on from the news of the lawsuit from Gartner analyst Avivah Litan, who says that while she thinks the PCI standard is good, the PCI enforcement process needs fixing.

Furthermore, she argues, assessors shouldn't be allowed to also sell security services to their clients: "Gartner has long argued that PCI qualified security assessors like Trustwave should not be allowed to sell remediation and ongoing security services as Trustwave did for Target, according to the lawsuit. This has the effect of potentially destroying the integrity and independence of the assessment process," she says in a blog post.
AccessServices
AccessServices,
User Rank: Apprentice
3/27/2014 | 6:49:54 AM
Compliance Does Not Mean Hack-Proof
I like PCI compliance.  It is a great fundamental step forard in security.  There is noting that says if you are compliant, you will not be breached.  Every company is different.  PCI DSS 3.0 12.2 says that companies have to implement a risk-assessment program.  Here is where the rubber really meets the road with security.  Each company needs to evaluate its own risks and respond.  I would recommend to Target and all other retailers that they demand that the card merchants provide boxes to process the card data so the retail network never sees the unencrypted card data.  The retailers would then shift the entire burden to the card merchants.

Jeff Jones

 
<<   <   Page 2 / 2


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-25936
PUBLISHED: 2023-01-30
Versions of the package servst before 2.0.3 are vulnerable to Directory Traversal due to improper sanitization of the filePath variable.
CVE-2022-25967
PUBLISHED: 2023-01-30
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.
CVE-2023-24622
PUBLISHED: 2023-01-30
isInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regular expression for external domains, leading to SSRF.
CVE-2023-24623
PUBLISHED: 2023-01-30
Paranoidhttp before 0.3.0 allows SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.
CVE-2022-48303
PUBLISHED: 2023-01-30
GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace c...