Monday 8 March 2010

Even Schneier agrees: “It’s all in the database”

It’s official -- credit card security is no longer simply about WWII-style “encryption” defenses, “it’s all in the database”. So says the information security industry’s “rock-star” Bruce Schneier. Bruce was being interviewed at this year’s RSA conference and was asked about confidence in online shopping now that some “doubts” have arisen over SSL encryption.

True to form, Schneier went straight to the heart of the matter stating that the problem is not about “eavesdropping” but rather it is about hacking the “endpoint”. It is clear that the database is the endpoint holding the potent information – including credit card information – and this remains the lucrative target for hacking.

Too many easy routes to the database exist – usually due to poor practice. Attackers who compromise databases get more than the data held inside. They get a completely privileged jump-off point, deep within the corporate network. This is what Heartland discovered – after 130 million card details left. I am sure that they would agree with Bruce that “It’s all in the database” – except when a complete copy has escaped!