A recent breach of a PayChoice Inc. server is evidence that organizations must provide overall controls, not just those targeting popular attack vectors.
Chris Wysopal, chief technology officer at application security vendor Veracode Inc., said the breach is interesting because it shows that hackers are looking for targets other than credit card numbers and social security numbers to steal.
“The market is saturated with [stolen] credit card data,” Wysopal said. A credit card record that was worth $10 in the underground in 2007 today can be had for about 50 cents, he said.
As a result cybercrooks looking to monetize what they are doing are moving up to higher value attacks where possible, he said.
In this case, the hackers appear to have been trying to install keystroke loggers to get information that would have allowed then to access online banking accounts of PayChoice’s customers, he said. “That is where they would have got tens of thousands of dollars,” had they been able to pull it off.
Source: Large online payroll service hacked, Jaikumar Vijayan, Computerworld, 1 October 2009
This is an example of why security professionals must continue to protect ALL sensitive information regardless of what pops up in the media. Overall protection requires continuous marketing by security for management buy-in at all levels.
Tom Olzak on Security 