Casino Sues Security Firm For Failing To Contain Malware Infection (softpedia.com) 50
An anonymous reader writes: US casino chain Affinity Games is suing Trustwave Holdings, a cyber-security vendor that was brought in to investigate a card breach but failed to detect and stop a malware incident on Affinity's servers, which led to the escalation of a previous card breach. The casino chain noticed the sloppy job a few months later when it hired a penetration testing company to comply with new gaming regulation. Mandiant was brought in to mop up Trustwave's job later on. Affinity is now suing for $100,000 (or more) in damages.
So a Normal Business Matter (Score:3, Insightful)
This could read as:
Company hires accounting firm,
Company hires Auditing firm who notices accounting firms errors.
Company hires OTHER accounting firm to fix problems from first accounting firm.... sues 1st accounting firm for breach of contact.
How is this not business as normal?
Re: (Score:1)
It is the old "on a computer" fallacy. Everything is new again when it is done on a computer. Just look at how many patents are granted for things people have done for years but are new because they are on a computer or all the sky-high IPOs in the dot-com era or today.
Re: (Score:2)
It's more
Go to a doctor to cure your back pain.
Have another doctor examine your foot a few months later.
Sue the first doc for not finding the wart on your foot when he examined your back.
Re:So a Normal Business Matter (Score:5, Interesting)
No, no it isn't:
This really sounds like they hired Trustware, who did a half-assed job, and failed to look at things they had been contracted to look at.
So, take your pick: incompetence, laziness, or fraud.
Reminder.. (Score:5, Interesting)
>PCI (Payment Card Industry)-compliant servers
PCI-DSS, the security standards for payment processing have nothing to do with security. There is a veneer of 'we are doing this for security', but none of it makes sense. This is why we keep seeing PCI-DSS compliant systems getting hacked and revealing card and personal details by the million.
Re: (Score:2)
The PCI DSS is a set of basic set of system/network administration goals related to security. It means what it means. It doesn't mean that known vulnerabilities have been patched, or that specific security measures have been taken to secure card data. It does mean that system default passwords have been changed, that users have unique IDs, and that there is some kind of auditing going on.
It's a fair assessment IMO to say it's a "veneer" that is going to continue to allow giant breaches because it doesn't pr
Re: (Score:2)
about how little security it thinks
By "it" there I meant the credit card industry.
Re: (Score:2)
My family has a small business. But I have a day job as a security engineer. I design security circuits and work in cryptographic standards.
So I got exposed to the PCI-DSS specs when I was implementing the point of sale system for my family's business and many of their requirements ran counter to security. They should have concentrated on more specific details of how computers handle personal details and card details.
Re: (Score:2)
That is not true. PCI-DSS set a very low standard for security but the whole purpose is to establish minimum security controls.
The reason they keep getting hacked is, transaction data or credit related personal data is really valuable, and PCI-DSS sets such a low standard.
PCI and the card standards they set and the compliance they regulate is the direct cause of all the insecurity. It all happened on their watch.
Setting low standards isn't an excuse, it's the cause. It's their fault.
We would be better served if the job was handed over to IEEE. P802 got screwed the first time around when they asked the government for help and got given WEP by the NSA, but they wised up and have since proven capable of secure and implementable standards to sound engineering standards.
Re:So a Normal Business Matter (Score:4, Insightful)
Re: (Score:2)
If you want a medical world analogy for this case: 1. Guys gets shot with a shotgun.
I'm going to go with... 1. Guy gets sick. Hires doctor to find and fix all infections for a fixed pre-paid contract.
2. Doctor identifies invasive skin cancer and administers radiation therapy.
3. Apparent infection dies off.... All the visible anomalies are gone according to all analysis order... doctor pronounces Guy cured.
4. Guy show-up at Doctor2 a year later for a detailed scan.
5. Doctor2 identifies lung cancer
Re: (Score:2, Funny)
How is this not business as normal?
Normally, for a casino, they'd hire Guido and Luigi, who would solve problems in another way.
Re: (Score:2)
http://instantrimshot.com/inde... [instantrimshot.com]
AC will be here all week
PLEASE TRY THE FISH
Re: (Score:2)
Company hires accounting firm,
Malware detection and removal is not like accounting.
Malware can make itself undetectable and dormant for years, and then popup on command.
For example: there's no such thing as an antivirus with a 100% detection rate.
If any security firm is representing that they can make a 100% assurance that all malware is gone, not involving a rebuild or restore of system from backup, Or offline comparison against a gold image, then they are lying, and they deserve to get b
Only $100,000? (Score:1)
Sounds like they're just wanting the money they wasted on them back.
It's a gamble (Score:5, Insightful)
Hire the wrong security, and you might be wasting your money or even exacerbating the problem. The cheapest security is usually not the cheapest.
Re:It's a gamble (Score:5, Insightful)
Hey, it's entirely possible to be expensive and incompetent.
Lousy companies never cease to over-value their services.
Re:It's a gamble (Score:5, Funny)
You've worked with Oracle before I see.
Re: (Score:3)
That's unfair.
Everyone at Oracle is extremely competent. How else would they manage to so consistently screw people over?
Re: (Score:2)
Clearly someone has never worked with Oracle nor has met someone who has worked with Oracle.
Re:It's a gamble (Score:5, Interesting)
That is if you're actually interested in security. Most of the time companies are just interested in getting certified for compliance.
This is why there still are snake oil peddlers in this business. If all you're really interested in is a sheet of paper so you can get a contract, what you want is the auditor that tells you everything in your company is in a great security shape. Not that pesky one that would actually find something wrong with your security.
Re: (Score:2)
This is why SSAE 16 certification doesn't mean a lot to me. Having been through the certification process personally, I've seen firsthand a lot of crap signed off that shouldn't have been. Our "data center" was located in a suite in the office
Re: (Score:2)
will check that there is a documented process for security related changes, the fact that the process is actually implemented in practice is non important and they will never verify what you tell them to be actually true.
Well, it may be that they don't need to actually verify that what you say is true. If your company or an officer attests to a lie in an engagement with an auditor, then under federal law, there's a crime called fraud that it falls under, and I believe the risk of being prosecut
Re: (Score:2)
Security, nothing should be more secure than say elevator servicing but the cheapest elevator servicing contractors, go up there wipe over some fresh grease and leave, doing nothing else, good luck. Problem with private anything and lowest tenders is, highest profit means trying to get away with doing nothing and when caught blaming others for it. Trusted companies who do good work with high costs, no problem con artists come in with corrupt bank support, buy them out and turn them into cheating shit, infl
Re: (Score:3)
Hiring someone to do security after the fact is like hiring someone to fix a badly designed house. It's going to cost a fortune, and the design will still be bad.
At times like that, eat crow, and build a replacement product from the ground up, this time with security as part of the integral design from get-go. Yes, it will be expensive, but less so than re-occurring breaches.
Re: YOU created the mess in the first place (Score:3)
No, they hired a company to ferret out and fix their problems, paid a lot of cash for the service, and the company did a half-assed job.
Re: YOU created the mess in the first place (Score:4, Interesting)
No, they hired a company to ferret out and fix their problems, paid a lot of cash for the service, and the company did a half-assed job.
Yes, that is the second problem that's also the Casino's fault: They hired someone else (twice!) to fix a problem instead of pointing out the problems and then make the decisions themselves, whether it would be to paint over the flaws or replace a broken design from scratch.
Yes, the security company is at fault for not delivering what they signed up to deliver, but the Casino messed up several times.
A good king's ruling would be to award the Casino a payback in full, with interest, only to be paid once the casino has fully replaced the broken systems, and shown that they have processes in place to prevent insecure designs from being approved and implemented.
Re: (Score:2)
Most businesses don't develop their own software. it gets contracted out. in fact they may not even contract out the development but contract out the usage of an existing product. Combine with maybe a few custom overlays specific for their needs and they are done.
When we switched to a new ERP software a couple of years ago that is exactly what we did. the new vendor even supplies updates and upgrades as part of their maintenance and support contract. however I am currently stuck as the PCI-DSS complian
Re: (Score:2)
Doesn't PCI-DSS mandate retaining outside firms to do these audits? So the casino couldn't (legally) direct everything themselves, lest there be the appearance that they weren't letting the auditor work independently. It just demonstrates how PCI-DSS is less about security and more about theatrics and blame-passing.
From what I understand (which, granted, is based on summaries), the regulations try to prevent blame passing, by specifically making the company who brings in outside help responsible for what the outside companies do or don't do, no matter what contracts say. You cannot pass the buck, but you're certainly free to sue your contractors.
Re: (Score:2)
Doesn't PCI-DSS mandate retaining outside firms to do these audits?
PCI-DSS itself does not say who audits a company against the standard, But depending on transaction volumes and assessed risk, banks certainly will required that audits be conducted both internally and by an approved 3rd-party QSA.
Comments needed (Score:1)
Let's see what Trustwave has to say about this. If their lawyers will let them comment. And why not? About time "silence is deafening" becomes a legal deficiency.
Exactly what we need ... (Score:2)
... to fix security -- litigation.
Instead of shrugging our shoulders with the fail of, "Well, that's just the Internet," we need to identify the incompetent and make them pay.
Businesses are not motivated to give a shit unless there's financial gain or cost avoidance.
That's the ONLY reason businesses have fire extinguishers, sprinklers, smoke alarms and fire exits.
Re: (Score:3)
Yes..... Trustwave was initially being sued over the Target breach as well. Seems this is like Strike 2 for Trustwave.
I imagine that cases like this coming to the media must be quite damaging to their reputation, and they should want to avoid further occasions and settle it quickly.
At least get the name right (Score:2)
Is it too much to ask for the article, or Slashdot's editors, to get the name of the affected company correct? It says right at the top of the lawsuit that their name is Affinity Gaming, not Affinity Games.
I wonder (Score:2)