Visa recently sent a confidential memo to selected business partners advising them of a potentially major security threat involving Fujitsu POS software.
We all know this because the memo was leaked to the Wall Street Journal, which prompted tons of media—including eWEEK, of course—to cover the story. The culprit seemed to be a tracer testing utility that Fujitsu provided to some customers, which apparently at least one customer continued to use in a live environment, which is a major security no-no. That parts old news. But what has gone on in the days since the memo leaked is sadly reminiscent of the old public security conundrum: the need to alert customers to a major security problem in as public and fast a way as possible, knowing that satanic evildoers—which could accurately describe criminal hackers intending to steal credit card information or my in-laws, but thats another column—will immediately try to take advantage of the security hole.
Most of the smarter bad guys know that they have an XX-hour (and often an XX-day) window after a major security hole is announced before most systems administrators will install the patch or make appropriate adjustments.
That forces companies like Visa—and, for that matter, almost every major software vendor—to play their game of risk/reward ratios: Will announcing this hole likely cause more harm or good?
As a compromise, many vendors have experimented with an in-between approach, whereby they reveal the information to a select group of partners/customers, the ones that will impact the most people and the ones that presumably have a good track record of keeping such information secret.
That seems to be what Visa has been trying to do. The problem: What to do when the secret memo becomes decidedly no longer secret. Should Visa throw up its mag-stripe hands and say, “Oh well. This stuff happens. Well now announce it to the world” or should it stick to its original script, hoping that no one notices what hundreds of newspapers, magazines and countless Web sites are reporting?
Visa has apparently opted for that latter scenario.
But wait, this gets better. In this memo, Visa talks about security problems and then mentions two specific Fujitsu products: RAFT and GlobalStore, according to the Journals March 17 story. (eWEEK has spoken with people on both the Visa and Fujitsu side, but has not reviewed the still humorously secret document.)
Fujitsu then steps to the podium and tells every reporter it can find that the memo was flawed, sort of. Ed Soladay, the COO for Fujitsu Transaction Solutions, said the Visa alert was “somewhat misleading” and “not fully correct.”
In recent days, Fujitsu people have been more explicit in saying that the memo was “wrong,” but thats not very meaningful unless they will say what specifically is wrong, which they wont.
Both Fujitsu and Visa people have said the two sides have been talking for weeks, and a Fujitsu person said Wednesday afternoon that nothing had been resolved. Fujitsu is hoping that Visa will issue a clarification statement.
Its almost impossible to comment on that without resorting to sarcasm, but lets just say that I expect to see that statement moments after the U.S. Senate bans all lobbyist campaign contributions.
Where does this all leave retail IT execs, whose business depends on the security of their POS applications? Visa has definitely forced them to be where they do not want to be.
Do they believe the relatively vague Visa advisory? Remember that the vast majority of them have never, ever seen the advisory, so they are forced to deal with vague partial reports of memos, which were apparently not overly specific in the first place.
What Retail IT Needs
to Do About This”> Forget about whether to believe the memo. Are retail IT execs forced to interpret the memo or the media reports referencing the memo?
Visa refuses to release the memo, nor will it describe or elaborate on its content. Most pointedly, they have refused to even offer advice to retail IT managers who are begging for some clarification. Based on the vague Visa data, what is a user supposed to think?
Now lets add the equally vague Fujitsu denials, saying that something in the secret advisory is “somewhat misleading” and “not fully correct.” Fujitsu also will not be more explicit.
Is a retail IT exec supposed to find Fujitsus protests credible? Maybe. Maybe not. There is far too little information from either side to make any kind of reasonable judgment.
I posed this conundrum late on Wednesday to Mark Rasch, who is one of the smartest security people I know, despite the fact that hes an attorney.
Although Raschs day job is serving as a senior VP for security vendor Solutionary, I first met him back in 1989 when he was a prosecutor for the U.S. Justice Department and I was covering his prosecution of Robert Tappen Morris, who is credited with having created the first wide-scale worm to disrupt the Internet.
I mention this to illustrate how little IT has changed in the roughly 17 years since that happened. Morris argued that he unleashed the worm to make systems administrators more aware of the security holes within Unix, so that they could be plugged.
That same thought process—that sometimes security holes must be made very public or no one will bother to fix them—still has some legitimacy today.
“The worst thing you can possibly do is to send out half an advisory,” Rasch said. “Theres a whole user community out there, and they need to be kept aware of what they need to do to remain secure.”
Ultimately, one of the most likely scenarios is that user apathy—in great part bred by these hard-to-act-on advisory rumors—will cause the “Boy Who Cried Wolf” problem. Thats where people stop acting on the memos at all.
Rasch points out that the Boy Who Cried Wolf scenario is already starting to play out. “A large number of retailers already ignore the valid memos,” he said. Thats because they typically “dont have the resources or the expertise to even do anything for the real and detailed advisories,” unlike “the vague advisories” in this case.
Will Visas alerts ultimately cause retailers to ignore even more security alerts, in the same way that the American public quickly stopped paying attention to the Homeland Security color-coded threat level advisories?
By the way, were still at a yellow elevated risk of terrorist attack. Anyone who thinks that the government will ever reduce it to guarded blue or—heaven forbid—low green needs to either read more or promise not to vote for awhile.
To be effective, security alerts need to be taken seriously. For that to happen, they need to be explicit and accurate, and they also need to include specific instructions telling IT want its supposed to do about this.
In the meantime, maybe Visa can start announcing that its gone to Code Blue PCI Security Level. Heck, its not like the government will be needing to use that color any time soon.
Evan Schuman is retail editor for Ziff Davis Internets Enterprise Edit group. He has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop anytime soon. He can be reached at [email protected]
Check out eWEEK.coms for the latest news, views and analysis on technologys impact on retail.