Monthly Archives: August 2008

So, you saw the PCI 1.2 announcement?

Is anyone else still just wondering what exactly this means for your business? The summary does definitely answer a few questions, but I am wondering if someone was pressuring the council to release something, ANYTHING, about the new revision. One thing that concerns me as a QSA is the amount of variance that will be introduced in the interpretation of some of the clarifications. For example, right off the bat we see the opportunity for interpretation in the clarification under Requirement 1: "Added flexibility in the time frame for review of firewall rules, from quarterly to every 6 months, based on Participating Organization feedback. Now the control can be better customized to the organization's risk management policies." On the surface, ...


The Internet is falling down (falling down, falling down)!

Last month, we saw Kaminsky release details around a particularly nasty flaw in the DNS infrastructure. The tubes exploded with traffic on this flaw and security pundits beat their chests, telling the masses that they have been reporting this for years. Well, it’s a new month, and we have a new flaw. Slashdot has posted a story about a BGP flaw that has been around for years that could easily bring down major portions of the internet. Wired has an article here, and the PDF of the presentation by Kapela and Pilosov is here. I was a system and network administrator in a previous life (and to date have only had one system of mine EVER hacked… that pesky IMAP ...


The Blame Game

First off, I want to apologize for the lack of posting. Travel across the date line is one of those things that looks like a productivity enhancer, at FIRST. Then the realization slowly sets in. One of the articles I wanted to post on was Bill Homa (Edit: Sorry, got the spelling wrong!), the former CIO of Hannaford, who is changing his tune a little bit. Apparently, the PCI Standard is not his problem, but now he blames Microsoft for the breach that occurred on his watch. I don’t know if you are like me, but I can’t wait for the lawsuits to start flying so that all of the speculation on this incident can end. Legal discovery can be ...


Thank you SYDNEY!

No, not my niece, but the great city in Australia! I've finally made it back stateside. I'm a little tired, but more so when I start working through the email! Thanks to everyone who joined our event in Sydney! I hope to talk to you all in the coming months.


Thank you Brisbane & Melbourne!

We’ve been true road warriors this week, and so far have done briefings in Brisbane and Melbourne, Australia! We are heading back to Sydney tonight to do our last PCI briefing of the trip tomorrow. Thanks for the hospitality Brisbane & Melbourne! I look forward to seeing you again soon! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?


Where’s Brando? standard

Down Undero! Finally made it down here and nobody down here has said "G'day Mate!" or offered me shrimp on the barbie. So disappointed. Anyway... If you are in Sydney, shoot me an email and we'll do a pub crawl!


Timing is everything

So you all know (well the three of you that read this… Hi Mom!) that I am headed to Australia this week. I was doing my traditional pre-flight checklists to make sure that I had everything I needed before I started packing. Power converter? Check. Power supplies for devices? Check. Remove things that just add weight that you won’t need? Check. Log into my credit card account to make sure we’re good? DOH! My card has been compromised AGAIN! The DAY BEFORE I am headed to Oz. The new one is on its way (overnight now) but good gracious, talk about skidding across the finish line. Upside down. On fire. In eighteenth place. This is the only piece that annoys ...


August’s Herding Cats is now live! standard

Entitled "The Carl Method to Security," I compare CIOs to our lovable friend Carl Spackler when it comes to reacting to a breach. If you read this and don't believe me, just troll the news for recent CIOs responding to breaches. I don't need to make this stuff up; people do it quite nicely on their own. Just like that time I was in the Las Vegas airport and a TSA agent came over the PA and said, "To the person who left your dentures and hearing aid at the security checkpoint, if you can hear me, please return to claim your items." See? Don't need to make it up. Anyway, go check it out!


Low Tech Security System Hacking

When I was flipping through some RSS feeds and saw this fantastic post from Gizmodo, I HAD to bring it here for discussion. Now keep in mind, this is a photographer's artistic work, but it sure does open the door to other low tech ways to subvert security systems. One of my personal favorites is the MacGyver style (sans chewing gum and dental floss) method of defeating magnetic lock doors with a balloon, tape, and a straw. Convenience says that we should not badge in AND out. Just on the way in is fine. On the way out, we'll put sensors there so that the door will magically unlock for you. It's the high tech version of the black treadmill ...
