Monthly Archives: October 2008

Win a free pass to CSI 2008 in DC!

Thanks to the Security Bloggers Network, I am pleased to offer one free pass to CSI 2008 in DC! You will need to put some thought into your entry, as this is not just some easy giveaway. To enter the contest, all you need to do is email me your favorite security-related story: something you saw that was clearly a huge security problem, like a metal detector in a building that was maybe turned off, or maybe a NeXT box running an e-commerce web server in the last year. Here are the rules: All entries must be received via email by Thursday, November 6th, 5PM Central time. One entry per person. Your entry ...

PCI v1.2 saves the travel industry

One major change in PCI version 1.2 is the new set of requirements and testing procedures for Requirement 12.8, which deals with how merchants and service providers handle the third parties that can affect the security of cardholder data. The card brands have told us in the past that they would not expect a service provider to prevent a merchant from being compliant, but that the merchant must understand it will carry the liability for a breach at its service provider’s site. We’ve seen 12.8 morph considerably from PCI version 1.0 to 1.2. The intent was to help merchants understand how service providers deal with their data, and to make sure they are protected if there is a breach at ...

Still think passwords are reliable?

Researchers Martin Vuagnoux and Sylvain Pasini recently released videos demonstrating the ability to pick up electromagnetic emanations from wired keyboards. Both videos show how various configurations of standard keyboards can have their keystrokes intercepted through the air. Many of us have heard of the old TEMPEST project, made famous by the demonstration that the data displayed on Cathode Ray Tube (CRT) monitors could be intercepted at a distance. Imagine having someone sit outside your office or home and see on their monitor the very same things you are looking at on yours. I wonder how many more corporate scandals would hit the press if this happened regularly. Now it appears that simply typing your passwords or authentication ...

PCI Europe Community Meeting, Q/A (Part 2)

Final round of questions from the field! The first question from this session was “Are end of life operating systems able to be used?” The thing that really worries me about retail is that information security does not seem to be built into the price of goods on the shelf. When someone asks if they are expected to replace hundreds or thousands of devices for PCI Compliance because Microsoft will not support them anymore, I worry more about the overall security of the company. This seems like a reactive approach without any forward strategy, which is unfortunately fairly common. I understand the business implications here. If your competitors are not doing this, you could face additional price pressures by trying ...

PCI Europe Community Meeting, Q/A

I always enjoy the Q/A sessions that the Council holds at these events. I don’t know how many sessions I will be able to blog about (we only want the interesting ones anyway), but here’s the first batch of Q/A from this session! The first question was about segmentation and SANs. I’d never heard the question asked that way, but most SANs are by nature segmented from each other. The more interesting point here is what constitutes segmentation. So many assessors consider only firewalls a method of segmentation. According to the documentation provided by the Council, segmentation can be accomplished in multiple ways, not just by deploying firewalls. QSAs should be looking at the whole solution, not just fixating on a ...

October Herding Cats and Off to Brussels!

Greetings folks! A couple of updates in this post. October’s Herding Cats is up and ready for you to read! Pretty soon I will be setting up a URL where you can download all the published versions of this column regardless of your membership status with the ISSA. Need a little time though, baby birds. Until then, members of the ISSA can download the most recent version here. As you can tell, I have been reading a lot of James Patterson recently. Sorry about that. Also, if you are going to be at the PCI Europe Community Meeting this week, look me up! I’ll be wheels down in Brussels on Tuesday in time for the networking session. I am looking ...

PCI v1.2’s Sneaky Omission

Look out merchants, there is a sneaky omission from PCI v1.2 that does not seem to be making any headlines, and I’m wondering if it will just fly under the radar until someone like me stands up and points it out. All the discussion thus far has been around anti-virus, network segmentation (or the lack of a requirement for it), WEP, and firewall rule sets getting a six-month review (vs. quarterly). But does anyone remember this little tidbit from PCI v1.1 on determining the scope of a PCI assessment? “Any data repositories outside of the authorization and settlement environment where more than 500,000 account numbers are stored [are in scope].” I’ve heard that this little loophole has saved ...

PDF Wars: The Rise of the Evil Document

VeriSign’s Managed Security Services group provides all kinds of services to take on the heavy lifting associated with some security tasks: the tasks that are easy if you have one of something, but not easy if you have a thousand. In a recent internal email thread, one of our engineers told us they are seeing a dramatic increase in the number of PDFs that have malicious JavaScript embedded in them. These exploits use the document’s OpenAction entry (the PDF equivalent of an HTML page’s onload handler) to run the script as soon as the file is opened, and use it as a vehicle to obtain full machine compromise with a rootkit. I’m not sure why we feel the need to embed scripting into a PDF (isn’t that what the web and offline browsing are for?), but it appears that ...
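As an added example (not code from the original post or from VeriSign’s MSS group), here is a first-pass Python triage check for exactly the pattern described above: a catalog /OpenAction that points at a /JavaScript action. The three sample PDFs inside it are constructed for the example and are not real malware; the function names and the regex-based object handling are my own simplifications (no FlateDecode inflation, no object streams), which is precisely where real samples hide, so treat a clean result as “nothing obvious”, not as “safe”.

```python
"""Triage check for PDFs whose /OpenAction runs JavaScript. Added example,
not code from the original post or from VeriSign. It is a first-pass static
scan of raw bytes: it does not inflate FlateDecode streams or unpack object
streams, so a file it clears still needs a real parser or a sandbox."""
import re

# PDF names may hex-escape any byte (/Open#41ction == /OpenAction); malware
# uses this to hide keywords from grep-style scanners, so undo it first.
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
_OPENACTION_REF = re.compile(rb"/OpenAction\s+(\d+)\s+(\d+)\s+R")
_OPENACTION_INLINE = re.compile(rb"/OpenAction\s*<<(.*?)>>", re.S)
_REF = re.compile(rb"\s*(\d+)\s+(\d+)\s+R")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def _unescape_names(data: bytes) -> bytes:
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def _read_literal(s: bytes) -> bytes:
    """Read the PDF literal string at s[0] == b'('. Parentheses nest, so
    stopping at the first ')' would truncate app.alert('x'); backslash
    escapes keep the escaped byte verbatim (no \\n decoding)."""
    depth, out, k = 0, bytearray(), 0
    while k < len(s):
        c = s[k]
        if c == 0x5C and k + 1 < len(s):      # backslash escape
            out.append(s[k + 1])
            k += 2
            continue
        if c == 0x28:                         # '('
            depth += 1
            if depth > 1:
                out.append(c)
        elif c == 0x29:                       # ')'
            depth -= 1
            if depth == 0:
                break
            out.append(c)
        else:
            out.append(c)
        k += 1
    return bytes(out)

def _js_source(action: bytes, objects: dict):
    """Script of a /JavaScript action: inline literal (/JS (...)) or a
    reference to a stream object (/JS 5 0 R)."""
    i = action.find(b"/JS")
    if i < 0:
        return None
    rest = action[i + 3:]
    m = _REF.match(rest)
    if m:
        target = objects.get((int(m.group(1)), int(m.group(2))), b"")
        s = _STREAM.search(target)
        return s.group(1) if s else target
    rest = rest.lstrip()
    return _read_literal(rest) if rest.startswith(b"(") else None

def openaction_javascript(pdf: bytes) -> list:
    """Return [(trigger, script_head)] for every /OpenAction that fires a
    /JavaScript action; an empty list means no auto-run script was found."""
    data = _unescape_names(pdf)
    objects = {(int(n), int(g)): b for n, g, b in _OBJ.findall(data)}
    candidates = [("OpenAction -> %s %s R" % (n.decode(), g.decode()),
                   objects.get((int(n), int(g)), b""))
                  for n, g in _OPENACTION_REF.findall(data)]
    candidates += [("OpenAction (inline)", b) for b in _OPENACTION_INLINE.findall(data)]
    findings = []
    for trigger, action in candidates:
        if b"/JavaScript" not in action:      # e.g. a benign /GoTo action
            continue
        js = _js_source(action, objects) or b"<script not inline; inspect stream>"
        findings.append((trigger, js[:120].decode("latin-1")))
    return findings

# Constructed samples (not real malware): an OpenAction pointing at an inline
# script, the same thing behind hex-escaped names and a stream object, and a
# clean file with no OpenAction at all.
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('owned');) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")
OBFUSCATED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS 5 0 R >> endobj\n"
    b"5 0 obj << /Length 44 >>\nstream\n"
    b"this.exportDataObject({cName: 'payload'});\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

Run `openaction_javascript(open(path, "rb").read())` over a mail quarantine and anything that returns a non-empty list goes to a sandbox; the OpenAction is only the most common trigger, so a production version should also walk the catalog and page /AA (additional actions) dictionaries, which fire just as automatically.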

So you think your memory is safe?

One of the topics I often get into discussions with customers about is pulling data out of volatile memory (RAM). The argument usually made in defense of insecure RAM storage is, “Well, someone would have to get on the machine and know exactly where to look in memory, and it would just not be feasible for someone to do.” My response to this argument is typically something along the lines of “Obscurity is NOT security.” Obscurity is a poor defense against security problems. It now appears there is evidence of malware that can grab data in memory, to the hacker’s delight. It’s not really rocket science, folks; it is actually pretty simple. This technique has legitimate uses in programming, ...
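To show how little “knowing where to look” actually involves, here is an added example (not the post’s own code) that scans a raw memory buffer for card data the way both memory-scraping malware and a forensic examiner would: find digit runs (ASCII and UTF-16LE) and track-2 strings, keep only the Luhn-valid ones, and report masked results with their offsets. The heap fragment it scans is constructed inline from published test card numbers; the regexes and the `luhn_ok`, `mask` and `scan_memory` names are my own.

```python
"""Scan a raw memory image for payment card data. Added example, not the
post's own code. This is the same trivial technique memory-scraping malware
uses and the one an examiner uses to prove PANs sat in RAM: find digit runs,
keep the Luhn-valid ones. Feed it a process dump (procdump/gcore output), a
hiberfil, or the constructed heap below."""
import re

# PAN as ASCII digits, not embedded in a longer digit run.
_ASCII_PAN = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")
# The same PAN as UTF-16LE, which is how Windows POS software usually keeps
# strings in memory; an ASCII-only scan misses every one of these.
_UTF16_PAN = re.compile(rb"(?<![0-9])(?:[0-9]\x00){13,19}(?![0-9])")
# Track 2 as read from the magstripe: ;PAN=YYMM<service code><discretionary>?
_TRACK2 = re.compile(rb";([0-9]{13,19})=[0-9]{4}[0-9]{3}[^?]{0,30}\?")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit test; drops most timestamps, IDs and hashes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """First six and last four only (PCI DSS 3.3), so the report itself
    is not another copy of the card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_memory(image: bytes) -> list:
    """Return [(offset, kind, masked_pan)] sorted by offset. A track-2 hit
    takes precedence over the bare ASCII match at the same offset."""
    hits = {}
    for m in _TRACK2.finditer(image):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits[m.start(1)] = ("track2", mask(pan))
    for m in _ASCII_PAN.finditer(image):
        pan = m.group().decode()
        if luhn_ok(pan) and m.start() not in hits:
            hits[m.start()] = ("ascii", mask(pan))
    for m in _UTF16_PAN.finditer(image):
        pan = m.group().replace(b"\x00", b"").decode()
        if luhn_ok(pan):
            hits[m.start()] = ("utf16", mask(pan))
    return [(off, kind, pan) for off, (kind, pan) in sorted(hits.items())]

# Constructed heap fragment using published test card numbers; the 16-digit
# order id fails Luhn and must not be reported.
HEAP = (
    b"\x00" * 16
    + b"CustName=J. Doe\x00"
    + b";4111111111111111=2512101123?"                     # track 2, exp 25/12
    + b"\x00" * 8
    + b"order_id=1234567890123456\x00"                      # not a card
    + "5555555555554444".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE PAN
    + b"\x7fELF" + b"\x00" * 12
    + b"4012888888881881"                                   # bare ASCII PAN
)

if __name__ == "__main__":
    for off, kind, pan in scan_memory(HEAP):
        print("0x%06x %-6s %s" % (off, kind, pan))
```

The point for the “nobody would know where to look” argument is that nobody needs to: the scan is a handful of regular expressions over the whole address space, and the track-2 format even tells the attacker which hits are the valuable ones. The same scan over a dump of your own POS or payment process is a cheap way to find out whether it is holding PANs longer than it should.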

PCI Version 1.2 Changes

Are you interested in how 1.2 affects you? The Council provided a detailed list of changes between the two standards, but it can be a little overwhelming. The guys over at Aegenis have posted a good summary for those of you who want to cut to the chase. If you have questions specific to your business, why not reach out to a VeriSign consultant? We can provide the expertise you need!
