Monthly Archives: February 2010

The RSA Conference, Are You Ready?

The annual RSA Conference descends upon the Moscone Center in San Francisco next week, and I can’t tell you how excited I am to be attending this year. Not only do I work for the company that bears the conference’s name, but we’re making some big announcements about our future and direction. More on that next week! Outside of that, if you want to catch up with me you will have several opportunities. Monday: Arriving in the late afternoon. Meeting with some folks and gearing up for the conference! Tuesday: Client meetings and booth duty! Come find me at the RSA booth from 11am to 2:30pm in the Expo. Wednesday: This day is stacked with meetings and I will be ...

Subscriptions Deal with Transactions Times Twelve

I was talking to a company that accepts credit cards for monthly subscription or service dues (think something as simple as paying your electric bill with your credit card), and when I asked them what level merchant they were, I was shocked to have them tell me they were at the top end of the Level 3 bracket! While I do not advocate focusing your PCI DSS efforts based only on your validation requirements, it is interesting to consider what might happen if you were to reduce the number of payment card transactions you process in one year. Is there a way to game the system? Well, maybe two ways. The first is to delete cardholder data, but that’s not ...

Think Blackberry is Safe? Think Again!

Chris Eng at Veracode put together a pretty sweet little presentation based on a tool Tyler Shields created to infiltrate Blackberry smartphones, called BBSpy. Blackberrys seem to be viewed as a more secure mobile platform than any other smartphone or PDA, to the point of speculation about the existence and future of President Obama’s Blackberry. When I first got a Blackberry smartphone, not only did my ability to separate my personal and professional life change, but I remember, as a security professional, liking some of the features provided. Remote wipe, encryption, and a password attempt bomb (a device wipe after too many failed unlock attempts) made me feel that, should I lose my Blackberry, I would be able to prevent any sensitive data on it from falling ...

Satellite Hacking, Not Just for Pros!

I found a great article by Stan Shyshkin last week on hacking satellite internet links. Satellite networking has always interested me, especially when it comes to learning how to take advantage of foolishly trusted links. Most of these links manifest as a form of “carrier grade” link such as MPLS or Frame Relay. These links are inherently considered private, even though the traffic on them is typically not encrypted. Fifteen years ago we extended our network footprint through private network links. Companies extended their WAN in the form of Frame Relay in 64 Kbit/s increments. These links were rarely (if ever) encrypted, partly due to the technology of the time and partly due to inherent trust in telcos. Companies running Frame ...

Personal Liability for QSAs

I was chatting with a colleague this week, let’s call her Anne, who had a very interesting question: “Should Anne carry personal liability insurance as a QSA working for a QSA company?” She was trying to assess her personal liability for doing QSA work. So let’s say Anne made a mistake, and that mistake caused a merchant to be breached; would her former employer go after Anne to make her a scapegoat after she left? I had a brief discussion with David Navetta of the Info Law Group about the idea (and please note that anything found here is NOT legal advice, and you should always talk to an attorney if you have an issue… entertainment purposes, folks), and he ...

Data Destruction is YOUR Responsibility!

Matt Springfield (formerly of I-Net Solutions, those were the days) posted about a problem he is having with his Apple Time Capsule, and what happens to the data on one when it dies. In his situation, a bad power supply prematurely ended the life of his device. When he asked an Apple representative what they do with the old hard drive contained inside the device, she responded that there was no data destruction policy. No data destruction policy? Wow, there must be some fun stuff on old equipment at Apple. For the record, I’m a Mac user. The first computers I used were early generation Macs (think System 6), and then I switched to a PC for a while in college. ...

Herding Cats February: The Retreat to Centralized Computing

Have you checked out ISSA Connect yet?  The next issue is up there with my column, The Retreat to Centralized Computing.  I’m traveling abroad right now so I don’t have the ability to put it up here on the site, but will do it when I get back next week. If you are a member, log into ISSA Connect and join the discussion!  Interact with great professionals globally as well as the authors that you enjoy reading every month.  If you are not a member, go sign up!
