Monthly Archives: July 2012

Payments and NFC Still Under Fire

After spending a few days around Security Week (BlackHat, Defcon, BSidesLV) last week, I was constantly amazed at the excitement and innovation around security. Unfortunately, most of this focused on the attack side, but nevertheless, it will drive security thinking forward (which is what we want!). Several researchers focused on Near Field Communication (NFC) implementations, as this technology is quickly becoming embedded in many mobile devices. While you may not be an NFC expert, you certainly have used NFC before. Any time you have used your credit card in a contactless way, paid for transport in London with an Oyster card, or even started your new automobile, you were using a form of NFC. Businesses want NFC because ...


BlackHat 2012 time!

One of the industry’s favorite conferences descends upon Vegas this week, which means you will find all manner of individuals casually, theoretically, or maybe maliciously looking for ways to own you and your devices. It’s one of my favorite times of the year because the kinds of research presented at BlackHat change how people interact with technology. Even Apple is presenting this year! I’ll be out there on Wednesday and Thursday, and would love to catch up if you have a few minutes. Definitely stop by the RSA booth tomorrow and pick up a bracelet for our EPIC party tomorrow night. I know some of our execs will be there, and I’ve been assured that one particular exec will “stick ...


Can You Trust Email Anymore?

I’ve been running my own email server for almost as long as I’ve had an email address. And when you roll your own, you have to figure out your own answer to the onslaught of SPAM that hits you every single day. A quick poll says that my SPAM server (Postini) blocked over 200 emails addressed to me today, and over the last sixty minutes there has been more SPAM than legitimate email for all of my users. This isn’t surprising. We’ve all been victim to the, “Didn’t you get my email?” question countered by, “Just found it in my SPAM folder.” Postini is fantastic. Its interface isn’t great (Google has done NOTHING with it), support is spotty, and frankly ...


Semantics and Compliance

I was sitting in a meeting earlier this year and someone asked me a “quick” question about PCI DSS. Always happy to oblige, I listened to the person go through a very intricate discussion and setup for this question (as in, on the order of just over five minutes) to finally get to the punchline, “so is this out of scope?” I’ve been in those discussions before, and at times the systems were so complex that they warranted a five-plus minute review in order to set them up. In this case the majority of the discussion was around specific semantics and nuances in interpretation that could cause a particularly problematic system to be shifted off of this compliance manager’s desk. ...


Does EMV Fix SMB Compliance?

By now you probably know that EMV is coming to the US. Some say it is long overdue, others believe it will only shift fraud to other methods. But what if EMV adoption solved the PCI issues for small and medium businesses? That could be a really interesting case study to see how it applies, as small businesses are typically caught unawares when bad things happen. As with all things, it may come down to acceptance more than anything else. Imagine for a moment if companies did aim to remove PCI DSS assessment activities from their annual audit schedule and converted all of their terminals to support EMV. Unless you and I as consumers get cards with a chip ...


Healthcare Security, Where Are You?

Information security for electronic healthcare information is often discussed (not here) behind closed doors with lots of whispers. The state of information security in the healthcare space varies, but most insiders agree it is in conflict. Dismal, even. Yours truly even took down an entire hospital’s printing network because they were running a super-duper-pooper vulnerable print server that just happened to get popped when doing what should have been innocent scanning. Security in many industries starts with compliance, but even that’s not working. HIPAA has been around for fifteen years—and its follow-up act(s) less than five—but we are constantly playing catchup. The results of a 2006 (yes, five years old) survey showed that HIPAA had the lowest compliance rates among ...
