Monthly Archives: October 2012

Preying on National Disasters: Today’s Get Rich Quick Scheme

Earlier this week we started to see warnings from news outlets, bloggers, and other media warning people about scams to collect money in the aftermath of Hurricane Sandy. Unsolicited calls asking for donations, websites that appear official, and random numbers you can text to donate money automatically pop up and disappear quickly. So if you are in a giving mood, how do you tell the good ones from the bad ones? The first thing to be wary of is someone calling your phone and asking for money. It can be a great reminder, but if you want to guarantee your money gets to people in need and not into someone’s pocket, go find your charity of ...


On Whitelisting ASVs

This topic has made the rounds again—both due to the community meetings happening over the last four weeks and with some customer discussions I became involved in. Essentially, the issue is this. ASVs need the ability to scan through perimeter defenses like IPS, and companies being scanned want to showcase their defenses such that they activate (like they should) upon a scan. Both groups have valid points. The ASV is following the program guide. In order to provide passing scans they must be able to scan through perimeter defenses to the actual systems to generate an accurate vulnerability report. Having a scan instantly blocked doesn’t necessarily eliminate the possibility that a vulnerability could be exploited; it just stops that scan’s ...


Slow Down Patching?

The whole discussion around patching and vulnerability management is a big problem in general, but typically exacerbated by compliance initiatives like PCI DSS. Companies want to be secure, in general, but they have different risk procedures that can change the manner in which they do things like patching or how they lock down desktop controls. A good friend of mine turned me on to a presentation that happened at the San Diego ToorCon this past weekend that I am curious about. The abstract pushes us into dangerous territory, that of interpretation of QSAs (something we have often chatted about here). In the abstract, the presenter takes the opinion that rushing to patch is undesirable (potentially agree) and that the language ...


The Power of Inference

Last week I spoke at RSA Conference about using social engineering techniques as a form of espionage—a way to “game” big data, as it were. I believe that our current estimation of what can be derived from innocuous-appearing data is not only lacking, but it’s nearing the level of irresponsibility. In our talk, we discussed how an attacker might go after a prized piece of information, say the formula for Coca-Cola. If an attacker wants to re-assemble such a formula, he could apply techniques often used in social engineering. Social engineers don’t bluntly ask targets for their Social Security number; they ask them for pieces they can use to reconstruct it. For example, people tend to give out ...


“Non-Observables”

Security professionals face crazy obstacles unseen in other parts of the technology space. For example, we are often fighting enemies we cannot see. They out-maneuver us by attacking our partners, our information supply chain, and even our people. But they are not completely invisible if we know what to look for. There was a recent thread on the SIRA mailing list that discussed the concept of “non-observables,” or elements in the security space that cannot be feasibly observed by defenders. These elements, in theory, would be critical in event detection, thus providing defenders with better capabilities to shrink the window of vulnerability. This is a foolish notion that leads security people into an unnecessary state of helplessness. Consider Locard’s Exchange ...


September 2012 Roundup

What was popular in September? Well, we certainly couldn’t get enough of the new iPhone (and by the way, I think Samsung’s commercials are ABSOLUTELY GENIUS!). We enjoyed cooler weather for all, and a fantastic Oktoberfest. We had the PCI North American Community Meeting kick off a whole new round of discussions on everything that is right (and wrong) with PCI DSS. Oh yeah, and good ol’ Brando forgot to renew the domain, so the site was down for a couple of days. It’s back up now, so we can all rejoice and be glad. Here are the five most popular posts from the last month: PCI DSS Feedback 2012. The Council released some highlights from the feedback process including ...
