Monthly Archives: August 2013

Visa Updates Memory-Parsing Malware Warning

Visa released a public update to its Memory-Parsing Malware Warning yesterday, bringing forward signatures and IPs from its original alert in April based on recent activity. This very effective technique leverages commonly used software debugging techniques. Essentially, the malware uses a few readily available routines to hook into process memory in a way that lets it read and export full track data. So all of you folks who told QSAs like me this would never happen in a million years (this was a constant conversation from 2004 to 2009), baZINGA. Now that we have bazinga’d, let’s focus on how to prevent this from happening. Remember that post I did a while back about the ...


Hurry Up and Wait, PCI DSS 3.0

The PCI Council announced some highlights of the upcoming changes in PCI DSS 3.0. Here’s an article from TechTarget with comments from Bob & Troy that you might want to check out as well. The Council’s press release and available documentation do give us some insight into what they are thinking with respect to the changes, but as with most things PCI, the devil will definitely be in the details. Based on the doc, here is a quick good/questionable list of these changes: The Good: Scoping is always an issue with PCI DSS, and now there is a formal requirement to maintain an inventory of system components that are in scope. Frankly, I don’t know how you could manage ...


The Art of the Interview

Yes, I know. There are some cobwebs around here. Don’t worry, I’m working on clearing those out. I’ve finally taken a position with a company and have been buried with all kinds of great stuff. More on this soon! But in the meantime, I found an article in the ISACA Journal from Tommie Singleton entitled, “What Every IT Auditor Should Know About Using Inquiry to Gather Evidence.” If you are in the information security business and have to deal with assessing or auditing, do yourself a favor and take ten minutes to read this article. This technique is what separates the pros from the newbs in our industry. If you have worked with me in the past, you probably remember ...
