Categories Archives: Enterprise Security

PCI v1.2 saves the travel industry

One major change to PCI version 1.2 is the new requirements and testing procedures for Req. 12.8. 12.8 deals with how merchants and service providers should handle their third parties that can affect the security of cardholder data. The card brands have told us in the past that they would not expect a service provider to prevent a merchant from being compliant, but that the merchant must understand that they will carry the liability for a breach at their service provider’s site. We’ve seen 12.8 morph considerably from PCI version 1.0 to 1.2. The intent was to help merchants understand how service providers deal with their data, and make sure that they are protected if there is a breach at ...

Still think passwords are reliable?

Researchers Martin Vuagnoux and Sylvain Pasini recently released video demonstrating the ability to pull electromagnetic emanations from wired keyboards. Both videos show how various configurations of standard keyboards could have keystrokes intercepted through the air. Many of us have heard of the old TEMPEST project that was made famous by their demonstration of the ability to intercept the data that would be displayed on Cathode Ray Tube monitors. Imagine having someone sit outside your office or home and being able to see on their monitor the very same things you are looking at on yours. I wonder how many more corporate scandals would hit the press if this happened regularly. Now it appears that simply typing your passwords or authentication ...

PDF Wars: The Rise of the Evil Document

VeriSign’s Managed Security Services group provides all kinds of services to assist organizations in the heavy lifting associated with some security tasks. Those tasks that are easy if you have one, but not easy if you have a thousand. In a recent internal email string, one of our engineers told us they are seeing a dramatic increase in the amount of PDFs that have malicious JavaScript embedded in them. These exploits use the OpenAction function (like the HTML document.onload() function) as a vehicle to obtain full machine compromise with a root kit. I’m not sure why we feel the need to embed scripting into a PDF (isn’t that what the web and offline browsing is for?), but it appears that ...

So you think your memory is safe?

One of the topics that I often get into discussions with customers is pulling data out of volatile memory (RAM). The argument that is usually made related to insecure RAM storage is, “Well, someone would have to get on the machine and know exactly where to look in memory and it would just not be feasible for someone to do.” My response to this argument is typically something along the lines of “Obscurity is NOT Security.” Obscurity is a poor defense against security problems. It now appears there is evidence of malware that can grab data in memory to the hacker’s delight. It’s not really rocket science folks; it is actually pretty simple. This technique has legitimate uses in programming, ...

September Herding Cats is available!

Another month, and another dose of brain vomit by me! September’s edition of Herding Cats is entitled, The Softer Side of Security. In here I give you four tips on how to be more effective as a security professional. Yes, the touchy-feely crap has entered our model for success. As a side note, I’ll be writing closer to 750 words of content excluding the bio now. Hopefully that will let me fill all three columns. While you are looking at this month’s ISSA Journal, please also take a look at Bindu Sundaresan & Jennia Hizver’s (two brilliant consultants in our Global Security Consulting practice) new article entitled, 10 Tips on How to HACK the PA-DSS!

Why SSL is not the Catch-All

Billy Rios, application security extraordinaire, posted commentary on Sandro Gauci’s paper entitled “Surf Jacking – HTTPS will not save you.” It’s based on an attack called “Side Jacking” that was introduced during the 2007 BlackHat conference. Essentially, this type of attack allows someone to hijack a web session which would give them access to your account on a particular website. Branden… In English please… Ok, so let’s say you make use of some stretch time that the office gives you (assuming they know about it), and head down to the coffee shop of your choice to get a nice fresh cuppa. You bring your laptop with built-in WiFi with the full intention of working on that presentation for Johnson. That ...

Silos and Cross-Dysfunctional Teams

I may not be the first to use the term, but this concept is killing security and compliance across the globe. What am I talking about? I’m talking about the lack of function in companies with silos. We see silos rear their ugly heads in virtually every customer we deal with. Sometimes it is the disgruntled manager that was passed up for a promotion that is no longer being a team player. Other times it is a team in another region of the globe that wants to do things their own way. Or maybe it is just a jerk sitting next to you in Prairie Dog Land. So what do we do when these turf wars break out in our ...

How fast will your data walk out the door?

Cyber-Ark has released a new study (article on ars technica) suggesting that 88% of IT workers would steal data if fired. Every 88 in 100 IT employees would steal data if they were shown the door. That’s more than the 4 out of 5 dentists that recommend chewing Trident after meals! I’m not sure who they were polling, but it sure makes IT folks look like a bunch of criminals. At a minimum it does reinforce one point that often shows up in my presentations. At the end of the article, we learn that every third administrator would write down an administrative password. Administrators are often the worst offenders when it comes to breaking security policies and procedures. This is ...

The Internet is falling down (falling down, falling down)!

Last month, we saw Kaminsky release details around a particularly nasty flaw in the DNS infrastructure. The tubes exploded with traffic on this flaw and security pundits beat their chests, telling the masses that they have been reporting this for years. Well, it’s a new month, and we have a new flaw. Slashdot has posted a story about a BGP flaw that has been around for years that could easily bring down major portions of the internet. Wired has an article here, and the PDF of the presentation by Kapela and Pilosov is here. I was a system and network administrator in a previous life (and to date have only had one system of mine EVER hacked… that pesky IMAP ...

Timing is everything

So you all know (well the three of you that read this… Hi Mom!) that I am headed to Australia this week. I was doing my traditional pre-flight checklists to make sure that I had everything I needed before I started packing. Power converter? Check. Power supplies for devices? Check. Remove things that just add weight that you won’t need? Check. Log into my credit card account to make sure we’re good? DOH! My card has been compromised AGAIN! The DAY BEFORE I am headed to Oz. The new one is on its way (overnight now) but good gracious, talk about skidding across the finish line. Upside down. On fire. In eighteenth place. This is the only piece that annoys ...
