Category Archives: Enterprise Security

Try the Middle of the Current (Just for Fun)

I was having a fantastic discussion with a close friend yesterday about how the security industry harbors people that fight battles just for the sake of fighting battles. It’s the stuff that makes Sun Tzu shake his head knowing that you are on the losing side. My friend said, “Hey, didn’t you write about something like that a while back?” Once again, Past Brando hosed Future Brando. One of Sun Tzu’s biggest teachings is that the preferred method to win a battle is to win without fighting. If I were to take some literary liberty with this edict and apply it to the security space, it’s better to win within the established rules of the game instead of spending all ...

More Hacks!

It’s been a busy weekend. Since last week, we’ve seen announcements from PF Chang’s, AT&T Mobility, and Domino’s Pizza, all with varying levels of disclosure. PF Chang’s looks to be yet another payment card breach, while Domino’s Pizza was a privacy-related breach in Europe (no cardholder data apparently disclosed). But the AT&T Mobility one is the kicker, with an unknown number of customers impacted, and the big no-no on this one—social security numbers. Lovely! All that aside, because at this point none of this is really exciting or unexpected, I want to direct your attention to a short and sweet blog post from Mike Rothman, who discusses a comparison (with reference) between emergency managers and information security professionals. It’s ...

More Fun with EMV

Yes, it’s time to go hit your local university library again (or just join the Association for Computing Machinery) to see a great article from Anderson & Murdoch entitled, “Inside Risks EMV: Why Payment Systems Fail.” For those of us in the US that are now on the cusp of a wide-scale EMV rollout, there are still many questions that need to be answered. Drs. Anderson and Murdoch do a great job of summarizing the issues that we will face here in the US, including some of the attacks that were common in other implementations of EMV. Turns out, the French may be the best experts at cracking this thing. EMV tokens make an appearance in the article, but there ...

EMV as an E-Commerce Fraud Driver

Oh what a year it has been so far. Breach here, breach there, breaches everywhere! EMV to the rescue, right? RIGHT?!? Well, yes and no. EMV does add tremendous security (when configured properly) to a Card Present (CP) transaction, but EMV does nothing to help the security of Card Not Present (CNP) transactions. And given the increased digitization of business and commerce, we would expect that over time the number of CNP transactions would increase at the expense of CP transactions. Meaning, as more digital business models drive people to purchase goods and services without physically presenting their card for purchase, people will opt for that style as it could be seen as more convenient. Don’t forget that CNP transactions ...

Heartbleed and Passwords

Right around this same time last week there was a flurry of activity for those responsible for deployments leveraging OpenSSL. Yep, I’m talking about Heartbleed. So after we go through all of the patching and re-keying, it’s now time to consider password changes. This post isn’t about Heartbleed; it’s about passwords and what the bad guys already know. Melanie Pinola from Lifehacker wrote a very interesting piece on Friday about how our password tricks don’t fool the modern hacker. I’m not sure what happened to recommendation number 3 in her piece, but 1, 2, and 4 are spot on. What’s the solution? Ultimately it comes down to using some software to help you out. Password managers are now built into some ...

Subject to PCI DSS? Time for defense!

For those of you that have been reading this since it was part of the VeriSign blogging program, you know that my posts tend to follow what is most important in my daily life. Or, if not most important, the loudest thing in my daily life that really needs a comment or two. After joining RSA, I spent quite a bit of time talking about advanced threats, especially after the breach. I also sat on the PCI Board of Advisors during that time, but the reality is that my daily work around information security and what the Board was tackling were very far apart. Given the release of 3.0 and the commentary from that to date, I would still agree ...

Swing and a Miss: Target and the Council Respond

I happened upon the Council’s news page today and saw a couple of great attention grabbing headlines entitled, Time for Smartcards and PCI Council Responds to Critics. I found both of these interesting given the landscape of breaches we have seen over the last couple of months, but I found that both missed key points in their communication. Let’s start with the Council’s response. First, we should be clear. What Russo is saying is absolutely accurate. The majority of breaches that happen, including the Target one, happen due to basic security failures that are already covered in the standard. Go take a look at requirement 8.3 and 8.5.6.b which directly address the latest disclosures surrounding the event. I also agree ...

Data Discovery, It’s A Thing!

Those of you who have been following me for a while know that I am a proponent of data discovery tools, and Data Loss Prevention tools where appropriate. I partnered with one while running the consulting business at VeriSign, and worked with the teams at RSA that developed their product. I even talked about finding the data as the security equivalent to Dave Ramsey’s first Baby Step for security. It’s becoming even more critical with PCI DSS 3.0 as data flow maps must be maintained and validated (to some degree). At Sysnet, we have tools for doing all kinds of scanning including data discovery scans. One of the challenges with most of the DLP solutions available is that the vendor ...

What the Leaked Target PIN Data Actually Means for You

Before you read this, consider checking out my first post on the Target breach. Payment systems are complex. If you have ever assessed one or looked under the curtains going all the way back to the issuer, you know this. So it is not a surprise that there is a ton of misinformation flying around about the PIN data that Target admitted was taken. Before we get too far down the road here, I want to review a few items to make sure we’re all on the same page. First, let’s talk about track data. The type of data in the magstripe on the back of your card is sensitive, which is why PCI Requirement 3.2 forbids storing it. I’ve ...

For the Super Geeky Crypto Guys

Of course, if you are a super geeky crypto guy (of which I am envious, because math is not my strong suit) you probably already saw this amazing paper by Daniel Genkin, Adi Shamir (the S in RSA), and Eran Tromer in which they demonstrate a side-channel attack against RSA encryption. Since the math behind RSA makes decryption infeasible through brute force, attackers must get creative in how they go after the protocol. Previous attacks on prime number generation have been published, as well as attacks on weak software implementations that leak parts of the key. But this one is really ingenious. The authors are able to extract the RSA key by simply listening to the noise put ...
