
Want more information on Heartland’s breach?

Anton Chuvakin has assembled three fantastic roundup posts that pull both news articles and prominent bloggers’ opinions together for a couple of hours’ worth of reading (if you hit everything). Check them out: On Heartland I, On Heartland II, On Heartland III.


End to End Encryption is NOT the PCI Silver Bullet!

Evan Schuman of StorefrontBacktalk has a pretty shocking article today. Apparently, the Heartland malware hid in the unallocated file space. Right on the heels of my last blog post too. Nuts. Our forensic examiners at VeriSign look for this type of malware during every investigation because it is not a new trick. It surprises me that it was almost missed. Even still, I stand by my original premise which is that the standard (properly implemented) would prevent this. In order to get the malware on there, a software flaw or credential had to be exploited. Both of those vulnerabilities are addressed by PCI-DSS. What is more troubling is the same noise that came out after the Hannaford breach last year. ...


What CEOs (and CISOs!) Can Learn from Heartland

It’s one week later. With limited public announcements, what is this post going to tell you? Well, let’s start off by stating what it won’t tell you. You won’t find any gory details about the breach or the other parties involved. You won’t find anything here that cannot be deduced using public information sources. You won’t find anything here that has not been stated before. So what use is it? How about we assemble some key points and do a little bit of analysis to understand how something like this can be prevented in your company. According to the original press release, the investigation uncovered malicious software that compromised data that crossed Heartland’s network. Before we start attacking PCI and ...


PCI Compliant Companies Don’t Suffer Breaches

We’ve got another one in the news. Heartland Payment Systems recently reported a breach that may have affected up to 100 million cards. That’s a lot. Heartland joins another elite group of companies that suffered a breach but were also validated as compliant by a QSA. I want to make something very clear in this next paragraph, but before I do, none of the comments here should be tied directly to any incident that has been in the news. We keep our customer lists private unless we get permission to use one as a reference. There is a big misconception out there that needs to be cleared up. I’ve even written about it before in this blog. In our investigations ...


Discover Matches Merchant Levels (pretty much)

James DeLuccia IV noticed that Discover has officially matched their merchant levels to Visa (sorta). While this is a big step for Discover, I think most will find that they become Level 1 merchants of Visa before they become Level 1 merchants of Discover. There are exceptions. Some merchants are exclusively Discover. Those merchants will have to double check their levels (if Discover has not already told them they are a Level 1) to see if they have new compliance requirements.


Free Compliance Webcast!

Greetings all! Join me for a Free Compliance Webcast put on by BrightTALK! I’m one of the featured speakers and will be discussing “Beating PCI in 2009!” You can review the agenda and register here: http://www.brighttalk.com/webcasts/2158/attend. You should also be able to look below this paragraph and log in and register there!


Will 2009 finally be the year for the insider threat?

Finance and Commerce Magazine published an article based on a survey revealing that most companies are unprepared for IT risks. *blink* What? You mean that with all the emphasis we put on it, and all the spending after some of the biggest breaches in history, we’re still not ready? This is not coming from the consultant who sees this stuff every day, this is coming from people working for these unprepared companies. With the economic situation as it is, will your own employees finally turn on you and take advantage of weak security controls in your network? This may be an unpopular position, but while the risk is definitely much higher for insider threat, it doesn’t seem to make the ...


ACK! No browser is safe!!

What a confusing time it is for those of us who just like sitting around all day and poking at the interweb through a browser. We have a rather nasty 0-Day exploit for Internet Explorer roaming around, and Mozilla Firefox makes Bit9’s list as one of the most vulnerable applications in 2008 (surprisingly, IE is not on there). The Internet Explorer 0-Day is so bad that some experts are urging users to switch to another browser. Naturally, the first choice for a number of users would be Firefox. But now Bit9 has released this telling report saying that it was one of the most vulnerable apps in 2008. So where do you turn? Well, the list is not the ...


Past Issues of Herding Cats now ONLINE!

Herding Cats is the monthly column that I write for the ISSA Journal. If you have read my previous posts on Herding Cats, you probably noticed that the links require membership in the ISSA. If you are a reader of this blog and NOT a member of the ISSA, you should join today. Society membership rant aside, I now have a small page that has all of my past columns and publications for the Journal. Please navigate over to http://www.brandenwilliams.com/brwpubs/ to download those versions! These will be posted one month behind the printed version. Navigate over and enjoy!


PCI 1.2 is taking off!

Less than two months after its release, we’ve seen our first announcement from a company that has become compliant! I think that companies will find 1.2 easier to comply with when they examine it in detail. Have you performed a gap analysis yet? If not, maybe the downtime around the holidays (as long as it does not impact holiday lockdown!) would be good to review your last ROC and see what changes you may need to make!
