The PCI Council’s Revenue Generation Capability

The other day I was thinking about all the programs that the Council currently maintains and I wondered if it was possible to see how much money the Council actually brings in every year. I mean, every year seems to see more programs with more fee collection opportunities for the Council, but had anyone ever added all that up? So I got to researching. I started with the usual sources: LexisNexis, Hoovers, Dun & Bradstreet, and found very little information. I found only one report, from Dun & Bradstreet (which is notoriously inaccurate when dealing with privately held firms), putting it at around $3.7M in 2016. Then I headed over to the IRS’s website to see if the Council had ever filed a form ...


More Printer Security Talk

If you don’t have the context, read my previous post comparing printers to VoIP, i.e., it’s another computer on our network. Now that you are in the right mindset, look around your office and see if you see a printer sitting somewhere. It might even do copies, scanning, and faxing. Super fancy ones might even connect to WiFi networks to make interoperability easy. Many of them have hard drives in them for document storage, logs, configuration, and the operating system that powers the device itself. When is the last time you upgraded the operating system on that printer? Are you using a default configuration, or have you locked down all the things you don’t need? Better yet, ...


That Printer is gonna GIT ya!

Of all of the devices we have out there on our networks, is it going to be printers, cameras, and thermostats that cause our undoing? “Wait… did you say, PRINTERS!?! Are you off your rocker, Brando?” That was one of the key warnings that came from HP, Inc. in January of this year. I was one of a dozen individuals invited to a day-long summit at HP, Inc., where their product leaders and various security experts talked to us about hidden security problems in the enterprise, provided live demonstrations and a tour of the facility, and, as the highlight, an evening at the HP Garage in Palo Alto. Let’s take a moment and think back to the advancement of Voice over ...


More EMV Bypass Fun

So I’m sitting here in San Diego, which we all know is German for… never mind. As I pay for my lunch, I present my chip card and there is some kind of error. I know I entered my PIN correctly, but it immediately came back as failed. The bartender taught me a neat trick that I am sure we all need to be aware of as people capture magstripes and write them to new cards. “Oh, no problem on bypassing that. Just turn the card around and insert it, it will fail, and you can swipe!” The Verifone VX-675 terminal this place used detected that a card was inserted without a valid chip read, and immediately told me to ...


PCI Compliance, Version 3.2 Now Available!

Well folks, it’s finally here. What started as an experiment back in April has finally come to fruition. I’m happy to announce that PCI Compliance, Version 3.2 is NOW AVAILABLE! If you order via the CreateSpace bookstore, please use coupon code 4JRH748R for $2 off through the RSA Conference. You can also order it via Amazon here. For those who want to get the e-Book, it will be available in Kindle format by February 15 (same link as above). As always, huge thank you to all of you out there who keep the conversation going!


Conference Wrap-Up, 2016

As we get ready to close out 2016, there have been quite a few events I have neglected to post here. I know I owe a larger update and more tools soon, but here’s one in the meantime to recap October and November. For this post, I’m taking a cue from Bill Brenner and supplying some mood music. My mood music is a little more fun than his is, though. October and November were busy months for speaking and writing. Here’s a quick recap. Ever wonder why it might be a good idea to segment your home network? All those smart devices have to connect somewhere. I wrote an article for Tactics and Preparedness that discusses some of these issues ...


Is Retail Ready for the 2016 Holiday Season? When Toasters Attack!

The holiday season is upon us, and the biggest days for retailers to make their 2016 plan commitments are coming. The popularity of online shopping always seems to claim a few retailers every year who did not plan capacity accordingly. We’ve seen both Black Friday and Cyber Monday shut down websites in the past, and even though elastic computing has grown in popularity, we can expect one or two that under-planned their capacity for this year. But this post is not about poor IT capacity planning; it’s about the latest string of Distributed Denial of Service (DDoS) attacks that have claimed a number of prominent web properties over the last month. Internet of Things (IoT) devices, when improperly designed, can ...


Netgear (In)Security and their Failed Remote Management

I’ve been having issues with some home networking equipment and decided that after a couple of years, I needed to make some updates. I did my research and ultimately settled on the Netgear R8000. Not just because it looks dead sexy or because it’s called the Nighthawk, but because it had really great reviews and I’ve generally been on board with Netgear’s product quality and technology. That is, until today. One of my biggest complaints about today’s networking equipment is that it really wants to be the only router in your house. It wants to be the command center. So if you have a couple of pieces of networking equipment, they both want to be in charge. I get it, ...


Why I am Skipping the PCI Community Meeting

I know, you guys have given me crap for so long. “Suuuure you are going to skip this year. Whatever, Brando, see you in X city at happy hour.” This has been the discussion over the last few years, and every year I have made my way to the city in question, going back to the initial meeting in Toronto in 2007. This will be the first year I will miss. For me, it comes down to two things: content and how the hard questions go unanswered. Content: I looked at the agenda this year. For people new to PCI DSS, there are quite a few great sessions to attend. If you have more than one year’s experience and perhaps have ...


My Tea Journey, so far!

Many years ago, I started a long journey into the world of tea. I still consider myself a n00b, but a n00b who knows what he likes and is not afraid to try something new. A friend of mine was asking about my tea obsession, so I ended up putting together this long email that represents my current thinking around the leaf. After spending all that time, I figured I’d post it here, and possibly update it over time. BTW, I recently found a guy who has an AMAZING YouTube channel if you want to learn about tea. I visited his shop in Camden Town (London) in October of 2017 and absolutely fell in love. Don Mei of MeiLeaf Teas ...
