So, you saw the PCI 1.2 announcement?

Is anyone else still just wondering what exactly this means for your business? The summary definitely answers a few questions, but I am wondering if someone was pressuring the council to release something, ANYTHING, about the new revision. One thing that concerns me as a QSA is the amount of variance that will be introduced in the interpretation of some of the clarifications. For example, right off the bat we see the opportunity for interpretation in the clarification under Requirement 1: “Added flexibility in the time frame for review of firewall rules, from quarterly to every 6 months, based on Participating Organization feedback. Now the control can be better customized to the organization’s risk management policies.” On the surface, ...


The Internet is falling down (falling down, falling down)!

Last month, we saw Kaminsky release details around a particularly nasty flaw in the DNS infrastructure. The tubes exploded with traffic on this flaw, and security pundits beat their chests, telling the masses that they had been reporting this for years. Well, it’s a new month, and we have a new flaw. Slashdot has posted a story about a BGP flaw that has been around for years and that could easily bring down major portions of the Internet. Wired has an article here, and the PDF of the presentation by Kapela and Pilosov is here. I was a system and network administrator in a previous life (and to date have only had one system of mine EVER hacked… that pesky IMAP ...


The Blame Game

First off, I want to apologize for the lack of posting. Travel across the date line is one of those things that looks like a productivity enhancer, at FIRST. Then the realization slowly sets in. One of the articles I wanted to post on was about Bill Homa (Edit: Sorry, got the spelling wrong!), the former CIO of Hannaford, who is changing his tune a little bit. Apparently, the PCI Standard is not his problem, but now he blames Microsoft for the breach that occurred on his watch. I don’t know if you are like me, but I can’t wait for the lawsuits to start flying so that all of the speculation on this incident can end. Legal discovery can be ...


Timing is everything

So you all know (well, the three of you that read this… Hi Mom!) that I am headed to Australia this week. I was doing my traditional pre-flight checklists to make sure that I had everything I needed before I started packing. Power converter? Check. Power supplies for devices? Check. Remove things that just add weight that you won’t need? Check. Log into my credit card account to make sure we’re good? DOH! My card has been compromised AGAIN! The DAY BEFORE I am headed to Oz. The new one is on its way (overnight now), but good gracious, talk about skidding across the finish line. Upside down. On fire. In eighteenth place. This is the only piece that annoys ...


August’s Herding Cats is now live!

Entitled “The Carl Method to Security,” it compares CIOs to our lovable friend Carl Spackler when it comes to reacting to a breach. If you read this and don’t believe me, just troll the news for recent CIOs responding to breaches. I don’t need to make this stuff up; people do it quite nicely on their own. Just like that time I was in the Las Vegas airport and a TSA agent came over the PA and said, “To the person who left your dentures and hearing aid at the security checkpoint, if you can hear me, please return to claim your items.” See? Don’t need to make it up. Anyway, go check it out!


Low Tech Security System Hacking

When I was flipping through some RSS feeds and saw this fantastic post from Gizmodo, I HAD to bring it here for discussion. Now keep in mind, this is a photographer’s artistic work, but it sure does open the door to other low-tech ways to subvert security systems. One of my personal favorites is the MacGyver-style (sans chewing gum and dental floss) method of defeating magnetic-lock doors with a balloon, tape, and a straw. Convenience says that we should not badge in AND out. Just on the way in is fine. On the way out, we’ll put sensors there so that the door will magically unlock for you. It’s the high-tech version of the black treadmill ...


DNS, Schmee-enn-ess

OK, yeah, that was a reach. As long as it makes me giggle, things will be just fine. I assume most of you are away from your RSS readers this week because you are furiously patching your DNS servers. The attack is actually quite genius, and it continues to demonstrate the inordinate amount of trust we place in servers and data that should not be trusted. The details of how the attack works can be read in the article linked above if you are interested. You probably don’t have the time right now because you are rushing to patch, though. Bruce Schneier takes this opportunity to lash out at the patching process. While some security pundits don’t take Bruce seriously, he’s ...
