Electronic “Muddy” Footprints?

Sharon Gaudin at Computerworld writes about a new way to use RFID tags. In this article, a new physical security technique is discussed where a worker who walks into a restricted area would pick up hundreds of tiny RFID sensors on their shoes. As they track their feet across the doormat on the way out, sensors pick up that this employee has entered a restricted area, and then release the hounds. Cooler than LED Throwies? You be the judge.

All QSAs Are NOT Created Equal!

In an unpublished (and scrapped, to my knowledge) Top 10 Security Predictions for 2008, I predicted that we would see a breach in 2008 from an entity that had validated compliance (hey, come on… it’s true, I promise). Does that mean that the standard is not tough enough? Or that companies validating compliance are having a hard time maintaining it? Or possibly that a QSA is not doing their job properly? The first has been discussed at length in the industry. While there are loud detractors to the standard, insiders agree that compliance does not equal security. Compliance is a baseline and security should be layered on top. The PCI standard as it stands is GOOD. Getting companies to comply ...

See me featured in the March ISSA Journal

This month’s issue of the ISSA Journal features my article on simplifying data flows, entitled “Data Flows Made Easy.” So far, the feedback has been positive, but what do you think? Also in this issue is the first installment of my monthly column, “Herding Cats: Practical Security Tips for a Wacky World” (Thank YOU Fred Langston!). In it, I explore a simple tip for locating that sensitive data inside your organization. Finally, another VeriSign consultant is being published this month: Bindu Sundareson’s article, “Converged Compliance Management,” is also included in the March ISSA Journal. Check out the links and read up on the thought leadership that is common in the Global Security Consulting group at VeriSign!

A SQL Injection Attack!

(This post is brought to you today by the letter A). This weekend, I took a hiatus from the computing world and headed down to the family lake house. Time to get ready for summer and clean out all the junk! Well, not junk, but lots of ladybugs for some reason. When we arrived home yesterday, I caught up on my personal email, and noticed that someone posted a comment to my personal blog. Like this blog, when someone comments, I get excited since I’m never sure if anyone is reading. (Please leave comments, it makes me feel useful. Just like all the characters in Sodor want to be.) The comment in particular was an attempt to run a SQL ...

Rerouting the Boss’s Luggage?

StorefrontBackTalk’s Evan Schuman writes about a serious hole in an airport wireless network that could allow people to reroute luggage. Oops… More reasons to carry on. As it relates to PCI, VeriSign has extensive experience in the travel industry and has dealt with some of the challenges that airlines have. Like a few other industries, it is unique in its constraints around compliance and security. For instance, something you may not know is that the airports typically own all of the networking and computing equipment used by their tenants. So unlike most companies that have control over the chain of systems that deal with sensitive data, airlines may be forced to start off with a lack of control at the ...

PCI Security Council releases FAQ

The PCI Security Standards Council looks as if they have released that FAQ they have been working on! I can tell you that this is a huge relief for everyone involved (merchants, service providers, QSAs, ASVs, etc.), as the volume of questions that the council was dealing with prevented them from turning around answers quickly. Of course, quickly is a relative term. But consider their position. Here at VeriSign, we might submit 1 question every couple of months, but other QSAs may submit more. For every question that VeriSign (or any QSA) submits, they must get buy-in on the answer from all 5 members before it can be turned around. You can see how this can easily take days or ...

Credit Card Security Code Broken by UV Students

WJLA News reports that a University of Virginia graduate student and two fellow hackers have cracked code contained in smart cards. Information security rears its head again! The company claims they only got a portion of the code, but depending on what they got, it could be enough to launch a feasible attack against those keys. Any reduction in bits can make a huge difference in the time required to retrieve a key. You know, those smart card guys would have gotten away with a sub-par setup if it weren’t for those meddling kids…

Dude! Will you blog or something?!

Greetings folks! How about a headline wrap-up? Ready? OK! Liquid Bombs? Trivial or did they use a lab? False advertising on drive encryption? Recovering disk encryption keys from RAM? Cracking GSM in 30 seconds? What a week!

From the Dept of Obvious Statements: PCI Not Just for Cardholder Data!

Evan Schuman (Storefront Backtalk) wrote on Valentine’s Day that PCI is not just for payments anymore. Hate it or love it, PCI is a great standard for a baseline of security. You can replace Cardholder Data with just about any type of data you want to protect, and you can establish a minimum baseline that will do a reasonable job of keeping that data protected. Security consultants have been pointing this out for a while. I think the most telling part of this is that the security and IT programs in some companies are so bad and so far gone that PCI is what is standing them up. Again, I still believe that the PCI-DSS is a ...

MasterCard updates compliance dates

In a recent update to their website, MasterCard has altered its merchant levels to match Visa’s, and is giving Level 2 merchants until December 31, 2008 to validate compliance. This is another entry in the long-standing debate about compliance dates, and what that means for merchants. Most of these merchants are already being fined in conjunction with the Visa Compliance Acceleration Program if they have not validated, so the extended dates may indicate fines or tougher pressure by MasterCard as the date passes (this is PURE speculation). This should not add any pressure to existing Level 2 merchants that have not validated, though having two card associations looking at you is definitely worse than one.