From the Dept of Obvious Statements: PCI Not Just for Cardholder Data!

Evan Schuman (Storefront Backtalk) wrote on Valentine’s Day that PCI is not just for payments anymore. Hate it or love it, PCI is a great standard for a baseline of security. You can replace Cardholder Data with just about any type of data you want to protect, and you can establish a minimum baseline that will do a reasonable job of keeping that data protected. Security consultants have been pointing this out for a while. I think the most telling part of this is that the security and IT programs in some companies are so bad and so far gone that PCI is what is propping them up. Again, I still believe that the PCI-DSS is a ...


MasterCard updates compliance dates

In a recent update to their website, MasterCard has altered its merchant levels to match Visa’s, and is giving Level 2 merchants until December 31, 2008 to validate compliance. This is another entry in the long-standing debate about compliance dates and what they mean for merchants. Most of these merchants are already being fined in conjunction with the Visa Compliance Acceleration Program if they have not validated, so the extended dates may indicate fines or tougher pressure by MasterCard as the date passes (this is PURE speculation). This should not add any pressure to existing Level 2 merchants that have not validated, though having 2 card associations looking at you is definitely worse than one.


People Hacking!

Yes, it’s true that part of the reason I was not posting very frequently is that I was running out of ideas. It is also true that I’ve started following Schneier’s blog again. Anyway… He’s got an excellent post with 2 examples of how Social Engineering was successful in the theft of significant sums of money. Security is made up of People, Process, and Technology, and people are almost always the weakest link.


Darn those crafty Cybercrooks!

USA Today had an interesting article on Monday detailing how Cybercrooks are getting craftier (is that a word? more crafty? more craftierest?) with the scams designed to trick people into parting with personal information. A couple of the attacks listed include: email greeting cards that give intruders control of your router (specifically a popular router in Mexico); turn-key phishing kits with everything needed to create bogus bank websites; and click fraud targeting small e-commerce sites to drive up fake ad revenues for crooks. And here’s someone else with too much time on their hands (thanks Springtown!)!


More Utility Hacking

As a follow-up to the last article, here’s a pretty interesting story about a teenager in Poland who figured out a way to control how trains change tracks. He didn’t hack through the internet, or some rogue access point at a station. He used a TV remote. Between this and the Boeing 787 Dreamliner’s issues, I wonder if this will force companies to take a hard look at the software they use to drive their products.


Hacking Utilities?

This week, Bruce Schneier blogged about the CIA’s disclosure of hacking incidents at public utilities. I’ve been wary of utilities ever since I learned about SCADA systems and their implications for security. I’ve heard about consultants armed with a copy of NMap accidentally shutting down large SCADA networks simply because of their age & lack of security. The thing that is scary is that we have come across companies reliant on SCADA systems for their factories or assembly areas that are also subject to PCI. Eek! The good news is that with careful planning and a good network segmentation strategy much of the impact can be reduced.


New battery restrictions got you down?

After getting an extended battery for my laptop (yaay! Less whipping out the iGo for power on the plane!), I am wondering if anyone has had problems with the new TSA Battery Guidelines. My battery is well below any proposed limit, and I rarely check bags (thank YOU London Airports!), but it seems any time a new TSA regulation is put into place there can be some difference in interpretation. What say you?


Secure hashing of PAN requires salt

In Mike Dahn’s PCI Answers blog, a post was made over the break about the secure hashing of PANs. As this blogger has said on many occasions before, hashing is a double-edged sword. Theoretically, you could create a hash that is as secure as ciphertext from an encryption algorithm. If you used a 10 kilobit salt (effectively the key) plus the PAN, you would have something quite secure and would not run into issues with collisions. The problem is that you cannot change your keys without retaining the original PAN. If you did change your key, new hashes of the same PAN would not match old hashes. Perhaps the biggest issue is that people treat hashes differently than they do ...
