Archive for March, 2006

Mar 20 2006

Visa warns retailers about Fujitsu software

Published under PCI

Greg Sandoval at News.com has a little more information about the leakage of debit card information. Apparently at least part of the fault lies with cash-register software made by Fujitsu, though the company states their software couldn’t be solely at fault. And they’re probably right; I’m willing to guess that their software is just the front end of a system and has no built-in database. They probably just collect card information, which is passed on to a database and whatever back-end integration software the retailer uses. It’s improper management of the data by the merchant that is the root cause of this compromise. One thing I’m glad to see is that the author of this article isn’t lumping debit cards in with credit cards as if they were subject to the same requirements. The PCI standards are very explicit about credit card information, but to the best of my knowledge never once refer to debit card information.

Mar 20 2006

Google wins the first battle

Published under Government, Privacy

Google is declaring victory in the first part of the war with the Department of Justice. The judge has placed end user privacy above the DoJ’s need for the data, which makes me feel that there is hope. But I feel this was simply the opening salvo in a war between the government and the search engines over our search data. I believe the government is trying to establish a case history that allows them to require information from the search engines without subpoena or with minimal paperwork. Judge Ware’s decision sets this plan back on its heels a bit, but I’m sure the Department of Justice will be back in the near future.

Mar 20 2006

New Security Blog: APB Infosec Blog

Published under Blogging

I’ve been hearing for a couple of years now that Brazil is one of the hotspots for hacker activity, but the APB Infosec Blog is the first security-related blog I’ve heard about. Augusto Paes De Barros has been blogging for several years in Portuguese, but has decided to also share his thoughts in English now. I really like last week’s article on Threat Evolution. The English-language site is still relatively new, but I hope to see more good things from Augusto in the future.

Mar 16 2006

New virus encrypts your documents for you

Published under Encryption, Malware

Of course, it won’t give you the key to decrypt them unless you pay for it. Luckily Sophos has already figured out what the password is. Read the full story at Ars Technica.

Mar 16 2006

More info about debit card PINs

Published under PCI, Security Advisories

News.com has another article spelling out how and why merchants may have been keeping debit card PIN information. The author made one unfortunate mistake, which is treating PCI requirements as if they applied to debit cards. They apply to your credit card if you use it as a debit card, but they do not apply to your bank debit card, unless it is also a credit card. I guess it’s really a minor point, but as someone who looks at the PCI requirements on a daily basis, I feel it’s important to know the difference.

Mar 16 2006

Perception of consumers is paramount

Published under PCI

Last night I wrote a short piece on the Podcast Roundtable about how important customer perception is. This morning SearchSecurity has an article backing this up with some statistics. Everyone wants to feel safe if they’re doing business online. The fact that businesses aren’t doing as much as they could to protect our data makes most people nervous and is having an effect on online sales. I think the answer lies in business organizations creating more standards like Visa and MasterCard’s Payment Card Industry (PCI) Data Security Standards. But if the industry doesn’t start policing itself better, more legislation may be the only answer.

Mar 15 2006

Israeli couple going to prison for spyware

Published under Malware, Phishing, scams, etc.

This Israeli couple were using targeted spyware to help several companies spy on their rivals.  They were installing the software on the target machines via floppies and email.  The spyware they were creating was specifically made to avoid detection by the antivirus programs in place at the target companies.  And their reward is several years in prison each.

Mar 15 2006

Now it’s two most excellent articles!

Published under PCI

Edit: Dana left me a comment, but it mistakenly got tagged by the computer as possible comment spam. I should learn to check the spam filter more often.

I don’t know if Dana read my commentary or if someone else had a similar criticism, but he has split his 5 Rules article into two parts. The first is the majority of the original article, The 5 Rules of the Regulatory Process. The second part is Using SBS 2003 to Meet Objectives in the 5 Rules of Regulatory Process. As strange as it may sound, I think that the act of splitting up the article actually strengthened the point of each article. Where before they had conflicting purposes, they now stand well on their own.

The 5 Rules of the Regulatory Process are an excellent extension of the original article, The 8 Rules of Security. I’ve spent the last six months waist deep in the regulatory processes of the Visa/MasterCard Payment Card Industry (PCI) Data Security Standards, and the 5 rules do cover the intent behind almost every point in PCI. They’re an excellent rule of thumb to use when looking at any item covered by regulatory guidelines. Thanks Dana.

Mar 15 2006

Dana Epp on the Regulatory Process

Published under Security Advisories

Dana Epp’s article, ‘The 5 Rules of the Regulatory Process’, had me enthralled, up until the point he started espousing the virtues of Microsoft Small Business Server. What had up to that time been an excellent article on a way for small businesses to look at regulatory compliance suddenly became a sales pitch for Microsoft. I’m hoping that this is just in the way I’m reading the article, not the way it comes across to everyone. Don’t mistake me, it’s still an article worth reading; I just don’t like the feeling of being sold a product in what would have otherwise been an excellent article.

I like Dana’s 5 rules, and I may have to look at incorporating them into some training material I’m working on.  With proper attribution, of course.

Mar 15 2006

A possible source of the debit card information

News.com has a story about a card ring that was busted recently in New Jersey. This card ring may be the ones responsible for the recent Citibank debit card compromises, and the compromised information appears to have come from OfficeMax. OfficeMax was denying there had been any compromises at their site, but now they don’t appear to be responding to inquiries.

This is the first concrete information I’ve seen on this compromise. I still wonder why any merchant would be keeping magnetic stripe information from a debit card along with the PIN, even if they are encrypted. I foresee either new industry compliance regulations coming out of this event, if not several new state laws. I also hope that there are a number of other businesses that are already looking at their data retention policy for debit card information and weighing the benefits of keeping that information versus the possible downside of a compromise. I hope they realize that there’s no positive benefit to keeping the information in the first place.
