Archive for April, 2010

Apr 28 2010

Traveling…a LOT

Published by under General

The last couple of months I’ve been on the road almost as much as I’ve been home.  Some of it’s been local travel, like RSA in March.  Some of it’s been cross-country, like spending two weeks in New Jersey in February (during the snow storms, nonetheless).  And I don’t see any slowdown to the travel, with several cross-country trips for business and a week in Florida for the FIRST convention in June, then Black Hat and Defcon in July/August.  And there was even supposed to be some training in there somewhere, but luckily it’s been canceled.

I’ve fallen into a habit of stopping blogging for a while whenever I start a new job.  Part of it’s just getting familiar with the job, part of it’s learning what I can and can’t get away with.  But I’d say the largest part of it is just getting used to the demands of the job and how I can fit my blogging and podcasting into the requirements of the job and home life.  Blogging is fun, blogging is my passion, but blogging doesn’t pay the bills!  So I’ve learned to take the time to understand the demands of the job and make sure they’re met before I spend the time and energy required for blogging and podcasting.

This is not to say that I’m not continuing to do many of the things that got me into blogging to begin with.  More and more I am getting the chance to see reports and papers from companies as they become public, and sometimes even before they do.  A couple of weeks ago, I got to read John Kindervag’s papers on tokenization and end-to-end encryption.  Right now I’m in the middle of reading the Microsoft Security Intelligence Report for the second half of 2009.  And I have a few more papers in my inbox waiting to be read when I have the time.  Commentary on the reports will have to wait until I have the time and energy to write after a day of travel.

All in all, I’m almost to a point where I have figured out how to work and blog and podcast and still keep a modicum of sanity in my life.  I still have some distance to go before I can get back in the habit of blogging daily, but I’m confident it will come again.  It’s a bit counter to my other goal of longer, better thought out posts, but I’m hoping to figure out how to do both.  In the meantime, I’ll blog when I can and feel bad about it when I can’t.  I’m sure there are at least a few other bloggers out there who are taking up the slack.


Apr 20 2010

Network Security Podcast, Episode 194

Published by under Podcast

Hopefully the world hasn’t been smashed by an asteroid since Sunday, since that’s when we recorded this show. Martin is off with a client, and Rich and Zach are cramming for Source Boston. Well, Rich is probably half in the bag right now since it’s his birthday, but if he isn’t too hung over he’ll be headed to Boston in the morning.

Network Security Podcast, Episode 194, April 20, 2010
Time: 34:40

Show Notes


Apr 14 2010

Forrester: Explaining tokenization & E2E in layman’s terms

Published by under General

If your company is trying to understand tokenization and end-to-end encryption (E2E), you could do a lot worse than purchasing a copy of the Forrester research paper, Demystifying Tokenization and Transaction Encryption.  And by ‘you could do worse’ I mean that I haven’t seen a better paper that tries to explain tokenization and end-to-end encryption, but I do have a couple of bones to pick with it.  As someone who looks at both of these technologies almost daily, I think John Kindervag glossed over several important points that people considering either technology need to be aware of.  But if your company wants to be proactive about removing credit card data from its environment and wants to learn about these emerging technologies, there’s more than enough in this paper to get you started.

First off, let’s talk about what I like about the paper.  The opening sections compare the credit card ecosystem to a back alley poker game.  For me, this metaphor works, and it works well; comparing the credit card companies and merchants to a gambling house and its players is less than flattering, but it does an excellent job of highlighting the fact that most of what goes on behind the scenes in card processing is a complete mystery to most merchants and to all but the most savvy customers.  And quite frankly, like back alley poker games, it’s not something most of us deal with (or want to deal with) on a daily basis.

The metaphor is extended to explain tokenization.  In and of itself, a poker chip is of very little value, but it can be turned in to the house for money.  Similarly, if your company has tokenized the credit card numbers it stores, those tokens hold little value to a thief: a token can only be exchanged for the real card number by the system that issued it, so stealing the tokens alone removes most of the financial incentive to target your company.

The explanation of tokenization was good, but it was also one of the first issues I had with the paper.  It assumes that tokenization happens between the merchant and the acquiring bank: once the card has been authorized, rather than storing a credit card number, the merchant stores a token that the acquiring bank has provided as a placeholder for that card number in the merchant’s database.  This is one form of tokenization, but it completely ignores another form that has been on the rise for several years: internal tokenization by the merchant, with a (hopefully) highly secure database acting as the central repository for the merchant’s cardholder data while the remainder of the card flow stays the same as it is now.  That central repository, usually called a token vault, is the one place where real card numbers still live, so it stays in PCI scope and becomes the most valuable target in the environment.  There are several companies selling solutions that let merchants perform this internal tokenization independent of the acquiring bank, using their own hardware and software.  Several of the solution providers interviewed for the paper offer merchants this form of tokenization, so it should at least have been mentioned.
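To make the internal-tokenization model concrete, here is an added example (written for this page, not code from the Forrester paper or from any vendor it interviewed) of a minimal token vault.  The `TokenVault` class, its `authorized_callers` allow-list and the `luhn_valid` helper are my own hypothetical design, and the card numbers are constructed test values, not real cards.  Tokens are random rather than derived from the card number, keep only the last four digits so the token can still be shown on a receipt, and are deliberately built to fail the Luhn check so a token can never be mistaken for (or collide with) a live card number.  Only the vault can turn a token back into a card number, and only for callers on its allow-list, which is exactly why the vault is the part that stays in scope.

```python
import secrets

# Constructed sample PANs (industry test numbers, not real cards).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical merchant-side token vault (assumption: a single in-memory store).

    In a real deployment this is the one hardened, PCI-scoped system that holds card
    numbers (encrypted at rest); the rest of the merchant environment sees only tokens.
    """

    def __init__(self, authorized_callers: set[str]):
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}
        # Only these named systems may ask for the real card number back.
        self.authorized_callers = set(authorized_callers)

    def tokenize(self, pan: str) -> str:
        """Exchange a card number for a token; the same PAN always yields the same token."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits for everything except the last four; the token carries no
            # information about the card beyond those four display digits.
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # Design choice: a token must fail Luhn so it cannot pass as a real PAN
            # (and therefore cannot equal the PAN it stands for), and must be unique.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Return the real card number, but only to an authorized system (e.g. settlement)."""
        if caller not in self.authorized_callers:
            raise PermissionError(f"{caller!r} is not allowed to detokenize")
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault(authorized_callers={"settlement"})
    for pan in SAMPLE_PANS:
        token = vault.tokenize(pan)
        # The order database, web app and reports only ever see the token.
        print(f"stored in order DB: {token}  (ends in {token[-4:]}, Luhn valid: {luhn_valid(token)})")
        print(f"settlement recovers: {vault.detokenize(token, caller='settlement')}")
```

Run it and note what a thief who dumps the order database gets: sixteen-digit strings that fail the Luhn check and cannot be charged.  The only way to reverse them is to call `detokenize`, which is why the vault, its key material and its access controls carry all the risk the rest of the environment just shed.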

Another criticism I have of the paper is that while it does a good job of explaining that true end-to-end encryption runs from the POS to the acquiring bank, it doesn’t do as good a job of explaining the complexities and pitfalls of point-to-point encryption (P2P).  In a point-to-point design the card data is decrypted, and usually re-encrypted, at one or more points along the way, and every one of those points handles cleartext card numbers and has to be secured and kept in scope.  It may be that I’m dealing with this daily and see all the pitfalls that the different points in a point-to-point solution can have, but I wish more time had been spent filling some of these out.  And then there’s the issue that a P2P solution can be combined with an internal tokenization solution, which really complicates things.

I think that overall these are minor critiques of the paper by someone who may be too close to the issue.  If you’re looking to educate yourself and your company on both of these technologies, this paper is an excellent start.  But be aware that this is just a primer, a starting point to truly understanding the complexities of the emerging technologies of tokenization and end-to-end encryption.  And this is also only the first part of the paper; there may be more to follow that answers some of my gripes.  It rightly points out that there’s very little set in stone about either technology, so you owe it to yourself to start getting educated now so you can know the difference between a bluff and a full house when it comes time to place your bets.


Apr 13 2010

Network Security Podcast, Episode 193

Published by under Podcast

In spite of being frustrated, exhausted, and just plain beat, Martin, Rich, and Zach pulled together again (noticing a trend? Maybe we all need more sleep). In an unusual change of flow, we kicked off tonight’s show with one of our main discussion topics, rather than just covering the news. In this episode, we’re joined by Nick Selby of Trident Risk Management to chat about fraud in small financial institutions and stats on spending to protect corporate data.

Network Security Podcast, Episode 193, April 13, 2010
Time: 36:06

Show Notes


Apr 06 2010

Network Security Podcast, Episode 192

Published by under Microsoft, Podcast

Martin, Rich, and Zach talk with special guest Katie Moussouris, Senior Security Strategist at the Microsoft Security Response Center. Katie has been doing some work on ISO work item 29147 (“Responsible Vulnerability Disclosure”) and shares with us her experiences in this process, as well as her thoughts on software security improvement. Oh, and Rich gawks about some new gadget which shan’t be named.  We went a little long tonight because Katie has so much experience in the real world, but we think it was worth it.

Network Security Podcast, Episode 192, April 6, 2010
Time: 40:25

Show Notes:


Apr 02 2010

Payment Card Industry Rock!

Published by under PCI,Video

Do you remember those old School House Rock commercials from the ’70s?  I do, in part because someone gave my kids a DVD set with all of them on it.  And apparently the folks at the PCI Council remember them too, because they’ve created a video that looks a lot like those old commercials.  My favorite part is the fact that Bob Russo let a cartoon version of himself be part of the video.  I wonder if the real Mr. Russo can sing and play the guitar?
