misc

Miscellaneous posts

Photo: regolare on Flickr - http://flickr.com/photos/regolare/

Two not-so-nice highlights of my RSS feeds:

First, Edent (via BoingBoing), who got stuck at a “stop and search” checkpoint (video in both links):

A Londoner was stopped by a London Transport Police officer under S.44 of the Terrorism Act 2000, and had the presence of mind to whip out his video camera and record the officers tearing through his stuff. The officers admitted that they had no suspicion of him, no reason to search him and told him he’d be arrested if he refused. [...]

So that is what you do in a democratic country. Nice.

And second, Emily Feder at Alternet, who was detained by US DHS while returning from Libya:

[...] No one who had been detained knew precisely why they were there. A few people were led into private rooms; others were questioned out in the open at desks a few feet from the crowd and then allowed to pass through customs. Some were sent to another section of the holding area with large computer screens and cameras, and then brought back. The uninformed consensus among the detainees was that some people would be fingerprinted, have their irises scanned and be sent back to the countries from which they had disembarked, regardless of citizenship status; others would be fingerprinted and allowed to stay; and the unlucky ones would be detained indefinitely and moved to a more permanent facility. [...]

Lovely. Just lovely. It’s a good thing they’re safe from terrorists now though…

*shrug*

Meadow MP3 blog

As an example of the free and diverse nature of the internet, the MP3 blog “Meadow Music” has now launched an English version of their site, complete with free (free for real, hard links) downloads.

I previously linked to them in this post.

From Meadow Music:

There is no longer any higher authority who decides what music should be presented to the public and how. Those who write the terms of the world of music are no longer the record companies, the newspapers, the TV channels, the publishers, the radio channels or any other single participant.

Then who does?

Well, it’s you and me, all of us that listen to music, create music, sing, dance and love music. Everyone can be a part of creating the world of music we want, by ourselves or together.

And you just got to love some of the bands presented ;)

Was lagging 3 days on my WordPress upgrade and just upgraded.

Credits to WP for the new clean admin interface. Very easy to get used to.

G’night!

Hola!

Haven’t been posting for 2 months because work and other things are taking a lot of time and energy.

On the personal side, I’m now waiting for my second French bulldog from the kennel “Bullerbasius”. This one’s name is going to be Vera (a bitch) and she is from a litter of five.

Bullerbasius litter

Four weeks to go, but me and the wifey almost can’t wait. French Bulldogs are wonderful ;)

Also started helping out as a goalkeeper trainer in Tyresö Hockey (kids born 1994) and hopefully I can make a difference for them.

On the Panda front not much new (yet) but a lot of things are in motion and I’ll be posting some about this further on.

Oh yeah, btw, seems like Luis Corrons (Director of PandaLabs) stirred up some dust with this post. Seems AV-Comparatives’ Andreas Clementi got a bit mad in a blog post that has since been deleted. Comments and recap from Authentium and Kurt Wismer. I was too buried in work to even notice this little skirmish at the time though (probably for the best).

I’ll try to keep posting more frequently from now on ;)

Cheers,

.. and not much is happening.

Got my Flickr account up though. Feel free to have a look.

French Bulldog Ruby looking for her next adventure


Cheers,

…with my WordPress setup. Hence the lack of updates. Hopefully it’ll work from now on ;)

Shouldn’t blame it all on the crazy WYSIWYG editor though, as I’m also quite busy studying for my CISSP cert. Going to take the exam in 6 months so I have some reading to do.

In other news,

Symantec has discovered a malware distributor using the unpatched QuickTime RTSP vulnerability. This is a big deal, as it is very easily exploited on the client and there is no patch in sight. To mitigate the issue you might want to block certain traffic and review your browser’s security settings.

Also we are still waiting for the WPAD issue to be fixed by Microsoft, but this is not as serious as it only affects a limited number of “incorrectly configured” (maybe not the most correct description) clients.

F-Secure reported the first “Christmas greeting” malware they’ve received this year. Doesn’t seem to be a very inspiring payload, but it might evolve a bit when we get closer to the main event ;)

That’s all for this post. Cheers and have a nice Monday!

After my post mentioning the PCI DSS I got some questions like “PCI D..what?” and “What is that anyways? I’ve heard of it but never read anything about it”. Well, after reading this, you people should feel a bit enlightened. Hopefully, CISSPs and similar will not find this as new information, but you might enjoy the refresher. So, read on folks, this is gonna be a (…another) long one.

PCI DSS stands for “Payment Card Industry Data Security Standard” and it was created by the larger players in the credit card business to ensure that those little 1’s and 0’s, which usually reside on your physical magnetic-strip card, do not end up in the hands of a criminal. The first version of the standard was developed and agreed upon in late 2004 and was (and still is) intended to provide guidance on computer security related issues for organizations that transfer, store or process credit card information. The standard was revised in 2006 to make it more up-to-date and more relevant to the current situation.

The word “guidance” is used a bit freely in that description, in my opinion: if a requirement in the standard is not met by a merchant, they might lose the right to handle the kind of data described in the standard, effectively shutting down their business (this is not a bad thing, btw).

Before the PCI DSS was widely agreed upon, many of the CC companies had their own standards and recommendations regarding data security, such as CISP/AIS (Visa), SDP (MasterCard), DSOP (AmEx), I&C (Discover) and DSP (JCB). These were also the primary participants in the discussions that later led to the standard. Most of these financial actors still have their own security programs, but they have aligned them so that they all have the same objective: helping merchants become PCI DSS compliant.

The PCI Data Security Standard consists of 12 topics in 6 different categories. These are called “control objectives” and are:

  • Build and maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus software
    • Requirement 6: Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security

In order to verify whether or not the merchants/service providers are really compliant, they have to undergo self-assessments, quarterly PCI Security Scans and possibly PCI Security Audits (depending on the size and amount of sensitive information handled).

The PCI Security Scans are to be performed by an ASV (Approved Scanning Vendor) and are non-intrusive in nature. This means that the scans should not interrupt day-to-day business or cause any damage to the systems evaluated. After one of these scans the ASV compiles a report detailing the different issues found and the associated risk (you will need a CISSP for this ;) ), and also provides some guidance on how to remedy the issues. Every weakness found should also be categorised on a scale from one to five, five being the worst case scenario. The PCI DSS considers levels 3 to 5 a failure to comply and a direct danger to cardholder data. This type of scan was the topic of discussion in the webinar that I based my previous related post on.

If you are a large merchant or service provider you might also be the subject of a PCI Security Audit, which consists of a review of internal policies & documentation, internal penetration testing & security evaluation, and also interviews with selected personnel. This is done to actually verify that all guidelines in the PCI DSS have been implemented as they should.

One very interesting document regarding both types of audits was written in late 2006 by consultants from the German security company SRC. In that document (which contains a lot of good info) they listed the top 10 types of vulnerabilities found for both methods (internal/external). What’s very serious about the ones they listed is that they are very old. For example, I used one of them to compromise a network in 2002! This kind of vulnerability should not be present in any company that seriously tries to be secure, no matter the size. They are easily scanned for and can be exploited in under one minute. You can find the whole document here.

Other references on this subject:

PCI Security Standards

PCI Answers - This post was very interesting.

PCI Answers PCI Forum

PCI DSS News and Information

IT Governance PCI DSS information

Google…

That’s it for me now. If I’m mistaken about something or if someone has any questions please drop me a comment or an e-mail!

Cheers,

mailrelay:~# ping -c 4 www.icmpecho.com
PING www.icmpecho.com (88.80.5.98) 56(84) bytes of data.
64 bytes from ns.svithiod.com (88.80.5.98): icmp_seq=1 ttl=54 time=6.18 ms
64 bytes from ns.svithiod.com (88.80.5.98): icmp_seq=2 ttl=54 time=6.83 ms
64 bytes from ns.svithiod.com (88.80.5.98): icmp_seq=3 ttl=54 time=6.90 ms
64 bytes from ns.svithiod.com (88.80.5.98): icmp_seq=4 ttl=54 time=6.76 ms
--- www.icmpecho.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3013ms

In other words, the blog is finally up and kicking ;)