Everyone is on the WAF bandwagon!!!……WTF?

July 5th, 2008 Drazen Drazic

I can’t believe the number of security “specialists” (many well known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PCI DSS requirement 6.6! Where were they before this???? All heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!

If your favourite blogger perchance is all of a sudden lately a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (talking to industry dudes, cred may already be gone). Were they 12 months ago pushing the same message? Are they now a QSA (not that that matters so much but may ride on PCI DSS 6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Firewalls, IDS, PCI, PCI DSS, To cool, Vulnerability Management, WTF, Web Application Security, cyber crime | 7 Comments »

PCI DSS 6.6 - Getting on the comment bandwagon……

June 24th, 2008 Drazen Drazic

This one’s had quite a bit of press time, and discussion around the blogs recently - moreso as the deadline has approached. In Australia, it’s been relatively quiet in comparison to the US though. I think the fact that compliance across the board here is a way behind the US has a lot to do with that, with many organisations here still either unaware of their responsibilities or far off from being compliant.

Is all the publicity and debate around PCI DSS requirement 6.6 a bit of a storm in a teacup? I think so. I’ll put the case forward also that if you are compliant with the PCI DSS now, the new requirement 6.6 is superfluous:


Posted in PCI, PCI DSS, Vulnerability Management, Web Application Security | 1 Comment »

More on not logging - “Reverse Compliance”

May 8th, 2008 Drazen Drazic

Declan’s recent post on logging being a double edged sword started some interesting discussion. Anton Chuvakin follows-up further on his blog and writes:

“Reverse compliance” is a motivation to purposefully avoid technologies that have a chance of telling you that you are NOT in compliance. Sadly, logging is featured very high on the list of such technologies that a) tell you about all the problems with your compliance posture (e.g. direct violations of regulatory requirements, lack of controls, inefficient controls, policies not followed, etc) as well as b) are mandated by various regulations (e.g. PCI DSS) and c) actively used by auditors for finding compliance issues.

Read the rest of Anton’s post.

Posted in Disclosure Laws, Forensics, PCI, PCI DSS, Risk Management, cyber crime, governance | 3 Comments »

My update with the PCI Security Standards Council….

April 30th, 2008 Drazen Drazic

The following is an enormous bitch about the PCI Security Standards Council. If you are sick of hearing about PCI DSS or reading about it from me, hit the “back” key now.

Securus Global/DD is industry focused so if this means I lose business because I piss off the PCI SSC, so be it! They’ve already cost me business because of how they operate. Before I rant, let me start with this from a couple of weeks ago; my last rant about them. Interesting responses! Also thought it was finally getting better at the end. Little did I know…….

Now for the latest in Fawlty Towers operations:


Posted in Bad Stuff, Dumb Security, PCI, PCI DSS | 6 Comments »

Logs - A double-edged sword? Beating PCI Fines by bad security practices?

April 23rd, 2008 Drazen Drazic

By Declan Ingram

PCI clearly states in requirement 10: “Track and monitor all access to network resources and cardholder data.” And rightly so. It goes on to say “Determining the cause of a compromise is very difficult without system activity logs.”

It certainly is. In fact, for nearly all attacks where card data is at stake, it can border on impossible. Enterprise log management is hard. It is expensive, and there are few organisations that do it well. Not only that, but the organisations that do it well are also much more likely to have their general state of security much higher - meaning that (all things being equal) they are less likely to suffer a breach in the first place.

Posted in Industry Specialists Talk, PCI, PCI DSS, cyber crime | 7 Comments »

Security People vs. Security Vendors

April 15th, 2008 Drazen Drazic

Maybe I should be nicer and say Security People vs. Security Vendor Sales guys. Two different worlds as we’ve talked about before and as we had a laugh about here with the Symantec Guarantee.

Security product sales guys can be dangerous to an organisation that takes on trust these products are going to be their security salvation. Remember this one? Happy to send the press release out but when actually questioned by Michael Crawford……no response! I got a nice wrap for this from Marcus Ranum and the boys at SANS at the time.


Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Web Application Security | 4 Comments »

We’re too important to bother with PCI DSS compliance…we make the banks too much money!

April 8th, 2008 Drazen Drazic

I now need more than 2 hands to count the number of times an organisation has told me that they make too much money for the banks to have PCI DSS compliance forced upon them. It doesn’t matter what you say or what case studies you provide (e.g. TJX and the millions it has cost them), it just does not hit home. They believe their size means they don’t have to play by the rules. As covered previously here.

Maybe it’s an Australian thing and they’re just not aware of what is happening elsewhere in the world. You never wish bad upon someone, but you sometimes do think; “yeah….why don’t you just keep testing your theory….let’s see how nice the bank and PCI will be if/when something happens”. (Does that make me a bad person?) :-)

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, cyber crime | 3 Comments »

PCI Security Standards Council….Good Job….?

April 6th, 2008 Drazen Drazic

The following is my bitch about the PCI Security Standards Council.

“Hey..WTF?”, you may say, “Draz, you have been a huge supporter of PCI DSS for a long time!…We always see you in the press being quoted on the positives of PCI DSS and we read stuff in Beast or Buddha all the time about your positive thoughts on it!”…..Yeah, I have been, but my patience/interest with the “governing” body is in some serious problems! Where do I start…no particular order:


Posted in PCI, PCI DSS, WTF | 10 Comments »

Auditing for security - not just for compliance

March 31st, 2008 Drazen Drazic

It used to be a standout and bold new statement; “Compliance vs. Security - one goes one way and the other goes the other way and rarely the two meet - as they should!” People would think about it and go; “Yeah….wow…that is so true now that I think about it!”. How times change and this has now almost become accepted as fact?!

PCI DSS compliance is somewhat heading down this path. I am hesitant to say it is totally but the indications are not good. Given recent news about Hannaford and ongoing news about TJX and other breaches plus things we see in the industry ourselves, I thought it might be good to re-hash this one:

http://beastorbuddha.com/2007/09/05/pci-choosing-your-auditors-carefullypart-ii/

Posted in Bad Stuff, PCI, PCI DSS, Risk Management, cyber crime | No Comments »

Oops….another big one…..

March 18th, 2008 Drazen Drazic

Everyone is reporting it now but here’s one feature from the SMH. You gotta love the spin put on the announcement:

http://www.hannaford.com/Contents/News_Events/News/News.shtml

Somehow they make the following sound like it’s not too bad at all! Good luck guys:


Posted in Bad Stuff, Disclosure Laws, PCI, PCI DSS, Vulnerability Management, Web Application Security, cyber crime | 11 Comments »

How tough will the Payment Card Industry and Acquiring Banks be on continued non-compliance with the PCI DSS?

March 3rd, 2008 Drazen Drazic

In 2008, PCI DSS finally seems to have some good traction (in Australia and New Zealand at least). Most organisations that should be compliant are now aware of the requirements imposed upon them - many still though are at the early stages. Compliance levels in terms of percentage of compliant organisations are still low from what we see but progress is being made - albeit slowly.

But, there are some organisations who are not budging and have decided that they will not be doing it. They have stated they see no business value in it, with costs of compliance not being worth their investment. As a rule, these organisations have been large companies who believe their value to the acquiring bank gives them the right to say no. (Under threat of taking business elsewhere should the bank push the point).


Posted in PCI, PCI DSS, governance | 6 Comments »

straxd on Group Psychology, IT Security and PCI…..

February 20th, 2008 Drazen Drazic

From straxd - an unassuming dark horse

I have always had a bit of a fascination with the concept of group psychology. It’s at the same time the most evil and the most successful marketing tactic that a company can launch.

Take De Beers’ creation of the diamond industry as an example. By giving the right general impression the entire psyche of society can change (and the diamond cartel made billions as a result). Coke has converted a version of caffeinated carbonated sugar water into a drink pretty much everyone has every day. The records and movie industries have converted copyright infringement into theft, and created the previously alien idea that artists would stop creating new art if they weren’t millionaires.


Posted in Bad Stuff, Industry Specialists Talk, PCI, PCI DSS, Risk Management, cyber crime | 8 Comments »

Hacker Safe - ScanAlert….only a matter of time…how funny is this?

January 12th, 2008 Drazen Drazic

ScanAlert recently were sold to McAfee as I posted here a while ago. Good luck to them! But seriously, running a basic VA test and selling that as a full blown website security review/solution was always a bit of BS! Marketing over actual ability yet companies get duped! How smart is this Geeks mob to think a logo on their website and a basic VA meant they were secure?!

Check out this story about Geeks.com being hacked and have a look at the “Hacker Safe” logo on the site! LOL


Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Vulnerability Management, Web Application Security, cyber crime | 9 Comments »

You no longer even have to sign Credit Card purchases……when you are there!

December 14th, 2007 Drazen Drazic

In recent times, we’ve had proud announcements from some banks that you will no longer even have to sign for purchases on your credit cards. Just swipe it and that will be it!

I know at places like Sydney Airport carpark, amongst many, as long as you hold a card, you’re sweet! Swipe and Go!

Are we going backwards or what?

Some banks even in the last 2 weeks here are marketing “smart card” (yeah right) technology and promoting the ease of how good this is…so simple for the consumer……swipe and go! These are not pre-paid cards……these are credit and debit cards!

So let me get this right? You give us a credit card…we decide to purchase something…..we swipe it…..the cashier acknowledges there are funds and we move on?! WTF?!

We work with PCI DSS on the backend and on the other side we have this? It’s not normal!

Carl G passed me this some time ago…..well worth a read and laugh…..Makes it all irrelevant doesn’t it:

http://www.zug.com/daily/journal/archive/2002_05_05_index.html

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Risk Management, WTF, cyber crime | 3 Comments »

Lessons to be learned from weak security practices…..

December 1st, 2007 Drazen Drazic

The great case study in what can go wrong (TJX) continues as reported in TechNewsWorld, but are lessons being learned from this? I asked this question a while ago and the answer probably has not changed.

At the recent AISA Seminar day in Sydney, PCI DSS compliance was a big talking point and a presentation from “Sense of Security” covered the state of the industry in Australia. While the IT security community talks about it though, the feeling from the major players (PCI, Banks and IT Security people) is that there is a long way to go. There is progress….but it’s slow…really slow! Australia is reported as being a leader in Asia Pacific. Gees, how bad is everyone else in the region?!

Every step forward is a battle; PCI to the Banks. Banks to their own Account Managers. Account Managers to vendors and service providers. Security Managers to the business stakeholders. Why is the loop so large? Why isn’t the link to the CEO/CFO direct? Make sense? I ranted around this topic on ITSecurityLink and put the case for quicker progress out there but as usual, we (IT security people) are a very insular community in some respects - viewed from the inside and unfortunately from the outside.

2008 is now supposed to be THE year but we said that for 2006 and 2007 in regards to PCI. Are we then taking further steps away from what the core issues are that we are trying to address? Compliance vs. Security - heading in two different directions? (A topic also covered at the AISA day by Nick Ellsmore from SIFT - best presentation of the day).

Related posts: http://beastorbuddha.com/category/pci-dss/

Posted in Bad Stuff, PCI, PCI DSS, Risk Management, cyber crime, governance | No Comments »

Interesting Paper on e-Crime

November 16th, 2007 Drazen Drazic

“An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants” is produced by Jason Franklin (CMU), Adrian Perrig (CMU), Vern Paxson (ICSI) and Stefan Savage (UCSD).

This is a good read on many levels. Take the findings and information presented how you will, but it can’t be denied that this is happening. This is one of the more detailed research reports I have seen.

Paper Abstract:
“This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from “hacking for fun” to “hacking for profit” has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.”

Thanks to Donal for passing this one through to me.

Posted in Bad Stuff, PCI, PCI DSS, Research, cyber crime | 1 Comment »

TJX saga continued….it just seems to get worse

October 25th, 2007 Drazen Drazic

It should almost be time to give this TJX saga its own category here. Just as we think it’s quieting down, the story unfolds further. See The Register; TJX breach was twice as big as admitted, bank says. Can there be a better case study for poor security management consequences?

But, are other organisations learning from the TJX experience? The answer is probably only a small percentage are. We see it every day.

Another PCI compliance deadline passed here in this region recently. I’ll put it out there and say that of all the organisations that must be compliant with the PCI DSS, I would be surprised if more than 5% are! Happy to be proven wrong but I just don’t think it’s the case.

So who’s pushing the rest of the business community that doesn’t come under PCI DSS compliance obligations?

Related Links:
Risky Business 35 (Patrick Gray talks PCI with Verizon Consultant)
Beast or Buddha PCI Archive

Posted in Bad Stuff, Disclosure Laws, Dumb Security, PCI, PCI DSS, cyber crime, governance | No Comments »

PCI - Retailers and the Storage of Credit Card Information

October 22nd, 2007 Drazen Drazic

The following is well worth a read if you are involved with PCI compliance within your organisation. Thanks to our PCI specialist, Fatemah Beydoun for the heads up and links.

The National Retail Federation recently sent a letter of concern to the PCI Security Standards Council discussing the storage of credit card information. This has drawn a lot of discussion across PCI related and other IT security sites. Some good points and interesting debate:

http://pcianswers.com/2007/10/11/retailers-do-not-need-to-store-credit-card-data/
http://www.schneier.com/blog/archives/2007/10/merchants_not_s.html

Posted in Disclosure Laws, PCI, PCI DSS, cyber crime | 1 Comment »

Arnie gets involved….

October 16th, 2007 Drazen Drazic

From California:

http://www.theregister.co.uk/2007/10/16/schwarzenegger_vetoes_data_bill/

The discussions that we see around data security are a positive step. More than lip service like we see in Australia in most cases.

Posted in Disclosure Laws, PCI, PCI DSS, cyber crime, governance | No Comments »

TJX - trying to settle things down….

September 25th, 2007 Drazen Drazic

It will be interesting to see if this attempt to settle is the end of the TJX saga. Somehow I think not but who knows.

And, for “All Customers”, the following:

“TJX will hold a future, three-day Customer Appreciation special event in which prices at all T.J. Maxx, Marshalls, HomeGoods, A.J. Wright stores in the U.S. and Puerto Rico and all Winners and HomeSense stores in Canada will be reduced by 15%.”

I’m serious….have a read through the link……you couldn’t make this stuff up!

Posted in Disclosure Laws, PCI DSS, Research, Vulnerability Management, cyber crime | 3 Comments »