Daily Security News

general - Phisher-besieged PayPal directs users to faux log-in page

Thu, 20 Nov 2008 20:37:35 +0000

Error.com's missed opportunity

PayPal, the online payment service that is a major target of phishers, has been caught sending customer emails that confuse its own login page with a third-party landing site that offers spyware protection and a bevy of other products.…

general - US Army bans USB devices to contain worm

Thu, 20 Nov 2008 13:41:22 +0000

Unfriendly fire

The US Army has reportedly suspended the use of USB and removable media devices after a worm began spreading across its network.…

theory - Secret German IP Addresses Leaked

Thu, 20 Nov 2008 13:26:13 +0000

From Wikileaks: The PDF document holds a single paged scan of an internally distributed mail from German telecommunications company T-Systems (Deutsche Telekom), revealing over two dozen secret IP address ranges in use by the German intelligence service Bundesnachrichtendienst (BND). Independent evidence shows that the claim is almost certainly true and the document itself has been verified by a demand letter...

general - Cybercrooks making easy money from virtual worlds

Thu, 20 Nov 2008 12:05:34 +0000

EU agency launches campaign

Online gamers have become a soft target for cybercrime, with three in 10 users reporting the loss of items of virtual property through fraud.…

general - ACS planning to take a “leadership” role for e-security

Drazen Drazic — Thu, 20 Nov 2008 08:35:05 +0000

Just saw this on SC Magazine: ACS establishes e-security taskforce. Media release here.

I don’t know much about the ACS (have read about them but never really had any urge to join - if they’d even have me), but any initiatives if done well can only help. I am not aware of their expertise in the field of Information Security so it’ll be interesting to follow. Anyone here part of the ACS or know much about them and this new initiative?

general - Congratulations, Barack - Now fix your websites

Thu, 20 Nov 2008 01:24:03 +0000

Change? Start with security

President elect Barack Obama's embrace of online video and social networking may have propelled him to victory, but unless he's careful, his administration could be brought down by the same sloppy security problems that have plagued MySpace, Facebook, and dozens of other Web 2.0 properties.…

general - Promises, Promises

David Rice — Wed, 19 Nov 2008 23:24:49 +0000

Dennis Fisher posted an excellent article on his blog: Will Barack Obama keep his promises on cybersecurity? A highlight: [Obama's recommendations] are all points that were laid out in the National Strategy to Secure Cyber Space, the document that the Bush administration commissioned nearly six years ago. The plan was developed with the input of a long list of security experts, industry executives and academics and it had a wealth of good ideas in it, almost none of which were ever implemented. The national strategy became a punch line in the industry within days of its release, and within a...

theory - RIAA Lawsuits May Be Unconstitutional

Wed, 19 Nov 2008 19:33:11 +0000

Harvard law professor Charles Nesson is arguing, in court, that the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999 is unconstitutional: He makes the argument that the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999 is very much unconstitutional, in that its hefty fines for copyright infringement (misleadingly called "theft" in the title of the bill)...

general - Computer virus quarantines London Hospital for second day

Wed, 19 Nov 2008 15:51:36 +0000

Plucky Brits shrug off Mytob network blitz

IT staff at three major London hospitals have spent a second day struggling to restore IT systems following a major computer virus outbreak.…

general - Lame Mac Trojan limps into view

Wed, 19 Nov 2008 12:54:09 +0000

Malware targets grumble-flick fans

Security researchers have uncovered a rare example of a Trojan that affects Mac PCs.…

general - So we own your client database and everything important to you…

Drazen Drazic — Wed, 19 Nov 2008 12:23:58 +0000

Web Developer: “Just because you can do that doesn’t mean we have a major problem like you say it is. It’s just you that did it!”

SG dude: “Well more than likely, others have….we didn’t do anything fancy…”.

Web Developer: “Well nothing has ever happened so it’s just you guys!”

SG dude: “You have no logging”.

Web Developer: “We’ve never been hacked!”

What do you do? Scenario repeats every week - new developer, next website, next web app. See you then!

theory - Skein and SHA-3 News

Wed, 19 Nov 2008 12:14:48 +0000

There are two bugs in the Skein code. They are subtle and esoteric, but they're there. We have revised both the reference and optimized code -- and provided new test vectors -- on the Skein website. A revision of the paper -- Version 1.1 -- has new IVs, new test vectors, and also fixes a few typos in the paper....

general - MS kills off OneCare to introduce free security software

Wed, 19 Nov 2008 11:01:43 +0000

Pay less for Morro

Microsoft has abandoned its attempt to make money from selling anti-virus software to consumers, two years after entering the cut-throat market.…

general - Visa's digital credit card could raise legal stakes

Wed, 19 Nov 2008 10:45:55 +0000

Competitors may hop on bandwagon

Visa has introduced a computerised credit card which it hopes will help banks battle fraud. The innovation could force other card issuers and banks to implement similar technology, one data protection expert has said.…

general - Teen hacker confesses three-year crime spree

Wed, 19 Nov 2008 00:36:06 +0000

DDoS, botnets, SWAT calls, bomb threats, credit fraud...

A juvenile hacker with a reputation for stirring up trouble in online gaming groups has admitted to multiple computer felonies, including cyber attacks that overwhelmed his victims with massive amounts of data and the placing of hoax emergency phone calls that elicited visits by heavily armed police teams.…

general - Feds shutter one-stop stalker shop

Tue, 18 Nov 2008 22:16:35 +0000

'Spy on anyone from anywhere'

Federal watchdogs have shut down a website that advertised a comprehensive snooping service that included a stealthy trojan, online support, and a database that sorted and stored the confidential passwords, chat transcripts, and activities of those being stalked.…

general - Dead network provider arms Rustock botnet from the hereafter

Tue, 18 Nov 2008 20:13:40 +0000

McColo dials Russia as world sleeps

McColo, a network provider that was yanked offline following reports it enabled more than half the world's spam, briefly returned from the dead over the weekend so it could hand-off command and control channels to a new source, security researchers said.…

theory - Schneier for TSA Administrator

Tue, 18 Nov 2008 19:46:24 +0000

It's been suggested. For the record, I don't want the job. Since the election, the newspapers and Internet have been flooded with unsolicited advice for President-elect Barack Obama. I'll go ahead and add mine. [...] And by "revamp," I mean "start over." Most security experts agree that the rigmarole we go through at the airport is mere security theater, designed...

general - PC virus forces three London hospitals into computer shutdown

Tue, 18 Nov 2008 16:10:23 +0000

Too used to the other sort

Three London Hospitals shut down their computer systems on Tuesday in response to a computer virus infection.…

general - BNP membership list leaks online

Tue, 18 Nov 2008 14:31:59 +0000

Rightwingers left exposed

The British National Party has lost its membership list - the whole thing has been published online.…

general - EC slams national cybercrime responses as inadequate

Tue, 18 Nov 2008 13:30:35 +0000

Super regulator back on the agenda?

The European Commission has launched a consultation on how it can strengthen the European Union's response to computer attacks. The Commission is canvassing views ahead of a debate early next year about an EU-wide coordination of computer security.…

general - Palin webmail 'hack' trial delayed

Tue, 18 Nov 2008 13:16:04 +0000

Time-out for computer forensics

The trial of the student accused of breaking into the email account of Sarah Palin in the run-up to the US presidential election has been pushed back to next May.…

theory - The Neuroscience of Cons

Tue, 18 Nov 2008 12:32:42 +0000

Fascinating: The key to a con is not that you trust the conman, but that he shows he trusts you. Conmen ply their trade by appearing fragile or needing help, by seeming vulnerable. Because of THOMAS [The Human Oxytocin Mediated Attachment System], the human brain makes us feel good when we help others--this is the basis for attachment to family...

general - SSH sniffer attack poses minor risk

Tue, 18 Nov 2008 11:31:17 +0000

Shadow of a doubt

UK security researchers have discovered hard-to-exploit cryptographic weaknesses in the Secure Shell (SSH) remote administration protocol.…

technical - Risky Business #88 — Munir Kotadia returns and Kimberly Zenz talks McColo

ITRadio.com.au: security — Tue, 18 Nov 2008 05:03:48 +0000

This week’s edition of Risky Business is sponsored by Check Point Software Technologies and hosted, as always, by Vigabyte virtual hosting.

On this week’s show we’re taking a fresh look at “bulletproof” hosting services. Just last week a California-based hosting company, McColo, was de-peered by its upstream providers for hosting bot net command and control servers.

The result? A 65-75 percent reduction in global spam levels.

We’ll talk to iDefense Senior Threat Analyst Kimberly Zenz about the closure of McColo and what the lasting effect — if there is one — will be.

This week also sees the triumphant return of Munir Kotadia from ZDNet Australia. Munir drops in to discuss the week’s security news.

And Check Point’s Engineering Services Manager, Steve MacDonald, pops in for this week’s sponsor interview — the topic is capacity planning.

This week's edition of Risky Business is sponsored by Check Point Software Technologies and hosted, as always, by Vigabyte virtual hosting. On this week's show we're taking a fresh look at "bulletproof" hosting services. Just last week a California-based hosting company, McColo, was de-peered by its upstream providers for hosting bot net command and control servers. The result? A 65-75 percent reduction in global spam levels. We'll talk to iDefense Senior Threat Analyst Kimberly Zenz about the closure of McColo and what the lasting effect -- if there is one -- will be. This week also sees the triumphant return of Munir Kotadia from ZDNet Australia. Munir drops in to discuss the week's security news. And Check Point's Engineering Services Manager, Steve MacDonald, pops in for this week's sponsor interview -- the topic is capacity planning.

general - Feds prep gov domains for net address server swap

Tue, 18 Nov 2008 04:29:53 +0000

DNSSec rising

The US federal government is showing tangible progress as it works to meet a January deadline to implement a sweeping overhaul of its internet address servers, a move designed to harden them against attacks that could send millions of users to impostor sites run by scammers.…

general - Symantec's John Thompson to retire as CEO

Mon, 17 Nov 2008 21:49:16 +0000

Will remain chairman of the board

Symantec has announced that CEO John Thompson will retire in early April, at the end of the company's fiscal year.…

technical - Pushing the Limits of Windows: Virtual Memory

markrussinovich — Mon, 17 Nov 2008 17:41:25 +0000

In my first Pushing the Limits of Windows post, I discussed physical memory limits, including the limits imposed by licensing, implementation, and driver compatibility. This time I’m turning my attention to another fundamental resource, virtual memory. Virtual memory separates a program’s view of memory from the system’s physical memory, so an operating system decides when and if to store the program’s code and data in physical memory and when to store it in a file. The major advantage of virtual memory is that it allows more processes to execute concurrently than might otherwise fit in physical memory.

While virtual memory has limits that are related to physical memory limits, virtual memory has limits that derive from different sources and that are different depending on the consumer. For example, there are virtual memory limits that apply to individual processes that run applications, the operating system, and for the system as a whole. It's important to remember as you read this that virtual memory, as the name implies, has no direct connection with physical memory. Windows assigning the file cache a certain amount of virtual memory does not dictate how much file data it actually caches in physical memory; it can be any amount from none to more than the amount that's addressable via virtual memory.

Process Address Spaces

Each process has its own virtual memory, called an address space, into which it maps the code that it executes and the data that the code references and manipulates. A 32-bit process uses 32-bit virtual memory address pointers, which creates an absolute upper limit of 4GB (2^32) for the amount of virtual memory that a 32-bit process can address. However, so that the operating system can reference its own code and data and the code and data of the currently-executing process without changing address spaces, the operating system makes its virtual memory visible in the address space of every process. By default, 32-bit versions of Windows split the process address space evenly between the system and the active process, creating a limit of 2GB for each:

Applications might use Heap APIs, the .NET garbage collector, or the C runtime malloc library to allocate virtual memory, but under the hood all of these rely on the VirtualAlloc API. When an application runs out of address space then VirtualAlloc, and therefore the memory managers layered on top of it, return errors (represented by a NULL address). The Testlimit utility, which I wrote for the 4th Edition of Windows Internals to demonstrate various Windows limits, calls VirtualAlloc repeatedly until it gets an error when you specify the –r switch. Thus, when you run the 32-bit version of Testlimit on 32-bit Windows, it will consume the entire 2GB of its address space:

2010 MB isn’t quite 2GB, but Testlimit’s other code and data, including its executable and system DLLs, account for the difference. You can see the total amount of address space it’s consumed by looking at its Virtual Size in Process Explorer:

Some applications, like SQL Server and Active Directory, manage large data structures and perform better the more that they can load into their address space at the same time. Windows NT 4 SP3 therefore introduced a boot option, /3GB, that gives a process 3GB of its 4GB address space by reducing the size of the system address space to 1GB, and Windows XP and Windows Server 2003 introduced the /userva option that moves the split anywhere between 2GB and 3GB:

To take advantage of the address space above the 2GB line, however, a process must have the ‘large address space aware’ flag set in its executable image. Access to the additional virtual memory is opt-in because some applications have assumed that they’d be given at most 2GB of the address space. Since the high bit of a pointer referencing an address below 2GB is always zero, they would use the high bit in their pointers as a flag for their own data, clearing it of course before referencing the data. If they ran with a 3GB address space they would inadvertently truncate pointers that have values greater than 2GB, causing program errors including possible data corruption.

All Microsoft server products and data intensive executables in Windows are marked with the large address space awareness flag, including Chkdsk.exe, Lsass.exe (which hosts Active Directory services on a domain controller), Smss.exe (the session manager), and Esentutl.exe (the Active Directory Jet database repair tool). You can see whether an image has the flag with the Dumpbin utility, which comes with Visual Studio:

Testlimit is also marked large-address aware, so if you run it with the –m switch when booted with the 3GB of user address space, you’ll see something like this:

Because the address space on 64-bit Windows is much larger than 4GB, something I’ll describe shortly, Windows can give 32-bit processes the maximum 4GB that they can address and use the rest for the operating system’s virtual memory. If you run Testlimit on 64-bit Windows, you’ll see it consume the entire 32-bit addressable address space:

64-bit processes use 64-bit pointers, so their theoretical maximum address space is 16 exabytes (2^64). However, Windows doesn’t divide the address space evenly between the active process and the system, but instead defines a region in the address space for the process and others for various system memory resources, like system page table entries (PTEs), the file cache, and paged and non-paged pools.

The size of the process address space is different on IA64 and x64 versions of Windows where the sizes were chosen by balancing what applications need against the memory costs of the overhead (page table pages and translation lookaside buffer - TLB - entries) needed to support the address space. On x64, that’s 8192GB (8TB) and on IA64 it’s 7168GB (7TB - the 1TB difference from x64 comes from the fact that the top level page directory on IA64 reserves slots for Wow64 mappings). On both IA64 and x64 versions of Windows, the size of the various resource address space regions is 128GB (e.g. non-paged pool is assigned 128GB of the address space), with the exception of the file cache, which is assigned 1TB. The address space of a 64-bit process therefore looks something like this:

The figure isn’t drawn to scale, because even 8TB, much less 128GB, would be a small sliver. Suffice it to say that like our universe, there’s a lot of emptiness in the address space of a 64-bit process.

When you run the 64-bit version of Testlimit (Testlimit64) on 64-bit Windows with the –r switch, you’ll see it consume 8TB, which is the size of the part of the address space it can manage:

Committed Memory

Testlimit’s –r switch has it reserve virtual memory, but not actually commit it. Reserved virtual memory can’t actually store data or code, but applications sometimes use a reservation to create a large block of virtual memory and then commit it as needed to ensure that the committed memory is contiguous in the address space. When a process commits a region of virtual memory, the operating system guarantees that it can maintain all the data the process stores in the memory either in physical memory or on disk. That means that a process can run up against another limit: the commit limit.

As you’d expect from the description of the commit guarantee, the commit limit is the sum of physical memory and the sizes of the paging files. In reality, not quite all of physical memory counts toward the commit limit since the operating system reserves part of physical memory for its own use. The amount of committed virtual memory for all the active processes, called the current commit charge, cannot exceed the system commit limit. When the commit limit is reached, virtual allocations that commit memory fail. That means that even a standard 32-bit process may get virtual memory allocation failures before it hits the 2GB address space limit.

The current commit charge and commit limit is tracked by Process Explorer in its System Information window in Commit Charge section and in the Commit History bar chart and graph:

Task Manager prior to Vista and Windows Server 2008 shows the current commit charge and limit similarly, but calls the current commit charge "PF Usage" in its graph:

On Vista and Server 2008, Task Manager doesn't show the commit charge graph and labels the current commit charge and limit values with "Page File" (despite the fact that they will be non-zero values even if you have no paging file):

You can stress the commit limit by running Testlimit with the -m switch, which directs it to allocate committed memory. The 32-bit version of Testlimit may or may not hit its address space limit before hitting the commit limit, depending on the size of physical memory, the size of the paging files and the current commit charge when you run it. If you're running 32-bit Windows and want to see how the system behaves when you hit the commit limit, simply run multiple instances of Testlimit until one hits the commit limit before exhausting its address space.

Note that, by default, the paging file is configured to grow, which means that the commit limit will grow when the commit charge nears it. And even when when the paging file hits its maximum size, Windows is holding back some memory and its internal tuning, as well as that of applications that cache data, might free up more. Testlimit anticipates this and when it reaches the commit limit, it sleeps for a few seconds and then tries to allocate more memory, repeating this indefinitely until you terminate it.

If you run the 64-bit version of Testlimit, it will almost certainly will hit the commit limit before exhausting its address space, unless physical memory and the paging files sum to more than 8TB, which as described previously is the size of the 64-bit application-accessible address space. Here's the partial output of the 64-bit Testlimit running on my 8GB system (I specified an allocation size of 100MB to make it leak more quickly):

And here's the commit history graph with steps when Testlimit paused to allow the paging file to grow:

When system virtual memory runs low, applications may fail and you might get strange error messages when attempting routine operations. In most cases, though, Windows will be able present you the low-memory resolution dialog, like it did for me when I ran this test:

After you exit Testlimit, the commit limit will likely drop again when the memory manager truncates the tail of the paging file that it created to accommodate Testlimit's extreme commit requests. Here, Process Explorer shows that the current limit is well below the peak that was achieved when Testlimit was running:

Process Committed Memory

Because the commit limit is a global resource whose consumption can lead to poor performance, application failures and even system failure, a natural question is 'how much are processes contributing the commit charge'? To answer that question accurately, you need to understand the different types of virtual memory that an application can allocate.

Not all the virtual memory that a process allocates counts toward the commit limit. As you've seen, reserved virtual memory doesn't. Virtual memory that represents a file on disk, called a file mapping view, also doesn't count toward the limit unless the application asks for copy-on-write semantics, because Windows can discard any data associated with the view from physical memory and then retrieve it from the file. The virtual memory in Testlimit's address space where its executable and system DLL images are mapped therefore don't count toward the commit limit. There are two types of process virtual memory that do count toward the commit limit: private and pagefile-backed.

Private virtual memory is the kind that underlies the garbage collector heap, native heap and language allocators. It's called private because by definition it can't be shared between processes. For that reason, it's easy to attribute to a process and Windows tracks its usage with the Private Bytes performance counter. Process Explorer displays a process private bytes usage in the Private Bytes column, in the Virtual Memory section of the Performance page of the process properties dialog, and displays it in graphical form on the Performance Graph page of the process properties dialog. Here's what Testlimit64 looked like when it hit the commit limit:

Pagefile-backed virtual memory is harder to attribute, because it can be shared between processes. In fact, there's no process-specific counter you can look at to see how much a process has allocated or is referencing. When you run Testlimit with the -s switch, it allocates pagefile-backed virtual memory until it hits the commit limit, but even after consuming over 29GB of commit, the virtual memory statistics for the process don't provide any indication that it's the one responsible:

For that reason, I added the -l switch to Handle a while ago. A process must open a pagefile-backed virtual memory object, called a section, for it to create a mapping of pagefile-backed virtual memory in its address space. While Windows preserves existing virtual memory even if an application closes the handle to the section that it was made from, most applications keep the handle open. The -l switch prints the size of the allocation for pagefile-backed sections that processes have open. Here's partial output for the handles open by Testlimit after it has run with the -s switch:

You can see that Testlimit is allocating pagefile-backed memory in 1MB blocks and if you summed the size of all the sections it had opened, you'd see that it was at least one of the processes contributing large amounts to the commit charge.

How Big Should I Make the Paging File?

Perhaps one of the most commonly asked questions related to virtual memory is, how big should I make the paging file? There’s no end of ridiculous advice out on the web and in the newsstand magazines that cover Windows, and even Microsoft has published misleading recommendations. Almost all the suggestions are based on multiplying RAM size by some factor, with common values being 1.2, 1.5 and 2. Now that you understand the role that the paging file plays in defining a system’s commit limit and how processes contribute to the commit charge, you’re well positioned to see how useless such formulas truly are.

Since the commit limit sets an upper bound on how much private and pagefile-backed virtual memory can be allocated concurrently by running processes, the only way to reasonably size the paging file is to know the maximum total commit charge for the programs you like to have running at the same time. If the commit limit is smaller than that number, your programs won’t be able to allocate the virtual memory they want and will fail to run properly.

So how do you know how much commit charge your workloads require? You might have noticed in the screenshots that Windows tracks that number and Process Explorer shows it: Peak Commit Charge. To optimally size your paging file you should start all the applications you run at the same time, load typical data sets, and then note the commit charge peak (or look at this value after a period of time where you know maximum load was attained). Set the paging file minimum to be that value minus the amount of RAM in your system (if the value is negative, pick a minimum size to permit the kind of crash dump you are configured for). If you want to have some breathing room for potentially large commit demands, set the maximum to double that number.

Some feel having no paging file results in better performance, but in general, having a paging file means Windows can write pages on the modified list (which represent pages that aren’t being accessed actively but have not been saved to disk) out to the paging file, thus making that memory available for more useful purposes (processes or file cache). So while there may be some workloads that perform better with no paging file, in general having one will mean more usable memory being available to the system (never mind that Windows won’t be able to write kernel crash dumps without a paging file sized large enough to hold them).

Paging file configuration is in the System properties, which you can get to by typing “sysdm.cpl” into the Run dialog, clicking on the Advanced tab, clicking on the Performance Options button, clicking on the Advanced tab (this is really advanced), and then clicking on the Change button:

You’ll notice that the default configuration is for Windows to automatically manage the page file size. When that option is set on Windows XP and Server 2003, Windows creates a single paging file that’s minimum size is 1.5 times RAM if RAM is less than 1GB, and RAM if it's greater than 1GB, and that has a maximum size that's three times RAM. On Windows Vista and Server 2008, the minimum is intended to be large enough to hold a kernel-memory crash dump and is RAM plus 300MB or 1GB, whichever is larger. The maximum is either three times the size of RAM or 4GB, whichever is larger. That explains why the peak commit on my 8GB 64-bit system that’s visible in one of the screenshots is 32GB. I guess whoever wrote that code got their guidance from one of those magazines I mentioned!

A couple of final limits related to virtual memory are the maximum size and number of paging files supported by Windows. 32-bit Windows has a maximum paging file size of 16TB (4GB if you for some reason run in non-PAE mode) and 64-bit Windows can having paging files that are up to 16TB in size on x64 and 32TB on IA64. For all versions, Windows supports up to 16 paging files, where each must be on a separate volume.

general - Cybercrooks launch DDoS assault on anti-fraud site

Mon, 17 Nov 2008 16:37:08 +0000

Backhanded compliment

Updated Unidentified miscreants have launched a denial of service attack on a UK-based anti-fraud website.…

general - MS explains 7-year patch delay

Mon, 17 Nov 2008 15:02:59 +0000

Legacy networking problem cure as bad as disease

Microsoft has explained why it took seven years to patch a known vulnerability. Fixing the bug earlier would have taken out network applications and potential exploits alike, it explained.…

general - Agile fraudsters prey on clueless UK surfers

Mon, 17 Nov 2008 11:14:35 +0000

Get Safe Online week aims to curtail easy pickings

British attitudes to online safety remain patchy at best, leaving surfers vulnerable to scammers who typically empty funds from compromised accounts before moving onto the next victim.…

theory - Most Spam Came from a Single Web Hosting Firm

Mon, 17 Nov 2008 11:11:07 +0000

Really: Experts say the precipitous drop-off in spam comes from Internet providers unplugging McColo Corp., a hosting provider in Northern California that was the home base for machines responsible for coordinating the sending of roughly 75 percent of all spam each day. Certainly this won't last: Bhandari said he expects the spam volume to recover to normal levels in about...

general - PCI DSS Compliance Projects - The road to nowhere….

Drazen Drazic — Mon, 17 Nov 2008 08:40:09 +0000

It’s getting to that time of year where we are seeing an influx of PCI business and a constant stream of phone calls and emails from organisations who are only now either hearing about it or have realised that they’ve dropped the ball on it and their compliance deadlines are only a few months away.

The majority of the people we talk with for the first time are shocked to say the least when we explain how tough compliance is going to be if you’re starting from a base of pretty much nothing. (As an aside, this highlights how bad business IT security practices have been all along - across all sectors and all sizes of business). Bottom line is that any business who has had good security practices in place should find PCI DSS compliance relatively not that daunting, as there is not much in the standard itself that is not just plain good ol’ security practice. Why many are under the misconception that the PCI DSS is some radical set of requirements imposed upon poor businesses is still beyond me!

This is what we try to explain to organisations that we talk with for the first time. I acknowledge that for most, the concepts of basic security practices and controls are new to them - that is why it [PCI DSS] is a struggle. If anything, PCI DSS has demonstrated that across the world, very few organisations have ever taken security seriously. It’s rare when see an organisation that blows us away with what they have been doing! Interesting posts here on the PCI Discussion Forum.

So back to the post topic: PCI DSS Compliance Projects - The road to nowhere….

The number 1 biggest issue that we see when it comes to PCI DSS compliance projects, regardless of company size is that they are still seen as IT Security projects - generally delegated to the IT Security Manager to “fix”! And here’s where the games begin, to the detriment of everyone involved - major waste of time, resources and money as every step is a battle. Some of the responses I and others have posted cover much of this so I won’t repeat everything here.

End of the day, if the PCI DSS compliance project in your organisation is run as an IT Security or IT project, it ain’t going to get very far quickly, and in many cases, an organisation will be years down the track and still nowhere near compliance. It’s not that skilled people aren’t able to comprehend what needs to be done - far from it. It’s just that these people don’t have the support of the business and senior business management to get things done. Let me repeat - if the business and senior business management (up to the CEO in some cases) are not involved and actively supporting the project(s), almost EVERY PCI DSS compliance project is going to fail and it’s going to fail over many years - work out the costs of that?! Is that how other major business and IT projects are run? You’d like to think, of course they are not!

So here’s the tip if you’re an IT Security Manager or IT Manager who’s been “dumped” this on your desk. Tell the business:

1. Unless this becomes a “business” project and not an “IT” project, it’s not going to work.
2. Unless the business actively supports this project, with business management being actively involved in all phases of the work, it’s not going to work.
3. Unless the business heeds the advise of the previous 2 points, expect many years of pain, waste of resources, money and staff morale going downhill. Don’t expect to be PCI DSS compliant even then!

At this years AISA Annual Seminar day, we’re going to deliver a different PCI DSS presentation. (Most cover the same old stuff (yawn….). We’re (well Declan) at least is going to look at many of these issues, present case studies and look at areas that many may not be considering. If you’re an AISA member, come along!

Related posts - some relevant, some less so:
http://beastorbuddha.com/category/pci/

One of the better PCI sites that you should consider on your essential reading list is:
http://pcianswers.com/

One last thing to add quickly, spending a lot of money on QSAs and expecting them to magically get you sorted in quick time is also a big mistake. We QSAs can help greatly and do, but end of the day, we’re also hamstrung by the same issues I have raised above BUT, good QSAs though should be able to work with you to help your business understand these critical success factors. Choose your QSAs wisely. It’s not hard to become a QSA organisation but there are very few good ones. Quick Securus Global plug:
http://www.securusglobal.com/services/pcicompliance.html

Do give us a call even if it is just for a chat about your situation.

Anyway, this is not a Securus Global ad, do consider the points raised above as from our experience, this is why after so many years, PCI DSS compliance is still considered a long tunnel with no light at the end of it. PCI DSS has copped a lot of crap but as I said, it’s nothing more than basic good security practice. It’s not perfect and we all know that, but it’s probably the best driver of good security practice globally we’ve ever had! Keen on your thoughts.

technical - A good protocol attack ...

halvar.flake (noreply@blogger.com) — Sat, 15 Nov 2008 08:58:09 +0000

... is like a good joke. This one, while requiring special circumstances to succeed with high probability, was responsible for a lot of laughter on my side.

business - PCI search terms and their meaning

Michael Dahn — Sat, 15 Nov 2008 05:29:06 +0000

From time to time I check out the search terms that bring people to this blog. Instead of just posting them, I’m going to do a little interpretation of what they might mean about the individual.

“not pci compliant” - Concerned merchant that has just been notified they need to get P-C-I compliant. Could also be a service provider whose clients say they will not work with them due to them being “not pci compliant.”
“site:pcianswers.com segmentation” - Network administrator that is trying to reduce the scope of compliance. They are targeted and want to get right to the point, while having someone define for them what “sufficient segmentation” really means.
“pci compliance fines” - CFO or business analyst trying to create a business case analysis for why their company should get PCI compliant. See also: “not pci compliant”
“cpism certification” - Individual looking to advance their career, gain prestige, or increase the letters on their business card. Also, person who is going toe-to-toe with a QSA and wants to improve their payment industry knowledge.
“27001 vs pci” - European or Asia-Pacific compliance manager who is trying to better understand PCI through the eyes of ISO 27001.
“atm skimmer icq” - ‘Carder’ or computer cracker interested in the illegal sale and distribution of credit card data. Sorry, you won’t find that here!

So I suppose this web site is for all types. We always hope to provide globally relevant data on the payment-card industry. We do the research so you don’t have to.

general - Online identity card scheme aims to remove password headaches

Sat, 15 Nov 2008 00:24:33 +0000

Can Equifax succeed where OpenID failed?

Credit reference agency Equifax has launched an online identity card scheme that aims to reduce consumer security and password headaches.…

general - Judge: No cryptographic hash analysis without warrant

Sat, 15 Nov 2008 00:08:04 +0000

It's a search

In a case that could have important implications for law enforcement investigations throughout the US, a federal judge has ruled that the cryptographic fingerprinting of suspects' hard drives constitutes a search for purposes of the Constitution.…

theory - Friday Squid Blogging: Vintage Squid Can Labels

Fri, 14 Nov 2008 22:41:29 +0000

Mostly sardines, but some squid....

general - Still sending naked email? Get your protection here

Fri, 14 Nov 2008 20:22:45 +0000

Buckle your seatbelt, encrypt your bits

Security How-to In this age of brazen, warrantless wiretaps and never-ending data breaches, you'd think email encryption would be considered de rigueur. Alas, even among the digerati it's rarely given the time of day because encryption is seen as an exotic undertaking that brings more hassle than benefit.…

theory - Datamation Interview

Fri, 14 Nov 2008 18:52:20 +0000

Interview with me from Datamation....