
January 30, 2008

Darn those crafty Cybercrooks!

USA Today had an interesting article on Monday detailing how cybercrooks are getting craftier (is that a word? more crafty? more craftierest?) with the scams designed to trick people into parting with personal information. A couple of the attacks listed include:

  • Email greeting cards that give intruders control of your router (specifically a popular router in Mexico).
  • Turn-key phishing kits with everything needed to create bogus bank websites.
  • Click fraud targeting small e-commerce sites to drive up fake ad revenues for crooks.

And here's someone else with too much time on their hands (thanks Springtown!)!

January 29, 2008

More Utility Hacking

As a follow-up to the last article, here's a pretty interesting story about a teenager in Poland who figured out a way to control how trains change tracks. He didn't hack in through the internet, or through some rogue access point at a station. He used a TV remote.

Between this and the Boeing 787 Dreamliner's issues, I wonder if this will force companies to take a hard look at the software they use to drive their products.

January 25, 2008

Hacking Utilities?

This week, Bruce Schneier blogged about the CIA's disclosure of hacking incidents at public utilities. I've been wary of utilities ever since I learned about SCADA systems and their security implications. I've heard of consultants armed with a copy of Nmap accidentally shutting down large SCADA networks simply because of their age & lack of security.

What is scary is that we have come across companies that rely on SCADA systems in their factories or assembly areas and are also subject to PCI.

Eek!

The good news is that with careful planning and a good network segmentation strategy much of the impact can be reduced.

January 23, 2008

New battery restrictions got you down?

After getting an extended battery for my laptop (yaay! Less whipping out the iGo for power on the plane!), I am wondering if anyone has had problems with the new TSA Battery Guidelines. My battery is well below any proposed limit, and I rarely check bags (thank YOU London Airports!), but it seems any time a new TSA regulation is put into place there can be some difference in interpretation.

What say you?

January 07, 2008

Secure hashing of PAN requires salt

In Mike Dahn's PCI Answers blog, a post was made over the break about the secure hashing of PANs.

As this blogger has said on many occasions before, hashing is a double-edged sword.

Theoretically, you could create a hash that is as secure as ciphertext from an encryption algorithm. If you used a 10 kilobit salt (effectively the key) plus the PAN, you would have something quite secure and would not run into issues with collisions. The problem is that you cannot change your keys without retaining the original PAN. If you did change your key, new hashes of the same PAN would not match the old hashes.

Perhaps the biggest issue is that people treat hashes differently than they do ciphertext. Hashes are seen as "non-real values that cannot be reversed." Unfortunately, you can subvert the complex math by building rainbow tables. Something we don't see is symmetrically encrypted values thrown around an organization in the same manner. Why? Just attitudes about treating certain data in certain ways, I think.

If you could solve the key change issue, plus keep hashed values as tightly controlled as you would ciphertext, then maybe we can make an apples-to-apples comparison.
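To make the two points above concrete, here is a small added example (my own illustration, not code from Mike Dahn's post or from any PCI tooling). It assumes a 16-digit PAN laid out as a 6-digit BIN, a 9-digit account number and a Luhn check digit, which is why the candidate space behind a known BIN is small enough to tabulate: a plain SHA-256 of the PAN can be reversed by lookup, while an HMAC with a secret key (the post's "salt, effectively the key") cannot be reversed by anyone without that key. The same code then shows the key-change problem: once the key is rotated, the old digest of a PAN no longer matches the new one, and nothing in the old digest lets you produce the new one without the PAN itself. The PANs and keys are constructed test values.

```python
import hashlib
import hmac


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a PAN that is missing its last digit."""
    total = 0
    # Walk from the right; the rightmost digit of the partial PAN is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def candidate_pans(bin6: str, account_range: range) -> list[str]:
    """Enumerate Luhn-valid 16-digit PANs sharing one BIN (constructed test numbers).

    Only the 9-digit account field varies, so the whole space behind a BIN is
    about a billion values: cheap to precompute against an unsalted hash."""
    pans = []
    for n in account_range:
        partial = bin6 + f"{n:09d}"
        pans.append(partial + luhn_check_digit(partial))
    return pans


def unsalted_hash(pan: str) -> str:
    """The weak scheme: a bare hash of the PAN, identical for everyone who computes it."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """The post's 'salt as key' scheme, expressed as an HMAC under a secret key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def build_lookup(pans: list[str], hash_fn) -> dict[str, str]:
    """Precompute digest -> PAN for every candidate (a rainbow table in miniature)."""
    return {hash_fn(p): p for p in pans}


# Constructed demo keys. In practice the key is random, stored in an HSM/KMS,
# and never lives next to the hashed records.
KEY_2007 = b"constructed-demo-key-2007"
KEY_2008 = b"constructed-demo-key-2008"


def demo() -> dict:
    """Run the three checks and report the outcomes as booleans."""
    # A small constructed slice of the space behind the 411111 test BIN.
    pans = candidate_pans("411111", range(0, 1000))
    target = pans[123]

    # 1. Unsalted: a lookup table over the candidate space reverses the stored digest.
    table = build_lookup(pans, unsalted_hash)
    unsalted_recovered = table.get(unsalted_hash(target)) == target

    # 2. Keyed: the same table (built without the key) cannot reverse the HMAC.
    keyed_digest = keyed_hash(target, KEY_2007)
    keyed_recovered = table.get(keyed_digest) is not None

    # 3. Key change: the rotated key yields a different digest for the same PAN,
    #    so old records cannot be matched or re-derived without the original PAN.
    rekey_matches_old = keyed_hash(target, KEY_2008) == keyed_digest

    return {
        "unsalted_recovered": unsalted_recovered,
        "keyed_recovered": keyed_recovered,
        "rekey_matches_old": rekey_matches_old,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The third result is the operational trap the post describes: if the keyed digests are the only copy of the PAN you keep, a key rotation orphans every existing record, so a scheme like this needs either access to the original PAN (under encryption) at rotation time or a tokenization service that owns the mapping.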

Welcome to 2008!

Yep! Time to tackle the world! Hope everyone's holiday was fantastic.