
March 26, 2008

The NRF Goes Past Where the Sidewalk Ends

Dude.

Seriously.

Is anyone at the helm of the National Retail Federation? Did they forget to secure the dock lines on the U.S.S. NRF before they skipped into town for supplies, gleefully quoting Shel Silverstein's Where the Sidewalk Ends along the way?

Let us leave this place where the smoke blows black
And the dark street winds and bends.
Past the pits where the asphalt flowers grow
We shall walk with a walk that is measured and slow,
And watch where the chalk-white arrows go
To the place where the sidewalk ends.

In this recent three-question interview with Dave Hogan, CIO of the NRF (courtesy of RIS Executive News Brief), there was either a massive case of misquoting, or he still doesn't get it.

We'll skip the first of the three questions since, once again, being compliant and having someone validate your compliance are two different things. The second question starts off great, but then he wanders off the path like a three-year-old who sees a shiny candy wrapper. From the interview:

Question: "Do credit card companies need to shoulder some of the responsibility behind storing and safeguarding credit card data?"
Answer: "The credit card companies have been brilliant about shifting the burden and the associated risk of credit cards onto the merchant. It is their system."

Not too bad so far! The credit card system has been widely successful as our society continues to spend beyond our means, and/or move away from paper money to cashless payments. Then here comes that candy wrapper.

Shiny Object Answer: "The card associations should be promoting more secure forms of payment like Chip & Pin. This type of technology has been used in Europe and has significantly reduced credit card fraud. They should also provide (at no cost to the merchant) card readers that can accept these new types of cards."

Uhh... what? Chip & PIN is the new Holy Grail of secure card acceptance? Last I checked, it slows down the bad guys, but does not stop them. There are flaws in that system as well. Besides, you have an issue with Chip & PIN in the US... acceptance! What good is a reader if no one carries a card to use with it?

I seriously doubt that the card associations would pay for the terminals. Even if they did, retailers will likely have to do major alterations to their software to be able to handle both types of transactions in parallel. That's definitely not free, and will likely cost extra with downtime and bugs that come out in production.

How about we just spend a little bit of time securing the data in flight? We can use the same technology to secure other types of data, like PII. It's clear that the extension of retail networks harbors unique information security issues.

The final question and answer is priceless.

Question: "Should credit card companies stop forcing retailers to store data for years on end?"
Answer: "Visa and MasterCard may indicate that they do not directly force retailers to store credit card data. But indirectly, they do store it through the retrieval request process that is in place. Rather than requiring that merchants keep reams of data (currently required under card company rules as a means of managing chargebacks and other internal processes) credit card companies and their banks should provide merchants with the option of keeping nothing more than the authorization code provided at time of sale and a truncated receipt. I would like them to go on record and state that 'Retailers have the option to no longer store credit card data and they will not be penalized for not keeping credit card data.'"

. . .

Mr. Hogan, please read closely. If I can pound one message into your head, let it be this.

Ready? Here it comes.

CARD ASSOCIATIONS DO NOT REQUIRE MERCHANTS TO STORE CARD DATA. EVEN FOR CHARGEBACKS.

I have personally assisted numerous merchants of all levels in handling this. Especially with respect to chargebacks! The most memorable hiccup was when one card association (name deleted to protect the misguided) informed one of my customers that it would take two years and several million dollars to allow a truncated PAN for chargeback purposes. It was not until we got to the right person over there and explained that a chargeback proof with a truncated number is sufficient that they realized the error of their ways. If there are banks out there requiring it, their PCI status should be clear to you... likely not compliant.

The best part of the article is actually at the beginning, where through a paraphrase Dave says that the "PCI mandate will never be an effective deterrent to professional hackers."

Wait a second. First you said PCI was too hard. Now you are saying it is not hard enough?

Is anyone else as confused as I am?

PCI is a polarizing issue for sure, but most reasonable people will agree that it does provide a decent baseline, and that it should not be the limit of your security program.

FUD like this only serves to further confuse major players in the market, and pollute the underlying message of the PCI-DSS: protect the data! Smart retailers have expanded upon their PCI efforts and invested in securing the business (and not doing the bare minimum). Securing the business will allow for secure growth, something that VeriSign's Global Security Consulting group specializes in.

March 25, 2008

Best way to sum up PCI

Andrew Conry-Murray of Information Week writes:

Bottom line, PCI compliance is mutable. While a compliance certification is valid for one year, a retailer may perform actions, or fail to perform actions, that take it out of compliance. On the one hand, this is sensible. PCI rules are like the dietary guidelines a doctor issues to a patient. It's not the physician's fault if someone with through-the-roof cholesterol ignores advice and eats like Homer Simpson.

Could I have said it better? PCI? Program not Project? Homer Simpson? I think not.

This is the reason why we created the PCI Program Management offering at VeriSign. This helps customers maintain compliance, and get management confidence that they are compliant every day.

Oh yeah, and don't forget, all QSAs are not created equal!

March 24, 2008

Electronic "Muddy" Footprints?

Sharon Gaudin at Computerworld writes about a new way to use RFID tags. In this article, a new physical security technique is discussed where a worker who walks into a restricted area would pick up hundreds of tiny RFID sensors on their shoes. As they track their feet across the doormat on the way out, sensors pick up that this employee has entered a restricted area, and then release the hounds.

Cooler than LED Throwies? You be the judge.

March 21, 2008

All QSAs Are NOT Created Equal!

In an unpublished (and, to my knowledge, scrapped) Top 10 Security Predictions for 2008, I predicted that we would see a breach in 2008 from an entity that had validated compliance (hey, come on... it's true, I promise). Does that mean that the standard is not tough enough? Or that companies validating compliance are having a hard time maintaining it? Or possibly that a QSA is not doing their job properly?

The first has been discussed at length in the industry. While there are loud detractors to the standard, insiders agree that compliance does not equal security. Compliance is a baseline and security should be layered on top. The PCI standard as it stands is GOOD. Getting companies to comply and build additional security on top is the challenge. If I had a hundred dollars for every time I heard the phrase, 'What is the bare minimum I must do to comply,' this blog would not exist.

Unfortunately, with something as divisive as PCI, you will have people complaining about how hard it is, and then folks saying it's not hard enough. Rock? Meet hard place.

For the second, VeriSign answered struggling (shout-out to the P1) entities' cries for help and instituted a service called PCI Program Management. This longer process sets up a program to support and maintain PCI. If you have an existing security program, we work within the guidelines of that program, and hopefully help improve it overall. Our goal is to get companies set up to maintain compliance on their own, as opposed to being afraid that one of the thousands of change control documents is overlooked and pushes them out of compliance.

That last one is a big ouch, but if you have been dealing with PCI for some time it makes perfect sense. How can it be possible to get a small PCI Assessment quote for 15K from one vendor and a 40K quote from another? We must not be comparing apples-to-apples. Do you notice that some QSAs are easier than others? How much management confidence do you have in the findings from the assessment? 15K or 40K?

The great QSA equalizer of 2008 was supposed to be the PCI Q/A Program that the council is instituting this year, not a breach of a validated entity (remember, validated is not the same thing as compliant). Time will tell as details come out how this will affect the industry, but I am betting it will force entities to look more closely at the QSA's work product.

Merchants & Service Providers alike can reduce the chance of something like this happening by first checking the history of the QSA and lobbing a couple of hardball questions prior to starting the engagement. This can tell you how effective the assessment is. Is the majority done remotely? Do they recommend achievable controls? Are they missing things that you know are not compliant?

But most importantly, entities subject to PCI can avoid this by building a solid program to maintain their PCI compliance day-in and day-out. Don't aim for the minimum, aim for security without impacting the business. VeriSign believes in this mantra and ensures that its importance is conveyed to our customers.

March 13, 2008

See me featured in the March ISSA Journal

This month's issue of the ISSA Journal features my article on simplifying data flows entitled "Data Flows Made Easy." So far, the feedback has been positive, but what do you think?

Also in this issue, the first installment of my monthly column, "Herding Cats: Practical Security Tips for a Wacky World" (Thank YOU Fred Langston!). In here, I explore a simple tip for locating that sensitive data inside your organization.

Finally, another VeriSign consultant is being published this month: Bindu Sundareson's article entitled "Converged Compliance Management" is included in the March ISSA Journal.

Check out the links and read up on the thought leadership that is common in the Global Security Consulting group at VeriSign!

March 10, 2008

PCI News Flash! RSS for News & Events!

Uh oh, look out world, here comes some newfangled technology!

Well, not that new.

But VERY new for the PCI Industry! The PCI-SSC has put RSS on their website! They now have a feed for News & Events which can be picked up at https://www.pcisecuritystandards.org/pcissc_news.xml.

The card associations that make up the PCI-SSC should take note. Currently, the preferred method of communication for all five members is reviewing their security websites. Unfortunately, it is pretty hard to see what changes unless some kind of alert is posted (and one association actually changed the URL that is listed in the QSA training we receive without a redirect). VeriSign suggested RSS a while back as a good way to keep people informed of changes in the program. Hopefully the power of RSS will be addicting, and all the associations will start pushing updates that way.

Go subscribe today!

A SQL Injection Attack!

(This post is brought to you today by the letter A).

This weekend, I took a hiatus from the computing world and headed down to the family lake house. Time to get ready for summer and clean out all the junk!

Well, not junk, but lots of ladybugs for some reason.

When we arrived home yesterday, I caught up on my personal email, and noticed that someone posted a comment to my personal blog. Like this blog, when someone comments, I get excited since I'm never sure if anyone is reading. (Please leave comments, it makes me feel useful. Just like all the characters in Sodor want to be.) The comment in particular was an attempt to run a SQL Injection attack against my blog software.

Thankfully, it appears that my blog software caught this intrusion, but it left a nice record in my email. Here's what it looks like when someone (or a bot) tries to attack a field.

Bill364367','396455billy@msn.com','','15.13.14.4','2008-03-08 11:08:05','2008-03-08 11:08:05','','0','lynx','comment','0','0'),('0', '','', '', '', '2008-03-09 11:08:05', '2008-03-09 11:08:05', '', 'spam', '','comment', '0','0' ) /* (IP: 46.232.63.181 , titania.nameremovedtoprotect.com)

Names & IPs changed to protect the silly.

So the question is, is YOUR code vulnerable to this type of attack? When is the last time you had an application penetration test or code review performed on your custom code? VeriSign has seen quite an uptick in interest around these services (which we happily provide), though it still seems that most companies really miss the importance of this type of security review. Either it is easily dismissed as too expensive, or companies want to review every piece of code they can get their hands on (vs. a methodical and targeted approach to key apps and an overhaul of the SDLC).
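As an added illustration (not the blog's code or the author's blog software), here is the coding pattern the comment above was probing for, with a constructed payload modelled on it against a simplified four-column comments table: a string-built INSERT lets the payload smuggle in a second, pre-approved row, while the parameterised version stores the whole thing as harmless text. The table, column names and the hypothetical insert_comment_* functions are assumptions.

```python
import sqlite3

SCHEMA = "CREATE TABLE comments (author TEXT, email TEXT, content TEXT, status TEXT)"

# Constructed payload modelled on the one in the post, cut down to a
# four-column table: it closes the author string and the first VALUES
# tuple, appends a second row marked 'spam', then opens a block comment
# so the remainder of the application's own statement is ignored.
INJECTED_AUTHOR = (
    "Bill364367', 'billy@example.invalid', '', 'pending'), "
    "('0', '', '', 'spam') /*"
)

def insert_comment_unsafe(conn, author, email, content):
    # Hypothetical vulnerable handler: user input is spliced into the
    # statement text, so quotes and parentheses change the SQL itself.
    sql = ("INSERT INTO comments (author, email, content, status) "
           "VALUES ('%s', '%s', '%s', 'pending')" % (author, email, content))
    conn.execute(sql)

def insert_comment_safe(conn, author, email, content):
    # Hypothetical hardened handler: a parameterised query hands the
    # values to the driver separately, so quotes, parentheses and comment
    # markers in the input remain data rather than SQL.
    conn.execute(
        "INSERT INTO comments (author, email, content, status) "
        "VALUES (?, ?, ?, 'pending')",
        (author, email, content),
    )

def run(insert):
    """Submit the payload through `insert` and return (author, status) per stored row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    insert(conn, INJECTED_AUTHOR, "visitor@example.invalid", "nice post")
    rows = conn.execute("SELECT author, status FROM comments ORDER BY rowid").fetchall()
    conn.close()
    return rows

if __name__ == "__main__":
    print("unsafe:", run(insert_comment_unsafe))  # two rows land, the second marked 'spam'
    print("safe:  ", run(insert_comment_safe))    # one row, payload stored verbatim as the author name
```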

March 07, 2008

Rerouting the Boss's Luggage?

StorefrontBackTalk's Evan Schuman writes about a serious hole in an airport wireless network that could allow people to reroute luggage.

Oops... More reasons to carry-on.

As it relates to PCI, VeriSign has extensive experience in the travel industry and has dealt with some of the challenges that airlines have. Like a few other industries, it is unique in its constraints around compliance and security. For instance, something you may not know is that the airports typically own all of the networking and computing equipment used by their tenants. So unlike most companies that have control over the chain of systems that deal with sensitive data, airlines may be forced to start off with a lack of control at the front lines.

Hopefully, this incident will be a reality check for airports.

March 05, 2008

PCI Security Council releases FAQ

The PCI Security Standards Council looks as if they have released that FAQ they have been working on! I can tell you that this is a huge relief for everyone involved (merchants, service providers, QSAs, ASVs, etc.) as the volume of questions that the council was dealing with prevented them from turning around answers quickly.

Of course, "quickly" is a relative term.

But consider their position. Here at VeriSign, we might submit one question every couple of months, but other QSAs may submit more. For every question that VeriSign (or any QSA) submits, they must get buy-in on the answer from all five members before it can be turned around. You can see how this can easily take days or weeks to get answers back if they are receiving any significant volume (say 10 questions per day).

So now that the common ones are up there, this should allow the more challenging interpretation requests to be processed quickly.

March 03, 2008

Credit Card Security Code Broken by UV Students

WJLA News reports that a University of Virginia graduate student and two fellow hackers have cracked code contained in smart cards. Information security rears its head again!

The company claims they only got a portion of the code, but depending on what they got, it could be enough to launch a feasible attack against those keys. Any reduction in bits can make a huge difference in the time required to retrieve a key.

You know, those smart card guys would have gotten away with a sub-par setup if it weren't for those meddling kids...