
July 31, 2008

DNS, Schmee-enn-ess

OK, yeah, that was a reach. As long as it makes me giggle, things will be just fine.

I assume most of you are away from your RSS readers this week because you are furiously patching your DNS servers. The attack is actually quite genius, and continues to demonstrate the inordinate amount of trust we place in servers and data that should not be trusted.

The details of how the attack works can be read in the above linked article if you are interested. You probably don't have the time right now because you are rushing to patch though.

Bruce Schneier takes this opportunity to lash out at the patching process. While some security pundits don't take Bruce seriously, he has a point. The state he describes is a bit utopian, but the points are valid.

Can we get to a state where software is written with security baked in? Even if we can, would that prevent this or much more sophisticated attacks from occurring?

Electronic crime is a profitable business. As we cut off the money supply, they get more creative to recover their losses. My true fear is that they will get creative enough to create a vulnerability that goes undetected for some period of time, until a trigger point hits that causes mass chaos. If we're struggling to deal with relatively simple fixes today, what will we do when something like that hits?

July 30, 2008

Oracle Zero Day

ZDNet is reporting that Oracle released an emergency patch today, the first out-of-cycle patch since they moved to a quarterly update schedule. I can just hear the Oracle DBAs of the world screaming and bitching about this.

I know the Oracle code base is mammoth, but wouldn't it be nice for them to do a full security code review (which VeriSign's Enterprise Security Services group offers) to shore up some of these things? I don't think anyone at Oracle is delusional enough to believe that they are extinction-proof, but something like this may go a long way toward ensuring that the tusky software giant remains in play well into the future.

July 27, 2008

The Land of Oz

No, Toto is not coming. I'm referring to Australia! I'll be making a trek down under in August to discuss PCI with banks and merchants alike. If you are in the area and want to meet up, please drop me an email! Hope to see you there!

July 25, 2008

PCI Council announces DSS Lifecycle

I have to admit, I needed some coffee and cobweb remover to decode this message from the Council this morning. They posted their Lifecycle Statement on the standard yesterday. After reading it a few times (and having a cuppa), I believe what they are trying to say is that there will be a new version of the PCI-DSS every 24 months. If you see a major number incremented (say 2.0 from 1.X), it is considered a new version. If a minor number is incremented (say 1.1 to 1.2) it is a revision. Regardless, you still have to do it and you will have some amount of time to implement.

The next revision is due out on October 1, 2008 and will be version 1.2.

To whoever drafted this document: will you please read William Zinsser's On Writing Well and Paula LaRocque's The Book on Writing: The Ultimate Guide to Writing Well? Seriously, guys, simplify your writing. There are many non-native speakers trying to digest this stuff, and I guarantee the first sentence in that release has them so confused that many just tossed it aside.

July 21, 2008

Confused about DLP?

Don't worry, you are not alone. A partnership of several companies released DLP In Depth today, a website that sets out to unravel the mystery of Digital Loss Prevention (DLP). DLP technologies have been around for some time, but last year we saw a flurry of activity in that market as RSA picked up Tablus and Symantec picked up Vontu.

At VeriSign, we regularly recommend using DLP products as part of your security strategy. Knowing where your data lives is the first step to being able to secure it.

So if you are looking for more info on DLP, go check out www.dlpindepth.org!

July 17, 2008

Thanks to the EUCI!

Thanks to everyone at EUCI and their great hospitality in Vail. I'm looking forward to working with some of you soon!

July 16, 2008

Are you in Vail for the EUCI Conference?

If so, drop me a line! I'm leaving the home base here in a few hours to head there for the conference. I will be discussing personally identifiable information and why it is important to secure.

After I speak, I'll be high-tailing it to Denver International to catch a return flight home. Hope to see you there!

July 10, 2008

Looking for a career as a QSA?

Well, look no further! Come join VeriSign's Premier Global PCI Consulting practice! If you are a current QSA in good standing, take a look at the job listings below. If you are a security professional who wants to get into PCI-related work, we can train you!

Click here and enter keywords "qualified security assessor" to learn more!

July 9, 2008

Herding Cats, July 2008 is out!

Before you click on the link to read the article, I should warn you. Things got a little silly with this one. I even had to edit a cleverly-placed word as my editor threw up a little when he hit publish on this one.

SILLY.

Anyway... I hope you enjoy the July edition of Herding Cats entitled, The Forward Looking Future!

Oh, and it looks like Twitter lost me. I'm there, but you can't see my updates. *shrug*

July 6, 2008

Mind the Storefront!

Dave Taylor has another guest post on StoreFrontBackTalk, this one alluding to a lack of audit resources to mind the storefront (like Minding the Gap!).

Storefront security continues to be an issue for retailers even outside of PCI. Take physical security, for example. A major retailer's data center tends to be a hardened facility that is not easily accessed (with the exception of a few notable ones that are for another post). There are security guards, badged access, and sometimes even man traps. Now visit that same retailer's storefront. You might find accessible Ethernet jacks or, worse, a system room door that is unlocked or left wide open. Walk in there with an official-looking ID and you might just jack in to the same VLAN or security level as if you had jumped through all the hoops at the data center!

The point that Dave makes is the same one I'll make here. There are two things that will greatly mitigate the risks associated with weak physical security in the stores.

  1. Remove all card data from the store (or most of it, or at least all unencrypted data).
  2. Deploy end-to-end encryption from the POS terminal to the data center.

Companies that treat their store networks as trusted are fooling themselves. Those networks are either already hacked or could easily be hacked (even if you ignore the obvious insider threat!). End-to-end encryption is a best practice for PCI (and in my opinion it should stay that way for now), but it is definitely an example of layered security on top of compliance that will greatly increase a company's resistance to a breach.
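To make the two mitigations above concrete, here is an added example (written for this post, not code from the original article, from VeriSign, or from any POS vendor) of what they look like at the protocol level: the terminal encrypts the PAN with AES-GCM before it ever touches the store LAN, the store keeps and forwards only a masked PAN plus ciphertext, and only the data center holds the key that turns it back into a card number. The terminal ID is bound in as associated data, so a record captured from one lane cannot be replayed as another lane's. The 32-byte key, the terminal ID and the well-known test card number are all constructed for the demo; real deployments provision a distinct key per terminal in a secure facility (e.g. DUKPT) rather than a shared constant.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed sample values: a widely used test card number (not a live
// account) and a made-up terminal identifier.
const (
	samplePAN        = "4111111111111111"
	sampleTerminalID = "POS-0042"
)

// StoreRecord is everything the store ever holds or forwards for one swipe.
// The PAN itself exists only as AES-GCM ciphertext; the masked form is the
// most that receipts, logs and store-side systems get to see.
type StoreRecord struct {
	TerminalID string
	MaskedPAN  string // e.g. "************1111"
	Nonce      []byte
	Ciphertext []byte // GCM output with the authentication tag appended
}

// MaskPAN keeps only the last four digits, the common receipt format.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts a 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtPOS runs inside the terminal, before the PAN reaches the store LAN.
// The terminal ID is authenticated as associated data, not encrypted.
func EncryptAtPOS(terminalKey []byte, pan, terminalID string) (StoreRecord, error) {
	aead, err := newGCM(terminalKey)
	if err != nil {
		return StoreRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per swipe
	if _, err := rand.Read(nonce); err != nil {
		return StoreRecord{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(terminalID))
	return StoreRecord{terminalID, MaskPAN(pan), nonce, ct}, nil
}

// DecryptAtDataCenter is the only place the key is used for decryption. A
// tampered ciphertext or a changed terminal ID fails the GCM tag check.
func DecryptAtDataCenter(terminalKey []byte, rec StoreRecord) (string, error) {
	aead, err := newGCM(terminalKey)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.TerminalID))
	if err != nil {
		return "", fmt.Errorf("record from %s rejected: %w", rec.TerminalID, err)
	}
	return string(pt), nil
}

// WireBytes is what a sniffer on the store VLAN would see for one record.
func WireBytes(rec StoreRecord) []byte {
	var b bytes.Buffer
	b.WriteString(rec.TerminalID)
	b.WriteString(rec.MaskedPAN)
	b.Write(rec.Nonce)
	b.Write(rec.Ciphertext)
	return b.Bytes()
}

// PANVisibleOnWire reports whether the cleartext PAN appears in that capture.
func PANVisibleOnWire(rec StoreRecord, pan string) bool {
	return bytes.Contains(WireBytes(rec), []byte(pan))
}

func main() {
	// Constructed demo key; production terminals get per-terminal injected keys.
	key := bytes.Repeat([]byte{0x42}, 32)
	rec, err := EncryptAtPOS(key, samplePAN, sampleTerminalID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("store sees %s, PAN on wire: %v\n", rec.MaskedPAN, PANVisibleOnWire(rec, samplePAN))
	pan, err := DecryptAtDataCenter(key, rec)
	fmt.Printf("data center recovers %s (err=%v)\n", pan, err)
	rec.Ciphertext[0] ^= 0x01 // a single flipped bit on the store LAN
	_, err = DecryptAtDataCenter(key, rec)
	fmt.Println("tampered record:", err)
}
```

The point of `WireBytes` and `PANVisibleOnWire` is the "remove card data from the store" half of the argument: if the store network, the POS log files and the back-office server only ever see the masked form and ciphertext, an unlocked system room or an open Ethernet jack no longer puts the PAN in scope for the attacker the same way it does when the terminal sends track data in the clear.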

July 2, 2008

Enjoy the Holiday!

It's time to celebrate American Independence! I'll be taking a holiday for a few days, but will return next week. I will have a post hit on Monday though, so keep your eyes peeled (ouch?)!

July 1, 2008

PCI Requirement 6.6 in the news!

The deadline has passed; do you know where your children (er, web application firewalls) are? If you scratched your head and then saw a shiny object fly by to steal your attention, you are not alone. Information Security Magazine interviewed me for an article on this topic. Go check it out!