November 18, 2008

An upcoming treat!

As a preview for next month's Herding Cats, I decided to take a suggestion from a colleague and turn it into a column. We're going to explore Hizver's Insecurity in Large Numbers Theorem!

Think you are safe in a crowd? Think again! Think that your company is too small to be noticed or targeted? Danger is afoot!

Without ruining the punchline, consider this. Let's say you work for a large company with a few thousand employees. Each one has at least one Microsoft Windows device assigned to them. Remember the emergency patch from last month? Are you 100% confident that every single last one of those devices was patched?

Also, another preview... All previous versions of Herding Cats will be posted in their printed glory by December 1!

November 14, 2008

Where to get good PCI Training

Yep, it's been a PCI heavy week. Want me to discuss other topics? T and suggest one!

Last week I sat through the Certified Payment-card Industry Security Manager training here in Dallas. The folks at Aegenis planned it at a hotel that happened to be about 10 minutes from my house, so getting there was easy. There were several bigwigs from the information security and PCI industry there with me in the sold-out training, and the industry perspectives were valuable.

If you are not an employee of a QSAC and are looking for a GOOD source of training around PCI, data breach laws, and a detailed look into the payment industry, this training is for you. If you opt for all three days of training, you will be taken through the process first as an auditor, then as a manager. The tests are given on the final day.

For those merchants that have been begging for solid, industry-specific training around PCI, this is where you need to go.

November 12, 2008

PCI News Flash! New SAQs for version 1.2!

The PCI Security Standards Council released the new version of the Self Assessment Questionnaires yesterday, as well as a new Navigating PCI-DSS for version 1.2.

Enjoy!

November 11, 2008

International PCI Compliance Dates Set

The day has come! I can't tell you how many merchants have hounded me for compliance dates outside the US and Canada, and then looked at me like I just told them the sky was red when I could not provide them. Visa, Inc. has formally announced global compliance deadlines (thanks JKA!).

If you are a global retailer, or a retailer not based in the US or Canada, the pressure is now on to become compliant with the PCI Standard! Feel free to reach out to a VeriSign QSA if you need assistance!

November 6, 2008

PCI-SSC Releases Data Storage Do's and Don'ts

The PCI Security Standards Council posted a document on Data Storage Do's and Don'ts this week. This document does an excellent job breaking down the storage piece of PCI for merchants big and small, but especially for the smaller folks out there.

Now, for all of you out there, don't forget that PCI is NOT just a data storage initiative. Just because you don't store cardholder data does not exempt you from being compliant. That said, locating your data is step one in understanding how you measure up to the PCI Standard. Consequently, it is also step one in VeriSign's PCI Program Management methodology.

How healthy is your compliance program? If it needs work, drop us a line and we'll see how we can help!

November 3, 2008

Fun with Phishing

Here at VeriSign, our email filtering is pretty effective. We have a corporate solution run by Postini (Google) that I am sure processes an amazing amount of SPAM for us. In most cases, one email that I would consider truly SPAM might slip through every couple of months. Not a bad track record.

Today one of those messages got through, and I was amazed at what the bad guys are doing to try to commit fraud nowadays. I remember several years ago that one effective method to get money out of large corporations was to just send an invoice for a small amount to the Accounts Payable department. Somewhere in the next two months, a check for that amount would show up in your mailbox.

As corporations tracked invoices more closely, these holes closed up and the bad guys had to get more creative. They started going after individuals through phishing and other types of con games. An acquaintance of my wife got suckered into one of those a few years ago when she sent cash to a company that had emailed her claiming to fix credit problems.

The message today was from someone claiming to be a professor, with the title "Head Payment Commission." The interesting thing here was that instead of an invoice, this SPAM apologizes for paying late! It includes a bank reference and a bogus bank account, with a set of questions that I would need to answer to get paid. Aside from the obvious grammar issues and OverUse Of Studly Capital Letters on Common Nouns Like "Wrong Account," they ask you to re-confirm the payment details to make sure that payment can be rushed. Here's what they are asking for.

  1. Your Full Name:
  2. Phone, Fax And Mobile No:
  3. Company Name, Position And Address:
  4. Profession, Age And Marital Status:
  5. Working Id? D/Int'l Passport:

Note the bold underlines. I certainly cannot remember seeing anything like that on any supplier form I have either sent out or filled out. This is definitely something that smells like classic social engineering. Most social engineers would be a little more sneaky and only ask one or two of those types of questions among legitimate questions. They would then finish with a legitimate one or two to bury the one that should set the alarm bells off.

It's pretty ingenious, but nothing new. Bad guys have been doing this for years, and I would see this as nothing more than a smarter version of the Nigeria scams. We all know that stuff like this works, especially on people that are too trusting.

If it didn't work, it would not have shown up in my Inbox anyway.