NetworkJew » Security Links

MasterCard announces Changes to Level 1 and Level 2 PCI DSS Requirements

Network Jew — Tue, 30 Jun 2009 14:09:34 +0000

In a move that is sure to cause headaches amongst IT staff and Execs, Mastercard has decided to tighten the reigns further in their never ending quest to secure people’s credit card data.

By December 31, 2010 and on a going forward basis, all level 1 and 2 merchants must validate PCI DSS compliance via an annual onsite assessment conducted by a PCI Security Standards Council (PCI SSC) certified Qualified Security Assessor (QSA). Level 1 merchants who previously conducted onsite assessments using internal resources will no longer be permitted to do so. Level 2 merchants who were previously permitted to validate via a Self Assessment Questionnaire (SAQ) must now also begin validating with an onsite assessment by a QSA. All level 1 and 2 merchants must submit a fully compliant Report on Compliance (ROC) from their QSA by December 31, 2010.

While this is surely a boon to the Network Security consulting industry, its a move that is going to cost alot of companies a great deal of money. Previously, Level 2 merchants were only required to submit to a quarterly external network scan and a yearly self-assessment questionnaire. Now, they, like Level 1 merchants, must have a yearly onsite assessment performed. For many companies, depending on the size, this are going to be in depth audits that may force them to change man of the ways they do business.

PCI-DSS, unfortunately, is a useless standard. Companies should perform best practices, and if they don’t, they should pay for it. The fact that they have to be beaten into submission through scans, audits, and fines is silly. All of the recent major breaches of credit card data were all from PCI certified companies. So what does that tell us?

Here’s a great article about some of the problems with the PCI standard:

http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/

Iphone 3.0 patches over 40 Security Flaws

Network Jew — Thu, 18 Jun 2009 13:48:59 +0000

In addition to all of the wonderful new features available on the new iphone os 3.0, there are over 40 security vulnerabilities that have been fixed. Some of these include this one which may pertain to Exchange admins out there:

Accepting an untrusted Exchange server certificate results in storing an exception on a per-hostname basis. On the next visit to an Exchange server contained in the exception list, its certificate is accepted with no prompt and validation. This may lead to the disclosure of credentials or application data. This update addresses the issue through improved handling of untrusted certificate exceptions.

and this interesting one:

A logic issue in the handling of ICMP echo request packets may cause an assertion to be triggered. By sending a maliciously crafted ICMP echo request packet, a remote attacker may be able to cause an unexpected device reset.

So, in case you’re waiting for some reason to update, go ahead and take the plunge and do it. Its my belief, that as users become more mobile and start keeping more of their private information on these devices, the attempts at hacking mobile devices will become more common.

Here’s a link to more info straight from Apple regarding these fixes:

http://support.apple.com/kb/HT3639

Let’s be safe out there…

Top 10 Free Windows Network Security Tools

Network Jew — Fri, 06 Feb 2009 15:45:51 +0000

Here are my top ten Windows security tools. There are so many more that could be included, but these are the ones I use most often. These are tools you can use to help diagnose network problems, scan for vulnerabilities, and analyze your network. These aren’t tools that will increase your security profile, like disk encryption or vpn utilities, but rather ones that you may use in troubleshooting or performing analysis. These are in no particular order, and many of these are available on other OSX and/or Linux.

1) NMAP - incredibly powerful command line utility. In addition to port scanning, it can perform OS detection and do all kinds of other great. Its great for troubleshooting network services availability.

2) Cain and Abel – Careful with this one. Password “recovery”, ARP poisoning, sniffing…

3) Nessus - #1 Vulnerability scanner. It will check for everything under the sun on your network. You’ll be surprised at what’s running out there.

4) BSA - Straight from MS. Microsoft’s free security and vulnerability assessment scan tool

5) Wireshark - World-class packet sniffer. Enough said.

6) Netstat – command line for displaying network connections and other net-related info about your PC. Great quick way to figure out What’s running and who’s it talking to, and no installation required!

7) NetStumbler - This is great for doing wireless network assessments. Where are the dead spots? What AP’s are interfering?

9) TCPView - Great tool from SysInternals (MS). Like Netstat on steroids in a gui.

10) Snort - Open Source IDS (Intrusion Detection System) – very powerful, extensible, Lightweight, IDS.

Fannie Mae Computer Plot Thwarted

Network Jew — Tue, 03 Feb 2009 14:50:23 +0000

This is a very interesting story about a fired admin at Fannie Mae, who dropped a malicious script on their servers. Bottom line- He was fired in October ‘08, they didn’t kill his access until later in the day, he was pissed off and left a Unix script which was supposed to zero out ALL Fannie Mae’s data on January 31st. Apparently the scripts were found by accident a couple months later.

Some important lessons to be learned here:

Always terminate employees access immediately upon termination. Double check remote access privileges.
Escort them to their workspace to gather their stuff, and escort them out of the building.
Don’t use shared logins/passwords.