PCI SSC 2016 North America Community Meeting: Day 3

Day 3 photos of the #PCICM

I really enjoy watching (and knowing) about hacks. Most security conferences will include at least one demonstration or talk about hacking and it’s just fantastic. I made the switch in the 90s from IT Operations to Information Security after watching someone get through a firewall and take remote command of a server.

I didn’t take too many pictures today as the question, “Will these presentations be available online after?” was finally answered with a yes!









PCI SSC 2016 North America Community Meeting: Day 2

Yesterday was Day 2 of the conference and I had a full agenda. Here are some pictures (mostly of slides…)

My buddy Felix was working the Qualys booth!






I love how it has to be clarified that single factor can’t be used more than once within multi-factor.






Senator Elizabeth Warren vs. CEO John Stumpf

Senator Elizabeth Warren’s two round of questions for Wells Fargo CEO John Stumpf at the September 20, 2016 Senate Banking Committee hearing entitled: “An Examination of Wells Fargo’s Unauthorized Accounts and the Regulatory Response.”

Wells Fargo employees secretly opened unauthorized accounts to hit sales targets and receive bonuses.

Wells Fargo employees also submitted applications for 565,443 credit card accounts without their customers’ knowledge or consent. Roughly 14,000 of those accounts incurred over $400,000 in fees, including annual fees, interest charges and overdraft-protection fees.

Wells Fargo agreed to pay $185 million in fines, along with $5 million to refund customers.

5,300 firings took place over several years

PCI SSC 2016 North America Community Meeting: Day 1

The 10th Annual PCI SSC Community Meeting Kicked Off yesterday and I have the privilege of attending.

Here are some pictures of the event from yesterday.

Jeremy King, International Director
Stephen Orfei, General Manager


Tracy Kitten, Stephen Orfei, Jeremy King, and Troy Leach
Communicating PCI to the Boardroom
Selfie with Stephen, nice guy!
Existing and Future Threats to Cardholder environments and data

Fire Extinguisher Test Damages ING Banks Data Center

I’m going to drop a little knowledge first.
The common hard drive uses an arm holding read/write heads over spinning metal platters (like a record player! but smaller and faster with a lot of arms, heads, and platters).

Years ago, hard drives though were physically the same size, didn’t have near the storage capacity and precision as they do today, were tolerant (to an extent) to vibration, today’s hard drives with the terabytes they can hold can only tolerate 1/1,000,000 of an inch in vibration. Any more than that deviation will just stop the read/write heads from doing any reading or writing.

The Story
ING Bank was testing the inert gas within their fire suppression system at their data center and it was so loud (noise = vibration), it vibrated the read/write heads over the spinning metal platters more than 1/1,000,000 of an inch and it took greater than 10 hours to restart every system in their data center.

The bank put out a press release (written in Romanian, but if you use Chrome, you can auto-translate it)

On a side note, this proves screaming at your computer when it’s slow doesn’t make it work better.


IT Security vs Information Security

A pet peeve of mine is when Information Security is interchanged with IT (Information Technology) Security. Over the many years working this profession, I’ve heard people, clearly working in the Information Security realm, state they work in IT Security (though their job/role dictates otherwise).

People working for a CISO (Chief Information Security Officer and not a Chief Information Technology Security Officer) cannot always tell the difference.

It is accurate to say that IT security is a component of Information Security. Sometimes a CISO is tasked with giving clarity to an IT Organization regarding their role to reduce “not my job” syndrome. Hopefully this graphic helps.


Some of the technical areas are usually absorbed into IT Operations, for example Hardware Hardening. Governance will establish that hardware must be hardened, IT Operations, will follow suit and harden as they build.

Incident response should come from everybody being vigilant and reporting what they see. The police don’t just respond to what they see themselves, but they respond to what is reported by the public.


FAA Asks Public to Not Use Samsung Note 7 on Planes

Per the FAA site, the Federal Aviation Administration has asked the public not to turn on or charge the Samsung Note 7 on board aircraft and not to stow them in any checked baggage.

If you haven’t heard, there has been a massive recall on Samsung Note 7s as they were exploding on the charger. The phone retails for near $1,000 USD and the recall/exchange program is pulling back 2.5 million of them.

The issue appears to be in the construction of the battery used inside the phablet. Any damage to the internal mechanics of the cell or imperfections in the electrolyte can raise the risk of a short-circuit.

USB Killer… Now Publicly For Sale

It’s been some time since I last wrote about killing computers with a USB (here), and now the device is packaged nicely and available for the low price of approximately $55.

Just a note to the general public here, if you find a USB on the ground, don’t plug it into your computer. It can backdoor your system and probe your network, or even cause a fire!

What to Watch To Learn A Little CyberSecurity

Do you like to be entertained? I know I do!
Here are some shows and movies that I recommend.

Brian Brushwood’s Hacking the System

This show has a LOT of thinking outside the box and social engineering.

Mr. Robot
This show has real life examples from the Anonymous group. The story line and some of the trippyness is a little too much, but the hacks are modeled after current real world hacks.

The hacks are good, like the “falling for a phishing email” but the story is a little dumb and overplayed. But then again it’s Chris Hemsworth and who doesn’t like that guy?

CSI: Cyber
Actually, it’s not too bad.

A lot of cybersecurity attacks are getting really intermingled into mainstream television, which is great for raising awareness.

What shows do you like to watch?

Also, here is another list from Techworm