Payment Card Industry – Data Security Standard version 3.0

I’ve been doing some extensive studying for PCI DSS v3, and there is a vast improvement in the requirements.

There are six goals (milestones) of PCI DSS:

  1. Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember – if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don’t need it, don’t store it.
  2. Protect systems and networks, and be prepared to respond to a system breach. This milestone targets controls for points of access to most compromises, and the processes for responding.
  3. Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.
  4. Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.
  5. Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.
  6. Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements, and to finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.

Below are the requirements and the sub-requirements.

Posted in Security Blog

CryptoWall and Dickson County Sheriff’s Office

The Sheriff’s Office of Dickson County, Tennessee was hit by a ransomware trojan that encrypts all of the files on the system; they can be decrypted only (HA, yeah right!) if the ransom is paid to the malware handlers/creators.

Detective Jeff McCliss said that ransomware on a computer locked the agency’s case files, which included autopsy reports, witness statements and crime scene photos.

A few things ran through my mind while watching this:

  1. Why are you storing sensitive case files locally?
  2. “An accident”
  3. What? No backup?
  4. Director of IT? More like Sheriff who knows how to install MS Office. AmiRight?
  5. lol

Video: http://nypost.com/2014/11/13/sheriffs-office-pays-500-bitcoin-ransom-to-access-their-own-files/

Posted in Security Blog

Visual Studio Community 2013 Is Free

Start coding the app of your dreams for Windows, Android, and iOS.
http://www.visualstudio.com/products/visual-studio-community-vs

Pair that up with Microsoft Virtual Academy, for free coding lessons.

Here is the official blog post on giving Visual Studio away.

Posted in Security Blog

The Raspberry Pi: Impact on Hacking

So, this video is a little old, but very relevant. Sure, the Raspberry Pi has been available for some time now, but has awareness of it spread beyond IT and into the minds of business leaders? Are they even aware that it is an attack vector? Once a leader has been made aware of the threat, it’s important to let them know that it has been around for years.

Installing Pwn Pi
Install Kali on Raspberry Pi

Posted in Security Blog

Aiden and Birthday Dinner

Carmelo and JR’s birthday dinner! Totally coincidental, by the way: we drove to Gilbert to visit Pat, Courtney, and Beau, and to meet Aiden. We went to have dinner and, following Courtney, we went to an Olive Garden. An Olive Garden further away than we expected, at that. While in line, waiting to eat, Jasmin and JR show up with Victor and Viviana!
Carmelo and Family

Here is Aiden! He’s so cute!
Aiden

Posted in life

Privacy Comic: The Phone Book

Plain Text Private Information

It wasn’t that long ago that if you wanted to find somebody, you just looked in the phone book.

It’s a little more evolved now.

Posted in Security Blog

Conmen Evolved

Unless you are completely off the grid and don’t even read newspapers, it is hard to avoid the data breaches announced in the news. It’s not just techie news anymore, either: between the big-name news shows on television and radio and nearly every social media outlet, it is near common knowledge that some institution, agency, or large corporation has had its systems attacked and precious data exfiltrated.

Regardless of the target’s level of certified compliance, it still happens.

What happens with all this data that is copied out? A lot of it is financial data, which gets imprinted onto blank payment cards and sold in the new black market on the underground Internet, called the ‘Deep web’, in bulk or as one-offs. But it is not just payment information, like credit and debit cards. It’s also the health insurance information of healthy people, replicated, then modified and sold to a not-so-healthy person so they can get medical attention under a nicer plan.

What about the personal information, like names, addresses, and email addresses? Well, that gets kept and used as well. With names and addresses, it’s easier to research a target victim, figure out their likes and dislikes through their social networks, and then craft very specific, very appealing emails to get the target to click a link or download an attachment. Even if the target has anti-virus, by downloading an attachment that is crafted well enough, the target is unknowingly running the command that allows remote connections or launches a spying program, bypassing the protections the anti-virus normally tries to provide.

The lesson here is to be wary of emails this holiday season. They are going to be a large attack vector for the bad guys. Black Friday and Cyber Monday are just around the corner, and digital-age conmen have baited their hooks in an attempt to catch a phish.

Here is a great article about the rise in Amazon phishing attacks, and a blog post about how 600,000 phishing emails have already been caught this month, and how users think they are so real that they go into the quarantine folder to release them so they can click on them.

Posted in Security Blog

Marine Corps Birthday Message 2014
Happy birthday my brothers and sisters!

Posted in Security Blog

The Postal Service Suffered a Cybersecurity Breach

The personal information of 800,000 people, employees and customers, was potentially compromised, including addresses, Social Security numbers and email addresses. The USPS is working with the FBI, the Justice Department and the U.S. Computer Emergency Readiness Team to investigate the breach. Some are saying the attacker was China.

From this year forward, be on the lookout for phishing attempts. Phishing is the activity of defrauding an online account holder of financial information by posing as a legitimate company. They may call, email, or even send official-looking letters, looking for ways to get information that leads to financial information that can be used and abused.

Here is a great video on phishing by SANS.

Posted in Security Blog

Operation Onymous… 414 Onion sites Taken Offline/Seized

Tor (The Onion Router) is an anonymizing program that allows access to the Dark Web; it works by routing packets through an anonymous proxy network. (See Searching the Deep Web.)

Europol, the FBI, and the Department of Homeland Security arrested 17 people in as many countries and seized hundreds of Dark Web domains that catered to the illegal and dark. Agents have taken from criminal suspects more than $1 million in bitcoin, $250,000 in cash, and an assortment of computers, drugs, gold, silver and weapons that they had yet to fully catalog.

In all, the agencies say they have seized 414 “.onion” domains, the web addresses used by the anonymity software Tor that hide the physical location of those sites’ servers.

Read more on Wired.

Posted in Security Blog