Will Bar Mitzvah Be The Death Knell for RC4 Crypto?

RC4 is an encryption algorithm designed by RSA in 1987. It was attractive then because it could be implemented in a few lines of code and wasn’t computationally intensive. PCs were 8088 or MC68000 based at the time, and 64K was enough RAM, remember? Even today RC4 has advantages. It runs fast on small devices,

Infosec Haiku

Anata no joho sekyuritei konshu no haiku

Surprise! PCI
Non-Compliance and Breaches
Correlate – Report

### Notes ###
* Thanks to Ms. Etsuko vdH for the translation.
* Thanks to everyone who has contributed their haikus … watch this space to see if yours is published.

Supervalu Shoppers At Risk After Hackers Steal Credit Card Details – and other stores affected too

Customers who have used their credit cards at a US supermarket chain between June 22nd and July 17th 2014 are being warned to check their bank balances, after it was discovered that criminals had hacked their way into networks and potentially accessed shoppers’ private data.

Supervalu has published a security advisory on its website,

What Does the Target Breach Tell Us About DSS and POS?

In the final analysis, it is going to be Target’s customers that pay the price for this winter’s breach. OK, CIO Beth Jacob has fallen on her sword and departed; but that could hardly be avoided, and “this is a good time for a change” is hardly contrition. Apart from that, the innocent will pay while the guilty will escape.

Ain’t No Style Points in Infosec

It’s Winter Olympics time. I love watching them, especially safely ensconced in the American Southwest where we don’t have to deal with the snow and ice associated with the winter sports. Speed skating, (real) Biathlon, Hockey, Downhill and XC skiing, and all the rest of it.

But my friend the sports curmudgeon complains about sports that rely on judges to determine the outcome.

Market Impact of a Data Breach

In my Changeup post the other day, I mentioned that my colleague Paul Henry had saved an organization an estimated $10M (or roughly 15%) in market cap by showing that an intrusion had no material impact. That got me to thinking: what *is* the typical market impact of a breach?

Checkmark Compliance Will Get You Nowhere But Hacked

It used to be the only thing you could count on was death and taxes. But these days, you can bet on hackers going after your organization’s data too. Motives may differ – consider the hackers who want to make a statement and the cyber criminals who look to make a buck – but in the end,

PCI spotlight on Europe

Alan Bentley, SVP International Sales, Lumension, asks Bob Tarzey, Analyst and Director with Quocirca about the difference between PCI compliance and a strong security posture.

Q: PCI standards are designed to be a starting point for building a strong security posture. Are retailers/organisations aware that they need to do more than achieve PCI compliance to achieve full risk management?

Passing an External Audit Doesn’t Mean You’re Secure

By now, most of us have heard of the data breach that affected Heartland Payment Systems. It’s been front page news, and Heartland themselves went public with news of the breach in January 2009. What many people might not know is that Heartland’s QSA (Qualified Security Assessor) had declared them PCI compliant shortly before the breach took place.

Naked Truth about Risk and Compliance: Bottom Up Vs. Top Down

There’s no question about it, no matter the differences between line-of-business executives, CIOs and security practitioners, the one thing they all have in common these days is a shared dread of a ten-letter word: compliance.

As regulations of technology practices have mounted over the years, most companies have struggled simply to keep ahead of the latest requirements while still managing the risks most important to them.

Chris’ Security Cache Contemplation: Week 3

Miscellaneous interesting news / tidbits I’ve run across whilst trying to keep up with/clean out my RSS feed …

[Yeah, I know it’s been a while … sorry, but it’s been a busy week at my day job … and anyhow, I never said it’d be weekly, just that I’d only do it once a week.]

PCI Certification Liability?

Where the Money Is

Willie Sutton is reputed to have said (although he didn’t, actually), when asked why he robbed banks, “Because that’s where the money is.” So, we’re not really surprised to learn that a new scam is on to liberate the contents of ATMs, and by more sophisticated means than the skimmers I’ve written about previously.

Are PCI Requirements Losing their Bite?

It’s been long discussed in the industry that the requirements for PCI compliance were woefully inadequate, and some have gone as far as suggesting that PCI be replaced with some form of an independent governing body that would actually raise the standard rather than simply appeasing the vendors to become compliant.

One of the hot topics in PCI compliance discussed since 2006 was the PCI firewall requirement.

Has Whitelisting Reached the Tipping Point in Endpoint Security?

McAfee, one of the largest AV vendors in the security space, recently acquired Solidcore Systems, a company that sells dynamic whitelisting technology, in a $47 million deal that would add whitelisting capabilities to McAfee’s current product portfolio. While this comes as no surprise, this move by McAfee is just the tipping point for the whitelisting application control market.