InfoSec Philippines

Information Security, Technology News and Opinions


SPAM drops, DDoS Attacks, Whitepapers

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 15, 2008

There has apparently been a huge drop in spam after two ISPs were cut off.
Stories from the Washington Post and the BBC. Brian Krebs of the Washington Post also discusses this in his Security Fix blog.


More ISPs are allocating resources to deal with DDoS attacks, according to Arbor Networks' 2008 Worldwide Infrastructure Security Report. A related article is on ZDNet, and an article on Vnunet discusses ISPs' fears about IPv6 threats.

A study by Google, presented at the RIPE meeting in Dubai, reports that France and Russia are ahead in IPv6 adoption.


SecurityFocus reports that “Anti-malware testing group releases standards”, and the standards can be downloaded here.


SANS will also have a Webcast on Understanding the WPA/WPA2 Break.

Since we're on the topic of webcasts, the presentations from SourceBoston's 2008 conference, held in March of this year, have been up on Blip.tv for a while now. They include great talks on incident response, secure coding, etc.


And since I enjoyed Schneier's essay “The Psychology of Security”, I thought InfoSec professionals would find it funny that the Washington Times reports that paranoia is on the rise :).


SC Magazine Whitepaper Roundup

Top five strategies for combating modern threats – is anti-virus dead?
By: Sophos Plc.
Today’s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce. Organizations need innovative approaches to protect the web, email servers and endpoint. This paper discusses the security implications of modern…

Complying with the Payment Card Industry’s Data Security Standard
By: DeviceLock, Inc.
The Payment Card Industry Data Security Standard (PCI DSS) was drawn up in order to reduce leakage and inappropriate use of credit card information. It contains over 100 clear information security requirements for all companies who process, store or transfer data about cardholders: banks, processing…

Addressing the Operational Challenges of Administrative Passwords
By: ManageEngine
Enterprises making use of various IT systems (servers, devices, applications etc.) face numerous challenges due to the proliferation of administrative passwords (also called privileged passwords). This white paper discusses the problems associated with administrative password proliferation with…

Tripwire PCI DSS Solutions- Automated, Continuous Compliance
By: Tripwire, Inc.
Find out step-by-step what it takes to become compliant with the Payment Card Industry (PCI) Data Security Standard (DSS), and how Tripwire can help your company achieve and maintain PCI compliance.

Malware Security: Taking the Botnet Threat Seriously
By: FireEye, Inc.
How does malware continue to infiltrate networks? Primarily because traditional defenses only address the threat in pieces and parts, which leaves gaps in the enterprise security infrastructure. Meanwhile, malware has become organized to form massive ‘botnets’ (networks of compromised…

ComputerWorld Technical Briefing: Mission-Critical Security – The Threat from Within
By: PacketMotion
We all know blind spots are bad for drivers, but are you aware of how potentially disastrous they can be for IT security professionals? Take a few minutes to review this Computerworld report and you'll get a clear picture of both the problem and the solution!

Automating Code Reviews: How to Manage Application Risk on a Shrinking Budget
By: Veracode
In a tightening economy many organizations are faced with a “do more with less” mandate on their budgets and their security strategies. On-demand application security testing offered as an outsourced service – based on binary analysis and multiple scanning technologies…

Database Auditing Tools and Strategies
By: Sensage
Learn about a new set of software tools that provide low overhead audit collection with storage, alerting and reporting capabilities. This paper details the trade-offs and strategy of each option.


Posted in News, Whitepapers, Wireless

Wireless Hacking part 2

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 7, 2008

Yesterday I had a post on Using Nmap to Detect Rogue Wireless Access Points. With that post were various links to freely available tools for hacking wireless networks, posted to help inform the public about the perils of wireless networking. However, I also posted a link on the advantages of wireless and how to secure it. As is often the case, one must seek a balance, or prioritize, among that OTHER security triad: COST vs SECURITY vs CONVENIENCE.

For the history buffs, there is A Brief History of Wireless Security from SecurityUncorked.com. CSOonline, back in May 2008, also published a very informative article, Wireless Security: The Basics.

News from SC Magazine US, SecurityFocus.com and Heise Security has just come out that WPA can now be cracked in around 15 minutes.

The SecurityFocus.com news item above also talks about recovering a WEP key in less than a minute using the aircrack-ptw tool, which is used with the aircrack-ng tool suite.

I remember that a few months ago the Risky Business podcast interviewed HD Moore, creator of the Metasploit Framework, regarding his evil Eee PC. It's about the new KARMA+Metasploit 3 framework, a set of tools that listens to all client probe requests and can then pose as a fake wireless AP for any requested network. The scary thing here is that you can possibly get owned as long as your wireless is enabled and automatically looking for an access point, without the user even knowing it. The older Karma framework is available here.

If the Risky Business podcast didn't get you a wee bit paranoid, an interview by Network World, Wireless security foiled by new exploits, just might do the trick. They interviewed Joshua Wright, who writes the security blog WillHackforSushi.com and is also the author of the six-day SANS Institute course, Assessing and Securing Wireless Networks.

I wonder what tools were used for the “Wall of Sheep” at the Defcon conference, which was also at BlackHat this year. In case you've never heard of the “Wall of Sheep”, it's a wall with a projection of usernames and part of the passwords of users foolish enough not to have enough security on their wireless connections. MySpace and Gmail accounts have also shown up (in spite of Gmail using HTTPS by default, but only for log-on) through the use of replay attacks. Apple iPhones and Windows Mobile phones have also shown up.

Since you'll want to save some of the information from the KARMA+Metasploit 3 framework, I'm guessing newer mini-notebooks like the Acer Aspire One, which retails for around $350, and the Lenovo IdeaPad S10, which retails for around $400, would both be great for this.

Since it's related, there's an on-demand webcast sponsored by Nokia on Corporate Mobility Policy and Device Management. In case your organization is PCI compliant or is looking forward to (or dreading) compliance in the future, Network World will be holding a webcast next month on PCI Wireless Compliance Demystified.

Posted in ISMS, News, Philippines, vulnerability, Wireless

Recent Whitepapers from Search Security.com

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 6, 2008

All the abstracts are from the searchsecurity.bitpipe.com website.

Accelerating PCI Compliance with Log Management and Intelligence.

Posted: 19 Sep 2008
Published: 19 Sep 2008
Format: PDF
Length: 6 Page(s)

ABSTRACT:
Today, all service providers and retailers that process, store or transmit cardholder data have a fiduciary responsibility to protect that data. As such, they must comply with a diverse range of regulations and industry mandates. One of the most important for the service provider and retailer is the Payment Card Industry Data Security Standard (PCI DSS), which sets forth 12 requirements for IT controls to ensure data security and protection. However, retailers both large and small face tremendous challenges in implementing policies and controls that enable PCI compliance, and the task of implementing best practices can be overwhelming.


Executive Summary: How to Achieve Comprehensive Network Security.

Posted: 16 Sep 2008
Published: 16 Sep 2008
Format: PDF
Length: 14 Page(s)

ABSTRACT:
Security practitioners need to think about security management along three separate axes – operations, investigations, and compliance reporting. Each of these functions is distinct, and typically involves different organizational hierarchies, which dramatically complicates the challenge of security management. The good news is that all of these management functions ultimately can be driven by a common data set, and that is the opportunity for a security management platform to aggregate this data once and leverage it for a number of suitable purposes.


Unauthorized Applications: Taking Back Control.

Posted: 01 Jul 2008
Published: 01 Dec 2007
Format: PDF
Length: 7 Page(s)

ABSTRACT:
This paper explains why it is important for businesses to control unauthorized applications such as instant messaging, VoIP, games and peer-to-peer file-sharing, and how malware protection is the simplest and most cost-effective solution.

The rapid emergence of Web 2.0 is beginning to redefine how individuals interact with the internet, and the related technologies pose a range of new threats. While there are a number of solutions available that help IT administrators to manage the problem, many require additional investment and, for many organizations, they can be expensive, unwieldy and difficult to maintain. A better solution is one which completely integrates the blocking of unauthorized applications into the existing anti-malware detection and management infrastructure.


Techniques for Transitioning to an IAM Suite.

Posted: 14 Oct 2008
Published: 14 Oct 2008
Format: PDF
Length: 5 Page(s)

ABSTRACT:
Organizations often fill their IAM needs with a variety of disparate techniques and applications, many of which are home grown or built by a variety of third parties. This tip will explain how an organization can ensure a successful transition from multiple products and tools to a single suite. It will look at:

* How to successfully map functionality from old product/tool functions to new ones
* How to evaluate and manage new and existing policy exceptions
* Guidelines for implementing custom connectors with legacy applications


Anonymous Proxy: A Growing Trend in Internet Abuse, and How to Defeat It.

Posted: 09 Sep 2008
Published: 09 Sep 2008
Format: PDF
Length: 5 Page(s)

ABSTRACT:
Anonymous proxies are an unseen threat: a student's or employee's backdoor to malicious or productivity-sapping sites on the Internet. If your URL filtering solution relies on the old-school URL database/keyword approach, your ship is leaking and you may not see the holes.

With hundreds of new proxy sites created each day, traditional URL filtering just can’t keep up, even when supplemented by standard keyword analysis. What follows is a primer on the problems, the sizable costs and time drain for IT professionals, and a discussion of an effective third-generation solution that goes far beyond the traditional strategy.

Posted in Whitepapers