[SecurityRatty] tag: retailer

PCI V1.2, a good start but still not enough

Wed, 03 Sep 2008 12:56:31 +0000

Blogger: Randall Gamby

Two weeks ago the PCI Security Standards Council released the preliminary details of the PCI Data Security Standard (DSS) V1.2 that’s due out in October. While many Analysts and Reporters have already written on the topic (I’ll be releasing an extensive update on Burton Group’s PCI coverage around the October release date), they really haven’t commented on what’s still not been addressed by the standard for enterprises still working on attaining compliance.

While I applaud the PCI Security Standards Council in further clarifying and adjusting the standard, a lot of work still needs to be done. I receive about one or two PCI questions a week from our clients and they seem to revolve around a couple of topics I’ve yet to see addressed:

Guidelines for selecting a Qualified Security Assessor (QSA) – while there are a large number of QSA organizations listed on the PCI Security Standards Council web site; they can’t really recommend a particular QSA for an individual organization. This leads a lot of organizations to struggle with determining what criteria they should use in selecting a QSA for their certification.
The role of the QSA – organizations are also still trying to understand the role of a QSA. Should they get a QSA involved in the gap and remediation process in advance of certification? If so, should it be the same QSA that will do their certification (knowing there’s a risk that the QSA will be pre-disposed to only care about certain vulnerabilities)?
Industry-specific best practices – while each organization may have different infrastructures, in general, most industries try to be consistent with the major functions they perform. So are credit card transactions handled differently between say, a major retailer with 10,000 POS systems and an insurance company that has hundreds of independent agents receiving remittances? Probably, so what are best practices around these industry-specific configurations?
Virtualized environments – while the PCI Security Standards Council recognizes that some organizations have moved to virtual services for consolidation and management, the DSS really doesn’t provide guidelines for QSAs to evaluate and certify these environments.
Monitoring and audit – while the PCI DSS recommends minimum timeframes for scanning, doing pen tests, etc. what are the real levels of monitoring and audit needed for ensuring security? With the Hannaford and Okemo breaches that occurred (both where PCI compliant), neither discovered the problem until months after the breaches had happened. So identifying what should be scanned and tested and if some of this should be on a continuous basis still requires refinement.
PCI as part of an overall security model – what are the best practices around merging PCI security requirements into an enterprise’s overall security model? Should it be maintained separately? Should some components be integrated with similar security mechanisms? Should PCI be at the top of the security model and other configurations be based upon its requirements? There are really no answers coming forth on this topic and the other question is where will they come from? Surely enterprises won’t expect the PCI Security Standards Council to tell them how to run their security services.

I will be providing Burton Group’s perspective on most of these questions in my upcoming report, but rather than relying on third parties to resolve these, I’d hope that the PCI Security Standards Council will be able to continue to provide answers to the questions they can in future updates, and releases, of the PCI DSS.

Target Web Sites Sued for Being Inaccessible to Blind Students

Thu, 28 Aug 2008 09:33:49 +0000

I fully support people’s civil rights and freedoms, and regulations that help people with disabilities survive and succeed in society. Still, I sometimes wonder if certain things can go a bit too far. Recently, a blind student sued the retailer giant Target for having a web site that couldn’t be parsed by his special reader…and won, even though no regulations actually exist to control the accessibility of web site content…

Target has settled a class action lawsuit with the National Federation of the Blind over accessibility complaints with Target.com. Despite the law being unclear as to whether the Americans with Disabilities Act (ADA) applies to websites, the company will pay a substantial fee and update its web site to make it accessible to the blind.

In February 2006, Bruce Sexton Jr., a student at the University of California-Berkeley and president of the California Association of Blind Students, sued Target because its web site was inaccessible to the blind. Filed in conjunction with the National Federation of the Blind, the suit was used as to spotlight many corporate sites that don’t play well—if at all—with screen reading technology.

Read the full article here.

7 Online Blunders That Threaten Your Identity

Mon, 11 Aug 2008 09:26:52 +0000

#7 - 'Shopping Online the Same Way You Do in Stores' -- Online shopping requires special precautions because the risks are different than in a walk-in store: You can't always be sure who you're doing business with. You must disclose more personal information, such as your address, to the online retailer....

PC Universe is shrinking thanks to McAfee Secure's cluelessness

Fri, 27 Jun 2008 06:11:00 +0000

My web app sec friends know exactly how to push my red buttons. "Heh-heh, send it to Russ, he'll go off." Yep. ;-) Thanks, Rafal. Now I'm all spun up. I was sent two moronic gems this morning; one on the merits of McAfee Secure / Hacker Safe and the 109% sales increase it resulted in for PC Universe, the other an interview with the Internet's single biggest dillweed, Cresta Pillsbury. These articles are both a bit dated, but they equally embrace the premise of "trust" logos as a predominant sales driver, rather than any actual motivation to secure a site and protect consumers.
An example:
"If you’re doing conversion marketing and statistical testing on your website and you haven’t explored trust logos yet, then you’re missing out."
I must be the most naive person in the world; this enrages me. When will the idiots who write this crap get a clue? They've bought right into the hype the snake oil salesmen hoped they would and are now complicit in their failures.
Case in point, as seen in the Internet Retailer piece. By the way, I realize that Internet Retailer and basic web application security practices are completely at odds, but this one deserves direct abuse.
"PC Universe first tested Hacker Safe on its own site in an A/B split test in which half the visitors saw the Hacker Safe seal and half did not. During that test, 7.3% more orders came from Hacker Safe shoppers than from the control group. PC Universe, which operates on the web at PCUniverse.com, is No. 360 in the Internet Retailer Top 500 Guide."
Really? Let's see what McAfee Secure / Hacker Safe has done to actually provide any measurable security benefit.
How about absolutely nothing.
Here's PC Universe's very current, verified McAfee Hacker Safe cert.
Now, here are a few ridiculous examples of reality from the this universe as opposed to the McAfee-twisted alternate universe. Please note, this is the "accountid" variable, and the fact that the marquee is rendered no less than eight times.
1) Marquee
2) XSS Deface
3) Cookie
If you rather just see a video of these vulns, it's here.
PC Universe, rather than lauding your sales increases thanks to some POS logo, try securing your site code. I guarantee you have other issues.
McAfee Secure, once more, you are simply fraudulent to the core.

del.icio.us | digg

Links for 2008-06-17 [del.icio.us]

Tue, 17 Jun 2008 20:00:00 +0000

Andy, ITGuy: GRC - Love it or hate it
Five questions to ask before trusting your data to Amazon or other storage cloud provider - Network World
Will I have access to logging and auditing data? Such access lets you find out whether anyone other than you is modifying or changing your data, says Joel Snyder, senior partner with Opus One and a Network World product tester. Amazon.com and Nirvanix
Learning from Server Logs
Log Talk » Blog Archive » Ten reasons you will be unhappy with your SIM solution – and how to avoid them
Ten reasons you will be unhappy with your SIM solution
Schneier on Security: How to Sell Security
PCI Blog - Compliance Demystified » Blog Archive » PCI Compliance and Virtualization
PC World - Business Center: Most Retailer Breaches Are Not Disclosed, Gartner Says
Data breaches at retailers are the top cause of credit and debit card theft, accounting for about 20 percent of all incidents, Gartner said.
Proposed SEC Rules Broaden Scope of InfoSec Compliance Responsibilities | BlogInfoSec.com
Rational Survivability: The Ghost Of Future's Past: VirtSec Innovation Circa 2002
Fortinet buys assets of security vendor IPLocks - Network World

Data security and the "chasm of protection"

Tue, 17 Jun 2008 09:25:00 +0000

I was thinking a bit more about the notion of data-centric or information-centric security and why this is absolutely the future of data protection...

Say you are a retailer. You have data in your POS devices, encrypted with the POS application as cards are read in. As this data is required by another application, it has to be first decrypted so this in-store application can read it. It may then encrypt it again as it stores on in-store servers. Now assume you have another application in the data centers that is used for card settlement. Another decrypt-encrypt cycle from the store to the data-center!

This scenario is not limited to a retail environment. Consider a similar cycle repeating itself in most companies as data is moved from location to location, analyzed and processed by multiple applications and on multiple devices and multiple internal and external networks - each time being decrypted, stored or transfered in the clear till it gets encrypted again. Each time this cycle repeats, there is a weakness that can be exploited - since there is a gap in the consistent protection of data.

Being data-centric however, brings in persistence and consistency in the protection of that data element, thereby removing this "chasm".

Security Briefing: June 2nd

Mon, 02 Jun 2008 06:49:57 +0000

I’m baaaaaack! As many of you noticed, Myrcurial was a trooper last week manning the battlements here at Liquidmatrix as I handled a personal project. And now, I can share the good news. My wife and I had our first child last week! Both mother and baby are doing great!

Thanks to all of our new subscribers that joined us yesterday. Welcome!

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

Phishers Target New Victims on LinkedIn | PC World
Banks and Google mailing PIN codes on pieces of paper | the Inquirer
Sourcefire rejects Barracuda bid | vnunet
MediaDefender Defends Revision3 SYN Attack | Wired
US FAA database corrupted by hard drive failure | Blocks and Files
Bruce Schneier Q&A: The Endless Broadening of Security | CSO Online
Card issuers passing on fraud costs to retailer | Colorado Springs Gazette
H-1B opponents challenge Bush administration in court | Computerworld

Tags: News, Daily Links, Security Blog, Information Security, Security News

Blogtard or Hero ?

Tue, 27 May 2008 11:30:53 +0000

In a recent The Register article, the firing of a TJX employee who blogged about security deficiencies was noted…

TJX Companies, the mammoth US retailer whose substandard security led to the world’s biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked.

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager name Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.

So happy shiny Liquidmatrix Security Digest readership…

Is he a Blogtard or a Hero?

… and do you have a published, communicated, and monitored employee policy on blogging about your company?

Tags: TJX, Blogtard, Whistleblower, Internet Asshattery

Most retailer breaches are not disclosed, Gartner says

Fri, 23 May 2008 20:00:00 +0000

While nearly half of U.S. retailers have been hit with some kind of information security attack, only a small percentage of them have actually reported breaches to their customers, research company Gartner reports.

Internet retailer sues Yahoo for $1 million

Wed, 16 Apr 2008 09:00:00 +0000

Online retailer Bigreds.com is suing Yahoo for $1 million, claiming it was overcharged because it was the victim of click fraud.