Thursday, July 3rd, 2008
These tips can help you make sure you are PCI compliant and tell you what it may cost your company if you aren’t.
June 26, 2008 — CIO — CIO.com and CSOonline.com team together to bring you the most pertinent information on PCI compliance. Whether you think you’re already in compliance or you’re in complete denial of the June 30, 2008 deadline, these tips can help you make sure you are compliant and tell you what it may cost your company if you aren’t.
FUD Watch: Vendor Hype Escalates Over PCI Deadline
Monday is the day merchants must be in compliance with PCI DSS Requirement 6.6. That means the security vendor PR machine is in overdrive.
PCI Is Security Simplicity, Not Complexity
Payment card industry data security: the standard that makes people stupid.
All About the PCI Data Security Standard
More than just another data-security standard, the PCI program is corporate America’s most ambitious effort yet to prove that it can self-regulate. But even a standard with everything going for it might not be enough to stop the loss of credit card data.
A Guide to Practical PCI Compliance
Myriad merchants find themselves at the end of the PCI compliance barrel and are spending significant amounts of time, money and effort in achieving PCI compliance. Advice from companies that have been there can help smooth your path.
Acceptance Growing for PCI Security Standard
PCI chief says the PCI DSS security requirements have gained considerable momentum in the US and globally.
PCI: Smart or Stupid?
The data security standard isn’t as complex as some would have you believe.
PCI Standards Body Moves Ahead on Payment-Application
PCI Security Standards Council releases list of certified payment applications under Payment Application Data Security Standard.
Does the PCI Standards Council Have a Clue?
In version 1.1. of the PCI DSS (Payment Card Industry Data Security Standard), there are requirements for securing the application layer of a credit card.
The PCI Data Security Standard
Learn about the validation requirements of the payment card industry’s data security standard (PCI DSS), including administrative and technical elements of the program, and the potential sanctions for failure to comply.
Building a Strategic, Comprehensive Solution for PCI-DSS Compliance
Security trends and hacking techniques are continually changing and, as a result, the PCI-DSS continues to evolve. To stay ahead of these trends and prove compliance, your organization needs a powerful solution for collecting and monitoring user activity. Learn more about how you can use compliance as a means of competitive differentiation.
Industry View: Calculating the True Cost of PCI Non-Compliance
Compliance costs, but the cost of non-compliance may be more.
Payment Card Industry Compliance
Ignoring the PCI Data Security Standard is risky business. Here’s how you can prepare for compliance.
Do We Need Whistle-Blower Laws in Security?
Security laws aren’t all black and white.
PCI Is Security Simplicity, Not Complexity
The payment card industry data security standard seems to make relatively smart people instantly dim-witted as they complain about its so-called complexity.
Can Mid-Market Merchants Comply with PCI Standards In Time?
If you want to transact business with credit cards, you have to follow the rules: the payment card industry security standards. Companies that don’t comply face fines or worse. So why aren’t more mid-market merchants already in compliance?
One-third of Visa Merchants Missed Security Deadline
Companies face fines for non-compliance.
Why Should Merchants Keep Credit Card Data?
The retail industry advocates keeping a bare minimum of customer financial information. Just enough to still serve your customers without providing potential thieves what they need.
Crushed by Compliance Tyrants
Are you beset by compliance regulations that just don’t make sense? Cutting back on important security measures to pay for them?.
Tear Down that Silo: Compliance in the Executive Suite
Treating compliance as a one-time project costs far more for IT measures than if you take a proactive and integrated approach.
I’ve Got My CrankyPants on Again
Will PCI’s PA-DSS (Payment Application Data Security Standard) be a mess?
© 2008 CXO Media Inc.
Posted in Information Security | No Comments »
Wednesday, May 14th, 2008
May 13, 2008 By Jaikumar Vijayan (Computerworld) In the third data theft incident of its kind to come to light since March, Dallas-based restaurant chain Dave & Buster’s Inc. today disclosed that credit and debit card numbers were stolen last year from the computer systems at 11 of its locations during the card verification process.
The thefts at Dave & Buster’s took place during a four-month period from May through August of last year and have resulted in fraudulent payment card transactions worth at least $600,000 using data stolen from one of the restaurants alone, according to a federal grand jury indictment of three individuals that was unsealed yesterday at U.S. District Court in Central Islip, N.Y.
The U.S. Department of Justice said in a statement (download PDF) that the three alleged perpetrators — two of whom are listed as living in Eastern Europe — have all been arrested in connection with the case and that they are charged with various crimes as part of the indictment.
The DOJ identified the arrested individuals as Maksym Yastremskiy, a resident of Ukraine, and Aleksandr Suvorov, of Estonia. The 27-count indictment against the two includes charges of computer fraud, wire fraud, aggravated identity theft and interception of electronic communications.
Yastremskiy, who also goes by the name Maksik, was arrested last July in Turkey, the DOJ said, adding that the U.S. government has made a formal request to have him extradited. Suvorov, who uses the online handle JohnnyHell, was arrested in March in Germany at the request of U.S. officials and remains in jail there while the German government acts on a formal extradition request, the DOJ said.
The third individual charged in the Dave & Buster’s case was identified as Albert Gonzalez, a Miami resident who faces one count of wire fraud. The DOJ said that Gonzalez, who uses the alias Segvec, was arrested this month by the U.S. Secret Service.
In a statement sent via e-mail in response to a request for comment, Dave & Buster’s said that the alleged thieves stole the so-called Track 2 data from the magnetic stripes on the back of credit and debit cards, including the card numbers and expiration dates. The company said that the information hadn’t been stored on its systems and was taken while the data was being transmitted to authorize transactions. It noted that the thieves didn’t get any other personal data, such as names, addresses, PINs, or bank account and Social Security numbers.
In the statement, which was posted on the Restaurant News Resource Web site, Dave & Buster’s said that it "was alerted to the potential data intrusion" late last August and that it "immediately" notified Secret Service officials. The company added that it notified the credit card companies of affected cardholders last September. But the data thefts weren’t publicly disclosed until after the unsealing of the grand jury indictment.
Dave & Buster’s, which operates 49 restaurants, said data was stolen from outlets in New York, Illinois, Michigan, Florida, Ohio, Colorado and Texas. Following the discovery of the data thefts, the chain "implemented additional security measures to prevent any such incident from occurring in the future," it said. But the company didn’t elaborate on what those additional measures were.
According to a description of the heist in the grand jury’s indictment, Yastremskiy and Suvorov allegedly managed to gain remote access to point of sale (POS) servers at the affected Dave & Buster’s locations — apparently by falsely representing that they were authorized to access the systems. The two then allegedly installed packet-sniffing software designed to capture Track 2 data as it was transferred from compromised POS servers to a central system for transmission to the chain’s payment processor.
The software stored the captured data in a log file, from which it was later collected by Yastremskiy and Suvorov, according to the indictment. The document says that a defect in the packet sniffer caused it to deactivate each time an infected server was booted up. But each time that happened, Yastremskiy and Suvorov allegedly went back into the compromised systems and reactivated the malware.
As an example of the thefts, the indictment says that a log file retrieved from one store contained data on about 5,000 credit and debit cards. The stolen data allegedly was later sold to other individuals, who used the information or resold it themselves — eventually causing losses of $600,000 or more to the financial institutions that issued the affected cards.
The disclosure by Dave & Buster’s follows similar ones in March by Hannaford Bros. Co. and Okemo Mountain Resort. In Hannaford’s case, the Scarborough, Maine-based supermarket chain said that up to 4.2 million credit and debit card numbers and their expiration dates were stolen by a packet-sniffing tool while the information was being transmitted to its external payment processor to authorize transactions. The malware was planted on servers at nearly 300 grocery stores in New England, New York and Florida, Hannaford said.
The Hannaford breach was one of the first confirmed data thefts in which such a large amount of information was stolen while it was in transit, as opposed to being stored on a company’s systems. Hannaford also said it was fully compliant with the requirements of the Payment Card Industry Data Security Standard, which is known informally as PCI. That claim has raised questions about how useful the security standard is in protecting companies against such thefts, although PCI officials in turn have questioned whether Hannaford really was compliant.
Two weeks after Hannaford made its disclosure, Ludlow, Vt.-based Okemo reported a breach involving the theft of data as payment cards were being swiped at the ski area’s cash registers. An Okemo spokeswoman said law enforcement authorities who were investigating the breach told the resort that they were are looking into about 50 reported incidents of the same sort in the Northeast alone.
The disclosure by Dave & Buster’s is another indication that data thieves are increasingly targeting retail POS systems, said Rosen Sharma, chief technology officer at Solidcore Systems Inc., a vendor of change management software in Cupertino, Calif.
The focus of efforts such as PCI has been on strengthening security at the network perimeter and at the points where payment card data is centrally pooled by retailers and then forwarded to payment processors, Sharma said. He added that in contrast, a lower priority has been placed on securing POS systems, making them a relatively soft target for attackers to go after.
At many retail locations, there are few restrictions on access to POS servers, Sharma claimed. "You can walk right up to these machines and stick a USB device into them," he said. The POS servers may not yield a large volume of payment card data at one time, he noted — but over a longer period, they can prove extremely valuable to data thieves.
Posted in Industry News, Information Security | No Comments »
Friday, May 9th, 2008
April 22, 2008 — Network World — Researchers are touting an innovative cryptography method they’ve developed called "functional encryption," which though largely untested in the real world, one day could have an impact on how enterprise data is encrypted, stored and decrypted.
UCLA associate professor Amit Sahai, who has worked with UCLA computer-science alumnus Brent Waters on functional encryption for three years, says the technology lets an individual encrypt data in a way that lets people decrypt it only if they have the right "attributes."
"The mathematical system will produce an encrypted record that only people matching the criteria can decrypt," says Sahai, who recently published a paper on functional encryption with Waters that was presented at last week’s Eurocrypt Conference. "To do this, you get a personalized key that expresses your attributes bound up in one key."
In an enterprise environment, the attributes bound up in users’ encryption keys might be associated with just a name or also with the jobs they do that require restricted access to scrambled data in business, government or a university. "There could be a one-way decryption function used in many ways in both custom or Web applications, for example," Sahai says Each personalized key, expressing the security attributes of what that person is permitted to view, would unlock only the appropriate encrypted data and nothing else.
A user’s key would be able to decrypt scrambled data because the data, always stored in encrypted form, would recognize through a mathematical process the people holding the right key with the appropriate attribute associated with that data. "It’s through all this math packed into the message that the reader is recognized," says Sahai, who says functional encryption makes use of elliptic-curve encryption, which is seen as computationally efficient.
Sahai says the hope is that the work he and his colleagues have done will one day improve server-based security. "We really want to make it so the server has no idea what it’s holding," he says. "Instead, we want to make sure the right people get the data, and this is through the mathematics itself."
Although Sahai says his technology can’t properly be called digital-rights management, he says it could be viewed as a type of "privacy-rights management" based on the concept of a system public key. The challenge of devising a tool for functional encryption is not just the complex math but also making sure the system can withstand so-called "collusion attacks" to undermine its integrity, Sahai says.
Earlier versions of a functional-encryption software tool were made public in the past at UCLA, and Sahai says he will soon make available a new version of the functional encryption tool for review so experts can test its efficacy.
The paper will also be published in a forthcoming edition of the Journal of Cryptography. UCLA says the research into functional encryption has been funded in part by the National Science Foundation, the U.S. Army Research Office and the U.S. Dept of Homeland Security.
Posted in Information Security, Risk Management | No Comments »
