Category Archives: InfoSec

UK Organisations still struggling with PCI:DSS Compliance… Time for fines?

Apparently only 9% of the UK’s level 1 retailers are confirmed as being PCI:DSS compliant, and most of these are virtual retailers, who most likely have a slightly easier task at becoming and demonstrating compliance.

So, given that organisations still seem to be lacking, VISA and MasterCard are apparently taking steps to up their game and apply some more pressure / persuasion. I know what you're thinking, most likely the same as me: we have heard it all before, and with disclosure being the way it is we don't get to hear about it anyway.

So what does this mean? Well, the fines are starting to flow: many organisations are being fined (apparently a little under half a million a month), and steps are being taken to prevent acquirer hopping, which is common when an organisation is getting too much hassle and simply jumps ship to another acquirer. Now if organisations are suspected of doing this to dodge regulation they are effectively blacklisted.

Of course I can't prove this is happening, just as no one else can, because disclosure laws don't allow for it, companies are not going to be actively publishing this on their sites, and customers I have worked with obviously share information under NDA.

All you can be sure of is that companies are making progress, but it is slow and unimpressive, and obviously isn't a big enough priority. To provide encouragement, fines are and will continue to be handed out, and they will be increasing. It can sometimes be hard to find out about the fines, so here is the current schedule of fines, correct as of 2nd Feb 2010.

Fines are stated in US Dollars (MasterCard) and Euros (Visa) respectively.

MasterCard fines for non-compliance are:

Level 1 & 2 Merchants

  • First Violation – Assessment Amount: Up to 25,000
  • Second Violation – Assessment Amount: Up to 50,000
  • Third Violation – Assessment Amount: Up to 100,000
  • Fourth Violation – Assessment Amount: Up to 200,000

Level 3 Merchants

  • First Violation – Assessment Amount: Up to 10,000
  • Second Violation – Assessment Amount: Up to 20,000
  • Third Violation – Assessment Amount: Up to 40,000
  • Fourth Violation – Assessment Amount: Up to 80,000

Visa expects level 1, 2 and 3 merchants to demonstrate that they are actively engaged in the programme to become compliant. A merchant will not be at risk from Visa fines for non-compliance if they are compliant with milestones 1-4 of the Prioritised Approach.

  • Confirmation of compliance not received within 30 days of notification letter
    – Assessment Amount: €5,250
  • Confirmation of compliance not received within 90 days of notification letter
    – Assessment Amount: €10,500
  • Confirmation of compliance not received within 120 days of notification letter
    – Assessment Amount: €26,250

The merchant will continue to be assessed €26,250 every 30 calendar days until compliance is achieved.

Further fines will be applied if you suffer an actual data compromise and are found to be non-compliant with PCI DSS.

Fines for Merchant Data Compromise

MasterCard fines for an account data compromise consist of several elements:

  1. Case Management Fee – this fee goes towards recovering costs related to administering ADC events, and is based on the type and complexity of the case, along with the number of cards involved. The minimum fee ranges from USD 2,500 to USD 150,000.
  2. Forensic Investigation – the merchant may be required to engage a third party forensic investigator at their own cost, in order to investigate the cause and extent of the problem.
  3. Depending on the number of cards compromised, card issuer losses, and monitoring costs, further charges may also be passed on to merchants at MasterCard's discretion.
  4. MasterCard also retains the right to charge for other costs relating to the ADC investigation, such as legal fees.

Visa fines for an account data compromise are:

  1. Sufficient remediation would be satisfied through demonstration that the following PCI DSS requirements have been implemented:
    1. Remove sensitive authentication data and limit data retention
    2. Protect the perimeter, internal and wireless networks
    3. Secure applications
    4. Protect through monitoring and access control
    5. Removal of CVV2 data must be achieved within 30 days
  2. The initial fine assessment of €2,500 would only apply for compromises notified to acquirers until October 31 2009 and will also apply to e-commerce merchants in Level III in the same period.

  • Visa may also pass on issuer reimbursement of fraud losses, which is unlimited and dependent on each individual issuer's claim.

Do the right thing when testing with production data

I thought I would write a post about organisations not doing the right thing (in my opinion) when they are using production data for carrying out testing. Perhaps I am alone on this one, and I would appreciate any feedback and opinions in the form of comments.

Now when I talk about production data, I am talking about data that could be considered personal or sensitive data. This could be credit card information, bank details, national insurance number, address, date of birth, medical records, sexual preference, etc. All of this data would be considered highly valuable to a criminal / fraudster, and as a result should be considered a significant business risk, not to mention the compliance implications, regardless of the industry the organisation operates in.

So with this in mind, why is it that so many organisations seem to think that serious consideration doesn't need to be given to protecting production data when it is used in a testing environment? Now I fully understand the value of using production data, and the possibly improved quality of testing that can be achieved, however this data shouldn't be used as is. It should be extracted and sanitised to make it anonymous / de-personalised. This ensures that should the data be compromised, not cleaned down appropriately, or migrated back into production, there is no real-world impact. Also I think we all know that test environments are not often a full representation of a production environment, especially when it comes to security controls.

I have seen this happen in organisations and it can have a real impact on an individual. Put yourself in this situation. Perhaps an organisation who offers health insurance is testing a new premiums engine. They use production data, and kick off testing, changing various parameters, including illness information, and decide to test the impact of having a sexually transmitted disease. Testing then completes, and by some error the information is migrated back into production. The next thing the customer knows, they receive a letter saying they can no longer be offered insurance due to being a sufferer of HIV. This information will have been linked with other databases of other organisations, and the dominoes begin to topple.

When we think how something might impact us as an individual we tend to take a little more ownership and care, and I think this is something lacking in a lot of organisations. I am not saying creating test data or converting production data for testing purposes is a trivial process, but that doesn't mean it shouldn't be done. There are various tools and scripts available to do what is necessary to production data, and some companies also offer off-the-shelf test data that may be appropriate.

So next time you're involved in testing, make sure you do the right thing. Understand what the goal of testing is, and what the results might look like. Review the data sets that are relevant and the risks and exposures they may bring. Then as appropriate do what is needed to mask, scramble, randomise and de-personalise the data. During testing ensure access levels are appropriate, and the necessary logging is in place. Then when all the testing is completed, follow the appropriate steps to clear down the environment ready for next time.

Ideally all this would be clearly defined in security and testing policies and processes, but regardless you will know you are doing the right thing, and this will also help greatly with meeting compliance and regulatory controls. It's probably not something consumers think about, but doing the right thing could also be considered a marketing benefit.
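As an added example (my own illustration, not code from the original post or from any tool it mentions), here is one way to mask, scramble and de-personalise an extract of the kind described above before it goes anywhere near a test environment. The sample records, field names and the pseudonymisation key are all constructed for the example; the key is assumed to be held outside the test environment.

```python
import hashlib
import hmac
import random
from datetime import date, timedelta

# Constructed sample extract of the kind of data the post warns about (not real people).
PRODUCTION_ROWS = [
    {"customer_id": "C1001", "name": "Alice Example", "ni_number": "QQ123456C",
     "dob": "1975-04-12", "card_number": "4111111111111111",
     "address": "1 Example Street", "medical_notes": "Hypertension, HIV positive"},
    {"customer_id": "C1002", "name": "Bob Example", "ni_number": "QQ654321A",
     "dob": "1988-11-30", "card_number": "5500000000000004",
     "address": "2 Example Road", "medical_notes": "None recorded"},
]

# Assumed: the key is held outside the test environment and never ships with the data.
PSEUDONYM_KEY = b"constructed-key-for-example-only"

def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way token: stable, so joins across tables still work, but not
    reversible without the key (a plain hash of an NI number would be guessable)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the most PCI DSS allows to be displayed)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def shift_dob(dob: str, customer_id: str, max_days: int = 180) -> str:
    """Move the birth date by a per-record, deterministic, non-zero offset so the
    age band stays realistic for premium calculations but the real date is gone."""
    rng = random.Random(pseudonymise(customer_id))
    delta = rng.choice([d for d in range(-max_days, max_days + 1) if d != 0])
    return (date.fromisoformat(dob) + timedelta(days=delta)).isoformat()

def sanitise_row(row: dict) -> dict:
    """Free-text fields are replaced outright: they cannot be scrambled safely."""
    return {
        "customer_id": pseudonymise(row["customer_id"]),
        "name": "Customer " + pseudonymise(row["name"])[:6],
        "ni_number": pseudonymise(row["ni_number"]),
        "dob": shift_dob(row["dob"], row["customer_id"]),
        "card_number": mask_pan(row["card_number"]),
        "address": "1 Test Street, Testville",
        "medical_notes": "[REDACTED]",
    }

def sanitise_extract(rows: list) -> list:
    return [sanitise_row(r) for r in rows]
```

Because the tokens are keyed and deterministic, the same customer maps to the same token in every table of the extract, so referential integrity survives the sanitisation while the real identifiers do not.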

So rant over, maybe you agree, maybe you don’t, but I would be interested in your comments.

Internet Explorer Zero Day Patch

Microsoft has announced that today (21-01-2010) at approximately 6pm (UK time) it will release an emergency out-of-band patch to fix the Internet Explorer zero day security vulnerability that has been used by attackers in various high-profile targeted attacks, specifically the recent Trojan.Hydraq attacks waged against Google and a number of other companies. The vulnerability affects Internet Explorer 6, 7 and 8, which make up the bulk of the versions used today. However, the only in-the-wild exploit code for this vulnerability detected thus far is confirmed to affect just Internet Explorer 6.

Keep an eye on the Microsoft Security Site for more information.

Also check out the Microsoft Advisory on this matter (979352).

Here is the patch: MS10-002.

Secure USB Devices Vulnerable – Lists here…

This information might be about a week old now, but as I have been going over the Enterprise and Personal offerings from Ironkey, I thought I would briefly touch on this newly found vulnerability and which devices are currently known to be vulnerable.

So in late December 2009 SySS produced a couple of papers detailing how they managed to bypass the security on SanDisk and Kingston secure USB storage devices. Basically they designed a tool that produces a static unlock code that always unlocks the affected devices. It's my understanding that this is possible due to a flaw in how the user's passcode is verified on the PC and signalled to the device.

This is obviously a significant issue; I know personally of many organisations that have deployed these devices, and this will also include Government organisations, as most of the devices are classified as FIPS 140-2 compliant.

So should you be worried? Well, yes, if you're using one of the following devices:

  • SanDisk Cruzer Enterprise FIPS Edition USB flash drive, CZ32 – 1GB, 2GB, 4GB, 8GB
  • Verbatim Corporate Secure FIPS Edition USB Flash Drives 1GB, 2GB, 4GB, 8GB
  • SanDisk Cruzer Enterprise with McAfee USB flash drive, CZ38 – 1GB, 2GB, 4GB, 8GB
  • SanDisk Cruzer Enterprise USB flash drive, CZ22 – 1GB, 2GB, 4GB, 8GB
  • SanDisk Cruzer Enterprise FIPS Edition with McAfee USB flash drive, CZ46 – 1GB
  • Kingston DataTraveler BlackBox (DTBB)
  • Kingston DataTraveler Secure – Privacy Edition (DTSP)
  • Verbatim Corporate Secure USB Flash Drive 1GB, 2GB, 4GB, 8GB
  • Kingston DataTraveler Elite – Privacy Edition (DTEP)

As I was looking at Ironkey devices at the time of all this, I have had confirmation from Ironkey that, as far as they are aware, they are not susceptible to this type of vulnerability, due to the architecture used in their devices and the fact that all verification occurs in the onboard hardware.

Ironkey S200 Personal Review

I don't want to go over too much of what has already been covered by the Enterprise Review from last week. The main focus of this review is to demonstrate that you don't have to be part of a large organisation to benefit from what the Ironkey has to offer, as the personal versions are great too. As I previously said, I have been using Ironkeys for a while myself, and these are personal devices.

Below is a brief recap of what the Ironkey Personal is all about and how you go from opening the box to secure storage and browsing.

Personal Version Specs:

  • Rugged metal casing
  • Waterproof
  • Tamper-resistant
  • AES 256-bit hardware encryption
  • FIPS 140-2 Level 3 validated
  • Strong authentication
  • Secure browser / portable apps
  • Secure password management
  • Self-service password recovery

So you have just got your hands on your nice new shiny S200 Ironkey Personal, popped open the nicely designed black box and plugged it into your USB slot. The first step is to initialise your key.

It's important to give your Ironkey an appropriate name, so that you can easily identify it in your personal online console, because you're going to want more than one at some point. The next step is obviously to select a strong passphrase. It might be AES 256-bit encrypted, but using the password "password" isn't going to be that secure.

The next part is to read through and accept or reject the T's and C's.

Once that's all out of the way the Ironkey will start doing its thing: encrypting, configuring and installing.

As with the enterprise version, you need somewhere to keep track of your keys, back up your password for recovery, etc. So now you need to create an online account, or, if like me, add your Ironkey to your existing account.

Now your account is set up, Ironkey will send you an email with an activation code. You will need to enter this into your online account to set up and confirm the association between your account and your Ironkey.

Now you're good to go. You should find that the Ironkey control panel has also launched, and this gives you access to the various pre-installed applications and services: secure Firefox browser, password manager, update manager and more.

You will also notice there is an option to fill in some Lost and Found information. This is then displayed to anyone who inserts and attempts to activate the Ironkey. They can then contact you to make you aware of how foolish you were to lose your precious key 🙂

So that's pretty much you good to go. However I will add one thing that seems to be very unclear when you're looking around online. People seem to think for some reason that you are unable to install new applications onto your Personal Ironkey. Well of course you can. I will quickly go through how to install Pidgin; other applications should be the same.

First off head along to Portable Apps, and get yourself a copy of Pidgin.

You then simply install this to the secure files location on your Ironkey. Then from your Ironkey control panel right click on the applications screen and select add application.

Now select the Pidgin executable in your secure storage location. Then Bob's your uncle, you have Pidgin good to go.

I hope this review was informative and helpful to a few of you. For more information on Ironkey and where to buy one, check out their website.

The Real Hustler Blogging – Paul Wilson

I first found out about Paul's work on the UK TV show "The Real Hustle". They carry out some excellent cons on this show and explain how each one goes down. Paul does some awesome sleight of hand work, and I really admire his knowledge. It's great to see Paul has decided to set up a blog, and hopefully share some of his insight further with the rest of us.

Paul Wilson
A world renowned expert on cheating and con games, Paul is writer/presenter of hit BBC show The Real Hustle. He is also the co-creator, producer and star of Court TV’s “The Takedown” and has pulled more cons than anyone in history.
So check out Paul's blog The Real Hustler, and check back regularly as he updates the contents.
If you're not familiar with the show "The Real Hustle", check out this YouTube clip of Paul below doing his thing.