
Tales From The PCI Crypt – Put the Bogeyman Back in the Box Boys

I just hate it when people rustle up some FUD to try and paint a false picture of PCI. Two people who I know, respect, and who should know better have done just that, it seems. Over on Dark Reading, Rob Lemos has an article up called “Small And Midsize Businesses Look For Ways To Cut Compliance Costs”. In the article Rob seems to rely on Josh Corman to paint a picture of the high costs of PCI compliance for SMB businesses. Either Rob missed the point Josh was trying to make, or they have mistaken SMB for really big businesses, or both.

Let’s be clear: the average SMB merchant is paying next to nothing for PCI compliance. That is because the overwhelming majority of the Level 4 merchants out there don’t even use the internet or another public network to store, process or transmit credit or other electronic card data. Most merchants have a PA-DSS certified terminal they received from their merchant service provider, connected to a phone line. When someone pays by credit card they swipe it through the terminal and it is done. They don’t store any cardholder data. For them, complying with PCI is no more than annually filling out SAQ “B”, which is about 45 or so questions, to which they will answer yes to almost all of them and move on.

For the small minority of merchants who process credit cards via a public network, a good chunk of them take themselves totally out of scope by using Authorize.net or some other gateway where their customers enter the credit card information. Those merchants have totally outsourced the processing. Their PCI compliance costs and experience are even easier. They fill out SAQ “A” once a year. It has even fewer questions than SAQ “B”, and again they just answer yes to almost all of them.

So I am not sure how Rob and Josh come up with stuff like:

In fact, according to IT security analyst firm The 451 Group, nine different security technologies are required for PCI compliance alone: antivirus, firewalls, intrusion detection systems, encryption for data at rest, file integrity, log management, multifactor authentication, a Web application firewall (or a security development life cycle), and a vulnerability management solution.

Then there are the services: a qualified security assessor, an approved scanning vendor, and, in the case of a breach, a qualified incident response assessor.

For small and midsize businesses (SMBs), the costs can be overwhelming, says Joshua Corman, research director for The 451 Group’s security practice.

and later on:

Finally, SMBs must pay an auditor to verify they are complying with regulations

What SMB business is paying for a QSA? Only Level 1 merchants need a QSA, and that is basically for those who have over 6 million transactions a year. Hardly an SMB. If the merchant is not storing any of this data and has no CDE attached to a public network (as most of them do not), they don’t need any of this stuff.

I think Rob and Josh need to go back and say what they mean by SMB. Josh does say one thing here that I agree with:

Don’t use the same company to assess your compliance and provide a solution — even if it costs less, Corman says. It’s not unheard of for an assessor to fail a client in a specific area in order to sell a product that “fixes” the problem, he says.

Of course this applies to Level 1 merchants who need a QSA, not SMBs. But for those who do, it is dead on. You can’t be both the auditor and the consultant. Otherwise Trustwave could wind up being spelled Arthur Andersen.

alan

Tales From The PCI Crypt

After working with more and more merchants, merchant service providers and the other players in the PCI food chain, I feel like the Crypt Keeper. So with that in mind, here is another story from the PCI Crypt:

A medical office calls up to say that they think they need to fill out SAQ D because they store credit card numbers. Your friendly Crypt Keeper asks them why they are storing credit card numbers. It seems that their medical services are usually not fully covered, if at all, by insurance. As such they charge their patients every month, actually twice a month in some cases. So they keep their credit card numbers on file in their system.

OK, there are probably ways to set this up so they don’t have to store the numbers in their own system, which is locally hosted in their office. I suggest that, but they are pretty hung up on storing their own information on premises (don’t ask me why). So I start asking about their office network. They refer me to their “computer guy”, a consultant who comes in every month and runs the network.

So I call the computer guy. He tells me security isn’t his thing, but he is pretty sure there is a firewall built into the Netgear router they have. You do need a password to access their application, but beyond that: no encryption, no vulnerability scanning, no AV on endpoints, no regular patching, pretty much no security to speak of.

I tell him this is not good. I send him a whole mess of pretty PDFs from the PCI Council and a spreadsheet showing the 12 areas of PCI, and tell him we can work with him and the medical office to get them on the right side of PCI.

I get an email from the computer guy today. He tells me sorry for not getting back to me sooner, but great news: he has talked the office into buying a UTM and he will install it on the network. That other stuff in this PCI thing seems like it is for bigger networks, so they are just going to pass on that! How is that? He is putting a UTM in, so he is fine storing all of his patients’ credit card numbers.

So what does it take to put the fear of the PCI gods into these people? Do they need a break-in and maybe a half million dollars in fines before it sinks in? PCI is minimal security, but if the merchant won’t even do that, is there any hope?

Well, I am going to be the bearer of bad news tomorrow and try to make “the computer guy” understand. How many other customers does he have that he is “securing” as well? It is pretty sad, I tell you.

alan

Security.Exe Podcast with guest Caleb Sima

I am back to podcasting after a few months off. My guest is Caleb Sima, the CEO of Armorize and founder of SPI Dynamics. Caleb tells us why he chose to head up Armorize and why drive-by malware is such a threat.

Hopefully this will be the first in a new series. If you are interested in appearing, drop me a line at info@ashimmy.com

alan

AMEX breaks PCI control number 4: Encrypt transmission of cardholder data across open, public networks

Of all the parties you would expect to adhere to PCI-DSS controls, I would think American Express would be at the top of the list. After all, AMEX is one of the five companies that founded the PCI organization and is asking all merchants accepting AMEX to follow these guidelines.

Enter the world of AMEX Daily Wish. Daily Wish is a site specifically for AMEX customers where, after signing up and validating that you’re an AMEX cardholder, you get special deals and offers to buy goods and services.

So how does AMEX verify that you’re a cardholder? They ask you for your AMEX number of course upon signing up. Here’s where the problem is (was).

As you can see in the image above, they ask you for your first and last name, then your AMEX card number. Next to the field that asks you for your number, there’s a link which says “this page is secure” which, when clicked, takes you to the AMEX Online Privacy Statement page. Now most people would never read the privacy statement page, but you would think that AMEX would be encrypting this traffic, especially when you are sending your credit card number over the Internet. PCI control number 4 states “Requirement 4: Encrypt transmission of cardholder data across open, public networks”.

Pretty simple, no? Not really…

Up until yesterday, that traffic was all sent in plain text, including your credit card number. A quick snoop with TCPDump, Wireshark or whatever your favorite packet sniffer is shows first name, last name, card number, exp. date and security code. I could do some serious damage with that info ;-)

AMEX fixed this issue pretty quickly, within hours of its discovery, so I guess they get credit for that, but it’s unbelievable to me that they allowed this to happen in the first place. I spend my entire working day dealing with merchant PCI. I explain to merchants why they need to become compliant, what that means, how they can accomplish compliance, etc. Not sending credit card data in the clear over public networks is at the top of the list of what I talk to clients about. They seem to understand why it’s not a good idea, but AMEX doesn’t? I’m sure AMEX does in fact understand this. I’m sure this was just an oversight, but come on! That’s a pretty big oversight!
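The failure described in this post is easy to catch before a page ships: every form that collects a card number has to post to an https action, and the page carrying the form has to be served over https too, or an on-path attacker can rewrite the action before the user types anything. The script below is an added example (not AMEX’s code, and not from the original post) that does that check on static HTML with only the Python standard library. The sample page, field names and example.invalid URLs are constructed to resemble the sign-up form described above.

```python
"""Check whether HTML forms that collect a card number would submit it over
cleartext HTTP (the PCI DSS Requirement 4 failure described in this post).

Added example for this post, not AMEX's code. It only needs the Python
standard library; the sample page and URLs below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def is_card_field(label):
    """Heuristic: does a field name/id/autocomplete value denote a card number (PAN)?"""
    compact = label.lower().replace("-", "").replace("_", "")
    return (compact in ("pan", "ccnum", "ccnumber", "cardno")
            or "cardnumber" in compact
            or "ccnumber" in compact)


class FormCollector(HTMLParser):
    """Collect every <form> with its action and its inputs' identifying attributes."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "fields": [str, ...]}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # name, id or autocomplete may each reveal that this is the PAN field
            for key in ("name", "id", "autocomplete"):
                if a.get(key):
                    self._current["fields"].append(a[key])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_card_forms(page_url, html):
    """Return one finding string per form that collects a PAN but is not protected by TLS end to end."""
    collector = FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in collector.forms:
        if not any(is_card_field(f) for f in form["fields"]):
            continue
        # A relative action inherits the page's scheme, so resolve it against the page URL.
        target = urljoin(page_url, form["action"])
        target_scheme = urlsplit(target).scheme
        if target_scheme != "https":
            findings.append(f"card form posts over {target_scheme} to {target}")
        elif page_scheme != "https":
            # The POST itself is encrypted, but the form arrived in the clear, so an
            # on-path attacker could have rewritten the action before the user typed anything.
            findings.append(f"card form served over {page_scheme} from {page_url}")
    return findings


# Constructed sample resembling the sign-up form described above (not the real page).
SAMPLE_PAGE_URL = "http://example.invalid/signup"
SAMPLE_HTML = """
<form action="/register" method="post">
  <input name="first_name"> <input name="last_name">
  <input name="card_number" autocomplete="cc-number">
  <input name="exp_date"> <input name="security_code">
</form>
<form action="https://example.invalid/search"><input name="q"></form>
"""
FIXED_PAGE_URL = "https://example.invalid/signup"   # same markup served over TLS

if __name__ == "__main__":
    for finding in find_cleartext_card_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("FINDING:", finding)
    print("after moving the page to https:", find_cleartext_card_forms(FIXED_PAGE_URL, SAMPLE_HTML))
```

The field-name heuristic is deliberately narrow (an exact match on the usual PAN field names, or “cardnumber”/“ccnumber” as a substring) so that names such as company_name do not trigger it; in a real review you would extend it with whatever your own templates call the field. Run against the constructed sample, the script reports the card form posting over http; the search form, which collects no card data, is ignored, and the same markup served from an https page produces no finding.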

I hope none of my customers say to me “AMEX doesn’t do it, so why do I need to?” I won’t have much of a comeback for that!

…josh

Josh Karp

Will Merchants Revert To Their Old Ways? Does PCI Crap In The Woods?

My friend Martin McKeay can be so idealistic sometimes. Martin is infatuated with tokenization and end-to-end encryption (E2EE) as the answer to making all things PCI good (or out of scope at least). Never mind for the moment that, as Martin says, neither tokenization nor E2EE is fully baked yet or ready for prime time. For the moment let’s humor Martin and agree that if not now, they will be soon.

Martin thinks that this will come about as merchants push vendors to incorporate these technologies, even though they are not mandatory, as a way to move out of scope of PCI. Now as a QSA Martin deals with some very big merchants. Maybe they are clamoring for this. On my end of the world, if I asked merchants about it I would probably get the HUH? face. You know the face I am talking about, like the guy who said it took his grits only 5 minutes to cook in My Cousin Vinny.

Martin seems to think that merchants will flock to these solutions as a way of moving much of their credit card processing out of the scope of PCI. I think that unless the PCI Council itself mandated the use of these technologies, even the idea of making their life easier would not be enough to move a majority of merchants. Merchants want to follow the letter of the law in the regulations. If the regs are not going to say use tokenization and E2EE, it is a tough sell.

Beyond that, Martin asks:

But without the threat of PCI (and potential fines/fee increases) will merchants keep up the minimum security safeguards that PCI mandated or will they revert to their old ways and ignore security for the most part?

At the end of his article Martin recognizes the inevitable: merchants are going to do the minimum they have to do to be compliant. That could mean once they adopt tokenization and E2EE they are done with the rest of PCI because they will be out of scope.

First of all, there is not a doubt in my mind that if merchants did not need to do all of the other stuff PCI mandates, they wouldn’t do it for one second longer than necessary. But I don’t think that is the way it is going to go down.

I think when and if the PCI Council mandates tokenization and E2EE they will do so in such a way that it will not put an end to the rest of what they have built up over the years. Self-preservation of the institution kicks in here. It is like trying to kill a government agency. These technologies will be layered in over what is already there, but they will not replace having an IDS, logs and all the rest. To think otherwise is, I think, naive.
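For readers who got the HUH? face at “tokenization”, here is what the scope argument above rests on, as an added example that is not part of the original post and not any vendor’s product: the merchant keeps a random token and the last four digits, the full PAN lives only in the provider’s vault, and recurring charges (the medical office’s twice-monthly billing from the earlier story) are made by token. The card numbers are the standard test numbers, the provider/merchant split is simplified to two Python classes in one process, and a real vault would also encrypt its contents at rest.

```python
"""Tokenization sketch: the merchant stores a random token plus the last four
digits, and only the provider's vault ever holds the full PAN, which is what
takes the merchant's own systems out of PCI scope for stored card data.

Added example, not any vendor's implementation. The PANs used are the
standard test numbers, the provider/merchant split is simplified, and a real
vault would additionally encrypt its contents at rest.
"""
import re
import secrets


def luhn_ok(pan):
    """Luhn check-digit validation, so the vault rejects malformed PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Provider side. The only place a full PAN is stored."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}     # so the same card always maps to the same token

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = secrets.token_urlsafe(24)   # random: nothing about the PAN can be derived from it
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def charge(self, token, amount_cents):
        """Recurring charge by token. Returns a receipt carrying only a masked PAN."""
        pan = self._pan_by_token[token]     # KeyError for an unknown token
        return {"pan_masked": "*" * (len(pan) - 4) + pan[-4:], "amount_cents": amount_cents}


def merchant_store_card(vault, pan):
    """Merchant side: keep the token and a display hint, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan.replace(" ", "")[-4:]}


PAN_PATTERN = re.compile(r"\d{13,19}")


def record_contains_pan(record):
    """Scope check a QSA might run against a merchant table: any 13-19 digit run?"""
    return any(PAN_PATTERN.search(str(v)) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()                                            # provider
    patient = merchant_store_card(vault, "4111 1111 1111 1111")     # what the merchant keeps
    print("merchant record:", patient, "contains PAN:", record_contains_pan(patient))
    print("monthly charge:", vault.charge(patient["token"], 12500))
```

The point the record_contains_pan check makes is the one the post argues about: with the PAN gone from the merchant’s tables, the storage requirements stop applying to those tables, but the merchant still has workstations, a network and a token that can be used to charge the card, so the rest of PCI does not vanish with it.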

alan

Heartland Pays Chump Change to Settle Consumer Class Action

The fallout from the largest data breach in history continues with news that Heartland Payment Systems has proposed an agreement to settle the class action lawsuit brought by consumers who may have been victims in the breach. Hey, there were only about 130 million of them!

According to this report on the settlement, which has garnered court approval, the only ones really making out are the lawyers, as usual. They stand to make $725,000 representing the plaintiffs in this case. Not a bad day’s work. The lead plaintiffs meanwhile will receive the whopping sum of between $100 and $200 each for all of their time and effort. They take their 15 minutes of fame and ride off for a modest dinner for their trouble.

The rest of the settlement, about $2.4 million, will be set up in a fund to compensate consumers damaged by this breach. Any one consumer can recover up to $10,000. But this is deceiving. Only $175 for out-of-pocket expenses is covered. Anyone who has spent any time trying to get a credit report corrected can tell you how much time and out-of-pocket money that costs.

When you project these amounts over the potential 130 million cards stolen, it just doesn’t seem like a lot. But attorneys for the plaintiffs (that would be the consumers, for those following along at home) thought this was an “excellent” settlement for consumers. Hey, if they were paying you 3/4 of a million dollars you would think it was excellent too.

This is on top of the $3.6 million American Express has already charged Heartland to pay for its damages and the $60 million VISA has charged them. Though the VISA settlement seems like a large number, it is reportedly actually less than half of what VISA’s own internal investigation showed the damages to banks should have been.

So Heartland is coming out of this much better than it could have hoped. In the meantime, are the numbers involved here, given the scope and breadth of this breach, enough to serve as a deterrent to the next Heartland? As much as the fines and settlements are supposed to cover actual damages, they should also serve as a lesson to others about taking security a bit more seriously.

alan

START the Snitching!!!

Mac OS X has a built-in ingress (inbound) firewall, but what about all of those egress (outbound) connection attempts that you’re unaware of? Welcome to the world of Little Snitch.

Little Snitch is an application created and sold by Objective Development for $29.95 for a single-seat license. There is also a trial version available that will work in a fully functional mode, but shuts down after 3 hours.

So why do you need an outbound firewall, you might ask? There are a lot of reasons. Let’s say you download a new piece of software that you’re not sure about. How do you know what it’s actually doing besides running as an application? It could be sending information out to a 3rd party that you don’t necessarily want sent out. Maybe someone sent you a link via email. Don’t you want to know where and what information is being sent from your computer? Not that any of us here would do this, but if you’ve downloaded some software via a torrent or other questionable source, you DEFINITELY need to know what it’s doing.

I guarantee that running Little Snitch for the first time, you will be amazed at how many outbound connections your computer attempts to make. Little Snitch gives the user a very simple and straightforward GUI to manage these attempts. There are 2 basic parts of the application.

The first part is where and how rules get set on the fly. If a connection attempt is made, Little Snitch will pop up and ask you what you want to do with it and for how long. For example, let’s say some program tries to ping www.yahoo.com. Before that connection is allowed, the user will get a pop-up window as shown below. You’ll be shown which program is initiating the connection (in this case it’s iTerm) and where the connection is being made to (the example shows a mirror site of www.yahoo.com). You can choose the time you would like this newly created rule to apply (once, until the program quits, or forever) and further specify which ports/protocols you want to allow.

Little Snitch will put this rule into its ruleset and apply it to any future attempts. You can always go in and manually add, remove or edit rules at any time as well.
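To make the rule lifecycle concrete, here is a small model of that ruleset: an attempt with no matching rule returns “ask” (the pop-up), the user’s answer becomes a rule keyed on process, destination host glob, port and protocol, “once” stores nothing, “until quit” rules disappear when the process exits, and “forever” rules persist. This is an added example for this post, not Objective Development’s code; the process and host names in the demo (iTerm pinging a yahoo.com mirror, a made-up “updater” process) are constructed.

```python
"""Toy model of the per-application egress ruleset that a tool like Little
Snitch builds from its pop-up answers: process, destination host, port and
protocol, an allow/deny action, and a lifetime of once / until the program
quits / forever.

Added example; this is not Objective Development's code, and the process and
host names used in the demo are constructed.
"""
import fnmatch
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    process: str            # e.g. "iTerm"
    host: str               # glob pattern, e.g. "*.yahoo.com" or "*"
    port: Optional[int]     # None = any port (an ICMP ping has no port)
    proto: str              # "tcp", "udp", "icmp" or "*"
    action: str             # "allow" or "deny"
    duration: str           # "until_quit" or "forever"


class EgressFilter:
    """Default-ask outbound filter: no matching rule means prompt the user."""

    def __init__(self):
        self.rules = []

    @staticmethod
    def _matches(rule, process, host, port, proto):
        return (rule.process == process
                and fnmatch.fnmatchcase(host.lower(), rule.host.lower())
                and rule.port in (None, port)
                and rule.proto in ("*", proto))

    def check(self, process, host, port, proto):
        """Return 'allow', 'deny', or 'ask' when no stored rule covers the attempt."""
        for rule in self.rules:            # first matching rule wins
            if self._matches(rule, process, host, port, proto):
                return rule.action
        return "ask"

    def decide(self, process, host, port, proto, action, duration):
        """Record the user's answer to the prompt. 'once' applies to this attempt
        only and stores nothing; other durations become rules for future attempts."""
        if duration != "once":
            self.rules.append(Rule(process, host, port, proto, action, duration))
        return action

    def process_quit(self, process):
        """Drop the 'until the program quits' rules for a process that exited."""
        self.rules = [r for r in self.rules
                      if not (r.process == process and r.duration == "until_quit")]


if __name__ == "__main__":
    fw = EgressFilter()
    attempt = ("iTerm", "mirror.yahoo.com", None, "icmp")   # the ping from the post
    print(fw.check(*attempt))                                # ask -> pop-up appears
    fw.decide("iTerm", "*.yahoo.com", None, "icmp", "allow", "until_quit")
    print(fw.check(*attempt))                                # allow, no pop-up
    fw.process_quit("iTerm")
    print(fw.check(*attempt))                                # ask again
```

Two details worth noticing because they are what make an outbound filter useful rather than annoying: rules are keyed on the process as well as the destination, so allowing iTerm to reach yahoo.com says nothing about a freshly downloaded binary reaching the same host, and a rule that allows ICMP does not silently cover a later TCP connection from the same program.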

The second main part of Little Snitch is the network monitor that will sit on your desktop like a widget and show you in real-time all of the network activity happening on your machine. You can see in the screenshot below that amongst a few other programs, the second entry down from the top is my iTerm program pinging the www.yahoo.com mirror site again. I choose not to run the network monitor all the time, but that’s a matter of personal preference.

Little Snitch might be a tad overwhelming for new users in the beginning with the amount of pop-ups you get as it creates rulesets, but that shouldn’t last long, and once that part is finished there’s not a lot of work to be done with the application.

The bottom line is that any user concerned about security and information should give Little Snitch a good, strong look. It provides information that you shouldn’t be in the dark about and does it in a simple, easy to manage manner. The support is great from the company and the user forums are full of good information.

Objective Development’s other programs are worth a look too, especially LaunchBar.

For the record, I have no affiliation with Objective Development aside from having Little Snitch and LaunchBar on my short list of “must-have programs”.

…Josh

Josh Karp

The iPad is finally here!!

I know, I know. Everyone is probably pretty sick of hearing about the iPad already, but in case you’re not…

I preordered my iPad on the first day and it showed up on Saturday afternoon. The first thing you notice is how bright the screen is. Everything looks really nice. The device itself is beautiful, the functionality is cool, on and on and on. But this is a security related blog, right? So let’s tie the iPad into security.

Weak and re-used passwords are one of the largest faults of a weak security strategy. Your kid’s name, your dog’s name with a 1 at the end, your anniversary date, etc. We’ve all been at fault for weak passwords at one point in our digital lives. I used to have 3 or 4 passwords that I would alternate between. One for everyday sites, one for sensitive sites, etc. That was until I discovered 1Password.

1Password is a password manager for all intents and purposes, but it’s so much more. The basic functionality is the ability to create randomly generated passwords of varying lengths and store them. 1Password has a “master password” that allows you to access the “vault of passwords” in the program.

For example:

I go and sign up for Wells Fargo online banking. It asks me to create a user ID and password. I can click on 1Password (in my browser menu bar) and choose “generate password”. It will create a password for me, fill it into the Wells Fargo online banking site, then ask me if I want to store that for future use. Now, anytime I go back to www.wellsfargo.com, I simply click on 1Password in my menu bar again and it knows I’m at Wells Fargo, asks me for my “master password” (the only one I need to remember anymore) and auto-fills my information. It even clicks “log in” and boom! I’m logged in!

In addition to that, 1Password can store credit card information, account information (email, iTunes, logins, etc), and store notes. So how does this tie into the iPad?

Agile Web Solutions, the creator of 1Password, released their universal app, which means the same version works on both iPhones and iPads. The great news about this is if you buy one, you own the other. A lot of people (including myself) have both an iPhone and an iPad, so this is a great deal for me. The OS X version is separate.

The bottom line is that between my Mac, iPhone and iPad, I’m never without my passwords, notes and sensitive information. If for some reason I’m ever without all 3 of those (kill me now!), I’ve synced 1Password to my Dropbox account and can read my passwords over the Web.

1Password is a must have for any Mac user. Period. I don’t know how I ever lived (and felt secure) without it. There are similar programs for you poor, blue-screen loving Windows users ;-)

…josh

Josh Karp

PCI DSS Rock

Martin McKeay over at Network Security blog turned me on to this one and I had to share. If nothing else, it shows Bob Russo and the PCI Council folks have a great sense of humor:

alan

How many Facebook friends do you have? You might want to rethink that.

My friend and colleague wrote about this a few weeks ago, but it’s in the news and on TV again. A simple posting on Facebook about the new movie you’re going to see or the concert you’re going to can end up costing you a lot of time, money and grief.

It’s a simple concept. You get a Facebook friend request and you accept it. How much harm can that do, right? Well think again. Is it someone you really know? Are you friends with this person in real life? Do you want this person knowing where you are, how long you’re gone for and when you’ll be home?

Criminals are using Facebook and Twitter status updates as a means of “virtually staking out your house”, then knowing when to come in and steal your possessions. I’m not a huge reality TV person and I don’t keep up on Lindsay Lohan’s whereabouts, but I’ll admit, “Pretty Wild” on the E! channel caught my eye the other night. Maybe it’s the fact that it’s about 3 good looking sisters, maybe it’s the fact that it’s filmed in LA (my hometown – keep the LA comments to yourself) or maybe it’s the fact that the middle sister, Alexis, 18, is in the middle of being tried for being part of “The Bling Ring”.

The Bling Ring is a group of LA kids that allegedly started burglarizing people’s homes and cars to support their drug and party habit, but that soon turned to robbing celebrities’ homes. Paris Hilton was the first to suffer when the group robbed her home of millions of dollars worth of jewelry and purses over 2 visits. How did they know when to hit Hilton’s home? Her Facebook status. The ring continued to track celebs on social networking sites and eventually robbed the likes of Lindsay Lohan, Megan Fox and Audrina Patridge.

In a more recent event, a seemingly nice couple from Indiana decided to post on Facebook that they were headed out to an 8pm concert for the night. At 8:42pm, two men broke into their home and robbed them of over $10,000 of electronics and jewelry. The couple had security cameras installed in their home and when watching the video of the robbery, recognized one of the men as a guy that “friended” the woman months ago. They weren’t friends in real life, they hadn’t talked in more than 20 years, but they grew up across the street from each other when they were young. A lot can happen in 20 years of not seeing someone and you might not want to give your whereabouts out to just anyone.

Think of it like this… if someone you didn’t really know called you on the phone and asked you if you were going to be home for the night, would you tell them? If someone you didn’t really know walked up to you on the street and started talking to you, would you tell them about the new 60” plasma TV you just bought? If a stranger started up a conversation with you in Starbucks, would you tell them that you were going on vacation for 2 weeks and no one was going to be at your house, and by the way, here’s my first and last name, email address and the city I live in? I’m willing to bet the answer is no to all of those questions, so why would you put that on Facebook?

People need to start thinking of the Internet as real life and protecting themselves as they would in real life. Don’t put something on the Internet that you don’t want the entire world knowing. Don’t put personal information online that you wouldn’t shout from a rooftop in public. Don’t open email attachments called “cute cat dancing.exe” from email addresses that “kinda look like a friend”. If you wouldn’t do something in the real world, it’s probably a good idea not to do it online.

I’m off now to go catch up on Pretty Wild. I think the youngest sister is having her birthday party tonight! ;-)

…josh

Josh Karp