Visa 10 Best Practices for Payment Apps

Visa USA has released a best practices document for Payment Applications

As part of their due diligence, acquirers, merchants and agents should ensure that the payment application companies they use have passed a rigor of mature software processes including the Visa Top Ten Best Practices for Payment Application Companies, Version 1.0.

The top two problems it calls out are insecure remote access and unchanged vendor defaults.

Honeypot lit up by Chinese

A researcher from Kaspersky says their honeypot in Japan is seeing a large number of attacks attributed to China and South Korea. Does this correlate with what other honeypots see, or is there a regional bias?

A few months ago we set up a new honeypot (http://www.mwcollect.org) in our Japanese research centre in Tokyo. The honeypot is mainly used to collect malicious Windows executables, which it does pretty well by emulating shellcode when it finds network exploits. A side effect of using the honeypot to listen on all ports is that we get statistics (as well as unexpected data) coming in on various network ports of the host, which has a global IP address. […] Take a minute to compare it to the previous graph! You can see that the number of MSSQL attack attempts is mirrored by attacks coming from China. And recently, South Korean hosts have joined this massive attempt to exploit the service.

It is tempting to say that the Chinese and South Koreans are attacking the Japanese honeypot, when in fact the source is probably elusive and mostly irrelevant.
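The comparison the researcher describes (a per-port hit count set beside a per-source hit count, then "compare it to the previous graph") is easy to do numerically. The script below is an added example, not code from the original post, from mwcollect or from Kaspersky: it aggregates constructed honeypot connection records by destination port and by source block, and scores how closely the daily MSSQL curve tracks the daily curve from each block. The source ranges are the RFC 5737 documentation networks and the block labels are hypothetical stand-ins for whatever a GeoIP lookup would return.

```python
"""Per-port / per-source aggregation over honeypot connection records.

Added example, not code from the original post or from mwcollect/Kaspersky.
The records below are constructed; the source blocks are RFC 5737
documentation ranges and the labels are hypothetical stand-ins for a
GeoIP result.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from math import sqrt

# Hypothetical label -> network mapping. A real system would use a GeoIP
# database; either way it only tells you where the *last hop* is located,
# not who is behind it.
SOURCE_BLOCKS = {
    "block-A": ip_network("203.0.113.0/24"),
    "block-B": ip_network("198.51.100.0/24"),
    "block-C": ip_network("192.0.2.0/24"),
}


def label_source(ip: str) -> str:
    """Map a source address to its block label, or 'other'."""
    addr = ip_address(ip)
    for label, net in SOURCE_BLOCKS.items():
        if addr in net:
            return label
    return "other"


def build_sample():
    """Constructed connection log: (day, src_ip, dst_port).

    Port 1433 (MSSQL) traffic from block-A ramps up day by day, block-B
    hits 445 at a flat rate, block-C touches 1433 once a day.
    """
    records = []
    for day in range(1, 5):
        records += [(day, f"203.0.113.{10 + i}", 1433) for i in range(2 * day)]
        records += [(day, f"198.51.100.{20 + i}", 445) for i in range(3)]
        records.append((day, "192.0.2.7", 1433))
    return records


def hits_per_port(records) -> Counter:
    """Total hits per destination port (the 'statistics on various ports')."""
    return Counter(port for _, _, port in records)


def daily_counts(records, *, port=None, label=None) -> dict:
    """Day -> hit count, optionally restricted to one port and/or one source block."""
    counts = {day: 0 for day in sorted({day for day, _, _ in records})}
    for day, src, dst_port in records:
        if port is not None and dst_port != port:
            continue
        if label is not None and label_source(src) != label:
            continue
        counts[day] += 1
    return counts


def pearson(xs, ys) -> float:
    """Pearson correlation; a flat series cannot mirror anything, so return 0.0."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def mirror_score(records, port, label) -> float:
    """How closely the daily curve for one port tracks the daily curve for one source block."""
    by_port = daily_counts(records, port=port)
    by_src = daily_counts(records, label=label)
    days = sorted(by_port)
    return pearson([by_port[d] for d in days], [by_src[d] for d in days])


if __name__ == "__main__":
    recs = build_sample()
    print("hits per port:", dict(hits_per_port(recs)))
    for label in SOURCE_BLOCKS:
        print(f"1433 vs {label}: r={mirror_score(recs, 1433, label):+.2f}")
```

On the constructed data the MSSQL curve correlates perfectly with block-A and not at all with the others, which is exactly the kind of picture the graphs in the post show. The score says only that the two curves move together; it does not say the hosts in block-A are anything more than the last hop (compromised relays, a proxy, a scanner someone rented), which is the point about attribution above.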

Kalamazoo Oil Disaster

Another massive spill, this one in Michigan. I remember process and security engineering used to look up to the oil and gas industry. Models for information security often borrowed concepts like fail-safe monitoring. Diagrams and images of oil rigs and pipelines were used to illustrate risk in terms of care and diligence. The theory was that the risk was so high for them, they had developed extensive controls. If I remember correctly, the BS7799 standard was even developed in large part by oil companies involved in high-risk, high-reward North Sea and Middle East operations.

The oil companies clearly have a very different public image these days. Oil spill update: State of emergency declared as 800,000 gallons of leaked oil begins flowing through Kalamazoo County.

County officials said they began an emergency response at about 6 p.m. Monday after news spread that a 30-inch oil pipeline in Marshall sprang a leak and released oil into the Talmadge Creek, which feeds into the Kalamazoo River. Houston-based Enbridge Energy Partners said the pipeline has been shut down, but that did not happen before more than 800,000 gallons flowed into the creek.

The rate of flow must have been very high, but a 30-inch pipeline would still take a while to lose almost a million gallons. Loss prevention has a large body of scientific study in the oil and gas industry. What was the delay in detection and response? Maybe things have shifted so far now in the management of energy and risk that they could learn a thing or two from information security.

Operation Buckshot Yankee

GovInfoSecurity reports on a flash drive that breached the US Department of Defense

Deputy Defense Secretary William Lynn III, in an article to be published by the journal Foreign Affairs, writes that a flash drive inserted into a laptop on a military post in the Middle East in 2008 caused the most significant breach of military computers.

The incident is now being declassified. Lynn says this is to increase awareness of threats. However, we know that malware spreads from flash drives. The real news is here:

That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control

Lack of segmentation between classified and other systems? While it is nice that a Deputy Defense Secretary would come forward with details that say the military did not manage security well, just to educate Congress, perhaps there is another motive. The story reads less about threats of sophisticated malware and more about poor segmentation controls.

The more I hear and read the military focus the discussion on “threats” the more I wonder if they are trying to stir fear in American politics to establish control or at least major influence over Cyber Command.

This is the new political landscape. I see it as a career-related move on their part (they want to be seen as the new generation of leaders) as much as an organizational fight with civilian leadership.

I asked the esteemed panel at DefCon about this and their response was “No one thinks that…. Howard Schmidt is a civilian.” I guess that makes me no one, because I still think that these military-led presentations are not a token of mere goodwill but rather part of some political process. The breach review should include threat analysis but the vulnerabilities are often more interesting; I hope we will soon find out why military leaders left classified systems so easily exposed.

Update: More on this topic in Civilians giving away too much control of US CyberSecurity?