Feed aggregator

Small size. Powerful performance. New design. Introducing the SoundDock® Series II digital music system

Official Smarthome Blog - Wed, 07/21/2010 - 1:24pm

The original Bose® SoundDock® gave you the ability to put down the headphones and fill the room with Bose quality sound from your iPod®. The new Bose SoundDock Series II Digital Music System delivers the same high quality audio as the original while adding features that expand its functionality. The SoundDock Series II will connect, play and charge any iPod with a click wheel and dock connector without the need for additional cables or adapters. And now, the SoundDock Series II is iPhone® compatible (including all 3G models). In addition to iPods and iPhones, other audio devices can be connected to the SoundDock thanks to a built-in auxiliary input jack. Listening to a Microsoft Zune, Roxy Rio or any other portable audio source is as easy as plugging it in. The included credit-card-sized remote offers basic controls and has been upgraded to provide playlist navigation. The Bose SoundDock Series II Digital Music System was specifically designed to expand and enhance the enjoyment of music from your iPod, iPhone or alternative audio source from a compact unit that offers the ultimate in audio performance.

  • First SoundDock System certified to work with the iPhone and iPhone 3G
  • Works with any click wheel iPod model and has an auxiliary input for other audio devices
  • Charges iPhone and iPod as it plays
  • Designed to reduce outside interference while providing rich, full sound
  • Remote control operates basic functions of iPhone/iPod and playlist navigation
  • Price: $299.00


    Book on GCHQ

    Schneier on Security - Wed, 07/21/2010 - 11:56am
    A book on GCHQ, and two reviews. EDITED TO ADD (7/26): Another review....

    EU Counterterrorism Strategy

    Schneier on Security - Wed, 07/21/2010 - 4:50am
    Interesting journal article evaluating the EU's counterterrorism efforts....

    Network Security Podcast, Episode 206

    Network Security Blog - Tue, 07/20/2010 - 7:29pm

    Zach couldn’t make it tonight, but Rich and Martin open the show with a call to our listeners for more email questions and topic suggestions. After answering a listener question last week, we realized it would be nice to engage with all of you a little bit more. But not too much… I mean we don’t want to touch you or anything.

    We also spend a little time talking about how we handle our connectivity and security while at Black Hat and Defcon, which happen to be next week.

    Network Security Podcast, Episode 206, July 20, 2010
    Time: 42:38

    Show Notes:

    Visually Enhances Environment

    Official Smarthome Blog - Tue, 07/20/2010 - 6:02pm

    The Cyron HT1506E Multicolor LED Lighting System is sure to visually enhance any environment. A value-priced system that is not short on functions, it can produce any color of light at the push of a button. LED technology saves up to 80% in energy, produces no heat and runs at low voltages, eliminating the dangers associated with traditional lighting devices. The Cyron Multicolor LED Lighting System is ideal for accent lighting TVs, audio/video centers, cabinets, furniture, and any area around your home or office.

  • 15″ Lightbars
  • 60 Super Bright LEDs per Lightbar
  • Smart Controller with 7 Pre-Programmed Modes
  • Music Mode Interacts with Ambient Sound
  • Hub with 6 Ports for Future Upgrades
  • 60 Degrees Light Dispersion
  • System Operation: 12VDC 5W
  • Power Supply 100-240VAC
  • Price: $129.94


    30 Functions IR Wireless Controller

    Official Smarthome Blog - Tue, 07/20/2010 - 4:48pm

    The Cyron HTW1000 Multicolor RGB Controller offers easy IR wireless operation of 30 functions. It is the most feature-packed and functional wireless RGB/multicolor controller with an infrared remote. 12 plug & play ports make the HTW1000 fully compatible with Media Highlighter lightbars, and additional lights can be hardwired directly to the internal terminal block for a total of 100W output. It can be used with all Cyron multicolor lighting elements, and the hardwire capability allows for ultimate system expansion. It may also be used with some white elements for dimming capabilities. 100W nominal output, 150W peak. 12VDC power supply sold separately in 30W and 50W versions.

    The IR Controller can be controlled by remote code partners, such as Crestron, Universal Remote and RTI. The standard codes can also be “learned” by all universal remotes having “learning” capability. By building macros in such remotes, the possibilities can be truly endless.

  • 30 functions IR remote control
  • Color Dial with over 114,000 adjustable colors
  • Seven memory buttons
  • 3 light show patterns: Color scan, Fade, and Step mode
  • 3 speeds for each light show
  • Music mode, built in microphone and direct audio line input
  • Five auto-off timers
  • Price: $134.95


    It’s good, but it could have been so much better

    Network Security Blog - Tue, 07/20/2010 - 2:54pm

    I really wish I had the time to fully explore the idea, but there’s a certain amount of resonance between the criticisms Adrian Lane at Securosis levels against Visa’s guidance on tokenization and criticism of the PCI security standards in general. I believe we’re at the stage as an industry where we mainly agree that the PCI standards are a good starting point, but there’s so much more the PCI Council could be requiring merchants and service providers to do for security. Visa’s guidance is much the same: it’s a good start, but it could have been so much more. And in both cases, I believe the reasons for the compromises can be boiled down to not wanting to require too much of the community and not wanting to limit the flexibility of the standards too much.

    I believe that the Visa best practice papers for tokenization and truncation are just like the PCI standards themselves; they’re a good place to start your journey, but these requirements aren’t enough to build your entire security stance from.  It’s up to you to continue from here to determine how the particular technologies are going to impact and secure your environment.  I think the difference between providing guidance and issuing edicts is something we’ll be talking about next Sunday at Defcon, so this is good timing.

    I agree with many of Adrian’s criticisms, including that Visa could have just given more specific guidance overall. But I also understand Visa’s need to keep the guidance vague enough so as not to provide undue direction to what is basically a fledgling market space. Which is exactly where I see the tie-in with Josh Corman’s primary argument about the PCI Council: intentionally or not, they are steering the security market space through the PCI standards. Visa could be a force for good in the tokenization and truncation markets if they predict correctly and back solutions that are for the best over the long term. Or they could be seen as stifling innovation if they issue poor guidance. Much like the PCI Council.

    Earlier today I heard someone make the statement that the majority of companies who are compromised are using encryption in some form, but they still got compromised. He was reminding me that none of the other silver bullets we’ve thought would save us from the bad guys have worked, so use truncation and tokenization, but know they won’t solve all our security issues. As is so often the case, they’ll just move the attack to other targets and other vectors.

    Media Highlighter Hub

    Official Smarthome Blog - Tue, 07/20/2010 - 1:48pm

    The Cyron HTHUB6 Media Highlighter Hub with 2ft leads can be used to connect Media Highlighter lightbars to controllers without the plug & play ports. Use with controllers with terminal blocks. 6 outlet, 24″ cord, 30W max power.

  • Media Highlighter Hub
  • 6-Outlet 24″ pigtail
  • Comes with 2ft lead
  • Connect Media Highlighter lightbars to Controllers
  • Price: $12.95


    Economic Considerations of Website Password Policies

    Schneier on Security - Tue, 07/20/2010 - 12:52pm
    Two interesting research papers on website password policies. "Where Do Security Policies Come From?": Abstract: We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics...

    New GAO Cybersecurity Report

    Schneier on Security - Tue, 07/20/2010 - 5:43am
    From the U.S. Government Accountability Office: "Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development." Thirty-six pages; I haven't read it....

    Violating Terms of Service Possibly a Crime

    Schneier on Security - Mon, 07/19/2010 - 12:11pm
    From Wired News: The four Wiseguy defendants, who also operated other ticket-reselling businesses, allegedly used sophisticated programming and inside information to bypass technological measures -- including CAPTCHA -- at Ticketmaster and other sites that were intended to prevent such bulk automated purchases. This violated the sites' terms of service, and according to prosecutors constituted unauthorized computer access under the anti-hacking...

    Embedded Code in U.S. Cyber Command Logo

    Schneier on Security - Mon, 07/19/2010 - 5:53am
    This is excellent. And it's been cracked already....

    Friday Squid Blogging: Hawaiian Bobtail Squid

    Schneier on Security - Fri, 07/16/2010 - 3:34pm
    Symbiotic relationship between the Hawaiian bobtail squid and bioluminescent bacteria, with bonus security implications....

    Skype's Cryptography Reverse-Engineered

    Schneier on Security - Fri, 07/16/2010 - 11:08am
    Someone claims to have reverse-engineered Skype's proprietary encryption protocols, and has published pieces of it. If the crypto is good, this is less of a big deal than you might think. Good cryptography is designed to be made public; it's only for business reasons that it remains secret....

    The NSA's Perfect Citizen

    Schneier on Security - Fri, 07/16/2010 - 4:19am
    In what creepy back room do they come up with these names? The federal government is launching an expansive program dubbed "Perfect Citizen" to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program. The surveillance by the National Security Agency, the government's...

    Truncation and Tokenization guidance from the PCI Council

    Network Security Blog - Wed, 07/14/2010 - 1:15pm

    If you’ve been thinking about using tokenization or truncation to limit the scope of your PCI environment, you need to take a few minutes to read the two documents Visa just released, Visa Best Practices: Tokenization and Visa Best Practices for Primary Account Number Storage and Truncation. Neither of these documents is more than four pages in length, so they only take a few minutes to read, but they give you a good starting place for asking questions about both of these market spaces. There’s nothing exciting or unexpected in either of these documents, and you’ll need to do a lot more research to understand the more complex elements of both solutions, especially as they relate to your specific environment.

    If you’re part of a merchant organization or somehow dealing with credit card numbers and you’re not considering tokenization or truncation, why not?  Is it lack of time, lack of resources, lack of management backing or something else?  Have these technologies simply not risen to the level where you felt the need to take them seriously?  I’m curious as to why you might not be looking at a technology that could limit the amount of sensitive information on your network.  I’ve talked to a number of merchants over the last year and there’s been plenty of interest in the ideas of tokenization and truncation, but I’ve only seen a few merchants actually making a move towards implementation.

    I hope the next guidance we’ll see comes from the PCI Council, giving instructions on how both of these technologies can be used to reduce the scope of a PCI assessment. What can you take out of scope? What common mistakes might bring systems back into scope? What should we be looking for in an implementation? These are still relatively new technologies, and the implementations differ significantly enough that greater direction and care are going to be needed in their assessment and validation. There are some things that are laid out in the Visa documents, but I think we need to look for more specific guidance from the Council.

    Network Security Podcast, Episode 205

    Network Security Blog - Tue, 07/13/2010 - 7:09pm

    Rich and Zach are still sweltering in their respective heat waves, but Martin managed to nab an interview with Bob Russo, the head of the PCI Security Standards Council. We also cover a couple of stories and some honest-to-goodness listener mail!

    Network Security Podcast, Episode 205, July 13, 2010
    Time:  44:44

    Show Notes:

    My “Letter to the Client”

    Network Security Blog - Mon, 07/12/2010 - 8:08am

    Last week another assessor friend of mine started a new blog, Fear Not the Assessor. She started it off with an excellent post, Letter to the Client. Almost every QSA goes into a new client with a certain sense of trepidation due to the client’s preconceived notions, and most merchants going into an assessment for the first time are nervous because they don’t know what to expect; all they know is what they’ve read online. That first phone call with the client is always so much fun for everyone involved. The Letter attacks some of those notions and lists some of the steps a client should be taking before the QSA ever comes on site. As a way of introduction, a letter like this really helps put many clients at ease, letting them know that you’re there to help and not simply pass judgment on them.

    Here’s a letter of my own with several more points to ponder.

    Dear Client,

    We’re about to start on an effort of many months of work that both of us hope will culminate in the issuance of a compliant Report on Compliance.  There will be surprises and setbacks along the way, but I’m sure that we can work together to overcome them.  My job is to help assess the security of your cardholder environment and provide you with honest feedback about your compliance with the PCI standards.  Your job is to provide me with the information I need to make that assessment.  Together we will document your environment and show that it is both secure and compliant.

    Several things you should know:

    1. Securing your data and your network should be the goal and PCI is just a signpost along the way.  Please, please, please don’t make the mistake of thinking once you pass your assessment that you’re secure and you have no more work to do until next year.  PCI is a good starting point for securing your environment, but each company is so unique that there are innumerable holes it leaves open to exploitation.  And the assessment only covers your cardholder data environment: what about the rest of your network?
    2. I am judge, but I am neither jury nor executioner. I will make judgment calls on the state of your environment and I may find things I do not believe are compliant. You may agree or you may think your controls and safeguards are sufficient. Make your case to me, and if we still don’t agree, we can bring in other QSAs within my company to review the situation, starting with my manager. Sometimes they’ll see something I didn’t.
    3. I will never leave you wondering if I found something wrong.   I will always try to let you know at the end of the day, if not at the end of each meeting, if I have any questions or concerns.  It’s in both of our best interests for me to be as transparent as possible.  The sooner you know of an issue, the sooner you can begin investigating and getting it resolved.
    4. You are my client and it is my job to help you receive a compliant RoC. I will give you the best advice I can to help you achieve compliance. But it is up to you to establish the policies, procedures and controls needed to reach this goal. If I identify a requirement that is not being met, I will bring it to your attention and help you address the issue in a timely and cost-conscious manner.

    Clear communication is a good salve for many of the pains an annual PCI assessment brings.  I look forward to learning about your company, your network and your people.  And I hope that the lessons I’ve learned helping dozens of companies become compliant can be used to help you avoid some of the pitfalls and false starts of compliance.

    Network Security Podcast, Episode 204

    Network Security Blog - Tue, 07/06/2010 - 7:01pm

    Once again we have a wandering host; Rich has wandered off into the hinterlands of Denver (Boulder, I think) and is too busy to call in for the podcast. Left to their own devices, Zach and Martin muddle through tonight’s podcast without major mishap. We’ve got a little PCI, a little disclosure and some potential cracks in the Apple Store armor.

    Network Security Podcast, Episode 204, July 6, 2010
    Time:  30:28

    Show Notes:
