The Security Pub

Random Thoughts About Security

Another State Makes PCI a Law

PCI DSS Map

Washington has enacted a statute to provide financial institutions with a cause of action against certain entities involved in payment card transactions that fail to take reasonable care to guard against unauthorized access to account information, where that failure is found to be the proximate cause of the breach. The law goes into effect on July 1, 2010. The new Washington law is similar to an existing statute in Minnesota and shows that Payment Card Industry Data Security Standards (“PCI DSS”) compliance continues to be codified on a state-by-state basis.

Read the article here – [Kelley Drye & Warren LLP]

TJX Hacker Gets 20-Year Jail Sentence

Hacker mastermind Albert Gonzalez was sentenced Thursday in U.S. District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the “unparalleled” theft of millions of credit card numbers from major U.S. retailers.

U.S. District Court Judge Patti B. Saris announced the concurrent sentences in two 2008 cases against Gonzalez, 28, a Cuban-American, who was born in Miami, where he lived when the crimes were committed.

Check out the article – [IDG News Service]

Are You Ready For PCI 2010?

I’d like to share some key deadlines with you so that you are aware of what is going on with PCI this year. This information comes from an article I read in Bank Technology News from Bruce Rutherford, chairman of the PCI Security Standards Council.

November 2009 – April 2010: PCI DSS and PA-DSS feedback review process.

March: Council shares summary of feedback with market.

Late April: New PIN transaction security (PTS) standard released (formerly PIN Entry Device (PED) Standard).

Spring: Council shares framework on emerging technologies, and the first piece of guidance.

Early summer: Summary of proposed changes to the DSS provided to participating organizations and market.

May-September: New version/revision and final review.

September 21-23: 2010 US community meeting in Orlando.

October 18-20: 2010 European community meeting in Barcelona.

October 2010: Next iteration of both PCI DSS and PA-DSS released to public.

This year’s events follow the defined 24-month lifecycle of the PCI standards. The lifecycle ensures a gradual, phased use of new versions of the standard without invalidating current implementations of the standards or putting any organization out of compliance the moment changes are published.

Security Breach Notices for Canadian Data by W. Scott Blackmer

Great information from the Information Law Group as usual. If you don’t follow their blog, you are truly missing out on a lot of good information. If you’re interested in following these guys, links to their blog and Twitter page are below.

There’s some Canadian data on that lost laptop or hacked server. Do you have to notify individuals or authorities in Canada, as you are often required to do in the United States?

The US model of security breach notice laws has not been widely emulated abroad, although several jurisdictions are considering similar measures. Nevertheless, a duty to give notice of significant security breaches has been inferred in some cases from general principles found in comprehensive privacy and data protection laws in Europe, Canada, Japan, and elsewhere. Privacy commissioners in Canada have applied such general principles in publishing guidelines for companies suffering a data leak involving personal information. In addition, the province of Ontario expressly requires notice to individuals if their personal health information is compromised.

Check out the entire article – [Information Law Group]

Blog – http://www.infolawgroup.com/

Twitter – http://www.twitter.com/infolawgroup

Google Releases Skipfish Application Security Scanner


Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

It appears, however, that Skipfish is not meant to be a replacement for commercial scanners. Google says in the documentation that the scanner doesn’t meet many of the evaluation criteria set out by the Web Application Security Consortium for such scanners, and also lacks an “extensive database of known vulnerabilities for banner-type checks.”

The Security Pub Poll

It’s that time again to take another poll. This one asks whether you’re concerned about users accessing social networking sites like Facebook, Twitter and many others. Please choose the answer that is most appropriate and then leave a comment as to why you’re concerned. A comment could be something like: “I’m very concerned company information could be leaked out.”
