Security

Gone in 60 Seconds – Lessons Learned and Pointers from my Smash-and-Grab

It’s probably because I insulted the city of Oakland by saying in a recent Facebook post that the Oakland Coliseum was post-apocalyptic that karma came knocking at the door, or to be more exact, came smashing through the rental car window and stole my backpack (which had my laptop) during the time it took to purchase my coffee at Starbucks. Since I’m pretty paranoid about these things – after all, it’s something I do for a living – I figured I’d parlay this experience into something that may help you either avoid the situation – or at least minimize the impact.

By Steve Levinson on Nov 2, 2015 9:58:48 AM
Security

Can you Avoid Becoming the Latest Security De-pants Victim?

Visa recently issued a Security Alert to merchants, acquirers, and point of sale (POS) integrators discussing the most recent attack vector used (successfully) by miscreants to gain access to critical systems – in this case, POS systems. This posting is not only to provide a high level synopsis of that notification, but also to provide general advice to help prevent this type of attack, and to assist you in providing ongoing user awareness training so that your company’s employees can remain vigilant. In short, criminals are using social engineering techniques to trick users into clicking on a link – one of the oldest tricks in the book, but the criminals are becoming increasingly convincing in their ability to trick people into believing it’s the real thing. In this case, the criminals are focusing on the management remote access vectors (e.g., LogMeIn, PCAnywhere) to obtain credentials, and then using those credentials to gain access to POS systems and install malware such as RAM-scraping software to obtain cardholder data.

By Steve Levinson on Jun 9, 2015 11:12:11 AM
Security

Just a few Steps Away From PCI Nirvana?

My team and I have delivered or participated in several hundred, if not more, PCI assessments over the past ten years. I find that the PCI DSS has matured nicely as the PCI Council has done a great job of toeing the fine line between creating a standard that is both relevant and reasonable. The standard continues to evolve to address the latest threats and issues, and overall is one of the most detailed, prescriptive, and well-defined security frameworks in existence. That said, there are a few potential loophole areas that I would consider to be opportunities for improvement. This blog post is based on dozens of discussions with my peers (hey, when you’re on the road a lot, sometimes dinner conversations turn to information security or PCI!). I wouldn’t be surprised to see some variations of these loopholes addressed in future versions of the PCI DSS.

By Steve Levinson on Feb 24, 2015 9:55:01 AM
Security

What Good is a Steel Door with a Cheap Lock?

It seems hardly a few weeks pass by without yet another breach being announced. And it’s not just the big companies – smaller ones are targets as well. Attackers have become increasingly sophisticated in their methodologies while maintaining a high level of determination and perseverance to walk away with the trophy (compromised data) time after time. One common factor in almost all of these attacks has been the attackers’ ability to capture administrative credentials – once this has taken place, the probability of the attacker pilfering valuable data increases dramatically. What can organizations do to address this?

By Steve Levinson on Jan 26, 2015 4:51:27 PM
Security

Who is Your Nigerian Prince THIS Week?

For the longest time, when people discussed “Social Engineering” in the IT security arena, it was equated to schmoozing your way past the guard, or calling the Helpdesk to get a password. Social Engineers like Kevin Mitnick have been amazingly successful in working these angles to get inside hundreds, if not more, of applications and systems. But that was so 20th century – it didn’t scale well. As our connectivity to Everything Internet has become ubiquitous, there’s been a dramatic increase in the opportunity to exploit blissfully ignorant people. We’ve gone from being small fishing villages to one big huge phishing city!

By Steve Levinson on Dec 5, 2014 3:11:58 PM
Security

The Manifesto

This blog post is a culmination of dozens – no, hundreds – of discussions with clients, partners, and above all else, my awesome colleagues about the magic behind successful consulting. While some of these topics apply primarily to the art of security consulting, many of them transcend industry boundaries and apply to life in general. They are not presented in any particular order as some musings will resonate differently with each reader.

By Steve Levinson on Oct 10, 2014 3:10:01 PM
Security

Are You Just Going Through the Motions for Your Risk Assessment?

I’ve had dozens of discussions with our clients over the past decade to help them determine if they are doing a reasonable job in evaluating risk in their PCI environment (note – you can replace “PCI” with “any data/critical assets that you care about”). Over the course of participating in hundreds of PCI assessments, we have noticed that many companies’ risk assessment processes have been maturing nicely. Many moons ago, it was rather common for clients to ask, tongue in cheek, “Well, doesn’t the PCI assessment count as a formal risk assessment?” (The answer then was, tongue in cheek, “No… but…”) The general mindset evolved over the next several years to “Well, we have our auditor come in each year to perform a SAS70 (now SSAE16) audit; surely that should count for something.” Unfortunately, while these audits are quite useful, they are more apt to let the world know the degree to which you adhere to your documented processes and focus less on risk to the enterprise. About 18 months ago, the PCI Risk Assessment SIG released some helpful guidelines pertaining to risk assessments, and I blogged about it then. While this was helpful information, it perhaps was not as prescriptive as many of us had hoped, so this blog post is to provide recommendations towards a good grass roots risk assessment with a little flair towards PCI (since the 3.0 version of the standard has specific call-outs).

By Steve Levinson on Jul 2, 2014 5:26:47 PM
Security

OpenSSL is More “Open” Than we Thought! Is Your Data Safe?

In the Internet we Trust. At least we used to. Given today’s announcement that the “Heartbleed” bug exposes vulnerabilities in the mechanisms that we’ve relied upon for protecting sensitive information on the web (think passwords, credit card numbers, ANYTHING that is entered on a website), it is cause for immediate concern. In layman’s terms, this vulnerability allows an attacker to read (capture) the memory of web servers running particular versions of OpenSSL, a cryptographic software library, potentially exposing the very data that OpenSSL was supposed to protect in the first place. The scary thing about this vulnerability is that, if it goes unaddressed, there is no way to know whether an attacker has compromised sensitive information from the web server. This post provides information to help organizations, as well as consumers, better understand and address this issue.

By Steve Levinson on Apr 9, 2014 12:00:10 PM
Security

Will the (XP) World End on April 8?

As most folks know, Microsoft’s flagship operating system, Windows XP, is going end-of-life as of April 8. Given the fact that about one out of every three computers runs this OS, there may be some strong ramifications for those who opt for the “do nothing” alternative. If you are running this operating system, you may not be vulnerable the day that it goes end-of-life, but as soon as there is a known vulnerability and if you HAVEN’T done anything to address it, most people (and most likely a jury if you were to find yourself trying to explain your inactions to one) would find you negligent in exercising your due diligence to adequately address these issues.

By Steve Levinson on Mar 19, 2014 3:50:33 PM
Security

BlackPOS Down – Takeaways from Target Breach, and What You can do to be Proactive

As most of the world is aware by now, the recent credit card breach at Target (between November 27 and December 15) netted the attackers 40 million credit and debit cards, as well as personal information, such as phone numbers and addresses, of as many as 70 million more. For a few very long weeks, there was scant information about the attack vector and the malware involved with the attack. This posting is a follow-up to my recent posting where the community was taking stabs in the dark to determine how the attack took place. Well, wait no longer – this post provides further details about the attack vector, my thoughts as to why it was successful, and most importantly, what you can do to learn from this attack and to begin implementing controls that would thwart similar attacks in the future.

By Steve Levinson on Jan 21, 2014 10:04:14 AM