New Varonis eBook Helps You Hacker-Proof Passwords and Other Credentials

Are you really who you claim to be? That’s the key question that authentication tries to solve. NTLM, Kerberos, one-way hashing, challenge-response protocols, and two-factor authentication are just some of the technologies that have been developed to prove user identities and foil intruders. In recent years though, hackers have become far cleverer about getting around…

How to Be Your Own Best Password Generator

Let’s face it, people: we’re bad at coming up with our own passwords. They’re too short, too obvious, and hackers have gotten very good at breaking them, either by outright guessing or by looking up password hashes in large pre-computed tables. How bad are our collective password-making abilities? You can see for yourself. After the epic…

PoS Malware Mitigation Advice from the Pros

There’s still much we don’t know about the attacks that targeted retailers’ PoS systems over the last year. We do know for certain that Backoff, BlackPOS, and their variants were used as the RAM-scraping software, and that the hackers had considerable time to remove or exfiltrate the data. But there are still questions about how…

The Worst Assumption You Can Make About Healthcare Information

There’s a common misconception that HIPAA only applies to database records. It’s somewhat understandable because “health record” is used frequently on the Health and Human Services (HHS) web site. However, if you read the actual language of HIPAA more closely, you’ll see that the rules cover protected health information (PHI) in any electronic format. Have…

PoS Cyber Attack Insight: Malware Isn’t What You Think It Is

As headlines over the last few months have shown, hackers are becoming more and more resourceful at getting through corporate firewalls to directly attack retail terminals and back-end PoS servers. If IT can’t stop them from getting through the front door, is there a second line of defense to, at a minimum, contain the cyber-thieves…

Driving a Stake through Backoff and other PoS Malware

Despite a US-CERT warning and several well-publicized hacking incidents over the summer, Backoff malware continues to add new corporate victims. Krebs has been on the case and has more details on the most recent attacks against two well-known brands. The government warning pointed out that anti-virus vendors may not have the latest signatures for…

Getting Ready for PCI DSS 3.0 and Beyond: A New Focus on Testing

To get a sense of where the PCI Data Security Standard (DSS) is heading, it helps to take a look beyond the actual language in the requirements. In August, PCI published a DSS 3.0 best practices document that provided additional context for the 12 DSS requirements and their almost 300 sub-controls. It’s well worth looking at. The…

PCI Penetration Testing and Vulnerability Scanning: There’s Room for Improvement

One of the criticisms against PCI DSS is that it isn’t keeping up with the dynamic threat environment. As we all know, phishing, APTs, and PoS malware have been especially effective in the retail sector. The Verizon PCI report I mentioned in my last post has some revealing data as to why this may be…

State of PCI Compliance: Verizon Report Tracks Highs and Lows

In addition to publishing the Metadata Era’s favorite source for hacking stats, Verizon also has a separate survey on PCI Data Security Standard (DSS) compliance. Since 2009, Verizon and its associated QSA testers have done 4,000 assessments of mostly large multi-national companies. With the recent high-profile credit card number heists, it’s a particularly opportune time…

FTC Says Do the Reasonable Security Thing

Metadata Era readers know the FTC has become the de facto enforcer of data privacy and security protection. When there aren’t specific laws to apply, it uses the broad powers given to it by Congress, back in the earlier part of the last century, to prohibit “unfair or deceptive acts or practices” in the digital realm. A…