Old vs New: A Comparison of Magnetic Stripe and Chip-and-PIN
I was doing some poking around on the internet recently, reading various stories about different network breaches and loss of credit card numbers and I was reminded of the semi-recent Target breach and how they're making a push to switch to chip-and-PIN cards. This made me think it would be a good idea to do a a write up on the differences between chip-and-PIN and traditional magnetic stripe credit cards.
Passwords & Underpants
I don't know how I missed it before, but I stumbled upon a little InfoSec analogy that has been floating around for a while now. It goes a little something like this: "Passwords are like underpants...". They then proceed to list all the things that passwords and underwear have in common.
Q.E.D Is Fast Approaching
We are getting excited around here for the first ever QSA Educational Discussion! This is going to be a great event to hone your PCI compliance skills, get answers to those complex compliance questions and PCI DSS interpretations.
I Have Vulnerabilities On My LAN. So What?!
During the course of my penetration testing engagements (where I pretend I'm a malicious user and attempt to do naughty things on the network), I usually see or detect many vulnerabilities that are typically not found on the public internet. These vulnerabilities range from a small information disclosure (yawn) to full remote code execution (OH YES!) and of course everything in between. As a good security professional, my recommendations are to fix every single vulnerability found. This would exclude vulns that exist due to a specific business need, such as legacy systems or applications, or other legitimate reasons. When I suggest that we fix all of them, I often receive pushback from IT staff and sometimes even the stakeholders.
Microsoft My Bulletins & PCI Compliance
Microsoft just released a new tool for their Security TechCenter. Its a pretty straight-forward service called My Bulletins [^1]. Basically it provides a customized dashboard to present Microsoft security bulletins. The nice thing is that you can customize the dashboard to only receive notices for those Microsoft products you use and care about.