News

By “liking” ex-girlfriend’s Facebook pics, man may have violated protective order

Days after judge forbade contact with ex-girlfriend, Justin Bellanco back in court.

PCI-DSS 3.0 Security Now Officially a Standard

After months of review and years in development, a new iteration of the Payment Card Industry Data Security Standard is ready for deployment. The Payment Card Industry Data Security Standard (PCI-DSS) 3.0 is now officially a global standard and with it come a host of new security requirements and guidance that aim to make electronic payment infrastructure more secure. Bob Russo, Payment Card Industry Security Standards Council (PCI SSC) general manager, told eWEEK that over the last few months as his organization has been discussing the new standard with its members, the response has been very positive.

The PCI SSC started to publicly promote and discuss the new PCI-DSS 3.0 standard in August.

The new standard places renewed emphasis on continuous security monitoring and clarifies the rules that merchants will need to comply with to be PCI-certified. "A lot of companies are already doing most of what's in PCI-DSS 3.0 as there really isn't very much that is actually different in many areas," Russo said. "It's a lot of re-emphasis in the areas that merchants need to make commonplace, rather than just treating security compliance as a once-a-year event."

That said, there are some items that Russo expects will cause merchants some angst, as more work will be required. Most of those new areas that require more work are initially being labeled as best practices by the PCI-DSS 3.0 standard and are not required for full certification until Jan. 15, 2015. One of the new best practices that will not be required until 2015, Troy Leach, CTO of PCI SSC, told eWEEK, is a need for agreements between merchants and third-party service providers about the responsibilities of protecting cardholder data. Another area that will be an initial best practice is requirement 9.9, which stipulates further requirements around the inspection of physical security and protection for payment terminals.

Proper Malware Detection

One of the requirements in PCI-DSS 3.0 that merchants will need to comply with in 2013 is to have proper malware detection. Requirement 5.1.2 has been added to make sure that merchants and anyone handling payment card data have a good risk management process in place for handling malware. "In the past, a merchant might have said they had a mainframe or were using Linux and they couldn't put antivirus software on the system as there are few, if any, Linux viruses," Leach said. The new 5.1.2 requirement recognizes that threats are likely to evolve and merchants need to be diligent, he said.

"It's not just that the PCI standard explicitly says that a merchant should or shouldn't install anti-malware; it's more about making sure there is a malware risk management process in place," Leach said.

Passwords

Throughout the PCI-DSS 3.0 standard, there is an emphasis on providing more flexibility for security controls to be met in different and evolving ways, and that includes password complexity, according to Leach. "Previously, the language in PCI was that passwords needed to be a seven-character or greater, alpha-numeric combination," Leach said. "We recognized that there might now be other means to have an equivalent type of value in the integrity of the authentication, so it might not just be a password; merchants could also use a passphrase."

What's Next?

PCI-DSS 3.0 is now an official standard, and it becomes effective for implementation in January 2014, according to Russo.

There was a three-year time span between the PCI-DSS 2.0 standard and 3.0, he said, and it will likely be another three years until PCI-DSS 4.0 comes out. That doesn't mean the standard is standing still for the next three years. Russo said that errata documents are likely to be published, as well as additional documentation and frequently asked questions (FAQs) about certain requirements. The goal of PCI-DSS is to secure the payment card industry, and Russo said that a key metric for the success of the PCI-DSS 3.0 standard will be a reduction in data breaches. "If we happen to see a large data breach, we will immediately look to see if there is something in the standard that needs to be addressed, or something new that we need to add," Russo said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Point-and-pwn tool for posers dumbs down ransomware spreading

I'm Guybrush Threepwood, mighty hacker

Spreading ransomware has become a point-and-click exercise following the release of a file-scrambling malware interface for unskilled wannabe cybercrooks.…

Verizon’s $70 gigabit Internet is half the price of older 750Mbps...

FiOS customers on 750Mbps plan will get speed boost and automatic price cut.

After Snowden, Australia’s cops worry about people using crypto

Proposal for reform has state police asking for Web browsing history, too.

Five arrested in crackdown on bogus UK government websites

The National Trading Standards eCrime Team has arrested five people in a crackdown on bogus government websites. The operation has shut down at least 25 fraudulent websites set up to defraud UK citizens by tricking them into paying for services that cost less or are free of charge through official government sites. The fraudsters are targeting government services relating to tax returns, passports, driving licences and tests, car tax discs and European health insurance cards. The crackdown comes after more than 5,000 complaints were made to the Citizens Advice Bureau in 2013 and 700 were made to the Advertising Standards Authority (ASA).

“Our eCrime team is clamping down on the cyber fraudsters behind these websites and we are making it as difficult as possible for these online hoaxers to operate,” said Toby Harris, chair of the National Trading Standards Board (NTSB). “We have been working with search engines such as Google and Bing to remove adverts from online search results and we continue to gather intelligence across the country to help tackle this issue,” he said.

Copycat web features

The NTSB is urging UK citizens to avoid unofficial websites because of the risk of fraud and identity theft by using only government services found on the Gov.uk website. The bogus websites often use addresses that include elements such as "govuk", "directgov" or relevant organisation names to make them appear as official providers of certain services. Similar design features are incorporated to replicate the look and feel of official service websites. The NTSB has appealed to anyone discovering a copycat government website to report it to the Citizens Advice consumer service on 03454 040506.

How to avoid fraud

Martin Lewis, creator of MoneySavingExpert, said users of government services online need to be vigilant not to be tricked by copycat sites.

“I have lost count of the number of people who contact me upset and want to know how to get their cash back, but generally that is very difficult.

“To avoid being duped, go to Gov.uk to search for the required service instead of using search engines,” he said.

Minister for the Cabinet Office Francis Maude said the UK is a world leader in digital reform, and the government will do everything necessary to clamp down on websites that mislead users of government services. “We’ve streamlined our services onto the award-winning Gov.uk to ensure there is one government website that people can trust and to make things easier for users,” he said.

In June 2014, the government announced £200m of savings made using technology in the past year. The bulk of the savings were ascribed to improvements in government’s digital services through moving websites to GOV.UK and introducing online transaction services. The Government Digital Service is mid-way through a transformation programme to move 25 of the most-used government services online.

NTSB educational video on copycat websites

Jeremiah Grossman: Focus on ransomware, SDLC, and endpoints

With so many elements in information security -- application, network infrastructure, the endpoint, perimeter defenses, and data-centric approaches -- it's easy to fall into the trap of touting one as more important than the other. But it's a mistake to consider information security as a series of silos when it's actually an intersection of different areas. That overlap is most evident with application and endpoint security.

For Jeremiah Grossman, the new chief security strategist at security vendor Sentinel One, application security and endpoint security are just different steps in the kill chain. As the founder and former CTO of the consultancy WhiteHat Security, Grossman has been the go-to expert for web application security for years, and his new focus on endpoint security at Sentinel One does not mean that he has given up on securing web applications.

"From an adversary kill-chain perspective, if we can get the bad guys not to be able to break into the website, great, let's do that. But if we can't, let's make sure that if the system gets compromised and malware is on it, we can detect it really, really quickly and stop it, or eradicate it," Grossman said.

Many of the latest data breaches began with the adversaries exploiting a vulnerability in a web application, and then pivoting in the network to find other vulnerabilities and weaknesses. The web application is the doorway, but the actual attack happens on the endpoint, whether that's valuable data stored in a database or, in the case of ransomware, documents that could be locked up to demand ransom. Web application security and endpoint security are intricately tied up together, he said.

Back in 2001, when Grossman first started working on web application security, cross-site scripting flaws and SQL-injection errors were rampant, with pretty much every website affected. Fast-forward to 2016, and such attacks are incredibly rare among major sites. Cross-site scripting and SQL injection still exist on many websites, but they are no longer as widespread.

App security still matters, but SDLC has to be done judiciously

Information security professionals frequently talk about inserting security throughout the SDLC (software development lifecycle): Developers adopt secure coding principles and perform regular testing to catch and fix bugs before the application goes to production. The SDLC is a good thing, and more organizations need to adopt the secure development mindset. But it isn't practical to demand all existing applications be rewritten under the SDLC. Legacy software, which powers the majority of the web and is installed on billions of endpoints around the world, has vulnerabilities. Fixing those flaws is part of what Grossman calls "legacy janitorial work." No company can shoulder the cost of rewriting all their applications and starting over with a secure coding mindset. And then there are all the open source projects out there for which there's often no one to shoulder any such legacy janitorial work.

Microsoft is frequently touted as the poster child for how SDLC makes a difference, but that's an interesting -- and possibly unrepeatable -- case, Grossman said. The Microsoft that said it was going to start over and make its applications more secure was a monopoly, dominated the industry, had strong market share, and had "multiple billions" in the bank to spend on the effort, he noted. That's not the case for most companies faced with the prospect of revamping their software portfolio. And today, a decade after Microsoft made that commitment, Microsoft itself likely couldn't make that commitment. "No one's going to disagree that the later versions of Windows, from Windows 7 to now, are solid. Microsoft did really good work. But what was the ROI for Microsoft in that?" Grossman said.

Instead of trying to revamp all the software, the effort should be two-pronged: 1) improve the process for remediating vulnerabilities as they are found, and 2) run new code, or actively managed code, through the SDLC. That doesn't mean just incorporating SDLC elements, but also assessing the effectiveness of the new practices. "After you do a whole bunch of SDLC stuff, does the software actually come out more secure? If so, by how much? And is it worth it?" Grossman said.

Security investments aren't going where they're most needed

The industry has made progress finding vulnerabilities, but the immensity of the web -- at a billion-plus websites strong -- means the cleanup effort is going to take a lot of time and resources. That means there will be more compromises, attacks, and infections in the meantime. While the industry focuses its efforts on fixing vulnerabilities and writing new code, there has to be a parallel effort to improve endpoint security to block the adversaries. "You could compromise a company just by sending an email. That's a pretty attractive route" for criminals, Grossman said.

"The spending models are all backward," Grossman said. Enterprises spend most of their IT budgets on software, followed by endpoints, and very little on networks, whereas the lion's share of the IT security budget goes to perimeter defenses, such as firewalls and endpoint security, and very little is spent on software.

Ransomware must be tackled now, before it's too late

Organizations need to look at what the adversaries are doing and allocate efforts and funding accordingly. And right now, the adversaries are looking at ransomware. The FBI has estimated payments of $23 million to $25 million were made to ransomware gangs in 2015, but that figure has ballooned to more than $200 million in the first quarter of 2016 alone. That's a staggering growth rate, especially since the latest research indicates ransomware still accounts for less than 5 percent of overall malware attacks. While ransomware itself might not account for a big portion of the overall malware scourge, it is a serious problem, and creative minds need to start thinking of new methods and techniques to detect and foil these infections.

"While we're still going to have the big malware problem overall, we're going to have another one in the form of ransomware," Grossman predicted. Worse, it's not as if the general malware problem has been solved: Despite the roughly $8 billion to $12 billion spent annually fighting malware, malware is rampant, he said.

Still, the latest anti-ransomware efforts, such as what Grossman will work on as part of his new role at Sentinel One, are an opportunity for information security professionals to get ahead of a problem before it becomes entrenched. There's no need to wait for ransomware to get bigger as a problem before coming up with new solutions. "We always seem to be ambulance chasers. But ransomware, we can see it coming. It's right there," Grossman said. Grossman believes ransomware will be a billion-dollar market by 2018, and at that point it will be too late to do something about it. "We can fight an uphill battle, but for those who want to get ahead of it, we can do it now," Grossman said.

The web is too valuable not to actively protect

Many in the security industry, whether they came into the field by design or by accident, view the work as a calling. The web is the "greatest invention we'll see in our lifetime," said Grossman, who called it his mission to protect it and the billions of people using it every day. Whether that's endpoint security or fixing vulnerabilities in web applications, the end result is the same. "I want to be able to protect people, protect websites, protect the web. It's that important. We're all using it today," he said.

Surprising Trends Emerge in Threat Landscape

In a new M-Trends report, Mandiant provides insight into the overall threat landscape, including a look at some surprising trends.

VU#525132: Foscam IP camera authentication bypass vulnerability

The FI8910W Foscam IP camera running firmware version 11.37.2.54 fails to properly authenticate users.

After months of silence from feds on flying phone surveillance, EFF...

Since WSJ report on "dirtboxes" flown by US Marshals, few details have come out.

The Moose is loose: Linux-based worm turns routers into social network...

Malware can infect IoT devices—including medical devices—with weak authentication.

Merriam Webster updates tech word list—and you will believe which ones...

Includes "net neutrality" and "EpiPen"; still on the sidelines about how to say "GIF."