Friday, January 28, 2011

Level 2 Schools (And Maybe Everybody Else) - Read This

The PCI Council now has the full schedule of Independent Security Assessor training on its website (click here to view). Why is this important to all Level 2 Higher Ed institutions? Because under the new MasterCard validation requirements, you either have to have an ISA sign your Self-Assessment Questionnaire (SAQ), or you get to hire a QSA (did I give you my email???) to do it. And as everybody knows, if you are Level 2 for Visa, you are Level 2 for MasterCard even if you have only 1 transaction on that card.

It is great the Council has published the full 2011 schedule. Now you can plan which will be the best one for you. I recommend you surf over and have a look. The ISA training is a bit different this year:

Beginning in 2011 the New ISA training course will have a new look and feel to it to accommodate many of the suggestions the Council has received on the course. The course will consist of two parts: an on-line course followed by a short exam and a two-day instructor-led session ending with an exam.

You should note that only five of the courses are in the US. The others are in cities worldwide, so depending on your budget you can choose between San Diego and Sydney. There are some basic requirements to qualify for the training, and you can learn all that at the PCI Council's website.

The training is not free: $2,595 for schools that are not Participating Organizations, and $1,595 for those that are. Yet another benefit for those Higher Ed institutions that become POs.

Speaking of price, did I mention that the Treasury Institute's PCI Workshop costs a fraction of this? Granted, you don't get the two-day in-depth training on every requirement, and you don't get the ISA certification. (Yeah, it's a shameless plug, but what do you expect on the Institute's own blog!?!)

More and more large institutions are finding that they are Level 2 merchants (over 1 million Visa or M/C transactions per year), and that they have a new PCI validation regime this year. I know this from my own experience with some of these institutions. If this describes your situation, you might want to take a look at this training.

Thursday, January 27, 2011

2011 PCI Workshop Agenda now Online

The agenda for the Treasury Institute's PCI Workshop is now available online at the Institute's website (click here). This is a unique opportunity exclusively for and by Higher Education institutions. NACUBO's support and participation are also valuable in putting on this workshop.

You can register online. I hope to see many of you there! It is a great opportunity to hear great industry and Higher Ed speakers, and a super place to network with your colleagues at other institutions who face the same challenges as you do.

Thanks go to the sponsors: Nelnet Business Solutions; TouchNet; Higher One Payments; CampusGuard; and Fifth Third Bank Processing Solutions. Because of their support, the Institute has been able to keep the workshop price the same for the past three years.

Thursday, January 13, 2011

Is Your Website Hacked?

A report today in ThreatPost identifies a number of university websites that have been hacked to redirect visitors to sites hosted by some bad guys.

The Web sites of some of the nation's top universities were discovered to be serving up links to bogus online stores offering everything from popular software by Microsoft to student visas and Viagra, according to a report from security firm Zscaler. Portions of Websites belonging to Harvard University, The Massachusetts Institute of Technology (MIT) and Stanford University were found to be redirecting visitors to phony online Web "stores," using multiple languages, that claim to sell software and other goods at discounted prices. The hijacked Web sites have relatively high search engine rankings, which are used to promote the phony Web stores in search results, Zscaler said.

Other sites were similarly compromised including some commercial and government ones. The pattern was the same: redirecting visitors to phony store sites.

How is your school's website doing? It may be worth a look.
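One way to take that look is to scan a saved copy of a page for the two symptoms the report describes: off-site links hidden with CSS (the injected "store" links that feed the search-engine rankings) and redirects to an external domain, whether by meta refresh or inline JavaScript. The script below is an added example, not code from the original post or from the ThreatPost/Zscaler report; the sample HTML, the hostnames and the CSS patterns it treats as "hidden" are constructed for illustration, and a real page would be fetched and passed to `scan()` in the same way.

```python
"""Flag signs of injected SEO spam in a page: hidden off-site links and
redirects (meta refresh / inline JavaScript) to an external domain.
Standard library only; runs offline against the constructed sample."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a university page with an injected hidden link block,
# an injected meta-refresh and an injected JS redirect. Hostnames are placeholders.
SAMPLE_HTML = """
<html><head><title>Department of Physics</title>
<meta http-equiv="refresh" content="0;url=http://cheap-software-store.example/">
</head><body>
<a href="/research">Research</a>
<a href="https://www.university.example/admissions">Admissions</a>
<div style="position:absolute; left:-9999px">
  <a href="http://cheap-software-store.example/office">buy cheap software</a>
  <a href="http://pharmacy-deals.example/">discount pills</a>
</div>
<script>window.location.href = "http://cheap-software-store.example/";</script>
</body></html>
"""

# CSS tricks commonly used to keep injected links out of a visitor's sight
# while search engines still index them (constructed, non-exhaustive list).
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px|font-size\s*:\s*0",
    re.I)
JS_REDIRECT = re.compile(r"""location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)
META_REFRESH = re.compile(r"url\s*=\s*([^\s;]+)", re.I)
VOID_TAGS = {"meta", "br", "img", "input", "link", "hr"}  # never pushed on the stack


def is_external(url, site_host):
    """True when the URL points at a host other than the site being checked."""
    host = urlparse(url).hostname
    return host is not None and host.lower() != site_host.lower()


class SpamScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []      # (kind, url) tuples in document order
        self.stack = []         # (tag, hidden_by_css) for open elements
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_CSS.search(a.get("style") or ""))
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH.search(a.get("content") or "")
            if m and is_external(m.group(1), self.site_host):
                self.findings.append(("meta-refresh", m.group(1)))
        if tag == "a":
            href = a.get("href") or ""
            # An off-site link is only suspicious here if it is hidden,
            # either on the <a> itself or on any enclosing element.
            if is_external(href, self.site_host) and (hidden or any(h for _, h in self.stack)):
                self.findings.append(("hidden-link", href))
        if tag == "script":
            self.in_script = True
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        # Pop back to the matching open tag; tolerates sloppy or injected markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.in_script:
            for m in JS_REDIRECT.finditer(data):
                if is_external(m.group(1), self.site_host):
                    self.findings.append(("js-redirect", m.group(1)))


def scan(html, site_host):
    """Return a list of (kind, url) findings for the page served by site_host."""
    parser = SpamScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, url in scan(SAMPLE_HTML, "www.university.example"):
        print(f"{kind:13} {url}")
```

Visible off-site links are deliberately left alone, since a legitimate page links out all the time; it is the combination of hidden placement or an unconditional redirect with an external destination that matches the pattern in the report. Content served only to search-engine crawlers cannot be seen this way, so fetching the page with a crawler User-Agent as well and comparing the two results is a worthwhile follow-up.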

Tuesday, January 4, 2011

"The Best PCI Presentation...Ever"...Sort of

As I look forward to the upcoming PCI Workshop for Higher Ed institutions (click here to learn more and register!) I am reminded of last year's very strong agenda and great presenters. In particular, I recall Anton Chuvakin's The Spirit of PCI. In case you missed it (or just somehow forgot), he first unveiled his famous "kitten" line...sorry, you'll have to go to Anton's site to see it.

Speaking of the workshop, I am still looking for a presenter or two, especially from a smaller institution. If you think you have a good story to share with your peers, shoot me an email and let's discuss.

In the meantime, start making your plans to join us May 9-11 in Indianapolis.

You Have Lost Control of Your Data

I recommend that if you have anything to do with protecting cardholder data -- or any sensitive personal data -- that you read this post at Securosis. It deals with the reality that business needs will trump security any day of the week. I and others have addressed this topic lots of times in lots of places, but this one post captures the heart of the matter:

First let's point out the elephant in the room: Control. If you feel the need to control your end-user computing environment you are in the wrong profession. The good old days of dictating devices, platforms, and applications are gone -- along with the KGB interrogation lights. You may have missed the obituary, but control of devices was pretty well staked through the heart by the advent of cool iDevices. Yes, I'm talking about iPhones, iPads, Androids, and Palms. OK, Palm not so much, but certainly the others. Some smart IT folks realized, when the CEO called and said she had an iPad and needed to get her email and look at those deal documents, that we were entering a different world.

Lots of folks are calling this consumerization, which is fine. Just like anything else, it needs a name, but to me this is really just a clear indication that we have lost control. But you don't have to accept it. You can try to find a job with one of the five or ten government agencies that can still dictate their computing environment (and good luck as they move all your stuff to the cloud). But the rest of us need to accept that our employees will be bringing their own devices onto the network, and we can't stop them.

Even if you don't read the whole post, just have a look at the Data Loss paragraphs. As my friend Anton Chuvakin is fond of saying, read it for "its sheer awesomeness."

Monday, January 3, 2011

Beware E-Cards!

I saw two recent reports of malicious email containing innocuous-looking e-cards that reinforce a basic rule that should be part of every organization's security training: Do not ever, EVER click on any attachment (particularly an e-card) unless you are expecting it.

A number of people who should have known better didn't follow this advice. Read on...

In the first case, Krebs on Security reports on a fake Christmas card that appeared to come from the White House and led to gigabytes of sensitive files being uploaded to a server in Belarus. Merry Christmas, indeed. The card read, in part:

"As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we're profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission."

Recipients who clicked the links and opened the file were infected with a ZeuS Trojan variant that steals passwords and documents and uploads them to a server in Belarus. The bad guys managed to collect more than 2 gigabytes of PDFs, Microsoft Word and Excel documents from dozens of victims. According to Krebs on Security, among those who fell for the scam e-mail were:

- An employee at the National Science Foundation's Office of Cyber Infrastructure.

- An intelligence analyst with the Massachusetts State Police, who gave up dozens of documents that appear to be records of court-ordered cell phone intercepts.

- An unidentified employee at the Financial Action Task Force, an intergovernmental body dedicated to the development and promotion of national and international policies to combat money laundering and terrorist financing.

- An employee at the Millennium Challenge Corporation, a federal agency set up to provide foreign aid for development projects in 15 countries in Africa, Central America and other regions.

There certainly were others. You can read all the details here.

The second case is reported in Threatpost and describes an attack that recently emerged and is (again!) sending millions of emails that appear to be holiday e-cards. The messages are all short and similar to this:

Tom has created a New Year ecard.

To view this page please click here:

This message will be stored for 14 days.

Unsuspecting (or untrained) victims who clicked the link in the email were sent to one of a number of compromised domains, which then redirected them to a page asking them to download a fake Flash player. This, of course, installs malware on the victim's machine.

You can read the full account here.

The bottom line from both these stories is that your sensitive data are only as secure as the least trained user. Remember that when you plan your PCI training for campus merchants and administrators.

In fact, this might be a pretty good lesson for everyone on campus who has email.