Friday, May 21, 2010

Memory Sticks Complete with Pre-Loaded Malware

Following is an excerpt from a letter (see here) IBM had to send to recent trade show attendees:

Dear AusCERT Delegate,

At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth. Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected.

The malware is detected by the majority of current Anti Virus products [as at 20/05/2010] and been known since 2008.The malware is known by a number of names and is contained in the setup.exe and autorun.ini files. It is spread when the infected USB device is inserted into a Microsoft Windows workstation or server whereby the setup.exe and autorun.ini files run automatically.

Please do not use the USB key, and we ask that you return it to IBM at Reply Paid 120, PO Box 400, West Pennant Hills 2120.

If you have inserted the USB device into your Microsoft Windows machine, we suggest that you contact your IT administrator for assessment, remediation and removal, or you may want to take the precaution of performing the steps below.


Now you know why I never, NEVER keep the ubiquitous memory sticks (aka, flash drives) vendors distribute at trade shows. You might want to adopt the same policy. "Free" can be very expensive.

Now, I wonder if the same people who manufacture the flash drives also make POS terminals...

Thursday, May 20, 2010

Advice for Keeping Your PC (or Mac) Safe

We all know the Internet is a dangerous place. In case you might harbor any doubts, take a look at this article in today's New York Times describing how to keep the bad guys away from your PC.

The suggestions/recommendations are:
  • Protect your browser. If you run Firefox, get NoScript (personal recommendation).
  • Download the Adobe updates as they come in, and the sooner the better. PDFs are an increasingly common vector for malware, so keep things patched.
  • Don't click on malicious ads. Duh...How about: Don't click on ANY ads!?! And especially, ESPECIALLY don't click on any pop-up telling you that your computer is infected and you need to upgrade your anti-virus. Check with your IT or security department -- that's what they do for a living, and most neither need nor want our help.
  • Watch out for poisoned search results. After every disaster, celebrity dust-up, or major news story hundreds of sits spring up with similar-looking URLs to lure you to a site loaded with malware. The bad guys know how to tweak the search engine results, so steer clear of one-off sites.
  • Keep away from social exhibitionism -- er, networking -- sites using any computer that you might remotely want to use for business.
There you have it. Read the article and surf carefully. It's a dangerous place out there!

Wednesday, May 19, 2010

PCI is Required - Even if Your Bank Doesn't Call You

One of the complaints I hear regularly from schools it that they have not had much contact with their acquirer or processor about PCI. In some cases, when they tried to talk to the acquirer they were either unable to get hold of someone in the Compliance area or their calls went unanswered.

While that may describe your situation, you don't get a free pass on PCI. To make this point, let me suggest you read this article in Forbes. The author also makes some excellent points about how you can lie on your SAQ, but you are really only fooling yourself. This gets back to the Validation-does-not-equal-Compliance argument I have made too many times already.

There are some great quotes from Anton Chuvakin and Martin McKeay, both of whom are PCI and security experts as well as friends.

Next time someone asks you about whether you think it's worthwhile complying with PCI, point them to this article.

Thursday, May 13, 2010

PCI Council Releases New PCI PTS Today

The PCI Council today released the new version of its PIN Transaction Security (PTS). This new version 3.0 streamlines requirements for manufacturers. There is a good overview in Dark Reading, so I won't repeat it all here.

As merchants, the big thing for you to know about this is that if you are replacing or upgrading your PIN devices, you need to go to the PCI Council website and look at the list of approved devices. Many of the requirements in v3.0 won't be effective for about a year, but that doesn't mean you should buy PIN pads or kiosks that accept PIN-based debit or anything that takes a PIN that isn't on this list.

Friday, May 7, 2010

PCI Workshop #7 Is Over

This week saw the Treasury Institute's seventh PCI Workshop in Indianapolis. We had about 140 attendees representing over 80 institutions nationwide. The agenda covered a good range of business and IT topics of current interest. Highlights included the great Higher Ed speakers who devoted the time and energy to share their experiences with PCI with the audience.

Two other highlights were our keynote speakers, Anton Chuvakin and Bob Russo. You can read Anton's take on the workshop (hint: he found it an education, too!) here and even download his best PCI presentation ever. BTW, if you download it, you might not want to share the 'kitten bit' slide (see his post script) with your children... Bob's always dynamic and informative presentation covered developments at the PCI Council including some general ideas, but nothing on the revisions to PCI in October. (Note: Bob made me promise not to blog about anything he said, so I am not going to get in trouble with him...again...)

Our expert panel -- which included both Anton and Bob plus Don Roeber of Fifth Third Processing Solutions and Marco Mabante of Elavon -- was outstanding. They answered questions on PCI scoping, hotel compliance, tokenization and end-to-end encryption, SAQs, and a whole host of specific attendee questions.

Congratulations to Dennis Reedy and the Treasury Institute for a great workshop. If you missed it, mark your calendars for early May next year when we'll do it all again but with a completely different program, as usual.

I don't know about the rest of the attendees, but I'm pooped. So I found the perfect way to relax and recharge: I'm running the 500 Festival half-marathon tomorrow (Saturday). Wish me luck!