The Black Hat 2012 security conference starts next week in Las Vegas. I am going to both Black Hat and Def Con. It looks like Black Hat is extremely popular this year: a regular room in the Caesars Palace hotel, where the conference takes place, costs $900 (normally it is around $100)!
Interesting analysis of the most frequently used passwords, courtesy of the recent Yahoo security breach:

"• 2,295: The number of times a sequential list of numbers was used, with "123456" by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.
• 160: The number of times "111111" is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative "000000" is used 71 times.
• 780: The number of times "password" was used as the password. Apparently, absolutely no thought went into security in these instances."

The question is: why did the Yahoo software allow such passwords to be set in the first place? BTW, have you changed your Yahoo password after the breach?

I just returned from the 2-day PCI ISA training in Florida. The environment in Orlando (sun, close proximity to Disney, pools, and bikinis) does not help one concentrate on studying such a topic. And the exam... Of course you cannot compare it to something like the CISSP, but still, it requires some effort to pass (I don't know the results yet though). Anyway, it was a good experience, observing the QSA program from the inside (basically, the ISA is the same as the QSA but without the ability to work as a QSA). Now I understand even better the reason for the ambiguous definitions and weird interpretations of PCI.

The PCI DSS consists of 12 main requirements. In order to validate each of the 12 requirements during the audit, the QSA is provided with Testing Procedures, which are listed in the same document. There are a total of 310 (!) testing procedures. The net duration of the training is about 10 hours, or 600 minutes (2 days minus the time for introduction, final exam, and breaks), which leaves the instructor with less than 2 minutes per testing procedure, including explanation, samples, questions, knowledge checks, etc.
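Returning to the Yahoo password analysis quoted above: the author asks why the software accepted such passwords at all. The following Python is an added example (not code from the original post) of a registration-time check that rejects exactly the three weak classes the analysis lists; the sample list is constructed for illustration, not data from the breach.

```python
from collections import Counter

# Rejection reasons, one per weak-password class named in the quoted analysis.
SEQUENTIAL = "sequential digits (possibly reversed or with a few letters added)"
REPEATED = "single repeated character"
DICTIONARY = "contains the word 'password'"

# Constructed samples covering each class plus one acceptable password.
SAMPLES = ["123456", "654321", "123456ab", "111111", "000000",
           "password", "Password1", "rT7#kq9!Lm2v"]


def _digits_sequential(digits):
    """True if 6+ digits step by exactly +1 or -1 (e.g. 123456 or 654321).
    Wrap-around runs such as 890123 are deliberately not counted."""
    if len(digits) < 6:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def weak_password_reason(pw):
    """Return the rejection reason for pw, or None if it passes these checks.
    Only the three classes from the quoted analysis are covered; a real policy
    would also enforce length and screen against breached-password lists."""
    if "password" in pw.lower():
        return DICTIONARY
    digits = "".join(ch for ch in pw if ch.isdigit())
    # Allow up to 3 non-digit characters: the "few letters added" variant.
    if _digits_sequential(digits) and len(pw) - len(digits) <= 3:
        return SEQUENTIAL
    if len(pw) >= 6 and len(set(pw)) == 1:
        return REPEATED
    return None


def tally_weak(passwords):
    """Count how many candidates fall into each weak class (mirrors the
    per-class counts in the quoted analysis). Acceptable passwords are skipped."""
    reasons = (weak_password_reason(pw) for pw in passwords)
    return dict(Counter(r for r in reasons if r is not None))


if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r}: {weak_password_reason(pw) or 'accepted'}")
    print(tally_weak(SAMPLES))
```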
Note: Information about the PCI DSS Requirements (including Testing Procedures) and QSA Training is publicly available, which allows one to calculate the numbers above without any "inside" knowledge.

Bruce Schneier's CRYPTO-GRAM Newsletter in Russian - now officially available on my website
6/13/2012

My translation of Bruce Schneier's CRYPTO-GRAM into Russian is now officially available - see the link on Bruce Schneier's website at the CRYPTO-GRAM page under Translations -> Russian -> 04/2012-

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC).

Interesting blog article about how Flame spreads. It demonstrates Flame's level of sophistication:
http://bit.ly/Kajttg

PayPal's 'pay by mobile' application does not use NFC. Instead, it generates and shows a code which can be read (or keyed in) by the cashier or a POS scanner. I suggested this technology 3 years ago. It was the wrong time and... the wrong place.

Video from PayPal: http://bit.ly/L3KGwE
Video with my solution: http://bit.ly/LgBvp6
iPhone app: http://bit.ly/JNvCUR
Android app: http://bit.ly/LU1DIl

A dual NFC/EMV debit MasterCard was introduced in South Africa. They claim this is the first card with combined NFC ("Tap & Go") and EMV ("Chip & Pin") functionality: http://bit.ly/Jsn5QY
Update: Questions about the new PCI QIR certification program which was just announced by the PCI Council
5/21/2012

Based on information received from the PCI Council, it turns out that payment application vendors do not necessarily have to go through the QIR program, which is designed primarily for third parties that do not have enough knowledge and experience with the PCI security standards.

Original post 05/13/2012: Questions about the new PCI QIR certification program which was just announced by the PCI Council

The second and last day of the conference was declared the "attack" day (yesterday was the "defense" day). I have not seen any breakthrough zero-day presentations though. I got more interesting facts from the "defense" day... Maybe that's why I am not a hacker?