Unintended Consequences

Cell Phone as Scanner + 3D printers = End of Keyed Security?

"KeyMe says it will even duplicate keys marked “do not duplicate,” including some high-security keys sold by Medeco, Mul-T-lock and Schlage."

Not sure I can valet park ever again.

#security #3dprinters



The App I Used to Break Into My Neighbor’s Home | Threat Level | WIRED
Leave your ring of cut-brass secrets unattended on your desk at work, at a bar table while you buy another round, or in a hotel room, and any stranger—or friend—can upload your keys to their online collection.


Breached

Anonymous has allegedly been using an Adobe ColdFusion vulnerability to compromise US government agencies on a large scale, gathering large amounts of data.

#security

Exclusive: FBI warns of U.S. government breaches by Anonymous hackers
By Jim Finkle and Joseph Menn. BOSTON/SAN FRANCISCO (Reuters) – Activist hackers linked to the collective known as Anonymous have secretly accessed U.S. government computers in multiple agencies and stolen sensitive information in a campaign that began almost a year ago, the FBI warned this week …

The Hayes Command Set

Inherent trust by baseband processors of over the air command instructions. What could possibly go wrong?

It's kind of a sobering thought that mobile communications, the cornerstone of the modern world in both developed and developing regions, pivots around software that is of dubious quality, poorly understood, entirely proprietary, and wholly insecure by design.

#security



The second operating system hiding in every mobile phone
OSNews is Exploring the Future of Computing with news on desktop, server, mobile, and specialty operating systems and new computing technology.


Time to Step Up your Security Practices

The United States Secret Service, working in collaboration with Verizon, recently released a report [PDF] investigating cybercrimes which reveals that data breaches of electronic records last year involved external agents 70% of the time, insider agents 48% of the time, that 11% of the events implicated business partners, and that 27% involved multiple parties.  The good news was that the overall number of data breaches was down from the previous year.  While we are making progress, this report should serve as a call to all businesses to step up their security practices, as the report shows that organized crime was responsible for 85% of all of the data stolen last year, and they are not going to simply give up and go away.

An important step that any business conducting electronic transactions needs to take is to make sure they are PCI DSS compliant.  Recently MegaPath took the step to become a PCI Security Standards Council Participating Organization, so that we are in a better position to be able to assist our customers with meeting the core elements of the standard.  Step one is to Build and Maintain a Secure Network so that your business can Protect Cardholder Data. Your business also needs to Maintain a Vulnerability Management Program and Implement Strong Access Control Measures.  Regularly Monitoring and Testing Networks is an important part of the continuous security process, and Maintaining an Information Security Policy is a best practice your business needs to implement to achieve its security goals.

PCI DSS 2.0 is nearing release, which also makes this an important time to review your current practices.  Computerworld has an article talking about what is included in the new standard, as well as what is not, and InformationWeek has a recent blog post with some ideas on how you can maintain compliance while keeping costs under control.

As always, MegaPath is ready to secure your network with our Managed Security Solutions.  As a PCI Compliant Network, and a Participating Member of the PCI Security Standards Council, we continue to be in a leading position to help your business achieve compliance. In addition, the MegaPath Payment Processor Extranet service is ready and able to provide quick, reliable connectivity to top credit, debit, gift and private label card payment and check payment processors through our fully redundant network connections.  And as always, our NOC offers proactive 24×7 monitoring and support on these services, so you can have the peace of mind from knowing experts are managing your security and communications, allowing you to focus on your business.

Posted on the MegaPath Connectivity Blog as “Now is the Time to Step Up your Security Practices”.

Be Ready for PCI Changes Coming July 1

Just a friendly reminder to those who process credit card transactions that July 1 is a key date, in terms of security compliance.  On this date all North American merchants who process transactions must be making use of Payment Application Data Security Standard (PA-DSS) verified payment applications, in support of the Payment Card Industry Data Security Standard (PCI DSS).  A payment application is anything that processes a credit card transaction.  For example, the machine that swipes a credit card in a gas pump and the point of sale (POS) device at a convenience store counter are both considered payment applications, and need to be certified.  Failure to use verified devices could result in penalties.

Also, as this post over at NetworkWorld points out, all PCI DSS compliant businesses that are processing credit cards need to make sure that none of their Wi-Fi networks are using WEP (Wired Equivalent Privacy) to secure their access points after June 30, 2010.  Current access points offer WPA or WPA2 (Wi-Fi Protected Access) as a security protocol; however, if you have older access points in your network, you need to make sure they are not using the deprecated WEP protocol, as it is not secure.  Leaving such access points in place would jeopardize the PCI DSS standing of a merchant.

One last bit of PCI DSS news this month concerns the cycle at which updates to the PCI DSS standard will be published by the PCI Security Standards Council.  It was announced earlier this week that it will move to a three-year cycle when updating the technical standards for protecting payment card information. This new schedule will give merchants more time to adopt the changes, which has been a common request.

If you have questions about how to make sure your network is up to the task of providing compliant data security measures to safeguard your business and protect customer data, give us a call.  We’re ready to assist you with PCI DSS issues, and connect you to our PCI DSS approved payment processor extranet, which will ensure your business is using a secure network that is ready to protect the transactions your business relies on.

Posted on the MegaPath Connectivity Blog.

Credit Card Security Is Serious Business

Yesterday Janet Wong published an article on our blog about how a lack of security compliance can be costly to your business. Fewer than 24 hours later, VentureBeat reported how a certain Google search revealed the credit card numbers of some Blippy users. (Blippy is a social shopping site that describes itself as ‘a fun and easy way to see and discuss what everyone is buying’). The most recent post I’ve seen on VentureBeat asks if this incident will damage their business.

Philip Kaplan, one of the cofounders of Blippy (who some may remember as Pud at F——dcompany.com), has posted his response to the situation on Blippy’s blog. Blippy reports they worked with Google to remove the search results in about 2 hours time. It is also interesting to note that Blippy includes a special section entitled ‘Security’ on their Privacy Policy page.

All of this makes Janet’s post very timely, and I encourage you all to read it. To note that protecting the private data that customers (or in this case site users) entrust to your business is critically important almost seems like a given. While the saying goes ‘there’s no such thing as bad publicity’, in a case like this, I doubt it will hold true.

Posted on the MegaPath Connectivity Blog.

10 Topics for 2010

With the end of the year coming up fast, it seems like it is a good time to take a look at what 2010 has in store for us. Several trends in business connectivity have developed over the last year, and will continue to further evolve in 2010. Here is a list of 10 topics you should take into consideration as you do your planning for next year.

SIP Trunking – VoIP really exploded this year, due both to the increased functionality and the cost savings it offered to so many companies. In 2010, combining SIP trunking with MPLS and security is going to really take off.

Managed Security – Everyone knows that security is vital in today’s business climate. In fact, in many instances it is mandated. More SMBs and small enterprises, who don’t necessarily have dedicated IT staff, will be outsourcing this function to a partner whose 24/7/365 NOCs will monitor and ensure that communications integrity is maintained.

Extended Workforce – Several events over the last year, including the H1N1 flu pandemic and various disasters, highlighted the need for the workforce to be able to access corporate communications from their home offices. Telecommuting will see large scale adoption in 2010. Make sure you work with a partner who can reach your team wherever they are, and with DSL, Cable, Satellite and Wireless options.

Enterprise Social Networking – Facebook and Twitter exploded in 2009, and the communication capabilities they offer will invade the workplace in 2010. Look for various offerings in both internal and cross-company social networking in 2010, and make sure your network has the security and connectivity necessary to meet the demands of these applications.

Cloud Computing – We’ve been hearing about this one for a while, but I expect 2010 will be the year many companies move to adopt this technology. With Google and Microsoft both prepared with web applications, and with many companies having broadband connectivity in place, it seems like this is the year this might all come together.

Business Ethernet – Ethernet has always been a simple, high speed bandwidth option used for the LAN. In 2010, we will see large scale adoption of Business Ethernet for the WAN by SMBs and Enterprises due to the new economics that allow you to leverage these large pipes for a low cost.

Enterprise Video – Telepresence, Video Conferencing, Video Surveillance and Video Training will all see a major push in the next year, as businesses leverage these technologies to save costs, increase revenues and keep their workforces up to speed. It is vital that your network partner be ready with QoS enabled across many bandwidth options so that you can be sure the video gets through loud and clear.

Extended Enterprise – People now work wherever they happen to be. In 2010, we will see more adoption by Enterprises of systems and policies that allow people to access anyone, from any location, on any device, at any time. Managed SSL VPNs will enable businesses to realize such a goal, while lowering costs and ensuring the security of sensitive data at all times.

Wireless Data – The application of wireless technologies to business communications will continue to grow. For years now, businesses have leveraged wireless voice applications to great success. In 2010, we will continue to see more deployment of data applications across wireless networks, both 3G and 4G. Wireless data technologies can enable rapid provisioning of communications to a store, offer an excellent option for backing up wireline communications, and can be used by your mobile workforce to access corporate data on devices such as Netbooks.

Payment Card Security – Securing credit card transactions will be the focus of a great deal of activity in 2010. The Payment Card Industry Data Security Standard (PCI DSS) will continue to evolve (PDF), and changes in areas like wireless networking will need to be implemented in 2010. All levels of merchants should be working with a PCI DSS Validated Service Provider (PDF) payment card extranet partner to make sure they are ready for the changes in the coming year.

Posted on the MegaPath Connectivity Blog as “10 Topics for 2010.”

Top 10 Managed Security Services

Internet Security issues have been getting a lot of press lately. Facebook, Twitter and LiveJournal have been the targets of recent attacks, and CNET points out that not keeping your security up to date could be part of what is enabling such activity. SMBs and Enterprises should take this time to review their security profile, and make sure they have considered these 10 managed security services. By working with a service provider that can offer managed services such as these, you know you have a team of professionals working 24/7 to mitigate and respond to any security threats.

  1. Managed Firewall: Detect and block suspicious network traffic
  2. Intrusion Prevention: Proactive protection against known and emerging threats
  3. Anti-Virus/Anti-Spyware: Comprehensive real-time network protection
  4. Spam Tracker: Detect and manage spam on end-user desktops
  5. Web Filtering: Manage employee Internet access with White list/Black list and content filtering
  6. Site-to-Site IPsec VPN: Securely share files, applications and resources among fewer than 5 locations
  7. Site-to-Site MPLS VPN: Securely share files, applications and resources among 5 or more locations
  8. Managed SSL VPN: Securely connect retail owners to their franchises, and workers to corporate applications in case of disaster
  9. Personal Protection Suite: Managed protection for your entire workforce
  10. Secure Payment Processing: Secure, PCI Compliant connectivity to credit, debit and gift card processors

Posted on the MegaPath Connectivity Blog as “Top 10 Managed Security Practices.”

Nevada Bets on PCI

Nevada has become the latest state to integrate the PCI specification into state law. Previously, Minnesota’s Plastic Card Security Act (PDF) had gotten the ball rolling by including part of the specification, but Nevada (PDF) has written the entire standard into its law.

Looks like a trend to me, and I won’t be surprised to see other states using the Nevada law as a basis for their own efforts into the area of fraud prevention.

If you’re doing credit card transactions and you’re not PCI compliant right now, I think that pretty soon you will be. We have a white paper (PDF) available on Payment Data Security which will help you in getting started in your PCI efforts.

Posted on the MegaPath Connectivity Blog as “Nevada Bets on PCI.”