You can't secure what you don't acknowledge.SM

Friday, August 15, 2008

Access to one card at a time isn't a bad thing?

I'm writing an article series that includes some information about PCI DSS. In my research, I noticed something interesting - almost comical - about Requirement 12.7:
Screen potential employees to minimize the risk of attacks from internal sources. For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.

So, "access to one card number at a time" won't put credit card data at risk? An employee with a shady history could gather quite a few credit card numbers day in and day out this way...

I know it's not realistic to screen every employee all the time - especially in high turnover jobs. Rather, I'm just pointing out how information security is not black and white and there are always loopholes and gotchas.

Thursday, August 14, 2008

But if knowledge relies on information, then...

I was thinking some more about the knowledge=power equation. To have knowledge we have to have information, right? But information is also a weakness in the context of the work we do, agreed?

So, does weakness=power? I don't know for sure...Having trouble wrapping my head around this. I never really did all that well in Algebra anyway. ;) back to work.

Knowledge is power but...

I came across this quote that applies to what we do in information security:
"Knowledge is power, but enthusiasm pulls the switch" - Ivern Ball

It applies to our careers and how successful we are....Knowledge is really the easy part.

It also applies to how well we manage risks...It's all a matter of choice.

Wednesday, August 13, 2008

Very clever way of recovering passwords from MD5 hashes

In his infinite wisdom, Vladimir Katalov with Elcomsoft has developed tool called MD5 Password Cracker that uses the computing power of NVIDIA graphics cards to recover passwords from MD5 hashes. Very cool. And it's free.

According to Elcomsoft, for comparison, this type of cracking on a 2.2 GHz Intel Core 2 Duo E4500 processor only yields about 30 million passwords per second and around 70 million per second on Intel Core 2 Quad Q6600 using all four cores. Using the NVIDIA graphics processor: up to 608 million passwords per second!

This is big folks...Check it out. Now if Vladimir can just come up with a reliable tool for cracking Web application and database passwords we'd be set.

Monday, August 11, 2008

Good recap of Black Hat Briefings

My colleague Mike Rothman over at SecurityIncite (great blog with lots of good stuff) has a couple of posts recapping the Black Hat show from last week...I was going to go until I realized it conflicted with some family stuff...anyway, good reads:

Black Hat 2008 Day 1: We're Screwed!
Black Hat 2008 Day 2: Web 2.0 mayhem

Back in action....

Had to take a mini-sabbatical to handle some cool things at home...hence the disconnection over the past 3 weeks.

Anyway, I'm back in action with lots of new ideas and content....AND, I'm working on my next Security On Wheels audio program - due out soon!