Wednesday, July 28, 2010

Facebook directory listing

Ron Bowes sent the following on the SANS mailing list yesterday.

"Hey everybody,

I spent some time recently spidering Facebook to get every person's name who has an account and is searchable. I released the data from phase 1 of that project today, and thought I'd share:
http://www.skullsecurity.org/blog/?p=887"



Basically, if you are looking for a directory listing of all Facebook users, similar to a phone directory, head over to http://www.facebook.com/directory/. Some of the other interesting and publicly available searches are:


http://graph.facebook.com/. Replace the ID with any digit above 4


Sunday, July 25, 2010

Top 5 Threats for Banking Institutions

If you work for a banking institution or provide services to the banking industry and are wondering what the biggest threats you need to look out for are, here is the list. According to the FDIC, the US bank deposit insurance organization, the top 5 threats are:


  1. Malware and Botnets
  2. Phishing
  3. Data Breaches
  4. Counterfeit Checks
  5. Mortgage Fraud

Tuesday, July 20, 2010

Microsoft 0-day Malformed Shortcut (.lnk file) Vulnerability

This may not be breaking news for many. Brian Krebs posted this on his blog last Thursday; Microsoft published the advisory last Friday and followed it up with an update on Tuesday, in which they state:


Microsoft is currently working to develop a security update for Windows to address this vulnerability.


This post is not about the vulnerability itself but about an interesting observation from the Microsoft announcement. As you can see below, Windows XP SP2 has been omitted from the list of affected software. This may not be a surprise, as support for XP SP2 ended on July 13.



It will be interesting to see whether Microsoft releases a patch for XP SP2, given that the vulnerability announcement and the support end date were so close together and that this is a critical vulnerability.

As for mitigating this specific vulnerability in large organizations, I recommend software restriction policies (SRP); Didier has an interesting article on this topic here. More information on SRP is available here.





Saturday, July 17, 2010

PCI updates

VISA issued two "best practice" documents:

  • Tokenization best practice. I touched on this topic here while discussing the new version of PCI; in this document VISA gives broader requirements for tokenization.


  • The second document, PAN truncation best practice, is a clarification of the requirements for merchants that store the card number for things like chargebacks and refunds. The National Retail Federation discussed this in detail in their review here.

Here is an excellent guide that provides simple and quick information security steps for small to mid-size merchants that accept credit and/or debit cards as a form of payment. It covers topics such as:

  • Laws and Mandates Governing Securing Customer Data
  • Securing Customer Data
  • What are five minimum security actions a small business should implement?
  • Information Security "Do's" and "Don'ts"

You can download the document here.

Friday, July 9, 2010

DSCI Best Practices Meet 2010 - 28 July 2010 Bangalore

India-based readers may be familiar with DSCI; if not, it is an arm of NASSCOM involved in developing best practices for data security and data privacy in India.

This meet will focus on addressing security challenges, which are becoming more complex in the wake of evolving threat scenarios and increasingly stringent compliance regulations. How should the security organization respond as organizational boundaries disappear, and how should it structure itself to respond effectively? It will also give attendees an opportunity to interact with leaders in security and understand the practices that are evolving to address specific challenges, and to deliberate on the different approaches being adopted while implementing technologies or establishing processes. We expect the meet to be attended by over 250 participants from diverse industry verticals.

More information and registration details are available here.