Friday, December 18, 2009

MasterCard SDP Program Changes

MasterCard announced new SDP Program changes to drive consistency and quality of Merchant QSA Training in the December 15, 2009 Global Security Bulletin. The main change is that, from 30 June 2011, Level 1 merchants that choose to conduct their annual onsite assessment using an internal auditor must ensure that the primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue using internal auditors.
For more detailed information, please refer to http://www.mastercard.com/us/sdp/merchants/merchant_levels.html

Sunday, December 13, 2009

Backtrack Applications for Your Ubuntu

This post is for those among us who use Ubuntu as their main operating system and would like to install their favourite forensic and/or information security tools.
First step is to create a .list file for the Backtrack repository:
echo "deb http://repo.offensive-security.com/dist/bt4 binary/" | sudo tee /etc/apt/sources.list.d/backtrack.list
(A plain sudo echo ... > file does not work here: the redirection is performed by your unprivileged shell, not by sudo, so writing into /etc/apt fails with permission denied.)
Then, we need to download and import the GPG key:
wget http://repo.offensive-security.com/dist/bt4/binary/public-key && sudo apt-key add public-key
Finally, update the sources:
sudo apt-get update
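The same three steps as a small POSIX shell script, added here as an example and not part of the original post: it writes the .list file through tee instead of a redirected sudo echo, refuses to hand anything to apt-key that does not look like an armoured PGP public key, and prints the key fingerprint so it can be compared with an out-of-band copy. The repository and key URLs are the ones from the post; the script name backtrack-repo.sh is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post: the same three steps, but
# the .list file is written through tee ("sudo echo ... > file" redirects as
# the unprivileged user and fails), and the downloaded key must look like an
# ASCII-armoured public key block before apt-key sees it.
set -eu

BT4_REPO_URL="http://repo.offensive-security.com/dist/bt4"      # from the post
BT4_KEY_URL="$BT4_REPO_URL/binary/public-key"                   # from the post

# The exact entry that belongs in the .list file.
bt4_sources_line() {
    printf 'deb %s binary/\n' "$BT4_REPO_URL"
}

# Write the entry to $1 (default: apt's sources.list.d). Idempotent: an
# existing identical file is left alone; sudo is used only when needed.
write_sources_list() {
    target="${1:-/etc/apt/sources.list.d/backtrack.list}"
    if [ -f "$target" ] && [ "$(cat "$target")" = "$(bt4_sources_line)" ]; then
        return 0
    fi
    if [ -w "$(dirname "$target")" ]; then
        bt4_sources_line > "$target"
    else
        bt4_sources_line | sudo tee "$target" > /dev/null
    fi
}

# Succeed only if $1 is non-empty and starts with an armoured public key
# block, so a 404 page or captive-portal HTML is never added as a trusted key.
looks_like_armored_key() {
    [ -s "$1" ] && head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'
}

install_backtrack_repo() {
    write_sources_list
    keyfile="$(mktemp)"
    wget -q -O "$keyfile" "$BT4_KEY_URL"
    if ! looks_like_armored_key "$keyfile"; then
        echo "downloaded file is not a PGP public key; not trusting it" >&2
        rm -f "$keyfile"; return 1
    fi
    gpg --with-fingerprint "$keyfile" || true   # show fingerprint for comparison
    sudo apt-key add "$keyfile"
    rm -f "$keyfile"
    sudo apt-get update
}

# Only runs the network steps when invoked as: sh backtrack-repo.sh install
if [ "${1:-}" = "install" ]; then install_backtrack_repo; fi
```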
Just keep in mind Backtrack is Backtrack and Ubuntu is Ubuntu. Don't try to make Backtrack out of Ubuntu.

Monday, December 7, 2009

SHODAN - Computer Search Engine

SHODAN is a search engine that allows you to find servers/routers/etc. It scans the Internet and indexes the headers that come back. What this means is that instead of finding an exploit that works on a target system, you can grab any exploit and then find a system vulnerable to it.

To demonstrate, let us find an FTP server in China with anonymous access. To do that, I typed FTP port:21 country:CN. In response, SHODAN gives a list of systems matching the criteria:



Running an FTP command with an IP address from the list confirms that the server exists:



Please remember that it is illegal (in most countries) to scan and/or fingerprint a system without proper authorisation from the owner. Considering SHODAN's capabilities, one should consider the ethical aspects of this kind of "cloud hacking".

URL: http://shodan.surtri.com/

Friday, December 4, 2009

PCI SSC "Ask the Council" Webinar

This session will offer a brief update on PCI SSC initiatives, followed by a live Q&A session with opportunities to address Bob Russo, PCI SSC General Manager, and other members of the PCI SSC team. The updates will cover:
  • Community Meeting outcomes
  • Next steps in the lifecycle process
  • Recently published Council resources
Questions may also be submitted in advance through the online registration tool.

To register for the Tuesday, December 8, 2009 session, please use the following link:
http://register.webcastgroup.com/l3/?wid=0801208094997
To register for the Wednesday, December 9, 2009 session, please use the following link: http://register.webcastgroup.com/l3/?wid=0801209094998

The webinars will be recorded and available for download on the Participating Organization’s area of the Council’s Web site for those Participating Organizations who cannot attend any of the sessions.

For more information, please refer to https://www.pcisecuritystandards.org/pdfs/pr_091130_open_mic.pdf