Posts Tagged: security

Security News Roundup: The Demise Of The Human

With the US version of the RSA conference in full swing this week, we’re pleased to be able to present some signal despite the noise. It turns out that China is being hacked by the US. There, we said it. As they say, it takes two to tango, so we presume this comes as no great… Read more »

Logging & Top 20 Default Username Attempts

It’s true to say that default or weak passwords remain a significant cause of compromise and data loss for many organisations. For years, lists of default usernames and passwords have been widely available (and indeed are a useful resource for penetration testers as well as the less ethically motivated). Whilst it’s great to focus on… Read more »

ATM & E-Commerce Security Guidelines

A couple of new information supplements have been released by the PCI SSC, covering E-commerce and ATM PIN security. “PCI DSS E-commerce Guidelines” contains a nice summary of common E-commerce models, vulnerabilities and some recommendations too. From the intro: “This Information Supplement is intended for merchants who use or are considering the use of e-commerce technologies in… Read more »

8 Recurring Themes Within The PCI DSS

The PCI DSS is a security standard that embodies a number of underlying principles. What are these principles? As with all PCI compliance questions, the answers usually lie in understanding the intent behind the requirements of the standard. Although there are many individual requirements detailed within the PCI DSS, collectively they are based upon… Read more »

7 Security Warning Signals

2011 featured plenty of news about high-profile data loss and cybercriminal activity. And so did 2012. Any guesses for 2013? Some common causes emerge in all of these cases. Poorly managed infrastructure, insecure web applications, and a lack of attention to security procedures are often cited. But how do these conditions arise? How is it… Read more »

New: Mobile Payment Acceptance Guidelines

Fresh from the PCI SSC – Mobile Payment Acceptance Guidelines. These are guidelines on payment acceptance using smartphone apps, and will be interesting reading to many of our readers. Download from here.

Useful links:
https://www.ambersail.com/what-is-sequel-injection/
https://www.ambersail.com/pci-dss-penetration-test-policy/
https://www.ambersail.com/blocking-your-penetration-tester/
https://www.ambersail.com/gdpr-now-the-dust-has-settled/

ASV Reports: The BEAST Inside

Many of our ASV customers are seeing scan reports making reference to a “BEAST” attack susceptibility. But what is it, and more importantly, how can you fix it? The bad news is that our ASV scan report is informing you that the strong encryption on your “secure” web server could be rendered useless and your… Read more »

PCI DSS Vulnerability & Penetration Testing

As a standard that pays a lot of attention to practical activities, the PCI DSS includes a range of security testing requirements. We frequently see confusion about what needs to be tested, how and when. At the end of this post is a link to our short guide to all PCI DSS testing requirements. Some key… Read more »

The Cloud & PCI – Propagating Failure?

The cloud may be nebulous, but the security of your valuable data assets should be clearly defined. We’re all seeing a continued movement of services into the cloud, especially in the Infrastructure-as-a-Service (IaaS) arena. The security issues around cloud computing seem, to us at least, to be similar to the traditional issues – hardening,… Read more »

What Isn’t 2-Factor Authentication?

We’re often presented with environments where the PCI DSS mandates that two-factor authentication (2FA) is required. Sometimes, we see implementations that sound like 2FA, but aren’t. What is 2FA? Two-factor authentication is a generic term describing a system that strongly confirms the identity of the person trying to gain access. It does this by… Read more »