PKF AvantEdge

Page 29 of 40

PCI v3.1 is out and so is SSL!

April 21, 2015 / / 0 Comments

ssl-farewell

On 15th April, PCI became 3.1 versions old.

The ‘dot’ 1 from the version 3 that was just released around a year ago seeks to address the myriad of issues stemming from the old and dignified SSL protocol.

Ah, SSL. How I will miss thee. SSL itself had undergone its own transformation from a little protocol used by a little firm called Netscape to be one of the most used transmission protocol in the history of the entire universe. OK, that’s a little overstating it, but this is like the god father of Transmission Protocols. It’s like Don Vito’s father’s father. I will probably write another Ode to this wonderful protocol in another article, but suffice to say, SSL is no longer allowed in PCI. If Heartbleed hurt the protocol, POODLE killed it.

A lot of systems support both SSL 3.0 and TLS 1.0 in their default configuration. Newer software may support SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. In these cases the software simply needs to be reconfigured. Extremely older software, dated back to the days when the T-Rex was still alive, may only support SSL 2.0 and SSL 3.0. This is an extremely rare sighting, and is often considered on par as the sighting of the Yeti himself.

On a more serious note, anyone still on SSL, even version 3.0 should consider migrating now to more secured protocols, such as TLS1.2. Like WEP, SSL and early versions of TLS will no longer be acceptable by PCI-DSS. The changes are requirement 2.2.3, 2.3 and 4.1. Current reviews for PCI will no longer accept these protocols. Passed certifications will be given a grace period until June 30th 2016 to change these protocols. Just use TLS1.2 and above (I know, you argue TLS1.1 is still secured, and it is, and it still can be used, so if you are using 1.1, then stick with it, else, might as well upgrade to 1.2)

OK, goodbye SSL and thanks for all the fish!

PCI-DSS V3.0 Training

March 27, 2015 / / 0 Comments

PCI

We had our first PCI-DSS V3.0 training, with a total of 15 participants from various industries ranging from Oil and Gas, Payment (of course) and service organisations participating. It was held in our Training area in PKF HQ at the penthouse floor of 1 Mont Kiara.

We spent the day covering various topics, from the basics of PCI-DSS, its history, history of breaches, a deep dive into the 12 requiremens, V3.0 differences and changes and more importantly, implementation scenarios. SAQs (Self Assessment Questionnaires), a constant source of consternation amongst our clients were also covered in detail, and examples of which industry or business model would fit which SAQ was given.

The final part was probably the most fun. We went through scenario by scenario and broke down the attack and defence scenarios of the Target Retail Breach in 2013.

Thank you, all participants for making the training interesting and fun, especially not an easy task given the dryness of PCI requirements – specifically after a heavy lunch.

Additional training materials for V3.0 is found at this link.

FREAK Vulnerability on Windows

March 7, 2015 / / 0 Comments

freak

As we do our penetration testing, we have to continue to get updated on some of the latest issues affecting systems out there. SSL seems to get the mother of all shares of vulnerability, with Heartbleed and then POODLE, and now, FREAK.

FREAK is found in detail at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204, which is basically a MiTM attack exploiting weak 512-bit keys. It affects OpenSSL, and upgrading to v1.0.2 fixes the flaw.

Basically, if you have weak cipher suites supported or SSL/TLS RSA-Export less than 512-bits, then get rid of it.

Resolution: We have always advocated to remove weak ciphers. Nobody really understood why, but now there is a vulnerability to include in our report.

If you need some assistance in vulnerability assessment, penetration testing or security audit to cover FREAK and other vulnerabilities, drop us an email at avantedge@pkfmalaysia.com and we’ll get a team to you.

A writeup on the recent FREAK vulnerability.

Hundreds of millions of Windows PC users are vulnerable to attacks exploiting the recently uncovered “Freak” security vulnerability, which was initially believed to only threaten mobile devices and Mac computers, Microsoft Corp warned.

News of the vulnerability surfaced on Tuesday when a group of nine security experts disclosed that ubiquitous Internet encryption technology could make devices running Apple Inc’s iOS and Mac operating systems, along with Google Inc’s Android browser vulnerable to cyber attacks.

Microsoft released a security advisory on Thursday warning customers that their PCs were also vulnerable to the “Freak” vulnerability.

The weakness could allow attacks on PCs that connect with Web servers configured to use encryption technology intentionally weakened to comply with U.S. government regulations banning exports of the strongest encryption.

If hackers are successful, they could spy on communications as well as infect PCs with malicious software, the researchers who uncovered the threat said on Tuesday.

The Washington Post on Tuesday reported that whitehouse.gov and fbi.gov were among the sites vulnerable to these attacks, but that the government had secured them. (wapo.st/18KaxIA)

Security experts said the vulnerability was relatively difficult to exploit because hackers would need to use hours of computer time to crack the encryption before launching an attack.

“I don’t think this is a terribly big issue, but only because you have to have many ducks in a row,” said Ivan Ristic, director of engineering for cybersecurity firm Qualys Inc.

That includes finding a vulnerable web server, breaking the key, finding a vulnerable PC or mobile device, then gaining access to that device.

Microsoft advised system administrators to employ a workaround to disable settings on Windows servers that allow use of the weaker encryption. It said it was investigating the threat and had not yet developed a security update that would automatically protect Windows PC users from the threat.

Apple said it had developed a software update to address the vulnerability, which would be pushed out to customers next week.

Google said it had also developed a patch, which it provided to partners that make and distribute Android devices.

“Freak” stands for Factoring RSA-EXPORT Keys.

– Source from Reuters

PKF Avant Edge is now HRDF certified training company

March 2, 2015 / / 0 Comments

hrdf

We are now a HRDF certified training company.

We have several training that is SBL claimable that includes training materials and certificate of attendance:

1) PCI-DSS Foundation Training (PCIP Led, QSA developed materials), certificate of training from PKF and our vendor QSA Control Case International

2) PCI-DSS Implementor Training (PCIP Led, QSA developed materials), certificate of training from PKF and joint QSA vendor Control Case International

3) GST Malaysia Training (Led by RMCD Certified Trainer)

3) Introduction to Technology Audit (Led by Certified Auditor and Certified Information Security Professional – CISA,CISSP)

5) Project Management Level 1: Foundations (Led by Project Management Professional Certified)

6) Project Management Level 2: Advance (Led by Project Management Professional Certified)

7) Personal Data Protection Act Training (Led by Certified Auditor and Certified Information Security Professional)

Stay tuned for more details. Our training site has been updated at http://www.pkfavantedge.com/training-programs/

If you need more information, please send your enquiries to training@pkfmalaysia.com.

MSC status for Rakuten Malaysia

February 25, 2015 / / 0 Comments

rakuten

Congratulations, Rakuten Malaysia for attaining your MSC Status!

One of our services is to provide consultancy and program management for MSC application and attainment. It helps that we have gone through the MSC status approval ourselves, but in general, any company intending for MSC needs to be aware that there is some work involved.

In general, you need to understand that you can do this on your own. There is no requirement whereby an independent third party is needed. That being said, in order to smoothen out the process, usually, someone who has gone through the process should be able to assist in a lot of areas. We are pretty flexible in how we work with our clients. For some, our involvement is very heavy, from writing business cases to financial projections etc. For others, we basically advise and manage the communications between MDEC and the company – which is less hectic, but more work for the client. Mostly, our clients come to us because they want MSC due to the tax breaks, and they have better things to do than to go back and forth with MDEC to iron out the business plan and stuff. For us, this IS our ‘better thing to do’, so you get a complete focus and a guarantee success fee attached to our quote.

Once you have decided to go for MSC, we will sit with you to decide on which is the best sector to go in for. Infotech, Creative Multimedia, Global Outsourcing, with each breaking up into subsets of their own. It’s easier said than done actually, because (strangely) sometimes the MSC activities might not be your core focus activities. For instance if you are a reseller, then trading cannot be part of your activities. If you are training, you cannot put that into your activities. However, if you have a branch out R&D or software development, you could technically park those as MSC.

After the decision, we fill in a pre-application form, then follow up with the business analyst. Not all BAs are created equal. We know because we have dealt with a whole train of them. Some are better than others – and we generally jostle to get the better ones for our client.

From there the bulk of the work is in defining the business and financial plan. There is more work than meets the eye here, because there will be a lot of back and forth with the BA before he/she is comfortable to present it. You generally will face some issues – we have faced more than our share – and having a good BA and a good rapport with MDEC is key to get things done here, both of which we will attain.

Once the BA is more or less ready – in general you are fine. However, like in this case, there were still a lot of clarifications to be done. I had to meet with the strategists and head of programs for MDEC in order to push our approval through, in terms of explaining to them our viewpoint. Where MDEC needs to improve is in how they view different business models and revenue models, especially in dynamic environments like cloud applications and such.

Overall, we give up to 75% of our fees as success based (means, no payment until certification). In some special cases, it’s even 100%, means there is no outlay (except for the RM2000 application fee direct to MDEC), until you get your cert.

If you need more information, feel free to contact us at avantedge@pkfmalaysia.com.

« Older posts Newer posts »

© 2024 PKF AvantEdge

Up ↑