New Credit Card Handling Rules effective Jan 1, 2015

For those businesses that accept credit cards, here is a summary of changes to how you process and store client credit card information.   These rules went into effect January 1, 2015.  These points are important in maintaining compliance with new PCI rules.  Failing to follow these requirements at the least could cost you money and could even suspend or lose your ability to accept cards altogether.

2015 PCI Rules/Requirements Changes

 Requirement - Build and Maintain a Secure Network and Systems

• Install and maintain a perimeter firewall to protect cardholder data.
• Do not use vendor-supplied defaults for system passwords and other security settings

Requirement - Protect Cardholder Data

• Protect stored cardholder data in a secure manner, preferably in encrypted format when stored.
• Encrypt transmission of cardholder data across open, public networks

Requirement - Maintain a Vulnerability Management Program

• Protect all systems against malware and regularly update your
  anti-virus software.

Requirement - Implement Strong Access Control Measures

• Restrict access to cardholder data by business need to know.
• Identify and authenticate access to system components (no more shared user ID’s and passwords!).
• Restrict physical access to cardholder data.

Requirement - Regularly Monitor and Test Your Network

• Create an audit trail system to track and monitor all access to network resources and cardholder data.
• Regularly test your security systems and processes.

Requirement - Maintain an Information Security Policy

• Maintain a policy covering information security for all personnel and make sure all employees follow it.

Requirement - PCI Requirements for Shared Hosting Providers

• If you’re using a third party to process your credit card transaction, those shared hosting providers must protect the cardholder data environment and you should verify their compliance.

Remember also that there are new chip-based credit cards coming this year.  Some of the rules for handling them mean big changes for you too and some dovetail with these rules to shift the consequences for fraudulent use of credit cards to "the most in-secure" party in the transaction stream which could be you if you're not prepared.


Jeff Hoffman is Chief Security Zealot at ACT Network Solutions, a leading IT security provider in Illinois.  He can be reached at jhoffman@act4networks.com.  He is also the author of "Intruders At The Gate - Building an Effective Malware Defense System" which is available at Amazon.com.

New PCI Compliance Rules Effective Janiary 1 2015

Hi, we’ve changed the format of our Security Newsletter to provide a little more depth on specific Security Issues that are current and may impact your business.   We hope that you like the change.  This week we’re talking about the new Security and Reporting Requirement of PCI for those organizations that process credit/debit cards.  If you aren’t up-to-date on the recent PCI changes please read on . . .

PCI 3.0 Security and Reporting Requirements just got tougher!

Beginning January 1, 2015, the new Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0) went into effect.  It contains significant changes that will require businesses to do more to tighten credit card processing security, and many may not realize it.  The DSS 3.0 standard imposes increased security requirements for all organizations that process credit cards or use third parties to perform that function for them.  If you haven’t begun working on compliance with that standard, you should start immediately.

Here are several common misconceptions about PCI compliance and reporting:

1. Outsourcing card processing makes us compliant – Wrong!
   
   
   Outsourcing simplifies payment card processing but does not provide automatic compliance.  Both the process AND you must complete security assessments and file reports. 


2. PCI compliance is an IT project – Wrong again!
   
   
   PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of compromise are financial and reputational, so they affect the whole organization.  Some aspects of PCI compliance are technical but many more are procedural.  


3. We don’t take enough credit cards to be covered by PCI.  - Not So!
   
   
   PCI compliance is required for any business that accepts payment cards – even if it is just one, you must comply.

Frequently asked questions about PCI 3.0:

Can I transition my PA-DSS v2.0 application to v3.0?

All payment applications will need to undergo a full PA-DSS v3.0 assessment in order for it to be considered fully validated so the answer is no.

Am I still required to report even if I outsource my Credit Card Transactions?

In version 2.0 of the PCI DSS, if merchants fully outsourced their e-commerce payments, their web environment was out of scope for the standard – meaning they did not need to go through the compliance process for their e-commerce website.   However, under the PCI DSS 3.0, most merchants will be faced with more than one hundred security controls that include firewalls, vulnerability scanning, penetration testing and more.

Here are some of the KEY requirements of PCI 3.0 that are now in effect:

1. Merchants must Install and maintain a firewall configuration to protect cardholder data.


2. You must Encrypt transmission of cardholder data across open, public networks.


3. Restrict access to cardholder data by business need-to-know.


4. Assign a unique ID to each person with computer access (think Login ID’s and passwords)


5. Restrict physical access to cardholder data.


6. Track and monitor all access to network resources and cardholder data.


7. Regularly test your security systems and processes.


8. Maintain a policy that addresses information security.

Failure to meet these requirements may result in fines or termination of credit card processing privileges.

Another key consideration is responsibility when something goes wrong.  In the past, the credit card companies were likely to take the financial hit on a fraudulent transaction.  Now, that responsibility could fall directly to you if you haven’t maintained full compliance.

On April 15, 2015, the PCI Security Standards Council also released PCI DSS version 3.1. 

Here's what you need to know about this update:

PCI DSS 3.1 updates key requirements addressing insecure SSL and early TSL protocols:

• By June 30, 2016, merchants cannot use SSL and early TSL protocols as standalone security controls for payment data.  If you’re unsure if your web-site is using any of these protocols, you should contact your web author immediately and get ready to pull them out of your credit card processing system.


• Merchants should immediately cease using the SSL and/or early TSL protocols in any new implementations.

What then is the merchant to do?
-- First, have a good set of policies and well-documented business practices. Also encrypt or otherwise protect all of your credit card data (if the entire card number is stored).

-- Second, have those policies and practices reviewed on a periodic basis (annually at a minimum) by one or more experts in the field. These include law, privacy and security experts.

-- Finally, question yourself over retention. Is the risk and cost of retention worth the benefits of having the data on hand?

-- Some merchants have been entirely too lax when it comes to in-house security. 

-- If you’re one of those organizations that lets employees share Login ID and/or password, those days must come to an end or you could lose the rights to accept credit or debit cards in your business.

We hope that you find this information useful.  If all of this mystifies you, you’re not alone but you can call ACT for help with insuring that your business is compliant with these new standards.

If you have any security questions that you’d like answered, please send us an e-mail and we’ll include the answer in our next Security Round-up.

Thank,

Jeff and your friends at ACT.

ACT Security News For The Week of May 1st, 2015

ACT Security News For The Week of  May 1st, 2015
Beware of Word, Excel and Zip attachments from strangers

As malware writers get more clever, file types that were historically considered harmless are now being loaded with scripts and macros that can deliver potentially dangerous payloads using old standbys like Word and Excel files.  Malware writers embed their payloads within these documents to hide from A/V programs.  The same is true of ZIP files.  Hackers love to hide malware in .ZIP files because many Anti-Virus programs have difficulty deciphering data inside of these files. 
Open a “loaded” .DOC, .XLS or .ZIP file and out pops a rogue program!

How do you get infected by document-based malware?

 It can happen in a number of ways: The most obvious and avoidable way is when the questionable document is attached to a questionable email. A spam or phishing email with a subject line “Here’s that document that you requested” or something similar is easy to spot (though a surprising number of malware attacks

are successful in what should be obviously risky email messages).

 How about documents on a website?  Sure, these documents may seem safe to download but hackers are very adept at burying malicious files on otherwise legitimate web sites.  These are often tough for people to avoid.   What if the document is attached to the email from someone you know? And it really is “that document that you asked for”?  Some document-based malware has the ability to spread to other documents on an infected system.  Once there, any legitimate document a user sends to friends and colleagues  could end up spreading the malware.

Sometimes this type of malware uses embedded scripting to silently download and install other malware from sites on the Internet. Often these downloaded payloads take the form of some of the worst kinds of malware out there like rootkits that steal information from your system or botnets that make your system part of the malicious networks used to attack both companies and networks to continue the spread of malware and spam.

Other types of document-based malware hide malicious payloads within the document itself. These executables and programs get launched separately by the macros or scripts within the document and continue to spread the malware infection throughout the user’s system.

Document-based malware can also be used to steal identities or even prevent access to files and data. A recently discovered PDF-based attack was used as a form of “ransomware,” encrypting
a user’s files and sending a message requesting a payment in order for the user to access their files again.

How Can You Prevent Infection?

First and foremost is simply being aware of the threat and exercising caution with incoming documents.

Then, make sure all of your software is up-to-date, from your operating system to your document programs to your anti-virus and security tools.  To a large degree, many of the most common document-based malware types take advantage of un-patched security holes.

Dedicated security tools or anti-malware features of IDS/Firewalls can also go a long way toward stopping document malware before it hits your system and off-premises spam scrubbers can often detect and stop infected documents before they even reach your network.

Finally, in both Word and Adobe Reader, it is possible to turn off macros and scripts, or generate a notification before they can run.  While not a perfect solution, this can prevent many potential problem.

The “We need your help for Nepal” Scam

There has been a big up-tick in fraudulent spam solicitations since the earthquake.

 It is best to ignore these solicitation and instead make your contributions through more traditional sites like the Red Cross.
Using E-mail Encryption

A friend of ours recently shared an experience that one of his attorney colleagues recently had with unencrypted email.  The attorney was working with a title company on a home purchase for a client.  As closing approached, the title company sent him an email with an unencrypted attachment containing instructions on how to transfer funds to settle the Transaction.  Before the attorney could complete the transfer, he received a follow-up email that looked like it also came from the same person at the title company with a revised Attachment changing the destination account number for the funds transfer.  Yup, you guessed it!  The second email was a fake but they didn’t discover that until they arrived at the closing and were informed by the title company that the transfer of funds never arrived.

The rest of the story takes on a more familiar theme.  The redirected funds were deposited into a bank account owned by a little old lady who fell victim to the familiar Nigerian Prince scam where she was offered a “handling commission” if she would take delivery of the funds in her new account, keep a portion of the total and then transfer the balance to an off-shore bank account. 

The authorities had no trouble tracking the fraudulent transfer to the little old lady but not the real bad guys.  Guess who’s on the hook for the fraud?

Is there a moral to this story?  Yes, all communication containing confidential communications should be encrypted – both emails AND attachments.  There are quite a number of very inexpensive (or even FREE) options available to protect confidential information as it moves across the Internet.  There is plenty of blame to go around on this one.

Thanks,  Jeff

Latest Malware Threats as of April 9, 2015

ACT Security Alerts For The Week of April 9^th, 2015

This week was a busy one for fighting Malware and Ransomware here at the old Digital Sweatshop.  Two local businesses were seriously infected with malware and another dodged a bullet when our techs were able to abort an infection before it took root when the user called us before opening an attachment.  Socially engineered e-mail attacks similar to those we’ve listed below are proliferating and we strongly recommend that you stress security training in your staff training plans.  Also watch for our upcoming free webinar “Web Security for the Workplace” coming in May.  More details will be forthcoming in future Security Alerts.

Beware of malicious "Internal ONLY" emails

Hackers are trying to trick users into downloading malware by sending out fake emails impersonating domain administrators.  The email, with "Internal ONLY" in the subject line, prompts recipients to follow a link to an encrypted message:

Multi-platform AlienSpy RAT turns off you’re anti-virus and steals data

A new Java-based, multi-platform remote access Trojan (RAT) called AlienSpy is being used to target both consumers and enterprise users.  AlienSpy is a Java-based RAT (Remote Access Trojan).

AlienSpy is capable of collecting system information, uploading and executing additional malware and surreptitiously captures audio and video via the computer's webcam and microphone, steals passwords stored in browsers, performs keylogging and, of course, it allows attackers to access the infected computer remotely.

This malware is able to deactivate a number of AV and security tools, as well as to detect sandboxes. It actually uses encryption to mask it’s communication with the hackers C&C server.

AlienSpy is delivered via unsolicited emails notifying the recipients about payment and Swift details, order details, remittance errors, etc. The malware is in the attachment, which is usually an archive file (.zip or .jar).

New CryptVault ransomware "quarantines" files and downloads an info-stealer

If one malware threat in an email wasn’t bad enough, now hackers are hitting potential victims with a Twofer!  Trend Micro researchers have found a new version of crypto-ransomware.  It’s called CryptVault and encrypts files, makes them look like files quarantined by an AV solution, asks for a ransom and then downloads info-stealer malware as a bonus.

It arrives on targeted computers after the user is tricked into downloading and running a malicious attachment.  It targets popular file types, mostly document, image, and database files.

After encryption, the malware will display a ransom note when opened like this.

Researchers have reported  that it may use 16 overwrite passes to make sure that recovery tools will have a hard time trying to reconstruct the deleted file(s).

If that isn’t bad enough, the ransomware also downloads and executes Browser Password Dump, a hacking tool capable of extracting passwords stored by a number of popular web browsers, which are then sent to the C&C server controlled by the attackers.

Emerging Trends in the threat landscape

Security researchers report that hackers are dramatically expanding their use of ransomware variants in their exploits.  Here are some of the trends we’ve seen cyber-criminals use for their crypto-ransomware attacks:
More file types or extensions are being targeted, in order to cast a wider net of victims.

1. CryptoLocker’s notoriety continues to live on—most new crypto-ransomware use CryptoLocker name to heighten the threat of loss by drawing on the reputation of its predecessor.
   
2. Volume shadow copies are now being deleted to prevent file restoration. Shadow Copy is a Windows feature that takes manual and automatic copies of computer files and volumes. Deleting shadow copies places the victims at the mercy of the cybercriminals.
   
3. Crypto-ransomware has gone “freemium.” Decrypting a few files for free might convince victims that they can still recover their encrypted files.

Bitcoin is still the preferred mode of payment so that the threat actors could stay anonymous.

Security Evolution and Vigilance

These kinds of threat improvements are reasons why users should always be vigilant in protecting their devices and their files.

Safety awareness training can go a long way to reduce your vulnerability to these threats. For example, never open emails from unknown or unverified senders.   It sounds so obvious but users fall victim to the tricks these hackers use all the time!  Users can first check the reputation of websites before visiting them. When it comes to dealing with unknown or unverified emails, files, or websites, it’s better to err on the side of caution than risk infection. Lastly, we cannot stress the importance of using security solutions for devices, which can block all forms of threats.

Victims who find their files held ransom might be tempted to pay the fee in order to get their files. However, there is no guarantee that the cybercriminals will hold their end of the bargain. Users who pay the fee might just end up without any files or money.

Users can help prevent such instances by regularly backing up their systems and verifying that those backups work and periodically testing the restore function of those backups. The recommended rule for backup best practices is the “3-2-1” Rule: keep at least three copies of your data in two different formats, with one of those copies stored off-site.

Watch out for web sites that prompt you to download Adobe Flash Updates

A malware, detected as TROJ_VICEPASS.A, pretends to be an Adobe Flash update. Once executed, it attempts to connect to your router or firewall to search for connected devices. It tries to connect to the devices to get information. If successful, it will send the information to a command-and-control (C&C) server and deletes itself from the computer.

Never let an unknown web site “update” your Flash Player, Java, Acrobat or other utilities!  Always update those types of files by going directly to the publisher’s site for updates.

E-mail Spoofing Flaw Found on Google Apps Admin Console

Researchers have identified a security issue in the Google Apps Admin console that can be exploited to claim any domain and use it to send out spoofed emails.

Thanks,

Jeff Hoffman and your friends at ACT Network Solutions
Security, Data Protection and Network Management are our specialties
Delivering Innovative IT Solutions for over 26 years