Latest Security News
Secure Works: ZeuS Banking Trojan Report
PCI-SSC slaps ASVs wrists over marketing claims about 11.2 & 6.6
The PCI Security Standards Council's (PCI-SSC) recently published March Assessor Newsletter contains rather "interesting" language for certain Approved Scanning Vendors (ASVs). It is unclear what the penalty will be for firms who continue their misleading practices. For those curious, WhiteHat Security was once an ASV, but has not been for over a year -- largely because we already understood the following requirements. We actually do focus on 6.6 in the spirit in which it's supposed to be applied, while the others pay lip service and take customers for a ride.

ASV: I'm a lawyer so let me be your heart surgeon

Several ASVs have received notices recently surrounding the marketing of services they sell related to being qualified by the Council. While the PCI SSC does qualify each and every ASV to conduct external vulnerability scans to meet the external scan validation requirement for PCI DSS 11.2, it does not give any ASV license to sell their services for other security practices as an agent of the PCI Council.

Here are two examples that are unacceptable and violate the ASV's contract:

1. "As an ASV, our company has been certified by the PCI Council for you to achieve both Requirement 11.2 for vulnerability scanning and Requirement 6.6 for application scanning."

There are two issues with the above statement. First, and this is a common mistake, ASVs do not help merchants fully achieve DSS Requirement 11.2. The requirement requires both internal vulnerability scanning and external vulnerability scanning. The Council only qualifies ASVs to perform the second half of that statement. Although an ASV can separately offer internal vulnerability scanning services, internal vulnerability scanning is a) not required to be done by an ASV and b) not part of the ASV qualification process by the Council. We clarified this with a note in the 1.2 release of the PCI DSS, with possibly further clarity to come in October 2010. The second and more egregious issue is related to using a conjunction (YouTube "School House Rock" if you need a refresher on the function of a conjunction) to include another service completely unrelated to anything that has been validated by the PCI Council. In this case, there is no program to validate those who review adherence with Requirement 6.6, and the ASV lab testing is not an exhaustive process to endorse any solution as an exhaustive annual evaluation of the web application security.
WhiteHat Security is a leading provider of website security services.

Tweet Shellcode
As its name implies: shellcode to send a Twitter update.
The new disclosure debate and the evil Mr Moore
Sourcefire's Matthew Olney examines vendor response to security issues and highlights the value of exploit code as part of defending computer systems.
Guest Post on SecureThinking about Cyber Shockwave
BT asked me to write a guest post on their blog, so I provided a new Reaction to Cyber Shockwave. I hadn't really addressed one of the main reasons why I liked Cyber Shockwave, despite the LOL-worthy "technical" aspects of the "simulation," when I wrote my first Reaction to Cyber Shockwave.

Please check out the post if you'd like to read more about this. Thank you.
Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Rule release for today - March 17th, 2010
A maintenance release mostly, with lots of changes to rules and quite a few deletions. Two new rules added. Check out the changes here.

SecuraBit Episode 52: To catch a Mule with Krebs on Security!
Hosts:
Anthony Gartner – @anthonygartner
Christopher Mills – @thechrisam
Chris Gerling – @chrisgerling
Jason Mueller – @securabit_jay
Andrew Borel – @andrew_secbit

Guests:
Brian Krebs – @briankrebs - http://www.krebsonsecurity.com/

Links:
VRT Blog Post: http://vrt-sourcefire.blogspot.com/2010/03/apt-should-your-panties-be-in-bunch-and.html
Eric Chien, Symantec - Zeus, King of the Bots: http://www.noryak.net/papers/zeus.pdf

Chat with us on IRC at irc.freenode.net #securabit

Security vulnerability in SpamAssassin filter module
Attackers are attempting to take control of mail servers, in particular those running Postfix and SpamAssassin, by exploiting a security vulnerability in the SpamAssassin Milter plug-in.

Mozilla officially drops support for SeaMonkey 1.x
Mozilla has announced that it is officially discontinuing support for the 1.x branch of its SeaMonkey "all-in-one internet application suite", the successor to the old Netscape Communicator and Mozilla Application suites.

Malicious ads on email service lead to malware
If you haven't yet disabled JavaScript on your browsers, it's high time to do it. TrendLabs warns about malicious advertisements popping up for users visiting a popular Web-based email service, whi...