Friday, March 30, 2012

Visa and MasterCard confirm breach

News broke today that Visa and MasterCard announced that a processor of their credit cards had been breached and that allegedly more than 10 million credit card numbers have been stolen.  A couple of posts/articles that go into more depth are here:

Brian Krebs' KrebsOnSecurity
ZDNet's Zero Day
Sophos' Naked Security

While I had read the posts/articles earlier this morning, I just got "the call" from my credit card company this evening.  This has happened to me before, a long time ago when Egghead Software was breached (that had to be mid-90s, right?)  What a pain to have to go through the rigmarole again.

Allegedly, the processor is Global Payments.  It will be interesting to see if they are/were PCI compliant.  Further, it will be interesting to see if details of the breach emerge.

Global Payments has an announcement on their website.

What bothers me is that they determined that there was a breach in early March, took steps, yet announced today.  I would be interested in hearing what caused the delay.

Friday, March 23, 2012

DISA auditing of a SQL 2005 Express database

On my upcoming trip, I have to audit a SQL 2005 Express database and hold it accountable to the DISA SQL Server 2005 checklist.  I know that there are parts of the checklist that will be "Not Applicable" as Express just doesn't have all of the features that Server has.  My plan is to run the Microsoft SQL Server SRRs against the database, then connect and check as many of the manual checks as possible.

To connect to the database, I plan on using OSQL.  In this case, my command will be:

osql -E   - which will connect me to the database using Windows authentication (assuming that it is the default instance on the local machine.)

osql -E -S .\instancename     - I'll use this if they have changed the instance name (the server is given as computername\instancename, or .\instancename for the local machine.)

Upon connecting, I should be able to run any of the manual sql that is listed in the checklist in order to answer the controls.

(In an unclassified environment, I would bring along QueryExpress.exe and connect to the database that way to run queries.)
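The kind of manual check batch I would hand to osql once connected, as an added example that is not part of the original post or the DISA checklist itself.  The instance name SQLEXPRESS and the file names are assumptions; the queries are read-only and are representative of the controls the SQL Server 2005 checklist asks about, not a transcription of it.

```sql
-- Added example (not from the original post): save as stig_checks.sql and run with
--   osql -E -S .\SQLEXPRESS -i stig_checks.sql -o stig_results.txt
-- Instance name, file names and the set of checks are assumptions.
SET NOCOUNT ON;

-- Product version and edition: several checklist items depend on these,
-- and Express edition drives the "Not Applicable" findings.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('Edition')        AS edition;

-- Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Server options that should normally be off (value_in_use = 0).
SELECT name, value_in_use
  FROM sys.configurations
 WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled',
                'remote access', 'Ad Hoc Distributed Queries')
 ORDER BY name;

-- SQL logins: sa should be disabled or renamed; policy and expiration
-- enforcement should be on for any SQL-authenticated login that remains.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
  FROM sys.sql_logins
 ORDER BY name;

-- Members of the sysadmin fixed server role (least privilege review).
SELECT m.name AS member_name, m.type_desc
  FROM sys.server_role_members rm
  JOIN sys.server_principals r ON rm.role_principal_id   = r.principal_id
  JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
 WHERE r.name = 'sysadmin'
 ORDER BY m.name;
GO
```

The -o option writes the result set to a file so the evidence can be attached to the audit findings; each query maps to one or more manual checks rather than answering a control by itself.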

Thursday, March 22, 2012

A great messenger bag idea

Just recently, I had been thinking of switching from a backpack to a messenger bag for carrying all of my tech gear.  Don't get me wrong, my backpack has served me well over the years; in and out of airports, all over the U.S. It's a Swiss Gear Synergy, and I truly love it.  However, I'm not afraid to admit, it's a little large; it holds all of my stuff, with quite a bit of room to spare.  A couple of weeks ago I saw a neat messenger bag, and it got me to thinking.  The bag I saw wasn't too big, yet still seemed to have a lot of space to carry plenty of gear.  As I am frequently on a plane, I was looking for something that fits under the seat nicely, something my backpack does occasionally (depends on the plane.)

Yesterday, while reading Phandroid, I saw a review for a Powerbag.  While they make backpacks and slings, I thought their messenger bag was pretty cool.  Here's Phandroid's review.  I would like to actually see one of these in a store somewhere so that I can check the size and weight; but it really looks cool.  The added bonus is that you can charge the phone, etc.

Text/Character Encoder

I was given this encoder in a class.  Recently, I was looking for the link and it took me forever to come up with it.  This post is just a bookmark for me.

Character Encoder

Wednesday, March 14, 2012

DISA Updates - Windows 7 STIG benchmark and a master list of STIGs

While checking DISA for specific guidance today, I noticed two updates.  The first update is for the ninth release of the Windows 7 STIG benchmark.  The current version is: Version 1, Release 9.  This was actually released on 12 March.  The second update I noticed is a Master List of STIGs.  To me, this is awesome, because sometimes I forget which category a particular STIG is housed in.  Click here for the master list of STIGs.  (Be advised that some STIGs are in the CAC-protected section of DISA.)  The master list was released on 8 March.