Security rundown for week ending Aug. 12
- — 13 August, 2011 05:46
Not unlike the week before, this past week saw hacking once again grab everyone's attention. This time it was an alleged threat from the shadowy group Anonymous to "kill" the social-networking site Facebook. The reason given? Anonymous supposedly thinks Facebook abuses people's privacy and cooperates with authoritarian governments.
This rumored destruction of Facebook by Anonymous is not supposed to happen until Nov. 5, and though it's not readily apparent why that date was selected, it's worth noting that Nov. 5 is the traditional Guy Fawkes Night in Great Britain. Also called Bonfire Night, it commemorates how Fawkes in 17th century England was convicted and put to death for plotting to kill King James I in the "Gunpowder Plot." It's celebrated with effigies of Fawkes hung and burned on a bonfire. Is Anonymous thinking of treating Facebook creator Mark Zuckerberg like this?
Whatever you think of Anonymous, panelists at the recent Defcon conference said the success that Anonymous has had attacking its targets just shows that corporate security isn't that great. One security vendor took Facebook to task this week, saying the social-networking giant should beef up defenses if Anonymous is going after it.
SECURITY BACKGROUND: USB devices: The big hole in network security
Hacking got political in the eyes of a Taiwanese political party that said it suspects the Chinese government is behind a hacking attack that stole information about the party's election activities. Taiwan's Democratic Progressive Party last week said it traced attacks to China's Xinhua News Agency, the state-run press group. Now it's news employees doing the hacking? Well, seems that was why Great Britain's tabloid News of the World (not state-run, so far as we know) was shut down.
We were reminded this week that security holes comes in all shapes and sizes, such as USB devices, according to the Ponemon Institute survey of more than 700 IT and security managers and their difficulties controlling USB devices in their organizations.
News last week also focused on the Payment Card Industry (PCI) data-security standards, which are issued by the PCI Security Standards Council.
These influential standards are required to be used by any business accepting payment cards or processing them, and PCI has been a strong influence on network security in the past few years. However, it can cost a lot -- like more than half a million dollars -- to go through PCI validation for compliance each year through a special audit. Interestingly, Visa last week said it would waive the PCI validation requirement to qualified merchants that agree to install dual-use EMV point-of-sale devices that also support near-field communication (NFC), the wireless technology for mobile payments in smartphones.
If Visa thinks the main incentive to get chip-based payment cards and NFC into the U.S. is by telling merchants they can wave goodbye to their annual PCI validation costs, is this a sign of the beginning of the end of the reign of PCI?
The PCI Security Standards Council would only comment, "Let's see what happens next," but they're still churning out security PCI guidelines, such as the one published last week on tokenization technology and how to use it to help with PCI compliance.
In other smartphone news, Heartland Payment Systems -- remember them from the devastating breach they suffered from hackers three years ago -- unveiled a mobile-payment device called "Mobuyle" that works with any Android or tablet to turn it into a payment-card processor. It's a direct jab at the Jack Dorsey "Square," the little mobile-payment device made by the guy who brought you Twitter. There's no PCI standard for mobile payments yet, but the council says it's trying to have one ready by yearend.
Read more about wide area network in Network World's Wide Area Network section.
MORE IN Open Source Security