Agreed, but really the first step of a successful business is to poplar your cherry in the patent area. So I wood say he's ahead of the grain already.
Because shortly you will not be the only one with the card. As others mentioned there is a skimmer attached somewhere on the ATM. This reads the data contained on the magnetic stripe of your card and records it. It may transmit this data via Bluetooth to a local attacker, or store it locally. Skimmers usually can contain anywhere from 7-10,000 cards on them, roughly.
Once this is accomplished the attacker will then either sell the data online, or begin creating his own fake credit cards. This process involves purchasing blanks, which look like plain white cards, and reloading your mag stripe onto it. They may be more sophisticated as well, but that gets more expensive. Then it's off to the local big box retailer to buy a few TVs courtesy of you!
ATMs are the obvious case, but this can be easily done in gas pumps as well...
You know how these things go: if you have to ask, you probably couldn't shell out enough...
My brain exploded at the first word; it's recovered enough to now feel like an idiot.
That word... it doesn't work that way.
A pretty huge advantage if you aren't track/field inclined.
and crusty jugglers.
This is not the troll you are looking for *waves hand*
That stings, don't be such a queen :'(
Good point, exciting new mods will create quite the buzz.
It works EXTREMELY well on most dogs. In fact my dog goes absolutely crazy for it, like crack fiend crazy. She gets so excited she shakes, and that is just when I reach near the box that the laser pointer is in. Then she will run until she passes out, literally, chasing the thing. And finally she goes into withdrawal if she doesn't get it for a few days. Like crying, shaking, skittish, angry withdrawal. She has been clean about two months now; I'm tired of the damn thing.
No worries, nuclear companies only use the best! Siemens gear!
I'll save you 4 minutes and 55 seconds: www.wireshark.org And it runs on Linux! The nontrivial technical ability probably refers to how you have to hit a button to start the thing running.
My BlackBerry requires 7 characters/numbers or greater, and I even add in special characters to make things a bit more fun. Do you have any idea how hard it is to type Hunter2! into a BlackBerry?!? The upside is that the phone auto-wipes after three failed attempts, so I get put out of my misery pretty quickly.
*Please excuse typos, posted from any mobile device other than BlackBerry
You pay these companies through web money accounts, which are effectively the same as cash. These transactions are usually non-reversible and run through companies like Western Union or Liberty Reserve. Credit cards are a completely worthless form of payment on those sites, and they recognize that.
PCI definitely is a joke, but not for the reasons you listed. Self assessments are only done when a company is pretty small and processes a limited number of card transactions. In a large firm like a hosting company they probably have to have a QSA conduct a formal and more rigorous audit. Companies like Heartland were PCI compliant when breached, so it's definitely not perfect.
But on the other hand PCI and SAS70 are most likely the only insight you're likely to get into the company's security unless you're going to be a huge client. It's not perfect, but it can certainly be used as part of a layered security assessment.
Otherwise your advice is good, but only a small part of what needs to be done to ensure an entire site is secure. Reading through the PCI requirements might not be a bad idea either. Sure they are a checklist, but if you take the guidance and ensure you implement it in ways that make sense and don't just check boxes, you will do alright.
Not a bad component to have a pen tester come in. You might want to start, however, by working through a hardening guide like the ones available over at the Center for Internet Security. They are very detailed, easy to follow, and do an excellent job of securing your target. Test in development first though, as it is too secure in a lot of cases and will kill needed functionality.
Once you've accomplished that, have a pen tester look things over and see if it's secure. Then put in logging and monitoring, ensure your security controls don't change and that you aren't seeing suspicious activity in the logs.
In terms of evaluating the hosting company, it depends on how open they will be with you. See if they have audit results from PCI or SAS70 and request them. See if they have pen test results available for you as well. Check and make sure their encryption looks reasonable: are they using SSL, etc. Ask their security staff basic questions and see how knowledgeable they are. Request references with highly audited customers to see what they think.
That should keep you busy for a little bit.
All I really want to know is if it can print Crysis 2?!?!
I totally agree and will add my own as well:
My grandmother plays Wii like a champ, backs up her computer more frequently than most people, and has an Android phone. My grandfather doesn't recognize his own daughters anymore, but can still use an iPad...
The TV show was most likely AMC's The Walking Dead. They make it to the CDC right before it automatically self destructs to prevent the spread of the various other diseases they are keeping in storage: http://science.slashdot.org/story/11/05/18/1539244/US-Preserves-Smallpox-For-Defense
I believe Microsoft included detection in their MSRT (Malicious Software Removal Tool), so as long as users are regularly updating they should have this taken care of on its own shortly. I imagine the FBI is probably assuming most users aren't actively updating, or targeting "high value" or infrastructure type computers for a more aggressive removal strategy.
For the tin-foil crowd, if the FBI really wanted to do bad things to your files, they wouldn't have made it public they captured the command and control servers :)
The botnet owners can't take preventative action against the uninstall because they don't have valid Command and Control servers running. Since the FBI is controlling those at the moment, the individual bots are hanging in limbo doing nothing. If however the malware is actively looking for new C&C servers to be spun up to receive commands again, there is the potential that the FBI could lose control again. Hence why it is necessary to remove the infection while they maintain control, and only one step in their strategy to cripple the botnet.
In space... no one can hear you poo
I pretty much only watch SyFy (pretty sure it's pronounced like syphilis) when I've consumed way too much of my favorite mind altering substance. Watching Sharktopus drunk really tops off a night...
No kidding and then the debate really heats up:
1. Robots want to be able to marry > Marriage is between a fleshing and a fleshing (cyborgs or flesh covered robots allowed too in Massachusetts)
2. FemBots want to be able to choose to have an EMP burst > EMPs are nuclear based malicious malfunctions!
3. Robots want to "open-source" themselves, no debate ensues but it's only legal in the outskirts around Las Vegas.
Won't someone think of the child-bots?