Thursday, April 29, 2010

Banking virus Zeus strikes back

A new survey conducted by Web security experts has revealed that Zeus, a virus that steals online banking details from infected computers, is back and more powerful than ever.

The Zeus family of malware is the number one botnet online, with an estimated 3.6 million PCs infected in the U.S. alone. The malware infects a system and waits until the user accesses one of a predefined list of banking URLs. Additionally, Zeus has the ability to inject HTML into the pages rendered by the browser, so that its own content is displayed alongside (or instead of) the genuine pages from the bank’s Web server.

Once the virus is installed on an affected computer, it can record users’ bank details and passwords, credit card numbers, and other personal details such as passwords for email accounts and social networking sites. This sensitive information is then relayed in real time to a remote server to be used and later sold by cyber criminals.

Earlier this year, many parts of the systems used for the Zeus botnet were destroyed when the Kazakhstani ISP that was being used to administer it was cut off. However, it has not taken long for the malware controllers to spring up elsewhere, and the battle between anti-virus software vendors and botnet developers persists.

Zeus 1.6 has the ability to infect computers using both Firefox and Internet Explorer Web browsers. Experts say the new version of Zeus is expected to significantly increase fraud losses, especially with the growing number of users who regularly bank online. What makes this virus especially dangerous is its ability to bypass even up-to-date anti-virus protections.

A recent study conducted by Trusteer, a web security company, which sampled 10,000 users on a single day, showed that 32% were not using anti-virus protection, 6% were using an outdated version, and 71% were using anti-virus with current updates applied. What was particularly striking is that among Zeus-infected systems, 31% had no anti-virus protection, 14% were running outdated anti-virus software, but the majority, 55%, were using current anti-virus software. Essentially, this means that the majority of infections are going undetected, which is bad news for consumers, banks, and anti-virus providers, who were only effective at preventing the virus 23% of the time.

So, what can computer users and financial institutions do to reduce the risks of becoming a victim of cyber crime, whilst continuing to utilize the benefits of online banking?

The development of pro-active technology is fast becoming an important defense mechanism and may include faster and smaller updates and global threat detection networks. More technically savvy users can check the registry key that lists the software started when a user logs in to their computer. Typically Zeus adds itself to that list as ‘ntos’, but this name may change at any time.
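The login-time check described above, as an added example that is not part of the original post: it reads the per-user and machine-wide Run keys when running on Windows (and falls back to a constructed sample elsewhere) and flags entries that use the ‘ntos’ name the article mentions or that run from a user-writable directory. The user-writable-path heuristic and the sample entries are assumptions of this example, not from the article.

```python
import os
import sys

# The two registry keys that list software started at user login.
RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)
# Assumed heuristic (not from the article): droppers often run from user-writable paths.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\")

def read_run_entries():
    """Read (hive, value name, command) from the live registry; empty list off Windows."""
    if not sys.platform.startswith("win"):
        return []
    import winreg  # standard library, Windows only
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive_name, path in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive_name], path) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    entries.append((hive_name, name, str(value)))
                    index += 1
        except OSError:
            continue  # key missing or access denied
    return entries

def flag_suspicious(entries):
    """Return [(value name, [reasons])] for autorun entries that deserve a closer look."""
    flagged = []
    for _hive, name, command in entries:
        reasons, lowered = [], command.lower()
        if name.lower() == "ntos" or "\\ntos.exe" in lowered:
            reasons.append("matches the 'ntos' name the article says Zeus typically uses")
        if any(hint in lowered for hint in USER_WRITABLE_HINTS):
            reasons.append("runs from a user-writable directory")
        if reasons:
            flagged.append((name, reasons))
    return flagged

SAMPLE_ENTRIES = [  # constructed sample data, not captured from a real machine
    ("HKLM", "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("HKCU", "ntos", r"C:\Windows\system32\ntos.exe"),
    ("HKCU", "updater", r"C:\Users\alice\AppData\Roaming\updater.exe"),
]

if __name__ == "__main__":
    for name, reasons in flag_suspicious(read_run_entries() or SAMPLE_ENTRIES):
        print(name, "->", "; ".join(reasons))
```

A name match is only a hint, since the article notes the value name can change at any time; the path heuristic is what catches a renamed entry.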

All computer users can reduce risks by installing up-to-date anti-spyware software, keeping programs updated, and disconnecting from the Internet when it is not in use. The virus has the capability to inject additional pages into online banking login screens. So if you are suddenly asked for a secret question, security number or other unusual items during the login process, abort the login, and call your bank or try the login from another computer. Users should also be careful when opening attachments or following links in emails and on websites, investigate new or unknown software before downloading it, and ensure that passwords are kept robust and secret.

(The full report can be downloaded from

Thursday, April 22, 2010

Understanding the PCI:DSS - Not Just Complying with It

Upon the establishment of the Payment Card Industry's Data Security Standards (PCI:DSS), many relegated the PCI:DSS to a derivative of the ISO standards and just another "tick in the box" of international standards, without much staying or enforcing power. The PCI:DSS has since grown and taken on a significant role in the evolution and enforcement of real information security standards within organizations around the globe, and has even expanded to include the Payment Application Data Security Standards (PA-DSS), requiring software developers and vendors to comply with a high level of application security standards.

These standards now represent an integral part of information security practices, and have even instigated a true change by mandating the integration of best practices in data security in organizations of all sizes and types that store, transmit, or process prohibited credit cardholder data such as full magnetic stripe data, CVV2s or PIN data.

In addition, the instituting of the PA-DSS places a whole new emphasis and importance on the development of secure code by software vendors – and the maintenance of a secure software development lifecycle. While companies around the globe have all taken on the challenge of PCI compliance, at times requiring large-scale and pan-organizational information security changes within large networks/infrastructure, many companies still find themselves “in the dark” about the actual requirements themselves.

Because of the complex nature of the PCI:DSS and the PA-DSS, the QSA/PA-QSA needs to have an in-depth understanding of the standard, including all of the intricacies involved, to enable a pragmatic approach and a tailoring of the technological, procedural, and administrative controls to your organization's needs. A QSA/PA-QSA who brings experience and expertise in the area of PCI and PA-DSS certification will be able to recommend the necessary measures for your company, and to distinguish the most relevant and applicable requirements as they apply to your company's internal business flow. Your organization can then integrate the QSA/PA-QSA's professional recommendations with confidence, knowing that these are the most cost-effective and critical requirements for your organization's compliance with the PCI and PA-DSS.

With much experience under our belt with these compliance processes, Comsec is able to provide a few guidelines on the most prevalent issues and “grey areas” encountered in the different PCI processes by different sized organizations, to facilitate what is sometimes perceived as a complex and resource-draining process:

• Don't be afraid of the standard! Know its most important stipulations so that you can maintain an ongoing dialogue with your QSA/PA-QSA about the solutions best suited to your organization. Only you possess in-depth knowledge of the internal business processes that are unique to your organization, and you can suggest the methods of operation that are most appropriate for your company, which gives you a feeling of involvement and a level of control over your compliance process.

• Be aware of where the pitfalls lie for diverse technologies, from legacy systems through Web-based platforms, and the possible constraints they may pose with regards to complying with this standard.

• Correct scoping of your CHD environment is imperative to prevent the inclusion of unnecessary systems in the compliance process. When properly done, this scoping will, in essence, reduce the timeframe for compliance and the effort that needs to be invested to ensure all of the systems and the network comply with the PCI standards.

• Assessing the added value of storing sensitive cardholder data in different systems may lead to de-scoping systems that do not require the storage of sensitive CHD for ongoing business processes, significantly reducing the number of systems required to be in compliance with the standards and streamlining the overall compliance process.

• There are less well-known "quick wins" available to organizations that make the compliance process much more friendly and attainable. For example:
o Tokenization
o Encryption
o Hashing
o Truncation

Being informed about the different solutions available to your organization will enable you to take the initiative in suggesting the appropriate solution to your QSA.

• There are many solutions available for outsourcing parts of the clearing/payment process. These solutions often serve to greatly facilitate the compliance process for many organizations.

• The implementation of best practices in secure coding will facilitate the PA-DSS compliance process, as security considerations will have already been taken into account in the development process.

• Be familiar with the different technological solutions involved in the compliance process (e.g. purchasing a web application firewall, or performing code review), and assess which solutions are best-suited for your organization—and are the quickest and most effective to implement.
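The "quick wins" listed above (tokenization, hashing and truncation; encryption is omitted because the Python standard library has no authenticated cipher), as an added example that is not part of the original post or of any Comsec tool: a token vault is the only component that holds PANs, while the merchant-side record keeps only an opaque token and a truncated display form, which is what lets the merchant system be de-scoped. The keyed-hash lookup, the 16-byte random token and the test card number are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check so a mistyped PAN is rejected before anything is stored."""
    digits = [int(d) for d in pan if d.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def truncate(pan: str) -> str:
    """Truncation: keep only the first six and last four digits (the BIN and the tail)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pan_hash(pan: str, key: bytes) -> str:
    """Hashing: a keyed hash (HMAC-SHA256) lets the same card be recognised again
    without storing the PAN; the key is held only by the vault."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

class TokenVault:
    """Tokenization: the vault maps random tokens to PANs and is the only in-scope store."""
    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._pan_by_token = {}
        self._token_by_hash = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        h = pan_hash(pan, self._key)
        if h not in self._token_by_hash:          # same card always gets the same token
            token = secrets.token_hex(16)
            self._pan_by_token[token] = pan
            self._token_by_hash[h] = token
        return self._token_by_hash[h]

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. at settlement time) ever turns a token back into a PAN."""
        return self._pan_by_token[token]

def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the de-scoped merchant system stores: token and truncated form, never the PAN."""
    return {"token": vault.tokenize(pan), "display": truncate(pan)}
```

Whether a truncated PAN plus a token stays out of scope depends on the vault being segmented from the merchant systems; the QSA will want to see that boundary, not just the code.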

When it comes down to it, many parts of the PCI and PA-DSS standards are subject to the human interpretation of the QSA/PA-QSA. Complying with the PCI standards does not have to be a complicated and time-consuming process for organizations, and knowing the different options available to you can help in correctly mapping the compliance process and making the correct decisions at the different junctures in the process.

It is also important to bear in mind that these standards serve the purpose of protecting your organization against the many malicious entities who will invest inordinate resources to obtain your clients' sensitive personal information. Complying with these standards will help your organization preserve its long-standing reputation, and will provide your clients with the much-needed assurance that their data is in safe hands when undertaking business transactions with your company.

Do you have questions about PCI:DSS or PA-DSS certification? Feel free to get in touch with our dedicated PCI teams for all of your certification needs, contact: or