Thursday, September 20, 2012

PCI Council releases Security Guidelines for Mobile Payment Acceptance applications

Fresh from the oven, the "PCI Mobile Payment Acceptance Security Guidelines", released last week, is the first outcome of the PCI Council's "Mobile taskforce", which was established late last year to address the rapidly evolving and spreading (yet still lacking security best practices) mobile payment acceptance solutions.

This first-of-its-kind formal guidance on cardholder data security and PCI compliance in payment acceptance mobile applications (such as mobile POS) provides an extensive (though not exhaustive, and not without its limitations) guide to both traditional and less conventional mechanisms for isolating account data and protecting it from exposure in mobile payment acceptance solutions/applications.

Most importantly, this release somewhat eases the earlier conclusive tone that positioned the P2PE standard as the only way to achieve PCI DSS compliance in mobile payment acceptance solutions, and offers a more practical path in terms of PCI DSS and mobile-specific security guidelines.

Sunday, September 2, 2012

Much Ado Over JAVA

Earlier this week, FireEye released an article describing a new breed of attack involving a zero-day exploit directed at JAVA® 7 (JRE 1.7). The exploit (later revealed to contain 2 different attacks used simultaneously) was reported as being used as an attack vector for spreading malware.

Within 24 hours the exploit code was tracked down by several sources, which had probably aimed their malware-tracking beams based on FireEye's article, and was pasted on sites such as and similar, for all to see and research. It took merely several hours for Rapid7 to pick it up from there and turn it into a fully automatic Metasploit exploit module. By releasing such a dangerous exploit into a publicly available exploit framework such as Metasploit, the story hit its climax, and there was much debate about Rapid7's team handing out such a devious device, which probably fell into the hands of wrongdoers and security researchers alike.

Up until this very morning there was no public acknowledgement from Oracle (the current owner of the JAVA® codebase), but the fiasco apparently got a happy ending with this morning's patch from them.

Consider testing and deploying the latest patch from Oracle on any of your systems that involve JAVA 7 in any configuration.