Cybersecurity Insights

Kirsty Trainer

Marketing Manager & Design-fiend at Foregenix

Recent Posts

Kirsty Trainer

An introduction to PCI assessments in the cloud - Amazon Web Services

29/02/16 17:59

Written by Andrew McKenna, PCI QSA, PCIP at Foregenix

Amazon Web Services and Microsoft Azure are the two most common cloud services used in practice. While many people will be familiar with Microsoft language for Active Directory users and groups, Group Policies, virtual machines, IIS webservers and SQL databases, the language used by AWS and the services provided are quite different in many cases. Reflecting this in practice is Microsoft’s support of the hybrid cloud whereas moving to AWS is typically a more complete migration or separation.

Kirsty Trainer

Malware Alert: iFrame Interception attack affecting websites with outsourced payment models

29/02/16 15:21

For those unfamiliar with the concept of outsourced payment models, it is essentially the adoption and implementation of eCommerce payment services from commercial Payment Service Providers (PSPs) rather than merchants handling the payments themselves. You have probably experienced the concept when you are suddenly whisked off to a different site to present your payment details and then returned to the eCommerce website once payment has been made. The idea is to make sure payment details pass directly from the consumer to the payment service provider, which has had its operational security reviewed and certified as PCI DSS compliant.

Kirsty Trainer

PCI DSS v3.2: Update scheduled for March/April release

25/02/16 17:31

Recently the PCI Security Standards Council announced an upcoming update to the PCI DSS which will increment the version from 3.1 to 3.2. We knew an update was coming to account for the changes to SSL and early TLS introduced between version 3 and 3.1, and for the additional guidance provided in recent months on mitigating the risk of using these protocols. Additional changes are also being introduced because, given the maturity of the PCI DSS, the update cycle is changing. Rather than a significant update at the end of this year, we can anticipate a more dynamic standard with rolling updates to reflect the evolving threat landscape. The next version is scheduled to be released in the first half of this year, and the Council is aiming for a March/April timeframe.

Kirsty Trainer

Malware Alert: Asymmetric Crypto Malware Dropper

29/01/16 11:55

In a previous article (Mage.jpg Malware Derivative) we discussed an interesting evolution we were seeing in the eCommerce security arena, that of asymmetric encryption techniques being used to obfuscate harvested payment card data. This is something that became prevalent many years prior with binary malware created for brick and mortar compromises.

The use of asymmetric encryption techniques makes the role of a digital forensic analyst somewhat trickier, as we cannot (generally) provide any empirical insight into the contents of the harvest files. As such, the details of the exposure have to take a "worst case" approach, which generally impacts the victim's organisation detrimentally.

Kirsty Trainer

Nude Web Design and Mole Productions join as FGX-Web Partners

18/12/15 15:35

Foregenix welcomes Nude Web Design and Mole Productions as official partners of its FGX-Web product.
