Acunetix + Acusensor on top wins but this is more a review of default settings than actual capabilities.
Surprised Burp Pro wasn't tried, but maybe that's more down to the semi-automated nature of the product.
Privacy options could still use some work IMHO
I might start writing these articles if they pay well.
I think my mum could have written that!
Excellent idea. I wonder if it's automated or if they do it manually.
If you read the whole article, it mentions that you "have to clone a SIM as the last step", which according to the researchers is "trivial", but general consensus says it's not.
Is it me or does this sound like an urban myth... To spoof an IMSI you need keys that are stored on the SIM card, so how can changing the firmware achieve this? And why Nokias from a specific factory? Again, I'm struggling to find this believable. Does anyone have any further information?
But antivirus products are 250% secure, the nice salesman from Symantec said so!
Checked from a UK BT ADSL line, it wasn't blocked. Article suggests it might be mobile only, which is pretty odd.
Downvoted due to advert. Not killed as it's infosec-related (I guess) and I would rather not censor. Next time please post something like an article on data recovery instead of your main site.
Nice stuff, saves me having to mount offline and move executables around to get cmd.exe to spawn as SYSTEM on boot!
I want one!
It's worrying that you can enumerate correct PINs. No need for burglars to march you to the ATM anymore (and get recorded by CCTV).
My tuppence worth...
1) Domain name doesn't really make any difference to me, but something related to the topic might improve the chance of catching passing traffic.
2) Can you get any easier than this?
3) I can't think of any additional features, it does what it says on the tin, what more do you need?
1) The Mandalorian subdomain doesn't put me off and, as far as I'm aware, there have been no posts deleted due to being hosted by a competitor (unless they're blatantly peddling their wares, I guess). A "securitynews.com" type domain could increase traffic, on the other hand.
2) Autospam killing would be good for the admins; it doesn't really bother me though as I don't have to go through deleting things ;o) Getting users to re-register may require another burst of advertising/hassling people to do so, which may drop numbers.
3) Personally I think the site works quite well. A few thumbnails of "top" stories could be useful to grab attention, but then again would probably slow the site down... hmm. On the whole the site is laid out well and easy to post to; can't go wrong with that.
Dropping Worldpay is going to impact a lot of smaller retailers.
1) I'll stay out of this discussion, thanks; I don't want to influence it unfairly. I will say that IU's always been a Mandalorian project that's generally independent, and I've always encouraged competitors et al. to post links to their own stuff. We have heaps of links to portcullis, corsaire et al. and I think that's a good thing (tm).
2) Auto-spam kill would be good. Subreddits and tagging would also be good.
3) More users posting :) The above is nice to have but not essential IMHO.
I think Iwar did this first, but look forward to seeing Warvox grow.
That's why I've always gone for http://www.scanlesspci.com/ whenever I've needed to be PCI compliant. My motherboard is PCI compliant, thanks Scanless PCI!
Hasn't this already been done before? ;)
Jamie C. Pole, to dataloss:
Oh wow! That's going to make a HUGE difference!
Let's not forget that they WERE PCI "compliant" when they got breached. How is hiring another clueless QSA going to change the basic facts here?

The whole PCI "standard" is a joke. The PCI Standards Body needs to go the way of the dodo, and the whole QSA concept needs to be eliminated. The only way there will ever be any reasonable level of assurance that credit card transactions are safe is for a body made up of COMPETENT security professionals to come together to define meaningful controls that will actually make a difference. And the whole "pay to play" QSA game needs to be replaced with a process whereby COMPETENT security professionals are able to demonstrate proficiency by actions, NOT by virtue of the fact that their application fee check cleared.

Actually, I wonder if they take credit cards for the QSA fees? :-^

Maybe the QSA criteria should be "show us that you have breached a payment processor, and we'll let you test other payment processors..." If that happened, the list of approved QSA providers would be VERY small, and I'd bet that VERY few, if any, of the people on the current list would be on the new list.

This same thing is going to keep occurring over and over and over until the PCI program itself is overhauled. With the current "controls" in the PCI DSS, I'm not sure how any of these people sleep at night. Especially when you consider that the QSA providers seem to all be relying on automated scanning tools when they do their assessments. Two words come to mind: unlimited liability.

I love the part about "more stringent conditions"... What? They have to run Nessus or Qualys ONCE a month instead of quarterly? That's definitely going to make a difference! Twice nothing is still nothing. I suck at math, but even I can work that one out. (By the way, no offense meant to Nessus; it's a great product that I use myself. I just don't believe in basing C&A decisions on automated tools.)

Gotta love this world we live in: the PCI people have mortgaged the future of their industry in order to sell QSA "subscriptions"...
Beat me to the submission!
Whoever did this should be arrested and charged under the CMA. Being a journalist does not permit you to abuse other people's systems, period.
It's called risk management. That and show me a removable media solution that's CAPS approved up to IL3.
"Yes, we need the 0day as we've run out of ideas", said the head of WASC...
He's not a terrorist hacker, he's just a very naughty boy!
Maybe we have found Asda then ;)