Author: Dan Vasile

  • PCI DSS Control Objectives

    Payment Card Industry Data Security Standard has six control objectives and 12 requirements: 1. Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2. Protect Cardholder Data Requirement 3: Protect stored cardholder…

  • ISO 27001 Certification Statistics

How many companies have certified under ISO 27001? You can find the answer here. So, under 7300 as of mid-August 2011. Now, in another report from April 2008, there were 4500 certificates, with the distribution: Japan (2550); UK (370); India (430); Taiwan (175); China (110); Germany (90); and then a group of countries (Hungary, Italy, USA, &…

  • ISMS Certification vs Conformity

    So, as stated here you can certify against ISO/IEC 27001 only. But why certify? Here are some reasons provided by certification bodies. Certification finds no basis in legislative or regulatory requirement, so why bother? The best answer is to validate that investment in security controls meets business goals and provides business value. Business value is…

  • ISO ISMS history

    The ISO is developing a new series of security standards, the first of which is ISO 27001, Information Technology—Security Techniques— Information Security Management Systems—Requirements. ISO 27001 replaces British Standard (BS) 7799, Part 2. BS 7799, Part 1 evolved into ISO 17799, Information Technology—Security Techniques—Code of Practice for Information Security Management and is now known as…

  • The ISO/IEC 27000 Set of Standards Overview

The ISO/IEC 270xx is a set of standards regarding Information Security Management Systems (ISMS). The developer of these standards is the International Organization for Standardization http://www.iso.org/. ISO/IEC 27001 and ISO/IEC 27002 are derived from ISO/IEC 17799:2005, which is derived from BS7799 (British Standard). Many standards regarding ISMS are under development and the published ones are subject…

  • [Tool] Check if an email address is valid – the php way

In an older post we talked about checking the validity of an email address. Now let’s make a PHP function to automate this task. We can use this type of validation to check, for example, whether a user is supplying a correct address when registering for a service.

  • Check if an email address is valid – the telnet way

    You can use telnet to check if an email is valid. You can actually send emails via telnet, but we’ll stick to checking for now. Remember that this is not a string validation but a complete check with the mail server if the user is valid. For this example we will use [email protected].

  • Attacking the lottery

This is purely a theoretical attack on a lottery system. No magic combinations or generators, no syndicates or reading the stars, just a plain attack on the system. First of all, there are some prerequisites. One will need an insider or more in order to carry out the attack, but this should not be a…

  • Socks proxy for non-socks applications

For several reasons you may want to use a SOCKS proxy, but a lot of command line applications are not able to work with a SOCKS proxy. wget, for example, is unable to work directly with a SOCKS proxy. Also, configuring wget to work with an HTTP proxy is a pain. You can’t specify the…

  • SSH tunnels, an alternative to VPN

    What do you do when you need a connection to the Internet and the only thing in hand is an unsecured wireless network or hotspot? Do you realize the dangers involved? Would you trust this connection and send confidential data over it? Of course VPN is the favorite method, but what if you don’t have…