Comments on: Visa issues security alert

By: jestep

jestep — Wed, 20 May 2009 15:00:33 +0000

Visa posted this on their website finally. 3 months after they issued the alert to their partners.

By: Wenningstedt auf Sylt

Wenningstedt auf Sylt — Tue, 24 Feb 2009 02:34:00 +0000

How are we going to check if the blockers of this IP addresses were doing the right thing in blacklisting? Its not rare that errors occur. I pity those addresses that were included even if they were not in any way doing illegal stuff.

By: Mark

Mark — Fri, 20 Feb 2009 05:40:49 +0000

Big companies has dedicated technical teams who work hard to make the system totally secure. But still these type of instances occure. I don’t know when these type of incidents will stop happenning.

By: jestep

jestep — Wed, 04 Feb 2009 23:01:23 +0000

I think one of the major problems that I’ve read about is that malicious software can be installed in unpartitioned spaces on a hard drive. It’s even possible to make the partition invisible to the current operating system. As far as this goes, make sure you don’t ever leave unpartitioned space on a drive.

The only way to scan for these would be to use a process monitor and then calculate the hash of a running process that matches the listed filename. You can also search for the filename but I have a suspicion that some of these may be generated on the fly, in which case you could only look for a running process. You would need to manually do this on every computer on a network. Ideally, you don’t ever let an intruder in to install these in the first place, because it’s going to be difficult to detect them.

If you need a good process monitor, here’s one from Microsoft. This will show you everything that is currently running through the operating system.

By: Tod

Tod — Wed, 04 Feb 2009 22:55:13 +0000

That’s my point … Visa’s proper response was to notify the Malware scanning folks … which they stated they did.

If not the Malware scanner … how do you recommend scanning for these across your systems?

By: David Bergert

David Bergert — Wed, 04 Feb 2009 21:29:24 +0000

“Eh.. no. I am sure all of this is custom stuff, which is not picked by AV.”

Yeap, not one of these hashes are in the ThreatExpert.com database…

By: Visa issues security alert - Malicious Software and Internet Protocol (IP) Addresses | Payment Systems Blog

Tue, 03 Feb 2009 23:04:49 +0000

[...] it out here. No TweetBacks yet. (Be the first to Tweet this post) Possibly Related Posts (automatically [...]

By: Anton Chuvakin

Anton Chuvakin — Tue, 03 Feb 2009 22:33:01 +0000

“This is what we have malware scanners for”

Eh.. no. I am sure all of this is custom stuff, which is not picked by AV.

By: Tod

Tod — Tue, 03 Feb 2009 15:36:22 +0000

Yes, this seems fairly important … but this really isn’t the way to handle it.

Table 1 … This is what we have malware scanners for, how does Visa suggest that we scan for this stuff, if not with our existing tools?

Table 2 … Is Visa serious regarding the fact that they think that we should create a Black List of IP addresses in our Firewalls? The bad guys change IPs and domains more often than we change our underwear.

This Visa Data Security Alert seems to me to be very ill advised and poorly presented/executed.

What is their thought process behind this?

By: jestep

jestep — Tue, 03 Feb 2009 13:32:04 +0000

They haven’t posted it up there yet. We usually receive their alerts in an email before they post them publicly. This one seems fairly important, so I’m not sure what’s taking them so long to get it up there.