• 2 people thought of audits as positive even if they can be annoying. (One compared it to a doctor’s visit).
• 2 people thought auditors could be positive because they could help bring attention to issues which are being ignored by management.
• Only 1 person had a negative comments, saying auditors were a waste of money.

I had expected the results to skew entirely the other way, so maybe an auditor field guide isn’t as necessary as I thought. I will however throw out two random thoughts.

1. Auditors are interested in what is measurable, not necessarily in what is meaningful (to you).
2. While you may not like them, management usually has to listen to auditors. While you can complain all you want, ultimately you have to either pass the audit, so you might as well stop the complaining and try to focus on passing.

• Make sure your processor is PCI compliant.
• Limit access to sensitive data internally, and employ separation of duties. Get a review from a QSA of your PoS equipment.
• Check that the company hosting your website uses an IDS and has a SAS-70. If they use an SSL cert, that’s great because it “signals that a host has taken extensive precautions to secure data”
• Look into getting data breach insurance.

Now I could spend some time making fun of whoever wrote this article and some of the ridiculous statements, especially those contained in bullet point three, but that wouldn’t do anyone any good. There is a greater chance that my CIO reads Forbes (or will read some other source that will quote this article), than there is of my CIO reading a paper on proper session management techniques. Insult this article all you want, but realize that this is what’s being seen by your management, and this is the point of view they will have.

Update (7/19):

I realize I never quite finished this post. There are some valuable things to learn here, although they’re about business and psychology instead of infosec. I’ve seen far too many brilliant infosec people not get their advice heard because they weren’t speaking the right language. Realize what point of view the author (and readers) of this article are coming from. They don’t have the time or skill to do a security review, so they look for shortcuts like PCI compliance. The business is looking for indications of security that are easy to understand, easy to evaluate, and can be easily shown to others if their due diligence is ever called into question.

When extracting images from the report, the front cover has 2 main images – one of a blue fingerprint, and one of a grey one. When run through stegdetect it says that the later has 10 bytes of data before the 0x9d flag. I tried to get the data out with fphide, but fphide requires a key to extract. Since I had no more leads on another key, I had to give this up quickly. I tried stegbreak using both the john the ripper wordlist and the report itself as a dictionary to no avail. I also manually obtained the 10 bytes with a hex editor and tried using that as a key to break the encrypted data, but what algorithm uses an 80 bit key? (And I still don’t know the algorithm or the iv). I’m currently leaning back to my initial position that there is no steg data for four reasons:

1. What can you really hide in 10 bytes?
2. If you google this, you’ll see a lot of people have this issue. It could very easily be an artifact of the program which created the image. *cough*Adobe*cough*
3. Getting the images out of the doc seems to require either Acrobat pro or a third party app. I find it hard to believe that the creators of the puzzle would require either of those.
4. The clue on ZDnet says so.

That is of course speculation on my part, and I could be wrong, but that’s the assumption I’m working on going forward.

On a related note, this is far more fun to do with other people. I think I finally see the value of twitter.

The first thing to note is that on the back cover, in black text on a black background, is the following block of code:

U2FsdGVkX1/igcsdctD3brMu4vDXkswNZZoHL6QVcI6eBlfN4aqvBBowRhf9wfsk
hb5RIGVSpphM2bJe33tVKh7koZ85V5ebFI1mPlXEhnKHO+er8EIyDRYuVvju08qv
u/jITmGEM4Mpk4gvL7aVeFB5lxoMFo0ds/CEA6zK80QprvV5B+c6+MWciIzLFJWI
/4OcO96UGM2riMKj2iy4JgmRxjEUyX/TKQEIB1s7WLh6cW30JpvgAI8wILVdTWpt
+gnIfyEGxio4Q2T9LM1ncA5K2P4lg/DsTiDIEEg3Ws4uW5sbz22qfE91frW7NnBg
t46Iy0WhZgw0+wj4DCLzF4GBnIkplanSMdA+hiwhdR629KL7O8X1ZLg5eFHmjS6C
VCXXuQJVSaVG77/5113N/eNMboD2RhXyq1kWzZZaW/lpJ8vIDs5OK7d1TPG6aVLJ
hINx3qPZzNvtK4r4KfZ5fhjUXLcufOpE46gGnD0aHW+SCcGl2k7NPqbYfGtYSwuJ
HYne4VTxR772vsV5RFgirw==

Clearly it’s no stretch to imagine that this is a major clue. After spending several hours convinced that there was steganographic data encoded in the image on the front cover, I turned to analyzing the code block. The first several characters – U2FsdGVkX1/ – are the base64 encoding of “salted__”. What I have since learned is that when you encrypt something with a salt, the resulting ciphertext includes that string followed by the actual salt so that it can be decrypted. (Thus an awful lot of cipher text begin with U2FsdGVkX1 – the slash is sometimes a different character that has to do with the peculiarities of base64 encoding). If this has been salted, that means is has been encrypted. If it’s been encrypted, that means it can be….. unencrypted! I tried a lot of educated guesses at the passphrase, none of which have yielded a positive result yet. Part of the problem is that I know neither the key nor the algorithm. My last ditch attempt was to take the DBIR, convert it to text, use it as a dictionary, and then try each word as a key for AES128, AES256, DES, 3DES, blowfish, etc. My quick and dirty shell script is here:

for line in `cat dict`; do
  `openssl aes-128-cbc -d -base64 -in textblock -k $line`
done

for line in `cat dict`; do
  `openssl aes-128-ecb -d -base64 -in textblock -k $line`
done

repeat for 3DES, blowfish, etc., etc.

I have a feeling that the answer to either the algorithm or the key must be in the report somewhere, I just can’t find it. I hope this helps someone. (And if it does, please let me know).

Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.