The first talk was on Adobe Flash security. Here are my notes:
- Cross-site flashing takes advantage of the HTML Flash parameter allowScriptAccess=always
- Stefano Di Paola released SWFIntruder a few months ago to help analyze Flash applications at runtime
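As an added check (my own example, not code from the talk or from SWFIntruder), a small standard-library Python script that audits an HTML page for Flash embeds that set allowScriptAccess to always, the setting the note above ties to cross-site flashing; the sample page is constructed:

```python
"""Added example (not from the original post): flag Flash <object>/<embed>
markup whose allowScriptAccess is set to "always". Standard library only."""
from html.parser import HTMLParser


class FlashEmbedAuditor(HTMLParser):
    """Collect allowScriptAccess settings from <embed> attributes and from
    <param> children of <object> tags."""

    def __init__(self):
        super().__init__()
        self.findings = []       # list of (where, value) tuples
        self._in_object = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._in_object = True
        elif tag == "param" and self._in_object:
            if a.get("name", "").lower() == "allowscriptaccess":
                self.findings.append(("object/param", a.get("value", "")))
        elif tag == "embed" and "allowscriptaccess" in a:
            self.findings.append(("embed", a["allowscriptaccess"]))

    def handle_endtag(self, tag):
        if tag == "object":
            self._in_object = False


def risky_script_access(html):
    """Return the embeds whose allowScriptAccess is 'always' (case-insensitive).
    Other values (sameDomain, never) are not flagged."""
    parser = FlashEmbedAuditor()
    parser.feed(html)
    return [f for f in parser.findings if f[1].strip().lower() == "always"]


# Constructed sample page: two risky embeds and two that are not.
SAMPLE_HTML = """
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">
  <param name="movie" value="player.swf" />
  <param name="allowScriptAccess" value="always" />
  <embed src="player.swf" allowScriptAccess="Always" />
</object>
<object>
  <param name="movie" value="safe.swf" />
  <param name="allowScriptAccess" value="sameDomain" />
</object>
<embed src="other.swf" allowscriptaccess="never">
"""

if __name__ == "__main__":
    for where, value in risky_script_access(SAMPLE_HTML):
        print(f"allowScriptAccess={value!r} via {where}")
```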
The second talk was on PCI. I was surprised that the discussion around this topic was lively, as I thought it would be pretty boring. Anyway, here are my notes from this talk.
- Criminals are getting better
- Tiny wireless skimmers are point of sale devices
- In-line wiretaps to record transactions
- Current PCI spec doesn’t require end to end encryption
- Visa’s PABP – Payment Application Best Practice
- PA-DSS – PCI Council adapted version of Visa’s PABP
- Section 6.6 is required by June 30, 2008
- Requires either a code review or a web application firewall for front-facing sites
- But what defines a code review? Static vs. dynamic analysis?
- Section 11.3 talks about pentesting
The next Bay Area meeting will be in the East Bay, probably somewhere in Pleasanton. If you want to give a talk at the next meeting, please drop me a line.
I only took a few pictures at this event, but they can be found on Flickr.
Update: There is a great blog on PCI at pcianswers.com.