[SecurityRatty] tag: atlanta

AT&T Extends Free Wi-Fi to Cheapest DSL Plans

Tue, 16 Sep 2008 09:30:32 +0000

AT&T seems to have added free Wi-Fi for its lowest-priced DSL customers: The Atlanta Journal-Constitution is the only one with this story, and they've garbled a few of the details, but checking AT&T's public sites seems to confirm it. Previously, AT&T customers had to either have a fiber-optic U-Verse subscription, or a DSL line running at 1.5 Mbps downstream or faster to get free Wi-Fi Basic. The Basic pool covers most of the 17,000 U.S. hotspots, excluding some hotels and premium locations.

AT&T now says that any "FastConnect" subscription, even its DSL Lite offering of 768 Kbps down/128 Kbps up, qualifies for Wi-Fi Basic. The new statement reads: "AT&T Wi-Fi Basic service is FREE and already included if you subscribe to AT&T High Speed Internet, AT&T U-verseSM High Speed Internet, or AT&T FastAccess® DSL—all speed plans included.

There's still a $10 per month fee to upgrade to Wi-Fi Premier, which includes over 70,000 locations worldwide, along with the missing U.S. hotspots, but their Web site says that you have to have a 1.5 Mbps or faster connection to get the $10 per month upgrade. That may be out of date. That ordering page also says you need 1.5 Mbps or faster for free Wi-Fi, so that tends to confirm it hasn't been fixed. (It's even hosted at sbc.com, so perhaps that's part of the vestige of an older system, harder to update.)

Please note that iPhone subscribers still don't get free Wi-Fi on AT&T's Basic network.

Wee-Fi: Routing Out an Address; Badger-Fi

Fri, 12 Sep 2008 07:34:26 +0000

Slashdot breathlessly posts an item by coderrr that Skyhook Wireless is exposing people's addresses: Yeah, whatever. Skyhook has accidentally offered an API that lets you query their Wi-Fi positioning system for latitude and longitude using a MAC address. Skyhook constantly drives major cities around the world and integrates scans created by users of their systems as well. The poster defines a non-existent problem: first, a scammer needs to get someone's MAC address; then you need to pair a rough lat/long with their street address; then, coderrr says, you'd get a phishing email with your home address. Whatever. If my machine is compromised enough that you can obtain my MAC address and then launch a phishing attack, I have worse problems already than my street address being in the email--which is unlikely given that most Wi-Fi scans will be in urban areas. It's likely Skyhook will modify their systems to prevent submission of such queries, or perhaps open their API further.

Madison Wi-Fi network sold to Atlanta firm: Xiocom purchases Mad City Broadband, a firm that has suffered significant criticism over the performance of its Wi-Fi network in Madison, Wisc. The press release from Xiocom (some quoted in the Badger Herald article) are a bit over the top about a network that reportedly has few users, inconsistent performance, and covers only a fraction of the city.

Start-up Purewire offers managed security service for Web users

Sun, 03 Aug 2008 20:00:00 +0000

Atlanta-based start-up Purewire marks its debut today with a managed security service aimed at protecting enterprise Internet users from being victimized by Web-based attacks online.

Security Through Visibility - Montego, Lancope and NetFlow

Wed, 30 Jul 2008 17:57:06 +0000

We've probably all heard that you can't secure what you can't see and that statement is even more profound when it comes to virtual environments. This is because it is extremely challenging to see what is going on at a micro vs. macro level within a virtual environments network. The virtualization vendors such as VMWare and Citrix have provided embedded tools into their management consoles that show a macro level of visibility but its not enough to identify security events in the environment. Take a look at the attached picture. It simply shows VMWare's ability to monitor virtual network performance statistics from a bits per second perspective.

<-Click To Enlarge

With only this level of detail how can one determine which network applications are causing spikes. Is it FTP traffic that is occuring at a high volume at an unuseal time of day? If that were occuring, could that be indicative of either a breach or some sort of problem? What if FTP isn't even an authorized service in the virtual environment but there is a high volume of it? Did someone install a rouge FTP service so they could steal information from the server at will?

These types of questions can't really be answered without a micro level of detail into the packets flowing in, out and within the virtual environment. Now, what I am highlighting is not security in the traditional sense of prevention but using visibility as a means to first identify, then pin point the source of an issue so that it can properly be mitigated. Having constant visibility can also ensure that other security products in the environment are performing as expected. What if a Montego HyperSwitch with firewalling enabled is configured with many policies but someone forgot to create an FTP block policy. One could think they are protected from rouge FTP services transmiting data out of the network, but without constant visibility monitoring, can you be certain?

Some vendors, namely Reflex Security will get you to believe that their IPS / IDS solution that is inline and running in the virtual environment is the right and only approach. Or they will tell you to hang a virtual IDS off a span port in the virtual environment and you will at least have visibility into the attacks that are taking place. Well, sure... You now have attack visibility but at the performance cost of your virtual environment. Signature matching technologies are great, I'm a huge believer; however they don't scale very well in shared computing environments such as virtual ones. IDS systems also don't typically track protocol and network service (FTP, HTTP, etc.) utilizations; which is another important part of visibility.

So, what do we do to gain visibility without the performance headache? Well, for starters its probably best to put your IDS/IPS solutions in the physical environment where performance will be less of a concern. In fact, you can span a virtual switch's traffic out to a physical NIC as easy as you can to a virtual one. So why do it virtual and have to pay a 60% CPU utilization tax? Another solution is to IDS inspect only the things you care about. Why IDS inspect SSL traffic if you know your solution can't unencrypt SSL. Its just a waste of compute cycles isnt it? Policy based switching helps you with directing only the things you care about to an IDS (attack visualization product). Montego's HyperSwitch also can help you with the traffic redirection of only the things you care about.

Another method of visibility which I tend to be a fan of is one of packet analysis (aka NetFlow). NetFlow was invented by Cisco some time ago and has gained popularity in the physical world and definately has a use in the virtual world. NetFlow is lightweight. Let me say that again, its light weight! It only sends a summation of packet detail to an analytical engine which can do some number crunching, packet comparison, etc. etc. to make some sense out of whats going on. Lancope, an Atlanta based visibility company that provides Network Visibility, Security Visibility and User Visibility has this tool on their website that is a Netflow Bandwidth calculator. You'll see from playing with this ( http://www.lancope.com/netflowcalculator.aspx ) calculator that it doesn't consume a lot of network bandwidth to transmit these network accounting records. It also doesn't cause a lot of CPU overhead to send these records to an analytical engine sitting somewhere in the network.

Lancope's analytical engines have the ability to do the following for you within your virtual environment:

Slide 3

•Monitor and Alert network behavior of VMs
•Track Vmotion movement of VMs accross physical servers
•Monitor and Alert on communication between VMs
•Identify users accessing VMs
•Identify unauthorized or rouge VMs
•Monitor and Alert when VM’s go online or offline
•Identify network services running on VMs
•Monitor Network / Application performance of VMs
Display active hosts accessing VMs

...and probably a slew of other things I'm not aware of. A screen shot of their product is bellow:

<- Click to enlarge

You'll notice from the screenshot that you are able to visualize who is talking to who, how much traffic they have sent and received and something called a concern index (not seen on this screenshot).

Now, a concern index is a number that increases as Lancopes analytical engines monitor suspicious activity on a session. A high counter can be indicative of a security problem. Its another way of identifying (visualizing) compromised hosts (virtual machines) without having to do signature matching like a heavy weight IPS engine. Example: Lets say you have a VM that has a BOT on it and is "owned". The Lancope product is monitoring this long life session. Let's say that session is established for several hours or maybe even days or months. Lets also say that the conversation appears to be mostly unidirectional from a public ip address not belonging to your enterprise. Lancope would increase a the concern index on this since this server hasn't typically had this type of behavior. Once the concern index reached a certain level it could then fire off an email, send you a text message or something saying: Warning, Warning, Danger, Danger Will Robinson!!! You're virtual server may be infected with a BOT, please investigate immediately!!!

This example is VISIBILITY which helps you with SECURITY. There are a number of other things you can do with NetFlow and Lancope products that have less to do with security and more to do with operational efficiencies. Things like, helping you answer questions of: How do I know what network applications are taking up the most bandwidth? When should I move those applications over to a server with more horsepower? When did these VM's vmotion over here and was there a traffic condition / CPU condition that caused that to occur? I could go on and on but thats a topic for another blog entry.

So, my suggestion is to take a look at what NetFlow has to offer. Montego Networks supports NetFlow transmission and Lancope supports NetFlow analytics and with both you can regain what was lost visibility.

I hope this was helpful to you all!

-John Peterson

Security Through Visibility - Montego, Lancope and NetFlow

Wed, 30 Jul 2008 17:57:06 +0000

<-Click To Enlarge

Lancope's analytical engines have the ability to do the following for you within your virtual environment:

Slide 3

???Monitor and Alert network behavior of VMs
???Track Vmotion movement of VMs accross physical servers
???Monitor and Alert on communication between VMs
???Identify users accessing VMs
???Identify unauthorized or rouge VMs
???Monitor and Alert when VM???s go online or offline
???Identify network services running on VMs
???Monitor Network / Application performance of VMs
Display active hosts accessing VMs

...and probably a slew of other things I'm not aware of. A screen shot of their product is bellow:

<- Click to enlarge

I hope this was helpful to you all!

-John Peterson

Your 419 Mail Roundup

Wed, 02 Jul 2008 13:11:42 +0000

A handful of scam mails currently in circulation, including one mention of "groundnut oil" that seems so bizarre I had to highlight it in bold text. All this and more, after the jump...
Subject:
FROM THE DESK OF MR. STEVEN JAMES
From:
"Steven James"
Date:
Mon, 30 Jun 2008 19:17:03 +0100
BCC:

FROM THE DESK OF MR. STEVEN JAMES
CHAIRMAN INTERNATIONAL RELATION
FIRST BANK OF NIGERIA PLC
# 1 BANK ROAD WUSE FCT
ABUJA-NIGERIA.
PHONE: +234-80-66520277
Email: stevenjames809@live.co.uk

Very Urgent Attention,

Please permit me to introduce my humble self to you, my name is Mr. Steven James, I am the Manager of International Relation with First Bank of Nigeria Plc, I 'm 38yrs old, and I got your email address from a friend of mine, and my confidence reposed on you. I hope you read this message carefully and reply me immediately. Although we have not met before, but I suggest that this transaction will bring us together.

My dear, we had a customer, a foreigner but base here in Nigeria, his Name was Mr. Hamilton Creek. He is from Atlanta Georgia United State of America, but based here with his wife and his two children, Mr. Hamilton has being banking with us for the past 4yrs and some time in August 2002, Mr. Hamilton was on his way to his house, and unfortunately ran into a Trailer load of Groundnut Oil, and died   immediately, Their car got burnt, no single soul was saved, Mr. Hamilton Creek and His entire family was confirmed dead.

My Board of Directors and the Management of First Bank has mandated and instructed me to look for Mr. Hamilton Creek? Relation(s) and his Next of Kin to come and claim his fund, Since August 2003 till date, I have been looking for his relation's or his next of Kin to come and claim his fund which he Deposited with our bank, I have contacted his Embassy and after 3days, his Ambassador told me that Mr. Hamilton Creek has no relation and no next of Kin, their Ambassador told me that he used his first son as His next of kin, but it is quite unfortunate that Mr. Hamilton Creek Died with all his family members.

The reason why I contacted you is thus, Mr. Hamilton is dead, and his only son who supposed to inherit his properties and money also died with him. As at this moment, nobody or person[s] is coming to   claim this Money from our bank. The Board of Directors and management of our bank told me that if nobody or person[s] apply for the claim of Mr. Hamilton Fund, the bank will return the entire Fund into our Federal reserve. In the Light of the above, I want you to stand as the next of kin to Late Mr. Hamilton Creek; it might interest you to know that he had a Domiciliary Bank Account with our Bank and he has a total sum of US$9.2M Nine Million Two Hundred thousand Dollars, this is the exact amount which he had in his domiciliary account before the ugly incident occurred, and this money is still in his account as unclaimed money.

This transaction is very easy and simple, and it is 100% risk free, I'm the Manager for International Relations with First Bank of Nigeria Plc, and the Management and Board of Directors of the Bank are waiting for me to provide to them the Relation or next of Kin to late Mr. Hamilton Creek, of which I told them that I am still searching the next of kin to the deceased. Finally, if you are interested with this transaction, I will front you to the bank as the only next of kin to late Mr. Hamilton Creek, and I will let the bank know that you are the only right person to inherit Late Mr. Hamilton Funds and properties. If you are interested, just email me or call me on my   direct and private line#: +234-80-27536038 and late Mr. Hamilton's Funds will be credited into your account and all his Properties will be released to you either through Courier Services or the Bank will Cargo all his properties to you in any were you want it.

So reply me immediately and feel free to ask any question with regards to this transaction. You will take 50% of the US$9.2M. Which is? US$4.600, 000.00 Four Million Six Hundred Thousand Dollars, while the Balance of the same amount will be mine.

Your swift response will be highly appreciated.

Thanks and have a nice day.

Friendly Regards

Mr. Steven James

*******************************************************************************************

Subject:
REPRESENTATIVE NEEDED
From:
DFS SALES LTD UK
Date:
Tue, 01 Jul 2008 23:00:55 +0800
To:
undisclosed-recipients: ;

COMPLIMENT OF THE DAY TO YOU.

I am PETER WOODS from DFS SALES LTD UK.(
Website: www.dfs-online.co.uk ) Visit our site

We are into furnitures and we sell shares to people in
Canada,America, Australia and Europe.

We are in need of a book keeper. someone who can represent our company
in his/her country.

Our client in your location will contact you and make the company
payment to you.

You will be entitle to 11% of every payment been made out to you.

This is because most of our officer are from china and they do not

understand english very well.its hard for them to contact our
customers.

Our head office is located in CHINA. But we have a sub-office in the
uk.

If you are interested, Kindly send the entries for more understanding.

NAME IN FULL :.........
COMPANY NAME: .....
POSITION:......
FULL ADDRESS: .......
CITY/TOWN:........
STATE:............
ZIP CODE:........
COUNTRY:.......
MOBILE:.......
HOME TEL: .....
EMAIL ADDRESS: ........
OCCUPATION: ...........
BANK NAME :.......
AGE:............

You are to send the above details to

NAME : PETER WOODS.
EMAIL : dfs_woods@yahoo.co.uk
PHONE NUMBER : +44-704-575-0212

HOPE TO HEAR FROM YOU

*****************************************************************************************

To:
undisclosed-recipients:;

Good day!!!

We have been waiting for you since to contact me for your Confirmable Bank Draft of ?18 Million (Eighteen Million Pounds sterling) but we did not hear from you since for a couple of weeks now. Then we went to the bank to confirm if the draft that expired or getting near to expire and Metropolitan Police Uk told us that before the funds will get to your hand that it will expire.So I told him to cash the ?18 Million (Eighteen Million Pounds sterling) to cash payment to avoid losing this fund under expiration as I will be out of the country for a 6 Months Course.

What you have to do now is to contact FED EX COURIER SERVICES as soon as possible to know when they will deliver of your funds to you because of the expiring date. For your information we have paid for the delivering Charge Insurance premium. The only money you will send to the FED EX COURIER SERVICES to deliver your cheque direct to your postal Address in your country is ?250.00 being Security Keeping Fee of the Courier Company so far. Again don't be deceived by anybody to pay any other money except ?250.00 for the Security Keeping Fee.We would have paid that but they said no because they don't know when you will contact them and in case of demurrage. You have to contact FED EX COURIER SERVICES now for the delivery of your Draft with this
information below:

CONTROLLER: Mrs.Helen Williams
NAME: FED EX COURIER SERVICES
ADDRESS: fedexofficeuk@gmail.com
PHONE NUMBER: +447024080684

IF YOU ARE THE OWENER OF THE FUNDS AND YOU WILL SEND YOUR INFORMATION TO US SO THAT WE CAN DELIVERY YOUR FUNDS TO YOU WITHIN THE NEXT 84HRS TIME.IF YOU DO NOT RECEIVED YOUR FUNDS WITHIN THE NEXT 72HRS TIME AND YOU REPORT US THE UK FBI AND THE METROPOLITAN POLICE (SCOTLAND YARD) or YOU CONTACT YOUR LAWYER TO TAKE UP PROCEDURES AGAINST US.

Let me repeat again try to contact them as soon as you receive this mail to avoid any further delay and remember to pay them their Security keeping fee of ?250.00 for their immediate action. The FED EX COURIER SERVICES don't know the contents of the funds. This is to avoid them delaying with the funds.

Thanks as you contact them today.

Yours Faithfully

Mrs Helen Williams.

(The above actually comes with a nifty graphic that they've thrown in, thinking it makes it all look more legitimate. It doesn't, but here it is anyway):

....altogether now: oooooh. A slightly shorter 419 roundup than usual, but I'm sure I'll have piles of the things next week.

The Wee Bonny Has a Blog

Fri, 27 Jun 2008 10:40:11 +0000

My friend, the Wee Bonny Graydon McKee, has his own company and a new blog. Graydon is from Atlanta, helps us teach with the Potomac Forum, and just finished his Masters in Information Assurance. Pretty good guy all around. Check him out at Ascension Risk Management and fire up your RSS reader.

Bookmark to:

Laptop stolen from the home of a BearingPoint employee

Thu, 19 Jun 2008 11:38:38 +0000

Technorati Tag: Security Breach

Date Reported:
6/5/08

Organization:
BearingPoint, Inc.

Contractor/Consultant/Branch:
None

Victims:
Independent BearingPoint contractors

Number Affected:
Unknown

Types of Data:
"first and last name and Social Security Number"

Breach Description:
On May 14, 2008 a BearingPoint company-issued laptop was stolen from the residence of an employee. The laptop contained sensitive personal information belonging to a number of BearingPoint independent contractors.

Reference URL:
The Maryland State Attorney General breach notification

Report Credit:
The Maryland State Attorney General

Response:
From the online source cited above:

BearingPoint recognizes the importance of safeguarding the personal information it handles in the course of conducting business.
[Evan] As demonstrated on their web site. The number "8" followed by "The number of years in a row that identity theft has been the #1 internet crime"

To that end, we have implemented safeguards for the information.
[Evan] OK, I am following so far.

Even the most rigorous safeguards, however, can not guarantee protection against criminal conduct.
[Evan] Well, I think "rigorous safeguards" needs to be quantified somewhat. What are "rigorous safeguards" and how do they apply to this breach?

The Company was recently victimized by such conduct and we are writing to inform you that this criminal conduct might have a direct impact on you.
[Evan] Uh oh, here it comes. Not only was "The Company" recently victimized, but just as importantly, the owners of the personal information were victimized as well.

On May 14, 2008, the residence of one of our employees was burglarized and the company-issued laptop computer was taken amongst other personal property.

The employee promptly reported the theft to the Atlanta Police Department, which is investigating the break in.

The investigation into the burglary is on-going and BearingPoint is cooperating fully.

BearingPoint worked diligently to reconstruct the information stored on the stolen laptop.

BearingPoint has been able to determine that the computer contains the name and social security number of independent contractors.
[Evan] Recognizing the importance of safeguarding personal information, is storing personal information on a laptop (presumably without encryption due to the fact that there is no mention of it) a prudent practice?

The stolen laptop did not contain credit or debit card numbers, or financial account numbers.
[Evan] So a criminal would have to open his/her own accounts using the other information that WAS on the laptop.

We have no reason to believe that the information stored on the stolen laptop was the target of the burglary or that the information has been misused.

The personal information on the laptop can be accessed only with two passwords and two forms of authentication.
[Evan] The "passwords" are the authentication. I am guessing that BearingPoint meant two forms of identification (probably usernames). Again, I am guessing that one of the username/passwords is for the operating system itself which takes less than 10 minutes to bypass in most instances and I am guessing that the other username/password combination is file access for which there are known workarounds in many common applications (Word, Excel, PowerPoint, etc.). Either way, I think that this excerpt is meant to minimize the situation with a strong bias towards saving face.

In addition, the personal information was not stored in a single file or spreadsheet but dispersed among numerous files.
[Evan] Information security personnel know better than to argue the security through obscurity defense.

To date, we have received no report indicating that the information stored on the laptops has been accessed or misused.
[Evan] I think "laptops" in the breach notification is a typo

BearingPoint recognizes this development, and any related inconvenience, might be upsetting.

We regret this incident has occurred and we apologize for any inconvenience it may cause you.

As a result of this incident, we have taken immediate steps to review our current policies and procedures to further enhance security for personal data we handle and to reduce the risk of recurrence.
[Evan] Restrict ability to store confidential information on mobile devices? Encryption? Two-factor authentication?

To lessen the potential inconvenience to you and reduce the risk that you might be subjected to attempts to steal your identity, we have engaged ConsumerInfo.com Inc., and Experian company, to provide you with one year of credit monitoring, at no cost to you.

Please contact BPt-FMGOICPrivacy@bearingpoint.com should you have additional questions regarding the cirumstance of the incident.

BearingPoint currently anticipates notifying affected individuals on or before June 6, 2008, of this incident.

Commentary:
Marketing on the BearingPoint web site boasts "BearingPoint has demonstrated some of the biggest advancements in risk consulting services among the large number of providers in this market" - Forrester Wave: Risk Consulting Services, Q2, June 2007 Report.

It is disappointing to read about a well-respected company losing control of confidential information, but what makes this worse is the fact that it happened through the actions of a leading information security and risk consulting company. It is important to point out that one incident DOES NOT define a company.

No encryption or mention of it as a matter of policy, and the attempts to minimize the possible impact by mentioning ineffective controls (passwords and obscurity) is troubling.

Past Breaches:
Unknown

Heading to a Long Weekend of Dance

Fri, 23 May 2008 10:37:12 +0000

After many days, weeks and months of working on various customer and company projects, I’m taking the weekend off! (Yes, I usually work weekends and use the time to read, review and catch up.)

Most of my dance peeps have already trekked down to Atlanta for the 2008 USA Grand Nationals Dance Comp- a professional show of Shag and West Coast Swing dancers from across the country. I’ll be heading out in just a few hours with one of my friends to join the flock.

In case you haven’t kept up with previous posts, I used to compete in Shag (looong ago), then American Ballroom and, most recently, West Coast Swing. This event is the perfect spot to see fellow friends and dancers from today and yesteryear.

Because of my work schedule, I’ve taken a bit of a hiatus for the past couple of years. I won’t be competing here, but it’s a great competition to watch and the best group of people around!

I’m excited and I hope to get back on the photo-taking bus and have lots of fun and goofy shots to share next week.

# # #

Welcome to Microsoft Carric Dooley

Mon, 19 May 2008 07:25:54 +0000

(If you are a Lost fan, people keep appearing on the Island. What’s really happening?) Carric and I have worked together for the last 8 years. I first saw customers reverence for him when I moved to Atlanta while working for ISS in 2000. Carric was a contractor at Coke and I was explicitly told by [...]