[SecurityRatty] tag: dear

KPIs for ISO 27001? Do Such Things Exist?

Tue, 02 Dec 2008 10:48:41 +0000

On Gary Hinson’s excellent ISO 27001 Google Group, the following question was just posed:

Dear Implementers:
What could be the KPIs by which I, being Management Representative,
can show complete picture in a compiled brief/short report? Your
response would be highly awaited.

Which I think is a great question! Talk about no-nonsense. None of this “high-falutin” nonsense about ISO adoption providing ‘piece of mind’ and ‘common language’ or ’strategic currency’. No this is straight from the hip - tell me right now how I can communicate the value of an ISO implementation to non-security management.

I’m not sure I’ve got a good answer. Do you? You guys (loyal, cool, readers) are really bright and many of you CxSO’s in your own organizations. Leave comments and in our next post I’ll publish the best and brightest (as well as some of my own thoughts).

On Inspiration and Security

Mon, 17 Nov 2008 11:07:00 +0000

First, I have a horrible revelation to make: I never held CEOs in much regard. For example, if you go to “a CEO keynote” at a security conference (RSA comes to mind), you can be pretty much assured that you’d get a boring, bland and “content-free” speech which summarizes to 1 word: nothing. Actually, it is 0 words :-) Similarly, even though I knew what CEOs did (tell people what to do, give speeches so that employees work better, help sales sell, interfere with engineers’ engineering :-), etc), but always regarded them as people regarded “party commissars” back in the Soviet Union days: as folks who give rosy speeches hardly anybody believes in and who show charts with upward trending curves (e.g. “Bullshit volume per employee per quarter is UP 34.6%!!!” :-)) To better understand this point read the famous book “Why Business People Speak Like Idiots: A Bullfighter's Guide” :-)

So, my dear readers, imagine how amazed I was to find myself being truly inspired by my CEO, for the first time in my working life! Philippe’s “no-B.S.” approach definitely works for me. I listened to his speech at a company meeting last week and – I am serious! – that was the most interesting, visionary AND inspiring speech that I’ve heard in a long time. It was clear what we’ve been doing, what worked, what didn’t and what we need to be doing and why it will work.

I already learned more than a few things from him just by listening to him speak or conduct a meeting (or by watching him beat up a job candidate…). For example, one CAN be “positive, but not marketing-ish,” even if situation is difficult. If one has an issue, one has to face it with no sugarcoating rather than ’play’ positive and pretend the issue is not there. One can have BOTH a driving vision AND be attentive to customers. One CAN release something when it is ready, not a year before :-) Etc, etc.

Finally, while some choose to lay people off, we at Qualys ARE HIRING! Come join us and help build the SaaS security platform that actually works! Specifically, we are looking for TAMs (kind like an SE, but better :-)), PMs and a lot of engineers.

Change!!!

Thu, 09 Oct 2008 13:17:00 +0000

No, this is not about a certain populist US politician :-) It is about a much graver subject indeed.

As of today, the only Chief Logging Evangelist in the world is no more. I have resigned from my position at LogLogic, effective October 9, 2008, which is today. Please don't contact me at the company email; use my personal email instead. My LinkedIn profile has been updated accordingly.

If you are curious, I still love logs. I really do. Logs are cute :-) You should love them too. And, it goes without saying, I will always remember that title, Chief Logging Evangelist, that I have created for myself. People did say that "Anton wakes up and thinks 'what else he can do today to make the world love logs?'" - it was pretty much like this. In fact, I think world does love logs a tiny bit more now and thus my mission of a logging evangelist has not been in vain.

I will be offline for the entire next week ("OMG, no blogging?" - "Nope, no blogging!") and you, my dear reader, will have to wait until October 20th to hear the news about ...

... where Anton is NOW!!!???

Yes, where is he? :-)

Talk to ya October 20th! The end always brings the new beginning ...

P.S. Please don't tell me that I have a penchant for dramatic. I know :-)

Technorati Tags: chuvakin

John Zanni Delivers Keynote at the Tier1 Hosting Transformation Summit

Thu, 25 Sep 2008 12:00:27 +0000

As General Manager of Worldwide Hosting, John Zanni is a key guy for every Managed Service Provider delivering Microsoft based solutions. At this year’s Hosting Transformation Summit, John gave a keynote titled: “Leadership Perspective: Cloud Computing – is Virtualization Enough?”

John talked about Microsoft’s mission, his perspectives on key industry trends and market opportunity; he touched on Cloud Computing and Virtualization and took some Q&A from the audience of Managed Service Provider executives.

One of his first proclamations - Microsoft has really embraced the heterogeneous environment. Really? How in the world is Microsoft going to help convince IT line managers, or mid level managers to believe this statement? I think they have a long way to go to achieve this vision with any credibility in the marketplace. I do know that they are making small strides.

Microsoft has been widely credited with some very good blogs that are self critical and introspective. They have also been quite active in the standards boards within DMTF and many others such as Open WSMAN and CIMON (Open Pegasus). Microsoft in February published 30,000 pages detailed technical specifications – protocol documentation for Exchange, since that time they have published another 15,000 pages. They have had over 224,000 downloads since February 21, 2008. Thus they are trying to be more open by making some of these secret sauce protocol resources directly available on the web.

So for now, I will take a very cautious wait and see approach to this proclamation. Time will tell.

Trends

Rapid growth continues
Hosting Competition has a new face
- Platform gorillas (amazooglesoft)
- Ad supported Web 2.0 hosters (Google, Facebook,)
Utility Cloud Computing models are expanding to non-traditional hosting companies
- Wells Fargo vSafe - hard to believe that a big bank would start to offer a SaaS offering
- New tools and markets digital ribbon, CohesiveIT

IDC Data shows that growth of SaaS ISV’s is the biggest layer of growth. The fastest growing services are complex, custom applications. IDC says this area will be bigger than the hosting area in the next 5 years. John said that Microsoft is spending a lot of time, money and energy on this right now.

John said:

“when Microsoft thinks about the building blocks that make-up the cloud, virtualization is a core piece of the puzzle. However you also need also identity services, Operating system with standard set of libraries to tap into… or remote storage that application developers will tap into.. Developers will consume these set of services, but you will also need a set of tools to manage your physical, virtual and geographically distributed datacenter infrastructure.” (that is where ScienceLogic comes in!!)

He went on to say,

“In some ways, virtualization enables decentralization – allows you to move from data centers, enables fast scaling out, business to move from on premise to the cloud and off again…. Automation is very important – this will help you scale your business – this is core to your future success.”

He talked about a new breed of knowledge worker: He called them Digital Natives (compared to grey haired guys like me who are left out of this category).

Definition of a Digital natives? A young adult who has grown up with cellphone, web based applications, Facebook account, as their primary mode of communications.

John commented that we are 5 years into a 10 year journey. Only 12% of all servers in the world are virtualized today… in the next 4 years it will double to 25%. This is the time to think through how this business will affect you.

‘Virtualization without good management is more dangerous than not using virtualization in the first place.” Thomas Bittman, Analyst Gartner

Patching and provisioning nightmare – no scalable administration – sprawl chaos.

John posed a question to the audience: How do you partner to provide the ISV support in application development with specific market needs… partner by keeping the hosting to SaaS solution providers up and running and provide the quality of service that their customers expect…. Complimentary services of storage and backup is a big win with a huge market-upside over the next 5 years..

John said that Microsoft continues to make huge investments with Managed Service Providers.

Investing in the windows hosting platform
Hyper V and SQL2008 GoLive program - getting beta code out to service provides to find as many bugs as early as possible.
Software + Services (S+S) incubation center program
Partnering for cloud platform market offers
Cloud platform guidance and best practices

During the Q&A, David Burns from Cincinnati Bell asked the very best question… “when are you going to make it easier for the Service Provider market to deal with the Microsoft Service Provider Licensing Agreement (SPLA) quarterly statistics pull and change the SPLA pricing to be more efficient and creative for the new Virtualization and Cloud offerings you have talked about?”

John’s response: “We hear your frustrations loud and clear and are working on some new ideas for the future version of SPLA.” My interpretation – “Dear Service Providers don’t expect anything new or easier to deal with in the next 6 months!”

His closing remarks: “Cloud is evolving = very early stages, lots of hype, but think of how this evolution will effect your business and how you can plug into it.”

Lamphun Botanical Garden and Terracotta Arts

Mon, 22 Sep 2008 01:25:17 +0000

My dear friends in Lamphun, Thailand have been building a botanical garden. Enjoying life, I have working on various projects with my friends and have just made this YouTube video on their 150 rai (60.7 acres) of land in Lamphun. The project, under development, features trees, flowers, plants and herbs from all over Thailand in a setting of traditional Khmer motifs cast in Lamphun terracotta.

Now you know why I have not been travelling the world, speaking in conferences this year. Event processing is great fun, but there is more to life than processing complex events!

Zango And The Batman Online Videogame

Wed, 03 Sep 2008 07:00:00 +0000

This is Newsarama, a site (mostly) geared around comics and other related media:

Click to Enlarge

You'll notice Batman, over on the right there. Let's take a closer look:

"Free Online Batman Game"? Well, that's curious because I follow comics pretty closely and I'd be the first to know if an "Online Batman Game" had been in the works (this advert has been doing the rounds on numerous comic-related websites. Visit the URL in the ad - Batmangame.info - and you'll see this...

Click to Enlarge

There it is again - "Online Batman Game". Furthermore, the text goes on to say:

"Batman Online lets you do anything and every little thing you'd like in a Batman game. From leveling up your character to destroying villans, it has it all. Download and play this amazing game now, all for free! I'm sure you'll be playing for hours on end, it's that much fun.

    Level Up Your Character

   Explore a Huge Vast World

   Play Online With Your Friends

   Hundreds of Quests To Finish

   Perfect Battle System

So start your Batman adventure today! Download the full game below and fight them all!"

Note that they specifically call it "Batman Online". It specifically sounds like a text blurb you'd expect to see with a MMORPG. However, something isn't quite right here.

1) The only DC licensed MMORPG anybody knows of is this, and it isn't due out until 2009. It's not Batman-centric, either.

2) The screenshots are lifted from the Batman Begins videogame, which came out in 2005. If you were offering a "Batman Online Game", wouldn't you use screenshots from that instead of an unrelated title?

3) Absolutely no licensing, copyright or legal mumbo-jumbo on the page anywhere. DC and Warner Bros don't roll like that.

4) The website - Batmangame(dot)info - is registered anonymously. Not exactly something you see everyday for websites related to licensed DC franchises such as Batman videogames.

5) "To download and play the Batman Online Game you must download and install Zango as well. It is free, very easy to install and will give you access to the full game."

Shall we continue?

Click to Enlarge

A Zango installer prompt, complete with picture of Batman at the top. If you say "No" to the install, you end up on Google.com. What happens if you click "Start"? Well, you'll get the usual collection of Zango installer screens including one that rather humorously has a guy in a superhero costume.

Once everything is installed, you're taken to another page and from here things just get plain confusing. Remember, up to this point you've been promised an "Online Batman Game", the description of which is clearly intended to evoke images of a MMORPG. However....

Click to Enlarge

All of a sudden, you're being told you're downloading "Batman: Vengeance" on a cheap-looking splash page and shown what looks like an unofficially ripped Batman: Vengeance trailer on Youtube.

In case you're unaware, Batman: Vengeance is a videogame first launched way back in 2001 for consoles (followed shortly after by a PC version). What does this have to do with an "Online Batman Game"? Well, nothing, actually. Aside from the fact you were presented with one thing and are now handed another, things get even stranger when you see the download location:

Click to Enlarge

Have you ever heard of an officially licensed game being offered via Rapidshare downloads? It's possible, I guess, but it seems a little odd. However, the real oddness is reserved for the "Online Batman game" itself.

Remember, we've been promised "Hundreds of quests", "A huge vast world", the ability to "level up your character" and (of course) the "play online with your friends" promise of greatness.

Click to Enlarge

Imagine your dismay, then, when you've installed Zango, downloaded the game from Rapidshare using up around 140MB of bandwidth, installed it and....

Oh dear.

Not only are you given a totally different game than what was advertised, you're given a DEMO VERSION of that game with four short sample levels present, no online functionality and quite a few less quests than the "hundreds" advertised.

Hilariously, you can download a 100% legit copy of this demo here at Fileplanet, sans Adware. Setting aside the issue of whether this file is actually sitting on Rapidshare with either Ubisoft or DC / Warner Bros permission (and if it IS okay to be there, I'm pretty sure it's NOT okay to falsely advertise it as some kind of MMORPG) there are some questions that need to be raised here.

When this guy approached them with his website, did nobody stop to think that this game did not actually match up with the "Online Batman" game it was touted as? Didn't someone at Zango Quality Control actually download the game and see the big "This is a demo" wording as soon as it starts up? Or question why the screenshots on the website don't look like the graphics for Batman: Vengeance in the slightest?

However you look at it, this is a scam, pure and simple. Whoever came up with the idea of an "Online Batman Game" is lying through their teeth. Of course, because their website is registered anonymously we have no idea who the culprit is, unless of course Zango want to deposit them on the steps of Gotham City and let me dispense some Batman-style justice to their posterior.

However, based on the way these things tend to go - God forbid anyone ever offer up the identity of someone happily scamming the public at large, even when that person is dragging the name of the company associated with them through the mud by their antics - I think I might be waiting some time for the Bat Signal...

Myspace Cracker Steals Firefox Passwords

Tue, 26 Aug 2008 14:49:03 +0000

A "Myspace Cracking tool" has recently come to light, though if you're considering attempting to crack some Myspace accounts with this:

....then you might want to think again, on account of it not being quite what it seems. This "cracking tool" is only after one persons details: yours. Run it, and you'll see the following (somewhat bizarre) message, which should be your first clue that all is not quite right here:

At this point, your CD tray may well pop open - perhaps in tribute to the Trojans of old that did pretty much the same thing. At any rate, you're certainly not cracking any Myspace accounts, and after a faint grinding from your PC you're left to sit and stare at your desktop, wondering what went wrong. Here's a clue - have a poke around inside the EXE, and some lines of code will likely start to give the game away:

..."Firefox password grabber"? Oh dear.

The observant end-user will notice a .txt file appears on their C Drive, and itcontains all the stored passwords saved via Firefox on their computer:

Click to Enlarge

As you can see, the bad guys here seem to be exploiting a well known password recovery tool for nefarious purposes - in this case, Firepassword. You're probably wondering what happens with the stored login details at this point - well, do some more digging in the code and you'll see this:

Click to Enlarge

The stolen Firefox passwords are sent to an FTP drop set up by the hacker, and every login you had stored in Firefox at that point is immediately at risk. Of course, if you're foolish enough to play around with hacking tools then there's a good chance you're going to get burned sooner or later...

We detect this as FoxPass.

Strange Digg.com Spamming

Wed, 06 Aug 2008 03:51:10 +0000

I saw this in the security section earlier today:

Click to Enlarge

Each one links to a page on a website called Tubeteases(dot)com, and each page streams a Youtube video - usually females bouncing around in various states of undress.

Click to Enlarge

Usually with spam like this, there's a financial incentive - however, I'm having a hard time working out what the motive is here. There are no clickable ads to make money from on the site - it's just page after page of miniaturised Youtube clips.

Click to Enlarge

No popups, no flashing banners, no mousetraps.....nothing.

I thought I'd worked it out when I scrolled down the page and saw a large advert for a webcam site. Aha! Obviously the gimmick is luring you to the above video site then get you to pay up for webcam access, right?

Well, not exactly...

Click to Enlarge

...."Free"? Oh dear, this isn't going well. They don't even have the advert for the webcam site at the top of the page, it's stuffed down at the bottom somewhere so I can't even claim "in-your-face" advertising.

At the very bottom, I saw a set of weblinks to other sites - surely this is the gimmick then? Entice potential webmasters to pay up for links placed on-site? Well, as it turns out, no. Clicking the "free slots available" link simply takes you to a page offering a free link placement script.

Normally spam = profit. Here though, I can't see that this follows the usual pattern. Perhaps someone woke up feeling philanthropic and randomly decided the best course of action for Digg.com users was watching hundreds of postage-stamp sized clips of semi-naked females.

We can tell them off for spamming Digg though, so we've got them there...

Congress Finally Suggests New Rules for that New-Fangled Internet

Mon, 28 Jul 2008 11:25:56 +0000

Congress, the bastion of democracy and founders of new legislation for our dear country, apparently have hopelessly outdated rules about how its members use the Internet — they aren’t allowed to post content on any site besides house.gov — meaning no flickr, youtube or other social networking. It also means many members are already violating the rules, posting to youtube, tweeting from the House floor and so forth.

New rules are being proposed, but there’s some debate over them because they would still be restrictive–from Ars Technica:

The new rules, proposed in a letter by Rep. Michael E. Capuano (D-MA), would allow members to use third-party sites so long as official content is not “posted on a website or page where it may appear with commercial or political information.”

This would be difficult since most third-party sites like YouTube display automatically generated advertisements and related user content next to featured video.

Maybe she should switch to unich? Get it?

Tue, 22 Jul 2008 09:19:48 +0000

Found this in one of the groups I belong to at Eons.
Go ahead, forward it to the lil wife.

clipped from www.eons.com

Dear Tech Support,

Last year I upgraded from Boyfriend 5.0 to Husband 1.0 and noticed a distinct slowing down in overall system performance, particularly in the Flower and Jewelry applications, which operated flawlessly under Boyfriend 5.0. In addition, Husband 1.0 uninstalled many other valuable programs, such as Romance 9.5 and Personal Attention 6.5, and then installed undesirable programs such as NBA 5.0, NASCAR 3.0 and Golf 4.1.