[SecurityRatty] tag: forbes

VC and IPO Outlook

Fri, 07 Nov 2008 06:07:37 +0000

Forbes interviews venture capitalist Charlie Harris. He is the Chairman of Harris and Harris (NASDAQ:TINY) a venture capital fund which is focused on funding nanotech companies. He is bullish looking forward from today for a couple of reasons

1. We have an eight year back log of good companies and ideas due to a poor IPO environment, we have had an eight year drought in IPOs but still lots of good ideas out there.

2. Clean tech theme has a lot of room left to grow

3. The recent financial crisis has revealed and removed a lot of risks

4. The best businesses are started in times of economic distress. Dislocation equals opportunity. Companies that start during financial distress have tremendous discipline to survive.

Somewhat surprisingly for a person with 100% of his fund invested in nanotech, he does not see nanotech as the leader of a next IPO bookm. He seems to see nanotech as an enabling technology (my words not his) so you will see nanotech enabling clean fuel, cancer drugs and so on, and these individual spaces could boom, but not an "all things nanotech" type boom.

Alright Dell! Youre winning me back!

Wed, 30 Jul 2008 19:38:04 +0000

Im starting to think maybe we can still have something together here.

clipped from www.forbes.com

Dell spent $770,000 to lobby in second quarter

In addition, the company lobbied on data security legislation as well as proposals to crack down on spyware and phishing scams. Spyware are computer programs that can surreptitiously access hard drives to track online behavior and steal sensitive personal data, while phishing scams use fake e-mails and fraudulent Web sites to trick consumers into releasing credit card numbers and other personal information.

Links List 7.25.08

Fri, 25 Jul 2008 08:28:47 +0000

The Wall Street Journal reports that the military is taking “Tech Lessons”. It seems that over the last few years, the DISA CIO has been visiting different tech companies to learn about cutting-edge technologies that might be able to help soldiers in the battlefield. CIO Garing identified social networks and mashups as great technologies for smaller projects with potentially more immediate impact than the traditional years-long IT projects of the past. He should check out NAPA and the Collaboration Project [link to Dan Munz Q&A] which highlights just how government agencies and orgs are already doing what he’s talking about.

Just what I was waiting for, open source takes on cloud computing.

We had a very interesting call this week with analyst firm, The 451 Group, about the cloud and who is really doing what in this space now. Trying to separate the hype from reality, just like everyone else.

After a disappointing (to analysts and the street) financial analyst call on Tuesday, VMware’s stock reached an all time low, almost back to the IPO stage. In a follow-up interview, Forbes asked the new CEO what he thinks about the stock price, the analysts saying VMware doesn’t have a solid or innovative growth plan for the future, and whether VMware should be part of EMC or not (their backhand way of bringing up the whole Diane Greene thing…he didn’t fall for it).

Wait for it…wait for it…we have been waiting for it. VMware announced plans to launch a free version of its ESXI hypervisor starting July 28. I have to question the timing on this one. Why didn’t they do this before Hyper-v came out and try to at least undercut the Microsoft announcement? VMware is and should be the leader in this space but they act like they’re playing from behind. And to Wall Street, perception counts for a lot.

Surprisingly, there hasn’t been a lot of coverage after the June 2008 OMB mandate on IPv6 readiness. But one interesting follow-up, a feature is set to be added to IPv6 which the upgrade was supposed to eliminate. One of the design goals for IPv6 was that it would rid the Internet of network address translation (NAT), gateways that match increasingly scarce public IPv4 addresses with private IPv4 addresses used inside corporations, government agencies and other organizations. NAT adds complexity and cost, but due to the length of time it’s taken to migrate from IPv4 to IPv6, engineers may create special NAT devices to translate between IPv4-only and IPv6-only hosts and hopefully nudge along the transition to IPv6. IEEE is all set to meet on this topic later this month.

ShareThis

"Metro" employee information mistakenly posted to Web

Tue, 15 Jul 2008 06:39:14 +0000

Technorati Tag: Security Breach

Date Reported:
7/14/08

Organization:
Washington Metropolitan Area Transit Authority ("Metro")

Contractor/Consultant/Branch:
None

Victims:
"past and present employees"

Number Affected:
4,675

Types of Data:
Names and Social Security numbers

Breach Description:
"Metro has advised nearly 4,700 past and present employees that their social security numbers were published accidentally on the transit agency’s Web site last month."

Reference URL:
Metro Press Release
Associated Press via Forbes.com
NBC Channel 4 News
The Washington Post

Report Credit:
Washington Metropolitan Area Transit Authority

Response:
From the online sources cited above:

Metro has advised nearly 4,700 past and present employees that their social security numbers were published accidentally on the transit agency’s Web site last month.

The information was posted between June 9 and 25 as part of a solicitation from Metro to companies interested in providing worker’s compensation and risk management services.
[Evan] Rather than post this information to a public web site, why wasn't a more secure method of tranmission used such as VPN or secure FTP?

The document mistakenly included the social security numbers of 4,675 employees.
[Evan] According to Metro spokeswoman Candace Smith the sensitive information was supposed to be redacted. I wonder how well this mandate was communicated to the employee(s) responsible for compiling and posting the information.

A smaller group of employees had their names and social security numbers posted in the lengthy document. Metro officials continue to analyze the information for any other data breaches.

Three Metro employees have been disciplined

The three disciplined employees, including a manager, have been suspended for up to a month without pay, officials said.
[Evan] This implies that the employees responsible for the mistake should have known better. We can probably assume that they were informed of the proper procedure, but did not follow it.

Letters warning of the breach were sent out to the affected employees.

The letter urges employees to watch their credit reports for signs of identity theft.

Last week, the agency set up a separate Web site where employees can determine whether their numbers were among those posted.

The agency is offering the 4,700 employees one year of free credit report monitoring, $25,000 in identity theft insurance and counseling services.

"We deeply regret this incident, and believe the likelihood of misuse of the information is low," said Metro Chief Safety Officer Ronald Keele.

"However, we have taken additional steps to protect employee information by bolstering Internet security and requiring more checks and balances of materials before they are being released publicly."
[Evan] Checks and balances are typically lacking in these types of breaches, so I think it’s a good sign that Metro is addressing these.

Metro officials say they are not alone in this type of data breach.
[Evan] So what?

According to the Identity Theft Resource Center, data breaches at businesses, governments and universities were up 69 percent in the first half of 2008 compared with a similar period in 2007.

Commentary:
The end result of this oversight is three disciplined employees (with no pay for a month) and nearly 4,700 people with an increased risk of identity theft. Forethought is there for a reason, whether or not you use it is your choice.

Past Breaches:
Unknown

Blue Box #79: Asterisk vulnerabilities, VoiceCon/VON coverage, eavesdropping, FBI, ZFone, P2P, VoIP security news and more

Mon, 09 Jun 2008 12:30:57 +0000

Synopsis: Blue Box #79: Asterisk vulnerabilities, VoiceCon/VON coverage, eavesdropping, FBI, ZFone, P2P, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #78, a 32-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 15MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on March 27, 2008. Yes, that was over two months ago... we know...

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!

MANY thanks for all the offers of audio production assistance

Dan met with Craig Bowser down at VoiceCon, also David Endler, Mark Collier, etc.

Jonathan met with Dean Elwood, Martyn Davies, etc.

Four Asterisk vulnerabilities

The Economist: Bugging The Cloud

Forbes: How to Make Your Phone Untappable

VoIP News: VoIP: Who Might Be Spying on Your Communications? (Hint – It’s Not Just the NSA

VoIP News: Listen Up: 17 Signs That You Are Being Wiretapped

eChannelLine: Businesses lagging in securing VoIP (also ComputerWeekly.com and news release )

eChannelLine: Ingate launches enhanced security for VoIP and SIP (also Enterprise VoIPPlanet )

Voice of VOIPSA: Hacking Zyxel Gateways

Voice of VOIPSA: Vishing Attacks

Voice of VOIPSA: FBI VoIP Surveillance Requirements Leaked (also in FierceVoIP and Slashdot )

Voice of VOIPSA: Hackers Send Thousands of Fake Calls to Deaf People

SnapVoIP: Unified Communications in Virtual Worlds to Solve ‘Tower of Babel’ for Intelligence Agencies

Israeli-made Cryptophone attracts world spy agencies pointing to product site

BlogInfoSec.com: Save The Whales (about a new form of phishing)

Network Computing: Your Data and the P2P Peril

NetQoS: VoIP Monitor 1.1 released

PC World: FaceTime Security Product Scans Skype’s Encrypted IM and news release

Sipera IPCS Solution for Teleworkers Rated ‘Avaya Compliant’

Extreme Networks Boosts Security for Converged Voice and Data Networks with New Tools

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

32:27 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Blue Box #79: Asterisk vulnerabilities, VoiceCon/VON coverage, eavesdropping, FBI, ZFone, P2P, VoIP security news and more

Mon, 09 Jun 2008 11:30:58 +0000

Synopsis: Blue Box #79: Asterisk vulnerabilities, VoiceCon/VON coverage, eavesdropping, FBI, ZFone, P2P, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #78, a 32-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 15MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on March 27, 2008. Yes, that was over two months ago... we know...

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!

MANY thanks for all the offers of audio production assistance

Dan met with Craig Bowser down at VoiceCon, also David Endler, Mark Collier, etc.

Jonathan met with Dean Elwood, Martyn Davies, etc.

Four Asterisk vulnerabilities

The Economist: Bugging The Cloud

Forbes: How to Make Your Phone Untappable

VoIP News: VoIP: Who Might Be Spying on Your Communications? (Hint – It’s Not Just the NSA

VoIP News: Listen Up: 17 Signs That You Are Being Wiretapped

eChannelLine: Businesses lagging in securing VoIP (also ComputerWeekly.com and news release )

eChannelLine: Ingate launches enhanced security for VoIP and SIP (also Enterprise VoIPPlanet )

Voice of VOIPSA: Hacking Zyxel Gateways

Voice of VOIPSA: Vishing Attacks

Voice of VOIPSA: FBI VoIP Surveillance Requirements Leaked (also in FierceVoIP and Slashdot )

Voice of VOIPSA: Hackers Send Thousands of Fake Calls to Deaf People

SnapVoIP: Unified Communications in Virtual Worlds to Solve ‘Tower of Babel’ for Intelligence Agencies

Israeli-made Cryptophone attracts world spy agencies pointing to product site

BlogInfoSec.com: Save The Whales (about a new form of phishing)

Network Computing: Your Data and the P2P Peril

NetQoS: VoIP Monitor 1.1 released

PC World: FaceTime Security Product Scans Skype’s Encrypted IM and news release

Sipera IPCS Solution for Teleworkers Rated ‘Avaya Compliant’

Extreme Networks Boosts Security for Converged Voice and Data Networks with New Tools

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

32:27 - End of show

Thank you for listening and please do let us know what you think of the show.

Whats with all of the new ads? Forbes, business and finance blog network

Mon, 05 May 2008 20:23:46 +0000

For those who read my blog via feed reader and not on the web site itself, you may not have noticed the new ads and member badge from the Forbes Business and Finance Blog Network. I received an invitation to join an elite list of 400 blogs handpicked by Forbes. They will syndicate content and sell advertising for the site. There are some other cool benefits that go along with the membership. I was very proud to be selected for this, but frankly was worried about too many ads. If you get a chance, check out the site and have a look. I know it means I am going commercial, but am hoping it will lead to a broader audience.

Links for 2008-04-23 [del.icio.us]

Wed, 23 Apr 2008 20:00:00 +0000

UBS Explains Risk Management Gone Wrong

Wed, 23 Apr 2008 12:49:32 +0000

Big news in risk management this week as UBS released a report to shareholders describing the situation that has led to roughly $37 billion in write-downs so far related to the company's subprime exposures (see articles in Reuters , Forbes , the Wall Street Journal , and BusinessWeek).

Overarching causes described in the report are not surprising; control failures, an overly aggressive focus on short-term growth, and excessive risk taking are among the high level issues addressed. Also in the report, however, are scores of more detailed explanations of control failures in more than 20 different categories. Specific problems on the list include:

• Gaps in risk management expertise
• Failure to respond to wider industry concerns
• Lack of comprehensive Subprime risk assessment
• Complex and incomplete risk reporting
• Inadequate systems (related to infrastructure investment)
• Lack of strategic coordination
• Asymmetric risk/reward compensation

The list goes on, providing a substantial study guide for risk managers and auditors on problems to avoid. And because of the unfortunately massive losses due to these failures, the report also offers a bit of cost justification support for your new, broad risk management initiatives.

Customers of 14 Advance Auto Parts stores are victims of intrusion

Mon, 31 Mar 2008 17:45:18 +0000

Technorati Tag: Security Breach

Date Reported:
3/31/08

Organization:
Advance Auto Parts, Inc.*

*Headquartered in Roanoke, Va., Advance Auto Parts is the second-largest retailer of automotive aftermarket parts, accessories, batteries, and maintenance items in the United States, based on store count and sales. As of December 29, 2007, the Company operated 3,261 stores in 40 states, Puerto Rico, and the Virgin Islands. The Company serves both the do-it-yourself and professional installer markets.

Contractor/Consultant/Branch:
None

Victims:
Customers that made purchases and one of 14 retail stores

Number Affected:
56,000

Types of Data:
"financial information" including "credit card, debit card and checking account information"

Breach Description:
"Advance Auto Parts Inc. (AAP) said data from 14 of its stores may have been affected by a network intrusion, potentially compromising financial information of up to 56,000 customers."

Reference URL:
Advance Auto Parts News Release
CNNMoney
Reuters via Forbes.com
eWeek.com

Report Credit:
Advance Auto Parts, Inc.

Response:
From the online sources cited above:

ROANOKE, Va.--(BUSINESS WIRE)--March 31, 2008--Advance Auto Parts, Inc. (NYSE:AAP), a leading automotive aftermarket retailer of parts, accessories and maintenance items, released information today regarding the Company becoming the victim of a network intrusion.
[Evan] I don't think of the company as a "victim". I think of the people and possibly the banks that may have to reissue cards and reimburse the people as victims.

The investigation by Advance Auto Parts revealed that data from 14 of its stores may have been impacted, potentially compromising customer financial information of up to 56,000 customers.

The following 14 Advance Auto Parts stores were affected by this network intrusion:

Affected Store Address             City              State
----------------------------------------------------------------------
2920 Martin Luther King Jr. Drive Atlanta           Georgia
----------------------------------------------------------------------
6100 Old National Highway          College Park      Georgia
----------------------------------------------------------------------
1354 Harrisburg Pike               Columbus          Ohio
----------------------------------------------------------------------
950 E Boston Street                Covington         Louisiana
----------------------------------------------------------------------
2055 South Locust St.              Canal Fulton      Ohio
----------------------------------------------------------------------
422 US Highway 80 W                Garden City       Georgia
----------------------------------------------------------------------
2414 Belle Chase Highway           Gretna            Louisiana
----------------------------------------------------------------------
1370 Ashland Road                  Mansfield         Ohio
----------------------------------------------------------------------
6645 E. Shelby Dr.                 Memphis           Tennessee
----------------------------------------------------------------------
179 Sgt Prentiss Drive             Natchez           Mississippi
----------------------------------------------------------------------
5185 Jimmy Carter Blvd.            Norcross          Georgia
----------------------------------------------------------------------
936 N. Gospel St.                  Paoli             Indiana
----------------------------------------------------------------------
6300 W. Broad St.                  Richmond          Virginia
----------------------------------------------------------------------
1802 Teall Ave.                    Syracuse          New York
----------------------------------------------------------------------
[Evan] I don't recognize any pattern in the store locations. I wonder if there is a pattern elsewhere. Why these stores, or is this just all that is known at this point?

Advance has notified its credit, debit and check processors.

As a precautionary measure, the Company has also started sending letters directly to the impacted customers whom it has been able to identify. Customers who purchased products in the 14 stores and who do not receive a letter can call the toll-free number listed below to determine if they have been impacted.

Advance is also working with the appropriate law enforcement officials who are conducting a criminal investigation.

The Company believes that the incident has been contained. However, the Company is continuing to investigate and has partnered with a leading global third party security expert to assist in the investigation.

In addition, Advance continually partners with leading experts to enhance the security of information technology systems.
[Evan] Like who? What makes a person a leading expert?

"Safeguarding our customers' confidential financial information is extremely important to Advance Auto Parts, and we take this responsibility very seriously," said Darren Jackson, President and Chief Executive Officer.
[Evan] I respect the fact that the CEO of the company addresses the public regarding this breach. It demonstrates that Mr. Jackson understands his role and ultimate responsibility for information security.

Advance has also established a special toll-free number with dedicated resources for potentially impacted customers who made purchases in the 14 stores to call to ask questions. The special toll-free number is 1-800-704-1154. Customer service representatives will be available to answer questions seven days a week from 8 am until 12 midnight EDT through May 31, 2008.

Advance is offering the affected customers a credit monitoring product from a national credit reporting agency at no cost for one year.

"We sincerely apologize for any inconvenience this attack on our network may cause. Advance Auto Parts has been dedicated for the past 75 years to earning customer trust and for providing Legendary Customer Service. We strive to serve each and every customer better than anyone else," said Jackson. "We truly appreciate the business of each Advance Auto Parts customer."

Commentary:
There are many many details missing from this news release. I expect more details to follow as people continue to ask questions and demand answers. A "network intrusion" is very general and implies an outsider attack. Why these 14 stores?

Stay tuned...

Past Breaches:
Unknown