[SecurityRatty] tag: magic

On The History of Event Processing: Global Network Monitoring

Sat, 30 Aug 2008 06:17:59 +0000

In A Short History of Complex Event Processing. Part 1: Beginnings, David Luckham opens his history discussion by saying;

“Event processing has been going on for more than fifty years.”

However, in On Event Processing as a Discipline and Some Subsets another colleague mistakenly blogs,

“… people who dealt in this area [network management and event correlation] have never investigated event processing in the larger sense (e.g. looking at additional patterns), and this area has also not spawned the event processing discipline.”

If you examine just one page from the CEP history at Stanford, researchers there outlined their view of the future applications for CEP, as follows:

Instant Insight - hierarchical event viewing applied to the Enterprise IT layer.
- Analysing business processes
Network Level Monitoring and Management
Cyber Security: Network Intrusion Detection
Enterprise Monitoring and Management
Modeling and Simulation of Collaborative Business Processes
Business Policy Monitoring
Analysis and Debugging of Distributed Systems

These applications areas mentioned by Stanford researchers, including Professor Luckham, support and validate our recent discussion Magic Quadrant for IT Event Correlation and Analysis, 2007 where we concluded that “event correlation and event analysis is Gartner’s closest magic quadrant (MQ) [...] relates directly to complex event processing (and event processing in general).”

If you take a detailed look at the 1999 CEP presentation, Defeating Large Scale Attacks: Technology and Strategies for Global Network Monitoring you will readily see that our colleagues are incorrect when they says that event correlational and network management folks have never investigated event processing in the “larger sense”. For example, the 1999 slides above, Stanford, slide 6, is titled “Complex Event Processing,” defining CEP from the application perspective of event correlation;

Complex Event Processing

Accept network ‘events’ from any source
- CISCO NetFlow FlowCollector, tcpdump
Correlates events based on content and temporal relationship between events
Event Processing Agents (EPAs) connected in an Event Processing Network (EPNs)
Both post-mortem and real-time processing

This single event correlational project example from David’s team at Stanford examined the challenging event correlation problems in the context of hierarchical events, maps, patterns, visualization tools, event processing models, patterns languages, network management abstraction layers, and more. Those core event processing problems from this 1999 example, very large and complex then, still exist today and are much more large and complex - precisely why it is called “complex event processing.”

It is quite obvious, in just this one example, that many folks have been looking at event correlation as a motivating application for event processing, in a larger context, for a long time, contrary to what our colleagues write in their “history of event processing” posts.

In a future post I will completely debuke these event processing “history revisionists.” I will illustrate very clearly how the history of event processing goes back at least a decade, and perhaps two (twenty years) before the history outlined in posts like On Research and Practice in Event Processing and The History of Complex Event Processing.

David Luckam stated that the art-and-science of event processing goes back around 50 years.

I am not sure I will go all the way back to 1960 in my next post on the history of event processing. However, I will go back at least to the early days of Internet Protocol (IP) networking and illustrate why distributed IP networking, network management and network security, is one of the key motivating factors for what we now call “event processing” and “complex event processing.”

Magic Quadrant for Application Delivery Controllers

Fri, 29 Aug 2008 09:00:00 +0000

(Source: Citrix) Gartner summarizes its view on Application Delivery Controllers, evaluates strengths and weaknesses of solutions, and provides Magic Quadrant reporting for a quick comparison across all vendors. Learn from Gartner how you can benefit from an all-in-one device like Citrix NetScaler that delivers the highest levels of availability, performance and security.

Magic Quadrant for IT Event Correlation and Analysis, 2007

Tue, 26 Aug 2008 11:04:05 +0000

I often get asked that if the current self-decribed CEP vendors are not doing “real CEP,” in my opinon, who are the vendors in the CEP space?

At the moment, event correlation and event analysis is Gartner’s closest magic quadrant (MQ) that relates directly to complex event processing (and event processing in general).

A number of our friends and colleagues would like to position CEP as BRE, BRMS, BPM, SOA, algo trading and just about every other technology under the sun, except event correlation!

In a nutshell, the state-of-the-state of CEP/EP is that a number of firms in the software industry have found some “uncharted magic quadrant waters” and are positioning themselves to be “chart worthy”. Instead of competing head on with the experienced players (event correlation and analysis) that have been in the event processing field for many years.

As I have mentioned a few times here on The CEP Blog, if the current generation self-described CEP engines were leading the industry in event correlation and analysis (CEP’s core technology domain) they would be either be on Gartner’s Magic Quadrant for IT Event Correlation and Analysis, or possibly acquired by a one of these large giants in event processing to solve complex event processing and event correlation problems that remain, for the most part, still unsolved!

UPDATES GALORE! or, THE PRONOUN WE MEANS YOU AND ME!

Wed, 13 Aug 2008 11:24:17 +0000

So much traveling, so little blogging. Sorry everyone. I’ve gotta say first that I really enjoyed meeting readers and friends of the blog this past two weeks.

Today, allow me to update you on FAIR and the movement towards a formal, open standard. There’s a couple of cool things going on in our little risk-world.

First, The Open Group Security Forum continues to move towards a formal adoption of FAIR.

WHAT DO YOU MEAN “WE” - YOU GOT A STANDARDS BODY IN YOUR POCKET OR SOMETHING?

Our meeting in Chicago a few weeks ago was great, but also slightly disturbing for me. I got pronoun-confusion syndrome. I’m used to using the “we” pronoun to refer to RMI, or Jack and myself as we vet the models. So without even thinking I would said “we have been looking at how loss occurs, and may want to change the model some” and The Open Group Members freaked out (rightfully so). Adrian Seccombe gently reminded me that the “we” was now the Security Forum, and that “we” didn’t go changing things at will without vetting against each other. Man I love this stuff. I get to run our thoughts and ideas past some great folks now - you know, those smart people who tend to have really complex problems and are trying hard to solve them.

Formal Adoption: Soon, Very Soon Now

Formal Adoption basically means we’ve made this document, everyone is close to saying that they generally like it, and once that finally happens then “bam”, we’re ready to move onward and upward with better things (see Cookbooks, below). We’ve got a couple of changes to the current document that have been requested that aren’t a big deal. For example, one request is that we make some statement about general applicability of FAIR to risk domains outside of the IT realm. But once additions like that and others are done, this long process should be complete.

New Document Moving Towards Public Release:

We’ve got a basic document that should be public in the next few weeks on “What Makes a Good Risk Assessment Methodology” - written by yours truly and Jack. It’s a very high-level document, and serves two purposes:

For novices it helps parse out what is important in any undertaking to understand corporate risk (the repeated discussions on the ISO 27001 mailing list make me think it would be a place ripe for such a document).
For those who “know” risk, it helps to re-establish some fundamental principles like the use of scales (ratio, please), the implications of dealing in probabilities, what attributes like consistency and defensibility mean, how “risk” should be reported to the business (something you know, meaningful) and so on.

When this doc is deemed ready for public consumption I’ll be sure to post on this blog here.

COOKBOOKS, EUROPEAN AGENCIES, AND, IRON CHEF “RISK” - WHOSE CUISINE WILL REIGN SUPREME?

One interesting thing that came up in the Chicago meeting was that ENISA (The European Network and Information Security Agency) developed a very nice document that reviewed something like 18 different risk assessment methodologies against their Criteria for Goodness. FAIR was one of the ones they reviewed, and we (the royal “we” used there to include all us FAIR-Folk) did awfully well. Things of interest:

They based their work on the current introduction paper which is not at all a step-by-step guide towards an organizational risk assessment (what ENISA really wanted) and we did pretty well. Well enough that if we had developed a paper along the lines of NIST 800-30 or OCTAVE for the use of FAIR in a formal process, we could have done really, really well. Like won-the-bake-off kind of well.
FAIR is actually not at all incongruous to many of the risk assessment methodologies offered, and in fact compliments many of them by letting those methodologies develop real, structured probabilities. Think OCTAVE, where they basically say “math is (probabilities are) hard, so if you want to do them for reals, good luck! But here’s a nonsensical way to do things if you want to believe in magic-fairy risk“. FAIR fits right in there by stomping on the magic-fairy risk with the jack-boots of rationality. FAIR similarly helps other risk standards that might lack structured probability development.

So The Open Group Security Forum decided that though we could create a new document and totally p0wn any future ENISA bake-off, there wasn’t much demand for the development of that documentation by the membership - a point which was made quite apparent at the beginning of the discussion when one large European company CISO asked “What’s ENISA?” Relevancy is everything, I suppose.

But that second item up there - the one about helping rather than competing with other “risk assessment methodologies” - really struck a chord. So “we” (The Security Forum) are going to develop some “Cookbooks” that basically are high-level documents that say “If you want to use FAIR with (OCTAVE/COSO/CoBIT/Whatever) here’s how it fits, makes it better, and improves your life. I’m pretty excited about these, and our first document looks like it’s going to be COSO integration.

THE OPEN GROUP SECURITY FORUM - THEY’RE A TRUSTING BUNCH (WITH QUALIFICATION, OF COURSE)

Finally, many people have asked me “Why work with The Open Group?” There are many reasons, to be sure, but I will give you one example. Members of the Security Forum there are not only great at vetting the model and getting consensus on risk and risk factors - but they’re quick to start applying. So in Chicago, I thought I’d be talking about FAIR and the standard and fighting groupthink. Nope. Not at all. In fact, the forum members spent more time suddenly discussing use of FAIR in a new Trust Model they’re developing. So all of the sudden, I’m part of a new and exciting project to develop a Trust Model - how cool is that? While formal adoption of the Trust Model will be necessarily long and deliberate - the collaboration and development is happening much faster than I can keep up with. But if you all will allow me, it will help me get my head around it all by blogging about it later this week. So be prepared to read about me dealing in “Trust” a little bit.

XTM? YAUSA, or Yet Another Useless Security Acronym

Mon, 11 Aug 2008 13:06:29 +0000

Sometimes, two negatives do make a positive. Gartner has avoided using the term UTM (that is, unified threat management) in our research because:

1. You can't (and wouldn't want to) manage threats.
2. UTM originally applied to products for small and midsize businesses (SMBs), but UTM has been recently co-opted by some enterprise security vendors under the guise of fresh marketing.
3. There is little evidence that many of the components in these platforms are integrated, much less "unified." Now, there is some promotion of the new acronym XTM (that is, eXtensible threat management) as a new generation of UTM. We're not referring to any product name, but the attempt to create a new and confusing acronym, and create another artificial market to size and make predictions about.

No matter what you call it, the arc of advancement of network security products for the SMB will continue: New threats will drive the development of new safeguards that will be included as an option in that same appliance. This is not true for the enterprise, where best-of-breed buying of point solutions will continue, with consolidation of products occurring in three places, aligned by buying center and safeguard profile (see "Introducing the Secure Web Gateway").

The next-generation firewall (NGFW) will serve the enterprise and combine firewall and IPS,; however, there will be no UTM for the enterprise (see "Magic Quadrant for Enterprise Network Firewalls, 2H07"). We are already seeing SMB multifunction firewall vendors optimizing performance by assigning separate ASICs, emphasizing that the inspection tasks on content and network processing are very different (see "MarketScope for Multifunction Firewalls for Small and Midsize Businesses"). Even among SMBs, we are seeing little evidence that many are deploying network, content and e-mail processing in the same platform, usually leaving e-mail security to a separate product or service.

Digital Cash in Iraq

Mon, 11 Aug 2008 08:53:52 +0000

Smart cards have still never quite taken off across the US, and at this point its fair to wonder if they will or if they will be eclipsed by phones or some such, but smart cards sure are big outside the US. One of the most interesting applications is of course digital cash and transaction processing. Net1 UEPS (ticker: UEPS) out of South Africa appears to be the leader here having built a $1.2B business out of this model. there are lots of regions in the world where people are underbanked or unbanked altogether and where its dangerous to have too much cash. I blogged about this earlier on Beer, Shotguns and Digital Cash.

Now Net1 UEPS is in Iraq as well:

The first UEPS transaction was performed on Sunday, August 3, 2008, in Baghdad, Iraq, during the official launch of the UEPS smart card technology with the two state banks namely, Rafidain Bank and Rasheed Bank.

The official launch, attended by invitees from Rafidain Bank, Rasheed Bank, the Iraqi Government, War Victim Ministry and Martyrdom Ministry, demonstrated smart card registration, biometric enrolment and issuing of UEPS cards, offline loading of wage payments and government grants to the UEPS cards and dispensing of cash.

The pilot project involving 100,000 beneficiaries is now ready for implementation across selected bank branches and will enable the distribution and payment of government grants to war victims and martyrdom beneficiaries, as well as salary and wage distribution and payment to employees of the two state banks.

Brenda Stewart, Net1 Senior Vice President Sales and Marketing, said, "From the entire team at Net1, we congratulate the Iraqi consortium on this historic achievement and look forward to the successful implementation of the various projects already identified for implementation, as well as the projects currently in business development. Net1 is proud that the development of its core technology, from which it creates end-user products that satisfy the requirements of its customers, can change the way business is conducted leading to the improvement of people's lives. We share the belief of our Iraqi partners that our technology can play a fundamental role in the upliftment of the economy. The success of any technology should be measured, not only by the profits it generates for its inventors, suppliers and users, but also by the difference that it makes to the lives of people," Stewart concluded.

I think there are lessons to be learned here wrt data and message level security. Net1 UEPS is a good example a of system carrying valuable assets across hostile terrain, web security architecture can learn a lot from this model.

P.S. If you are a Joel Greenblatt geek - UEPS is a magic formula stock (meaning they make cash and are priced cheaply) last time I checked.

Click Fraud, Botnets and Parked Domains - All Inclusive

Mon, 28 Jul 2008 03:58:08 +0000

It gets very ugly when someone owns both, the botnet, and the portfolio of parked domains actively participating in PPC (pay per click) advertising programs, where the junk content, or the typosquatted domain names is aiming to attract high value and expensive keywords in order for the scammer to year higher on per click percentage. This is among the very latest tactics applied by those engaging in click fraud. Hypothetically, the cost to rent the botnet and commit click fraud would be cheaper than sharing revenue on per click basis with "human clickers" who earn money based on how many ads they click given a set of scammer's owned sites, where the customer supports represents a DIY proxy switching application changing their IP on the fly.

Click Forensics's recent Q2 2008 report indicates that botnets were responsible for over 25% of all click fraud activity they were monitoring during Q2. Not surprising, given that botnets have long been observed to commit blick fraud, using a common traffic exchange scheme. What's new is the use and abuse of parked domains :

"Despite indication that some of the clicks from parked domains were invalid, Google failed to disclose to the plaintiff specific domain names in which these ads were clicked on, making detection of invalid clicks difficult and even worse concealing any evidence of invalid clicks," the lawsuit alleges. RK West eventually went through its server logs and discovered the source of the clicks, said Alfredo Torrijos, one of the company's attorneys."

Will cybersquat security vendors for improving the chances of attracting high-valued keywords to later on click fraud? The trend has been pretty evident for a while, with cybersquatting increasing on an yearly basis according to multiple sources :

"Rise in pay-per-click advertising where cybersquatters link the domain name they have registered with a website containing ads promoting a variety of competing brands. The cybersquatter receives money every time internet users access this website and click on one of the ads."

However, the "internet users who are supposed to click on one of the ads on the parked domains owned by the scammers" will get clicked by a botnet owned or cost-effectively rented by the scammer. Here's a sample of currently parked domains attracting Symantec ads :

symentec .com
symantek .com
symanteck .com
symantac .com
symantaec .com
symantic .com
symmantec .com
symanntec .com
ssymantec .com
symanthec .com
symanzec .com
symanttec .com
sjmantec .com
saimantec .com
seymantec .com
symanrec .com
symantrc .com
symantwc .com
aymantec .com
dymantec .com
sxmantec .com
symantex .com
symantev .com
symabtec .com
symamtec .com
synantec .com
stmantec .com
symanyec .com
sumantec .com
symant3c .com
syman5ec .com
wwwsymantec .com
symanteccom .com
ymantec .com
syantec .com
symntec .com
symanec .com
symantc .com
symante .com
symattec .com
symantcc .com
syman-tec .com
syymantec .com
symaantec .com
symanteec .com
symantecc .com
ysmantec .com
syamntec .com
symnatec .com
symatnec .com
symanetc .com
symantce .com

As well as recent sample brandjacking Kaspersky :

kespersky .com
kasparsky .com
kaspaersky .com
kaspasky .com
kasperscky .com
gaspersky .com
kasbersky .com
kasppersky .com
kasperrsky .com
kasperssky .com
kasperskj .com
kasperskey .com
kaapersky .com
kasperaky .com
kasperdky .com
laspersky .com
kaspersly .com
kasperskt .com
kaspersku .com
kasp3rsky .com
kaspe4sky .com
kas0ersky .com
wwwkasperskycom .com
wwwkaspersky .com
kasperskycom .com
aspersky .com
kspersky .com
kasersky .com
kaspesky .com
kaspersy .com
kaspersk .com
kappersky .com
kaspessky .com
kas-persky .com
kasp-ersky .com
kasper-sky .com
kasperskyy .com
akspersky .com
ksapersky .com
kapsersky .com
kaseprsky .com
kaspesrky .com
kaspersyk .com
kaspersky24 .com
kasperskyonline .com
kaspersky-online .com

What's most disturbing is that instead of having cybersquatting taken care take of a long time, and scammers emphasizing on the junk content in order to attract the relevant ads on the bogus domains, the still trendy cybersquatting still does the magic by including the targeted word in the domain name itself.

Related posts:
Cybersquatting Security Vendors for Fraudulent Purposes
Cybersquatting Symantec's Norton AntiVirus
The State of Typosquatting - 2007

Top 10 Signs Your Network Admin has Gone Rogue

Fri, 25 Jul 2008 14:00:30 +0000

Terry Childs captivated much of the IT world over the past week and a half with his lock-down of San Francisco’s IT system. Instead of watching a bunch of police chasing a white Bronco, this time the coverage amounted to many many articles, blog posts, comments, and long email chains. It seemed I would read one thing and the very next one would contradict or shed more light on some aspect of the case.

Depending on who you talk to, he is:

a) a hero

b) a disgruntled worker

c) in need of a serious work/life adjustment

d) in need of $5 million and/or a better lawyer

e) all of the above

Surprisingly strong opinions, regardless of what you choose.

We chose to lighten things up a bit and, as we always try to do, figure out how to help our customers be proactive. So here it is, the Top 10 Signs Your Network Admin has Gone Rogue:

10) David Letterman has a Top 10 list called “Top 10 Signs Your Network Admin Has Gone Rogue”

9) Your Admin is the only one with the network device log-ins and refuses to share them with anyone else.

‘8) His presentations about network configuration include the words “Magic” and “Burn after reading”.

7) Instead of email, he forces everyone to use the Suggestion box placed outside of his door…and then places a very obvious nanny-cam hidden in a teddy bear right next to it.

6) He begins to grow out his sideburns and every question directed to him in meetings results in the same response, “Do you feel lucky today, punk?”

5) He has the mayor on speed-dial.

4) He starts wearing very big shoes to the office and accosts random people in the hallways asking if they think they could fill them.

3) He refuses to write router and switch configs to flash citing network security concerns.

2) He calls you and asks for a $5 million salary advance; caller id flashes “Department of Corrections”.

And #1: You’re the City of San Francisco

Enjoy your lock-down free weekend!

ShareThis

HP's NAC- What I've Been Wanting to Tell You (but couldn't)

Tue, 22 Jul 2008 18:29:11 +0000

Well everyone- there’s something I’ve been wanting to tell you and now, after a year, I can!

Because of non-disclosure and other confidentiality contracts with various partners, vendors and manufacturers, we’ve had sealed lips for almost exactly 12 months. Now that it’s been made public by the media, I can share a little information with you and explain why I think you should be excited.

What cat is out of the bag now? HP ProCurve’s network access control solution leverages endpoint management technology from StillSecure’s Secure Access solution. Information Week spilled the beans, so to speak, in Mike Fratto’s recent 2008 NAC Survey Analytic Report. (See page 32)

Now, at this point, I can probably lump you into one of three groups… 1) You don’t care or have no clue what this means 2) You care but think this means HP ‘has no NAC’… or group 3) You know about StillSecure’s success and ProCurve’s integration and think this is a great combination.

I’m sure everyone will have their own opinion- I happen to be in Group 3. Why? Because HP has taken the power of their servers, leveraged a very solid endpoint management tool and incorporated a variety of other management and security features by way of their identity management solution.

The endpoint security. StillSecure’s Safe Access solution has been winning awards and earning stars for years. You can probably Google it, or check out some of Shimel’s blog posts, such as this one, with 4- and 5-star reviews from SC Magazine. In fact, just this year (and in previous years) Safe Access was voted Best Endpoint Security Solution by SC Magazine and has won numerous other awards and accolades from various analysts and media firms. They have a clean, user-friendly GUI, a solid Linux platform and a variety of testing methods, deployment options and switch integrations. (And no, you don’t need ProCurve switches, the NAC integration is ready for your Cisco, Extreme, or whatever you have).

User management. Combine one of the highest-rated endpoint security solutions with ProCurve switches, the #2 leader in the switching market (and Magic Quadrant resident) and the full integration with ProCurve’s Identity Driven Manager platform and you have one amazingly capable access control system. With ProCurve IDM, you can integrate directly with their NAC 800 appliance to offer per-user (or per-group) ACLs, QoS, restrictions or priviliges. Rules can be identity-based, time-based, location-based, or a combination of all. And, IDM eases 802.1X integration by offering users a central management and repository for user settings and VLAN assignments; it really is ProCurve’s special sauce and a distinguishing feature.

Switch security. The integration of advanced switch security functions, such as DHCP snooping, Dynamic ARP protection and dynamic IP lockdown gives ProCurve another leg-up to fight common known attacks for both in-line and out-of-band NAC deployments.

Zero-day protection. It gets better, the new Dynamic Configuration Arbiter (DCA) functions in ProCurve’s Pro-vision switches gives customers the unique advantage of integrating the NAC and IDM with ProCurve’s Network Immunity Solution (NIM). NIM uses flow analysis from sFlow and network behaviour anomaly detection (NBAD) to detect and automatically remediate on the edge. In English, that means we can use ProCurve’s NIM to detect attacks and take action at the edge port, such as blocking the port, locking out the MAC address of the offender, rate-limiting, or even mirroring the traffic to an IDS for further inspection. The super-nice part is, all the sFlow and NBAD works on wireless too. (Hey Stiennon, did you hear that?)

Full integration. Unlike some of the other network-based NAC vendors, ProCurve has done an exceptional job of integrating these features and we’ll continue to see more integration in future revisions of the softwares and as more TNC/TCG integration frameworks are released (such as IF-MAP).

I think the strong integration with the infrastructure and the ability to leverage a mature endpoint integrity will make HP a ‘real’ player in the NAC market moving forward.

Not to knock other NAC solutions- Choosing a NAC is like selecting the perfect wine for your dish- there’s no 1 ‘right’ choice for all occasions. Each have their advantages and disadvantages. There are several that have special sauces and you’ll actually be seeing more on that soon…

# # #

Mobile Malware Scam iSexPlayer Wants Your Money

Wed, 09 Jul 2008 03:42:00 +0000

A bogus media player (iSexPlayer.jar) targeting Symbian S60 3rd edition devices according to several affected parties, is currently being spammed through blackhat search engine optimization. Once infected upon confirming its execution since it's doesn't seem to be exploiting a specific vulnerability besides "bargain hunters" desire for free adult material, the malware attempts to trick the user into participating by becoming a member, however, a quick peek the source code reveals interesting facts about the scam.

For instance, once providing them with your credit card details and basically wanting to try out the service, it appears that there's no way out of it which is a problem since "Trial membership recur at $US 29.95 unless cancelled, Monthly membership recur unless cancelled" and also, "Do you want full access to all pictures and videos? Cost is 2 Euros, charged 100% descreet on your phone bill over SMS. Please allow iSexPlayer to send SMS".

The spammed through blackhat SEO sites are currently active, and perhaps a bit ironic, once you make any transaction with these people, anything that goes on at a later stage such as automatic calling or sms-sing to squeeze your bill, may be in fact legal since you authorized it.

Symbian Freak has some details, as well as an affected party :

"Last week, I had lend my N73 to one of my friends for use as he had lost his phone. I did not know what he did, but I checked my bills today and see some International calls made that amount to around 20USD. That is around 800 Indian rupees. To check, I called the number and learnt that it was a phone sex line. Now it was time for my friend to answer. The thirteen calls were made during a period spanning two days. On an average there were 7 calls a day. Now, the thing that struck me is, going by the call records, the calls on the second day were made when I had the phone with me. I am pretty sure no one dialled the numbers. I called my buddy and asked him if he had downloaded something. He then spilled the beans informing that he did go to some adult website and installed a software (I do not recall the name)."

The name of the "software" as I've already pointed out is iSexPlayer. Let's dissect the scammers and their sites currently spammed across 100,000 sites using blackhat SEO tactics. Related domains sharing the same IP and internal pages :

3g6.se
3gx.se
conn2.3g6.se
conn2.3g6.se
test.3gx.se

83.241.194.132 (83.241.194.128-83.241.194.191 DGC-DIRECT2-01 Direct2Internet AB - Internet Access Located in Johanneshov, Sweden)

3g6.se/dstream.php
3g6.se/newplayerdl.php
3g6.se/chrono/callback.php
secure.chronopay.com/index.cgi

The scammer's pitch :

"Free access to: - 500 Hardcore scenes - 100 Full lenght movies - Picture galleries Important! To install iSexplayer you must be at least 18 years old. You must install and run iSexplayer™ access module to watch the videos on Nintendo DS, You must install and run iSexplayer™ access module to watch the videos on Apple iPhone, Install iSexplayer"

Upon attempting to download the .jar file from the mobile page, the iSexPlayer.php does the magic like that :

"MIDlet-1: iSexPlayer,/icon.png,Easyloader
MIDlet-Install-Notify: http://3g6.se/install_notify.php?id=1322451
MIDlet-Jar-Size: 101313
MIDlet-Jar-URL: http://3g6.se/iSexPlayer.jar
MIDlet-Name: iSexPlayer
MIDlet-Vendor: Vendor
MIDlet-Version: 1.0
MicroEdition-Configuration: CLDC-1.0
MicroEdition-Profile: MIDP-2.0
did: 1322451
did2: 9416755"

Who's behind the scam?

"c_javax_microedition_lcdui_Form_fld.append("\niSexPlayer is owned by: ");
c_javax_microedition_lcdui_Form_fld.append("\nEnit Invest S.L. ");
c_javax_microedition_lcdui_Form_fld.append("\nweb: enitinvest.com ");
c_javax_microedition_lcdui_Form_fld.append("\nemail: support@enitinvest.com ");
c_javax_microedition_lcdui_Form_fld.append("\nTel: 1-800-845-4951 ");"

Enit Invest S.L.
Av. Machupichu 26, S 18
28043 Madrid
email: support@enitinvest.com
Tel: 1-800-845-4951

And since I'm sure that there are more juicy details within the source code further exposing their scammy practices, which you should not authorize in any way, just like you wouldn't really like making a long call on a premium rate number thanks to having a malware infected phone, once more details are gathered, particularly its compatibility with devices, they'll be posted.