Just the facts ma’am:

• Rank on Inc. 500: #350
• Three-year revenue growth: 840%
• Rank on Top 100 DC-area companies: #27
• DC area ranked #1 for most companies on the Inc. 500 list; #2 for most companies on the Inc. 5000 list (behind NYC)
• 2^nd fastest-growing software company in the DC area (Note: we got categorized as IT Services but of course we really fall under “Software”. They never seem to have a “Technology Appliances” category…)

Read the full press release here.

We’re loving it because of the awards we’ve applied for over the last few years and haven’t won. (Or maybe only I care about this since I had to fill out all those applications. Hmmm, I’m sensing a pattern here…) But in this case, it’s all about the numbers.

We love this part of our story because it comes down to customers actually believing in you and your product enough to plunk down the money – and keep coming back for more once you prove yourself the first time. It’s not about the hype or the latest flash in the pan or “sponsorship” or how much money some VC gives you. It comes down to you, your product and your happy customers.

It's a cracking read and one I'd recommend to all insomniacs with an penchant for such topics, but I have to say, I'm actually pretty encouraged by what I read... ]]> Thu, 03 Jul 2008 14:00:00 +0000 hannigan report information security world government departments steps notably recommend insomniacs pan-emea special Why I welcome the Hannigan Report http://securityratty.com/article/2e699cb88411c7ece62621d294d7f5fb http://securityratty.com/article/2e699cb88411c7ece62621d294d7f5fb 1. Before the PIN is encrypted by the Tamper Resistant Security Module (an ATM in the case of bank customers). Most criminals have been using fake PIN PADs and a number of techniques like jamming cards etc steal PINs blissfully unaware that they are on camera most of the time. Nice video ? here.

2. After the PIN reaches the issuer and is decrypted. This is the scarier situation -as the attacker would have access to a database of unencrypted PIN numbers / PIN offsets coming in from all around the globe. PCI supposedly requires that issuers be compliant and not store unencrypted PANs or PINs - but no validation is required (unless they are a VisaNet processor).

Well - Kevin Poulsen at Wired wrote today about how an alleged ATM crime spree has been blamed on a Citibank hack. Though Citibank has denied the hack as the cause of the fraudulent withdrawals - all signs seem to point towards it so far.
(This definitely is not new - While testing an issuer's security I'd stumbled upon ATM log entry files - complete with PAN, PIN, full name, address, zip code and atm location - back in the day when RFP just released whisker. )

This is probably just the beginning of a new wave. Issuers really need to pull up their socks and begin to treat cardmember data with the same respect that PCI Co is requiring merchants and processors to do. - and while I'm wishing horses - can ANSI or someone start working on some standards for requiring all track data to be encrypted in transit?]]> Thu, 19 Jun 2008 06:38:00 +0000 pin pin reaches pin offsets fake pin pads atm location atm bank pins atm crime spree access .. and now - PIN stealing.. http://securityratty.com/article/69d58048921734eeef4975b4be8bf3fb http://securityratty.com/article/69d58048921734eeef4975b4be8bf3fb

While waiting for the pan-out of the Cisco System's acquisition of Securent, I can't help but wonder how Cisco is going to develop the Securent technology in its future products. Will the Securent policy engine (PDP) be used 1) as a main point for policy management and enforcement for network equipment, OR 2) will they continue using the product along the 'Securent-intended' path: enforcing fine grained application level policies by integrating policy enforcement points into applications, OR  3) managing fine grained authorizations on the network layer (without the need to open up applications), similarly to BayShore Networks, Autonomic Networks, and Rohati Systems? Without a comprehensive identity and access management offering (IAM), Cisco will probably be fit best to do 1) and 3) described above. This seems most consistent with Cisco's background and culture.

Ozmo apparently is trying to leverage the ubiquity of Wi-Fi, the market reach of Intel (which has invested in the firm and is pushing its technology), and the dissatisfaction with Bluetooth device association and throughput to stick a wedge into Bluetooth's market domination. Well over a billion Bluetooth chipsets have shipped--CSR alone has shipped over a billion--and estimates put half a billion this year into cell phones alone. So there's a large embedded market to overcome.

This new technology, so far unnamed but apparently part of Intel's Cliffside research program, is trying to reduce complexity by reducing the number of standards needed to drive a computer, while increasing the flexibility of those standards. Ozmo and Intel's system would, for instance, allow a simultaneous WLAN connection and a PAN network of up to 8 devices using a single radio on a computer.

The press releases and articles make it quite unclear whether a new Wi-Fi chip would be needed; that chip would almost certainly not conform to today's Wi-Fi standards except in a compatibility mode, given that Wi-Fi has no capacity for PAN-style connections. Ad hoc mode isn't quite the same thing. In the past, extensions to the 802.11 standards that are the basis of the Wi-Fi certification and service mark were allowed as long as basic 802.11 worked as expected.

Bluetooth and Wi-Fi have been complementary technologies for several years. There were early conflicts--I wrote an article about the severe problems in using Bluetooth 1.1 and 802.11b back in 2001! But those interference and coordination issues were resolved, and Blueooth and Wi-Fi marched forward hand in hand, without any close association between the two trade groups behind the standards and branding, but with a lot of technology acquisitions and mergers on the part of companies that make Wi-Fi gear.

The Bluetooth SIG has been working for years to put Bluetooth on top of ultrawideband (UWB), which is still not readily available in the marketplace. UWB is always next year's big technology, and may be passed by except for applications like high-definition video streaming among a/v electronics. The SIG also announced support in Oct. 2007 for Bluetooth + 802.11, where a Bluetooth device could initiate high-speed transfers using 802.11 (yes, Wi-Fi, but not by that name; no partnership there). Bluetooth plus UWB is likely not available until 2009 at this point; BT and Wi-Fi, not until perhaps 2010. (See my article, "Bluetooth to Add Wi-Fi with UWB Delays in Mind," 2007-10-31.)

It's hard to see how Ozmo builds a place in this infrastructure, even with higher bandwidth, and what Ozmo says is lower power use and a lower cost for their chips, because laptop and desktop makers will need to buy into the Intel/Ozmo ecosystem. The demand for this kind of technology is typically driven by users who buy one component and need their computer to interface with it.

With Ozmo and Intel apparently planning to debut the Wi-Fi chips and driver support next year, it seems like a multi-year process to figure out whether Ozmo can evolve a competitive position to Bluetooth, even as Bluetooth is estimated to be embedded in over 1.2b cell phones by 2012.

• Passport
• Voting ID card
• PAN card
• Driving License card
• Government issued ID card
• Social Security Card
• Military ID card
• Consular ID card
• Postal ID card
• Government Employee ID Card
• Credit Card
• Debit Card
  

Breach Description:
ACAP Security and affiliated sites are actively marketing a "secure payment system that allows Internet-based businesses to accept secure PIN-debit card payments and transactions at their online store."  The PinPay and SoftCard sign-up pages and account access pages are not adequately secured with encryption, potentially exposing extremely sensitive personal information.

Reference URL:
Merchant 911 Blog

Report Credit:
Tom Mahoney, the Founder and Director of Merchant 911

Response:
From the online source cited above and my own cursory investigation:

Back in January, I had short email dialog with a Kip Long, who claimed to be one of the principles of a company called Softcard out of Huntington Beach, CA. They are not to be confused with SoftCard Systems in Athens, GA. As far as I know, SoftCard Systems is a legitimate company with a legitimate product.

Mr. Long was rather aggressively, but not very successfully, trying to impress me with their product - from what I can make of it, a virtual PIN based card.

The company uses PinPay - to process transactions and both companies are a part of ACAP Security, Inc..

I reviewed their site for possible inclusion in our website’s resource pages, but promptly rejected them.

their insecure sign-up form - was requesting “Identity Card Numbers” and issue dates.
[Evan] The sign-up forms at SoftCard.biz and PinPay.net are not secure.  Neither are their respected login pages.

“Identity cards” are selectable from a drop down menu and include such ID information as Passport, Driver’s license, SSN, and Credit Card.

The form also requires a full name and DOB.

I tried using the HTTPS URL but it appears that they do not have a security certificate tied to their site.

The fact that Mr. Long used a hotmail address to pitch the company made me wonder too, given that at Merchant911 we try to instill in our members that a free email address from a customer is a fraud alert.

If a company official can’t use his company’s domain for email, I’m not going to talk to him.

I called their attention to the insecure web form in January. They still have the form up there, happily collecting this information with an insecure form.
[Evan] I also sent emails and heard nothing in return.

I have to wonder how much information has already been sniffed or otherwise compromised. You probably don’t want to fill out this form.
[Evan] My advice would be to NOT fill out the form and NOT conduct business with a company that has not demonstrated a willingness to secure your information.

Commentary:
Tom informed me about this vulnerability (and potentially a breach for anyone that signed-up/in) a couple of weeks ago.  I've been a little busy lately, but was finally able to check it out.  Let me recap what I found.

First, let's go to www.softcard.biz. This is the site that Tom originally pointed out to me.



The flash home page forwards visitors to a static index (indexaa.html) page.  The first paragraph on the page informs visitors about PinPay.

"The PINPAY SoftCard is a wise way to carry and transfer money. It gives you the ability to purchase products at participating stores throughout the world (as well as at online shopping malls), with the security of a PIN that travels the internet via private encrypted tunnels. It also allows you the ability to load money to your card, pay bills, transfer money to merchants, transfer money between cards, and withdraw cash from your card at the store."



See where the page says, "Register for your FREE card HERE!!"?  This is a link to the sign-up page that Tom was referring to.



No "https" in the URL.  Tom was right on that.  The sign-up form asks for a personal information ranging from name and address to identity card information (even information for a "Second Identity Card").



The "Select Identity Card" drop down menu displays the choices for the prospective customer, including Passport, Voting ID card, PAN card, Drivers License card, Government issued ID card, Social Security card, Military ID card, Consular ID card, Postal ID card, Government Employee ID Card, Credit Card and Debit Card



SoftCard (or PinPay or ACAP Security) are asking for some very sensitive personal information!  First, this is quite a bit more information than they need to approve a person for a "PINPAY SoftCard".  Second, no encryption?!  Third, who is ACAP/SoftCard/PinPay and what will they do to secure my information once they have it supposing it wasn't intercepted on the way to them?

Let's dig a little (public) information about ACAP Security.  According to Entreprenuer.com, ACAP launched "Personal Private Network" (ppn) technology, commercially available under the trade name ppnPRO, which is described as a "highly secure, and highly private" personal private network.  ppnPRO uses "Government approved AES encryption, with strong personalized 256-bit encryption keys, and encrypting all information- network addresses, applications and ports, as well as the confidential data content".  Sounds impressive, but it also sounds like the company should know a thing or two about securing web site transactions with encryption. 

I want to discuss the risk of sending confidential private information over a public network such as the internet without encryption, in particular.  This is not a new topic, but I will take some time to demonstrate the risk.

In order for my information to be compromised, someone (or something) will need to capture the traffic.  In order for someone to capture my traffic, they will need to tap into the communication somewhere between me (my computer) and the destination (the web server).  My information doesn't travel directly from my computer to the server.  There are intermediaries (routers, switches, firewalls, etc.) that have to get (or forward) my information from my computer to the server.



As you can see depicted in the graphic above, there are at least 16 routers (or hops) between this example source and www.softcard.biz.  The final few hops are not reported due to filtering.  So where could my traffic be captured?  At the very least:

• Between my computer and my router (or firewall)
• Between my firewall and the ISP hand-off
• Between all the traversed devices within my ISP's network
• Between all the traversed devices through the internet
• Between all the traversed devices within the destination ISP's network
• Between all the traversed devices within the destination organization's network and the server itself.
  

Evolutionarily, presumably it is a better survival strategy to -- all other things being equal, of course -- accept small gains rather than risking them for larger ones, and risk larger losses rather than accepting smaller losses. Lions chase young or wounded wildebeest because the investment needed to kill them is lower. Mature and healthy prey would probably be more nutritious, but there's a risk of missing lunch entirely if it gets away. And a small meal will tide the lion over until another day. Getting through today is more important than the possibility of having food tomorrow.

Similarly, it is evolutionarily better to risk a larger loss than to accept a smaller loss. Because animals tend to live on the razor's edge between starvation and reproduction, any loss of food -- whether small or large -- can be equally bad. That is, both can result in death. If that's true, the best option is to risk everything for the chance at no loss at all.

This behavior has been demonstrated in animals as well: "species of insects, birds and mammals range from risk neutral to risk averse when making decisions about amounts of food, but are risk seeking towards delays in receiving food."

A recent study examines the relative risk preferences in two closely related species: chimanzees and bonobos.

Abstract

Human and non-human animals tend to avoid risky prospects. If such patterns of economic choice are adaptive, risk preferences should reflect the typical decision-making environments faced by organisms. However, this approach has not been widely used to examine the risk sensitivity in closely related species with different ecologies. Here, we experimentally examined risk-sensitive behaviour in chimpanzees (Pan troglodytes) and bonobos (Pan paniscus), closely related species whose distinct ecologies are thought to be the major selective force shaping their unique behavioural repertoires. Because chimpanzees exploit riskier food sources in the wild, we predicted that they would exhibit greater tolerance for risk in choices about food. Results confirmed this prediction: chimpanzees significantly preferred the risky option, whereas bonobos preferred the fixed option. These results provide a relatively rare example of risk-prone behaviour in the context of gains and show how ecological pressures can sculpt economic decision making.

The basic argument is that in the natural environment of the chimpanzee, if you don't take risks you don't get any of the high-value rewards (e.g., monkey meat). Bonobos "rely more heavily than chimpanzees on terrestrial herbaceous vegetation, a more temporally and spatially consistent food source." So chimpanzees are less likely to avoid taking risks -- as most species are.

Fascinating stuff, but there are at least two problems with this study. The first one, the researchers explain in their paper. The animals studied -- five of each species -- were from the Wolfgang Koehler Primate Research Center at the Leipzig Zoo, and the experimenters were unable to rule out differences in the "experiences, cultures and conditions of the two specific groups tested here."

The second problem is more general: we know very little about the life of bonobos in the wild. There's a lot of popular stereotypes about bonobos, but they're sloppy at best.

Even so, I like seeing this kind of research.