[SecurityRatty] tag: purchase

Open Letter to Verizon Wireless

Mon, 25 Aug 2008 11:43:00 +0000

After receiving no support from agents at the Verizon Wireless store or by agents on the phone, I decided to write them and make it an open letter. It’s no secret that Verizon has a great network, but it’s also no secret that their phone selection stinks. I don’t want to leave them and am hoping that whatever little bad press I can cause will encourage them to resolve the issue. If not, I’m tapping out. For 3 years I have hated my phone and loved their network. I’m ready to feel mediocre about both. Here it goes:

I am currently without a phone and would appreciate a speedy reply.

I have been a Verizon Wireless customer for over 5 years and my monthly bill easily averages over $200 during that time frame. While I love your network, I have been completely unsatisfied by your selection of phones. It is a stretch to say that my last phone worked—it had a feature called a battery that allowed me to switch from the car charger to my office charger without dying. And I waited—under duress—until I was allowed to purchase a new phone with the discount.

My current phone has a wonderful battery life, but this is the 4th time the charger has snapped off in the phone. The phone is fine, but I keep paying $30 for new chargers. I refuse to purchase another or wait until February when I will be eligible for a new phone. You sold a phone with a design flaw, and I’m not even asking for a refund or a free phone. Just allow me to take a chance on a new one at the 2 year contract renewal rate.

If not, I will gladly pay the early termination fee and leave Verizon. On general principle, I will spend more money canceling my account with you than I would likely receive as a discount on a new phone. As a customer, I consider it unacceptable that you sell inferior phones and leave me with no recourse.

The first time I waited haplessly to become eligible for a new phone. I will not suffer a second time. If you don’t like the fact that you will end up losing money by allowing me to purchase a new phone early, I suggest you take it up your vendors who supply you with awful products. I can promise you that we will both lose more money if you don’t.

Sincerely,

Eric Marvets

Software Security Market

Mon, 25 Aug 2008 09:18:59 +0000

Information Security budgets are pretty crufty, they are an accumulation of decisions but the analysis that led to these decisions is rarely revisited, it just snowballs. So the normal Information Security budget is just a legacy artifact of when the network was the greatest vulnerability. Gary McGraw took a pass at reviewing the numbers in software security, breaking down software security sectors like tools and services (note to Gary - I think Aspect does more than just training!). This is great work by Gary to get these numbers to see the real changes occuring in software security. Here were his findings on software security tools:

One of the most important developments in the software security market can be seen in the tools space which, combined, almost doubled to $150-180 million. Top of list are two major acquisitions that closed in 2007: Watchfire's purchase by IBM (somewhere in the range of $120-150 million on 2006 revenue of $26 million) and SPI Dynamics's purchase by HP (for around $100 million on 2006 revenue of $21.2 million).

...

The black box space was flat in 2007, with IBM/Watchfire checking in at $24.1 million and HP/SPI Dynamics earning $22.3 million. Smaller companies in the space, including Cenzic, Codenomicon, WhiteHat and the like had combined revenues around $12.5 million (a growth of 25%, though Cenzic grew 16% and WhiteHat 52%). Most of the growth "hiccup" in the black box market can be attributed to the serious challenges posed by any acquisition. So far 2008 looks to be back on track from a growth perspective in the black box testing space. The global reach that IBM and HP offer are already making a big difference.

On a more positive note, static analysis tools for code review grew at a healthy clip in 2007 into a $91.9 million dollar market. Fortify was up 83% to $29.2 million. Klocwork grew over 60% to $26 million. Coverity grew over 50% to $27.2 million. Ounce Labs tripled their revenue to $9.5 million.

These are very nice growth numbers, what company doesn't want 83% growth? However, the total picture is not so good. Gary's estimate shows the software security space coming in at $150 Million total, yet we see a company like Checkpoint that won the network security war in 1995 with earnings of around $900 Million! One single network security vendor is 6 times bigger than the entire software security space?!? Complete UTTER Madness!

This is the stupefying, stultifying effects of budget cruft, where the decisions made in The People's Republic of Information Security have no bearing on reality of threats or even a business case.

Let's look at networks. Obviously Cisco is the biggest, they earned $39.5 Billion last year. Pretty stellar. So spending $900 Million (Checkpoint) to defined $39.5 Billion seems like a pretty good deal.

Except, let's compare software security spending - last year Microsoft earned $60 Billion, SAP $16 billion, and Oracle $22 Billion. So that is about $98 Billion and you are going to "defend" that with allocating $150 Million worth of software security tools?

	Network	Software
Asset Value	$39.5 billion	$98 billion
Security Investment	$900 Million	$150 Million
Security Investment as a percentage of asset value	2.28%	0.15%

This table greatly disturbs me. From a prioritization standpoint The People's Republic of Information Security is misaligned by orders of magnitude. Next time you read about a data breach, or see an auditor's report with thousands of findings you won't have to wonder how it happened. It happened because Information Security doesn't have its eye on the ball.

Consider that software security tools could grow 50% a year for five years and still be half of where Checkpoint is today!

I see the outcomes of backwards looking, crufty decisions by Information Security every day - one or two software security sherpas heading out to work with thousands of developers, meanwhile the network security people sit around and read the newspaper and go home every day at 5.

The optimistic way of looking at all this data is that there is major room for growth for software security, if you take Checkpoint as a target, then the software security space should evolve to around 2% of the software space meaning that it should evolve into a $2 billion space around fifteen times larger than it is today. Unprotected assets will either be protected or will cease to be assets, VCs get your check books ready.

Creepy Customer Profiling via Facial Recognition

Fri, 22 Aug 2008 05:41:08 +0000

Usually, shopping off-line is usually more ad-free than shopping online. But this is changing, with ads coming in strange places like video screens at Gas Stations, Albertson’s, and so on. Google’s been using content targeted at users for some time, and now this is coming to offline ads too. Some unlikely retailers like Dunkin Donuts are installing facial recognition systems that change the ads shown, depending whether the viewer is male or female, and in what age range.

The Wall Street Journal says that Dunkin’ Donuts is experimenting with video screens that use facial recognition technology to figure out your age and gender. The screens then display ads targeted specifically to you.

Creepy!

Dunkin’ Donuts is also tailoring the cash register ads to your specific purchase. If you buy a breakfast sandwich, you can expect an ad prompting you to return “for a coffee break in the afternoon” to “try an oven-toasted pizza.” The system is already in place at two Buffalo, NY locations.

Read the full article here.

EPTS: Proposed Event Processing Definitions, September 20, 2006

Thu, 21 Aug 2008 01:47:11 +0000

For interested readers, here are the event processing definitions we provided to the (future) EPTS working group on September 20, 2006, coordinated (edited) by David Luckham and Roy Schulte;

adaptive process management (n.) an element of resource and business process management, adaptive search and event processing. Sometimes referred to as “Level 4” event processing or process refinement.

application concept (n.) a definition of a set of properties that represent the data fields of an application entity. An application concept can describe relationships among themselves. For example, an order concept might have a parent/child relationship with an item concept. A department concept might be related to a purchase requisition concept based on the shared property, department_id. Application concepts can include an application state model.

application state modeler (n.) a UML-compliant application that allows you to model the life cycle of a concept instance — that is, for each instance of a given concept, you can define which states it will pass through and how it will transition from state to state. States have entry actions, exit actions, and conditions, providing precision control over the behavior of an event processing agent. Transitions between states also may have rules. Multiple types of states and transitions maximize the versatility and power of the application state modeler.

derived event (n.) an event that is created as a result of processing one or more other events.

complex event (n.) an event that is a situation-entity abstraction of two or more simple, derived or other complex events.

complex event processing (n.) CEP is a technology for extracting information from message-based systems. CEP is primarily an event processing concept that deals with the task of processing multiple events from an event cloud with the goal of identifying the meaningful events within the event cloud. CEP employs techniques such as detection of complex patterns of many events, event correlation and abstraction, event hierarchies, and relationships between events such as causality, membership, and timing, and event-driven processes.

event (n.) a instance of an event definition. It is an immutable object that represents a business activity that happened at a single point in time. Just as one cannot change the fact that a given activity occurred, one cannot change an event — events are immutable.

event aggregation (n.) the aggregation of simple, derived or complex events into higher levels of event abstractions.

event definition (n.) a set of properties related to a given activity that represents an important or interesting change of state in a human, system or computational activity. An event definition includes event properties such as event priority, event time to live (TTL), and a description of the payload, which is comprehensive information related to the activity that occurred. Events expire when the TTL has elapsed, unless the event processing agent has instructions to consume them prior to that time.

event channel (n.) a communications channel in which events are transmitted from event source to event receivers, typically received as electronic messages. Each channel can have multiple destination and. events can be configured to transmit to a default destination. JMS is an example of an event channel.

event cloud (n.) a partially ordered set of events (poset), either bounded or unbounded, where the partial orderings are imposed by the causal, timing and other relationships between the events. Typically an event cloud is created by the events produced by one or more distributed systems. An event cloud may contain many event types, event streams and event channels. The difference between a cloud and a stream is that there is no event relationship that totally orders the events in a cloud.

event-driven (n.) the behavior of a human, system or computational entity whose execution or actuation is in response to events, typically received as electronic messages.

event-driven architecture (n.) an architectural style for distributed computing applications in which some of the components are event-driven and communicate by means of events.

event processing (n.) computing that performs operations on events, including modifying, creating and destroying events.

event-object (n.) an software object that represents an event, generally for the purpose of computer processing, that exhibits both encapsulation, inheritance and polymorphism.

event prediction (n.) computational activity where the impact of events, complex events, and situations caused by events identified, including both opportunity or threat. Sometimes referred to as “Level 2” event processing, impact assessment or predictive analytics.

event pre-processing (n.) computational activity where events are cleansed or normalized to produce semantically understandable data. Sometimes referred to as “Level 0” event processing.

event processing (n.) computational activities on events dealing with the association, correlation, and combination of event data and information from single and multiple event sources to achieve refined identity and situation estimates for observed event objects, and to achieve complete and timely assessments of opportunities, threats, and their significance. Event processing is characterized by continuous refinements of event estimates and assessments and by evaluation of the need for additional sources, or modification of the process itself, to achieve improved results.

event processing agent (n.) an EPA is a computational entity that performs event processing.

event processing network (n.) a set of event processing agents and a set of event channels connecting them.

event properties (n.) data representation of an event, typically by name-value pairs of type string, integer, real, boolean or a complex data type.

event refinement (n.) filter, identify and track events & make initial processing decisions based on association, correlation and state estimation. Sometimes referred to as “Level 1” event, or event-object, track and trace.

event stream (n.) a time-ordered sequence of events. An event stream may be bounded by a certain time interval or other contextual dimension (content, space, source, certainty), or be open ended and unbounded.

event stream processing (n.) a time-ordered sequence of events. An event stream may be bounded by a certain time interval or other contextual dimension (content, space, source, certainty), or be open ended and unbounded.

rule (n.) defines what triggers unusual, suspicious, problematic, or advantageous activity within an event processing agent and what the EPA does when it discovers these types of activities. Rules execute actions based on certain conditions on events, instances, or a combination of both. A rule includes a group of condition-rule statements and action-rule statements. The condition statements instruct the EPA what to look for in events, and action statements instruct the EPA how to respond when conditions are met. If all the conditions in a rule are satisfied by events or instances or both, the EPA fires the actions. The action might be to execute tasks, create an event instance, modify property values in an event instance, create and send an event, or something else.

rules engine (n.) a type of event processing agent that uses a declarative programming model to process events. Formally described as “an abstract structure that describes a formal language precisely, i.e., a set of rules that mathematically delineates a (usually infinite) set of finite-length strings over a (usually finite) alphabet“. Informally, it can be any system that uses rules, in any form, that can be applied to data to produce outcomes.

rule language (n.) is an artificial language that is used to control the behavior of an event processing agent. Rules languages, like human languages, have syntactic and semantic rules to define meaning.

situation refinement (n.) identify situations, or complex events, based on event clustering, event-event relationships and relationship analysis and context. Sometimes referred to as “Level 2” event processing.

simple event (n.) an event that is not an abstraction or composition of other events.

virtual event (n.) an event that is imagined, modeled or simulated.

Note: The Emerging Technologies Engineering Team at TIBCO Software significantly contributed to these event processing terms and definitions.

A Diverse Portfolio of Fake Security Software - Part Two

Mon, 18 Aug 2008 21:51:48 +0000

With scammers continuing to introduce new typosquatted domains promoting well known brands of rogue security software that is most often found at the far end of a malware campaign, exposing yet another diverse portfolio of last week's introduced domains is what follows.

Naturally, in between taking advantage of the usual hosting services, most of the domains remain parked at the same IPs, this centralization makes it easier to locate them all, then having to go through several misconfigured malicious doorways that will anyway expose the portfolio.

antivirus2008t-pro .com - (91.203.92.64; 78.157.142.7)
antivirus2008pro-download1 .com
antivirus2008pro-download2 .com
scanner.antivir64 .com
antivirus2008t-pro .com
antivirus-2008y-pro .com

systemscanner2009 .com - (89.18.189.44; 208.88.53.114)
xpdownloadserver .com
global-advers .com
xpantivirus .com
updatesantivirus .com
windows-scannernv .com

ratemyblog1 .com - 208.88.53.114
windows-scanner2009 .com
systemscanner2009 .com
antivirus-database .com
antivirus2009professional .com
antivirus-2009pro .com
antivirus2009-scanner .com
global-advers .com
drivemedirect .com
windows-scannernv .com

webscweb-scannerfree .com - (58.65.238.106; 208.88.53.180)
freebmwx3 .com
mytube4 .com
beginner2009 .com
webscweb-scannerfree .com
antivirus2009-software .com
antivirus-database .com
purchase-anti .com

onlinescannerxp .com
virus-onlinescanner .com
spywareonlinescanner .com
xponlinescanner .com
virus-securityscanner .com
virus-securityscanner .com
webscannerfreever .com
blazervips .com
global-advers .com
xpantivirus .com
drivemedirect .com
windows-scannernv .com

mytube4 .com - 58.65.238.106
beginner2009 .com
webscweb-scannerfree .com
securityscannerfree .com
xpcleaner-online .com
streamhotvideo .com
xpcleanerpro .com
onlinescannerxp .com
online-xpcleaner .com
antispyguard-scanner .com
virus-onlinescanner .com
microsoft.browsersecuritycenter .com
fastupdateserver .com
blazervips .com
xpantivirus .com
drivemedirect .com
fastwebway .com
xpantivirussecurity .com
wordpress.firm .in
megacodec .biz
mcprivate .biz

internet-defense2009 .com - 84.16.252.73
myfreespace3 .com
greatvideo3 .com
internet-defense2009 .com
windows-defense .com
3gigabytes .com
teledisons .com
updatesantivirus .com
update-direct .com
xp-protectsoft .com

top-pc-scanner .com - (91.203.92.50; 92.62.101.43)
nortonsoft .com - (91.186.11.5)
powerantivirus-2009 .com - (91.208.0.233)
powerantivirus2009 .com - (91.208.0.233)
pwrantivirus .com - (91.208.0.231)
xp-guard .com - (92.62.101.35)
xpertantivirus .com - (91.208.0.230)
internetscanner2009 .com - (89.149.229.168)

Where's the business model here? Where it's always been, upon installation of the rogue security software, the malware campaigner earns up to 40% revenue from the rogue security software's vendor.

Related posts:
Localized Fake Security Software
Diverse Portfolio of Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd

Review: Eye-Fi Explore Hits the Mark

Tue, 12 Aug 2008 08:13:02 +0000

After spending two weeks with the $130 Eye-Fi Explore Wi-Fi memory card, I'm a fan: The Eye-Fi Explore was introduced in July by the eponymous firm to support geotagging - embedding latitude and longitude into photo metadata - and easier uploading of images. The Eye-Fi Explore is a Secure Digital (SD) card with 2 GB of storage, a tiny computer, and a Wi-Fi radio. The Explore uses Skyhook Wireless's Wi-Fi positioning data combined with Wayport's network of 10,000 hotspots, mostly McDonald's, along with revised firmware and software that dramatically improves the experience of uploading photos.

The company shuffled its products into three versions several weeks ago: Eye-Fi Home ($80), which uploads only to a specific computer over a local network; Eye-Fi Share ($100), a rebranded version identical to its first offering last year, which can upload to photo-sharing services or a computer or both; and the Explore. (You can purchase the Eye-Fi Explore from Amazon.com, as well as the other models.)

I reviewed the Explore as a geotagging system for The Seattle Times this last Saturday; I'd reviewed the original Eye-Fi (now Eye-Fi Share) for them last year as well. You can read that review for my take on geotagging, or skip to the bottom of this review, as well.

The hardware is apparently the same or nearly so, and it works just as well as it did last year. The biggest improvements, however, are a few workflow tweaks that make it far easier to manage and track uploads of pictures without draining your camera's batteries down to zero.

Wee-Fi: Mumbai Blast Leads to Open Network; NullRiver's App Nullified; Copper Substitute

Mon, 04 Aug 2008 05:56:36 +0000

Mumbai man's open wireless network used to send bomb claim: An American expatriate, Kenneth Haywood, left his Wi-Fi network open in Mumbai, and police allege it was used to send email claiming responsibility for a bomb blast that killed 42 people. The Guardian reports that Haywood says his email account was also hacked. Police say that someone would need to be within two floors of the 15th-floor apartment Haywood and others occupy, but they may be disregarding high-gain antennas. Haywood's installer demanded he not change his network password.

iPhone tethering application up, down, up, down: The NetShare connection-sharing application from NullRiver has made a couple of appearances on Apple's App Store, the only authorized place from which owners of iPod touch and iPhone devices can purchase software for uncracked equipment. NetShare appears to violate the terms of service for AT&T, although this wouldn't be the case with all carriers worldwide, by bridging 2.5G and 3G network traffic via the Wi-Fi connection on the iPhone. A laptop or desktop needs special configuration to connect to the iPhone, but various reports show it works fine. AT&T offers tethering with other smartphones - but not the iPhone - for typically about $20 more per month, comparable to a national hotspot aggregated subscription.

Speaking of AT&T, they like WiMax as a wire alternative: AT&T is bullish on WiMax, but the fixed kind used to replace wires in places they have no cable.

The Magical ATM Card and SMS Message in Thailand

Sun, 03 Aug 2008 09:30:52 +0000

It was not too long ago that I penned Keyloggers: Why Banks Need Two-Factor Authentication. In that post, I briefly mentioned how a number of banks in Thailand use inexpensive SMS-based two-factor authentication (2FA) with one-time password (OTP) to authenticate transactions.

One of my favorite banks in Thailand is K-Bank. With K-Bank I can simply walk up to an ATM machine and pay a mobile phone bill, purchase mutual funds, buy insurance, or transact an ever-growing list of services payable at the modern and sleek K-Bank ATM.

For example, tomorrow I fly to Chiang Mai in Northern Thailand and found K-Bank’s service amazingly better than in the US. For example, I booked my flight as usual (over the phone, but could have used the Internet) and told the reservation agent I was going to pay by ATM. He simply gave me a PayCode and told me I had three hours to go to the ATM and enter the PayCode to perfect my reservation. I also got the PayCode via SMS. This gave me the time I needed to make sure I had booked the perfect boutique hotel in Chiang Mai, the Fern Paradise.

Then, I went out into the beautiful Thai weather and completely my airplane reservation at the ATM machine; which also printed out a receipt with my flight details and reservation number.

It sometimes amazes me how much further advanced some services are in Thailand compared to the US. To me, it feels more secure not to use an on-line payment center or give out my credit card details over the phone. I can simply book a ticket, take a PayCode, and complete the transaction at a nice modern, shiny, K-Bank ATM machine.

Who knows, maybe soon I can select the perfect window seat at the ATM and the receipt will act as my boarding pass!

CISA and CISSP Preparation

Thu, 31 Jul 2008 09:14:07 +0000

Recently I have received a number of questions seeking preparation tips and insights for the CISA and CISSP certifications. I hold both of these certifications, and passed them both on the first attempt using very different preparation approaches. I took the CISA first, and based on a few lessons learned, I radically changed my preparation plan for the CISSP.

FYI, the official preparation information, qualification requirements, exam requirements, etc. can be found at:

Certified Information Systems Auditor (CISA) : http://www.isaca.org/cisa/
Certified Information Systems Security Professional : https://www.isc2.org/cissp

Are You Ready ?
A few basic questions to ask yourself to gauge how ready you are:

Do I meet the spirit, and not just the letter, of the experience requirements ?
Has there been sufficient diversity in my experience ?

Both of these exams cover a very broad spectrum of subjects. It is my personal belief that the experience requirements exist as an aid to whittle test takers down to candidates who have the professional experiences required to be successful, and to discourage people from taking the exams before they are ready. If you truly meet the background requirements, then you should have had some contact with many of the core topic areas for the exam.

If you are looking at the core content of the examination, and do not believe that you really have the breadth of exposure to be able to describe and discuss each domain at a high level, then you may be better served by delaying the exam in favor of working with your management to gain broader professional experience.

Five Step Approach to CISA or CISSP Exam Preparation

Perform an initial benchmark and assessment of your readiness
Read a “survey” level preparation guide cover to cover
Perform a secondary benchmark, and compare your readiness
Review official, or “deep dive”, preparation materials on areas identified as your weaknesses
Re-benchmark, and repeat targeted reviews until ready

For the first certification that I prepared for, I did not perform the first three steps outlined above. I went directly to the official source materials and began trying to review them cover to cover. I passed the exam, but I also spent a lot of time & energy reviewing things that I already knew “well enough”, and was burned out when reviewing the areas which could have been richer learning opportunities. No matter what your professional background, no one knows-it-all or does-it-all, so there is always an opportunity to learn new things while you are preparing for the certification exam. The goal of this five step approach is to focus your time where you have the greatest learning opportunities. Hopefully this focuses your time and energy in the most rewarding way.

Performing the Benchmarks

For the Benchmarks, I like to complete a timed half-length or full-length examination.

It is my feeling that a half-length exam is long enough that fatigue, maintaining focus, and pace are all stressed, as they will be on examination day. This of course requires access to a large set of test questions or sample tests, preferably with explanations of incorrect answers. In addition to commercial third-party test preparation tools, there are good (and free) test preparation quizzes available from www.cccure.org.

Survey Materials

I find the “Exam Cram” series to be very useful survey literature. I purchase books from this series when I want a high-level and quick handling of an entire subject matter area. As a result, I own survey books from the series in topic areas which I have no intention of pursuing certification for. Obviously the books I recommend for these certifications are:

Deep Dive Materials

There are exam preparation materials available from a variety of sources that fit the bill in this area. What we are looking for are books that contain solid coverage of the areas where benchmarking has shown the most significant need for improvement. In addition to the materials from (ISC)2 and ISACA that I list below, consult your local library - often they will have books that fit the bill. (And, of course, consider arranging a donation of good materials if they do not.)

Final Thoughts

Good luck on your journey toward Information Security or Audit certification. One word of caution: Make sure that you have realistic expectations about what actually being certified will mean. Although I do think being certified helps a person establish credibility more quickly, and is helpful when searching for new employment, often people are underwhelmed by the “Congratulations, that’s nice” from their current employer. If your expectation is that a big raise, bonus, promotion, etc. is hinging on your being certified, then I would strongly encourage you to reality-check that with peers in your organization.

Cheers, Erik

CISA and CISSP Preparation

Meru Networks erects a "cone of silence"

Wed, 30 Jul 2008 04:05:48 +0000

Who doesn't remember the cone of silence from the original Get Smart TV series. Whenever Max and the Chief had something important to discuss they would lower the cone of silence so that no one else could hear them or eavesdrop. So it is only fitting with the recent release of the Get Smart movie, Meru Networks has released a wireless cone of silence.

Meru is one of few stand alone wireless companies still hanging on out there. So they need to be innovative to survive. Their latest product, RF Barrier puts antennas around a physical plant to dampen and make it impossible to to listen in on wireless data exchanges. They claim this is a first of its kind. Thinking about it though, I don't see a big barrier to other companies having similar technology. I don't think you have to be a genius to broadcast traffic that puts out "noise" to hide legit traffic. I think the real special sauce is that this works in conjunction with Meru's other security products like wireless firewalls and secure access points.

With Motorola's recent purchase of AirDefense is having wireless IPS soon going to be table stakes in the wireless provider game? I think it is and while Meru's RF barrier is a nice story, they are going to need to have some sort of IDS/IPS in their product line to keep up.