[SecurityRatty] tag: street

CEP is Not Low Latency Messaging, EAI or ESB

Wed, 03 Sep 2008 08:31:49 +0000

In respose to CEP is Not BPM, BAM, BRE, BRMS or SOA, fellow blogger Mark Palmer posts, Smart Order Routing and CEP - Made for Each Other. Mark does a good job describing his perspective on smart order routing (SOR), yet his counterpoint that SOR is “complex event processing” is quite unconvincing.

I agree with Mark that SOR is important and very interesting; but in his reply he seems to be confusing CEP with “complex EAI” or a “complex messaging” application. For example, Mark says,

“It’s not uncommon for a single SOR system to connect to 10 or more markets and multiple asset classes. Not only is this a confluence of events, it’s a stunningly complicated environment in which to create a complex, real-time model in which to apply “simple” routing decisions. On this basis alone, SOR needs CEP.”

Connecting to many market feeds with multiple asset classes might be complicated, but “complicated connections” are an EAI (adaptation layer) function, not a core CEP function. In fact, TIBCO Software has been doing this type of low latency back-office order routing for many years, and TIBCO historically calls this “messaging.” Adding some rules to high speed, low latency messaging does not make it a “CEP” application.

Mark goes on to set up a counter argument to ILOG’s Changhai Ke, comments with,

“SOR operates by analyzing the confluence of events from market data feeds, order flows from OMS systems, and executions, aggregating and analyzing those events in real time, and adjust routing decisions on the fly.”

This is the well travelled argument the “new stream processing vendors in capital markets” have been saying, still unconvincingly, for the last few years. Basically their perspective is that if you have a lot of ”feeds” and a core requirement for “speed” - “feeds and speed” - you are doing “complex event processing.”

Mark Palmer forcefully stated his opinon that the folks who do not agree with him do not “understand” modern day SOR. However, a strong counter argument can be made that the “newcomers” to capital markets like StreamBase do not understand that “feeds and speeds” with order routing is little more than moderan day EAI. This is a basic message routing capability and it has been around for a long time. After all, Wall Street operated quite well before the term CEP was coined! TIBCO technology was providing Wall Street back office, low latency, smart order routing a decade ago, and they called this technology “messaging”.

So, I remain unconvinced, at least by Mark’s passionate counter post, that SOR is CEP. SOR, as Mark and other have described it, is a low latency messaging technology. Message routing rules have exisited in this technology space for decades.

I agree with Mark completely that low latency EAI (like SOR has been described) can be quite complex, from a “feeds and speeds” perspective. However, I remain skeptical that “feeds and speeds” is much more than modern day messaging and message routing.

In closing, in the network and security management world we have been dealing with “myriad feeds and speeds” for as long as I can remember, but admitted not like capital markets. Taking myriad feeds, running rules against the feeds and then routing the messages/events for further processing, regardless of the complexity of the feeds and the data, is actually more of a messaging/ESB technology than a CEP technology.

I remain completely open minded to any convincing counter arguments.

McIrony: An unexpected response from McAfee

Sat, 30 Aug 2008 09:04:00 +0000

Irony: incongruity between what might be expected and what actually occurs.

Right before Black Hat, I put together what I believed was a pretty strong arguement against McAfee Secure - Hacker Safe, at a level heretofore unexplored. I believe it was more damaging than anything I've said to date, and as such, presented potential risk for me. So I ran it by some friends before publishing it. Then a most extraordinary thing happened. I had a long chat with Nate McFeters, who described an awakening he'd recently experienced. He shared with me the belief that a better approach to potentially negative security research might be to try to create a positive outcome, and worry less about press cycles or exposure, the 15 minutes of fame if you will. He pointed to people like Mark Dowd as an example of people who conduct crushingly good research, and steer clear of the petty, ego driven bulls**t.
There I sat, repose like the thinking man, frozen for minutes. "Nate", I said, "I think you're right."
What do I aspire to as an information security professional; more readership or street cred than the next guy, or the respect of my peers for contributing to the greater good? Attention, press cycles, 15 minutes...it all has its allure, trust me on this.
But at the end of the day, I really do want to contribute to the greater good.
So I did something different. I sent my findings to McAfee and offered them an opportunity to respond, rather than publish first, ask questions later.
Here's the real kicker.
They responded.
I had a three hour lunch this past Thursday with two gentlemen from McAfee, who flew up from the Bay Area to Seattle to have a face to face with me. This, all by itself, speaks volumes to me. In addition to meeting with Kirk Lawrence, the new Director of Product Management for McAfee Secure, there I sat with, of all people, Joe Pierini, the very guy who has suffered more than his share of abuse, up to and including the Pwnie. As I have been a direct contributor and participant in heckling Joe, you can imagine our meeting could have been uncomfortable. It was not.
I have had expectations of McAfee and Scan Alert that to date have not been met, or my (your) perception has been that they have not been met.
This meeting was designed as an opportunity to voice some of these expectations, and see if McAfee, in turn, believed there was any merit to them.
Surprisingly, at least as spoken, we weren't all that far apart.
While, as a naive idealist, I believe that security should come before conversions, I am also grounded enough of a realize that the most attainable goal can be a marriage of both. This premise frames my expectations of McAfee.
Can they not be more of a "thought leader" for all the Ma & Pa websites who rely on McAfee Secure, first for a higher conversion rate, then security?
Can they not hold merchants to a higher standard, without alienating them and losing business?
Can they not embrace the security research community in a fashion that McAfee, the security community, the merchants, and consumers can all benefit from?
Can they not be more transparent in their approach, providing more details and feedback about their methods, their findings, and their vision?
I know McAfee Secure - Hacker Safe scans can find vulnerabilities.
I know they report the vulnerabilities to merchants.
What happens thereafter is where things begin to break down.
Can the scan engine be improved to find more vulns? Sure. That's really not that big a deal; technology can always be improved.
But, regarding holding merchants to a higher standard; therein is the whole point of this debate.
Anyone can throw a badge on a site.
But what happens when the site proves vulnerable is the key. I'll be candid here: I don't give a damn about the merchant at that point; it's the consumer who is at risk and needs something better from McAfee and their peers.
So, here begins a different approach. I know that making changes at a company the size of McAfee can be likened to the three miles it takes to turn around an aircraft carrier. I'm willing to work with them, and allow for a positive outcome.
I have been told that, in two or three weeks, we can expect a published standard, that clearly defines exactly what the McAfee Secure product offering adheres to, inclusive of their expectations for merchant remediation timelines, potential badge downgrades for unresolved vulnerabilities, and hopefully even a more clear stance on XSS.
I have been told that I will have the opportunity to discuss this standard, and invite feedback. Any standard is better than no standard.
I have also been told that this is just the beginning of changes that will lead to more of what I have hoped for in my expectations, over the next 6 months or so.
I am hopeful that we can take McAfee at their word, and even if slowly, see a positive outcome.

del.icio.us | digg

Thieves Target Homeowners and Builders

Fri, 29 Aug 2008 15:51:00 +0000

We have written about thefts of copper wire and even street manhole covers in the past. It appears that new homes and those being foreclosed upon are ripe targets for unscrupulous thieves.

Thankfully, there are many more solutions than in days past. Global Positioning Systems can now be hidden in materials and the thieves can be tracked in real time and the Police notified by the security consultant who has been hired to monitor their movements.

The highlighted link from "The New York Times", tells the sad story of a young couple and their 7 month old child who had to live onsite at their new house for many months in order to deter thieves.

We have spoken with home builders in the past regarding supplying security officers to monitor unfinished homes. One of the hurdles has been the cost of security. The escalating cost of these thefts may now make Home Builders think twice though.

The National Association of Home Builders claims that $5 BILLION a year is being stolen nationally by theives from homes under construction. That would purchase a lot of security services. Not to mention the cost of labor to replace that missing copper wire, plumbing fittings, doors & windows, etc.

Like we always say, thieves are opportunists. If you give them an opportunity such as leaving valuable building supplies unprotected, they will take them. On the other hand, if you put an obstacle in their path such as a site that is monitored by security cameras (with somebody on the other end of the camera - you'd be surprised how many businesses put in cameras but have nobody to monitor them)or a roving security vehicle, they will move along and ply their trade elsewhere.

That is called "target hardening". Quite literally, you make yourself (or your property) a harder, more difficult target. They then move along to some other target. Bad for someone else, but good for you.

Creepy Customer Profiling via Facial Recognition

Fri, 22 Aug 2008 05:41:08 +0000

Usually, shopping off-line is usually more ad-free than shopping online. But this is changing, with ads coming in strange places like video screens at Gas Stations, Albertson’s, and so on. Google’s been using content targeted at users for some time, and now this is coming to offline ads too. Some unlikely retailers like Dunkin Donuts are installing facial recognition systems that change the ads shown, depending whether the viewer is male or female, and in what age range.

The Wall Street Journal says that Dunkin’ Donuts is experimenting with video screens that use facial recognition technology to figure out your age and gender. The screens then display ads targeted specifically to you.

Creepy!

Dunkin’ Donuts is also tailoring the cash register ads to your specific purchase. If you buy a breakfast sandwich, you can expect an ad prompting you to return “for a coffee break in the afternoon” to “try an oven-toasted pizza.” The system is already in place at two Buffalo, NY locations.

Read the full article here.

Dont click that link, think first.

Wed, 20 Aug 2008 21:15:43 +0000

If the links not from someone you trust, dont click it!

clipped from it.toolbox.com

New Social Malware hits the street

As social malware goes, this is a good delivery mechanism for getting people to click on links. Most of us have learned that clicking on links from people who you do not know is generally not a good idea. Spinning up the social aspect of malware delivery, using MySpace and Facebook friends should result in a better penetration of the malware because we are used to clicking on links from our friends.

No Trademark for Cloud Computing

Thu, 14 Aug 2008 16:01:06 +0000

Just a couple of weeks ago, it was reported that Dell was in the final stages of being granted a trademark on “Cloud Computing” – shocking and amusing pretty much everyone except for possibly Dell employees. But apparently the US Patent and Trademark Office paid attention to the flurry of negative responses and has since cancelled their “Notice of Allowance” for the trademark.

I’d like to give everyone the benefit of the doubt here; perhaps Dell was using it in a much narrower sense. Perhaps the term has really only been used more commonly since the time Dell first applied for the trademark back in March 2007 and now. BUT…

- Dell’s definition is quite broad and certainly not Dell-specific. “The design of computer hardware for use in datacenters and mega-scale computing environments for others; customization of computer hardware for use in data centers and mega-scale computing environments for others; design and development of networks for use in data centers and mega-scale computing environments for others.” Strike One.

- And according to the Wall Street Journal’s research, “cloud computing” has been in regular use since 2001. Strike Two.

So now the “case” has been returned to examination and hopefully the PTO will follow up on everyone else’s research on this and decide that yes, cloud computing is one of those broad, ubiquitous terms that should NOT be trademarked by a single company.

Twelve billion dollars!

Wed, 13 Aug 2008 10:37:00 +0000

Sounds like a Dr. Evil sound bite :). In fact this could be the potential impact of the 41 million cards stolen - according to security company Jefferson Wells. The amount is a result of simple multiplication - 41 million x $300 for each card lost. On the higher end, no doubt.

While I don't think the real cost is anywhere close to that (even by an order of magnitude), it is still a large number. Even at street price of $2 per card, someone must be making 41 million x $2 = $82M!

More scary to imagine, is where this stolen data is going, what kind of money they are making and what illegal stuff is being done with it.

76Service - Cybercrime as a Service Going Mainstream

Wed, 13 Aug 2008 04:08:43 +0000

Disintermediating the intermediaries in the cybercrime ecosystem, ultimately results in more profitable operations. Controversial to the concept of outsourcing, some cybercriminals are in fact so self-sufficient, that the stereotype of a mysterious 76service server offered for rent could in fact easily cease to exist in an ecosystem so vibrant that literally everyone can partion their botnet and start offering access to it on a multi-user basis. Evil? Obviously. Extending the lifecycle of a proprietary malware tool? Definitely.

The infamous 76service, a cybercrime as a service web interface where customers basically collect the final output out of the banking malware botnet during the specific period of time for which they've purchases access to the service, is going mainstream, with 76Service's Spring Edition apparently leaking out, and cybercriminals enjoying its interoperability potential by introducing different banking trojans in their campaigns.

In this post, I'll discuss the 76service's spring.edition that has been combined with a Metaphisher banking malware, an a popular web malware exploitation kit, with two campaigns currently hosting 5.51GB of stolen banking data based on over 1 million compromised hosts 59% of which are based in Russia. Screenshots courtesy of an egocentric underground show-off.

Some general info on the 76service :

"Subscribers could log in with their assigned user name and password any time during the 30-day project. They’d be met with a screen that told them which of their bots was currently active, and a side bar of management options. For example, they could pull down the latest drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found. A project was like an investment portfolio. Individual Gozi-infected machines were like stocks and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. (In some cases, subscribers would use a few of the credentials themselves). Some machines, like some stocks, would under perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another."

The 76service empowers everyone who is either not willing to spend time and resources for building and maintaining a botnet, launching campaigns, and SQL injecting hundreds of thousands of sites in order to take advantage of the long tail of malware infected sites that theoretically can outpace the traffic that could come from a SQL injected high-profile site.

Next to the spring.edition, the winter edition's price starts from $1000 and goes to $2000, which is all a matter of who you're buying it from, unless of course you haven't come across leaked copies :

"Assuming that the dealer offering what he claimed was the 76service kit was correct, the profit is not only in the kit, but in selling value added services like exploitation, compromised servers/accounts, database configuration, and customization of the interface. Prices start between $1000 to $2000 and go up based on added services. The underground payment methods generally involve hard-to-track virtual currencies, whose central authority is in a jurisdiction where regulation is liberal to non-existent, and feature non-reversible transactions. The individual or group called "76service" was easy to track down on the Web, but not in person."

It's interesting to monitor how services aiming to provide specific malicious services are vertically integrating by expanding their portfolio of related services -- taka a spamming vendor that will offer the segmented email databases, the advanced metrics, and the localization of the spam messages to different languages -- or letting the buyer have full control of anything that comes out of a particular botnet for a specific period of time in which he has bought access to it. For instance, DDoS for hire matured into botnet for hire, which evolved into today's "What type of stolen data do you want?" for hire mentality I'm starting to see emerging, next to the usual interest in improving the metrics and thereby the probability for a more succesful campaign.

Ironically, this cybercrime model is so efficient that the people behind it cannot seem to be able to process all of the stolen data, which like a great deal of underground assets loses its value if not sold as fast as possible. The result of this oversupply of stolen data are the increasing number of services selling raw logs segmented based on a particular country for a specific period of time.

Time for a remotely exploitable vulnerability in yet another malware kit about to go mainstream? Definitely, unless of course backdooring it and releasing it doesn't achieve the obvious results of controlling someone else's cybercrime ecosystem.

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Malware as a Web Service
Coding Spyware and Malware for Hire
Are Stolen Credit Card Details Getting Cheaper?
Neosploit Team Leaving the IT Underground
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Pinch Vulnerable to Remotely Exploitable Flaw
Dissecting a Managed Spamming Service
Managed "Spamming Appliances" - The Future of Spam

People said China was safe, but danger still lurks in the so-called "safe" places.

Tue, 12 Aug 2008 12:06:00 +0000

The unfortunate stabbing death of an american who travelled with the Olympians showed that we should not take safety for granted.

Without being there, it is difficult to know, but one wonders if the press got it right when they reported that the killer did not know that the people he attacked were from America. It is highly probable that most American tourists would stand out on the streets of Beijing. If they followed the advice of security consultants who advise about trying to "blend in", there is a chance that they would be less obvious, but due to the fact that many were there to support the atheletes,I think it is very likley that the killer was able to identify them as being American.

The attacker did commit suicide after the attack, so there is a good chance that he was mentally disturbed. When we travel abroad, or even within our own countries for that matter, we should not only be looking for potential terrorists. There are a lot of other categories that can cause harm; burglars, robbers, purse snatchers, street con artists, kidnappers, people under the influence of alcohol/drugs and so on.

For many people, it is difficult to switch from relaxed tourist one minute to a defensive positon the next. Remember that it is alright to be cautous and suspicious. You don't have to make friends with everyone you meet on the street. It is much more important to be able to come home safe and sound to your family at the end of your trip.

Flying Without ID

Tue, 12 Aug 2008 08:33:39 +0000

Seems like the procedure has changed:

Mr. Peters nodded, and then looked down at the sheet which I had filled out and signed. “I’m going to have to make some calls to verify your identity.”
I nodded.

He pulled out a cell phone. I had assumed that we would be going to some separate screening room, but that wasn’t the case. He stood facing the silver table, and I leaned back against it. So this was the dreaded interview. People walked past us with bags and luggage.

"Hello," he said. "Security." Long pause. It sounded like he was transferred. He said a number that I think had the same number of digits as a phone number. Then he said a shorter number. "No, she doesn’t." He wrote something in small letters on the form. Then he spelled my name over the phone. "D-A-V-I-D-O-F-F. That’s Indigo Delta… yes."

He looked at me. "What’s the name of a street that you lived on prior to your current address?"

"Inman."

"Inman," he repeated. There was a pause. "Where did you live in 2004?"

"Hmm…" I said. "New Mexico? I think? Maybe Massachusetts."

He conferred with the person on the phone. "That’s fine." He hung up.

"All right," he said. "You’re going to go through full security screening." He wrote "SSSS" in red marker on my printed boarding pass. He handed my form to one of the officers at the podium, and then gestured to the first screening line. "Right here."

This only works if you've lost your ID, not if you refuse to show it.