<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: surpass]]></title>
    <link>http://securityratty.com/tag/surpass</link>
    <description></description>
    <pubDate>Thu, 21 Feb 2008 19:03:01 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[ET and IT]]></title>
      <link>http://securityratty.com/article/f7836c0e5e12bf621dfc029dec99f890</link>
      <guid>http://securityratty.com/article/f7836c0e5e12bf621dfc029dec99f890</guid>
      <description><![CDATA[Interesting piece by Tom Friedman (who has been on the green bus longer than anyone in MSM) comparing the candidates' energy stances, especially this part

Why? Because renewable energy technologies...]]></description>
      <content:encoded><![CDATA[<p>Interesting <a href="http://www.nytimes.com/2008/09/03/opinion/03friedman.html?em=&amp;pagewanted=print">piece</a> by Tom Friedman (who has been on the green bus longer than anyone in MSM) comparing the candidates&#39; energy stances, especially this part:</p><br /><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p>Why? Because renewable energy technologies — what I call “E.T.” — are going to constitute the next great global industry. They will rival and probably surpass “I.T.” — information technology. The country that spawns the most E.T. companies will enjoy more economic power, strategic advantage and rising standards of living. We need to make sure that is America. Big oil and OPEC want to make sure it is not.</p></blockquote><br /><div><a href="http://money.cnn.com/2008/07/08/technology/Kleiner_bets_the_farm_Lashinsky.fortune/index.htm">Kleiner Perkins set up a $500M green growth fund</a>, which sounds like a lot, until you realize that energy is a $6 trillion industry. So Friedman is right that ET is going to be bigger than IT on the top line, though profit margins may be a different story.</div>]]></content:encoded>
      <pubDate>Fri, 05 Sep 2008 07:34:12 +0000</pubDate>
      <category domain="http://securityratty.com/tag/energy">energy</category>
      <category domain="http://securityratty.com/tag/renewable energy technologies">renewable energy technologies</category>
      <category domain="http://securityratty.com/tag/energy stances">energy stances</category>
      <category domain="http://securityratty.com/tag/friedman">friedman</category>
      <category domain="http://securityratty.com/tag/tom friedman">tom friedman</category>
      <category domain="http://securityratty.com/tag/kleiner perkins set">kleiner perkins set</category>
      <category domain="http://securityratty.com/tag/top line">top line</category>
      <category domain="http://securityratty.com/tag/strategic advantage">strategic advantage</category>
      <category domain="http://securityratty.com/tag/economic power">economic power</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/09/et-and-it.html">ET and IT</source>
    </item>
    <item>
      <title><![CDATA[When do you have an obligation to go public?]]></title>
      <link>http://securityratty.com/article/f062c79e169ca6db2fee6c28a0d75894</link>
      <guid>http://securityratty.com/article/f062c79e169ca6db2fee6c28a0d75894</guid>
      <description><![CDATA[No, not IPO public, but public about disclosing employer secrets which could provide a risk to the public. My friend Martin McKeay has written an article over the recent firing of an employee of TJX...]]></description>
      <content:encoded><![CDATA[<p>No, not IPO public, but public about disclosing employer secrets which could pose a risk to the public. My friend Martin McKeay has <a href="http://www.mckeay.net/2008/05/29/disclosing-in-a-public-forum-is-not-whistle-blowing/">written an article</a> over the recent firing of an employee of TJX for disclosing in a public forum continued poor security practices by TJX. The same TJX, I might add, that as a result of slipshod security practices caused hundreds of thousands of dollars, if not millions of dollars, in bank fraud to occur.<br><br>Many have categorized CrYpTiC_MauleR, the employee who disclosed the information on hackers.org, as a "whistleblower". The term <a href="http://en.wikipedia.org/wiki/Whistleblower">whistleblower</a> is a term of art and in many circles will invoke some special immunity for the person who disclosed the confidential information. However, usually the disclosure of this information is made to a person or entity with the power or at least willingness to take corrective action. In this case, I think that is the missing prerequisite. Just disclosing this information on a public message board does not meet the burden of defining this as whistleblowing. I think Martin is right on there. He says CrYpTiC (if I can call him that) was not a whistleblower in the strictest sense of the word and is not due any protection. He is just another person who violated his employment terms, and his termination by TJX was perfectly justified. Let me say that I don't disagree with Martin about TJX having the right to fire CrYpTiC. They certainly do.<br><br>I have a problem with Martin when he says that CrYpTiC should have done what he has done, and that is, keep your mouth shut and move on to the next opportunity. I think depending on the level of wrongdoing, not only is that wrong, but by willfully withholding certain information from the authorities it could make you guilty as an accomplice! 
Think about it, Martin: if you knew your employer was committing a crime and you just quit your job rather than report that crime, you are an accomplice. When does the responsibility for the general good outweigh your obligation to your employer? Is sticking your head in the sand and moving on while letting illegal or irresponsible behavior go on the right posture? I say not.<br><br>I think CrYpTiC felt strongly enough that what TJX was doing was wrong that he posted it publicly. Though he did it anonymously and did not think it would be traced back to him, he felt strongly enough that what TJX was doing was wrong and he wanted the world to know. When he made that decision, he also made the decision that letting the world know the truth was more important than his job at TJX. I am sure potential future victims of TJX fraud that will now be spared that loss would thank him for it. <br><br>Martin, there comes a time where keeping your mouth shut and moving along does not cut it. You have a duty to alert the proper authorities for the greater good of the public. The question is, when does your duty to disclose surpass your duty to keep your employer's information private? I think that is a personal question that all of us have to answer ourselves. Clearly criminal activity should be disclosed, otherwise you risk criminal exposure. Beyond that it is a judgment call. But saying not to disclose and just move on is appeasement at its worst.<br><br>The real question is why doesn't the PCI Council or the government have a forum for people like CrYpTiC to go to in the future? That is what is needed!</p>
]]></content:encoded>
      <pubDate>Thu, 29 May 2008 17:13:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/public">public</category>
      <category domain="http://securityratty.com/tag/public forum">public forum</category>
      <category domain="http://securityratty.com/tag/tjx">tjx</category>
      <category domain="http://securityratty.com/tag/tjx fraud">tjx fraud</category>
      <category domain="http://securityratty.com/tag/martin">martin</category>
      <category domain="http://securityratty.com/tag/cryptic">cryptic</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/cryptic mauler">cryptic mauler</category>
      <category domain="http://securityratty.com/tag/ipo public">ipo public</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/300938518/when-do-you-hav.html">When do you have an obligation to go public?</source>
    </item>
    <item>
      <title><![CDATA[Opinion: Promise for protecting laptops]]></title>
      <link>http://securityratty.com/article/b884bed85451e5601df3e4981d982afc</link>
      <guid>http://securityratty.com/article/b884bed85451e5601df3e4981d982afc</guid>
      <description><![CDATA[Dealing with laptop protection is arguably the least favorite job for IT managers, and indications are that laptop sales will surpass desktop sales, so the situation is likely to only worsen. But...]]></description>
      <content:encoded><![CDATA[Dealing with laptop protection is arguably the least favorite job for IT managers, and indications are that laptop sales will surpass desktop sales, so the situation is likely to only worsen. But upcoming chip-level antitheft technology and remote outsourced backup services promise relief.
]]></content:encoded>
      <pubDate>Wed, 30 Apr 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/surpass desktop sales">surpass desktop sales</category>
      <category domain="http://securityratty.com/tag/chip-level antitheft technology">chip-level antitheft technology</category>
      <category domain="http://securityratty.com/tag/favorite job">favorite job</category>
      <category domain="http://securityratty.com/tag/laptop protection">laptop protection</category>
      <category domain="http://securityratty.com/tag/laptop sales">laptop sales</category>
      <category domain="http://securityratty.com/tag/situation">situation</category>
      <category domain="http://securityratty.com/tag/arguably">arguably</category>
      <category domain="http://securityratty.com/tag/remote">remote</category>
      <category domain="http://securityratty.com/tag/indications">indications</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/280999425/article.do">Opinion: Promise for protecting laptops</source>
    </item>
    <item>
      <title><![CDATA[Malware Infected Hosts as Stepping Stones]]></title>
      <link>http://securityratty.com/article/fe9b6c49187fb025f09b00f246548e68</link>
      <guid>http://securityratty.com/article/fe9b6c49187fb025f09b00f246548e68</guid>
      <description><![CDATA[The following service that's offering socks hosts on demand, is pretty much like the Botnet on Demand one, with the only difference in its marketing pitch, namely, these are malware infected hosts as...]]></description>
      <content:encoded><![CDATA[<a href="http://bp0.blogger.com/_wICHhTiQmrA/R746_ad7lwI/AAAAAAAABZQ/TZajv2X1zWw/s1600-h/malware_infected_proxies.jpg"><img id="BLOGGER_PHOTO_ID_5169634283378939650" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp0.blogger.com/_wICHhTiQmrA/R746_ad7lwI/AAAAAAAABZQ/TZajv2X1zWw/s200/malware_infected_proxies.jpg" border="0" /></a>The following service that's offering SOCKS hosts on demand is pretty much like the <a href="http://ddanchev.blogspot.com/2007/10/botnet-on-demand-service.html">Botnet on Demand</a> one, with the only difference in its marketing pitch, namely, these are malware infected hosts as well, however, access is offered <strong>through</strong> them, but not <strong>to them</strong>. The degree of maliciousness of these hosts can only be measured once the exact IPs are known, and by degree of maliciousness I'm referring to their state of openness, namely, can malware, spam and phishing also be relayed through them, or we can eventually look up the historical IP reputation to figure out whether such activities have been going on in the past as well. Moreover, such commercial propositions are directly related with proxy threats, ones outlined in a KYE paper entitled "<a href="http://www.honeynet.org/papers/proxy/index.html">Proxy Threats - Port v666</a>" discussing various detection and mitigation approaches:<br /><br />"<em>In typical proxybot infections we investigate proxy servers are installed on compromised machines on random high ports (above 1024) and the miscreants track their active proxies by making them "call home" and advertise their availability, IP address, and port(s) their proxies are listening on. These aggregated proxy lists are then used in-house, leased, or sold to other criminals. 
Proxies are used for a variety of purposes by a wide variety of people (some who don't realize they are using compromised machines), but spam (either SMTP-based or WEB-based) is definitely the top application. The proxy user will configure their application to point at lists of IP:Port combinations of proxybots which have called home. This results in a TCP connection from the "outside" to a proxybot on the "inside" and a subsequent TCP (or UDP) connection to the target destination (typically a mail server on the outside).</em>"<br /><br />The commercial aspect is always there, so to say, and vertically integrating, since besides selling the product in the form of the tool, they could eventually start coming up with various related, and of course malicious, services in the form of spamming, phishing, etc. It's perhaps more interesting to discuss the big picture. Once a great deal of these malware infected hosts is accumulated in such a way, there's no accountability, and these act as stepping stones for <a href="http://ddanchev.blogspot.com/2007/10/fast-flux-spam-and-scams-increasing.html">any kind</a> of <a href="http://ddanchev.blogspot.com/2007/10/love-is-psychedelic-too.html">cybercrime</a> activities, <a href="http://ddanchev.blogspot.com/2007/08/commercial-click-fraud-tool.html">as well</a> as the foundation for other services such as the <a href="http://ddanchev.blogspot.com/2007/11/managed-fast-flux-provider.html">managed fast-flux provider</a> I once exposed.<br /><br />Stepping stones as a concept in cyberspace can be used for various purposes such as engineering cyber warfare tensions, <a href="http://ddanchev.blogspot.com/2007/12/phishers-spammers-and-malware-authors.html">virtual deception</a>, hedging the risk of getting caught, or actually forwarding the risk to the infected party/country in question, and <a href="http://ddanchev.blogspot.com/2006/09/internet-psyops-psychological.html">PSYOPs</a>; the scenario-building approach can turn out to be very creative. 
One of the main threats posed by the use of infected hosts as stepping stones that I've been covering in previous posts related to <a href="http://ddanchev.blogspot.com/2007/09/chinas-cyber-espionage-ambitions.html">China's active cyber espionage and cyber warfare doctrine</a> is that of purposely creating a twisted reality. China, for instance, is the country with the second largest Internet population, and will soon surpass the U.S.; logically, it would also surpass the U.S. in terms of malware infected hosts, and with today's reality of malware, spam and phishing coming from such, China will also undoubtedly take the number one position for malicious activities.<br /><p>However, with lack of accountability and so many infected hosts, is China the puppet master the mainstream media wants you to believe in so repeatedly, or is the country's infrastructure a puppet itself? One thing's for sure - asymmetric and cost-effective methods for obtaining <a href="http://ddanchev.blogspot.com/2007/04/osint-through-botnets.html">foreign intelligence</a> and <a href="http://ddanchev.blogspot.com/2007/05/corporate-espionage-through-botnets.html">research data</a> are at the top of the agenda of every government with an offensive cyber warfare doctrine in place.</p><div class="feedflare">
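<p>Added example (not code from the post above or from the KYE paper it quotes): the proxybot pattern the paper describes is also a detection signature for the infected party. If your own host is the stepping stone, a connection from an outside client to a random high port is followed within seconds by a connection from that same host to an outside mail server, and the same listening port keeps receiving distinct outside clients. The Python below applies exactly that pairing to constructed flow records. The 10.0.0.0/8 internal range, the 5-second pairing window, the 3-client threshold, the SMTP-only relay port set and the sample flows are all assumptions made for the illustration.</p>

```python
"""Detect the proxybot relay pattern on constructed flow records.

Added example, not code from the post or the KYE paper. The internal range,
the pairing window, the client threshold and the sample flows are all assumed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto".
# 10.1.2.3 behaves like a proxybot: three distinct external clients hit the same
# high port (37281) and each hit is followed within seconds by an outbound SMTP
# session from 10.1.2.3. 10.1.2.9 shows ordinary traffic: an inbound RDP hit and
# an unrelated outbound SMTP session 40 seconds later, outside the window.
SAMPLE_FLOWS = """\
2008-02-21T19:00:01 203.0.113.7 51234 10.1.2.3 37281 tcp
2008-02-21T19:00:02 10.1.2.3 40001 198.51.100.25 25 tcp
2008-02-21T19:00:05 203.0.113.9 43210 10.1.2.3 37281 tcp
2008-02-21T19:00:06 10.1.2.3 40002 198.51.100.26 25 tcp
2008-02-21T19:00:09 203.0.113.12 33333 10.1.2.3 37281 tcp
2008-02-21T19:00:10 10.1.2.3 40003 198.51.100.27 25 tcp
2008-02-21T19:00:30 10.1.2.9 50000 198.51.100.80 443 tcp
2008-02-21T19:01:00 203.0.113.50 60000 10.1.2.9 3389 tcp
2008-02-21T19:01:40 10.1.2.9 50001 198.51.100.90 25 tcp
"""

# Assumed address space of the monitored network.
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto,
        })
    return flows


def find_proxy_relays(flows, window_seconds=5, min_clients=3,
                      relay_ports=frozenset({25}), ephemeral_floor=1024):
    """Pair each outbound relay connection with the most recent inbound hit on a
    high port of the same host, then keep listeners used by several distinct
    external clients. Returns findings sorted by (host, port)."""
    window = timedelta(seconds=window_seconds)
    inbound = defaultdict(list)   # host -> inbound hits on high ports, time ordered
    listeners = defaultdict(lambda: {"clients": set(), "relays": 0})

    for f in sorted(flows, key=lambda f: f["ts"]):
        from_outside = not is_internal(f["src"]) and is_internal(f["dst"])
        to_outside = is_internal(f["src"]) and not is_internal(f["dst"])
        if from_outside and f["dport"] > ephemeral_floor:
            inbound[f["dst"]].append(f)
        elif to_outside and f["dport"] in relay_ports:
            # Only the most recent inbound hit is considered; if it is already
            # older than the window, nothing on this host is a plausible client.
            # One inbound hit may be credited with several relays, which is
            # fine for a proxied session that opens multiple connections.
            for hit in reversed(inbound[f["src"]]):
                if f["ts"] - hit["ts"] > window:
                    break
                entry = listeners[(f["src"], hit["dport"])]
                entry["clients"].add(hit["src"])
                entry["relays"] += 1
                break

    findings = []
    for (host, port), entry in sorted(listeners.items()):
        if len(entry["clients"]) >= min_clients:
            findings.append({
                "host": host, "listen_port": port,
                "distinct_clients": len(entry["clients"]),
                "relayed_connections": entry["relays"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_proxy_relays(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

<p>On the sample data only 10.1.2.3 port 37281 is reported; the RDP hit on 10.1.2.9 is discarded because its later SMTP session falls outside the window. The thresholds are the knobs a real deployment has to tune: legitimate NAT gateways, mail relays and port-forwarders also show outside-in followed by inside-out traffic, so distinct-client counts and a short window are what separate a proxybot listener from a normal service, and the historical IP reputation lookups the post mentions are the natural second check on the outside clients that get paired.</p>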
</div>]]></content:encoded>
      <pubDate>Thu, 21 Feb 2008 19:03:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/hosts">hosts</category>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/socks hosts">socks hosts</category>
      <category domain="http://securityratty.com/tag/malware infects hosts">malware infects hosts</category>
      <category domain="http://securityratty.com/tag/top application">top application</category>
      <category domain="http://securityratty.com/tag/application">application</category>
      <category domain="http://securityratty.com/tag/stones">stones</category>
      <category domain="http://securityratty.com/tag/top">top</category>
      <category domain="http://securityratty.com/tag/activities">activities</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/239183580/malware-infected-hosts-as-stepping.html">Malware Infected Hosts as Stepping Stones</source>
    </item>
  </channel>
</rss>
