[SecurityRatty] tag: thursday

Cablevision Activates Major Areas of Its Wi-Fi Network

Wed, 03 Sep 2008 17:01:01 +0000

New York area cable operator Cablevision flips switch for high-traffic areas of Long Island: They're announcing Thursday that they've turned on the initial phases of their network in Nassau and Suffolk counties, as well as at commuter rail platforms and station parking lots throughout Long Island. The service offers 1.5 Mbps in each direction, the company claims. Detailed site maps for their previous much smaller activated areas are up at their Wi-Fi information site, and I expect to see these updated soon.

Cablevision will ultimately spend about $300m in building a Wi-Fi network exclusively for its customers; 2.4m of these customers qualify to use the service at no cost. There's no pay as you go option, no monthly subscription; you're either a subscriber of theirs, or not. It's a fascinating strategy, because they're leveraging all these dollars as a tool to crack its competitors in the market. With increasing competition from telephone companies that are offering television service, cable companies need to compete on voice, data, and video, as well as well as on mobile offerings. When the network is built, Cablevision can conceivably offer Wi-Fi telephony service, too.

I'm dying to know what the reduced churn rate and increase in subscriptions will be in six months. Given that hotspot access costs $10 to $30 per month depending on the network, Cablevision is delivering something of value. It's great honey for new subscribers and glue to keep current subscribers.

The company is claiming that with this latest activation, they have the largest Wi-Fi network for consumers in the U.S. They're likely correct. The only other public access network of scale that's being used by large numbers is in Minneapolis, and based on what I know about both networks, Cablevision probably deserves bragging rights. The network in Taipei, Taiwan, is likely still larger, but I haven't heard any usage number in nearly two years; at that point, subscription rates were 10 percent of what had been projected.

McIrony: An unexpected response from McAfee

Sat, 30 Aug 2008 09:04:00 +0000

Irony: incongruity between what might be expected and what actually occurs.

Right before Black Hat, I put together what I believed was a pretty strong arguement against McAfee Secure - Hacker Safe, at a level heretofore unexplored. I believe it was more damaging than anything I've said to date, and as such, presented potential risk for me. So I ran it by some friends before publishing it. Then a most extraordinary thing happened. I had a long chat with Nate McFeters, who described an awakening he'd recently experienced. He shared with me the belief that a better approach to potentially negative security research might be to try to create a positive outcome, and worry less about press cycles or exposure, the 15 minutes of fame if you will. He pointed to people like Mark Dowd as an example of people who conduct crushingly good research, and steer clear of the petty, ego driven bulls**t.
There I sat, repose like the thinking man, frozen for minutes. "Nate", I said, "I think you're right."
What do I aspire to as an information security professional; more readership or street cred than the next guy, or the respect of my peers for contributing to the greater good? Attention, press cycles, 15 minutes...it all has its allure, trust me on this.
But at the end of the day, I really do want to contribute to the greater good.
So I did something different. I sent my findings to McAfee and offered them an opportunity to respond, rather than publish first, ask questions later.
Here's the real kicker.
They responded.
I had a three hour lunch this past Thursday with two gentlemen from McAfee, who flew up from the Bay Area to Seattle to have a face to face with me. This, all by itself, speaks volumes to me. In addition to meeting with Kirk Lawrence, the new Director of Product Management for McAfee Secure, there I sat with, of all people, Joe Pierini, the very guy who has suffered more than his share of abuse, up to and including the Pwnie. As I have been a direct contributor and participant in heckling Joe, you can imagine our meeting could have been uncomfortable. It was not.
I have had expectations of McAfee and Scan Alert that to date have not been met, or my (your) perception has been that they have not been met.
This meeting was designed as an opportunity to voice some of these expectations, and see if McAfee, in turn, believed there was any merit to them.
Surprisingly, at least as spoken, we weren't all that far apart.
While, as a naive idealist, I believe that security should come before conversions, I am also grounded enough of a realize that the most attainable goal can be a marriage of both. This premise frames my expectations of McAfee.
Can they not be more of a "thought leader" for all the Ma & Pa websites who rely on McAfee Secure, first for a higher conversion rate, then security?
Can they not hold merchants to a higher standard, without alienating them and losing business?
Can they not embrace the security research community in a fashion that McAfee, the security community, the merchants, and consumers can all benefit from?
Can they not be more transparent in their approach, providing more details and feedback about their methods, their findings, and their vision?
I know McAfee Secure - Hacker Safe scans can find vulnerabilities.
I know they report the vulnerabilities to merchants.
What happens thereafter is where things begin to break down.
Can the scan engine be improved to find more vulns? Sure. That's really not that big a deal; technology can always be improved.
But, regarding holding merchants to a higher standard; therein is the whole point of this debate.
Anyone can throw a badge on a site.
But what happens when the site proves vulnerable is the key. I'll be candid here: I don't give a damn about the merchant at that point; it's the consumer who is at risk and needs something better from McAfee and their peers.
So, here begins a different approach. I know that making changes at a company the size of McAfee can be likened to the three miles it takes to turn around an aircraft carrier. I'm willing to work with them, and allow for a positive outcome.
I have been told that, in two or three weeks, we can expect a published standard, that clearly defines exactly what the McAfee Secure product offering adheres to, inclusive of their expectations for merchant remediation timelines, potential badge downgrades for unresolved vulnerabilities, and hopefully even a more clear stance on XSS.
I have been told that I will have the opportunity to discuss this standard, and invite feedback. Any standard is better than no standard.
I have also been told that this is just the beginning of changes that will lead to more of what I have hoped for in my expectations, over the next 6 months or so.
I am hopeful that we can take McAfee at their word, and even if slowly, see a positive outcome.

del.icio.us | digg

Nmap presentation and class in Louisville area

Thu, 28 Aug 2008 15:03:44 +0000

Hi all, my GRE test went well and I'm back to working on the site. I've been invited by the Kentuckiana ISSA chapter to give a presentation on Nmap and its use. The event happens Sept 5, 11:30AM at the following location:

Innovative Productivity / McConnell Technology
401 Industry Rd, Louisville, KY 40208

The ISSA would like to have an RSVP. Also, I'll be giving a longer hands on demonstration and lab later on in September where people can bring their own laptops and use a private network to get some hands on experience with Nmap. We are not sure of all of the details yet, but it will likely be held Sept 20th at the Ivy Tech campus in Sellersburg, IN.

Also, this month's Louisville 2600 meeting is coming up on Thursday, Sept 24th. More details can be found here: http://louisville2600.org/

Nmap presentation and class in Louisville area

Thu, 28 Aug 2008 15:03:44 +0000

Also, this month's Louisville 2600 meeting is coming up on Thursday, Sept 24th. More details can be found here: http://louisville2600.org/

Apple promises September fix for iPhone security flaw

Wed, 27 Aug 2008 20:00:00 +0000

A recently discovered security flaw that would allow access to a locked iPhone will be fixed next month, Apple said on Thursday.

Best Western Hotel Online Booking Breached, 8 Million Victims In Personal Data Theft

Mon, 25 Aug 2008 09:57:47 +0000

Criminal gang has stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds. Thursday night, an unknown hacker, possibly indian, successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it [...]

Brazilian charged in botnet scheme, will be extradited to U.S.

Fri, 22 Aug 2008 09:00:00 +0000

A Brazilian man has been charged for trying to broker a deal to rent out a botnet in order to send spam, U.S. authorities said Thursday.

Brazilian charged in botnet scheme, will be extradited to US

Thu, 21 Aug 2008 20:00:00 +0000

A Brazilian man has been charged for trying to rent out a botnet that would be used to send spam, U.S. authorities said Thursday.

Nokia admits security flaws in Series 40 OS

Thu, 21 Aug 2008 09:00:00 +0000

Nokia confirmed Thursday its widely used Series 40 operating system has security vulnerabilities that could allow activation of stealth applications

Nokia admits security flaws in Series 40 OS

Wed, 20 Aug 2008 20:00:00 +0000

Nokia confirmed Thursday its widely used Series 40 operating system has security vulnerabilities that could allow stealth installation and activation of applications.