[SecurityRatty] tag: universe

Huh? Elected officials held accountable?

Sat, 27 Sep 2008 11:03:46 +0000

I woke up in another universe this morning. Here in this universe, elected officials are held accountable for their mistakes that harm you.
I suspect though that collecting on the courts award will be another nightmare altogether.

clipped from news.cincinnati.com

Elected officials can be sued in ID theft, court rules

Elected officials can be sued if they place your private information online and someone uses it to steal your identity, an Ohio appeals court ruled Friday in overturning a lower court ruling.

Let's Play Two

Tue, 12 Aug 2008 08:47:51 +0000

Every year my Dad and I go to see a Red Sox series. Last weekend was this year's trip and we went to Chicago to see the World Champion Boston Red Sox (saying that never gets old) play the White Sox. Of course, while you are in Chicago you have to see Wrigley Field, and we really lucked out. This weekend was Red Sox versus the White Sox (the battle of the Soxes they used to call it on Channel 38) on the southside and northside featured Cubs versus Cardinals! The last four World Series winners in town on the same weekend (Red Sox 04, 07, White Sox 05, Cards 06).

We learned several things- first in heaven the Cubs play the Red Sox in the World Series. Those ballparks are true gems. (In hell its probably the Yankees versus Phillies). Also, the people on the southside and northside *really* have a rivalry going. Its basically Boston v NY but they live in the same town! Here is one example from the southside

One of the great things about Wrigley (and there are many despite what southsiders say), is that its in the middle of a real neighborhood

Epicenter of Cub universe

Lots of action before and after game time, lots of people wandering around with gloves catching batting practices homers outside the stadium...err Field. Key point - Wrigley is a field, not a Stadium. Also Fenway is a Park. The Greek root of the word "paradise", means "enclosed green space", not concreteopolis

Wrigley is baseball Mecca

The greatest Cub of all, Ernie Banks, was our touchstone for the day - "Let's Play Two." we started at Wrigley for the day game (Zambrano got shelled) and then got crosstown for the night game.

To pull this off the L is your friend. As several Chicagoans pointed out, they are the only city that can have a true subway series, because the Red Line services both the White Sox and Cubs, whereas Mets-Yankees involves numerous transfers and so on.

We got to US Cellular Field which is fine but a shadow of Wrigley and absolutely nothing good to eat. Luckily we had Daisuke Matsuzaka on the hill

Before every game, Big Papi holds court in center with some players from the other team, he is to be a very popular guy. Ozzie Guillen told him before the series that with Manny gone, he wouldn't see a pitch to hit all weekend (ps. he did and crushed a bases loaded double)

The question we got most was - what about the Manny trade? His replacement strikes out a lot, but is otherwise a promising player

The Red Sox and White Sox share a little history, most especially Pudge Fisk who hit the famous homer in the 75 world series for the Red Sox and then had a great career for the White Sox (actually played more games for Chicago than Boston, but went into Cooperstown with a B on his hat)

Red Sox won, hanging out in Wrigley was an even bigger highlight, and Chicago is a beautiful city to visit, by far the most accessible of the big US cities. Also, lots of good places to eat courtesy of Thomas Ptacek.

Wee-Fi: Hughes Ups Downstream Speeds; Eye-Fi Raises More Cash

Wed, 06 Aug 2008 07:59:34 +0000

HughesNet now delivers 5 Mbps downstream over satellite: The network was previously limited to 3 Mbps down for a whopping $190 or $210 per month, depending on whether you paid upfront for the receiver or not. The new service, ElitePremium (running out of superlatives, eh, HughesNet?), doesn't yet show up in their list of plans, and the press release declines to mention the price, which is likely to be $250 per month based on their other tiers. While that's steep, when the alternative is nothing, paying $60 for 1 Mbps to perhaps $250 Mbps for 5 Mbps downstream could be a lifeline for businesses in the boonies.

Eye-Fi raises $11m in second funding round: I don't cover companies' financial dealings often, but Eye-Fi is always worth highlighting, as they appear to be the only smart entrant in the entire universe of cameras-with-Wi-Fi, and they're not even a camera maker. Camera makers have typically limited or straitjacked the onboard Wi-Fi. Eye-Fi's now three models of SD cards with Wi-Fi built in have a pretty wide range of controls and abilities. I tested out the Eye-Fi Explore recently, which pairs Wi-Fi GPS-like positioning from Skyhook with Wayport hotspot access, and the review appears in Saturday's Seattle Times. Eye-Fi's biggest challenge is better camera integration, so that cameras can handle power management in discussion with the card; camera makers have to not feel threatened by Eye-Fi's smart technology, though.

Information Centric Security and Virtualization

Mon, 21 Jul 2008 15:00:00 +0000

With Information Centric Security, you create a virtual container, wrapper or 'universe' for the data and the business rules. You no longer care if some of the infrastructure has been compromised as you may still be able to keep data secure even if it has been copied or vMotion'ed off to some other place outside your control.

PC Universe is shrinking thanks to McAfee Secure's cluelessness

Fri, 27 Jun 2008 06:11:00 +0000

My web app sec friends know exactly how to push my red buttons. "Heh-heh, send it to Russ, he'll go off." Yep. ;-) Thanks, Rafal. Now I'm all spun up. I was sent two moronic gems this morning; one on the merits of McAfee Secure / Hacker Safe and the 109% sales increase it resulted in for PC Universe, the other an interview with the Internet's single biggest dillweed, Cresta Pillsbury. These articles are both a bit dated, but they equally embrace the premise of "trust" logos as a predominant sales driver, rather than any actual motivation to secure a site and protect consumers.
An example:
"If you’re doing conversion marketing and statistical testing on your website and you haven’t explored trust logos yet, then you’re missing out."
I must be the most naive person in the world; this enrages me. When will the idiots who write this crap get a clue? They've bought right into the hype the snake oil salesmen hoped they would and are now complicit in their failures.
Case in point, as seen in the Internet Retailer piece. By the way, I realize that Internet Retailer and basic web application security practices are completely at odds, but this one deserves direct abuse.
"PC Universe first tested Hacker Safe on its own site in an A/B split test in which half the visitors saw the Hacker Safe seal and half did not. During that test, 7.3% more orders came from Hacker Safe shoppers than from the control group. PC Universe, which operates on the web at PCUniverse.com, is No. 360 in the Internet Retailer Top 500 Guide."
Really? Let's see what McAfee Secure / Hacker Safe has done to actually provide any measurable security benefit.
How about absolutely nothing.
Here's PC Universe's very current, verified McAfee Hacker Safe cert.
Now, here are a few ridiculous examples of reality from the this universe as opposed to the McAfee-twisted alternate universe. Please note, this is the "accountid" variable, and the fact that the marquee is rendered no less than eight times.
1) Marquee
2) XSS Deface
3) Cookie
If you rather just see a video of these vulns, it's here.
PC Universe, rather than lauding your sales increases thanks to some POS logo, try securing your site code. I guarantee you have other issues.
McAfee Secure, once more, you are simply fraudulent to the core.

del.icio.us | digg

More Log Management Questions - Answered!

Fri, 23 May 2008 12:04:00 +0000

I did this VERY fun webcast with WhiteHatWorld this week and a lot of good questions about log management came up. I am answering them here for my readers. BTW, LogLogic product-specific questions can be found on LogLogic website; I am not answering them here.

Q1: Is a preferred log management program to consolidate the log data and then allow us to review them?

A1: The answer is "Yes!" for a vast majority of use cases consolidating logs work better than the silo'ed approach. Also, this will be answered in longer dedicated post within a few days (link TBA).

Q2: Is it feasible to use a log management tool to try to determine whether application events / failures are being caused by infrastructure issues?

A2:Wow, fantastic! The answer to this is "Yes, if you have the right logs collected." In most cases, to get to the bottom of such issues requires having BOTH application (e.g. PeopleSoft or Oracle) and infrastructure logs (e.g. Windows or Solaris).

Q3: What the typical retention schedule for logs which might be required logs for compliance issues?

A3: I wish I can give a simple answer for this, but there is none. Well, PCI DSS makes it simple: 1 year for logs from in-scope systems. Other regulations are not as clear and the numbers, or - more often! - guesses at such number range from 90 days to 7 years and more. 90 days to 1 year is a common retention policy for security (on the longer side of this range) and operationally (on the shorted side of this time range) useful logs. Check this out for a few ideas for long long you might need the logs.

Q4: Once you have logged the events, what do you do with them?

A4: Well, I was about to laugh it off since it truly opens up a Universe of questions, issues, challenges, etc. But here is my attempt at a short answer (like, less than a book :-)): a) you collect the logs and now you can search thru them in case you need to b) you summarize them and notice the trends - overall know what is going in your environment c) you analyze them in real time to trigger alerts on "critical" log messages - failures, attacks, etc. See this slide deck for some useful pointers.

Q5: Why do I create a log policy?

A5: Log policy is a clear and simple document that show what you log on each system (and why): it helps you to configure logging across all the systems as well as helps to know what information you have in your environment (should an auditor ask, for example). A log policy also defines log retention, log review practices, etc. NIST 800-92 Guide to Security Log Management [PDF] is a good source of info on this subject.

Enjoy!

Technorati tags: log management, logging

Microsoft hack pack spells trouble

Wed, 30 Apr 2008 20:00:00 +0000

Microsoft has announced a suite of tools called COFEE that makes forensic analysis of Windows easier. This means that there is a whole universe of potential exploits just waiting to be found.

Access AT&T Wi-Fi from T-Mobile Hotspots

Thu, 10 Apr 2008 06:28:37 +0000

T-Mobile's roaming deal with AT&T has obviously already kicked in: Astute reader Klaus Ernst let me know several days ago that the New York Starbucks locations were offering an AT&T login on the gateway page. I lackadaisically tried this out yesterday here in Seattle. AT&T has a ton of roaming partners, so it presents an interface that lets you type in whatever your particular credentials are to gain access. With my Boingo Wireless account, I have easy access to Starbucks now. The screen below was captured on my iPhone at a Starbucks in Fremont, Seattle (otherwise known as the center of the universe).

Is the 3Com, Bain, Huawei deal dead for good?

Fri, 21 Mar 2008 06:26:20 +0000

Saw a couple of reports today including this one in the NY Times that the Bain, 3Com, Huawei deal is dead again. Of course we have heard this before, only to see the parties try to figure something else out. But this time it sounds like Bain is done wasting cycles on this deal and going to move on. 3Com's stock took a dive on the news.

I personally think that if they were going to divest the Tipping Point stuff, what was the big deal with this one. Instead now 3Com has a much narrower potential universe of partners/acquirers to deal with. It materially decreases the worth of their company and their ability to compete. Looks like Cisco is the winner here. I wonder what there position on this was?

Update: Now comes a report that 3Com is demanding a 66 million dollar "break up" fee from Bain for withdrawing from the deal for no good reason. I don't know but the government not letting the deal go through seems like a good reason to me. However, deals like this often have a break up fee clause. Guess we will have to see how this one turns out.

Is the 3Com, Bain, Huawei deal dead for good?

Fri, 21 Mar 2008 05:26:20 +0000