Web Application Email Harvesting Worm

June 13, 2006
This is a rare example of a web application vulnerability worm, targeting one of the most popular free email providers by harvesting email addresses from users' 1GB mailboxes and, of course, propagating further.

"Yahoo! on Monday has repaired a vulnerability in its email service that allowed a worm to harvest email addresses from user accounts and further spread itself. The JS/Yamanner worm automatically executes when a user opens the message in the Yahoo Mail service. It uses JavaScript to exploit a flaw that until today was unpatched. Yahoo later on Monday fixed the vulnerability. "We have taken steps to resolve the issue and protect our users from further attacks of this worm. The solution has been automatically distributed to all Yahoo! Mail customers, and requires no additional action on the part of the user," Yahoo! spokeswoman Kelley Podboy said in an emailed statement."

Web application worms have the potential to dominate the malware threatscape given the amount of traffic their platforms receive; my point is that even within a tiny timeframe like this one, a worm could achieve the speed and efficiency we have so far seen only in single-packet worms.
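As an added example (not code from the original post, nor from Yahoo!), here is the kind of defensive control that addresses the flaw class the post describes: a strict allowlist sanitizer run over an HTML message body before the webmail UI renders it, so that script tags, event-handler attributes and script-scheme URLs embedded in a message never reach the recipient's browser. The tag and attribute allowlists and the sample message are constructed for this example.

```python
"""Allowlist sanitizer for HTML message bodies in a webmail front end.

Added example, not code from the original post or from Yahoo!. It targets
the flaw class the Yamanner post describes: active content embedded in a
message that runs as soon as the recipient opens it. The allowlists and the
constructed sample message below are the editor's own choices.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "img", "ul", "ol", "li",
                "div", "span", "table", "tr", "td"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}                    # never get a closing tag
# Tags whose whole content is discarded, not just the tag markup.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEME = re.compile(r"^(https?|mailto):", re.IGNORECASE)


def safe_url(value):
    """Allow relative URLs and explicit http(s)/mailto schemes only."""
    # Browsers ignore ASCII control characters and whitespace inside a
    # scheme ("java\tscript:"), so strip them before looking at it.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    if ":" not in cleaned:
        return True
    return bool(SAFE_SCHEME.match(cleaned))


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0        # nesting depth inside DROP_CONTENT_TAGS

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return               # unknown tag: markup dropped, text kept
        kept = []
        for name, value in attrs:
            # Anything not allowlisted is gone, which covers every on*
            # event handler and style attribute without enumerating them.
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            # HTMLParser has already decoded entities in the value, so an
            # entity-encoded "javascript:" is caught here as well.
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            return               # e.g. <script/>: no content to drop
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.dropping:
                self.dropping -= 1
            return
        if self.dropping or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))   # re-encode decoded text
    # Comments, declarations and processing instructions fall through to
    # the base class, which emits nothing, so they are dropped as well.


def sanitize_mail_html(body):
    """Return a rendering-safe version of an untrusted message body."""
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


# Constructed sample message: an image with an event handler, a script
# block, two disguised script URLs and one legitimate link.
SAMPLE_MESSAGE = (
    '<p>Hi!</p>'
    '<img src="http://example.test/pic.jpg" onload="harvest()" alt="pic">'
    '<script>steal_contacts()</script>'
    '<a href="javascript:run()">click</a>'
    '<a href="&#106;ava\tscript:run()">click2</a>'
    '<a href="https://example.test/">ok</a>'
)

if __name__ == "__main__":
    print(sanitize_mail_html(SAMPLE_MESSAGE))
```

Unknown tags lose their markup but keep their text, so a message survives sanitization readable while every vector the post's worm relied on (script, event handlers, script URLs) is stripped before rendering.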

In a previous post related to the "Current State of Web Application Worms", you can also find more comments and resources on the topic. The content spoofing exploiting the trust between the parties that I mentioned there is rather mild compared to the automated harvesting in this case. As there's naturally active research being done on Bluetooth honeypots, IM honeypots, ICQ honeypots and Google Hacking honeypots, it's about time to start seeding your spam trap emails within free email providers or social networking providers.

The stakes are too high for these flaws not to be exploited one way or another; I hope we'll some day be surprised by a top web property fixing a vulnerability on its own initiative. Realizing the importance of their emerging position as an attack vector for malware authors is yet another issue to keep in mind. And the best part about web services is their push patching approach: you're always running the latest version, so relying on end users is totally out of the question.

Find out more details on the worm, and comments as well.

UPDATE: A rather active month when it comes to web application malware events: another Data-Theft Worm Targets Google's Orkut.

Consolidation, or Startups Popping out Like Mushrooms?

June 13, 2006
If technology is the enabler, and the hot commodity these days, spammers will definitely twist the concept of targeted marketing while taking advantage of it. Last week I mentioned the concepts of VoIP, WiFi and cell phone spam, which are slowly starting to take hold.

Gartner recently expressed a (pricey) opinion on the upcoming consolidation of spam vendors, while I feel they totally ignored the technological revolution of spamming to come -- IPsec is also said to be dead by 2008.

"The current glut of anti-spam vendors is about to end, analysts at Gartner said Wednesday. But enterprises shouldn’t stay on the sidelines until the shakeout is over. By the end of the year, Gartner predicted, the current roster of about 40 vendors in the enterprise anti-spam filtering market will shrink to fewer than 10. As consolidation accelerates and as anti-spam technology continues to rapidly change, most of today’s vendors will be "left by the wayside," said Maurene Caplan Grey, a research director with Gartner, and one of two analysts who authored a recently-released report on the state of the anti-spam market."

The consequence of cheap hardware, HR on demand, angel investors falling from the sky on a daily basis, and vendor-licensed IP would be start-ups popping up like mushrooms to cover the newly developed market segments, and some will stick around long enough not to get acquired, provided they realize they possess a core competency.

Sensor networks, spam traps and Bayesian filters are all holding the front, while we've grown used to "an acceptable level of spam", not the absence of it. What's emerging for the time being is the next logical stage: localized spam in native languages, and believe it or not, it gets through the filters and hurts productivity, the major problem posed by spam.

SiteAdvisor -- I feel I'm almost acting as an evangelist of the idea -- recently responded to Scandoo's concept by wisely starting to take advantage of its growing database and providing the feature in email clients while protecting against phishing attacks. End users won't change their googling habits just because search is insecure by default; they trust Google more than they would trust an extension, and they'd rather worry about Google abusing their click stream than about anything else. Anti-phishing toolbars are a buzz, and it's nice to see the way they're orbiting around it.

Be a mushroom, don't look for an umbrella from day one!

It's Getting Cloudy, and Delicious

June 11, 2006
For real. A brief summary of the instant links for the last two days:

01. Eight Indian Startups to Watch - "Some startups are offering unique solutions for India’s burgeoning domestic market, others are targeting global markets. Several are going after both. Red Herring has chosen a few below-the-radar young companies that we think are worth watching." - to Investing Technology India on June 10

02. 'Grand Theft Auto' Game Makers Settle With FTC - "A settlement has been reached with the companies behind the popular video game "Grand Theft Auto: San Andreas," Take-Two Interactive and subsidiary Rockstar Games, which were sued for deceptive practices over hidden sexual content in the game." - to Game Investing on June 10

03. Symbian dismisses smartphone security risk - "David Wood, executive vice president of research at Symbian, said on the Symbian website that smartphones only pose a security risk if companies ignore basic practical rules." - to Malware Symbian on June 10

04. AV management 2006 - "We have assembled a comprehensive range from the leading anti-virus products available in today’s market. During our testing, we began by checking the capacity of these respective offerings to cope with basic tasks." - to Security Malware AntiVirus on June 10

05. Zero-Day Exploits Abound at Legitimate Web Sites - "An exploit distribution network controlled by a single organization that was using a network of 40 Internet domains, each of which was linked to an average of 500 infected sites, for a total of roughly 20,000 Web pages forwarding the groups' attacks." - to 0day Vulnerabilities on June 10

06. Taiwan Faces Increasing Cyber Assaults - "A hacker managed to issue an e-mail attachment that contained a fake press release purportedly from the Military Spokesman’s Office describing a meeting between People’s First Party representatives and MND officials." - to InformationWarfare Cyberwarfare Taiwan China on June 10

07. Social- and Interactive-Television Applications Based on Real-Time Ambient-Audio Identification - "We showed how to sample the ambient sound emitted from a TV and automatically determine what is being watched from a small signature of the sound—all with complete privacy and minuscule effort." - to NewMedia Privacy Surveillance on June 10

08. The Evolution of In-Game Ads - "Marketed as a way to help game makers increase their bottom line or make specific titles more realistic, advertisers are continually searching for ways to reach new audiences—young males and beyond." - to Game Advertising ... on June 11

09. Risks of Keeping User Data Outweigh Benefits - "Large data troves are certain to become targets of hackers, identity thieves and unscrupulous insiders. As the raft of recent data breaches has shown, there are plenty of companies, organizations and government agencies that do a lousy job at securing data." - to Security on June 11

10. Protect Me, Protect My Data - "Companies that underestimate security threats to their records do so at their own peril. It can mean a loss of trust and of business." - to Security on June 11

11. Audit finds security weaknesses at NASA center - "The IG’s audit found other problems as well. System administrators also accessed a key server containing security information without adequate encryption and did not remove unnecessary services from the network." - to Security NASA on June 11

12. America's Most Stolen Vehicles - "The Cadillac Escalade had the highest theft claim rate overall, according to the HLDI, and was the most stolen SUV, according to the CCC 2004 stolen vehicle report." - to Security Theft on June 11

13. N Korea in 'US spy plane' warning - "North Korea says it will punish the US, after claiming it is conducting spying flights over its territorial waters." - to Intelligence Reconnaissance on June 11

14. McAfee SiteAdvisor to add site blocking, extend ratings beyond Web - "McAfee is planning enhancements to its recently acquired SiteAdvisor software that will allow the Web-rating application to block inappropriate Web sites, offer safety ratings for online transactions and rate Web links that appear in e-mail and IM windows." - to McAfee SiteAdvisor on June 11

15. Google and Ebay : The MBA Analysis - "In fact, as they researched the paper over the course of the year, the authors came to the conclusion that eBay had no choice but to ally with either Yahoo or Microsoft. Then the Journal reported as much, and the Yahoo/eBay deal went down." - to NewMedia Google Ebay on June 11

Travel Without Moving - Georgi Markov's KGB Assassination Spot

June 11, 2006
In the spirit of the previous hot spot in the Travel Without Moving series, here's another one, this time Georgi Markov's KGB assassination spot. Georgi Markov was killed in London in 1978, using a tiny pellet fired from an umbrella and containing a 0.2 milligram dose of the poison ricin.

You may also find this Time Out briefing on London's espionage locations interesting.

Going Deeper Underground

June 10, 2006
IT Security Goes Nuclear, at least that's what they say.

"Venture capitalists are predicting a "business boom below ground" as blue-chip companies turn to nuclear bunkers built at the height of the Cold War in the battle to protect sensitive electronic data. The latest private equity investor to move in on the area is Foresight Venture Partners, which has just taken a 20 per cent stake in The Bunker Secure Hosting."

But no matter how deep underground you are, you would still be providing an Internet connection, given you're a hosting company. That's an open network, compared to a closed one which is easier to control -- thick walls don't matter when it comes to connectivity and insiders. It's logical for any data to be stated as secure in that type of environment, but an authorized or unauthorized "someone" will want to use and abuse it for sure.

VCs often exaggerate to develop a market sector they somehow envision as profitable in the long term; the real issue is that, while the idea is very marketable, you cannot base future trends on this fact only. They'd better invest in market segments such as portable security solutions, or in risk management companies such as Vontu and Reconnex, which I covered in a previous post related to insider abuse.

There You Go With Your Financial Performance Transparency

June 10, 2006
Truly amazing, and the inevitable consequence of communication retention in the financial sector, but I feel it's the magnitude that matters: Enron's entire email communication archive seems to be available online right now.

"Search through hundreds of thousands of email messages to and from 176 former Enron executives and employees from the power-trading operations in 2000-2002. For the first time, they are available to the public for free through the easy-to-use interface of the InBoxer Anti-Risk Appliance. Create a free account, and go to work. You can search for words, phrases, senders, recipients, and more."

The interesting part is how their former risk management provider is providing the data, in between fighting the Monsters in Your Mailbox.

All Your Confidentiality Are Belong To Us

June 10, 2006
Is this proof that commercial and open source encryption has surpassed the technologies to police it, or that putting privacy and business growth as top priorities would ruin the whole initiative?

"The Government has launched a public consultation into a draft code of practice for a controversial UK law that critics have said could alienate big business and IT professionals. Part III of the Regulation of Investigatory Powers Act 2000 (RIPA) will, as it stands, give police the authority to force organisations and individuals to disclose encryption keys. The Government issued the public consultation on the code of practice for Part III, which will regulate how police and the courts use powers under the legislation, on Wednesday."

It would be interesting to see how they would initiate the response from individuals without raising the eyebrows of the majority of civil liberties watchdogs out there and, of course, businesses. That's assuming, of course, that they use encryption in the first place. It could be much "wiser" to take advantage of covert practices to obtain the necessary information instead of "forcing" this measure -- detecting encrypted or covert communication channels is another topic. Moreover, compared to this, the Australian police, whose capabilities for obtaining information on criminals include the use of spyware, take a somewhat controversial but adaptive approach.

If national infrastructure security matters, have individuals and enterprises personally take care of their security and encryption keys and promote data encryption, instead of dictating the vibrations by slowing down the basics through such laws.

Brace Yourself - AOL to Enter Security Business

June 09, 2006
In the re-emergence of the Web, AOL got the attention it never imagined it would get, with Microsoft and Google fighting for a share of its modest but strategic amount of eyeballs. After being an exclusive part of Time Warner's balance sheet since its early acquisition, and with a $510M fine and a dial-up business that was profitable by the time telecoms started offering cable connections thanks to years of infrastructure renovation, the thought-to-be-mature online advertising model is what saved it. Now AOL is basically putting half a leg into the red hot security market and wisely playing it safe:

"AOL plans to expand into security services with the release of the Active Security Monitor, expected on Thursday. The program would also check to make sure Internet Explorer is properly configured to prevent security holes. "ASM determines a security score for your PC, and for all other PCs in your home network, by evaluating the status of all the major components needed for a robust system: Anti-Virus software, Anti-Spyware software, Firewall protection, Wireless Security, Operating System, Web Browser, Back up software and PC Optimization.""

After the scoring, I presume it would "phone home" and let AOL know what end users are mostly missing; then a solution provided by AOL or a licensee would follow. Benchmarking against AOL's understanding of application-based security is tricky, and I bet you already know the programs necessary to establish common sense security on your PC/network. Who's next to enter the security industry besides Microsoft and AOL, perhaps DoubleClick?

CNET has naturally reviewed the Active Security Monitor.

An Over-performing Spammer

June 08, 2006
Th3 4r7 0f $3nd!ng spam messages is evolving like never before, and while spammers are still catching up with the newest technologies such as VoIP, WiFi and cell phones -- newest at least in respect to spamming -- trying to evade the now mature industry's detection practices, and taking advantage of the growing economies and their newbie users as victims, is what keeps it going.

I simply couldn't resist sharing this; it seems this spammer is totally outperforming himself. How would I fall victim to this, given I cannot read what I'm about to get scammed with?

Spammers today are in a world of pain when it comes to the industry's experience in detecting their messages; still, spam continues to represent the majority of email traffic worldwide, and it's getting more creative. Images, "marketing" messages that you can barely read, old psychological tricks, but still, out of a couple of million messages, someone takes it personally and feels like making a deal online.

Why does spamming work? Because of the ubiquity of email, because of the freely available email lists marketed as fresh, and, at the bottom line, because the price for a spammer to send a couple of million emails keeps falling as botnets on demand become a commodity. End users end up sending spam to themselves after being infected with malware. What's next? Spamming is still catching up with the technological possibilities, and Chinese telecom operators, for instance, happen to be the most experienced in filtering mobile phone spam -- I guess they're also over-performing in between censorship.

Bedtime Reading - Rome Inc.

June 08, 2006
If The Baby Business helped you envision the future, "Rome Inc. - The Rise and Fall of the First Multinational Corporation" is going to help you perceive the past within today's corporate culture -- and Stanley Bing makes good points on every stage of the empire.

Basically, the book emphasizes the "first multinational corporation", Rome, selling the ultimate product of its time: citizenship. Moreover, it goes in depth into the concept of moguls and anti-moguls, and how their tensions indeed created an entrepreneurial and corporate culture in 120 A.D.

Every industry has its moguls and anti-moguls, the behind-the-curtain disruptors at a specific stage. What are some of the characteristics of a mogul?

- Commission their PR
- Exercise power when feeling endangered -- elephants against the mice warfare
- Indirectly control the media that's "winning points" for quotations, and "credible" content
- Generally tend to believe they are the Sun, when the universe has so many dwarfs, and dimensions altogether
- Hide behind C-level positions
- Talk more than actually listen
- When they sneeze the whole industry gets cold

Certain societies, if not all, get obsessed with superficially creating heroes, so professionally that at a certain point the "hero" cannot deny any of the praise, but starts living with it and the load that comes with it. Get hold of this masterpiece, you're gonna love it!

Phantom Planes in the Skies

June 06, 2006
I can barely imagine the panic over a non-responding -- can it respond when it's not there? -- plane in the sky, at least until a visual confirmation reveals the truth. In the post-9/11 world, airports were among the first strategic targets to get the funding necessary to protect against the threats fabricated in a think-tank somewhere. Money is wasted in this very same fashion on a daily basis, with no clear ROI, just established social responsibility and common sense security. Disinformation can always happen in the sky, as in "Flaw may lead to air chaos". From the article:

"Hackers armed with little more than a laptop could conjure up phantom planes on the screens of Australia's air traffic controllers using new radar technology, warns Dick Smith. The prominent businessman and aviator claims to have found another serious security flaw in the new software being introduced into the air traffic control system. He has challenged Transport Minister Warren Truss to allow him to set up a demonstration of the problem at a test of the technology in Queensland to show how hackers could exploit the automatic dependent surveillance broadcasting (ADS-B) system to create false readings on an air traffic controller's screen. The air space activist says he was told of the flaw by US Federal Aviation Administration staff."

Compared to a speculation I described in a previous post, "Why's that radar screen not blinking over there?", these practices are highly natural to ELINT planes/warfare, and within the capabilities of experienced staff members, as pointed out in the article. Everything is buggy, and so is the ADS-B system for sure, but the problem from my point of view is the possibility of a "talkative leakage", and the procedures, if any, to internally report bugs like these and, of course, get them fixed.

Phantom Warhawk image courtesy of Les Patterson.

Where's my Fingerprint, Dude?

June 06, 2006
Personal data security breaches continue to occur, and with the trend towards a digital economy, it's inevitably going to get ever worse. In a recently revealed case, "Lost IRS laptop stored employee fingerprints", from the article:

"A laptop computer containing fingerprints of Internal Revenue Service employees is missing, MSNBC.com has learned. The computer was lost during transit on an airline flight in the western United States, IRS spokesman Terry Lemon said. No taxpayer information was on the lost laptop, Lemon said. In all, the IRS believes the computer contained information on 291 employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth."

For the time being the largest holder of fingerprints in the world is the U.S.A., and this fact affects anyone that enters the U.S. My point is that the unregulated ways of classifying, storing, transferring and processing such information would result in its inevitable loss -- bad in-transit security practices or plain simple negligence.

As we're also heading towards a biometrics-driven society, the impact of future data security breaches will go way beyond identity theft the way we know it -- lost and stolen voice patterns, DNA profiles, and iris snapshots will make the headlines. You might also be interested in knowing how close that type of "future scenario" really is, given the modest genetic database of 3 million Americans already in existence.

Things are going to get very ugly, and it's not the privacy issue that bothers me, but the aggregation of such data in the first place, and who will get to steal it. It's perhaps the perfect market timing moment to start a portable security solution provider, or to resell one's know-how under license, of course.

Skype as the Attack Vector

June 04, 2006
It's often hard to actually measure the risk exposure to a threat, given how overhyped certain market segments' or products' insecurities get with time. Gartner and the rest of the popular market research agencies seem to be obsessed with Skype as the major threat to enterprises, while Skype isn't really the bad news; compliance is, in respect to VoIP, P2P, IM and email communications retention or monitoring. From the article:

"The most recent bug in Skype is another clue to enterprises that they should steer clear of the VoIP service, research firm Gartner recently warned. Two weeks ago, Skype patched a critical vulnerability that could let an attacker send a file to another user without his or her consent, and potentially obtain access to the recipient's computer and data. This vulnerability follows three in 2005 (two high-risk, one low-risk) and highlights the risk of not establishing and implementing an enterprise policy for Skype," wrote Gartner research director Lawrence Orans in an online research note. "Because the Skype client is a free download, most businesses have no idea how many Skype clients are installed on their systems or how much Skype traffic passes over their networks."

There's only a slight chance an enterprise isn't already blocking Skype, using both commercial and public methods wherever applicable. Moreover, consider that if the enterprise -- assuming a U.S. one -- isn't blocking the use of Skype, it must somehow monitor or retain its use in order to comply with standard regulations. Skype poses the following problems:

- inability for the enterprise to retain the IM and VoIP sessions in accordance with regulations
- wasted bandwidth, costing lost productivity and direct cash outflows, plus slowdowns of critical network functions
- possibilities for covert channels

Several months ago, Skype was also discussed as a command and control application for botnets, while steganography-based communications and plain simple encrypted or stripped-down IRCd sessions remain rather popular. Malware authors are actively looking for ways to avoid IRC, given the popularity it has gained and the experience botnet hunters have these days.

Skype is the last problem to worry about; in this very same way, the recent vulnerabilities in major market-leading AVs would have had a higher risk exposure factor, as there's a greater chance of encountering malware than a Skype vulnerability. It's vulnerabilities in software in principle that you have to learn how to deal with, along with the third-party applications that somehow make it onto your company's network.

More resources:
Skype Security Evaluation
Silver Needle in the Skype
Skype Security and Privacy Concerns
Impact of Skype on Telecom Service Providers

Travel Without Moving - KGB Lubyanka Headquarters

June 04, 2006
Yet another hot spot in this week's Travel Without Moving series, this time Lubyanka Square's KGB Headquarters. There are still lots of Cold War sentiments in the air among yesterday's and today's superpowers, and you just can't deny it. Today's FSB, the successor to the KGB, is taking a very serious approach towards counter-intelligence and offensive scientific intelligence practices, in a much more synergetic relationship with the academic world compared to years ago. While the CIA is indisputably the most popular foreign intelligence agency, and more of a front end to the NSA itself from my point of view, the KGB still remains responsible for very important and "silent" moments in the world's history. There were moments at the very maturity of the Cold War when both the CIA and the KGB were purposely disinforming their own operatives in order to keep them motivated and fuel the tensions even more, but compared to the CIA with its technological know-how, the KGB's HUMINT capabilities didn't get surpassed by technology. Among the key success factors for the agency were the centralized chain of command, total empowerment, a common and obsessive goal, and a clear enemy.

Today's trends mostly orbit around:

- information sharing, that is, less complexity among different departments and agencies
- win-win information sharing among nations
- offensive and defensive CYBERINT, harnessing the power of, or protecting against the threats posed by, the digital era
- automated and efficient mass surveillance practices, eliminating "safe havens"

In case you really want to go in depth into what has happened during the last couple of decades, Vasili Mitrokhin's KGB Archives are worth reading. And the true retro gamers can take the role of "Captain Maksim Mikhailovich Rukov, recently transferred to Department P from the GRU after three years' duty to investigate possible corruption inside the KGB (after a former agent turned private eye was found murdered). However, as the plot progresses, Rukov finds himself investigating a party hardliner anti-perestroika plot that threatens the life of General Secretary Mikhail Gorbachev" while playing the KGB - Conspiracy game.

May's Security Streams

June 03, 2006
Here's May's summary of all the security streams during the month. This is perhaps among the few posts in which I can actually say something about the blog, the individual behind it, and its purpose, which is to question, provoke, and inform on the big picture. After all, "I want to know God's thoughts... all the rest are details" is one of my favorite Albert Einstein quotes. The way we often talk about a false feeling of security, we can easily talk about a false feeling of blogging, and a false feeling of existence altogether. It is often assumed that the more you talk, the more you know, when it's exactly the opposite: those that talk know nothing, and those that don't, do. There's nothing wrong with referring to yourself, as enriching yourself through past experience helps you preserve your own unique existence and go further. Awakening the full potential within a living entity is a milestone, while self-preservation may limit the very development of a spirit -- or too many techno thrillers recently? :)

It's great to see that a knowledgeable audience has become a daily reality at this blog; it's never too late to meet new friends or their pseudo-personalities. I've also included this month's stats area graph so you can get a grasp of the activity; go through the past summaries for January, February, March and April in case your brain is hungry for more knowledge.

It is my opinion that the more uninformed the end user is, the less incentive there is for vendors to innovate at the bottom line; on the other hand, it is also easier for a vendor to put emphasis on current trends instead of emerging ones -- which is what is going to add value to its proposition in the long term. It's more profitable to treat the disease than to cure it. And while curing one doesn't mean curing all, it's progress. So I inform both sides and everyone in between. Information has never been free, but it wants to be free, so enjoy, syndicate, and keep yourself up-to-date with my perception of information warfare and information security, even when I'm not blogging, but just linking!

01. Biased Privacy Violation
While the site's niche segment has a lot of potential, I doubt it would scale enough to achieve its full effect. Providing ex-couples with a microphone to express their attitudes is as questionable as whether playing 3D shooters actually limits or increases violence.

02. Travel Without Moving - Typhoon Class Submarines
There are a lot of strategic security issues going beyond the information security market, and that is the defense and intelligence community's influence on the world. What used to be a restricted or expensive practice, satellite imagery, is today's Google Earth/Maps service on a mass scale; anyone can zoom in on the NSA. And as it's obvious you can spot things you can somehow define as sensitive locations through Google Earth/Maps, the question is: so what? I've managed to dig up quite some interesting locations I haven't seen posted anywhere and will be adding them shortly; feel free to suggest a spot if you have something in mind. The series in no way competes with Eyeball-Series.org, though I wish it did.

03. The Current State of Web Application Worms
Web application worms, their potential and their possible huge-scale impact, is a topic that's rarely covered as an emerging trend by the mainstream media. On the other hand, 200-word articles on yet another malware variant go in depth into how the Internet is the driving force for the e-commerce revolution, and how a piece of ransomware is changing this. The problem is rather serious due to the common types of web application vulnerabilities huge eyeball aggregators suffer from. Whether it's speed or infected population used as the benchmark, just like packet-based worms, web application worms are fundamental for the creation of a Superworm beneath the AV sensors' radar.

04. Shaping the Market for Security Vulnerabilities Through Exploit Derivatives
A resourceful post providing an overview of the most recent developments in the emerging market for software vulnerabilities, and the possibility to secure future vulnerability releases. As Adam at Emergentchaos.com pointed out, the legality of such markets is among the cons of the idea; perhaps it's time to consider the usability of markets for what's turning into a commodity: security vulnerabilities. The major problem prompting the need for such markets is the current "private club" only vulnerability sharing practice among the infomediaries, but it can easily be argued that empowering vulnerability diggers, not researchers, isn't the smartest thing the community can do.

Vendors are often discussed as liable for the vulnerabilities in their software, but it's like blaming a dating service for not generating you dates; my point is that you cannot simply blame vendors for the vulnerabilities in their software, as it would result in a major slowdown of innovation. Think about it, we all hate Bill Gates and yet use Microsoft's products pretty much everywhere while trying to avoid them. Monocultures are bad; we'd better have half the Internet using Macs, and the other half Windows, so there would be an incentive and fair "allocation of resources" targeting both sides, as the plain truth is that malicious attackers aren't just attacking these days, they are gaining scale and becoming efficient. In a free market, where market forces invisibly shape and guide it, there's little room for socially oriented initiatives like these. Today's software and technologies are shipped to get adopted, that is, insecure ones we become dependent on, only to later find out we have to live with their insecurities -- no one is perfect, and being all well-rounded is so boring at the bottom line.

If we were to start "thinking Security" everywhere, there wouldn't be anything left in respect to usability at the end of the day. And as I've pointed out in a previous post on valuing security, if security doesn't bring anything tangible, but prevents risks, that's the cornerstone of the problems arising with justifying expenditures. The Internet we've become so addicted to and dependent on wasn't built with security in mind, but our conscious or subconscious marginal thinking gave us no choice: either live with the vulnerabilities and take advantage of its benefits, or stop using it at all. If we were to start thinking security first, there wouldn't be an Internet at all, at least not in our lifetime. ISPs avoiding taking action on customers participating in botnets as they still haven't managed to find a way to commercialize the service, or Microsoft shipping its products in root mode and with all features turned on by default, are important points to keep in mind when referring to the practice of treating and not curing diseases.

You cannot blame vendors for the security vulnerabilities in their software; you can blame them for the huge windows of opportunity their lack of action opens, and for the lack of overall commitment towards mitigating the threats posed by these. Now, how would you go about turning your day dreaming into a measurable metric, or even coming up with a benchmark? That is challenging -- a challenge ruined by the value of keeping an 0day, a truly 0day one.

05. The Cell-phone Industry and Privacy Advocates VS Cell Phone Tracking
There you go with your fully realistic 1984 scenario; I wonder whether the idea would constitute mass surveillance and social networking analysis altogether. DIY alternatives are gaining popularity, and the cell phone industry doesn't really want to be perceived as an "exact location" provider, rather than a communication services one. The excuse if it becomes habitual? Well, since there's no Cold War anymore -- just sentiments -- it's Terrorism today.

06. Snooping on Historical Click Streams
It was about time Google repositioned itself as a search company, not as a new media one heading towards portalization. There's nothing wrong with the idea; the reality is they can never catch up with Yahoo -- and they shouldn't! Spend some time with the feature and you will be able to verify most of your previous research findings, or come across surprising ones. Do you trust Google and its geolocation services at the bottom line? I do.

07. Pass the Scissors
It's never too late to earn a buck for printing currency, even in times of inflation in between.

08. Is Bin Laden Lacking a Point?
Google Trends points to Washington DC as the region with the highest interest in Bin Laden, not surprising, is it? I feel the entire idea of an organizational hierarchy with Bin Laden on the top is outdated thinking, but a marketable one, forwarding the entire responsibility to one person, who at the end of the day wouldn't have any choice but to accept it, even though he had nothing to do with something in particular. Leadership is critical, and so is possible succession. An image is worth a thousand words in this case!

09. Pocket Anonymity
Harnessing the power of established brands in privacy, encryption and anonymity services and providing portability is a great idea, no doubt, but what I'm missing is a targeted market, a clear positioning: is it a privacy or an anonymity provider, as there's a huge difference between the two of these. A free alternative to the idea as well.

10. Travel Without Moving - Scratching the Floor
No comment, just awareness.

11. Terrorist Social Network Analysis
Seems like social network analysis practices apply to terrorist organizations as well, and why wouldn't they? As you can see, there isn't much of a difference between a Fortune 500 organization and a terrorist one; the only problem and downside is the inability to take advantage of the momentum, as historical findings out of data mining are useful for PowerPoint slides seeking further investment, and that's it.

12. Valuing Security and Prioritizing Your Expenditures
Reactive, Proactive, or Adaptive, what's your security strategy, and what's your return on security investment?

13. EMP Attacks - Electronic Domination in Reverse
Did you know that Stalin was aware of the U.S.'s A-bomb even before Harry Truman was? -- the consequence of too much secrecy sometimes! EMP attacks rarely get discussed, yet today's portability of these and their potential for chaos put them on the top of my watch list. There have been numerous ongoing Cybersecurity and critical infrastructure security exercises in the U.S. for the last couple of years, and while military equipment goes through a hardening process, Russia remains a key innovator whose capabilities have surpassed their own expectations. Cyber warfare is the next Revolution in Military Affairs, and it would be naive not to keep thinking of sneaky attacks, the weakest point in an IT and electronics dependent society.

14. Insider Competition in the Defense Industry
Where else, if not in the defense industry?

15. Techno Imperialism and the Effect of Cyberterrorism
Today's public perception of Cyberterrorism is so stereotyped, perhaps due to one basic reality - you cannot fight Cyberterrorism the way you can blow up a cave in Afghanistan, and it's a big problem. While public accountability is easily achieved through Cybersecurity exercises, there isn't a better tool for propaganda, recruitment, communication and research than the Internet, and as you're about to find out, there are ongoing initiatives to crawl the Web for terrorist web sites, analyze terrorists' communication patterns on web forums, and how encryption and flight simulator programs are an inseparable reality of the concept.

As the conspiracy theorist inside me is screaming, there used to be a speculation how Disney purposely brainwashed the perception of UFOs in its content, to make it a more user-friendly excuse, and put everyone who's talking the opposite into the usual "that's the guy that has seen them" unfavorable position. Today's coverage on Cyberterrorism doesn't provoke discussion; instead it always tries to communicate and question the credibility of the idea, with the usual scenarios relating to SCADA devices, terrorists melting down power plants and the rest of the science-fiction stories. In all my posts on Cyberterrorism, a topic I've been actively writing on and following for some years, I always point out that terrorists are not rocket scientists unless we make them feel so -- or have benefits to think they are.

16. Travel Without Moving - Cheyenne Mountain Operations Center
Cheyenne Mountain Operations Center from Google Maps, and a summary of a report on Google Earth's security implications, which I hope you'll manage to get your hands on, the way I did through a friend.

17. Nation Wide Google Hacking Initiative
I like the idea of auditing a nation's cyber space through Google Hacking; the only problem is communicating the value to the public and to the companies/sites. What can be defined as sensitive information leaked through Google, and who's the attacker? Is it a script kiddie, a Google hacker, foreign intelligence personnel, or a foreign company conducting unethical competitive intelligence? Knowing, or at least theorizing on, the possible adversaries will take your auditing practices to an entirely new level.

18. Espionage Ghosts Busters
No government is comfortable with having to smile at Chinese people, or with how their economy is evolving from supplier to manufacturer; still, there isn't any serious ground for this case -- besides a discomfort issue.

19. Arabic Extremist Group Forum Messages' Characteristics
Great research on today's fully realistic scenario of terrorists communicating over the Web, the public one, as basic authentication would have stopped such automated approaches for sure. What can you actually find with that type of intelligence: real terrorist communications, or growing propaganda sentiments in between pro-democratic individuals to be recruited?

20. The Current, Emerging, and Future State of Hacktivism
A very well researched dissertation, with a lot of visionary thoughts while it goes back to the basics. It is doubtful whether hacktivism would cease to exist despite the for-profit malicious attacks these days, as anarchists, governments, patriots or script kiddies all have an opinion on how things should be.

21. Bedtime Reading - The Baby Business
What's a "better" kid, and why you don't need one? Controllable uncertainty can be exciting sometimes, but as always, life's too short to live with uncertainty!

22. Travel Without Moving - Korean Demilitarized Zone
A post with an emphasis on North Korea, which as a matter of fact recently got declined by the U.S. on two-way talks on whether the U.S. would condemn their nuclear program. As I've pointed out, they are just looking for attention, while the U.S. is sticking to six-way talks only. Iran truly took advantage of the overly bad publicity for the U.S. around the world.

23. Aha, a Backdoor!
A smart way to fuel growth in homeland security solutions is to be able to exempt publicly traded companies from reporting these activities, and with the SEC trying to achieve better transparency in its data reporting practices, it opens up a huge backdoor for enterprises to take advantage of, without any short-term accountability or transparency requirements for the use of their stockholders' money. It's the corporate world!

24. Forgotten Security
Forgotten "what if" security plans on a possible assassination, to be precise. It's like a situation where a newly graduated wannabe marketer is asked to conduct marketing research for a future release of a product, and he just opens his bag, brings out a textbook, and starts looking it up.

25. Delaying Yesterday's "0day" Security Vulnerability
Nothing groundbreaking, as this is today's reality for everyone, and there isn't such a thing as a true 0day vulnerability these days. 0day to whom: to the media, to the underground, to the market, or to the researcher who's catching up with a week of backlog?

26. Who's Who in Cyber Warfare?
In the future the majority of Cyber wars would be waged by nations, and the maturity of their understanding of the concept, and their actual capabilities, is again going to put the masses as a hostage in between. Defensive or offensive motives behind further development, armies will be defeated and battles will be won in Cyberspace -- whether by infowar guerrilla fighters, corporations, or nations is the beauty of this uncertain growing reality.

27. No Anti Virus Software, No E-banking For You
Great idea, lots of revenue for the AV vendor, end users with a feeling of security, all looks and sounds great, but it isn't, as these are the basics. An AV solution doesn't mean you won't get hacked, your financial information won't get stolen, and your home PC won't end up in a botnet; it means there's less chance for it to happen now. Is this campaign worth the publicity in respect to retaining the bank's customers? I feel it is, but it's where the whole process of bank2customer safety practices communication begins.

28. Microsoft in the Information Security Market
McAfee and Symantec have greatly felt the pressure from Microsoft's ambitions, as they've simultaneously released information on their alternatives to OneCare, all-in-one security and PC tuning for the masses. Moreover, IP violation suits and the rest truly represent the threat, and while I don't see any, I avoid the fact that this is what the end user really needs. And with all the buzz about OneCare, Microsoft's distribution channels, channel partners and strategic partnerships, it would be hard for them to stop using OneCare in a year. That's why McAfee's and Symantec's releases of alternatives neatly ruined the pioneer position Microsoft could have taken. Now it's the same old information security market, the one you're so comfortable with: McAfee and Symantec providing security solutions as their first priority, and Microsoft positioned as a follower catching up. Smart move!

29. Covert Competitive Intelligence
With enterprises considering key extranet participants as potential attack vectors, and web integration of backend systems as potential targets, insiders are benefiting from within. Dealing with "hackers", malware, firewall configuration etc. is part of the problem of perimeter-based and application-based defense. Take into consideration organizational threats such as insiders, and figure out a cost-effective way of dealing with this hard to detect, measure and secure against threat.

30. The Global Security Challenge - Bring Your Know-How
How would you be more creative: knowing how much your budget is and trying to allocate it for the sake of allocating it, or coming up with the idea first and then trying to commercialize it? Budget allocation is a daily practice, but the very same way it empowers, it wastes resources, ones usually wrongly allocated.

Healthy Paranoia
I really feel you.

Healthy Paranoia

May 31, 2006
More developments on the US-China Commission's decision not to use Chinese manufactured PCs on SIPRNet follow, an event I covered in a previous post, "Espionage Ghosts Busters". The officially stated attack vector, namely that "..a significant portion of Lenovo is owned by the Chinese Academy of Sciences, an arm of the Chinese government", is nothing more than a healthy paranoia to me, one reaching to the skies on certain occasions, of course. Just came across an article summarizing some recent events:

"The U.S. State Department recently declared that due to national security concerns, it would restrict use of the 16,000 computers it purchased to nonclassified work. It had originally planned to use 900 of the machines on a network connecting U.S. embassies. Lenovo’s goal of becoming the “Sony of China” could be impeded by worries over its machines’ security, blocking its strategy to move out of its Asia stronghold and into the West by courting North American computer users and possibly listing on U.S. stock markets. That realization sparked outcry from officials of both the Chinese government and the computer company."

However, today's monocultural reality, and the favorable trend towards diversity, will have a greater impact on the (in)security of the PCs. Moreover, the "manufactured in China" reality is a commonly shared myth, one that keeps getting debunked as well:

"Almost any PC you can name has Chinese content,” said Roger Kay, president of the research firm Endpoint Technologies Associates. He pointed to Intel semiconductors and Seagate hard drives made in China. He also noted that 80 percent of notebooks sold worldwide are manufactured in China."

Even if Lenovo dared to implement hardware backdoors, or ship the PCs rootkit ready, it could have successfully ruined its business future -- insider pressure is always an option, but what have you got besides speculation? Don't unload the Chinese Communist Party's load onto this division recently separated from IBM; they aren't in the most favorable position, yet still remain among the top players on the PC market, right next to the efficiency machine Dell, which as a matter of fact recently completed its second high-tech factory in China.

Healthy paranoia, or the George Orwell inside you? Comic page text generated at Gaxed.com

The Global Security Challenge - Bring Your Know-How

May 30, 2006
It's a public secret that the majority of innovative ideas come from either the academic environment, or plain simple entrepreneurial spirits. I find such annual competitions a valuable incentive for both sides to unleash the full power of their ideas, or commercialize them - consciously or subconsciously. SpaceShipOne is a case study on how elephants can't dance, or at least how they dance on high profit margins only.

Recently announced, The Global Security Challenge seeks "..to help young startups succeed in the security field. Take advantage of this unique opportunity to get your ideas in front of investors, media, and government and industry leaders." And most importantly:

"We seek to uncover the creative capabilities of innovators in universities and infant companies that apply to public security needs. This includes software, hardware or other industrial solutions that help (a) protect people, critical infrastructure, facilities and data/electronic systems against terrorist or other criminal attacks and natural disasters or (b) help governments, businesses and communities defend against, cope with or recover from such incidents. Examples of Technologies We Seek:
- Mesh Networks
- Data Storage and Recovery
- Detection/Sensors
- Biometrics
- Search Software
- Cyber/Network Security
- Communications Interoperability & Reconstruction
- Biological/Chemical/Radiological Remediation
- Protective Equipment
- RFID, Asset Tracking & Container Security
- Biotechnology

I bet Europe's Top Private Security Companies' revenues exceed the limit of having less than £10 million in annual revenues; it's worth speculating on their participation. Do your homework, know your competitors better than they know themselves, work out your elevator pitch, and disrupt.

As far as acquisitions are concerned, SiteAdvisor is the first recently acquired startup that comes to my mind, with its $70M acquisition deal valuation. As it obviously goes beyond VC-type mentorship, to many this seemed an overhyped deal. There's no price for being a pioneer, but there is a price on acquiring the position -- a stairway to heaven. Right now, a vertical security market segment is slowly developing, and it is my humble opinion that the company's pioneering position is poised for success. Another alternative to SiteAdvisor's safe search function is the recently launched Scandoo.com, which actually integrates the results from Google and Yahoo -- I doubt users would that easily change their search preferences though.

Who's next to get acquired, or hopefully funded?

Covert Competitive Intelligence

May 30, 2006
Yet another agreement on alleged covert competitive intelligence, this time, "WestJet Airlines says it's sorry that members of its management team covertly accessed a confidential Air Canada website, and has agreed to pay $15.5 million. In a joint news release from the two carriers, WestJet said that in 2003-2004, members of their management team "engaged in an extensive practice of covertly accessing a password protected proprietary employee website maintained by Air Canada to download detailed and commercially sensitive information without authorization or consent from Air Canada."

It's worth noting that Air Canada was actually aware of the security event, knew when it happened, and managed to trace it back to their competitors. Today's competitive intelligence does include unethical information gathering, whether in-house or "outsourced" practices, as DDoS for hire still makes the headlines, compared to the many other still undetected insider leakages years ago. It's also impressive how Dumpster diving still remains a serious threat -- so make sure you shred your secrets!

Microsoft in the Information Security Market

May 30, 2006
Microsoft is emptying its pockets with tiny acquisitions of security solution providers, with the idea to target the masses with its all-in-one security service OneCare. There's nothing wrong with offering up to three licenses for $49.95 per year, at least not from a marketing point of view. Microsoft's security ambitions are getting huge "as it continues to reveal its security ambitions in very obvious ways. Its $75 million acquisition of SSL VPN vendor Whale Communications last week shows just how deep it wants to go against the established leaders of various security technologies. Already in Microsoft's security sights are the antivirus and antispyware vendors. Since buying European antispyware vendor Giant Company Software and antivirus vendor Sybari, it was pretty clear that Microsoft intended to get into the malware protection market. Symantec, McAfee and Trend Micro seemed to be the clearest targets, but so are Sophos, CA, F-Secure and scores more smaller vendors."

Competition is always good for all parties involved. In another article on the topic, the founder of Webroot, a leading anti-spyware solutions provider, gave great comments about Microsoft's takeover of the infosec market: "The taking of a second-best product in this space is akin to locking half the doors in your house," he said. "Vista will not solve the spyware problem. It may change the vector of attack, but it will not solve this problem. And I'll bet the company on it."

Microsoft really surprised me with their release of the Strider HoneyMonkey crawler, as precisely the type of in-house research that would act as a main differentiation point for its solutions. The problem has never been the technology, they still have some of the brightest minds in the world working for them, but providing value and communicating the idea to the final customer. Security as a second priority isn't tolerated by customers, and Microsoft is the last company that the end user associates with security. Being obsessed with perfection, and still living in the product marketing concept world, is outdated thinking, the way pushing features based on "what the sample says" is not going to hold the front any longer. Customers beg to participate!

While for the time being Microsoft is rediscovering the Web and working on Vista, money doesn't necessarily buy innovation; individuals prone to making an impact do -- ones heading to Mountain View, California, where the real action is.

No Anti Virus Software, No E-banking For You

May 30, 2006
Malware and Phishing are the true enemies of E-commerce, its future penetration, and E-banking altogether. Still, there are often banks envisioning the very basic risks, and hedging them one way or another, as "Barclays gives anti-virus software to customers":

"Barclays Bank is issuing UK internet banking customers with anti-virus software, as part of attempts to reduce online identity theft. The bank has signed a deal with Finnish anti-virus firm F-Secure, which will provide software to the bank’s 1.6m UK internet banking customers. While other banks offer discounted anti-virus software deals to customers, Barclays is the first in the UK to give it away for free. ’Nearly two-thirds of home PCs don’t have active virus protection, and one in five is actually infected by a virus, placing people at risk from data theft, as well as damage to their computers,’ said Barnaby Davis, director of electronic banking at Barclays."

I find the idea a very good one, mostly because, compared to other banks that try to reestablish email communication with their customers, it starts from the basics: you can't do E-banking without generally acceptable security measures in place. And while an AV solution doesn't necessarily mean the customer wouldn't get attacked by other means, or that it would actually be active at the moment of the attack, this is a very smart thing to do. To take advantage of even more benefits, Barclays must actively communicate their contribution and unique differentiating point to their customers, in comparison with the other banks -- it's getting harder for companies to retain customers due to improved access to information, and thus more informed decisions.

You can't just deal with the technological part of the problem and avoid the human side of it, as education and awareness will result in less gullible, but more satisfied and longer retained customers. Phishing is today's efficient social engineering, and a bank's site shouldn't be assumed "secure", as on many occasions site-specific vulnerabilities improve the truthfulness of the scam itself. Forwarding the responsibility for secured access to the E-banking feature to final customers should happen simultaneously with the bank auditing its web services. In the upcoming years, with the rise of mobile banking, I think we will inevitably start seeing more mobile phishing attempts.

eBay's PayPal is still a major player in online payments, on its way to dominate mobile payments too. The trend and potential of cross-platform malware is what both AV vendors and payment providers should keep in mind.