Posted: 10 Sep 2008 12:44 AM CDT
The following are two updates for the next version of SIPVicious's PBX extension enumeration tool svwar:
svn checkout http://sipvicious.googlecode.com/svn/trunk/ sipvicious-read-only
Posted: 09 Sep 2008 07:50 PM CDT
Rich is back after a week at the Democratic National Convention and a week of vacation with his wife. He’s been out of touch between being in Denver and being off the coast of Alaska. He’d also just arrived home a couple of hours before we started recording, so tonight’s show is short, sweet and to the point. Which is probably for the best, since there were privacy issues up for discussion; I was barely able to keep Captain Privacy at bay.
Posted: 09 Sep 2008 02:07 PM CDT
Keeping on the theme of iPhones this week, we have a brief video explaining the top 4 reasons that the iPhone is Evil. Very funny... and very, very true! I'm not quite cool/hip enough to actually OWN an iPhone, but I covet those that do, and am just quite lame enough to own an iPod Touch and pretend it's a phone. Yep... I'm that redonkulous!
Posted: 09 Sep 2008 01:13 PM CDT
Today we announced that the American Bankers Association will be joining the VIP Network. We are very excited about this on many levels. Getting VIP credentials into the hands of 350 member banks creates a huge opportunity for VeriSign and makes this much more convenient for their users. ABA members will have first-hand experience with strong authentication on tools they use every day. And as this protection rolls out, ABA member banks will witness how easily they can deploy strong, two-factor authentication, and how convenient it is for their customers. We look forward to working with the ABA. Welcome to the network!
Posted: 09 Sep 2008 12:03 PM CDT
One of the things I am most proud of regarding my blogging is the Security Bloggers Network. What started off as an idea has now grown to over 175 blogs with a Feedburner/Google combined subscriber base of over 70,000! By just about any measure that is a lot of blogs and a lot of readers.
After our very successful Black Hat Bloggers Network affiliations, the SBN is getting ready to roll out some new affiliations which should benefit all of our members. Also, based on a lot of the questions some of us have been seeing, it seems that there is a new class of security bloggers contemplating taking the plunge. You can get all of these great blogs in one spliced feed here.
Posted: 09 Sep 2008 07:54 AM CDT
Here is a pet gripe of mine. I was talking to a friend of mine today about missed calls on cell phones. How many of you try to reach someone, get their message, and just hang up without leaving a message? Why? It's not like the person is not going to know you called. Missed calls are pretty standard on all cell phones and caller ID phones as well. Do you just want the person to know you called, but leave them guessing about what? Do you think by seeing a missed call the person will know what you wanted? Is there some other dynamic at play here?
I think the problem is that too many voice greetings are just too long. There is no way to short circuit the message and get to the beep to leave your message. If I am calling someone and get their voice mail, especially someone I have called before, I don't want to listen to a greeting for a long period of time. I often hang up myself rather than listening to the whole thing. I like messages that say, "if you like, press # to leave a message" or are short and to the point. Too many voice mail systems now penalize you for hitting the # button. They start the message all over again.
Bottom line is: either leave a short voice greeting, not a marketing message, or say early on, "if you want to bypass and just leave a message, press" a number.
Posted: 09 Sep 2008 03:06 AM CDT
Italian joke on the CERN experiment :)
Posted: 08 Sep 2008 08:37 PM CDT
While not a security-related post... I thought I would let everyone know about a really good open source hard drive cloning software that I recently discovered when I needed to clone and image multiple Linux systems. It's called Clonezilla and works just like Symantec Ghost but faster and free.
From the Clonezilla web site:
"Clonezilla, based on DRBL, Partition Image, ntfsclone, and udpcast, allows you to do bare metal backup and recovery. Two types of Clonezilla are available, Clonezilla live and Clonezilla server edition. Clonezilla live is suitable for single machine backup and restore. While Clonezilla server edition is for massive deployment, it can clone many (40 plus!) computers simultaneously. Clonezilla saves and restores only used blocks in the harddisk. This increases the clone efficiency. At the NCHC's Classroom C, Clonezilla server edition was used to clone 41 computers simultaneously. It took only about 10 minutes to clone a 5.6 GBytes system image to all 41 computers via multicasting!"
Yeah, it's fast alright! I have been using the Clonezilla Live to image hard drives and it has been working great. You can also run it off of a USB thumb drive if you are so inclined. So, don't fork over $$ to that evil empire called "Symantec"...give Clonezilla a try if you want to clone a drive or multiple drives. :-)
Posted: 08 Sep 2008 06:20 PM CDT
The latest installment of the SSAATY podcast is up and available. Michael Montecillo, a security practitioner and analyst with Enterprise Management Associates, stops by to join Alan and me on the podcast. After tricking Michael into a set-up Brazilian Jujitsu match with Chris Hoff, we turn our attention to more serious matters: the role of analysts in the network security industry. The discussion covers the influence analysts have on a vendor's fate, how much vendors can influence analysts and their coverage, and just how reliable predictions by analysts are. We have a good bit of fun and I know you'll enjoy the podcast.
The podcast was recorded in the Medioh studios in Boulder, Colorado, by Medioh CEO Scott Converse. Special thanks to Scott for hosting us once again and acting as our podcast sound engineer.
We have a new URL for the podcast, http://www.ssaatypodcast.com, if you'd like to subscribe to the RSS feed or listen to other episodes.
Enjoy the podcast!
Posted: 08 Sep 2008 12:48 PM CDT
My article on unified communications for the middle market came out today on SearchCIO-Midmarket.
The article just scratches the surface of the issue but covers a bit of VoIP and some products within reach of smaller companies.
Posted: 08 Sep 2008 11:10 AM CDT
Secunia doesn’t think AV and IDS vendors are writing signatures well enough and plans to remedy the situation by opening up their analyses to a wider customer base with easier “pay-as-you-go” terms.
Posted: 08 Sep 2008 09:08 AM CDT
Social networking users can easily be tricked into becoming unsuspecting drones in zombie networks, according to new research. Security researchers from the Foundation for Research and Technology in Heraklion, Greece, created a seemingly innocuous Facebook application called Photo of the Day. The (harmless) application posed as only offering Facebook users a different photo from National Geographic every day, but it served another purpose for the makers. –Facebook app shows botnet risk - Woah, Sotiris and the other guys at FORTH just got famous. Well done guys! :-)
Posted: 08 Sep 2008 12:13 AM CDT
With Tumbleweed’s offerings for email security, secure file transport, and certificate validation, there were just not enough tools in that chest to build a compelling story, either for messaging security or secure transaction processing. And it provides just one more example of why Rothman is right on target. Given that Tumbleweed’s stock price has been flat for the entirety of this decade, this is probably both a welcome change of scenery from the stockholders’ perspective, and a sign of new vision on how best to utilize these technology elements. There are lots of fine email/content security products out there having a very difficult time of expanding their revenue and market share. Without some of the other pieces that most of their competitors have, I am frankly impressed that Tumbleweed has made it this far. Dropping this product line into the Axway suite makes sense, as it will add value to most of their solutions, from retail to healthcare, so this looks like a positive outcome.
Posted: 07 Sep 2008 09:00 AM CDT
(Sorry for the Finnish announcement)
I have finally managed to write a security paper that covers the basics, aimed at computer end users and small businesses. This paper was originally supposed to be finished in December, but it ended up dragging on this far into the autumn because of work pressures and a lack of inspiration.
Now, however, you can read it here, and its title is "Tietoturva 101". Comments can be left on this blog post or, alternatively, sent by email. It is worth noting that this is the first paper I have written in Finnish, and it turned out to be surprisingly difficult, since the terminology and so on is mostly in English.
Posted: 06 Sep 2008 11:39 PM CDT
A former co-worker and security software developer dude Joe Webster started up his own blog, Security For All (http://secforall.info). Joe joined StillSecure back when I was CTO and I remember he was interested in the whole blogging and podcasting thing back even then. Hey, Joe... I'm surprised it took you so long to start the blog! :)
Seriously, Joe's not only a sharp guy but is also dedicated to improving security. Plus, he's a really nice guy and a great keyboardist/composer. So check out Joe's new Security For All blog. He has a good post up there in response to one of Joel Snyder's videocasts about Network Access Control.
Posted: 06 Sep 2008 03:55 PM CDT
A little bit more than two years ago, I approached Jessica Goldstein from Addison Wesley to write a book about security visualization. We sat down during BlackHat 2006 and discussed my idea. It didn’t take much to convince her that they should get me on board. I went home after the conference and started putting together a table of contents. Here is the very first TOC that I submitted:
If you read the book, you will notice that this is pretty much what I ended up with. More or less. An interesting fact is that at the time of submitting the TOC, I had no idea what to exactly write about in the compliance and insider threat chapters. The even more interesting fact is that a lot of people told me that their favorite chapter is the insider threat chapter.
After submitting the TOC to Jessica, she had me fill out some more marketing questions about the book. Things like target audience, competitive books, etc. After handing that in, it went silent for a bit. Jessica was selling the book internally. And then things started to look not so good. Jessica went on maternity leave. Kristin took over and got the proposal review process lined up. I asked some people in the industry to have a look over my proposal and provide feedback to the publisher. Questions like: “Why is Raffy the right person to write this book?” “Is there a market for this book?” etc. were being asked. I received the six really great reviews (thanks guys!) mid December 2006. On December 19th, I received an email with the contract to write the book. I sent the contract off to a friend of mine who is a lawyer, just because I was a bit worried about intellectual property rights. After a few emails also with Addison, I felt much better. They are not at all interested in any IP. They just want the copyright, which was totally fine with me. Then, finally, on January 17th, I signed and was under contract to write about 300 pages about security visualization.
After a few days, I received an ISBN number for the book and a ton of material about style guides and how to go about writing the book. All very exciting. I decided to not write my book in TeX, unlike my masters thesis. That was definitely a smart decision. It turned out that using Word wasn’t that bad. The template from Addison made it really easy to format the text correctly. I actually ended up using VI to write the original text without any formatting. Once it was all done, I copied the raw text into Word and started formatting. The reason for doing this is that I am so much quicker in VI than I am in Word. (And hitting the ESC key in Word is not something you want to be doing too much.)
One of the next steps was to put together a timeline. Well, it was sort of aggressive. The version of the schedule I could find in my archives shows that I was planning on being done mid September 2007. Well, I missed that by only a year. I attribute a lot of that to the fact that I didn’t really know how to write (seriously) and to the chapters for which I had to do a lot of research.
I definitely enjoyed the process of writing the book. The folks at Addison Wesley were awesome. They kept motivating me along the way and provided great insights into the writing process. What I am still very impressed with is the PR aspects. Early on, they hooked me up to film a video cast about the book. After publishing the book, I get about an email a week for some press opportunity. Keep them coming!
Here is a fun fact: In ~/Data/projects/vis_addision, where I have all the material for the book, I accumulated 1.1GB of data. Pretty crazy.
Are you thinking about writing a book? Do it, but make sure you have time! I spent a LOT of time in the local coffee shop (picture on the left). I always had printouts with me to work on corrections. The picture on the right I took at 6.30am in Taipei. Yes, it’s a full-time job! I learned a lot! I made amazing connections. And I had fun! One piece of advice: make sure you have a good publisher!
I haven’t seen the book in my local Barnes and Noble yet. Well, I checked two weeks ago. But a friend (@jjx) sent me this picture. So, apparently some book stores have it in stock:
Posted: 06 Sep 2008 03:40 PM CDT
I've been saying for the past few years that most security breaches go unreported, but I had no hard data to back it up. I just believed it by instinct and some anecdotal evidence. Now, we have a survey to point to with supporting data that claims 89% of data leakage incidents in 2007 went unreported. I've also talked a lot about non-malicious insider breaches which is listed as the #2 security challenge by respondents of this survey. I haven't seen that question asked very often. Interesting data points. Data leakage, lost devices, insider threats continue to be a major concern (along with email attachments, malware and phishing).
Posted: 06 Sep 2008 03:15 PM CDT
Next Tuesday I will be speaking in Graz, Austria at the FIT-IT event. The topic of the event is Trust in IT Systems & Visual Computing. I am giving a keynote in the afternoon about the topic of Security Research 2.0. I will be hitting on one of my favorite topics, the dichotomy between security and visualization. We all need to work hard on combining the worlds of visualization and security. We have all seen what happens if security people are writing visualization tools. And we have seen what happens when visualization people try to understand networking and security. I can show you some pretty bad papers that get either side completely wrong. Maybe I am just too picky, but if you read some of the papers that I reviewed for RAID and VizSec, you would probably agree with me.
While talking about RAID and VizSec, the conferences are taking place in a week at MIT in Boston. I will be giving a short presentation on DAVIX with Jan Monsch and will also be part of a panel discussion. Looking forward to making my points about visualization there. I am going to stay for RAID and hope to catch up with my former colleagues from IBM research. Drop me a note if you are attending as well.
Posted: 05 Sep 2008 10:28 PM CDT
Well the good news about our economy just keeps right on rolling in. First came word that unemployment rose to a 5 year high today at 6.1% (and for the first time I know security and IT people in that group who are finding it hard to find a job). At the end of the day word came out that the Federal Government will announce a bailout/take over of the two mortgage giants, Fannie Mae and Freddie Mac. This will result in just about all shareholders of these companies being wiped out and more importantly, you, me and the rest of US citizens are now guaranteeing and on the hook for all of those trillions of dollars of mortgages out there!
Fred Wilson says that this is the new MO of the fed. Wait until after the markets close on Fridays to announce the really bad news. Ever the optimist, Fred thinks that this could be the beginning of the end for the bad news and may represent the bottom. I say, things will get worse before they get better.
Brad Feld wrote today about cycles in the business world. Certainly the pendulum swings and what goes up, must come down. But Brad says he is 42 and thinks he has seen it all when it comes to cycles. I am 47 and realize that is not true either. Yes, there are cycles but each one is different enough. Yes things will get better some time, but the pain and damage being done is going to take a long, long time to recover from.
Try owning a house in Florida, Michigan or some parts of California. Politicians talk of change, but I am not sure what fundamentally is going to happen that will change our present predicament. The sheer numbers are just scary.
I, along with many others I am sure, will be looking for signs that we are starting to pull out of this mess. But like in cycles past, by the time it is obvious that we are, the smart money will already be betting on the next cycle.
Posted: 05 Sep 2008 05:36 PM CDT
Nir is now blogging.
Posted: 05 Sep 2008 04:39 PM CDT
My Xcon 2006 pass
Jumper sent me an e-mail about the upcoming Xcon 2008 Conference that will take place in Beijing from 18-19 October:
More details on the conference here at Security Focus.
For those of you who are unfamiliar with Xcon, I’ll give you a little background. The yearly host of the Xcon conference series is a group going by the name Xfocus. One of their 2007 conference attendees, XYZreg (Zhang Yi), a regular member of their security group, claimed to have broken Kaspersky Anti-Virus Technology. When I went to the conference in 2006, two of the major sponsors were Microsoft and NSfocus. NSfocus was one of the very first hacker sites in China, originally called the Green Army. The organization has a very confusing history.
If anyone is planning on attending the conference, please drop me a line.
Posted: 05 Sep 2008 02:50 PM CDT
After long and arduous work on behalf of the SPSP and many others, and after several private classes of the CPISM, the very first public bootcamp and exam proctoring occurred in Salt Lake City, UT last week. Even a short while after, I see people updating their LinkedIn profiles with this designation.
It was so successful that the SPSP immediately booked another class in Dallas in November for not only the CPISM, but also the new CPISA. People have already been signing up and I expect these classes to sell out as well. In fact David Bergert, author of Payment Systems Blog, has already blogged about his registration.
Every place I go people are asking how they can become a QSA. The problem is, you cannot hold the designation of QSA unless you work for a QSA company, which requires a formal application and attestation to the PCI SSC. And, if you ever leave the QSA company you work for, you lose any right to call yourself a QSA. This is why the SPSP has created the CPISA/CPISM for those “across the table from” the QSA, so you can hold your own in conversations and discussions regarding the payments industry and compliance.
You are subscribed to email updates from Security Bloggers Network.
Email delivery powered by FeedBurner.