<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Spohn Solutions</title>
	<atom:link href="http://spohnsolutions.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://spohnsolutions.com</link>
	<description>Navigating Business Solutions</description>
	<lastBuildDate>Wed, 25 Jan 2012 17:14:51 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Ivan Ristic on Web Security</title>
		<link>http://spohnsolutions.com/2011/08/15/ivan-ristic-on-web-security/</link>
		<comments>http://spohnsolutions.com/2011/08/15/ivan-ristic-on-web-security/#comments</comments>
		<pubDate>Mon, 15 Aug 2011 17:41:24 +0000</pubDate>
		<dc:creator>Dan</dc:creator>
				<category><![CDATA[Security Blog]]></category>
		<category><![CDATA[cookies]]></category>
		<category><![CDATA[Ivan Ristic]]></category>
		<category><![CDATA[SPDY]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[web security]]></category>

		<guid isPermaLink="false">http://spohnsolutions.com/?p=1611</guid>
		<description><![CDATA[Ivan Ristic of SSL Labs, a research division of Qualys, talks about web security and endorses Google’s new SPDY protocol, which improves performance and is secure by default.  Ristic emphasizes security should be by default, and not susceptible to mistakes by administrators and developers.   He backs the idea that all web transactions should be done...]]></description>
			<content:encoded><![CDATA[<p>Ivan Ristic of SSL Labs, a research division of Qualys, <a href="http://link.brightcove.com/services/player/bcpid1099485820001?bctid=1099472186001">talks</a> about web security and endorses Google’s new SPDY protocol, which improves performance and is secure by default. Ristic emphasizes that security should be the default, not something susceptible to mistakes by administrators and developers. He backs the idea that all web transactions should be done over SSL, and points out that sites that use SSL often fail to ensure their cookies are secure as well, which frequently defeats the purpose of using SSL in the first place.</p>
]]></content:encoded>
			<wfw:commentRss>http://spohnsolutions.com/2011/08/15/ivan-ristic-on-web-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Token Gesture: PCI Security Standards Council Introduces Encryption</title>
		<link>http://spohnsolutions.com/2011/08/15/token-gesture-pci-security-standards-council-introduces-encryption/</link>
		<comments>http://spohnsolutions.com/2011/08/15/token-gesture-pci-security-standards-council-introduces-encryption/#comments</comments>
		<pubDate>Mon, 15 Aug 2011 16:51:53 +0000</pubDate>
		<dc:creator>Dan</dc:creator>
				<category><![CDATA[Security Blog]]></category>
		<category><![CDATA[credit cards]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[PAN]]></category>
		<category><![CDATA[pci]]></category>
		<category><![CDATA[security standards]]></category>
		<category><![CDATA[token]]></category>
		<category><![CDATA[tokens]]></category>

		<guid isPermaLink="false">http://spohnsolutions.com/?p=1608</guid>
		<description><![CDATA[This month the PCI Security Standards Council released a paper describing the use of tokens in place of the PAN (Primary Account Number).  While this is far from being a magic bullet that solves all security issues inherent in credit card processing, and does not remove the need for PCI certification for card processors, in...]]></description>
			<content:encoded><![CDATA[<p>This month the PCI Security Standards Council released a <a href="http://library.constantcontact.com/download/get/file/1102621924087-98/Tokenization+Guidelines+Info+Supplement.pdf">paper</a> describing the use of tokens in place of the PAN (Primary Account Number). While this is far from being a magic bullet that solves all security issues inherent in credit card processing, and does not remove the need for PCI certification for card processors, in certain situations it could help considerably.</p>
<p>The fact is, the less frequently PANs traverse networks, the less chance they’ll be snooped. The basic idea here is practiced all over the Internet already. Instead of sending the PAN, encrypt it, and send a “token” instead.</p>
<p>The first analogy that comes to my mind is the use of salted hash functions to protect the contents of /etc/passwd on UNIX systems. Many years ago /etc/passwd, a text file involved in local authentication for UNIX, actually contained the passwords of all the users. After some time people took to protecting the passwords with a salted hash, and later moved the hashed contents out of /etc/passwd entirely into /etc/shadow.</p>
<p>This is similar to the process described here. Instead of authenticating a purchase by passing the actual PAN data, the PAN is encrypted or tokenized, and then decrypted/detokenized at the other end. The analogy isn’t perfect (some tokens are multi-use, etc&#8230;), but the basic concept is the same &#8211; encrypt the PAN so it’s less often transmitted and stored “in the clear.”</p>
<p>While the idea of encrypting cardholder data is far from revolutionary, it&#8217;s at least encouraging to see the effort.  Furthermore, the fact this isn&#8217;t a new concept means it should be easy for the engineers implementing it to grasp.</p>
]]></content:encoded>
			<wfw:commentRss>http://spohnsolutions.com/2011/08/15/token-gesture-pci-security-standards-council-introduces-encryption/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft still not ready for the Internet.</title>
		<link>http://spohnsolutions.com/2011/08/15/microsoft%e2%80%99s-still-not-ready-for-the-internet/</link>
		<comments>http://spohnsolutions.com/2011/08/15/microsoft%e2%80%99s-still-not-ready-for-the-internet/#comments</comments>
		<pubDate>Mon, 15 Aug 2011 15:57:15 +0000</pubDate>
		<dc:creator>Dan</dc:creator>
				<category><![CDATA[Security Blog]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[MS11-058]]></category>
		<category><![CDATA[MS11-0587]]></category>
		<category><![CDATA[remote attacks]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://spohnsolutions.com/?p=1603</guid>
		<description><![CDATA[This month Microsoft pushed 13 security bulletins to address 22 vulnerabilities in its software.  The 2 most notable vulnerable software issues were a flaw in the Windows DNS server, and 7 in their Internet Explorer browser. The IE vulnerabilities affect all supported versions of Internet Explorer up to and including IE 9. The August Patch...]]></description>
			<content:encoded><![CDATA[<p>This month Microsoft pushed 13 security bulletins to address 22 vulnerabilities in its software. The two most notable were a flaw in the Windows DNS server and seven in the Internet Explorer browser.</p>
<p>The IE vulnerabilities affect all supported versions of Internet Explorer up to and including IE 9. The August Patch Tuesday update purportedly fixes errors in the way IE handles objects in memory and handles JavaScript handlers.</p>
<p>According to MS11-057, Microsoft said an attacker who successfully exploited any of the vulnerabilities could gain the same user rights as the local user, and the most severe vulnerabilities could allow remote code execution if a user uses IE to visit a specially crafted webpage.</p>
<p>Jason Miller, manager of research and development at VMware’s Shavlik Technologies, said the IE flaws and the Windows DNS error allow cybercriminals to attack systems remotely. Any time there’s a public vulnerability “out in the wild, it’s important to disclose it as soon as possible,” Miller said.</p>
<p>I remember as a young system administrator, back in 2000, maintaining a policy that no Windows host was allowed to receive connections directly from the Internet. This policy was a result of experience, because any time anyone deviated from the policy the Windows hosts in question would be compromised. As a result, we kept all the Windows hosts behind layers of firewalls, placed Sendmail hosts in front of the Exchange server, and reverse proxies in front of IIS servers. At the time I remember thinking “well&#8230; Microsoft just isn’t mature enough to play on the Internet yet, that’s why we have UNIX/Linux.”</p>
<p>Seems not a lot has changed since then.</p>
<p>“Patching administrators also must address server-side vulnerabilities. MS11-058 addresses two privately reported vulnerabilities in the Windows DNS server. The flaws affect the server side rather than a client request to a DNS server. If the company DNS servers have caching of DNS relaying enabled, the system is at risk. Otherwise, if the DNS role is not enabled, users are not at risk, although they should still deploy the patch to be on the safe side,” Miller said.</p>
<p>Remote root attacks against DNS servers are so 1999.</p>
<p>I wonder if Microsoft will ever have an operating system that doesn’t require hand holding.  My guess is as long as people vote with their dollars, the answer is “no.”</p>
]]></content:encoded>
			<wfw:commentRss>http://spohnsolutions.com/2011/08/15/microsoft%e2%80%99s-still-not-ready-for-the-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TW Telecom Awarded 5 Year Contract With Texas</title>
		<link>http://spohnsolutions.com/2011/08/12/tw-telecom-awarded-5-year-contract-with-texas/</link>
		<comments>http://spohnsolutions.com/2011/08/12/tw-telecom-awarded-5-year-contract-with-texas/#comments</comments>
		<pubDate>Fri, 12 Aug 2011 19:30:03 +0000</pubDate>
		<dc:creator>Dan</dc:creator>
				<category><![CDATA[Telecom Blog]]></category>
		<category><![CDATA[telecom]]></category>
		<category><![CDATA[texas]]></category>
		<category><![CDATA[time warner]]></category>
		<category><![CDATA[TW telecom]]></category>

		<guid isPermaLink="false">http://spohnsolutions.com/?p=1599</guid>
		<description><![CDATA[Time Warner Telecom was just awarded a five-year contract with the State of Texas. Under the terms of contract, TW Telecom will supply Ethernet, converged and VPN solutions to all of Texas&#8217; state agencies and departments.&#160; According to Nick Summit, Regional Vice President at TW Telecom, &#8220;The State of Texas has long been an important...]]></description>
			<content:encoded><![CDATA[<p>Time Warner Telecom was just awarded a five-year contract with the State of Texas. Under the terms of contract, TW Telecom will supply Ethernet, converged and VPN solutions to all of Texas&#8217; state agencies and departments.&nbsp;</p>
<p>According to Nick Summit, Regional Vice President at TW Telecom, &#8220;The State of Texas has long been an important customer of TW Telecom. We are pleased to expand our relationship with the various departments and agencies across the State of Texas and look forward to delivering our unique set of capabilities, innovative solutions and world-class customer care to the State.&#8221;</p>
<p>TW Telecom has built out fiber network infrastructure throughout Texas and already provides services for the state government, and Texas has been an ongoing growth market for the company.</p>
<p>Those network bets are paying off. Over the past year, the service provider has secured contracts with a host of large business, government and even carrier customers including Gehan Homes, the Army at its Fort Bliss station in El Paso, and data center provider Core NAP.</p>
]]></content:encoded>
			<wfw:commentRss>http://spohnsolutions.com/2011/08/12/tw-telecom-awarded-5-year-contract-with-texas/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AT&amp;T to Purchase T-Mobile &#8230; the Saga</title>
		<link>http://spohnsolutions.com/2011/08/12/att-to-purchase-t-mobile-the-saga/</link>
		<comments>http://spohnsolutions.com/2011/08/12/att-to-purchase-t-mobile-the-saga/#comments</comments>
		<pubDate>Fri, 12 Aug 2011 18:55:50 +0000</pubDate>
		<dc:creator>Dan</dc:creator>
				<category><![CDATA[Telecom Blog]]></category>
		<category><![CDATA[ATT]]></category>
		<category><![CDATA[T-mobile]]></category>
		<category><![CDATA[telecom]]></category>
		<category><![CDATA[telecommunications]]></category>

		<guid isPermaLink="false">http://spohnsolutions.com/?p=1596</guid>
		<description><![CDATA[In the continuing saga of AT&#38;T to purchase T-Mobile USA&#8230; AT&#38;T filed additional information with the FCC to support its proposal to acquire T-Mobile USA. Among the benefits justifying the purchase, AT&#38;T claims wireless pricing will fall and service quality would rise if the purchase is approved. Since initial announcement of their intention in March,...]]></description>
			<content:encoded><![CDATA[<p>In the continuing saga of AT&amp;T to purchase T-Mobile USA&#8230;</p>
<p>AT&amp;T filed additional information with the FCC to support its proposal to acquire T-Mobile USA. Among the benefits justifying the purchase, AT&amp;T claims wireless pricing will fall and service quality will rise if the purchase is approved.</p>
<p>Since the initial announcement of its intention in March, AT&amp;T has been trying to justify the purchase by proving the merger would benefit consumers with lower prices and improved service. A couple of weeks ago the FCC asked the company for more information regarding the deal. AT&amp;T, in its letter, said the deal would “relieve significant capacity constraints faced by both companies and lead to improved service quality.” The data include analyses of 15 major markets, including metropolitan centers such as New York, L.A., and San Francisco.<br />
The analysis focuses on how the merger would lower costs and pricing as AT&amp;T and T-Mobile gain efficiencies after combining their networks; whether that reflects reality after a merger remains to be seen.</p>
<p>Sprint responded by dismissing AT&amp;T’s analysis. Sprint Senior VP of Government Affairs, Vonya McCann, said “AT&amp;T’s do-over submission is a last-ditch attempt to distract regulators, politicians, and consumers from the fact that it has failed to provide any evidence that its proposed takeover of T-Mobile yields meaningful benefits.”</p>
<p>McCann maintains AT&amp;T’s new statement does not change the negative consequences of the takeover. In fact, the merger would raise prices, reduce innovation, and decrease investment.<br />
The FCC normally reviews mergers within 180 days, but gave AT&amp;T an extension to file additional information. Now that AT&amp;T has given more data regarding the proposed merger, the FCC is expected to restart the clock. The deal must also receive approval from the Department of Justice.</p>
<p>Telecom in the US is like an accordion, from the split into the Regional Bell Operating Companies (RBOCs) in the 80’s to now, when we come full circle and once again head toward monopoly.</p>
]]></content:encoded>
			<wfw:commentRss>http://spohnsolutions.com/2011/08/12/att-to-purchase-t-mobile-the-saga/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Amazon Web Services Announces IAM (Identity and Access Management)</title>
		<link>http://spohnsolutions.com/2011/08/09/amazon-web-services-announces-iam-identity-and-access-management/</link>
		<comments>http://spohnsolutions.com/2011/08/09/amazon-web-services-announces-iam-identity-and-access-management/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 21:03:55 +0000</pubDate>
		<dc:creator>Dan</dc:creator>
				<category><![CDATA[Security Blog]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[AWS]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[LDAP]]></category>

		<guid isPermaLink="false">http://spohnsolutions.com/?p=1591</guid>
		<description><![CDATA[Amazon was one of the first players to take cloud services seriously, and more importantly, to offer them to us.  As an early adopter of EC2 and S3, I was excited to read on August 3rd they have added the ability for us to include our existing LDAP and Active Directory federations into their own...]]></description>
			<content:encoded><![CDATA[<p>Amazon was one of the first players to take cloud services seriously, and more importantly, to offer them to us.  As an early adopter of EC2 and S3, I was excited to read on August 3rd they have added the ability for us to include our existing LDAP and Active Directory federations into their own <a href="http://aws.amazon.com/iam/">security model</a>.<br />
For example, before, if I wished to allow a user access to a home directory in Amazon&#8217;s cloud, I&#8217;d have had to create an AWS identity to manage. Since single sign-on is a goal most IT shops (and in my case consultants) aspire to, it&#8217;s nice to be able to extend existing LDAP/AD trees into the cloud. Now I can grant access to users locally in LDAP or Active Directory, and it will enable access with temporary security credentials which can sign AWS requests.</p>
<p>IAM enables you to control access to AWS service APIs and specific resources. IAM also enables you to add granular conditions which control exactly how a user can use AWS, such as time of day, their IP address, or even whether the connection uses SSL or not.<br />
IAM can be used to grant your employees and applications access to AWS service APIs, using your existing identity systems such as LDAP or Active Directory.<br />
It is now possible to enable your mobile and browser-based applications to securely access AWS resources by requesting temporary security credentials that only grant access to specific AWS resources, for a specified period of time.</p>
]]></content:encoded>
			<wfw:commentRss>http://spohnsolutions.com/2011/08/09/amazon-web-services-announces-iam-identity-and-access-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reddit Founder Accused of IP Theft</title>
		<link>http://spohnsolutions.com/2011/07/20/reddit-founder-accused-of-ip-theft/</link>
		<comments>http://spohnsolutions.com/2011/07/20/reddit-founder-accused-of-ip-theft/#comments</comments>
		<pubDate>Wed, 20 Jul 2011 18:49:44 +0000</pubDate>
		<dc:creator>Dan</dc:creator>
				<category><![CDATA[Security Blog]]></category>
		<category><![CDATA[Aaron Swartz]]></category>
		<category><![CDATA[demand progress]]></category>
		<category><![CDATA[Harvard]]></category>
		<category><![CDATA[IP theft]]></category>
		<category><![CDATA[JSTOR]]></category>
		<category><![CDATA[MIT]]></category>
		<category><![CDATA[reddit]]></category>

		<guid isPermaLink="false">http://spohnsolutions.com/?p=1583</guid>
		<description><![CDATA[Aaron Swartz, co-founder of news site Reddit, was indicted Tuesday on charges of breaking into the MIT network and stealing documents from JSTOR, an archive of academic journal articles.  Specifically, the indictment charges Swartz with wire fraud, unlawfully obtaining information from a “protected” computer, and recklessly damaging a protected computer.  If found guilty the penalty...]]></description>
			<content:encoded><![CDATA[<p>Aaron Swartz, co-founder of news site Reddit, was indicted Tuesday on charges of breaking into the MIT network and stealing documents from JSTOR, an archive of academic journal articles. Specifically, the indictment charges Swartz with wire fraud, unlawfully obtaining information from a “protected” computer, and recklessly damaging a protected computer. If found guilty, the penalty is a hefty 35 years in prison and a fine of up to 1 million dollars.</p>
<p>According to the prosecution, Swartz obtained access via a wiring closet in the basement of an MIT building. From there he accessed JSTOR and downloaded some 4.8 million articles. According to the indictment, Swartz intended to make all of these journal articles free via a file sharing site. Of the 4.8 million, some 1.7 million were accessible “for pay.”</p>
<p>Some background on Swartz. Swartz is an online political activist and programmer. He is founder of the nonprofit Demand Progress, a civil liberties advocacy group. The current executive director of Demand Progress said the indictment “makes no sense” and called the charges “bizarre. It&#8217;s like trying to put someone in jail for allegedly checking too many books out of the library.”</p>
<p>According to JSTOR “We stopped this downloading activity, and the individual responsible, Mr. Swartz, was identified,” the statement said. “We secured from Mr. Swartz the content that was taken, and received confirmation that the content was not and would not be used, copied, transferred, or distributed.”</p>
<p>Now, regardless of your opinion on the degree to which this is activism and the degree to which it is theft, a couple of statements I’m reading just don’t make sense. For one, JSTOR claims that such a massive download harmed their servers. Really? Please explain to me how he physically damaged servers by using them for what they’re intended for, namely making files available for download.</p>
<p>The other thing that really annoys me is the comment by JSTOR “We secured from Mr. Swartz the content that was taken.”  Ok, so you know the content is digital, right?  If we follow the analogy that his crime is akin to checking out too many library books, this makes sense, but the thing is they didn’t need to get their books back.  The articles in question are digital.</p>
<p>If JSTOR and/or MIT plan on suing Mr. Swartz, they should at least be clear that they are suing him for “intending to make copyrighted materials public.” So he didn’t actually even commit the crime yet; he just intended to.</p>
<p>The elephant in the room, at least for me, is how they were able to act so quickly and apprehend Swartz before he had a chance to make the files available. To me, this stinks of a setup. Swartz is a political activist, and unfortunately in this and many other countries that makes him a target. Given the political climate surrounding new legislation that could make it criminal to even <a href="http://www.scribd.com/doc/55146943/Protect-Ip-Summary">play copyrighted material over 10 times on youtube</a>, one could see how Swartz could have a target painted on his back. Furthermore, during the time of the theft, Swartz ironically was a fellow at Harvard University, through which he could have accessed JSTOR services. Curious, no?</p>
<p>In any case, Swartz was released on $100,000 bail, with a trial date set for September 9th.</p>
]]></content:encoded>
			<wfw:commentRss>http://spohnsolutions.com/2011/07/20/reddit-founder-accused-of-ip-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberspace, the DoD&#8217;s 5th Domain</title>
		<link>http://spohnsolutions.com/2011/07/19/cyberspace-the-dods-5th-domain/</link>
		<comments>http://spohnsolutions.com/2011/07/19/cyberspace-the-dods-5th-domain/#comments</comments>
		<pubDate>Tue, 19 Jul 2011 18:08:09 +0000</pubDate>
		<dc:creator>Dan</dc:creator>
				<category><![CDATA[Security Blog]]></category>
		<category><![CDATA[5th Domain]]></category>
		<category><![CDATA[cyber warfare]]></category>
		<category><![CDATA[Cyberspace]]></category>
		<category><![CDATA[Department of Defense]]></category>
		<category><![CDATA[DoD]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[leon panetta]]></category>
		<category><![CDATA[William Lynn]]></category>

		<guid isPermaLink="false">http://spohnsolutions.com/?p=1580</guid>
		<description><![CDATA[Years ago I remember sitting around at the office with a former boss of mine, who literally scoffed at the idea of foreign governments or independent agents using the Internet as a medium of warfare against the US.  I told him to “strap in” because it was already happening, and it would only become more...]]></description>
			<content:encoded><![CDATA[<p>Years ago I remember sitting around at the office with a former boss of mine, who literally scoffed at the idea of foreign governments or independent agents using the Internet as a medium of warfare against the US. I told him to “strap in” because it was already happening, and it would only become more prevalent.</p>
<p>Well, how about that? Last week William Lynn of the Department of Defense released a 40 page unclassified version of its first-ever cyberspace operations strategy. It’s a new domain, if you will, for our military branches: formerly just land, water, air, and space … and now cyber-space.</p>
<p>Perhaps due to the fact the agency was the victim of an attack in March, when foreign attackers stole 24,000 odd sensitive files from the Pentagon? No wait, maybe it was the fact we’ve lost data regarding missile tracking systems? How about satellite navigation? Unmanned drones? Jet fighters? The answer is an unequivocal “yes.” We have lost data about all of those things to foreign hackers.</p>
<p>Since the version released was the civilian, not secret, version, it doesn’t go into a ton of detail. It basically stresses increased network resilience and generally being prepared in the event something truly horrible comes our way from cyber-space. It doesn’t go into details, and it says nothing about offensive maneuvering.</p>
<p>“The cyberthreats we face are urgent, sometimes uncertain and potentially devastating as adversaries constantly search for vulnerabilities,” Lynn said in a statement. &#8220;Our infrastructure, logistics network and business systems are heavily computerized. With 15,000 networks and more than seven million computing devices, the [Defense Department] continues to be a target in cyberspace for malicious activity.”</p>
<p>Soldiers will be prepared for various wartime scenarios such as &#8220;degraded cyberspace operations for extended periods and disruption during a mission.&#8221; I wonder if these soldiers will be fueled by typical mess hall fare, or will they live on a diet of Red Bull and Hot Pockets? Will “Reveille” be sounded for these particular soldiers at 4 in the afternoon? Will they wear normal military dress or will Slayer shirts suffice? I digress&#8230;</p>
<p>Besides training cyber-soldiers, the DoD has deployed a system of sensors and other software to gather intelligence, a giant intrusion detection network if you will.</p>
]]></content:encoded>
			<wfw:commentRss>http://spohnsolutions.com/2011/07/19/cyberspace-the-dods-5th-domain/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Android Malware, David and Goliath, etc&#8230;</title>
		<link>http://spohnsolutions.com/2011/07/13/android-malware-david-and-goliath-etc/</link>
		<comments>http://spohnsolutions.com/2011/07/13/android-malware-david-and-goliath-etc/#comments</comments>
		<pubDate>Wed, 13 Jul 2011 15:50:45 +0000</pubDate>
		<dc:creator>Dan</dc:creator>
				<category><![CDATA[Security Blog]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[dream droid]]></category>
		<category><![CDATA[droid dream]]></category>
		<category><![CDATA[hippoSMS]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[smart phones]]></category>
		<category><![CDATA[Zeus]]></category>
		<category><![CDATA[zitmo]]></category>

		<guid isPermaLink="false">http://spohnsolutions.com/?p=1576</guid>
		<description><![CDATA[In case you&#8217;re blissfully unaware of mobile phone news, allow me to tell you one of the biggest headlines. Google-backed Android and Apple&#8217;s iPhone are in a battle to determine dominance in the cell phone market. Incumbent iPhone has been criticized of being the behemoth player in the market, the Goliath to Android&#8217;s Open Source...]]></description>
			<content:encoded><![CDATA[<p>In case you&#8217;re blissfully unaware of mobile phone news, allow me to tell you one of the biggest headlines.  Google-backed Android and Apple&#8217;s iPhone are in a battle to determine dominance in the cell phone market.  </p>
<p>Incumbent iPhone has been criticized for being the behemoth player in the market, the Goliath to Android&#8217;s Open Source David. Apple has been accused of being heavy handed, charging fees for those who would write apps for its platform, and being overly critical of what is allowed past its sentries and into the Apple App store. They&#8217;ve even been slammed for charging an additional 30% of each sale, the capitalist evil of it all!</p>
<p>In short, Apple has been acting as Apple always has. They keep their hardware and software linked. In what many view as the stupidest thing Apple ever did, back in the 80&#8217;s, unlike Microsoft with Windows, they didn&#8217;t enter into agreements with outside hardware makers. The result was Windows growing into a giant buggy monopoly, while Apple stayed small &#8211; yet functional.</p>
<p>What we see today in the iPhone vs. Android battle does not remind me of Android being the underdog, the Linux if you will, to Apple&#8217;s Microsoft. What we&#8217;re seeing in these Android app marketplaces is all of the confusion and security-hole-ridden infestation of a Microsoft bloated giant, without the benefits of the peer oversight usually associated with Open Source projects.</p>
<p>I must confess that when I first learned and downloaded Google&#8217;s Open Source Android code way back when, I was excited that just maybe the community would have a shot at the mobile phone market.  What we have instead is utter chaos. </p>
<p>Is it the money?  Probably.</p>
<p>Unlike the Linux kernel and the major Open Source distributions, these Android app marketplaces seem to lack code review. I&#8217;m not intending to throw out the baby with the bathwater here. The conspiracy theorist in me almost thinks Apple has hired a clandestine team of hackers to write and distribute Android malware via backwater app stores in order to sully the name of Android for people who don&#8217;t understand the difference between Android and the various marketplaces that peddle Android apps.</p>
<p>About a month ago Android made the news because of the Dream Droid Lite set of malware, an encore to the Dream Droid set from a month before that.  Now we have a new round of Android malware. </p>
<p>Similar to the Droid Dream this new malware doesn&#8217;t rely on the user to manually launch the infected app to start it. Like a proper virus the malware can change its next connection time and the command-and-control server the Trojan &#8220;mothership&#8221; uses to communicate with the malware on the infected device. It can initiate an app download and create several install-related prompts that direct the victim to download other apps, send the user to malicious web addresses, and even update itself.</p>
<p>Obviously, Android users can protect themselves by downloading apps only from trusted sources and developers known by name and perhaps rating. In short, the user has to treat their phone as if it were a Windows based computer. I don&#8217;t know about you, but as much as I like the computer-like features of my smart phone, I like that ultimately it isn&#8217;t a computer first, it&#8217;s a phone. I have enough computers in my life to worry about, and I&#8217;m willing to bet most of you do as well.</p>
<p>Without further ado, the latest two stars in the world of Android malware are …</p>
<p>HippoSMS:  Researchers at North Carolina State University found this one on alternative app markets in China.  It&#8217;s designed to run up charges by sending SMS messages to a hard-coded premium-rate number.  Yikes!</p>
<p>Zitmo:  A banking trojan (the name is short for ZeuS-in-the-mobile), this piece of trash poses as a banking activation application and then forwards all your SMS messages to a remote web server, so that the one-time passwords banks send to customers as an extra authentication factor can be grabbed first by the knuckleheads that birthed this crap. </p>
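<p>To make the two patterns concrete, here is an added example (not code from this post, and not the researchers&#8217; tooling) that triages decoded Android manifests and string tables for a premium-rate sender of the HippoSMS kind and an SMS forwarder of the Zitmo kind. Every manifest, package name and string table below is a constructed sample, and the short-code and raw-IP heuristics are assumptions; in practice you would feed it the output of a decoder such as apktool.</p>

```python
"""Static triage of decoded Android apps for the two SMS-abuse patterns above:
a premium-rate sender (HippoSMS-style) and an SMS forwarder (Zitmo-style).
Added example, not code from the post. Every manifest, package name and string
table below is a constructed sample, and the heuristics are assumptions."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed decoded manifests, in the form a decoder such as apktool emits.
SAMPLE_MANIFESTS = {
    "wallpaper.apk": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>""",
    "bankactivate.apk": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.activation">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>""",
    "notes.apk": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>""",
}

# Constructed string tables (what you would pull from res/values/strings.xml or a strings dump).
SAMPLE_STRINGS = {
    "wallpaper.apk": ["Loading wallpaper...", "1066", "http://cdn.example.net/wp.jpg"],
    "bankactivate.apk": ["Enter your activation code", "http://203.0.113.9/gate.php"],
    "notes.apk": ["Untitled note", "https://sync.example.com/api"],
}

# Heuristics (assumptions): premium-rate short codes are short all-digit strings,
# and C&C servers are often addressed by raw IP rather than hostname.
SHORT_CODE = re.compile(r"^\d{4,6}$")
RAW_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}\b")

def permissions(manifest_xml):
    """Return the set of requested permission names without the android.permission. prefix."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME, "").rsplit(".", 1)[-1] for el in root.iter("uses-permission")}

def registers_sms_receiver(manifest_xml):
    """True if any intent-filter listens for incoming SMS broadcasts."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(NAME) == "android.provider.Telephony.SMS_RECEIVED" for a in root.iter("action"))

def triage(manifest_xml, strings):
    """Return a list of human-readable findings for one app (empty means nothing to chase)."""
    perms = permissions(manifest_xml)
    findings = []
    short_codes = [s for s in strings if SHORT_CODE.match(s)]
    if "SEND_SMS" in perms and short_codes:
        findings.append(f"premium-SMS: SEND_SMS plus hard-coded short code(s) {short_codes}")
    if perms & {"RECEIVE_SMS", "READ_SMS"} and "INTERNET" in perms:
        how = ("registers an SMS_RECEIVED receiver" if registers_sms_receiver(manifest_xml)
               else "can read the inbox")
        findings.append(f"SMS-forwarding: {how} and has INTERNET access")
    ip_urls = [s for s in strings if RAW_IP_URL.match(s)]
    if findings and ip_urls:
        findings.append(f"talks to raw-IP URL(s) {ip_urls}")
    return findings

def triage_all(manifests=SAMPLE_MANIFESTS, strings=SAMPLE_STRINGS):
    """Map each sample app name to its findings."""
    return {app: triage(xml, strings.get(app, [])) for app, xml in manifests.items()}

if __name__ == "__main__":
    for app, findings in triage_all().items():
        print(app, "->", findings or "clean by these heuristics")
```

<p>Permission combinations alone only narrow the pile: a legitimate messaging app also asks for SEND_SMS and RECEIVE_SMS, so the string-table checks (a bare short code, a raw-IP endpoint) are what turn a hit into something worth decompiling.</p>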
<p>I understand that choice is an important thing in the marketplace, and that before you install anything anywhere, CAVEAT EMPTOR.  Still, for now I&#8217;m happy that my iPhone and I don&#8217;t have to worry about it. </p>
]]></content:encoded>
			<wfw:commentRss>http://spohnsolutions.com/2011/07/13/android-malware-david-and-goliath-etc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>White List, Black List, Forensics.  Finding a Needle in a Haystack.</title>
		<link>http://spohnsolutions.com/2011/07/06/white-list-black-list-forensics-finding-a-needle-in-a-haystack/</link>
		<comments>http://spohnsolutions.com/2011/07/06/white-list-black-list-forensics-finding-a-needle-in-a-haystack/#comments</comments>
		<pubDate>Wed, 06 Jul 2011 20:13:02 +0000</pubDate>
		<dc:creator>Dan</dc:creator>
				<category><![CDATA[Security Blog]]></category>
		<category><![CDATA[black list]]></category>
		<category><![CDATA[forensics]]></category>
		<category><![CDATA[NIST]]></category>
		<category><![CDATA[RDS]]></category>
		<category><![CDATA[SPAM]]></category>
		<category><![CDATA[VIrus]]></category>
		<category><![CDATA[white list]]></category>

		<guid isPermaLink="false">http://spohnsolutions.com/?p=1573</guid>
		<description><![CDATA[A common theme in information security, since its inception, has been the concept of white lists and black lists. Whether the threat is from a virus or SPAM, typically people start by building black lists. Databases of “fingerprints” for viruses, or known SPAM messages. Eventually the black list gets so large people revert to white...]]></description>
			<content:encoded><![CDATA[<p>A common theme in information security, since its inception, has been the concept of white lists and black lists.  Whether the threat is from a virus or SPAM, typically people start by building black lists.  Databases of “fingerprints” for viruses, or known SPAM messages.  Eventually the black list gets so large people revert to white lists &#8211; that is, assume everything is suspect unless it’s on a list of known acceptable entities.  For example, when the volume of SPAM becomes too great, one sure fire way to block it is to only allow people in your address book to send you mail.  There are even services built around this concept, such as spamarrest. </p>
<p>Recently, the concept of the white list has made its way into data forensics.  So-called “data reduction software” can cut the time it takes to search a system by removing known-good files, such as operating system files, from the set to be examined.  Computer forensics software like AccessData’s Forensic Toolkit automates the screening of files against specific profiles and signatures during a forensic investigation.</p>
<p>When a drive shows up in the office of a computer forensics team, the first thing to be done after imaging the drive is to eliminate as much information as possible from the search, so that the examiner can focus on what’s important.  Limiting the set of information to be studied means more time is spent looking at what matters and less time weeding through the ordinary files that come with Windows or other known software.  In fact, NIST has created the National Software Reference Library (NSRL), which collects software and incorporates file profiles from it into a Reference Data Set (RDS). The RDS is a collection of cryptographic hashes (SHA-1 and MD5, along with CRC32) of the individual files that make up known, traceable software applications; a file is set aside only when its hash matches, never on its name alone, so a system file whose hash does not match is exactly the kind of thing the examiner should look at. It currently contains data for about 11,000 software applications.</p>
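<p>As an added example (not this post’s workflow and not NIST’s tooling), the script below parses an RDS-style hash list in the legacy NSRLFile.txt column layout, hashes every file in a directory tree, and splits the files into known, unknown, and the more interesting third bucket: a file that carries the name of a known-good file but not its hash. The two “system binaries”, the RDS rows and the directory tree are constructed for the demo.</p>

```python
"""Whitelist-style data reduction against an NSRL RDS hash set.
Added example, not the post's own workflow or NIST's tooling. The RDS rows
and the 'imaged' file tree below are constructed for the demo."""
import csv
import hashlib
import io
import tempfile
import zlib
from pathlib import Path

# Constructed stand-ins for two known-good Windows binaries (real ones are megabytes).
KNOWN_GOOD = {
    "calc.exe": b"MZ\x90\x00 known-good calc.exe (constructed)",
    "ntdll.dll": b"MZ\x90\x00 known-good ntdll.dll (constructed)",
}

RDS_FIELDS = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
              "ProductCode", "OpSystemCode", "SpecialCode"]

def build_rds_excerpt(known=KNOWN_GOOD):
    """Emit rows in the quoted-CSV layout of the legacy NSRLFile.txt
    (the product and OS codes here are placeholders)."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(RDS_FIELDS)
    for name, data in known.items():
        w.writerow([hashlib.sha1(data).hexdigest().upper(),
                    hashlib.md5(data).hexdigest().upper(),
                    f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
                    name, len(data), "1", "WIN", ""])
    return buf.getvalue()

def load_rds(text):
    """Index an NSRLFile.txt-style CSV as {SHA-1: {file names seen with that hash}}."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        index.setdefault(row["SHA-1"].upper(), set()).add(row["FileName"].lower())
    return index

def sha1_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte files need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()

def reduce_tree(root, rds):
    """Partition every file under root into known (hash in the RDS), suspicious
    (name collides with an RDS file but the hash does not match, the signature of a
    trojanized system file) and unknown (everything else, which is what gets examined)."""
    known_names = {n for names in rds.values() for n in names}
    out = {"known": [], "suspicious": [], "unknown": []}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if sha1_file(path) in rds:
            out["known"].append(rel)
        elif path.name.lower() in known_names:
            out["suspicious"].append(rel)
        else:
            out["unknown"].append(rel)
    return out

def demo():
    """Build a tiny 'drive image' in a temp dir and reduce it; returns the partition."""
    rds = load_rds(build_rds_excerpt())
    with tempfile.TemporaryDirectory() as image:
        sys32 = Path(image, "Windows", "System32")
        sys32.mkdir(parents=True)
        (sys32 / "calc.exe").write_bytes(KNOWN_GOOD["calc.exe"])
        # Same name as a known-good file, different bytes: the name match must NOT whitelist it.
        (sys32 / "ntdll.dll").write_bytes(KNOWN_GOOD["ntdll.dll"] + b"\x00patched")
        docs = Path(image, "Users", "dan", "Documents")
        docs.mkdir(parents=True)
        (docs / "invoice.pdf.exe").write_bytes(b"MZ dropper (constructed)")
        return reduce_tree(image, rds)

if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

<p>Two caveats a practitioner would attach to this: the NSRL set is a list of known files, not certified-good ones (it includes things like hacking and steganography tools, so a hit means “already catalogued”, not “harmless”), and the match must be on the hash, because a file called ntdll.dll sitting in the right directory with the wrong hash is a lead, not noise.</p>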
<p>At Spohn Consulting we employ a similar technique when searching a client’s network for malware.  We have a database of known-good ports, and after we collect information from all the hosts on the network we can rather quickly eliminate the fingerprints of known-good services and processes, which lets us focus on what isn’t normal.   </p>
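<p>Here is what that comparison looks like in code, as an added example rather than Spohn’s own tooling or data: the baseline triples and the collector output are constructed, and real input would come from something like <code>netstat -anob</code> on each host. It also shows why the match should be on the (protocol, port, process) triple and not on the port alone.</p>

```python
"""Known-good service baseline for a network sweep, in the spirit of the post's
port/process whitelist. Added example, not Spohn's own tooling or data. The
baseline triples and the collector output are constructed samples."""

# Baseline of (protocol, port, process) triples considered normal on this network (assumption).
BASELINE = {
    ("tcp", 135, "svchost.exe"),
    ("tcp", 445, "System"),
    ("tcp", 3389, "svchost.exe"),
    ("tcp", 80, "httpd.exe"),
    ("udp", 53, "dns.exe"),
}

# Constructed collector output: one listening socket per line,
# "host proto local_address pid process" (the shape a netstat -anob style collector yields).
COLLECTED = """\
ws01 tcp 0.0.0.0:135 804 svchost.exe
ws01 tcp 0.0.0.0:445 4 System
ws01 tcp 0.0.0.0:3389 1120 svchost.exe
ws01 tcp 0.0.0.0:4444 2932 svchost.exe
ws01 tcp 0.0.0.0:80 3100 msiexec.exe
srv02 tcp 0.0.0.0:80 1440 httpd.exe
srv02 tcp 0.0.0.0:445 4 System
srv02 udp 0.0.0.0:53 1016 dns.exe
srv02 tcp 0.0.0.0:8080 2200 updater.exe
"""

def parse(collected):
    """Yield (host, proto, port, pid, process) for each listener line."""
    for line in collected.splitlines():
        if not line.strip():
            continue
        host, proto, addr, pid, proc = line.split()
        yield host, proto, int(addr.rsplit(":", 1)[1]), int(pid), proc

def anomalies(collected=COLLECTED, baseline=BASELINE):
    """Drop every listener whose (proto, port, process) triple is in the baseline and
    return what is left, per host, with the reason it survived the filter."""
    known_procs = {proc for _, _, proc in baseline}
    out = {}
    for host, proto, port, pid, proc in parse(collected):
        if (proto, port, proc) in baseline:
            continue  # known-good service: drop it from the analyst's view
        reason = ("known process on unexpected port" if proc in known_procs
                  else "unknown process listening")
        out.setdefault(host, []).append((f"{proto}/{port}", proc, pid, reason))
    return out

def anomalies_port_only(collected=COLLECTED, baseline=BASELINE):
    """The weaker check: whitelisting by port alone. Anything squatting on a
    'normal' port such as 80 or 445 slips through, which is why the triple matters."""
    ports = {(proto, port) for proto, port, _ in baseline}
    out = {}
    for host, proto, port, pid, proc in parse(collected):
        if (proto, port) not in ports:
            out.setdefault(host, []).append(f"{proto}/{port}")
    return out

if __name__ == "__main__":
    print("triple match:", anomalies())
    print("port only:   ", anomalies_port_only())
```

<p>On the sample data the triple match surfaces msiexec.exe listening on port 80 of a workstation, which the port-only check silently accepts. Process names are a weak key on their own (malware is happy to call itself svchost.exe), so a stronger baseline keys on the executable’s path and hash as well, which ties this back to the hash-based reduction above.</p>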
]]></content:encoded>
			<wfw:commentRss>http://spohnsolutions.com/2011/07/06/white-list-black-list-forensics-finding-a-needle-in-a-haystack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

