At night, the ice weasels come.
Loosely Typed in Ohio

General: More great opportunities at CoverMyMeds

CoverMyMeds is looking for entry level account managers.

General, Networking/Systems, Security: The New York State Cyber Security Conference, Day 2

My second day of the New York State Cyber Security Conference was equally engaging as the first – dare I say thrilling at times. Before I share some of the meat, I’d like to again compliment the conference staff on an excellent program. What an absolute gem and a bargain ($50 public, $150 private). If you’re into information security I highly recommend a visit; June 9-10 2010 have already been set aside. You’ll see me there.

Our keynote to start the day was delivered by Raphael Perl, Head of the Action Against Terrorism Unit, Organization for Security and Co-operation in Europe (what’s with these titles? sheesh) who discussed global cybersecurity challenges for practitioners as well as the emerging threats and tactics of terrorism in cyberspace.

One of the items I thought most interesting was the explanation of the overall approach on a political and military level. From a political perspective, it’s becoming understood and accepted that security is a global challenge requiring international information sharing. But the military is resisting, instead preferring to stay separate and secretive. As I pointed out on day 1, Philip Reitinger and others plainly state the biggest issue we face is hackers and other baddies becoming much more organized and globally sharing information at a rate the good guys can’t match. It would seem to me the military approach is destined for failure, and Raphael Perl made it clear he believes the same. Here are a few other interesting points or facts from the discussion:

  • Last June, 1 billion PCs were in use worldwide. By 2012 this will double to 2 billion.
  • 200 billion email messages are sent every day; Cisco estimates 90% of them are spam.
  • There are currently 3,000-5,000 active websites that are run by terrorists or are terrorist-affiliated.
  • In a non-scientific poll of sales at a major computer store, 10% of home users bought antivirus software with a new PC purchase. Business users bought it 90% of the time.

He devoted a lot of time to discussing the potential threat to cyberspace posed by terrorists. He believes terrorists are actively planning to disrupt the Internet, and will launch an attack in conjunction with a real attack or a major national disaster. The goal is interrupting services right when many need them most. He believes the information sharing and readily available tools built by hackers will help facilitate these attacks, as any cyberattack can be easily copied by terrorists. However, it was also made clear that not all experts agree with his opinion. Overall I found the discussion very intriguing and certainly worthy of deep future interest.

Day 2 tracks were Five Common Mistakes in Securing Web Applications; Are You Googling Your Privacy Away?; Are You Prepared for Data Loss; and PII (personally identifiable information): Taming the Beast (AKA how to discover and secure PII). Just like yesterday, they were all engaging and very well presented. The Google talk was particularly thrilling – yeah, I said thrilling. It’s incredible how much private information we give away to Google in exchange for their services. If you know me, you know I’m not afraid of talking about how much Google scares me. When it’s all laid out for you in a short presentation it’s even more resonant.

  • Google is better than everyone else at screwing you and your privacy.
  • Their cookies auto-renew every time you use any service.
  • They’ve essentially built the best surveillance system ever created. You are a GUID (Google User ID), everything you do with them maps to this GUID, and it will follow you until you die. They aim to have a GUID for every person in the world.
  • You readily give Google (and other social networking sites) vastly more information than the police can ask you for.
  • GMAIL really is email for life. According to the ECPA your data is only protected for 180 days; on day 181 Google can give it to law enforcement without a warrant, with barely a formal request. Our DOJ is working on deprecating the 180-day rule.
  • Google has only indexed 20% of the internet.
  • If you use Google Desktop with remote access, everything you have indexed is stored in the Googlesphere. You’re violating HIPAA, PCI, SOX, and most other compliance specifications (oops!).
  • When using Chrome, Google knows every keystroke you type into the browser. Even fields you backspace/delete.
  • They don’t have to ever delete anything you tell/ask them to. Google’s file system is designed not to delete.
  • Does your phone run Android? They know everyone you talk to, where you are, where you’ve been.
  • Goog411 is a slick, free 411 service, right? Actually, you’re training their voice recognition software.
  • Google probably knows much more about you than any government agency.
  • Remember that HIPAA, PCI, and SOX violation stuff? Hope you’re not using GMAIL since it’s stored (and indexed) in the Googlesphere.
  • Yes, they can filter via your GUID and/or IP address and find all of your search terms.

I could go on, and the presentation was less than an hour. It’s freaking scary. Here’s the rest of my juicy tidbits from the day:

  • 60% of the top 100 websites had hosted or were involved in malicious activity in 2008.
  • Of all 2008 vulnerabilities, 58% were from web applications.
  • From the 2008 total, 73% of those classed “easily exploitable” were web applications.
  • Dear developers: Most hackers don’t use browsers to exploit web applications, client-side anything is fail.
  • 80% of internet traffic crosses a Verizon network.
  • In the vast majority of cases when a breach occurred due to a known software vulnerability, the patch had been available for over a year.
  • Top three types of malware are keyloggers, back doors, and capture-and-store programs.
  • The majority of these are plain, un-customized and easily detectable by most antivirus programs.
  • 49% of breaches go undiscovered for months.
  • Verizon Business’s assessment of breach events over three years revealed 82% of organizations captured the attack(s) in logs, but the logs were either too complex or they lacked the tools to filter the data into a useful view.
  • In this period, 69% of breaches were detected by a third party. 24% were detected internally but passively (stumbled upon), and 7% were detected actively.
  • Over 260 million SSNs have been leaked since 2005.
  • There are a few open source tools for scanning/identifying PII.
  • According to the solution methodology presented, 89% of breaches could have been solved by data-at-rest protection (identification and removal, or encryption, etc.)

I have 21 pages of notes and a large list of ideas/tasks taken over those two days. So let me say again what a fantastic event this conference was.

Chris

General: Customer and Data Support positions at CoverMyMeds

We’re looking for new folks to join the team at CoverMyMeds, an exciting new service that helps pharmacies and physician offices collaborate to submit prior authorization requests for prescription drugs. This helps patients get their healthcare needs taken care of, and improves the lives of our healthcare provider users too.

General: I Hate You, Apple Customer Service (Updated!)

Final Update!: A gentleman from Apple Executive Support (I think) just contacted me regarding the case. He was very courteous about the whole thing. I told him the honest truth: that I’m no longer completely enraged but that I just expected someone at the Apple Store to be able to help, or for my return to be given preferential treatment (since it’s a return), but he mentioned that it’s a custom order thing with new hardware. He said they were investigating whether or not they could get something expedited out for me, and I appreciate that. It’s a little weird that I had to go this far up the chain to get an expedite, but it looks like things are in good shape now.

Update!: It turns out that “a day or two at the factory and then overnight shipping” means 7-10 business days. When questioned, the official response from the “AppleCare Support Admin” was “well, it takes a while to build the unit, and we have to ship it from China.” Then why the hell did you say overnight? Also, see the comments for various people trying to defend Apple’s policy.

Like any good Mac tool, I ordered the new 15″ MacBook Pro the day they were announced. I could rationalize the purchase ’til next week, but the bottom line is I wanted a spiffy laptop and I ordered one. I even custom-configured it with a larger, faster hard drive!

That last bit’s important. For want of this hard drive in my defective unit, Apple Support completely shit all over me.


General: OWASP AppSec 2008: Day 3

Today brought us the real meat of the week, conference day one. This is my first industry engagement and I found it quite easy to get registered, figure out where things are happening and understand the lay of the land. Quite a bit happening all at once: three different presentation tracks, a bustling vendor area, many coffee-and-tea stops (which I used frequently!), people moving all around, and just a lot of good energy around the building. To keep this on the lighter side, I’ll bullet out what presentations I chose with a quick comment.

  • DHS Software Assurance Initiatives: A thorough discussion on integrating security into the SDLC with government best practices. Keyed me into a lot of materials I’d like to read!
  • HTTP Bot Research: This was a great talk on botnets, past, present and future, by Shadowserver. A lot of time was spent on the Georgia conflict and looking at the first botnet attack from the U.S. and the second from Russia. I really enjoyed it!
  • Get Rich or Die Trying – Making Money on The Web, The Black Hat Way: This was my (and Jon’s) favorite talk. It was a veiled comic presentation that hammers home business logic flaws.
  • Using Layer 8 and OWASP to Secure Web Applications: Two of the City of New York’s security guys led this presentation on how they’ve developed their software development policies and practices.
  • Industry Outlook Panel: Several big names in corporate security discussed their thoughts on a variety of topics. I really wish it was a double session, 50 minutes wasn’t nearly enough time.
  • OWASP Testing Guide – Offensive Assessing Financial Applications: This was presented by a jet-lagged no-BS Brit who laid out some good testing primer.
  • *cough* we skipped the next hour and a half (nothing we really wanted to hear) to run back to the hotel and grab some great Thai food in the East Village.
  • OWASP Live CD: This turned out to be a lot less on the live CD and a lot more about a beta email phishing project loaded into a VM image. It scared the devil out of me, very powerful software. Apparently scared a few other folks too as it may not ever get released because it works so well.

Finished the night up with the (ISC)2 cocktail hour (free booze!) and they announced a new certification, the CSSLP. Then we took a walk to Times Square again, which is infinitely cooler at night (duh).

Back in and getting rested for tomorrow. Can’t believe it’s nearly Thursday already!

Goodnight from Grand (street)!
