Wednesday, January 30, 2013

Is CBS Interactive standing by CNET or exerting too much control?

This is just getting weirder and weirder. I like many of the media sites that fall under CBS Interactive, but I am really beginning to question some of their recent policies and how much control they are exercising over their subsidiaries, given that they originally stated that +CNET would have editorial independence.

First, during CES 2013, CNET voted Dish Network's Hopper with SlingBox integration one of the finalists in its "Best of CES" awards. Because CBS (among others) is suing Dish Network over the Hopper's Auto Hop commercial-skipping feature, CBS decided CNET can't review the Hopper. +Greg Sandoval even quit over the issue. CBS then had to scramble to write an actual policy on the matter.

Second, to keep in line with the new "no review" policy, CBSI told CNET it cannot review the new Aereo Roku app. If you're not familiar with Aereo, they provide a service similar to Slingbox. Basically, they have thousands of tiny aerial antennas for over-the-air broadcasts. These are piped over the internet to your browser or, now it seems, the Roku app. The major networks, including CBS, take issue with this.

On the other side of things, as long as CBS is not in litigation over a product, they seem to be standing by CNET. CBS Interactive is currently in litigation with a group of R&B and hip-hop artists who say CBSI is promoting piracy by reviewing BitTorrent and other P2P software. CBSI is currently fighting an injunction that would prohibit CNET from reviewing BitTorrent software like the new BitTorrent File Sync pre-alpha. At least in this case, they are standing by CNET. That's good, right?

Among all this, CNET says it will still have unbiased news on everything, including things that are in litigation; it just can't review the products.

Tuesday, March 20, 2012

Internal issues still cause more data loss than outside attacks, says report

There isn't much surprise that most threats still come from the inside, whether malicious or negligent. In reality, many of the causes in the malicious/negligent/system glitch categories overlap, and which bucket they land in depends on how you look at them.

Looking at the report, phishing seems to be under malicious, but can this also be classified as negligence? I don't know how many computers I have had to get my techs to clean because someone opened a malicious PDF or file from their personal email. I guess I can see it being malicious, as ultimately the phishing email was crafted by someone with malicious intent, whether it be to get someone's bank account/PII or to breach a company.

Same goes for "theft of data-bearing devices": portable hard drives, laptops, thumb drives, backup tapes, or other items. How many of these are due to someone intent on stealing from a specific company, and how many are due to someone not following policy and leaving a laptop and portable hard drive on the passenger seat while they run inside 7-Eleven for a pack of smokes and to pay for gas? Most of the data on the latter probably never sees the light of day and is wiped before the device is sold somewhere.

Successful SQL injection or website attack? Is this malicious or a "system glitch" because the server admins didn't patch on schedule or follow procedure? Many of these could be one or the other and are probably determined by the investigation and, in some cases, by whatever makes the company look better.

In general, if we could stop users from doing stupid things, and getting them to follow correct procedure, we could probably stop a lot of the current and continuing threats. Of course, the bad guys would just find another way in. :-)

Monday, March 19, 2012

My rant on overhyped RFID Credit Card Hacking

My uncle sent me a link to this video that has been going around lately, and I thought I would post my little rant about this kind of hyped-up information. I'm not saying that it doesn't happen, just that it isn't as prevalent as they want you to believe. It is happening, and technology is always evolving...on both sides of the fence. Remember that the person in the video and the interviews all over the internet is trying to sell you his wallets and credit card sleeves. And the news sites are trying to sell you their version of the news. It's always good to have more information. As they say....The More You Know...

It's always good to protect your cards, whether they have RFID or not. To be honest, I'm more worried about the waiter/waitress copying my card when they take it out of sight at a restaurant than I am about someone grabbing my card through the air. :-) More on my opinion after the video... (Have I used ... enough yet? ;-)

I've been watching this technology for a while now, and while it may seem easy to grab your card info, it is not as easy to use as they are making it look. Plus, the security behind the cards is always evolving. The first generation of cards sent your whole name and everything else along with the date; more recent cards send just enough for the current payment to process. The second piece of security is that every "transaction" sent via RFID has its own unique CVV code that is only good for that transaction. (CVV is the 3-digit code on the back of your card that you need for some transactions.) Because this code is unique to the transaction, any thieves have a limited amount of time to make a purchase, depending on how often you use your card, and can only use it for one transaction. And if they don't use it before you make a purchase, the code of your next transaction will be out of order and alert your credit card company that something is amiss. The list of codes is unique to the card, similar to the SecurID tokens many banks use to protect internal transactions and the government uses for security access.

This is my understanding from what I have read over the last couple of months on the subject from trusted sources in the information security industry, but I have not been able to test it myself. Even so, my wife bought me one of those secure wallets that is supposed to block RFID signals, and I have been able to confirm that it works, as my bus pass will not scan through it, and I carry all of my IDs with RFID chips in them in special containers. I don't currently have any of the RFID credit cards, though not because I have said no to them. As in many things, vigilance is the key and always a good idea. If you suspect fraud, report it. Remember, even though you are not liable for fraudulent transactions, these companies have to pay for them somehow, and it comes back as higher fees from both the credit card companies and the stores we buy from that have had a chargeback because someone else bought something from them using stolen credentials.
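To make the "out of order" check concrete, here is a small added example (my own illustrative model, not code from the video, the card networks, or any issuer) of how the issuer side of a per-transaction code scheme can be verified. It assumes a hypothetical design: the chip and the issuer share a per-card secret, every tap bumps a counter, and the 3-digit code sent with a tap is an HMAC of that counter. Real contactless cards use a different (EMV) derivation, but the shape of the check is the same: the code must match the counter, and the counter must be newer than anything already accepted, so a code captured from an earlier tap stops working the moment the cardholder taps again.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Hypothetical model (an assumption for this example, not the real EMV scheme):
# the card and the issuer share a per-card secret, each tap increments a
# counter, and the one-time 3-digit code is derived from that counter.


def dynamic_code(secret: bytes, counter: int) -> str:
    """Derive the one-time 3-digit code for a given transaction counter."""
    mac = hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


@dataclass
class Card:
    """The chip's view: it only knows its secret and how many times it tapped."""
    secret: bytes
    counter: int = 0

    def tap(self) -> tuple[int, str]:
        """What the card emits on one tap: the next counter and its code."""
        self.counter += 1
        return self.counter, dynamic_code(self.secret, self.counter)


@dataclass
class IssuerRecord:
    """The issuer's view of one card: the same secret plus the last counter it accepted."""
    secret: bytes
    last_counter: int = 0


def authorize(record: IssuerRecord, counter: int, code: str) -> tuple[bool, str]:
    """Issuer-side decision for one authorization request.

    Approves only if the code is the correct one for this counter AND the
    counter is newer than anything already accepted for this card. Checking
    order before the code means a stale counter is declined even if its code
    was genuine at the time it was emitted.
    """
    if counter <= record.last_counter:
        # The "something is amiss" signal from the post: a counter the issuer
        # has already moved past is either a replay or a code used out of order.
        return False, "declined: out-of-order counter (possible replay)"
    if not hmac.compare_digest(dynamic_code(record.secret, counter), code):
        return False, "declined: code does not match counter"
    record.last_counter = counter
    return True, "approved"


def replay_scenario() -> list[str]:
    """Walk through the timeline described in the post and return the issuer's decisions.

    1. cardholder buys something (approved)
    2. a tap's counter/code pair is recorded but not yet presented for payment
    3. cardholder buys something else first (approved, counter moves on)
    4. the recorded pair is finally presented: it is now out of order (declined)
    """
    secret = b"constructed-per-card-secret"  # constructed sample value
    card = Card(secret)
    issuer = IssuerRecord(secret)
    decisions = []

    counter, code = card.tap()
    decisions.append(authorize(issuer, counter, code)[1])

    recorded = card.tap()  # pair emitted now but presented later

    counter, code = card.tap()
    decisions.append(authorize(issuer, counter, code)[1])

    decisions.append(authorize(issuer, *recorded)[1])
    return decisions


if __name__ == "__main__":
    for step, decision in enumerate(replay_scenario(), 1):
        print(step, decision)
```

Two design points worth noting: the issuer never stores the list of codes, only the secret and the last accepted counter, so "the list of codes is unique to the card" falls out of the per-card key; and the comparison uses `hmac.compare_digest` so that a wrong code is rejected in constant time. In a real deployment the issuer would also tolerate small forward gaps in the counter (taps that never reached it) and raise a fraud alert, not just a decline, on the out-of-order case.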

One of my favorite places for information:

Thursday, December 29, 2011

Android Ice Cream Sandwich: When Is It Coming To LG, Samsung, Motorola, HTC, Sony Devices

I'm not always a big Apple fan, but this is one of the things they have done right. Being able to install the new update on an old phone on the day it comes out is a great improvement. So what if my old 3GS (before I sold it) didn't get all of the new hardware features; at least it got the software ones.

One of the things I like about Android is the cheaper phones and the breadth of devices you can choose from. But at the same time, you get what you pay for. My Ascend II is nice, but has minimal RAM and drive space, and I am constantly fighting for space on it. I will probably never see ICS on it unless I wait for some dev to port CM9 (watching the forums weekly but not holding my breath). I like the fact that I was able to buy the phone for $100 with no contract, but again, you get what you pay for.

Sunday, May 8, 2011

Thousands Of Google Images Infected With Malware

-=- This post is in reply to a comment on the Huffington Post article linked at the bottom of this post -=-

There are multiple reasons that ISPs don't run antispyware/antimalware before traffic reaches customers, many of them probably legal. Like Spifflous mentions, they can do DPI (Deep Packet Inspection) to see what is in the traffic, but this would probably have privacy issues. How many people want their ISP sniffing their email traffic for spam or malicious links when it means they also see all of your banking documents or other information in them that you wouldn't want them to see?

ISPs could also run a blacklist on these sites. It takes a lot of work to keep up with the criminals and maintain a constantly changing blacklist. That said, there are companies that do it. I use OpenDNS, which uses crowdsourcing for its blacklist. I like having control over it. The next question would be who controls the blacklist, and what do you do if your site is wrongfully blocked? How about if your site is correctly blocked because of malware due to being hacked, but you fix it? Who determines what needs to be done to have it unblocked? At what point does blocking sites become censorship?

If you want a technical reason, DPI slows down internet traffic. Technology is getting better and there are devices that can do DPI in real time, but they cost more. If ISPs did do this, who do you think would end up paying for it?

Friday, February 13, 2009

ShmooCon, Podcasters and Dojosec oh my!!!

I've been meaning to post this for a couple of days, and finally got around to doing a little write-up on them. As I posted earlier, I had the chance to go to my first hacker convention in Washington DC. In preparation, I did a little bit of research into ShmooCon and started following the Shmoo Group on Twitter. In the process, I picked up a few followers on Twitter, Marcus Carey being one of them. Looking at his information led me to a group of podcasters that were hosting their third annual Podcasters Meetup at ShmooCon: basically a group of security-oriented podcasters that get together to broadcast live from ShmooCon and meet their listeners. Marcus runs a group called Dojosec that was one of the sponsors for the Podcasters Meetup and an event afterwards called Firetalks. Afterwards, we all went to the HacDC party and had a great time getting to know people in our field and doing a little networking for the future. All that from a little bit of research before going to a conference.

Monday, February 9, 2009

Intro Post: What is this blog for?

Hello All, :-)

I've been thinking about starting another blog for a while and seeing what I can put into it. For the moment, this is going to be kind of a catchall of thoughts, links, security bytes and whatever else.

I recently went to ShmooCon and met some great people there. At one of the after-con gatherings, I met some of the DC security space bloggers and podcasters. They podcasted from the con and did something called FireTalks that I will go into in a future post. Anyway, one of the ideas behind FireTalks is to give back to the community. Part of giving back is to give insight and to get your ideas out. In this way, you enrich the community and hopefully get something out of it in the process.

Anyway, the idea of giving back and seeing if anyone will even listen is why I am starting this. That and a place to share some of the junk that is floating around in my head. :-)