PayPal Mobile

PayPal announced their Mobile PayPal offering this week.  Really nothing new here from a technology standpoint as it leverages existing services and the Verisign/PayPal security key.  Why I was interested in the release was the signal that they are putting more resources behind this market.  I am still shocked that payment via cell phone did not catch on like wildfire in US.  Look at adoption rates of cell phones, SMS, twitter and the like, and I would have bet that payment would have been right there with them.  Small dollar, in context, person to person, embedded payments could be easily provided. I saw my first payment via cell phone method in 1996 through one of the major European cell phone providers.  Built a system capable of providing ‘micro-payment’ over the phone in 1997.  Nada. No interest from the public. 

Still, it would be far safer for me to pay for that thing I bought on eBay over the cell phone than using the Internet access for whatever hotel I am usually staying in.  Need remains, so I am very interested in seeing how customers react to this recent announcement.  There are plenty of other companies who offer quality service but struggle with adoption.  Startups like Obopay have done a good job in building awareness and vendor relationships (with banks & telecommunications carriers) needed to succeed in this market.  But while they may be winning the war with the tiny providers like CellPay, Paymate, TextPayMe and countless others, they are at a disadvantage in a couple of ways.  First, these vendors typically build a new payment mechanism, unlike PayPal, who is simply a wrapper on existing infrastructure.  Second, even if they do come up with a novel approach, most likely what they have done is build a blueprint for the larger providers as they are not large enough to make a market.  After 10 years I think we have proven there is not going to be viral adoption, so the smaller players are going to have a very tough time if PayPal’s offering is adopted by their customers, something neither the banks nor the cell providers have been able to leverage.    

Now I am off for a long weekend.  Have a great Thanksgiving Holiday! 

-Adrian

The Network Security Podcast, Episode 129

Martin and I are preparing for Thanksgiving, just like everyone else in America right now. I don’t know about you, but that primarily means I have five days of work to accomplish in three days of the week. So we didn’t organize a guest this week- instead we sat down together (1000 miles apart) and talked about some of the stories that caught our attention over the last couple of weeks. It’s a good show, and we’re out of here until after Turkey Day.

Have a great Thanksgiving!

Network Security Podcast, Episode 129, November 25 2008

Show notes:

Our Annual Black Friday/Safe Shopping Post

Hard to believe we’ve been around to post this yet a third time, but here you go. Our list of advice for shopping safely online this year; and we even updated it this time:

----

Yes folks, Black Friday is only days away and the silly season is upon us. As someone born and bred in good old North Jersey (until I could legally escape), land of honey and shopping malls, this is a time so deeply ingrained into my subconscious that I’ve occasionally found myself sleepwalking around the nearest parking lot, looking for our old wood-paneled station wagon.

These days, thanks to the wonder of the Internet, anyone can experience the hustle and bustle of the Paramus malls from the comfort of their own home. And to help keep your shopping experience authentic, there’s no shortage of cheats and thieves ready to yank your painstakingly chosen gifts right out of the virtual trunk of your web browser. Of course they might take your house with them, which, even in Jersey (despite the legends) is somewhat rare.

In the spirit of safe and happy holidays, Securosis presents our top 6 tips for safe online shopping, simply presented for the technical or non-technical consumer. Some of these tips also apply to the real world for those of you who just can’t restrain the draw to the mall. Spread the fun, and feel free to post your own tips in the comments.

  1. Use a dedicated credit card, temporary credit card number, or PayPal account for holiday shopping. Our first tip is also useful for the physical world- still the origin of most credit card fraud. Take your card with the lowest limit and use it exclusively for holiday shopping. Use one you can monitor online, and check the activity daily through the holidays (weekly at a minimum). Make sure it isn’t a debit card, and turn off any automatic payments (so you can dispute any charges before making payments). Keep tracking activity at least weekly for 12 months after the holidays are over, or cancel the card. DON’T USE A DEBIT CARD!!! These don’t have the same protections as credit cards, and you’re responsible for fraudulent charges. As for temporary credit cards or PayPal, read on to our second tip.
  2. Only use credit cards at major online retailers; use a PayPal debit account or temporary credit card for smaller shops. Sure, you might get a better deal from Billy-Bobs-Bait-Shop-And-Diamond-Wholesaler.com, but many smaller retailers don’t follow appropriate security practices. Those hosted with a major service are often okay, but few consumers really want to check the pedigree for specialty shops. Instead, create a dedicated PayPal account that’s not linked to any of your bank accounts or credit cards. Credit it with as much cash as you think you need and use it for those riskier online payments. Worst case, you only lose what’s in that account, and you can easily cancel it anytime. Another option, depending on your credit card company, is a temporary credit card number for online shopping. These are single use, or single retailer/session numbers that can’t be used again or leveraged to run up your account. Charges still appear on your same bill and are tied to your main credit card account. Check with your credit card company to see if they offer this service, but most of the major card issuers have it as an option. I like these better than account passwords (e.g. Verified by Visa and Mastercard SecureCode) since they work everywhere, and you don’t have to worry about anyone sniffing them.
  3. Never, ever, ever, ever click on ANYTHING in email. It doesn’t matter if your best friend sent you a really good deal in email. It doesn’t matter if it’s your favorite retailer and you’ve always gotten email offers from them. Repeat after me, “I will never click on anything in email.” No special offers. No Ebay member to member emails. No “fraud alerts” to check your account. No nothing. Ever. Nada. Attackers are getting more and more refined in their attacks, some of which are very hard to distinguish from legitimate emails. Spam waves over the holidays are expected to break records this year. When you see an interesting offer in email, and it’s a business you want to deal with, just open your web browser, type in the address manually, and browse to the item, offer, or account area. Email is the single biggest source of online fraud; never click on anything in email!
  4. Update your browser- use Firefox 3.1, IE 7 or 8, Safari 3.2.1, or Opera 9.6. Turn on the highest security settings. Over the past few months or so we’ve seen big updates of all the major browsers to include enhanced security features. Since the Safari update last week, all major browsers include features to help detect fraudulent sites- if you see a warning, shut down the browser and don’t go back to that site. All of these browsers will ask you before installing any software when you visit a site; when shopping, never allow the site to install anything. Either it’s a fraud or they don’t deserve your business. Pay particular attention to plugins to watch video, or free games unless you know it’s a trusted site (both are usually trojans). Most browsers now install with security enabled by default, so we won’t be providing detailed instructions here. Just download them. Now. Then come back and read the rest of this list. We’ll wait.
  5. Download and install NoScript for Firefox. This is a free plugin for Firefox that blocks anything from running in your browser that you don’t allow (like Javascript, Flash, and so on). You won’t need it if you just stick with Amazon, but if you use Google to help you find that can’t-miss Drink-With-Me Elmo, you shouldn’t be trolling the Internet without it. If you don’t want it bothering you all the time, at least use it during your holiday shopping and turn it off later.
  6. Keep your antivirus, firewall, antispam, and anti-spyware up to date. I don’t really care which product you use (and truth be told, we don’t really like most of the commercial ones, and don’t use them on our Macs) but as bad as some of these perform they really are essential on a PC. All users, regardless of platform, should use an email service that includes antivirus and antiphishing. For Windows users, Windows Defender is a good, free additional tool to limit spyware. Right now there’s no known spyware for Macs, unless you’re stupid and start manually downloading things.

These six simple steps won’t stop all fraud, but will significantly reduce both the chances you’ll be a victim, and the damage if you are. Feel free to email them to your friends and family who won’t normally browse a security site like this one.
-rich

More On Why I Think Free Microsoft AV Will Be Good For Consumers

Last week I talked a bit on the decision by Microsoft to kill OneCare and release a new, free antivirus package later in 2009. Overall, I stated that I believe this will be good for consumers:

I consider this an extremely positive development, and no surprise at all. Back when Microsoft first acquired an AV company I told clients and reporters that Microsoft would first offer a commercial service, then eventually include it in Windows. Antivirus and other malware protections are really something that should be included as an option in the operating system, but due to past indiscretions (antitrust) Microsoft is extremely careful about adding major functionality that competes with third party products.

Not everyone shares my belief that this is a positive development for consumers. Kurt Wismer expressed it best:

i doubt you need to be a rocket scientist to see the parallels between that scenario and what microsoft did back in the mid-90’s with internet explorer, and i don’t think i need to remind anyone that that was actually not good for users (it resulted in microsoft winning the first browser war and then, in the absence of credible competition, they literally stopped development/innovation for years)…

what we don’t want or need is for microsoft (or anyone else, technically, though microsoft has the most potential due to their position) to win the consumer anti-malware war in any comparable sense… it’s bad on a number of different levels - not only is it likely to hurt innovation by taking out the little guys (who tend to be more innovative and less constrained by the this is the way we’ve always done things mindset), but it also creates another example of a technological monoculture… granted we’re only talking about the consumer market, but the consumer market is the low-hanging fruit as far as bot hosts go and while it may sound good to increase the percentage of those machines running av (as graham cluley suggests) if they’re all using the same av it makes it much, much easier for the malware author to create malware that can evade it…

That’s an extremely reasonable argument, but I think the market around AV is different. Kurt assumes that there is innovation in today’s AV, and that the monoculture will make AV evasion easier. My belief is that we essentially have both conditions today (low innovation, easy evasion), and the nature of attacks will continue to change rapidly enough to exceed the current capabilities of AV.

An attacker, right now, can easily create a virus to evade all current signature and heuristic based AV products. The barrier to entry is extremely low, with malware creation kits with these capabilities widely available. And while I think we are finally starting to see a little more innovation out of AV products, this innovation is external to the signature based system.

Here’s why I think Morro will be very positive for consumers:

  1. Signature based AV, the main engine I suspect Morro runs on, is no longer overly effective and not where the real innovation will take place.
  2. Morro will be forced to innovate like any AV vendor due to the external pressures of the extensive user base of existing AV solutions, changing threats/attacks, and continued pressure from third party AV.
  3. Morro will force AV companies to innovate more. Morro essentially kills the signature based portion of the market, forcing the vendors to focus on other areas.
  4. The enterprise market will still lean toward third party products, even if AV is included for free in the OS, keeping the innovation pipeline open and ripe to cross back to the consumer market.

Since the threat landscape is ever evolving I don’t think we’ll ever hit the same situation we did with Internet Explorer. Yes, we may have a relative monoculture for signatures, but those are easily evadable as it is.

At a minimum, Morro will expand the coverage of up-to-date signature based AV and force third party companies to innovate. In a best case scenario, this then feeds back and forces Microsoft to innovate. The AV market isn’t like the browser market; it faces additional external pressures that prevent stagnation for very long.

I personally feel the market stagnated for a few years even without Microsoft’s involvement, but it is in the midst of self correcting thanks to new/small vendor innovation, external threats, and customer demand (especially with regards to performance). Morro will only drive even more innovation and consumer benefits, even if it ever fails to innovate itself.

-rich

Selling Security To The Government

When I was with IPLocks in the 2004 time frame, we were exploring the possibility of selling our monitoring and assessment suite into the government. Friends and contacts made introductions, and we began investigating whether there was a need for our solution, and if so, how we would approach tackling that type of relationship. While we knew dealing with the government would be tough, we felt that any organization that is sitting on piles of personally identifiable information and literally hundreds of thousands of databases would be a natural fit for our technology.

After a few months of the analysis process, we decided we couldn’t do it. Too much in the way of time and resources, and too much uncertainty about what we needed to do. Going through the process was simply too long and too difficult for a small company like ours to undertake. We had a technology that could solve problems in different branches of the government, but this is not like the private sector where vendor meets customer, product meets need, and we write up a contract. There are far more demands and restrictions, and the more we learned, the more we felt we were missing basic knowledge of all the steps in the process. Or even what the process was, for that matter, or which systems integrator we should approach- we did not know if we needed to focus on specific branches of the government, nor were we even aware of all the accreditations and certifications our product would need to go through. The risk was too great and we walked away.

This is a common problem and one to be expected. I run into vendors at every trade show in the same boat- a desire and a good technology fit, but not a clue where to start. A couple years ago, my friend Robert Rodriguez helped found the IT Security Entrepreneurs forum with the intention of tackling this type of problem and providing a way to “bridge the gap” between federal agencies and private industry. From his perspective he saw both the desire from the vendor side to participate, but also the need from the government side to have security products that were- how do I say this- from the current decade. But the process does not favor this sort of innovation; rather, it is the larger firms that can afford the time and resources to last through the effort, with the smaller and mid-sized vendors getting filtered out. Smaller firms with innovative technologies typically cannot compete. Various arms of the US Government are supporting this effort to address the problem by offering educational resources and contacts, and the forum’s web site will host much of that information freely to the public.

If you are serious about selling to the government, there is also a conference in March dedicated to this topic, and it is well worth the $400 fee. Past events have had a number of very good speakers from the security industry, academia, DHS, and the US military, along with some very eye-opening comments from the behind-the-scenes administrators who run the procurement side of the process. Once you understand the issues from the other side of the table, it makes what to do and why much clearer. Plus a lot of the VCs, resellers, and system integrators are in attendance. They help small firms avoid common mistakes and wasted efforts, and provide some plainspoken advice on what you need to do to sell to the government. If you have ever sifted through the online tomes of government requirements written in that special form of legalese, you know why this is valuable.

-Adrian

Upgrading to Parallels 4.0

I installed Parallels 4.0 on the iMac last week, upgraded my licenses and converted my bootable images to the new format. It took a while, as the conversion process is slow. While the installation was trivial, I had 4 different bootable images to convert, which took a good 3 hours to migrate even though they were only a couple of gigabytes apiece, and each only has a handful of applications installed. But I had no problems and everything worked fine. There are a couple of subtle changes to the interface that make management of the images a little easier. I have not observed the claimed performance enhancements, but I have not had performance issues in the past, so your mileage may vary.

As the build I used was the one provided right after the official announcement, I was expecting that a new one would be released soon to clear up some small issues that have popped up. Sure enough, build 4.0.3540.209168 popped up today. Problem is I cannot install it. The ‘Continue’ button is grayed out- I tried a couple times, but there are really no options other than to accept and continue, but still I cannot proceed. I cannot imagine something this simple not getting picked up by QA. Anyone else out there having this issue?

-Adrian

Politics And Protocols

Catching up from last week I saw this article in Techworld (from NetworkWorld) about an IETF meeting to discuss the impact of Dan Kaminsky’s DNS exploit and potential strategies for hardening DNS.

The election season may be over, but it’s good to see politics still hard at work:

One option is for the IETF to do nothing about the Kaminsky bug. Some participants at the DNS Extensions working group meeting this week referred to all of the proposals as a “hack” and argued against spending time developing one of them into a standard because it could delay DNSSEC deployment.

Other participants said it was irresponsible for the IETF to do nothing about the Kaminsky bug because large sections of the DNS will never deploy DNSSEC. “We can do the hack and it might work in the short term, but when DNSSEC gets widely used, we’ll still be stuck with the hack,” said IETF participant Scott Rose, a DNSSEC expert with the US National Institute for Standards and Technology (NIST).

Look, any change to DNS is huge and likely ugly, but it’s disappointing that there seems to be a large contingent that wants to use this situation to push the DNSSEC agenda without exploring other options. DNSSEC is massive, complex, ugly, and prone to its own failures. You can read more about DNSSEC problems at this older series over at Matasano (Part 1, Part 2, site currently experiencing some problems, should be back soon).

The end of the article does offer some hope:

The co-chairs of the DNS Extensions working group said they hope to make a decision on whether to change the DNS protocols in light of the Kaminsky bug before the group’s next meeting in March. “We want to avoid creating a long-term problem that is caused by a hasty decision,” Sullivan said. “There are big reasons to be careful here. The DNS is a really old protocol and it is fundamental to the Internet. We’re not talking about patching software. We’re talking about patching a protocol. We want to make sure that whatever we do doesn’t break the Internet.”

Good- at least the chairs understand that rushing headlong into DNSSEC may not be the answer. We might end up there anyway, but let’s make damn sure it’s the right thing to do first.

-rich

How To Become An Analyst

Since I get asked this question a lot:

  1. Call yourself an analyst.
  2. Convince someone to call you an analyst.

Business cards don’t hurt.

-rich

(P.S.- Being a good analyst? Totally different story, although you still start the same way.)

Friday Summary - 11-21-08

After this week, Rich and I are “Home for the Holidays”, with the last of the year’s travel behind us.

We have started work on our Web Application Security Program, and in keeping with our dedication to transparency in our research, we will be posting research notes for comments here on the blog during the next couple of weeks. We’re the first to admit that more of our revenue comes from sponsors/vendors than end users, but we believe that total transparency in our research process can help weed out any overt or subconscious bias and keep us honest. And let’s face it- we want to give you free stuff, and this is the only way I can do that and keep all my dogs fed.

Rich and I are looking forward to avoiding the airports during the holidays and we should be pumping out a ton of research to close out our year.

Now on to the week’s security summary:

Webcasts, Podcasts, Outside Writing, and Conferences:

Favorite Securosis Posts:

Favorite Outside Posts:

Top News:

Blog Comment of the Week:

From ‘ds’, on Building A Web Application Security Program:

Looking forward to this series. I undertook this process last year with much success.

It was something that benefited the business, with an ability to conduct testing more regularly than could be done with externals as well as more affordably. It also provided a nice career path for the technical team members and raised the profile of security as something more than just a specialized system administrator.

We’ve gotten more “good press” with our business leadership on this than most anything else we’ve done.

-Adrian

Security Bloggers Network Revived

Last week the SBN died as Google decided to drop support for Feedburner groups during their transition of Feedburner to Google’s platform.

Alan Shimel worked hard behind the scenes, and the new SBN is hosted over here at Lijit.

Huge thanks to Alan and Lijit for saving the SBN, and please redirect your browsers and readers to http://security.lijitnetworks.com/. It’s a little rough right now, but more updates and fixes should be out soon.

-rich