Network Security Blog

The views of one man on security, privacy and anything else that catches his attention

Network Security Podcast, Episode 211

Tue, 09/07/2010 - 8:14pm

Rich is on paternity leave, Zach is caught up at work and Martin is suffering from sleep deprivation, so we brought in Mike Rothman once again to pick up the slack and suffer the slings and arrows of recording a podcast.  We have to apologize for a minor mixup last week: a link to episode 209 was accidentally included in the show notes, so iTunes picked up on that as episode 210.  We fixed it the next morning, but it was already too late for a lot of people.  And despite the fact that Martin is confused and calls this Episode 212 at the beginning of the podcast, it really is 211.

Network Security Podcast, Episode 211, September 7, 2010
Time:  36:03

Show Notes:

Network Security Podcast, Episode 210

Tue, 08/31/2010 - 6:19pm
Rich is off dealing with the joy of fatherhood (again), leaving Martin and Zach to rope Mike Rothman into the podcast for a few weeks. Our news stories are pretty short tonight, thanks to an interview with the one-and-only Jennifer Granick of the Electronic Frontier Foundation. Martin discusses GPS tracking, the DMCA, and more with Jennifer.


We’d also like to welcome Rich and Sharon’s new baby girl…

Network Security Podcast, Episode 210, August 31, 2010
Time:  42:20
Show Notes:

Defcon 2010 Interview: Joe Grand

Sat, 08/28/2010 - 8:31am

I was only able to get a few interviews while I was in Vegas this year.  But one of my favorites was talking to Joe Grand, the creator of all five year’s worth of electronic Defcon badges.  This year’s badge was smaller than previous years but it had some unique and interesting capabilities and it was also the most artistic of them all.  Joe talks about the hardware that went into making the badge, some of the difficulties they encountered (and there are always difficulties) and plans for next year’s badge.  No, I didn’t get a scoop and can’t tell you what it will be, but if Joe Grand is involved, I’m willing to bet they’ll still be really cool.

BHDC 2010:  Joe Grand

Certified Application Security Specialist in job description

Fri, 08/27/2010 - 7:59am

Last year Rich Mogull and Jeremiah Grossman created a little-known certification, the Certified Application Security Specialist or Certified ASS.  To those in the know, or with the intelligence of the average house pet, it should be immediately obvious that this was an April Fool’s joke.  Funny, and it’s been a continuing joke throughout the community, but apparently someone took it seriously enough to actually include it in a job description recently on Craigslist.  And strangely enough, the link I had now leads to the scam page on Craigslist.  Luckily I had the foresight to grab a copy of the post before it disappeared.  What were these people thinking?  Don’t they know they’re supposed to save this sort of stuff for the beginning of April?  The full job description after the page break.
Tired of Coding? Become an Application Security Specialist! (san jose south)

We have an immediate opening for a junior application security specialist (ASS) to join our growing consulting company. This permanent, full-time position is a great opportunity for someone with strong web application development skills that would like to move into the interesting and fun field of application security. This is a highly technical hands-on role that will utilize your web application development skills but involves little coding.

We will provide the right candidate with on-the-job training. The goal will be to quickly teach you how to perform detailed web application security assessments (black-box) and penetration tests by pairing you up with seasoned consultants. We have plenty of interesting projects to work on, including a wide variety of web applications (financial, e-commerce, gaming, etc.) and web services. Longer-term, we will train you to perform security code reviews.

This is an opportunity for a team player who would like to move into a new and exciting field, is ready to get started quickly, and is eager to learn some new skills and have fun while doing so.


Primary Job Duties
• Conducting web application security assessments and penetration tests. These are very systematic assessments which are done using our proprietary methodology, which we will train you on. The assessments involve manual testing and analysis as well as the use of automated web application vulnerability scanning/testing tools.
• Performing source code reviews using automated tools such as Fortify or AppScan Source Edition (Ounce) and/or manual analysis.
• Writing a formal security assessment report for each application, using our company’s standard reporting format.
• Participating in conference calls with clients to review your assessment results and consult with the clients on remediation options.
• Retesting security vulnerabilities that have been fixed and republishing your report to indicate the results of your retesting.
• Participating in conference calls with potential clients to scope out newly requested security projects and estimate the amount of time required to complete the project.

Work Location
Our company is headquartered in San Jose, California. The majority of the work will either be done from our corporate office or will involve driving to client locations throughout the Bay Area. Some of the work will involve travel.

Technical Skills
• Several years of experience developing web applications, preferably hard-core financial, e-commerce, or business applications that face the Internet. (required)
• Knowledge of the HTTP protocol and how it works.
• Experience performing web application security testing and using vulnerability testing tools. (preferred, but we will train the right person)
• Experience with web application firewalls (preferred, but we will train the right candidate)
• Experience with network-level penetration testing (nice to have, but not necessary)

Soft Skills
• Solid written and verbal communication skills.
• Willingness to do hands-on, highly technical work.
• Strong customer focus. The goal should be to make customers happy enough that they ask for you to be sent back to do more work for them.
• Desire to learn new things and become a participant in the local information security community.
• Honesty and integrity.

Other Requirements
• Must undergo criminal background check and drug testing.
• Flexibility to work odd hours at times. For the most part this is a Monday-Friday 8:00 to 5:00 job, but sometimes customers require us to do certain work during weekends or off-hours.

Job Benefits
• Competitive salary including performance incentives
• Reasonable work hours compared with most information consulting firms. We expect employees to work hard and produce results, but we also understand that our employees have a life outside of work and are not a 60 hour per week body shop.
• Company sponsored medical and dental insurance
• Company sponsored training programs and career growth opportunities
• Company sponsored industry certifications necessary for your position (such as CISSP, CEH, etc.).
• You’ll be part of a closely-knit team of dedicated employees.
• Your choice of beer (at the end of the workday)

If you think you’re the right person for this challenging and fun career opportunity, please reply with your resume.


May see you at HacKid

Wed, 08/25/2010 - 9:00pm

Zach Lanier brought up HacKid (pronounced ‘hacked’ I’m told) on the podcast last night and I just realized I haven’t even written a single post on the subject.  My friend Chris Hoff, aka @beaker, is one of the key organizers and Zach is on the committee as well, and this looks like it’s going to be the start of something that’s every bit as fresh and original as BSides, except this time it will be kids who are learning, rather than a bunch of angsty security professionals who felt they weren’t being properly represented at Black Hat (I’m teasing, if that isn’t immediately obvious).

My kids are little geeks, similar to many of your kids in all likelihood.  They wake up in the morning and hop online or start playing on the DSi, or just pick up a book and read.  Their favorite magazines are Make and Science Illustrated.  And some fool introduced them to Japanese (is there any other type?) anime a couple of years ago.  So a convention aimed at teaching them how the Internet works, how to stay safe online and building robots really appeals to them.  Add to it that the convention is happening at the Microsoft NERD center and MIT is just down the street and you’ve got something that budding geeks will find irresistible.

If you’re on the East Coast anywhere near Boston and have kids between the ages of 5 and 17, think about taking them to HacKid in October.  Do keep in mind that every young person must be accompanied by an old person (read: adult guardian), but that each of the classes will likely have almost as much to teach the adult as they do the kids.  Everything is being done on a volunteer basis and the event is organized as a non-profit, so the money is all going to a good cause.  But hurry if you’re going to sign up, the cost goes up from $50 each to $75 next week.

Network Security Podcast, Episode 209

Tue, 08/24/2010 - 8:50pm
The gang reunites this week after skipping an episode and, despite wondering if Rich’s house was going to get blown away to the merry old land of Oz, squeezed out a show — and even included our very first bumper (from our friends over at Eurotrash Security Podcast). Yes, we did cover the proverbial “elephant in the room” (or, in this case, the elephant that ate another elephant for a large sum). Also, remember that we’re always up for taking listener questions, so shoot any our way.

Network Security Podcast, Episode 209, August 24, 2010
Time:  41:30

Show Notes:

Black Hat 2010: Branden Williams, RSA

Sun, 08/22/2010 - 1:33pm

Branden Williams is one of the thought leaders in the PCI field, or at least someone like me who blogs about it a lot and hopes others find value in our thoughts.  I had a few minutes to catch up with him at Black Hat, where we discussed what he’d seen at Black Hat as well as the upcoming changes to the PCI DSS.  It appears that not much has changed since our talk and that the conclusions that we drew still remain consistent with what the PCI Council has released since then.  Pardon the background noise, we accidentally chose what we thought was a quiet corner but turned out to be one of the major staff entrances and exits.

Black Hat 2010:  Branden Williams, Director of Security Consulting, RSA

How would I write a framework to replace PCI?

Sat, 08/14/2010 - 8:42am

I’ve been working in and around the payment card industry for over four and a half years now.  A year and a half working for a service provider and seeing the worst of credit card storage possible and three years of performing Payment Card Industry Data Security Standards (PCI-DSS) assessments have shown me both the best and the worst of how merchants, service providers and other entities protect our cardholder data.  I’ve seen, and made, huge mistakes in implementing and securing cardholder environments.  I’ve assessed clients who’ve gone far beyond the requirements of PCI to truly secure their networks and I’ve seen administrators struggle to get even the most basic security measures in place because they don’t have the resources to do more.  Throughout all my experiences the one thing I’ve always been able to do is learn from the failures and triumphs of the individuals I deal with and I think I’ve gained a pretty deep understanding of the credit card systems and some of the things that are required to maintain a base level of security in today’s world.  And when it comes down to it, that’s all a framework like PCI is, an attempt to create a security baseline.

While I do have a lot of experience in PCI, I will never claim to have all the answers to securing a cardholder environment.  I won’t even claim that I understand all the implications of writing a policy and technology framework like the PCI-DSS.  But I do have some ideas around how I’d do things differently if I was writing the requirements.  Boy do I have some ideas.  And I know that I have a lot of friends and peers in the industry who are more than willing to give those ideas a thorough looking over and thrashing to separate the wheat from the chaff and help me winnow out what’s useless from what can really help the industry in the long term.  So over the next couple of months, I’m going to lay out a series on how I’d write the PCI-DSS.  I expect that many of the ideas I throw out will be torn apart, but I want to encourage people to start thinking about how we can change the standards going forward.

One of the reasons I’m starting this right now is that the PCI Council has just released Summary of Changes for PCI 2.0 and changed from a two year to a three year lifecycle.  While the changes aren’t set in stone as of yet and all we have so far is an outline of what these changes are, what we have seen is nothing more than minor clarifications and minimalistic guidance for virtualization.  Since the new changes aren’t fully revealed yet, it’s hard to be too tough on the PCI Council; yet minor changes coupled with lengthening the time between revisions seems to be a plan to calcify the PCI-DSS and protect anyone from having to make major changes to their environments.  I feel there’s been enough time and feedback that this approach is not in the best interest of security nor is it really in the best interest of the public.  Bluntly put, the change to a three year life cycle should have been accompanied by a major revision of the requirements, not the minor tweaks we’re getting.

I won’t call what I’m thinking of PCI; the PCI-DSS is what it is and I can’t change that directly.  What I’ll be writing is just a series of thought constructs based on what I think are the real steps we should be taking to secure the credit card process.  I want to think outside the box that we’re currently in, looking at what we do now and trying to understand how we can do it better without tearing apart the merchants and service providers with additional costs and burdens.  I’m realistic enough to know that anything that requires large amounts of time and money are going to be met with screams of denial and pain.  But I also know we can refocus many of the efforts we’re making now and use the same tools we already have in place more effectively.

I want to start with a few principles that I think everything else should derive from.  And I know even these principles need to be challenged and refined.  The first of these is simple:  Everything flows from policy.   This is currently the last requirement in the PCI-DSS and I have always thought that it was the biggest mistake that was made when the original CISP requirements were written up.  As it stands now, policy is stuck onto the end of the requirements almost as an afterthought, even though in many companies it’s what gives the teams trying to secure the environment the ability to make clear-cut decisions about what is and isn’t acceptable in the cardholder environment.  It’s also very helpful in getting the budget to purchase the tools you need.  Of course, I’ve already had one person tell me that starting with policy is doomed to failure, but this is my framework, so too bad.

The second principle is Keep it simple.  Come on, 200+ requirements??  How many of these are redundant, needless or just a vestige of something that is no longer reasonable to require.  We’re still required to check for a stateful firewall, even though every firewall built in the last 5 (10?) years is stateful.  I’m sure you can think of dozens of other requirements that are similarly outdated and needless.  Why have requirements that are simply placeholders that serve no real purpose?  Once a requirement becomes outdated, it needs to be retired to make room for something more important.

My final principle is Concentrate on results, not technologies.  There are very few things I like to see more in an assessment than a client who’s met with the PCI-DSS in a way that goes well beyond the simple requirement and actually secures their environment.  Andy Ellis, aka @CSOAndy is one of my heroes in the industry because of everything that he and his team have done to secure Akamai.  I need to talk to him to see how much he’s willing to disclose about what Akamai does differently, but let’s just say that his compliance assessments are truly unique and not something you ever want to send a junior assessor to deal with.  My goal is to develop a framework that concentrates on the results we want to see, not the tools you have to have in place to make it happen.

I think I’m taking on an impossible task here.  But my goal isn’t to tell anyone what they’re doing wrong; it’s to come up with alternative ways to meet the same goal, which is securing the credit card process and promoting security for enterprises overall.  I’m going to stumble a lot, I’m going to make mistakes and people are going to tear my ideas apart.  But if I can get you thinking about how we can do things differently, I’ll consider this experiment a success.  I want people to consider what we’re doing now and how we can do it better.  Some of my ideas will be thought of as impossible in the ‘real world’; some ideas will be taken almost directly from the PCI-DSS. And some will be taken directly from friends and peers.  My biggest fear is not being criticized for the effort; my biggest fear is that it’ll be ignored.

Review of PCI-DSS 2.0

Fri, 08/13/2010 - 9:14am

Here’s the most complete review of the changes I’ve seen to the update of the PCI-DSS and PA-DSS to version 2.0 over at the PCI Guru blog.  And a hat tip to John Kindervag for pointing me in the right direction. That’s all for now. 

PCI 2.0 Summary of Changes

Thu, 08/12/2010 - 3:14pm

This morning the PCI Council released the Summary of Changes for PCI 2.0.  And to be brutally honest, so far I’m completely underwhelmed.  Obviously we don’t have the details on what the changes actually are, but the high level view of them makes it sound like there are almost no significant changes.  Strike that: there are no significant changes at all.  There is some clarification and some mention of virtualization, but I was hoping for more.  I wasn’t expecting much more, but I was hoping.

I got to talk to Bob Russo from the PCI Council in July, and he’d hinted at the level of change.  And maybe I’m just not realistic in asking for major changes.  Despite the fact that PCI has been around for a while now, there are still a lot of merchants and service providers who have issues complying.  It may be that the realistic thing for the Council to do is continue to build support and compliance with what they have now, rather than pushing to increase security by making major changes.  Sometimes it is better to accept minor changes you know you can enforce than to try for something grander that you’ll never attain.

I’m hoping to get another chance to talk to Mr. Russo.  I’ve asked nicely, really I have.  I’d like to understand why this is the sum total of changes they’re making before switching to a three year lifecycle.  I’m not sure I’ll like the answers, but I still want to hear them directly from the man who’s in charge of the group setting and managing the PCI Standards.  Obviously, my approval is not necessary, but as one of the people who helps enforce the PCI Data Security Standards, I want to understand the reasoning.

Network Security Podcast, Episode 208

Tue, 08/10/2010 - 7:42pm

This week’s episode was pretty refreshing: rather than covering our usual news stories, we spent most of our time answering some questions from our listeners (that’s you). Please keep ‘em coming, folks; we’d much rather try and help you out than blather about unimportant nonsense in our feed readers. Besides, if you ask enough questions we don’t have to read. Which is good. Because Rich never learned how.

Network Security Podcast, Episode 208, August 10, 2010
Time:  45:27

Show Notes:


Black Hat 2010: Dimitri McKay, LogLogic

Sun, 08/08/2010 - 5:30pm

This year at Black Hat we never got into our normal swing with microcasts of releasing them the same day they were recorded.  On top of that, I didn’t go home after the convention, I went off for another week on the road for work.  Which means I’m only now getting to a point of having the energy and time to edit and post.  Which is a long winded way of saying “Better late than never”.

Dimitri McKay is the Security Architect for LogLogic.  Dimitri and I talk about the Cloud Security Alliance and what it means, as well as touching briefly on the new virtual appliance LogLogic has recently released.  We talk about why we need an organization like the CSA and even dig briefly into what the ‘Cloud’ is.  Not that we can actually define the cloud in less than 10 minutes.

Black Hat 2010:  Dimitri McKay, LogLogic.

Would you let your wife track your movement? I will

Sun, 08/08/2010 - 12:45pm

I make no secret of how much I value privacy.  Which is weird coming from someone like myself who spends so much time on social networking, blogging and generally shouting my activities to the world.  But I control most of that information, which is what privacy is all about in the digital age.  So why am I talking about letting my wife track my every move?  Because I received a press release about the Family Tracker application for the iPhone and iPad, and rather than just go on a diatribe about how such a system could be misused, I have decided that for the next few weeks I will voluntarily give my wife the ability to track the location of my iPhone anywhere it goes.  And since I’m almost never without my iPhone, it means she’ll be able to track my movement at all times.  Besides, she just gave me “the Look” when I asked if it was okay for me to track her movements; allowing her to track me was obviously a healthier choice.

I don’t like the idea of tracking people, especially if they don’t know about it.  The potential for abuse far outweighs the benefits in most cases.  Whether it’s a spouse or parent abusing the tracking, someone abusing access to the vendor or law enforcement legally tracking someone, I get very nervous about what CAN happen.  So when I got the press release for Family Tracker and an offer for promotional codes, I decided it was time to bite the bullet that is my paranoia and see how a tracking program like this is used in real life.

I travel.  A lot.  In the next few weeks I’ll be crossing the country several times and I’ll be gone from home more than I’ll be there.  I post my travel schedule on several calendars around my office, so which city I’m in is rarely a question, and I use FourSquare enough that my location has never really been a mystery anyway.  But I’ve always been in control of both of these methods of tracking, and giving my family a tool to tell where I am almost every moment of the day is a new and interesting experience for me.  I suspect that my wife will look me up once or twice and then ignore the application 99% of the time.  But she has surprised me before.

I’ve set it up so I can track myself and my iPhone from my iPad, so even if my wife doesn’t want to track me, I can still find out more about what the program is capable of.  And unless I do something stupid that involves the police, I doubt anyone else will want to track me.  If anyone really wants to know my whereabouts, there’s more than enough information already on the Internet to find me if someone takes the time.  This will just make it a little easier.

So through the end of the month my little social experiment will be running. After that, we’ll see.  It may be that my wife likes being able to track me.  Or she may just say, “Meh.  If I want to know where you are, I’ll just call.”  I’m almost as interested in seeing how she uses Family Tracker as I am in seeing if she thinks being able to track me is worthwhile.  I honestly don’t know which way she’ll decide.

After the break is the information the folks at LogSat sent me when I expressed interest in their product, which covers several important questions about how Family Tracker works.
Hi Martin,

To help you with the review, allow me to explain a bit more in detail Family Tracker’s GPS settings.

We have 3 settings of operation for the background GPS tracking. In “Driving Only” mode we are actually not powering on the GPS, as the location is being retrieved via the cell towers. The location is updated only when there is a cell tower change (usually while driving). If you do not need super precise locations, we strongly recommend using this setting as it allows for huge battery savings, as the power used by Family Tracker is practically insignificant. As an example, beginning a 3-hour drive starting with the iPhone fully charged results in still having a 97% charge left after those 3 hours.

The “Always On” settings instead do keep the GPS radio in the device on at all times. This results in better GPS accuracy, but will also result in a lower battery life (the charge likely won’t last an entire day). With both the “Always On 1Km” and the “Always On 100m” settings, Family Tracker will continue to update its position even if the phone is stationary in one position (in 5 minute intervals). This will allow you to know that Family Tracker is still running on the phone and that the position being marked on the map is fresh and accurate. This is not possible to do in “Driving Only” mode.

Going back to the “Driving Only” mode, a new update (Family Tracker v2.1) recently became available in the App Store. With this update, when using “Driving Only” mode, we are briefly firing up the GPS for 20 seconds every time we detect the phone has stopped moving. This allows us to obtain a rather accurate position (often within 10-100 meters) as soon as the phone is still, while at the same time continuing to maintain a very, very low battery consumption.

Now to the tracking functionality. The “Locate Me” screen in Family Tracker lets you add users who you wish to allow to track you via the web. If you’d like for someone without an iPhone/iPad to track you, you can add their email address to that “Locate Me” screen. When you do that, the user will receive an email with a link that allows them to track you via the web. Please note that you (the person tracked) are the one initiating the email with the info on how to track you.

If you instead wish to track someone using your iPhone, that is done by adding the person you wish to track to the “Locate Others” screen. When you add the email address of another person running Family Tracker to the “Locate Others” screen, that person will receive a tracking request popup on their phone. While your request is “pending approval”, there will be an orange question mark next to their name. Once they approve the request, you will receive a notification yourself on your iPhone to let you know they accepted your request, and the orange question mark will turn into a green checkmark. In addition, you will also receive an email with a link that will allow you to track that person via the web. Again it is important to note that unless the person being tracked approves that initial request to be tracked, they will not allow you to track them.

In regards to security, you will notice that each time a user is allowed to track another user, we use a unique alphanumeric code (36 possible characters, with a varying length between 16 and 32 characters, allowing for between 8E+24 and 6E+49 combinations) to uniquely identify the tracking request and make it available via the web. In addition the “tracked” person can remove “trackers” at any time from their “Locate Me” screen, which will immediately deactivate the tracking alphanumeric code. Lastly, for privacy concerns we only store in our database the last location reported by the GPS – we do not store a tracking history. We have had several requests to include the speed for that location, as many users have a valid point in asking “I see they are on the highway, I would like to ensure they are still moving and did not crash…”, so we may add the speed value as well in a future version.

I hope this helps,

Roberto Franceschetti
LogSat Software
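The sharing model in the email above (tracking only after the tracked person approves, a per-grant alphanumeric code, immediate revocation from “Locate Me”, and last-location-only storage) is small enough to model end to end. The Python below is an added example, not LogSat’s code: the email describes only the behaviour, so the class, method names, data structures and the sample addresses are assumptions. It also works out the keyspace figures the email quotes (36 characters, 16 to 32 long).

```python
import math
import secrets
import string

# Hypothetical model of the Family Tracker sharing flow described in the
# LogSat email. Not LogSat's code: names, data structures and storage are
# assumptions; only the behaviour (approval before tracking, one code per
# grant, immediate revocation, last location only) comes from the email.

ALPHABET = string.digits + string.ascii_uppercase  # 36 possible characters
MIN_LEN, MAX_LEN = 16, 32                          # code length range from the email


def keyspace(length):
    """Number of distinct codes of the given length (36**length)."""
    return len(ALPHABET) ** length


def entropy_bits(length):
    """Guessing resistance of a code of this length, in bits."""
    return length * math.log2(len(ALPHABET))


def new_tracking_code(length=None):
    """Draw a code from the OS CSPRNG. The emailed link carries this code as
    its whole secret, so a predictable generator would undermine the scheme."""
    if length is None:
        length = MIN_LEN + secrets.randbelow(MAX_LEN - MIN_LEN + 1)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class TrackingRegistry:
    """Who may track whom, plus the single stored location per tracked user."""

    def __init__(self):
        self.pending = set()       # (tracked, tracker) requests awaiting approval
        self.grants = {}           # code -> (tracked, tracker)
        self.last_location = {}    # tracked -> (lat, lon); overwritten, never appended

    def request(self, tracker, tracked):
        """'Locate Others': the tracker asks; nothing is shared until approval."""
        self.pending.add((tracked, tracker))
        return "pending approval"

    def approve(self, tracked, tracker):
        """The tracked user accepts the popup; a fresh code is minted for the grant."""
        if (tracked, tracker) not in self.pending:
            raise PermissionError("no pending request from this tracker")
        self.pending.discard((tracked, tracker))
        code = new_tracking_code()
        self.grants[code] = (tracked, tracker)
        return code

    def revoke(self, tracked, tracker):
        """'Locate Me' removal: every code issued for this pair dies immediately."""
        for code, pair in list(self.grants.items()):
            if pair == (tracked, tracker):
                del self.grants[code]

    def report_location(self, tracked, lat, lon):
        """Keep only the latest fix, as the email says; no history is retained."""
        self.last_location[tracked] = (lat, lon)

    def lookup(self, code):
        """Web view: resolve a code to the tracked user's last fix, or None when
        the code is unknown, revoked, or no fix has been reported yet."""
        pair = self.grants.get(code)
        if pair is None:
            return None
        return self.last_location.get(pair[0])


if __name__ == "__main__":
    for n in (MIN_LEN, MAX_LEN):
        print(f"{n} chars: {keyspace(n):.1e} codes, {entropy_bits(n):.0f} bits")
    reg = TrackingRegistry()
    reg.request(tracker="wife@example.com", tracked="martin@example.com")
    code = reg.approve(tracked="martin@example.com", tracker="wife@example.com")
    reg.report_location("martin@example.com", 37.77, -122.42)  # constructed fix
    print("before revoke:", reg.lookup(code))
    reg.revoke("martin@example.com", "wife@example.com")
    print("after revoke:", reg.lookup(code))
```

Two points the model makes concrete: the figures in the email are right (36^16 is about 8E+24 and 36^32 about 6E+49, roughly 83 and 165 bits of guessing resistance), and because the link is the entire credential, anyone who obtains it can view the last fix until the tracked person removes that tracker, which is why revocation has to invalidate the code on the server rather than rely on the link being forgotten.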

Network Security Podcast, Episode 207

Tue, 08/03/2010 - 5:47pm

Well, Martin, Rich and Zach all survived another trip to Las Vegas and the trio of conventions known as Black Hat, Defcon and Bsides. Our livers might argue that, but we ignored their cries last week and will probably continue to do so. We discuss a few of the presentations we saw, including the GSM and ATM breaking sessions, as well as the new vulnerability in Safari that uses a PDF rendering issue to jailbreak iOS devices, such as iPads and iPhones. And Zach got to be on the radio this week; now Martin is the only one left out.  Tonight’s episode is a little rough; Zach is on a cell phone and Martin is in Texas, so Rich gets to do all the fun stuff for a change.

Network Security Podcast, episode 207
Time: 30:00

BHDC2010: Mary Landesman, Cisco

Thu, 07/29/2010 - 10:30am

Cisco recently released the 2010 Midyear Security Report and I caught up with one of the principal authors, Mary Landesman, Senior Security Researcher at Cisco.  Mary talks about the outcomes of the report and how the security landscape is changing.

NSP-BHDC2010-MaryLandesman.mp3

Headed to Vegas!

Tue, 07/27/2010 - 8:31am

Well, not quite; I have a few more hours of getting packed and work before I head to the airport, but close enough.  But around lunch, I’ll be throwing all my stuff in the trunk of the car and heading for Las Vegas, Black Hat, Defcon and BSides!  I find this trio of events to be my favorite get-together of security professionals.  Black Hat has the slightly more serious, business-oriented presentations, Defcon tends to be a bit outrageous and inflammatory, while BSides is the new kid who’s experimenting with different formats and venues.  If you’re a security professional of almost any stripe and you’re not at least petitioning to attend these events, you need to start.  The networking opportunities alone are worth the cost, and when you throw in what you learn about current threats, it’s not that difficult to justify, especially BSides and Defcon.  Tell your boss you heard about an amazing panel going on Sunday at noon called PCI, Compromising Controls and Compromising Security.

Whether you’re going or not, Rob McMillan over at IDG has done a good job of summarizing some of the key stories you should be watching come out of Vegas this week.  I should be able to get interviews with at least a few of the people giving these talks, so keep an eye out here and on the podcast page for this year’s series of microcasts.  Or if you hate those, you might just want to unsubscribe until next week.  In fact, if you don’t want to hear about the events going on in Vegas this week, you just might want to stop reading most security blogs, Twitter, Facebook and most other social media outlets security folks use for a little while.

Following the Twitter stream, it’s easy to see that there are a lot of security professionals eager to get to Las Vegas, meet with old friends, make new ones and get the party started.  And the parties really are an integral part of the whole experience.  If nothing else, try making it to the IOActive Freakshow Saturday night; if last year is any example of what they have planned for this year, it’ll be worth it if only so you can say you saw it.  Just be careful how much you drink and what you say; you don’t want to be this year’s example of someone who ignored that cardinal rule.

So much for seeing eight hours of sleep a night for at least a week.

Help a man out!

Thu, 07/22/2010 - 12:45pm

Like many people in the security blogger community, Tyler Reguly pays for his blog and other community efforts out of his own pocket.  For the most part, that’s not a big issue, since there are many options for blogs that are free or cheap.  But Tyler does more than just blog; he also hosts Damn Vulnerable Linux on his servers.  Again, usually not a problem, except he got Slashdotted and now has a bill of several thousand dollars to pay!  You can read the whole story and help by donating a few dollars to his cause.  I’ve had a few brushes with the same experience myself, so I can fully understand the panic he’s probably going through.  And on the off chance that he gets more than the bill costs, he’ll be donating the overage to Hackers for Charity.