Security Karma…

June 21, 2007

Recent reports suggest that the security industry expects a lot from users and designers compared to other industries, and that's the cause of all evil.. as a rephrased quote goes, "Uncertainty and expectation are the root causes of security failure".

What NOT to Expect from Users:

1) Install browser toolbars/plugins.

2) Verify/check security locks, indicators, certificates, extended validation.

3) Not click or download links and attachments sent in email or IMs.

4) Install the latest updates and maintain clean hygiene of the system.

5) Use the same PC for watching p0rn (at least sandbox the p0rn..) and sensitive transactions.

6) Not share/write down their password with friends or coworkers, and change their password at least every month.

7) Not call the VP/CEO for a small (amount) breach in their account; after all, it's hard-earned money..

8) Use strong, different passwords for different accounts.

9) Identify XSS, HTML and JS injections by checking/blocking the sources of the pages.

10) Change their browsing habits.

11) Not use laptops, CDs, DVDs or USB drives to store sensitive data without protection (encryption).

What NOT to Expect from Security people:

1) Not use a homegrown implementation of well-known cryptographic algorithms, or design/implement a homegrown crypto algorithm.

2) Plan for protocol flaws, unexpected errors, and multiple protection mechanisms failing or being bypassed.

3) Externalize client-side components from the trust model, since algorithm, key and data recovery is not very difficult when the attacker has full access to the client software or device.

4) Use multiple layers of protection whenever possible, adding detection and logging at every layer.

5) Compartmentalize data so that a breach will not escalate to other compartments.

6) Design hardware crypto considering the economics of the attack (time, money, skillset) and the life expectancy of the product.


Business Plan for a Phishing 2.0 Startup:

June 14, 2007

Problem :

Around 55 million people, or 44% of internet users, do online banking, and a recent Emperor (read: Gartner) report says 96% of users do not understand security or are confused by the goofy methods security vendors provide.

The Solution:

Phishing 2.0 provides an all-in-one toolkit to cover all types of client-side and channel attacks. Its patent-pending methods include vishing (VoIP), SMS phishing and active MITM (Man In The Middle) attacks for the channel, and platform-independent rootkit-installable Trojans, hardware keyloggers, screen scrapers etc. for client attacks.


Benefits:

  1. Automated phishing attacks can be launched with a single click.
  2. Other features include launching automated DDoS attacks.
  3. The whole ecosystem of phishing under one process.
  4. It's so easy that your mama can also launch an attack..
  5. Leaves no forensic evidence; the FBI will never catch you.


Revenue Model:

Average server uptime of a Home User license is 58 hrs and average uptime of an Enterprise Server license is 19 days; around 200 people give away their identity per attack, and the gain per user is around $532, 10k per attack.

  1. Renting the toolkit on a per attack/hour basis.
  2. Licensing fee from countries to launch DDoS attacks.
  3. User-centric packaging like spear phishing, or launching attacks against a group, site etc.
  4. Industry-specific attacks like IRS, share brokering, fund raising.

Channel partners :

  1. Money laundering agents who act as mules, and non-banking money exchanges (eGold, Hawala etc.).
  2. Outsourcing partners for server maintenance and support, mainly the Rock Phish group, whose average server uptime is 19 days.
  3. Domain registration agents for the different names.
  4. Email harvesters providing 2 million addresses per hour.

Funding Requirement:

100k for lots of bandwidth, 100k for lots of domain space, and 100k for beer and smokes.

Team:

X00r, Founder: Ex-black, white, blue hat. Has been in the industry from phish 1.0 days, famed for launching many DDoS attacks.

Mr. X, Co-Founder: Controller of the 3 biggest botnets on the planet and Trojan writer.

Agent W0lF: Client-side attack vector specialist and web site cloner.

Board of advisors :

Has a great board from the old school, bringing lots of experience on board.