PCI DSS 2.0 released


Happy Halloween!


How to Switch to Internet TV from Cable – Step by Step Guide

A little off my normal topic here but this shows how things are changing with regard to television and digital content delivery. This last month I finally rid myself of $180 or so a month by canceling my Comcast service and going digital over the internet. Since many people are trying to save money during the economic recovery I thought you folks might like to know how I did it.

Step 1 – Purchase a Roku Video Player

Buy an HD-capable Roku device with the wireless option. The first time I heard about the Roku, I thought it was pronounced “Rock You”, but apparently I was just thinking of a song. The pronunciation is more like “Row Coo”. Anyhow, I really like the Roku device. It comes with a simple and easy to use remote control and it has lots of digital content available, from content carriers such as Netflix, MBA, Amazon Video, and many other optional channels. I discovered that the Roku unit even has some undisclosed channels that you can add when you’re on their website. The channel list is located here.

Step 2 – Get a Netflix subscription

Next, for only $9.99 a month, Netflix is a great option to get the latest content and movies directly to your Roku. All the Netflix instant movies and shows can be delivered right down to the Roku device. We use this extensively as it provides the HD content that we like to watch, and at only $9.99 a month it’s CHEAP in comparison to full digital cable TV. The only thing I do miss is the live content such as CNN, MSNBC and Fox, but there are always their websites, and I’m sure they’ll jump onto digital delivery as this technology picks up even more steam. The cool thing about Netflix is that you can build lists of things you want to watch on their website and they show up immediately, available to watch on your Roku or other Netflix-enabled devices. We put our Roku unit in our living room since that TV is already HD capable and we like to entertain our guests with the quality it provides.

Step 3 – Playon.tv content service

Once we started using the Roku, I started itching for more content, so I did some research and found a service called Playon.tv which provides content and has an available channel on the Roku device. I bought their lifetime subscription for only $79, a pretty good deal in my opinion. The Playon.tv service is also expandable using their integrated plugins and content scripts. The Roku device also supports the Hulu service, which I promptly added to the Roku. The Playon.tv service does require you to use your computer to be able to obtain the content on your TV devices, so you’ll need to account for the monthly electricity cost (usually around $20 a month), but since my computer was already on 24/7 I didn’t see anything different on my electric bill.

Step 4 – Bring it into the bedroom

Well, at this point I was really happy with my television service in my living room, but we lacked much in the way of TV in the bedroom. We had a Wii game console that I had hardly used in the last year, and we received a CD from Netflix that added a channel to the Wii to get Netflix content. Apparently the Netflix channel is now available from the Nintendo Wii Store, which we later switched to, freeing up the CD slot on the Wii and improving the Netflix Wii Channel interface with search and browsing capabilities. I also found out that using the Playon.tv service was possible on the Wii game console through the Wii Internet Channel, which was cool since then I could watch Hulu on the Wii.

Optional Step 5 – What about local channels?

Now I know I said I got rid of Comcast, my cable provider, but since the cable is still present in my home, I did a little research, and apparently many local cable providers pass the local channels through for free, unscrambled and without requiring a cable box. So I hooked up both of my TVs to the cable and used the auto-programming feature to have the TV scan for channels and, voila, 12 local channels were added to my TV, giving us all the local news that we missed after we went totally digital over the Internet.

Optional Step 6 – Local HD Channels

For the larger metro areas, there are quite a few HD channels available for free over the airwaves. You could easily pick up a digital HD receiver and hook up an HD antenna to get even more channels for free. I’ve yet to do this step but intend to soon. The HD receiver I’m looking to possibly purchase is the Samsung brand.

Cost of Hardware/Services:

$99 – Roku HD Video Player
$160 – Nintendo Wii Game Console
$40 – Miscellaneous cables
$79 (now $54.99) – Lifetime Playon.tv subscription

Total Cost of my Implementation: $378

Monthly Recurring Costs:

$9.99 – Netflix Service

My Total Projected Annual Savings: $1,960


Risk = Threat x Vulnerability x Cost = DEAD

Do we need a new way to measure risk?

Absolutely! The old Risk = Threat x Vulnerability x Cost equation is a great methodology to measure risk, as it takes a common-sense approach to tying value to the likelihood that the value could be impacted. I’m not suggesting that the whole thing be tossed out entirely, but isn’t there a more practical way to measure risk? I’m aiming this article at explaining why it’s dead and what we might want to consider as a more viable way to quantify our risk score.

Top 10 Reasons the old equation is dead

1. Corporations often do not know about all the assets they own.

2. Configuration Management Databases (CMDB) often miss systems that are powered off, sit behind firewalls, or are hidden by other security controls.

3. Configuration Management Databases (CMDB) cannot quantify the value of a system.

4. Security Engineers cannot quantify a system’s value manually, as they do not have the spare cycles it would take to accurately perform the assessment.

5. Auditors do not have enough information from all the system, application, and database owners to assess the value.

6. Applications often share the same infrastructure for storage, network or processing, so a cost cannot be cleanly assigned to one system.

7. To come to a cost value, one must come up with every imaginable loss scenario, which is almost impossible to predict.

8. How do we come up with an accurate value of a system?

9. How do we account for different data types, since they impact the “value” or “cost”?

10. It’s much easier for asset owners to determine the data type that flows through or is stored on a system or infrastructure component than it is to estimate the cost of a breach or the value of an information asset.

My risk equation proposal

New Formula: Risk = Threat x Vulnerability x Data Classification

Proposed Data Classification Values:

Classified = 5
Restricted = 4
Confidential = 3
Internal = 2
Public = 1

Looking at vulnerability management using a data classification weighting rather than some magical cost we cook up would better target our remediation resources and remediation times at the appropriate places. I could even see a tie-in to DLP technologies so that the data classification is automatically fed into the vulnerability management tool, making it automated rather than manually defined by infrastructure, system or application owners. Often, none of these individuals know how valuable their information components are, so security engineers plug arbitrary values into the asset value fields inside their vulnerability management platforms to signify the importance of systems. Feel free to comment.
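As an added example (not part of the original post), here is the proposed weighting applied to a few constructed findings next to the old cost-based score, so the shift in remediation order is visible. The 1–10 threat/vulnerability scale, the asset “cost” figures and the error raised for an unclassified asset are assumptions of the example; the classification weights are the ones proposed above.

```python
# Added example, not from the original post: rank vulnerability findings with
# Risk = Threat x Vulnerability x Data Classification and compare the order
# with the old Risk = Threat x Vulnerability x Cost. Findings, scales and the
# asset "cost" values are constructed for illustration.

# Data classification weights exactly as proposed in the post.
DATA_CLASSIFICATION = {
    "classified": 5,
    "restricted": 4,
    "confidential": 3,
    "internal": 2,
    "public": 1,
}


def new_risk(threat, vulnerability, classification):
    """Risk = Threat x Vulnerability x Data Classification.

    An asset with no classification label cannot be scored. Raising here (an
    assumption of this example) surfaces the gap instead of silently letting
    the finding sink to the bottom of the remediation queue.
    """
    weight = DATA_CLASSIFICATION.get(classification.lower())
    if weight is None:
        raise ValueError(f"unclassified asset: {classification!r}")
    return threat * vulnerability * weight


def old_risk(threat, vulnerability, cost):
    """The equation the post argues against: Risk = Threat x Vulnerability x Cost."""
    return threat * vulnerability * cost


def prioritize(findings, scorer):
    """Return finding ids ordered most urgent first under the given scorer."""
    scored = [(scorer(f), f["id"]) for f in findings]
    return [fid for _, fid in sorted(scored, reverse=True)]


# Constructed findings: threat and vulnerability on a 1-10 scale; "cost" is the
# arbitrary asset value an engineer typed into the tool.
FINDINGS = [
    {"id": "web-dmz", "threat": 9, "vulnerability": 9, "cost": 50, "classification": "Public"},
    {"id": "hr-db", "threat": 6, "vulnerability": 5, "cost": 10, "classification": "Restricted"},
    {"id": "file-srv", "threat": 4, "vulnerability": 7, "cost": 100, "classification": "Confidential"},
]

if __name__ == "__main__":
    print("old equation:", prioritize(FINDINGS, lambda f: old_risk(f["threat"], f["vulnerability"], f["cost"])))
    print("new equation:", prioritize(FINDINGS, lambda f: new_risk(f["threat"], f["vulnerability"], f["classification"])))
```

Under the old score the public-facing web host comes first because someone typed a large cost into it; under the proposed score the restricted HR database moves to the top.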


Using procmon.exe from Sysinternals to examine for malware, Trojans and bots.

Security Engineers often do not have the time to perform the in-depth study of a system needed to determine whether malware, Trojans or bot software has been installed on a PC. Given the limited amount of time we all have, we must find creative ways to determine whether a breach of security on our systems has occurred. I suggest that one way to quickly determine if a system is actively compromised is through the use of the procmon.exe tool included in the Sysinternals suite.

Continue reading Using procmon.exe from Sysinternals to examine for malware, Trojans and bots.


Very interesting social network study on identifying trends

I’ve heard several big-name folks on CNBC talk about using the “twitter indicator” to trade. I found that to be an interesting idea and googled it a bit. I found this research paper on social network trend analysis, and it’s quite interesting. I know it may be a little dry, but it’s worth a read for the geeky.

Research Paper: http://www.ickn.org/documents/Web_Science_2%200_Identifying_Trends_through_dSNA.pdf


Using Sysinternals autoruns.exe for System Startup Analysis

Many security professionals need to perform analysis when malware, Trojans or strange behavior is reported on a system. Let’s take a look at the Sysinternals autoruns.exe for performing this analysis. The goal of this blog posting is to try to demonstrate the benefits of the application. Today, I’ll install Sysinternals onto my system in order to properly execute my startup analysis.

Continue reading Using Sysinternals autoruns.exe for System Startup Analysis


California Unemployment (EDD) exposing social security numbers

As many of us already know, corporations and banks have changed the way they provide printed information to customers (at least for the most part). Over the last 10 years corporations have increasingly adopted policies against using social security numbers and personally identifiable information (PII) in their mailed reports, bills or customer invoices. This was primarily driven by privacy advocates to reduce the exposure of customer data and prevent it from being used as a data source for identity theft. The increase in dumpster diving and drive-by mailbox raids made it clear that we had to do something about what we disclose. Our governments don’t always seem to adopt the same protections that we’d expect of our public and private corporations, so I’m hopeful my article will entice the citizenry to contact their government agencies and demand some changes.

Continue reading California Unemployment (EDD) exposing social security numbers


Metasploit Exploit released for Trend Internet Security 2010

I was cruising the Exploit-DB.com site today just to see the latest exploits in the wild and noticed right away that there was a new Metasploit exploit released on October 1st for Trend Micro’s Internet Security Pro 2010. It always chills me when I see exploits for security vendors. I guess I see them as being special or something. Maybe I shouldn’t put them so much on a pedestal, since all programmers can make mistakes. However, the question is: should we expect security vendors to have better security than their customers or other software companies? I wonder if NSS Labs is going to come up with a framework for assessing or certifying security product vendors’ development processes? Hmm, that’d be nice to see.

See the exploit below: