Category Archives: business

Recuva: Nice windows data recovery tool

Not a professional tool but an easy, quick and free one.

If you just accidently deleted some files on windows or your employee leave the company deleting all his data, well that you get out from trouble quickly.

It also came out in a ‘portable’ version to be loaded from an usb stick drive.

Check Recuva recovery tool

Military contractors going commercial

Most military contractors are suffering from the restriction of government’s budgets for military expenses and are moving into commercial markets, still they have to adjust a lot of things.

Read here a nice analysis from rochtel on how military contractors should adapt their strategy.

Brazilian Electrical Blackout: preview of cyberwar

In 2005 and 2007 in Brazil million of people was targetted by a blackout.

Initially it appeared like an accident.

Now it’s known that was caused by a cyber attack against electricity control systems.

That was just a preview of what a cyber attack in a cyberwar means.

In near future we’ll probably see something like ‘virtual custom offices’ at internet borders, defining what get in and what get out like several “not so democratic” countries are doing.

Does the cyberwar will affect digital rights? Probably yes, even i hope not.

Conventionality is not morality.

During my daily RSS OCD reading I had to deal with this article: it has been written by a “senior anti-virus researcher at Kaspersky Lab’s“. Talk about personal interest.

I wont comment on the practical implications of useless signature based AV’s and how cyber criminals will never need amateur-ish projects to carry on their malicious tactics.

But what is always interesting is watching the very same people who use billion dollar scare tactics to sell you a perfectly useless piece of software (which will give you a false sense of security, hence will make you more insecure), talking about ethics.

Hackers Hacking Hackers

Hackers hacking hackers are always pretty fun.

And I am not talking about ZF05 (which was cool reading, even if not as cool as ~El8 was), I am talking about this.

This is big business, this is the American way

43 years old “UFO eccentric” hacker Gary McKinnon just loses appeal against his extradition to the States for computer crimes he committed 7 years ago.

If you’ve lived under a rock during the last few years what this dude did was basically break into .gov computers looking for UFO related material.

Probably the last case of recreational hacking I’ve heard about.

So his case is obviously going to be a classical “Strike one to educate one hundred” kind of message to every hacker attacking american computer systems: we can reach you everywhere you live and have you extradited to our country where we will sentence you to life in prison.

Unless you are a multi millionaire cyber criminal living in Russia or a chinese spy, of course.

Iphone jailbreaking crashing towers? FUD!

It’s interesting to read a news about an anti-jailbreaking statement by apple that say that with jailbreaked phones it may be possible to crash mobile operator’s towers:

By tinkering with this code, “a local or international hacker could potentially initiate commands (such as a denial of service attack) that could crash the tower software, rendering the tower entirely inoperable to process calls or transmit data,”

So fun, as the Baseband Processor interface of iPhone is precisely the same of Google android and all Windows Mobile powered devices:

Basically the operating system use AT commands (do you remember old hayes modem commands?) with additional parameters documented and standardized by 3GPP that let more deep (but not that much deep) interaction with the mobile networks.

Please note that those AT commands are standard and widely available on all phones and are the interface to the Baseband Processor.

On iPhone that’s the list of commands that an from apple point of view could let “a international hacker to crash the tower software” :

Undocumented commands on iPhone

Damn, those European anarchist of Nokia are providing publicly also their AT command sets, and are AVAILABLE TO ANYONE:

Nokia AT Commands

Oh jesus! Also the terrorist oriented Microsoft corporation let third party to use AT commands:

Windows Mobile AT Commands

It’s absolutely unacceptable that also RIM, canadian funky against USA, provide access to AT commands:

Blackberry AT commands

And it’s unbelivable to see that Google Android also document how the system speak to the Baseband Processor and find on forums that it’s ease to access it:

Google Android Basedband Processor

Not to speak to ALL other mobile manufactuer that use the very same approach and let any party to speak via AT commands to the baseband processor of the phone.

Is the baseband processor of iphone buggy and the AT&T tower software buggy so that it’s dangerous to let the user make experiment with it?

Probably yes, and so those are only excuse because the software involved are not robust enough.

Apple, be careful, you have the trust of your users because you are apple you always have done things for the user advantages.

Users does like telephone companies that are huge lobbies that try to restrict and control users as much as possible.

If you, Apple, start behaving like a phone company users will not trust you anymore.

Be careful with FUD statements.

chinese espionage: the worst and more silent threat for western countries

Hi all,

in the past few years i saw an incredible increase in the amount of “public” news about espionage against different western countries and usually coming from far-east, typically china.

China want to be the largest economic power within 2020 and it’s following a grow rate of 8% per year. Their “controlled” capitalism without the inefficiency of the democracy it’s something that’s beating the western countries, less efficient because democratic.

China, in order to quickly grow it’s R&D capacity make an extensive use of espionage, it’s estimated that Chinese government have more than 1.000.000 intelligence agents worldwide.

And they know how to do espionage, their “spy” does not cost that much like western countries’ spy, less guarantee, less payments.

Also they are using cyber espionage as an important source of information and competitiveness against western countries companies and government R&D results. China is so un-cooperative that now also western countries spying each other, or even Russian, use chinese internet space as the “start base” for their internet based espionage activities.

I knew of a USA phisher that used to build it’s own trojan with a chinese version of Windows Xp with a chinese version of the Microsoft Visual Studio development suite. Why? For information deception, in order to tweak the forensics effort of the FBI analyst and have them think that it’s own attacks was coming from China!

Any investigators that see an attack coming from china typically think “oh shit, it comes from china, we’re lost”, and now even cybercrime use China like a far-west, untouchable base for cyber attacks.

Back tracing attacks coming from china it’s like trying to find out what’s inside a black hole, it’s a one-way trip and no information comes back.

To give better an idea of what i am speaking about just get the following list of reference:

Germany accuses China of industrial espionage

Chinese trainee goes on trial as French industry fears espionage

U.S. Vulnerable to Chinese Cyber Espionage

Massive Chinese Espionage Network

Cyber Spy Network Also Targetting Finland

How do the western countries defend themself?

That’s a nice points to speak about because there’s no simple way to defend against espionage other than considering it like a serious and concrete threat.

Governments should be able to get more understanding that their approach to informations systems and information security policy must not only exists on paper but also be applied everywhere in order to be effective. Governments are complex organizations and only a few are enough smart to be able to quickly and efficiently make security policies really be implemented organization-wide. But they are trying to, especially the most competitive ones like USA, UK and Germany .

Companies instead should acquire awareness of the problem that is present, available, concrete as concrete is the chance that someone enter into the offices to steal good (not for espionage). For that reason companies place alarm systems, access control with badge, camera monitoring systems.

But espionage does not mean fighting and protecting against poor thieves but instead against more sophisticated, either technically and socially, attacker that can use old school intelligence techniques always effective. Getting employed and stealing information while working. Simulate to be customers to establish a link trust with a salesman and then find a reason to let him execute some malicious software “hey, but my modellization software demostrate that your model used to measure the performance of your product it’s not the one you advertised. Check it out, see your self with the software we used!”. What do you think the salesman will do in order to catch the prospect customer?

Only awareness, knowledge about the issues can make such risk to be considered seriously.

Governments should provide financing to industrial associations, chamber of commerces and similar agencies in order to make such awareness national wide and let entrepreneurs became conscious and became prepared to recognize, identify and stop espionage activities.

The law perspective

Governments should strenghten their laws in order to be able have the required rights tools to enforce the protection from espionage.

Look at the analysis made by my smart cousin Angelo Pietrosanti on espionage “Is the European R&D Equally protected from espionage as in the US R&D?”

Country Civil Sanction against trade secret threat Criminal Sanction against trade secret threat Year of last modificationg
USA 5 mln $ up to 10(for domenistic) or 15 (for foreigners) Years of Jail 1996 (Economic Espionage Act)
Germany YES up to 3 Years of Jail 1986
France 0.03 mln $ up to 2 Years of Jail 1992
UK YES NO 1984
Italy YES up to 2 Years of Jail 1942
Switzerland YES up to 3 Years of Jail 1986
Finland YES up to 3 Years of Jail 1990
Sweden YES up to 6 Years of Jail 1990
The Netherlands YES up to 4 Years of Jail 1992

What this table show?

  • Outdated law (except USA)
  • Not so serious sanctions against espionage activities. (except USA)

Maybe some european policy on this could help.

In conclusion

We are in an economic war where the winner is not the one having more forces, but the one being more technologically advanced, and economically clever.

Chinese are demonstrating to be enough aggressive and clever, will the western countries be able to react both on the defense and the attack in this war?

Criminal business model: Somali pirate case study

Hi all,

this blog post is to have a nice economical point of view on somali pirates business model, something nice as also crime is a business and need it’s business evaluation:

An economic Analysis of Somali Pirates Business Model

It sounds much like a great deal, check it out the details:

The attack model and costs

The negotiation phase (Offer and Counter offer)

The resolution

And for the pleasure of home gamer, Cuttrhouat Capitalism: the game

1st august 2009: Switzerland start realtime internet interception

The intelligence strength is increasing everywhere… also in Switzerland that had a well known privacy protection approach!

Read the WikiLeaks Article

UAE government placing backdoors into Blackberry devices

Nice attempt to place backdoors inside Blackberry devices.

It seems that UAE government wanted to do something nasty placing backdoors trough software upgrades in Etilsat (local mobile operator) blackberry devices, obviously with the cooperation of the mobile operator itself.

Fortunately, the power of the security community discovered and unveiled the facts. Check it out.

Etisat patch designed for surveillance

Wired magazine: Blackberry spies

Security exists only with transparency.

Nokia World in Stuttgard 2-3 September

Everyone who’s business is directly connected to mobile, aggregators, operators and generally speaking mobility application should really attend Nokia World where most of the world key people in the mobile business .

It’s extremely interesting to see the evolution of the business models related to the Application Portals, how the mobile operators are changing their approach to the market, the increasing of value added services related to mobile industry.

And the most important things is, the mobile operators will be able to became financial operators to really provide mobile payment systems integrated into any day digital life?

And if this will happen, how the manufacturer and operating system provider will play this game?

Saas: is the end of the myth?

Saas business models growth a lot during the past few years and i personally appreciate it.

No software to be installed, configured, maintained, service available when you needed with a early adoption time and most important reduction (or apparent reduction) of the total costs of ownership.

I had few experience with SaaS business (as a customer) and i have to say that the following Gartner Group analysis on SaaS businesses imho tell you the truth only for half of statements:

  • There is always a partial integration issue (not all systems are so flexible to really integrate into your business like you would like)
  • There is often a lacks of the technical requirements needed by the specific business case
  • I DO NOT agree that there is a barrier in the costs, as SaaS usually let you start spending only a few. However it’s true that while doing the deployment you should be more conservative in the usage of features and items (es: I am using for my company a hosted VoIP PBX system, we pay for each extension we add. We don’t have test extension or extensions that are not strictly needed because it costs. When we had an internal VoIP PBX system, we was plenty of test extension. This slightly increase some complexity in maintenance and deployment, even if the total cost of maintenance is a lot lower than an internal system to be managed.

So we can assume that Saas it’s for most but not for all, especially if the need of customizations for the very specific business needs are relevant.

An in depth analysis and testing has to be carried on, in order to discover all the limits of the solution, on functionalities and pricing, to really discover if the specific solution fit the business need.

Best advices by world leaders

Today i found a very nice set of 22 ‘best advices’ on Fortune coming from world leaders and i would really like to link there some of the most interesting ones (at least for me).

I think that those suggestion let you work and manage your projects and goals (in any situation you play a leadership role, being business or personal stuff) in a proper, rational and effective way.

Colin Powel: Focus on performance, not power

Jim Sinegal: Show, don’t tell

Mort Zuckerman: Do what you love

Meredith Whitney: Always set realistic goals

Lauren Zalaknick: Listen (others opinion)  

Robin Li: Underpromise and overdelivery (while running a company)

Mika Brzezinski: Use failure to motivate yourself

Mobile platform hacking: worms and botnet from phones?

The hacking community is finally starting seriously auditing and hacking Symbian OS, even if it’s difficult, hard to work on, unpleasant to debug it .

There are so many mobile operating systems (Symbian OS, Nokia S40, Windows Mobile, RIM OS, Mac OS X, Android/Linux, Brew) that a worm/virus being able to leverage a cross-platform vulnerability it’s just a theory.

Trusted computing platforms, security model of J2ME Java only phones (like RIM and S40), digital signature everywhere are all tools that make massive hacking on mobile platform really difficult.

It’s difficult and costly to develop on mobile platforms, it’s difficult and costly too doing hacking on that platforms.

Still look at a very nice achievement of paper from SEC Consult called Pwning Nokia phones (and other Symbian based smartphones) .

Can we expect future worms or botnet on mobile? I don’t expect so, too many different OS with hard-to-beat security model.

And even if a worm would be able to penetrate a single mobile paltform bugs, mobile operators would be able to block it very quickly (compare how many GSM/UMTS operator exists compared to Internet Service Provider?).

The real goal of online marketing: lead generation

Often i discuss about online marketing, however it include the mysterious “marketing” magic word that’s tipically subject to misunderstanding and misconception .

The end goal of online marketing is to generate qualified leads coming from international markets.

Some interesting links about it, and how things should be properly done are below:

I would really like to see an effective leverage of online techniques and tools as the main interface and providers of information, the main pre-sales agent of the company explaining almost everything required to get back a qualified lead.

Voice encryption in government sectors

I will make some in depth articles about how voice encryption really works in government environments.

The open standards and open source still have to reach the military and government environments for what’s related to secure speech.

To give you an idea of the complexity and kind of particular issues that exists, look at the USA 3G Wireless Security: A Government Perspective and the A Waveform Architecture to Support Security and Interoperability in Multi-National Wireless Networks for Tactical Communication .

They are using so-custom protocols like Secure Communications Interoperability Protocol that require the use of patented MELPe ultra-narrowband codec that there’s not a real market of application and equipment using this. Only a small elite of government controlled companies from few countries manage this de-facto lobby.

Should we change this bringing open standards also to government sectors?

Product Management

You know, product management it’s a job for half-fish, half-meat guys, that understand both business needs and technology issues.

I found two amazing and very well done presentations about it, i suggest to read it as it clarify a lot of things of the marketing and technical activities applied to the management of products inside companies to reach the market.

The strategic Role of Product Management

Very in depth presentation. Ask yourself, do you know what’s the differences between marketing and promotions, sales, advertising? How to really manage the core of the company, the product?

Product Management for BrainMates

Very smooth presentation going to the point: A product is the tiny overlap between the needs of a business, the aspirations of it’s development team and the unsatisfied desires of the customer.