The Daily Incite - August 22, 2006 (#100!)
Good Morning:
Holy time elapsing Batman, today The Daily Incite hits the century mark! Unbelievable really. Feels like yesterday I had this wacky idea to do a daily newsletter to keep folks in the know about what was happening in the security business. DAILY NEWSLETTER?!?!?! They thought I was nuts, and some days I think I am. But I've had a lot of fun with it and I hope it continues to provide value. I'm sure you'll let me know the day it doesn't.
In security-land, the highest profile story is the AOL folks getting canned over the privacy breach (here). Some folks (like Steve Gillmor here) think this is moving in the wrong direction. I disagree. There must be consequences to stupidity, or else it continues to happen again and again and again and again. You never like to see someone lose their job, but there are some lines you cannot cross. And AOL crossed them.
There continues to be a lot of activity around the Mac wireless exploit. Rich Mogull picks apart the words of everyone's announcements in excruciating detail (here) and can envision a scenario where everyone escapes unscathed. That would be an interesting outcome for sure.
Have a great day. It will be pretty quiet on the blogging front this week. No worries, just catching up a bit on client work and attending to some family matters. But I'm also recharging for a flurry of blogging to happen in the next couple of weeks.
And just a gentle reminder to tell your friends about TDI. Many of you already have and for that I thank you. For those of you that haven't, what are you waiting for? Unless you like them coming to you because you are in the know...
Top Security News
Test DR and test it again
So what? - There will be great lessons learned from this week's Strong Angel III disaster simulation. We'll get a better idea of what works and what doesn't when the infrastructure and community are in turmoil. Obviously, we never want to actually have to use these skills, but in the world today it would be foolish to assume that you won't. There are also lessons to be learned in the business community as disaster recovery is usually a document on a shelf somewhere gathering dust. If you don't exercise the process and test the systems, they won't be there when you really need them. I've learned that the hard way quite a few times. Hardware fails, users make errors, and accidents happen. If you aren't prepared, you are putting your business at risk.
http://www.informationweek.com/story/showArticle.jhtml?articleID=192202134
Technorati tags: disaster recovery, Strong Angel III
AOL CTO takes a bullet
So what? - Maybe I'm heartless and insensitive (as one of my first bosses observed), but I think the public execution of AOL's CTO and two other minions sends the right message. As I mentioned above, Steve Gillmor doesn't quite agree, but that's OK. We as an industry talk about "self-regulation" and for AOL to skate away after such a massive blunder with a "sorry" is just insufficient and would raise the antenna of the regulators - which is exactly what we don't need. We need to see a couple of heads on a stick, paraded around the public square to make sure people understand AOL takes the matter seriously. They've got to win back customer confidence, and doing nothing was not the way to do that.
http://www.insurancetech.com/news/showArticle.jhtml?articleID=191902427
Technorati tags: AOL, privacy breaches
Secure Linux getting easier
So what? - Being a fan of layered security architectures, you want to have adequate protection at the perimeter - but also in the data center and also the endpoint devices. There are lots of options for endpoint and server protection for Windows servers, but locking down Linux was less packaged. Knowledgeable Linux admins lock down the OS as a matter of course, but given the increasing popularity of the open source OS, not everyone can be termed as "knowledgeable." The folks that provide the Linux distributions have to help out more on that front and that's what Novell is doing by continuing to invest in their open-source AppArmor framework. Ensuring rogue applications don't "root" the server is critical to protecting the integrity of applications, so the sooner these offerings mature, the better it is for the non-Windows folks out there.
http://www.securityfocus.com/brief/284
Technorati tags: secure Linux, Novell, AppArmor
This device will self-destruct in 30 seconds
So what? - Given all the recent privacy breaches, endpoint data protection has become a much higher priority for customers. There are a bunch of options to both encrypt data and subsequently wipe a disk remotely if it falls into the wrong hands. But what about smart phones and PDAs? Not so much. I personally password protect my Blackberry and have a strong enough password that I'm reasonably confident that it won't be nailed in the 10 tries someone gets. But I also don't have much of note on there either that would get me in trouble. This new product from a company called Synchronica is one of a group (also including Bluefire and Trust Digital) that blows up the data on a PDA. The interesting thing is that with Synchronica's offering the speaker starts wailing after 30 seconds. Kind of creates a real disincentive for the bad guys, which is cool. I can't imagine this is too hard, so you'll likely see the other folks add similar capabilities in the near term. Jeff Hayes also covers the topic here.
http://securityblog.itproportal.com/?p=435
Technorati tags: PDA security, Synchronica
Get me one of those ISS time machines
So what? - Looks like ISS wants to be back in the endpoint security game. I haven't heard about their Proventia Desktop (formerly BlackICE) stuff for quite a while, guess they were too busy trying to upgrade their RealSecure installed base to the appliance. But now that they've largely done that (where it's going to happen) they are refocusing on the desktop side by adding BitDefender AV to Proventia Desktop by early 2007. EARLY 2007? Jeez, perhaps they missed the fact that all of their competitors (notably CheckPoint, Symantec and McAfee) have had a bundled endpoint solution for YEARS. And to announce it now is also interesting. You tend to pre-announce technology when you are early in the market and want to gain a "thought leadership" perspective. Or when you are very late and trying to keep existing customers from buying something else. Hmm. Yo comprende.
http://www.iss.net/about/press_center/releases/US_BitDefender_08212006.html
Technorati tags: ISS, endpoint security
Top Blog Postings
Mogull's take on the Mac wireless hack
Note to self, don't sue Rich Mogull. The venerable analyst goes medieval on all of the text having to do with the Mac wireless exploit to try to discern the truth that is buried in there somewhere. He pulls the text apart as I've seen few lawyers be able to do and comes to the conclusion that all of the parties can escape with their reputations intact. I personally think that Apple is going to get a bit of a bloody nose in the end because they are playing word games to confuse the issue. I also think that within the next couple of days all of this will come to a conclusion.
http://securosis.com/2006/08/21/another-take-on-the-mac-wireless-hack/
Technorati tags: Mac, wireless security
Do you really need that laptop?
Given the recent issues with air travel, this is a question we need to start asking ourselves. Your users will say HELL NO, you aren't taking my laptop. But what if traveling with one is no longer an option? Is your security infrastructure in a place where you can support remote desktop securely from a kiosk or hotel room device? What are the risks of the U3 devices that allow you to keep your "desktop" on a thumb drive? Of course the infrastructure (ubiquitous devices and network) isn't there yet to support no laptops, but it will be. And besides the flight time, where I tend to be reasonably productive, what would I really be missing without the laptop? Perhaps a few trips to the chiropractor. This is not a short term discussion, but it's something we should be thinking about.
http://www.informationweek.com/blog/main/archives/2006/08/laptops_are_we.html
Technorati tags: laptops
Big acquisition - Mediocre results
There are exceptions to every rule, but in this post Don Dodge makes a pretty compelling case as to why start-up valuations in every technology sector will be coming down. I've been saying this for a while, and it's nice to see a guy with a pretty significant check book (Don works in corporate development for Microsoft) make a similar case. It's hard to find enough synergy to make a big deal pay off, so the risk is dramatically reduced by doing smaller deals. It's the folks like Microsoft and Cisco that can do multi-hundred million dollar deals, but they don't very often. They are more interested in technology and at an early stage, so it can be more easily integrated into other stuff. If anything this is a key insight into what's going to happen in security. There are A LOT of security companies. There are NOT that many buyers that can (or want to) do big deals. Revisit Econ 101 if you are still confused about how this movie ends. I'll give you a hint, it has to do with supply and demand.
http://dondodge.typepad.com/the_next_big_thing/2006/08/synergy_rarely_.html
Technorati tags: M&A
And I thought I was pessimistic
You've got to love the Brits. They make me look like a sunny optimist. This survey of 500 UK SMBs shows 58% of them think they'll have a security breach over the next year. But as we learned at the end of Terminator 2, the future is not determined. So you can take action today and make sure you aren't the one that gets nailed. Remember that the bad guys go for the path of least resistance. You don't need to be bullet proof, just more secure than the guys that are virtually next door.
http://tinyurl.com/jchpa
Technorati tags: information security
Recently on the Security Incite Rants Blog
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-08-21