The Daily Incite - September 13, 2006
September 13, 2006 - #115
Good Morning:
I'm optimistic today because my boy McGruff is coming to help with our little cyber crime education problem (here). We could certainly use the help. I also refer to a bit of security history as well (here and here) because we always need to remember where we've been, as it's instructive in where we are going. And given what we know about how attack vectors have evolved since Sobig, we need to bone up fast because there will be lots of new stuff coming at us in the near term. But it's not really new, is it? It's the same old crap with a few minor nuances. We know how to defend against the old crap, so we should be on our way to defending against the new crap, no? Told you I was optimistic today.
In blog-land, Shimel is upset with me yet again (here). Can you imagine what a saint my wife is? I seem to be able to annoy folks consistently only interacting with them via email once or twice a week. Imagine having to deal with me every day, in close proximity? Yep, better go get her flowers or something.
I also need to highlight what may be the best quote from a blog piece I've ever seen. "You see lying is like crack - a short-term high, but in the end you'll end up naked in front of a dumpster with a crack pipe in an uncomfortable orifice." The Mogull is talking about why you should come clean when something goes wrong (here), but the images that flow through my mind when reading that quote are disturbing. And that's how I know it's a great quote.
Have a great day.
Top Security News
Who remembers Smokey the Bear and McGruff?
So what? - I can still remember watching TV when I was a wee pup and seeing Smokey the Bear cautioning me to make sure to put the fire out and to be careful around matches. To this day I remember that. I'd call that pretty effective. Likewise, I remember McGruff the crime dog talking about personal safety. Everybody loves McGruff. Having a cool character to associate with important lessons is just critical to consumer education. It's great to see the National Crime Prevention Council setting McGruff loose on the problem of educating consumers about cyber-crime. I mean really great to see, because education has been the missing piece. Sure, Microsoft can produce some pretty videos, but no one sees them because they don't have a "character" to appeal to the masses. McGruff is pretty universal and I'm glad he's coming to our little cyber-town.
http://biz.yahoo.com/prnews/060912/sftu065.html?.v=73
Security proactive? - We aren't there yet
So what? - John Dix (editor of NetworkWorld) covers the Security Standard in this editorial. The problem I have with making generalizations like "security is moving from reactive to proactive" is that the folks who speak at conferences like the Security Standard are NOT your run-of-the-mill users. Should we be discussing security in the board room? Of course. Does it happen as often as it needs to? Not a chance. My take is that the auditors show up every couple of board meetings and make the CSO backpedal about what's not getting done. Maybe. That may be optimistic. There are a lot of good tidbits in John's column, and the session where the BT Radianz CFO and CSO got on stage together was great. They showed how the process should work. But do not get the impression that these data points are representative of the broader market. They aren't.
http://www.networkworld.com/columnists/2006/091106edit.html
What security history tells us
So what? - I mentioned on Monday "those that fail to remember history are doomed to repeat it" with regard to 9/11. But it doesn't just stop there; history surrounds us, and those who study it (like me) are better able to detect the patterns when we see them again. And we always see them again. So check out this article, which speaks of the third anniversary of Sobig, the first spam-centric widespread attack. Sobig spawned industries and we are still dealing with the fallout today. I agree with the tone of the article, which is that low and slow are the preferred methods of the bad guys, who are trying to avoid detection. The big difference today? Financial motivation, pure and simple. This is a common theme that I cover because it's a very important nuance. Back in the Sobig days, the objective was chaos. The spammers were making tons of money, but by selling stuff - not by compromising machines. Today the money is in compromising machines. Big difference.
http://www.informationweek.com/story/showArticle.jhtml?articleID=192700775
A good security primer
So what? - While we are on the topic of history, let me point to a good backgrounder on the SecurityProNews site. It's put together by Ken Baylor of McAfee, and he did a good job of presenting the case for why we are seeing more spyware and corporate data theft. He goes into a lot of detail on the still-present 419/Nigerian attacks and breaks up attack vectors into "opportunistic" and "targeted" types. It's an interesting way to break things down. He goes a bit into the hacker methodology and then discusses some best practices to protect yourself. This is a long piece and will take some time to get through, but if you are somewhat new to the business, this is a decent place to start. You'll get a feel for where we've been, how the bad guys are coming after us, and what you can do about it.
http://www.securitypronews.com/news/securitynews/spn-45-20060911EvolutionoftheHackerThreat.html
You sick of NAC? Get ready for (M)AC!
So what? - Just when the backlash against NAC is in full swing, I read this article. Just what we need, another category of product (or more specifically, another use for an existing category) to make sure wireless users are put under the same scrutiny and controlled like their wired NAC counterparts. Let's call it (M)AC for mobile access control. Yet, is this really an issue? A wireless user gets an IP address like everyone else, right? Unless you are an idiot, you route the wireless connections through your perimeter and leverage your directory/domain structure to authenticate and a VPN to provide access to those wireless users, right? And if you've deployed post-admission NAC to protect key servers/resources, then it wouldn't make a difference whether the "last mile" to that specific IP address is wired or wireless, right? So this isn't resonating with me, but maybe I'm missing something. Why do I need a (M)AC to interoperate with my existing NAC to protect what looks to me like just another IP address? Perhaps someone from Aruba (the folks originating this crap) can help me understand why this isn't just more posturing to find another problem that can be solved with a big honking wireless access point.
http://www.techworld.com/security/news/index.cfm?newsID=6831
Top Blog Postings
Just call me the Aesop of vendor angst
As I expected, my friend Shimel got a little hot under the collar about my latest "fable," which is yet another of my consistent attacks on unscrupulous vendors. So let me clarify, because Shimel is as relentless as I am, and my ADD is kicking in about now, so it's time to move on. Most vendors do not know shit about the specific regulations and even less about the underlying industries that they are selling to. Maybe your guys are different. Good for you. There have been way too many times when I'm the smartest guy in the room about a specific regulation. Like I said, the other guys don't know shit. Fundamentally, I don't see enough vendors hiring people from industry to bring that industry-specific knowledge. Most take a junior product marketing person and make them the "expert." They start out knowing even less shit. I so agree that users play the games just like the vendors; your points on that are well taken. They want more for less, or they'll go to one of the 10 other vendors that do exactly what you do. Never have I said users don't play games. But I'm calling out vendor behavior now. At some point I'll see something stupid from users and call them out too. But having driven the turnip truck (great picture, by the way) for many years, I can say I see bad behavior much more consistently from vendors.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/09/todays_rothman_.html
The 21st Century harvest
Back when we were an agrarian culture, it was all about the harvest. That's when you figured out whether you could pay your bills or not. Not much has changed, because in the spam business they are continually harvesting new addresses and putting them to use - blasting them with messages that will potentially compromise their machines and turn them into zombies/bots for eventual monetization. If the bot masters aren't harvesting enough mail addresses, there is a high likelihood they won't be able to afford the payment on the Maserati this month. Oh well. But Dancho points to a project that has set up a bunch of honeypots with the intent of tracking the spammers and bot masters and then using that intelligence to more effectively block the bad stuff. Lots of the anti-spam vendors have similar honeypot networks set up for this purpose as well, but it's good to see a community-driven effort, which hopefully will have broader applicability.
http://ddanchev.blogspot.com/2006/09/email-spam-harvesting-statistics.html
Keeping your shorts clean
As a marketing guy, "keep your shorts clean" was a common Rothman-ism that made its way into the vernacular of most of the folks on my team. I always pushed my teams to do more and do it faster, so inevitably we were going to screw things up. That's life. But as the Mogull points out, it's how you deal with the issue that determines whether you are a hero or a goat. Whether you are a user dealing with an outbreak or data breach, or a vendor having to disclose a vulnerability, coming clean quickly is the only way to do it. Why was Fidelity vilified when that laptop was stolen? Why was ChoicePoint raked over the coals? Why has Oracle lost pretty much all credibility with security folks? They didn't come clean. They don't accept fault and don't communicate a plan to fix it and to make sure it doesn't happen again. You can "lie" or obscure the truth for only so long. The gig will be up and you will be in the can. Maybe "naked in front of a dumpster with a crack pipe in an uncomfortable orifice," maybe not. But it will not be pleasant, that much I know.
http://securosis.com/2006/09/12/liars-always-lose-eventually-or-why-lying-is-like-crack/
Can we win the war on botnets?
Some days I have to work really hard not to fall into a vacuum of depression and misery. When I read posts like this from Darknet, it's all I can do not to just crawl into a hole. Why the drama? I think we are setting the bar too low relative to botnets. Here we see that the folks allegedly working on a solution are shooting to "slow them down." Well crap, why are we even bothering? I'm not sure that we can win the battle either, but why would we set the bar at just slowing them down? Let's talk about how we make bots extinct! Let's wipe them from the face of the earth. It will take a large effort amongst the ISPs (to remove bots from the network), operating system folks (to actually build a better OS that isn't easy pickings for the bad guys) and consumers themselves (to be educated on what not to do). And there are major economic impediments, but settling for a half-ass solution isn't in anyone's best interest. We need to try to solve the problem, not just make it hurt less. I guess my medication is working.
http://www.computerworld.com/blogs/node/3427
Recently on the Security Incite Rants Blog
Symantec and Juniper: A Tale of Two Drunks
Symantec and Juniper become the charter members of the anyone but Cisco club, announcing a deal integrating some SYMC technology into the JNPR perimeter security products. They also made noise about doing some joint selling. But most importantly, this deal got me thinking about my first run-in with Tom Collins. The outcome was not pretty, but at least I still remember it. Not like my first battle with Jose Cuervo, which never made it into the memory banks.
http://securityincite.com/blog/mike-rothman/symantec-and-juniper-a-tale-of-two-drunks
Deals aplenty: Verano/eDMZ, AT&T/USi, Apptix/Mi8
Looks like Monty Hall is back with a vengeance. Another day, another three deals - but only one is really security related, though all have security implications. Check out my snippets on all of the deals in TDI format, just so you weren't lonely during the day.
http://securityincite.com/blog/mike-rothman/deals-aplenty-verano-edmz-at-t-usi-apptix-mi8