The Daily Incite - September 20, 2006
September 20, 2006 - #120
Good Morning:
I'm getting the newsletter out early today, as I have a morning flight. Got to love those 4:30 AM wake-up calls. As you can imagine, I wrote most of the TDI last night, so I guess we can call this "Yesterday's Incite." Maybe think about this like a Tarantino movie. The timeline may be hard to follow (like the classic Pulp Fiction - one of my all-time favorites), but it sure is entertaining.
In security-land, it pays to track what your bosses are reading. Well, the business related stuff anyway. I've been on the other end of "airline magazine syndrome," which is basically when the CEO reads something in an airline magazine and then knows everything about a topic and feels fit to challenge your strategy and plans. That's a lot of fun. There is always blood spilled and it's usually yours. So I took to paying close attention on my flights to anything that was related to marketing, so I at least knew where the spear was coming from. You may get asked about spam and phishing (here), so be prepared. And don't tell me I didn't warn you.
I also want to point out some AV activity, first with Trend deciding to match Microsoft's pricing for the security suite (here). That's good old market economics at work. The value of a product is the intersection of what a customer will pay and what a competitor will charge for it, not what some predatory pricing hawks think it should be worth. Also check out Michael Wright's rant (here) about the latest IE zero-day, Firefox, and whether Microsoft is the fox guarding the hen house because their AV offering protects against something they haven't patched yet. Seems like a soap opera to me.
Have a great day.
Top Security News
What your boss's boss's boss knows about spam
So what? - I like to read the mass market business pubs (like Fortune and Forbes) because it keeps me in touch with what the muckety mucks behind the mahogany desks fixate on. So when I see a link from BusinessWeek Online about security, I immediately click it to figure out what I'll hear about from contacts in the field (who just got dumped on by their boss). This time it's spam, which is still an issue though less visible. BW goes through some stats about how much spam is out there and the criminal aspect of phishing and the like. They've actually downplayed the situation. Phishing is one vector, but Trojans that are sent around via email are still very much alive. And once the unsuspecting (and yes, stupid) user clicks on that link, they are done. Rootkits aplenty and other nastiness (like keyloggers) get downloaded that make it trivial to compromise accounts. So if your boss's boss's boss doesn't see much spam, that's a good thing. I probably wouldn't bring up those pesky rootkits over that pleasant lunch at the club.
http://biz.yahoo.com/bizwk/060919/tc20060919412904.html?.v=1
Ding Ding! Let the AV pricing battle begin.
So what? - I'm sure the folks at Sunbelt are just gnashing their teeth right now, since Trend went and screwed up their whole Microsoft predatory pricing argument. By matching OneCare's price of $49/yr for 3 desktops, it's now clear that there is LOTS of room to move on pricing for desktop suites and though Microsoft probably won't drop the price more - someone else will. And that's a good thing for consumers and for the market economy. Again, what other technology market do you know that consistently raises prices and does a worse job? Kind of feels like an airline pricing discussion. Microsoft set the bar and now another meets it. We'll see if the rest do likewise, which they don't necessarily need to do because there is a lot of inertia in the AV business. But Symantec and McAfee certainly won't be gaining share by keeping their prices higher.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=193003442
Things to do in DC when you are dead
So what? - Looks like the Department of Homeland Security found someone to take the job of Cyber-security Czar. The guy's name is Greg Garcia and he comes from a DC trade group, so he's a beltway "insider" which he'll need to be to have any kind of hope of getting anything done. Good luck to him. I suspect he'll need all the luck he can find and maybe some divine intervention too. I'm still skeptical, but who knows? I'll suspend belief for a little while until we hear about this guy's plan and strategy. But not that long. I'm not the most patient guy. It would be nice to have some semblance of leadership from the Feds regarding security. Not sure if he's Andy's brother, but if you see Christopher Walken (The man with a plan) walking around, be very afraid.
http://www.darkreading.com/document.asp?doc_id=104118
Sprint goes mobile security
So what? - The carriers are getting into the security game. Be more afraid than if you see Christopher Walken. I guess I'm a bit jaded because I've followed the carriers for the better part of the last 15 years, and not much has changed. So now Sprint is going to issue you software (from Mobile Armor) to load on all of your mobile devices and manage it how? I tend to associate carriers with ultra-mature technologies, you know, things they can manage centrally - like Class 5 switches. If they can't roll it out with a minimum of fuss for a million customers, they are not particularly well suited to that specific market. Doing anything with agents on mobile devices is tenuous on a good day. What happens when something blows up and your CEO's Blackberry goes haywire when closing a billion dollar acquisition? Sure I'm dramatizing a bit, but I guess you'll be hearing that pin drop over the "crystal clear" mobile network because that's about all the customer service reps will be able to do for you.
http://www.symantec.com/about/news/release/article.jsp?prid=20060918_01
Protecting Active Directory
So what? - They say directories hold the keys to the kingdom, and they do. So what can you do to ensure your Active Directory is protected and the data in it is not compromised? Derek Melber's 5 areas to focus on are a start. By ensuring that you have proper policies for passwords, account lockouts, and membership to key administrator groups (enterprise, schema, domain) you'll be closing off some of the low hanging fruit the bad guys use to gain access to the Windows network. Many of these tips are not brain surgery, but they need to be done consistently. That's the secret.
http://www.windowsecurity.com/articles/Top-5-Security-Settings-Audit.html
Top Blog Postings
Much ado about privacy breaches
There is perceived risk and real risk and a huge difference between the two. Every time a laptop is stolen, alarm bells go off. Every dumb organization that allows customer records onto a laptop runs the risk of being the latest vilified big company to mistreat their customers. But is this all much ado about nothing? Given the stats (proffered here by Douglas Schweitzer) only 1% of 500,000 lost customer records by the credit reporting folks have resulted in identity theft. You are more likely to be compromised by losing your credit card or checkbook. I'm not minimizing the seriousness of privacy breaches because there is clearly a PR issue and customers are at risk, and that's not good. But let's at least be realistic about how often these breaches result in identity theft. Guess I feel like picking a fight today, since I'm sure the various Captain Privacy's out there will tell me I'm all washed up.
http://www.computerworld.com/blogs/node/3499
Personal machines should NOT be on your network
Some security managers want to be accommodating to employees, which in concept is not a bad thing. We do exist so they can do their job function (and pay for our hind sections to stay around), but you should be wary of employees that connect into the network from home PCs. One of the key security imperatives is to protect intellectual property. If you let someone connect in and access systems via their home machine, how do you control their activity and more importantly what they do with your data? In this post from Tom Olzak, he goes into both the risks and some of the remedies for controlling these devices and ensuring they don't do damage. I'm totally on board with a blanket policy to prevent personal machines from network access. If an exception is needed, they better have a damn good reason. Just give them a laptop and then they can work 24 hours a day like the rest of us.
http://blogs.ittoolbox.com/security/adventures/archives/the-threat-of-home-pcs-to-your-information-resources-11778
Another Top 5 list on not getting hacked
This time it's White Hat's Jeremiah Grossman providing some rules for the road. First ditch IE. Yeah man. I'm doing great so far. Next, add more security to your browser, like the Google toolbar. Check. Got that too. Don't click on links in email. Hmm. Most of the time I don't do that. But of course, the links in TDI are legit and cool to click on. :-) Protect your web mail. You bet. All over that. Use a single credit card for online purchases. Nope. I have one for home and a separate one for business. Neither of the credit limits is too high and I track the transactions daily via Quicken. So I feel pretty good. How do you feel about your online security? How about your employees? Maybe you can teach them a few of these tricks.
http://jeremiahgrossman.blogspot.com/2006/09/top-5-tips-to-not-get-hacked-online.html
Microsoft and conflicts of interest
Michael Wright here goes on a bit of a rant about Microsoft. He's not alone; there are a lot of folks I interact with that continue to be appalled at the number of severe zero-day threats we deal with every month (or so it seems). So Firefox is not the answer because it isn't enterprise capable and doesn't support all the applications. Huh? Not sure I buy that, but let's play for a minute because this is where it gets good. Then he goes into how Microsoft is evil because their AV customers are protected from this vulnerability and their OS customers are not. This is misplaced angst. Would anyone be calling bunk on McAfee and Symantec if they caught this exploit? Nope. Does that put the impetus on Microsoft to patch quicker? I don't think so, even if they are protecting only one segment of their customer base. They do a monthly patch cycle (or earlier if it's important and ready) and rarely deviate from that. It's not like they are holding this patch up to drive AV sales. Why should Microsoft be treated differently because they now have an AV product?
http://mcwresearch.com/archives/306
Recently on the Security Incite Rants Blog
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-09-19

