The Daily Incite - September 27, 2006
September 27, 2006 - #125
Good Morning:
Only have time for a quick rant this AM. Kind of an eclectic day in security-land yesterday. We saw a number of reasonably cool innovations. Symantec has figured out how to monitor IRC (here), but what is the impact on how the bad guys will now use IRC, knowing the good guys are likely watching them? We also see a new financing alternative from a small SIM vendor (here), which is interesting since I wonder whether financing software is a good idea given it is upgraded every year or so. We also see Larry Seltzer and me on the same page relative to ISPs needing to step up to the zombie issue (here), and Farnum yearning for days gone by (here).
More later, as I'm working to get a new piece on Security ROI over the finish line this afternoon.
Have a great day.
Top Security News
Review - Data Leak Prevention
So what? - Data leak prevention is hot, baby! It's blowing out the hype meter, as more and more people talk about the need to control content and ensure it doesn't leave the organization, thus violating privacy restrictions and putting intellectual property at risk. But when do you buy and what do you buy? There are 8-10 players now positioning in this market and there will be more. So there are lots of vendors chasing every deal. But there will be lots of deals out there. They tested Vontu, PortAuthority, and Tizor (which does checking at the database level), but more qualitatively and not in a true comparison. Which is fine, because the products are different and only when functionality stabilizes will a head-to-head comparison mean anything. For those of you RSS readers that don't know how to compare products in an early market - you should read my Buying Security Products guide (here) - if you are interested, just send me a note and I'll send it along.
http://www.networkcomputing.com/showArticle.jhtml?articleID=193003538
Dark Vision kills IRC
So what? - I'm torn by the announcement by Symantec of their Dark Vision technology. First, I'm glad they have it and I also understand the Big Yellow has a renewed focus on highlighting their research and showing innovation. But on the other hand, I'm sad that the bad guys now know the tool exists. The key rule of intelligence gathering is to not let the enemy know what tools you have at your disposal. I imagine the bad guys figured someone was monitoring IRC and were probably careful, but many folks likely took the risk because communicating with an army of bots is hard without a mechanism and protocol like IRC. Well now the bad guys KNOW they are going to be watched. Maybe not today or tomorrow (as SYMC figures out how to package the product), but soon. And that means it's time for the "talented" hackers to find higher ground. You see the quandary?
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1218406,00.html
Five steps to secure email
So what? - Sometimes I read something and it seems so easy. Odds are it's not, but securing your email is definitely achievable. This article goes through 5 tips, which are pretty good. The first two (use a secure email client, and always use text) are tried and true. I just don't think they are practical. No one is going to use "The Bat!" as an email client. Sure, it has no vulnerabilities because no one uses it, so no one targets it. And text is definitely an option, but I find it boring and inconvenient - so I don't. That's why I have other protections. I'm on board with the others, like using a webmail account for subscriptions (though that was more about my job hopping than security, it worked out the same) and adding additional layers (for $2/mo. or less, send your email through a service for anti-virus and anti-spam). The fifth and final tip is to encrypt sensitive emails, and this is also a good thing to do, but still not for the faint of heart.
http://www.itsecurity.com/features/five-steps-email-security-092106/
Thin client - legitimate alternative to laptops?
So what? - There is a movement out there to eliminate the need to carry laptops. Between SaaS offerings, webmail, and remote control, do you really need that laptop? If I had the ability to get on a "secure" kiosk at a hotel or coffee shop and get to all my data, the answer is probably not. I get all email and can do IM on my Blackberry. The push back has always been the couple of hours you are on a plane. Sales folks would be bent out of shape because they'd actually have to talk to their prospects, as opposed to relying on the PPT crutch. Though I guess they could project from their video iPod. On the positive side, you wouldn't have pilfered laptops causing privacy breaches. You wouldn't have users screwing with their machines and breaking stuff, and, of all horrors, you may even have a more balanced lifestyle. The idea of getting off the grid while I'm up in the air is very appealing. No email to pester me. And if I really need to write, perhaps I could fall back to PEN AND PAPER. Now that would be novel.
http://www.eweek.com/article2/0,1895,2020334,00.asp
Move that SIM off the lot!
So what? - Today's trick question of the day: What do SIM vendors and the auto makers have in common? They are both using tricky financing to move product that no one wants. Now I can understand the major technology providers providing financing for big hardware purchases. It gives the customer more options, but a startup? Evidently eIQnetworks figures that giving customers the ability to finance the perpetual license is a good idea. Hmm. Innovative, yes. But something about it doesn't sit right with me. I'll take a 48-month payment plan for a product that will be upgraded every year. I guess you can just add the upgrade price to the principal of the note next year, eh? If a customer wants to do SIM and use their operational budget, why wouldn't they go to an MSS provider for the service?
http://www.eiqnetworks.com/newsroom/eIQ_CriditCorp.shtml
Top Blog Postings
Seltzer on the Secure ISP
Looks like Larry Seltzer and I are on the same wavelength. This week he talks about the need for ISPs to step up and protect their customers as well. I mentioned that on Monday (here). Larry's news peg is a new offering from Trend Micro for carriers to correlate data and draw conclusions about who has been compromised. The approach seems similar to a company called Simplicita that inserts itself into the DNS path and, depending on what behavior it finds on the devices, can send the device for remediation, issue warnings, etc. Larry then deals with the question of whether you want your ISP to remediate your computer. Who cares? As long as it gets fixed. What I DON'T want are friggin' zombies eating up bandwidth and doing bad things. That's what the ISPs need to stop. So like Simplicita, Trend has to overcome ISP resistance to getting in the middle (even though they already are). There are no data points of an ISP doing this yet, but there will be.
http://www.eweek.com/article2/0,1759,2020286,00.asp
Hacker rules of conduct?
This piece on the Network Security Journal is funny. It aims to discuss the "rules of conduct" for malicious-code writers. Huh? Bad guys don't have rules, but let's not use that little oversight to obscure the value of the post. This is a good description of how the TACTICS have changed and echoes many of the things I've been writing about lately. Hackers want to go low and slow (here) and they use botnets as their predominant means of attack. Their goal is to remain undetected, and they don't abuse the bots anymore, to further evade detection. Hit and run. Much harder to detect and, with the advent of rootkits, to clean up. So as I discuss a bit later (here), life isn't getting easier.
http://www.networksecurityjournal.com/2006/09/new_hacker_rule.html
Here's one vote for Windows Defender
It seems that Eric Ogren had some cycles over the weekend (boy, that would be nice) and decided to test out some of the anti-spyware tools. Let's just say he was less than impressed with Webroot and very impressed with Windows Defender. Now EO did not do a "real test" here; basically he just ran it and saw what it found. I don't think he actually loaded spyware on his machine to see which product caught stuff better, but that's not the point. No one (besides ICSA and VirusBulletin) continues to test AV for whether it works. It all gets back to the first rule of product development. Customers buy the interface, user experience, and reporting. NOT cool technical widgets. Seems that Webroot has their work cut out for them if they can't compete with Microsoft's user experience, because Defender comes for a pretty attractive price - nil!
http://www.computerworld.com/blogs/node/3571
Back into the time machine
It seems Michael Farnum is yearning for days gone by. I'd be lying if I said I didn't do that from time to time as well. Life was a lot less complicated back in the early to mid-90s. Farnum is talking about 2001-2003, but the points are the same. Hacking's changed. Attack vectors have changed. Defenses have changed. But it's all much more complicated. What hasn't changed is the difficulty in getting sustained funding for security projects and being able to communicate value to the executive suite. But Farnum also has some misconceptions here. First, malware is far from dead. It's just different. The objective isn't to melt your network, it's to own your machines. And it doesn't seem like the media has a lack of things to write about, so I'm not too worried about that either.
http://www.computerworld.com/blogs/node/3576
Recently on the Security Incite Rants Blog
Policy <> Compliance
Based on an article in Network Computing this week, folks could get the impression that all you need for "compliance" is a set of well-written policies. That's a load of crap, so in this post I go through how a policy is the first step on the road to compliance, but ultimately it's about executing on a security strategy and producing documentation for auditors to prove what you are doing.
http://securityincite.com/blog/mike-rothman/policy-compliance
The Role of Aggregate Data in Security
Two of my fellow bloggers, Ross Brown and Alan Shimel, are at it again. This time they are arguing about whether it's kosher to gather data from customers in exchange for offering them free products. Having been in a number of companies that built protection schemes around data, I can say it's not an option. Every security vendor needs data from their customers to make their products better and to improve protection. But how do you go about getting that data? I've got some opinions. Also check out the comments on this post, because there are some good ones, addressing Microsoft's Windows Genuine Advantage (the way they collect data is not kosher) and also whether an open source data gathering technique would go over better.
http://securityincite.com/blog/mike-rothman/the-role-of-data-in-security