The Daily Incite - October 19, 2006

Submitted by Mike Rothman on Thu, 2006-10-19 11:04.
Today's Daily Incite

October 19, 2006 - #138

Good Morning:
I'm running a bit late this AM because I had a few early appointments. First with my oldest daughter Leah to get her ready for the bus at 7 AM and then with the back of my eyelids because I'm a bit run down between the golf trip and the early flights and late returns this week. A sick Mike is a grumpy Mike, so I thought it best to get some rest and delay TDI for an hour. It's good to be back at Incite Central, and I've got a lot of catching up to do after close to a week away.

In security land, I want to remind everyone to focus on the stuff they can control (here). The reality is that every time you get in your car (or go check your mail) you are at risk. You can't worry about it or you'll be paralyzed. Don't be stupid and play in traffic, but don't stay in your house all day either. I feel the same way about the way tech media covers security. There are an infinite number of ways to be owned and it seems we learn about a new one every single day. You could get flustered and just give up, but that's the wrong thing to do. Focus on what you can control, make sure it's not your machines that are exposed to becoming bots and that you are protecting the key assets of your company. That's your job, not to take the world's security problems on your shoulders.

I do focus a bit on rootkits today, highlighting some of the research stuff that Matasano's Dino did on hypervisor rootkits (here) and also Kevin Beaver's tip on how to eliminate rootkits (here). But the real answer to fixing rootkits is to have a good process to rebuild your machines quickly without losing data. Anything less can't guarantee you've eliminated the problem.

In blog-land, let me call out a web application attack called cross-site request forgery (here) - new to most of us, if not to the folks who have been studying web security for years - and it's yet another thing to wring your hands about. Again, focus on the process to discover these issues, identify whether you have the problem and then fix it. It wouldn't be a Thursday unless I bitched about some security marketing thing (here). Just be wary of what vendors write in white papers. Not that it's bad information, in most cases it's pretty useful - but it is biased. So I suggest you triangulate whatever you learn across a number of vendors to make sure that it's important.

Have a great day.

Top Security News

Worrying about the "bot" problem is futile
So what? - This article in eWeek does a good job painting a pretty bleak picture of the industry's attempts to stop the bots. I agree that the bot masters are very sophisticated and they are compromising more machines every day. But that's not my problem, and it's not yours either. Worrying about stuff you can't control is a good way to get an ulcer and basically be miserable. What you can do is focus on layering your defenses to make sure that all of the machines you CONTROL are not bots and that you train your users so that they aren't compromised at home. Ultimately the ISPs are going to have to deal with the problem in the cloud (as BT has announced), since there don't seem to be any other good ways to stop it.
http://www.eweek.com/article2/0,1895,2029720,00.asp

Desktop suite smack down
So what? - For those of you open to looking at a new desktop suite, check out PC Mag's very detailed review on 7 of the top contenders. They come to the conclusion that all of the suites are pretty good and some don't crush the performance of the machine. In the end, they like Symantec's Norton Suite and Check Point's ZoneAlarm. Microsoft's OneCare was not evaluated, but they say there is another article coming - so maybe it's in there.
http://www.pcmag.com/article2/0,1895,2031667,00.asp

Get rid of that rootkit
So what? - Kevin Beaver puts together a tip for SearchSecurity about Finding and Removing a Rootkit. He lays out four steps (identifying the problem, choosing the right scanning tool, cleaning up the mess, bulletproofing your efforts), and the information here is good. There are screen shots of how to eliminate these things. But Kevin himself comes to the right conclusion, in that his process is 3 steps too many - "Still a little paranoid about rootkit infections? Want to be sure your system is truly clean? The best and most reliable method is to repartition, reformat and reload Windows. It's painful, but it's really the best way to go if you really need some closure." Right, just blow the machine away after step 1 - once you realize there is a rootkit on the system. A rootkit that has gotten into the kernel can hide from (or lie to) any scanner that runs on top of that kernel, so a "clean" result from the scan-and-clean steps doesn't prove anything.
http://searchwindowssecurity.techtarget.com/general/0,295582,sid45_gci1224912,00.html

Have some vitriol for Vista?
So what? - I like the word vitriol. Sums up how I feel on most days, so I read with interest about how Matasano's Dino has shown that by using virtualization technology, he can defeat the kernel protection (PatchGuard) of Vista. Microsoft can argue all they want about whether Dino's approach is really "defeating" PatchGuard (yes, you need kernel-level access to load a hypervisor in the first place) - but the fact remains that once a hypervisor is in place, it controls the machine and can tell the OSes layered on top of it whatever it wants them to hear, and nothing running inside the guest can see it. So the hypervisor becomes the quickest path to owning what will become a large part of enterprise data centers. Hmmm. It doesn't seem to me that anyone's scrutinized these products to the same degree as Vista or even Firefox. Hopefully Dino's research will spur some other folks to dig quite a bit deeper into this.
http://www.eweek.com/article2/0,1895,2032661,00.asp

1(01) is the loneliest number
So what? - So Oracle had their quarterly patch extravaganza and, all told, there were 101 bugs that needed to be fixed. About 30% of the issues were not database related, but were found in other Oracle apps. Oracle does seem to be learning a bit by starting to score the issues, but some industry folks (like the guys from Imperva) think Oracle is downplaying the risks. They may or may not be right; from the outside there is no way to know. But the reality is that keeping the data center up and running will require both Oracle to keep improving their process and data center managers to start building additional layers of defense into both the server environment and the applications.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061018/599039/

Top Blog Postings

Getting our arms around data/information security
The Mogull has spent the last few years digging deep into the data security market and in this post shares his framework of the solutions. Hopefully at some point we'll reorient the framework around problem spaces and data elements because this model is still pretty confusing to me. I also get that I'm not the sharpest tool in the shed. I'm not being critical of Rich's work here - at this point it's pretty much all we've got. And Stiennon's leak prevention + encryption + device management focuses on vendor categories, not necessarily customer problems. I'm just pointing out that we as an industry need to simplify what data/information security really means, especially for folks that are not the Fortune 1000. Clearly it's not just encrypting data (though that's part of it), but rather figuring out how to layer technologies to provide the persistent control of the data that we know we need. 
http://securosis.com/2006/10/16/data-protection-its-more-than-a-b-c/

Yep, it's the ISPs problem
As I mention above relative to the botnet problem, it's becoming increasingly clear that we aren't going to fix the malware problem until the ISPs get much more aggressive about removing compromised machines from their networks. Steve Gold (at the SecurityProPortal) points to an interview where MessageLabs' Mark Sunner makes the same point. Mark uses the old clean water/utility analogy to make the point as to why we should expect clean pipes to come from our ISPs and that's fine from the end user point of view. But I suspect the ISPs are starting to figure out how much the zombies are actually costing them in consuming additional bandwidth and impacting the user experience of their other customers.  
http://securityblog.itproportal.com/?p=528

Is CSRF the new XSS?
We are hardly past understanding the issues around XSS (cross-site scripting), when Kelly Jackson Higgins is kind enough to point out another web application attack vector in her blog. Called CSRF (cross-site request forgery), this attack lets a malicious (or compromised) page you happen to visit make your browser send requests to some other site where you are already logged in - and because the browser attaches your cookies automatically, that site treats the forged request (transfer money, change your email address, whatever) as if you had made it yourself. I'm no web application expert, but it sounds nasty. It does point out the need to periodically scan your web applications if you deal with private and/or privileged information. Web application firewalls that presumably block this stuff (I'm not sure if they specifically deal with CSRF yet, but bear with me) will also become a key part of the layered data center defense. One caveat: since a forged request carries the victim's real cookies and otherwise looks exactly like a legitimate one, the fix ultimately has to be in the application itself - a per-session or per-request token that the attacker's page can't read, and/or checking where the request came from.
http://www.darkreading.com/blog.asp?blog_sectionid=342
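
To make the CSRF point concrete, here is an added example (mine, not code from the Dark Reading post or from any product mentioned here). It fakes a bank-style "transfer" handler in plain Python, with no web framework: a constructed Request object stands in for what the server sees, and the site name bank.example, the attacker's evil.example, the user names and the session store are all made up. The vulnerable handler trusts the session cookie alone, so the attacker's auto-submitted form goes through; the protected handler also demands a per-session synchronizer token (which the attacker's page cannot read) and rejects a mismatched Origin header.

```python
"""Synchronizer-token defence against CSRF, shown against a forged request.

Added example for this post, not code from the original page or from any
product it mentions. The tiny Request object, the bank-style transfer
handler and the sample cookies/tokens below are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Server-side session store: session_id -> {"user": ..., "csrf_token": ...}
# (constructed; a real app would keep this in a session backend)
SESSIONS: dict = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST as the server sees it."""
    cookies: dict = field(default_factory=dict)   # attached automatically by the browser
    form: dict = field(default_factory=dict)      # body chosen by whoever built the form
    origin: Optional[str] = None                   # Origin header, if the browser sent one


def login(user: str) -> str:
    """Create a session plus a per-session CSRF token; return the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """What the legitimate site embeds in its own forms as a hidden field."""
    return SESSIONS[sid]["csrf_token"]


def transfer_vulnerable(req: Request) -> str:
    """Authenticates by cookie only: any request carrying the cookie is trusted."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return "401 not logged in"
    return f"200 moved {req.form['amount']} from {session['user']} to {req.form['to']}"


def transfer_protected(req: Request, site_origin: str = "https://bank.example") -> str:
    """Same action, but the request must also prove it came from our own page."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return "401 not logged in"
    # Origin check: browsers add Origin on cross-site POSTs and the attacker cannot spoof it.
    if req.origin is not None and req.origin != site_origin:
        return "403 cross-site origin"
    # Synchronizer token: the attacker's page cannot read it, so it cannot forge it.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "403 missing or bad csrf token"
    return f"200 moved {req.form['amount']} from {session['user']} to {req.form['to']}"


def demo() -> dict:
    """Run the victim's real request and the attacker's forged one through both handlers."""
    sid = login("alice")
    # The victim submits the bank's own form: cookie + hidden token, same-origin.
    legit = Request(cookies={"sid": sid},
                    form={"to": "bob", "amount": "10", "csrf_token": csrf_token_for(sid)},
                    origin="https://bank.example")
    # The attacker's page auto-submits a form to the bank. The browser attaches the
    # bank cookie, but the attacker knows neither the token nor how to fake Origin.
    forged = Request(cookies={"sid": sid},
                     form={"to": "mallory", "amount": "1000"},
                     origin="https://evil.example")
    return {
        "vuln_legit": transfer_vulnerable(legit),
        "vuln_forged": transfer_vulnerable(forged),
        "safe_legit": transfer_protected(legit),
        "safe_forged": transfer_protected(forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

Running it shows the forged request succeeding against transfer_vulnerable and being refused by transfer_protected. Note that the token check alone is enough; the Origin check is a cheap extra layer for browsers that send the header, and a request without one still has to present the right token.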

Beware "tips" from folks trying to sell you something
Jeff Hayes points to an IronPort study about the 5 tips they think can help customers more effectively protect their email. Amazingly enough, these tips correlate almost exactly to what IronPort does and how they differentiate. Fact is, they are right about most of the tips. Each one will help, but I want to make a broader comment about industry white papers. End users reading these pieces need to be skeptical about many of these "tips" and at a minimum triangulate with a number of other vendors (and hopefully users as well) about how important some of these "tips" are. For example, IronPort says you should segment outbound mail to protect your "identity and reputation." Should you? It depends. If you send out a lot of spam, I mean commercial email, then you probably should. But none of the other email security vendors offer this capability. So how important is it? In a fairly mature market like email security, all of the vendors will have all of the key features.
http://mycsosolutions.net/2006/10/18/five-steps-to-safer-email/

Recently on the Security Incite Rants Blog

Apple stays on message
Based on Apple's ridiculous positioning relative to the iPod virus, almost everyone is taking them to task. They are right, but I wanted to take a different look at it - from the perspective of Apple's great marketing. This announcement was Apple marketing 101 - always stay on message to the target constituency. This post also elicited a lot of comments, which was kind of expected, but check it out and join the conversation.
http://securityincite.com/blog/mike-rothman/apple-stays-on-message

A tale of two strategies - Symantec and McAfee - Parts 1 and 2
Given the pretty significant announcements from Symantec and McAfee over the past two weeks, I thought I'd go a bit deeper and analyze each strategy more than I did in the TDI posts. The first post is predominantly about Symantec and the second hones in on McAfee.
http://securityincite.com/blog/mike-rothman/a-tale-of-two-strategies-symantec-and-mcafee-part-1
http://securityincite.com/blog/mike-rothman/a-tale-of-two-strategies-symantec-and-mcafee-part-2

Read Wednesday's Daily Incite
http://securityincite.com/TDI-2006-10-18

Submitted by Jeremiah Grossman (not verified) on Thu, 2006-10-19 18:25.

CSRF is...

1) Very dangerous, especially when combined with XSS.

2) An old issue known for many years, yet remained obscure.

3) Present on most websites.

4) Unidentifiable by current vulnerability scanners.

5) Undefended by web application firewalls.

More information:

http://jeremiahgrossman.blogspot.com/2006/09/csrf-sleeping-giant.html

Submitted by Rob Lewis (not verified) on Sat, 2006-10-21 00:41.

"We as an industry need to simplify what data/information security really means....figuring out how to layer technologies to provide the persistent control of the data that we know we need".

No amount of edge security will protect mission critical data in the face of exponentially multiplying threats, whereas one properly placed layer at the core where the data is kept will protect against both external and internal threats. The missing essential core layer: don't layer home without it!
