The Daily Incite - February 2, 2007

Submitted by Mike Rothman on Fri, 2007-02-02 09:35.
Today's Daily Incite

February 2, 2007 - Volume 2, #21

Good Morning:
It's Friday, and I once again find myself with too much to do for any 24-hour period. Compound that with all of the preparations required for my annual Super Bowl bash and it will be a busy weekend. But it's been a good week. Lots of comments on the newsletter telling me I'm wrong. That usually means I'm right, especially about market and industry evolution.

And I even got a call from a lawyer (general counsel for a vendor) complaining about something I wrote. Let's just say it was a short conversation because what I publish in the Daily Incite is MY OPINION. It may hurt folks' feelings and it may cause consternation, but it's not against the law. In the US, I am constitutionally permitted to write whatever I want, as long as it's not libelous or slanderous. So I do. One other point of note. Having a general counsel call me is the wrong approach. It starts the conversation on the wrong note. I get my guard up and usually go immediately on the offensive (ask the GC I spoke to yesterday). If you have a problem with what I write, call me yourself and we can talk about it. But get lawyers involved and the only thing that can result is ill feelings.

Not a lot of security news because everyone is still in a huff about the Lite-Brite incident in Boston. It is pretty asinine because if those marketing billboards were bombs, why would they be in plain view? The objective of a bomb is to NOT be detected until it blows something up. Just another example of the idiocy of some folks.

I do want to point to a blog post on McAfee's blog which goes after Symantec (here). It's actually really funny and quite delusional. Just goes to show how finely tuned some folks' rationalization engines are. Just because you buy something bigger and more expensive doesn't mean it's the wrong thing to do. You won't know if you paid the right price for a company until years after the deal closes. So McAfee continues to act like that annoying little brother that wants to hang out with the big kids, but just doesn't have the stones to do something to get you to take them seriously.

For those of you that missed it yesterday, both parts of the Pragmatic CSO podcast interview with Alan and Mitchell are now up. Part 1 is here. Part 2 is here. To be clear, this is a LOT of free stuff. I go much deeper than the introduction, as well as tip my hand a bit about what's next for the Pragmatic CSO. Short of buying the book (which you should do anyway), this is the most comprehensive description of the program yet.

Have a great weekend.


Top Security News

MOAB ends, damage contained
So what? - Was it just me, or did the Month of Apple Bugs amount to much ado about nothing? Sure, there were some bugs identified; Apple even patched one of them. But did we hear about widescale chaos? Did we hear about a bunch of new OS X bots out there? Did we hear much of anything after the hype of the first bug? No, no, and no. So hopefully the security researchers out there looking for a pedestal (or something to make their egos feel good) will get back to work, find something of use, and present it in a forum where it can be appreciated (like a hacker-oriented conference). Even my pal Dave Maynor needs to weigh in about the potential danger of these bugs in this article. And I could get hit by a bus every time I step outside of my house. Every piece of software has problems that "could be very serious," but until it is serious - I'll get back to my day job of annoying people.

Mobile security is a joke
So what? - So first it was SMSing and now McAfee is introducing their "Mobile Security Risk Management" strategy to help mobile operators do a better job of controlling content. Is this a problem? Since they failed miserably (as has everyone else) to generate any interest in mobile device security, I guess it makes sense to go after the carriers. That's where the money is anyway. Yet, given how well the carriers are dealing with small problems like zombies (meaning not at all), I find it hard to believe they really care about the minimal amount of porn SMS spam that gets sent. I also understand a bit about trying to create markets, but I am sick of everyone saying 1 billion handsets get sold every year to 2.5 billion subscribers, so it's a security risk. Huh? It's a big number, but since when does a big number indicate a security risk? I am still very skeptical that the true risk to mobile devices will amount to much of anything. But I assure you we will continue to see folks trying to push on the string that is the mobile security market.

But the bar is green!
So what? - Extended validation (EV) SSL certificates were supposed to be a panacea to help stop the success of phishing attacks. I guess the answer is not so much. This article on Dark Reading points to a study done by Stanford and Microsoft that showed the green bar (or lack thereof) made very little difference in whether a user (especially an untrained one) could detect a fraudulent site. And even if the user did know what to look for, a sophisticated phisher would still be successful. Shocker. So what we have is a bunch of e-commerce companies that will buy EV certificates because they think they should, but it probably won't matter much - except to VeriSign's bottom line. That is, until customers get sick of paying for non-existent "value-add."

Piracy works and Microsoft as country builder
So what? - In what had to be something really funny to see, the Romanian President admitted that pirating Microsoft's software led to a resurgence in the Romanian economy. Talk about unintended consequences. And if you are Bill Gates, what do you say to that? "Thanks Mr. President, though I'm still working on eradicating malaria, at least I know a new generation of Romanians are now well trained to steal my stuff and profit handsomely." Actually, if you take a step back, it's developing countries where Microsoft is most at risk from alternatives like Linux. If the next generation is trained in Linux (and not Windows) because it's free, that becomes a big problem in 10 years time. But that's too deep for a Friday.

Top Blog Postings

McAfee takes off the gloves
In what has to be a first, someone actually admits to writing a McAfee blog post. And it's a doozy. Seriously, you need to check this one out. Dan Molina goes medieval on Symantec/Altiris. Unfortunately, his perception is a bit kooky, if you ask me. So McAfee has been doing "Security Risk Management" for 3 years? That's funny, they just announced the term in the fall of 2006. Maybe it's seemed like 3 years, but it's really been 3 months. He also pats his company on the back for only spending $50 million on Citadel, while Symantec paid $800 for Altiris. Dan, let's get back to Economics 101. Altiris did about 28 times the amount of revenue that Citadel did. Based on those numbers, McAfee may have overpaid for Citadel or Symantec got a bargain. And Symantec is about 5 times bigger than McAfee. So for the Big Yellow to move the needle, they can't buy mediocre companies in a mature market (like patch/remediation). Altiris also brings a number of other systems management products that help Symantec broaden their offerings. I know, I know. Symantec is crappy at integrating acquisitions. But to think that McAfee is going to get anywhere by buying struggling small vendors (like Citadel) seems a little delusional to me.

Messing up an incident response
Even if you win the battle, you may lose the war. That's really the point of this good lesson from the Security Monkey about the importance of following a structured incident response plan, especially if you want to have the option to prosecute a fraud. Though the scenario is a bit trumped up, the message is very clear. Security folks need to be involved if there is a suspected security breach. The only way folks know to do that is to be trained on a structured containment process. You need to protect the chain of evidence and document everything. That is Step 8 of the P-CSO process.
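To make "protect the chain of evidence and document everything" concrete, here is a small chain-of-custody logger I added as an illustration. It is not the Security Monkey's code or part of the P-CSO materials. Every custody event records who handled which evidence file, when, what was done, and the file's SHA-256 at that moment; each entry also carries the digest of the previous entry, so a line that is later removed or edited shows up on verification. The file names, handler names and the log format are my own assumptions.

```python
"""Minimal chain-of-custody log for incident evidence (added illustration).

Each log entry records who handled which evidence file, when, what was done,
and the SHA-256 of the file at that moment. Entries are chained: every entry
also carries the SHA-256 of the previous entry, so a removed or edited line
breaks the chain and is detectable on verification.
"""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # "previous digest" for the first entry in an empty log


def sha256_file(path):
    """Stream the file so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_digest(entry):
    # Canonical JSON (sorted keys) so the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def _last_digest(log_path):
    """Digest of the final entry in the log, or GENESIS if the log is empty."""
    p = Path(log_path)
    if not p.exists() or p.stat().st_size == 0:
        return GENESIS
    last = p.read_text().strip().splitlines()[-1]
    return _entry_digest(json.loads(last))


def record_custody(log_path, evidence_path, handler, action, note=""):
    """Append one custody event (collected, imaged, transferred, ...) and
    return the entry that was written."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "evidence": str(evidence_path),
        "sha256": sha256_file(evidence_path),
        "handler": handler,
        "action": action,
        "note": note,
        "prev": _last_digest(log_path),
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_custody(log_path):
    """Return (ok, problems). Checks that the entry chain is intact and that
    each evidence file still matches the hash in its most recent entry."""
    problems = []
    lines = Path(log_path).read_text().strip().splitlines()
    prev = GENESIS
    latest = {}
    for n, line in enumerate(lines, 1):
        entry = json.loads(line)
        if entry["prev"] != prev:
            problems.append(f"line {n}: chain broken (entry removed or altered)")
        prev = _entry_digest(entry)
        latest[entry["evidence"]] = entry["sha256"]
    for path, expected in latest.items():
        if not Path(path).exists():
            problems.append(f"{path}: evidence file missing")
        elif sha256_file(path) != expected:
            problems.append(f"{path}: contents changed since last custody entry")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample: a fake mailbox export handled by two analysts.
    Path("mailbox.pst").write_bytes(b"constructed evidence bytes")
    record_custody("custody.jsonl", "mailbox.pst", "analyst-a", "collected")
    record_custody("custody.jsonl", "mailbox.pst", "analyst-b", "transferred")
    print(verify_custody("custody.jsonl"))
```

The log is append-only by convention; in practice you would also store it somewhere the handlers cannot rewrite (write-once media, a separate system, or a signed copy), because the chaining only proves that a tampered log is inconsistent with itself, not who tampered with it.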

Understanding security assessments vs. pen tests
Jeremiah does a great job of describing the difference between an assessment and a pen test in this post. Clearly there are differences and both are important. Assessments give you an idea about all the POTENTIAL holes. Pen tests prove whether the holes are in fact actionable. To me a pen test is a more accurate gauge of the security of an environment. Why? Because you can only die once. Even if there are 20 possible causes of death, you only need one of them to actually happen for you to eat the dirt sandwich. And a pen test also can determine other areas of exposure. So once you compromise the first machine or application, what else can you get to? Again, there is a place for both assessments and pen tests in your security program. But don't just do assessments and figure you'll know how exposed your environment is.

Setting up a secure WLAN
For those of you with a wireless AP in your house (which I assume is most), this is a good primer on making sure you set it up securely. Change the default password and use WPA to feel the best. The reality is WEP would do the job as well. Why? Because if someone wants to get onto your home network, they are going to. But it's very unlikely that they want to, so by making it a little harder to compromise (by using encryption, for instance), an amateur will move on to the next target. I also use non-standard IP addresses for my access point and DSL modem. Not sure it matters (since presumably they can't connect to the wireless), but it makes me feel better.
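The two settings the primer calls out (default admin password, encryption mode) are easy to check mechanically. The checker below is an example I added; it is not from the linked primer or from any router vendor. It takes the access point's settings as a plain dictionary, ranks the encryption mode, and flags a blank or vendor-default admin password. The list of default passwords and the passphrase-length threshold are constructed assumptions for the illustration; the ranking that puts WEP below WPA/WPA2 reflects that WEP keys are recoverable, which is also why the primer prefers WPA.

```python
"""Audit a home access point's settings (added illustration, not the primer's code)."""

# Constructed, hypothetical list of vendor default admin passwords.
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}

# Stronger modes rank higher; WEP ranks above open only because it stops casual joining.
ENCRYPTION_RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa2": 3}

MIN_PASSPHRASE_LEN = 12  # assumed threshold for this example


def audit_ap(settings):
    """Return a list of (severity, message) findings; an empty list means no issues.

    settings keys used: 'encryption' (none/wep/wpa/wpa2), 'passphrase',
    'admin_password'. Missing keys are treated as the weakest value.
    """
    findings = []
    mode = str(settings.get("encryption", "none")).lower()
    rank = ENCRYPTION_RANK.get(mode)

    if rank is None:
        findings.append(("high", f"unknown encryption mode {mode!r}; verify the AP configuration"))
    elif rank == 0:
        findings.append(("high", "wireless is open: enable WPA or WPA2"))
    elif rank == 1:
        findings.append(("medium", "WEP in use: keys are recoverable, move to WPA/WPA2"))
    else:
        # WPA/WPA2-PSK is only as good as the passphrase chosen for it.
        if len(settings.get("passphrase", "")) < MIN_PASSPHRASE_LEN:
            findings.append(("medium", f"WPA passphrase shorter than {MIN_PASSPHRASE_LEN} characters"))

    if settings.get("admin_password", "") in DEFAULT_ADMIN_PASSWORDS:
        findings.append(("high", "admin password is blank or a vendor default: change it"))

    return findings


if __name__ == "__main__":
    # Constructed sample of a factory-fresh AP versus a corrected one.
    fresh = {"encryption": "none", "admin_password": "admin"}
    fixed = {"encryption": "wpa2", "passphrase": "correct horse battery", "admin_password": "s0me-l0ng-phrase"}
    for name, cfg in (("fresh", fresh), ("fixed", fixed)):
        print(name, audit_ap(cfg) or "no findings")
```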
