The Daily Incite - February 21, 2007
February 21, 2007 - Volume 2, #32
Good Morning:
Let's talk about the ripple effect a bit today. That will explain (at least partially) why I'm so damn late this morning. The morning started out fine, got Leah off to the bus and went to start my normal morning activities. Of course, I saw a stack of checks on the table to deposit and since I'm traveling this week, I knew I needed to take care of that. Easy enough, put the checks into Quicken, fill out the deposit slip and we're done, no?
Well actually no. One of the checks was a distribution from a limited partnership the boss and I are investors in. So I had to dig up information about the cost basis and the like for the investment. Pain in the ass, for sure - which included one password reset on the investment firm's website and digging through my office closet recently reorganized by my dear mother in law for some other info. Once I got that taken care of, I realized I needed to do payroll as well, since next week is the end of the month. Got to love the one-man band thing. I get to do everything.
By now it's 9:45 and I had a scheduled press call at 10. Thirty minutes later the boss needed to come and vent about a situation regarding some furniture we recently bought. Twenty minutes after that, I'm starting TDI and the stack of other crap I've got to get done today is untouched. And I'm recording a webcast at 1:30 as well. I guess it's going to be one of those days. I guess it's good that I don't punch the time clock at 5 PM.
It's one of those days for Cisco as well. They announced yet another acquisition this morning, this time of Relativity (release here). Only $135 million for this one, on what is probably minimal revenue. This continues Cisco's assault on security, moving up the stack. Relativity makes an XML gateway (yes, it's a box) that does some hygiene on XML traffic (encryption, filtering, authentication, acceleration, etc.). Of course, this market is really early and there were only maybe 2 or 3 other players (Forum and Vordel come to mind). But let's be very clear, Cisco intends to be a player at the application layer. And they are flexing their checkbook to get there.
Speaking of days, the Days of Incite continue, with yesterday's piece on "You (Mal)ware it well" (here). Today's piece will be on leak prevention.
Have a great day. I may or may not do TDI tomorrow. I have an early flight and I'll try to get it done tonight, but who knows if that will happen. If not, then I'll see you Friday.
Technorati: Information Security, CSO
The Pragmatic CSO is Here! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Top Security News
Acquisitions are rarely good for customers
So what? - Echoing a piece I recently wrote for SearchSecurityChannel, Bill Brenner actually goes out and talks to a couple of grumpy customers, who are on the wrong end of a deal (here). Which is pretty much every customer because inevitably someone you bought something from gets bought by someone else (presumably bigger). That bigger someone proceeds to bungle the integration, causing product delays, support snafus, and channel confusion. Causing, you guessed it, angst on the part of the acquired company's customers. Like we haven't seen this movie a thousand times. But if you only buy stuff from companies that won't get bought, you can't really solve all your problems. So grin and bear it and make sure you have a plan to deal with the inevitability that your vendor will be bought.
Encrypted email still ponderous
So what? - Having spent time in the email security business, I know first hand that encrypting email requires a pretty significant change in user behavior. It's not as bad as in the mid-90's when the idea of inter-enterprise use of certificates was a joke. But it's not much better. As evidenced by this profile in Baseline Mag (here), the folks at Harvard Pilgrim use PGP to encrypt email sent to customers. But it seems that they depend on the employee to hit a "send secure" button. Like they'll always remember to do that. They don't mention any outbound gateway filtering or leak prevention gateways to ensure the employees don't inadvertently forget. And then the recipient needs to go to a web server and download a certificate for decryption. Right, very ponderous. I know other vendors say they have a better way (so don't send me nasty grams), but the fact still remains - until it's transparent, adoption will be minimal.
PCI gravy train - yummy
So what? - I loved those old commercials for Chuck Wagon dog food. They had the horse and carriage and the dogs chasing it and then the dog was lapping up some stuff that looked like bird droppings in some kind of brown gravy. Now that was quite a gravy train. I'm feeling the same thing about PCI. Everyone is jumping on board. For example, INS (recently bought by BT) is now PCI-certified for Europe (here). That's interesting. Are the requirements in Europe different? Or is that just another revenue stream for Visa and MasterCard? And Cambia announces a PCI ecosystem (here). Now we need an ecosystem? Jeez, give me a break. A bunch of resellers that are trying to spin a configuration auditor do not a PCI ecosystem make. But we will see more of this, I guarantee it. Every Tom, Dick and Harry will be chasing the Chuck Wagon to get a taste of those delightful bird droppings. And then they'll get sued by compromised retailers, who have been sued by compromised banks, because they've been owned after passing a PCI audit. Compared to that pile of crap the bird droppings will be quite yummy indeed.
The Laundry List
Oakley Networks announces their new line of hacker bags, I mean leak prevention gizmo - here
Seltzer on OpenID, which is the great white hope of interoperable user-centric identity - here
Watchfire thinks developers will actually security test something before it goes into production. I guess we can hope! - here
Top Blog Postings
Curiosity killed the Bob
This post from the Security Monkey highlights one of the leading killers of over-inflated egos everywhere. Envy. Those folks that think they are just so important and cannot be happy with what they've got. They've got to have what the other guy has too. And they tend to get caught trying to get it. But as the Monkey points out, no one is above the law and this guy should have known better and covered his tracks more effectively. Anyhoo, why wouldn't he just compromise the payroll database, since the information on his colleague's salary would be there as well? I guess that would be too much work. But pulling the bullet out of his head probably wasn't.
http://blogs.ittoolbox.com/security/investigator/archives/why-bob-got-fired-14549
Farnum goes on a Dreamer Hunt
Sometimes I wonder why I'm always getting into trouble. But then I see how Farnum just randomly put my name into a little caption as he goes after a Steve Hunt post about the futility of security assessment. As I mentioned yesterday, clearly you are vulnerable but asking Steve Hunt that doesn't help you understand what needs to be fixed pronto. Farnum's point is that an assessment without a structured program isn't going to help things too much, since you can find out what's broken but not necessarily have the structure in place to fix it. And to be very clear, I have my passwords on a sticky note that I keep in my desk. The keyboard is so passe. I'd hate my kids to get access to all of my "work" sites.
http://infosecplace.com/blog/2007/02/19/you-need-to-have-a-security-program-in-place-before-it-can-be-assessed/
It's all software
Rob Graham gives a good lesson here that there are many ways to skin a cat and make the scalped feline run faster. A lot of folks throw hardware at the problem because that's easier (usually). But there are other ways (like using your head and understanding how the technology works) to increase speed. I guess I wonder what would happen if you ran Rob's wonder code in an ASIC. Would that approach the speed of light? Given that I can get out of my depth pretty quickly when discussing hardware architectures, suffice it to say don't always assume a proprietary hardware box is going to be faster. Bring it in, pound it into submission and see which device will work better in your environment.
http://erratasec.blogspot.com/2007/02/high-performance-security-appliances.html
BCC is your friend
How many times have you gotten an email that seems innocent enough, maybe a job update from a friend. Or an off-color joke. Or some cool gossip. And then you look at the address box and you see 250 of your closest friends with their email addresses in all their glory. As Scott Wright points out, this is a privacy no-no. You should just use BCC: so no one can see who is on that list. Or better yet, use something like LinkedIn because that's not annoying enough. It's great to hear that some jackass I met once (and stupidly accepted their invitation to connect) just had hemorrhoid surgery. Use BCC: please. Pretty please. But of course, since you are reading this, odds are you wouldn't do something so stupid. The problem is all the folks that don't read TDI. Still care to tell me why awareness training is useless?
http://securityviews.com/blog/2007/02/15/going-blind-for-privacy-and-spam-reduction/
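The "Encrypted email still ponderous" item above argues that encryption should not depend on an employee remembering a "send secure" button, and that an outbound gateway should catch what they forget; the "BCC is your friend" item makes the same point about visible recipient lists. The following is an added example of what such an outbound policy check looks like. It is not code from The Daily Incite, from Harvard Pilgrim, or from any vendor's product; the internal domain, the recipient threshold and the sample messages are constructed assumptions, and the PGP detection only recognizes PGP/MIME (RFC 3156) and inline armored messages.

```python
# Added example (not from the newsletter or any vendor): an outbound mail policy
# check of the kind an "outbound gateway" would run so that encryption does not
# depend on a user remembering a "send secure" button, plus a check for a large
# visible recipient list that should have gone out as Bcc.
import email
from email import policy
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organization's own domain(s)
MAX_VISIBLE_RECIPIENTS = 20          # assumption: above this, To/Cc should have been Bcc


def _addresses(msg, header):
    """Return lowercased e-mail addresses from every instance of a header."""
    raw = [str(h) for h in msg.get_all(header, [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def is_external(addr):
    """An address is external when its domain is not one of ours."""
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def is_pgp_encrypted(msg):
    """True for PGP/MIME (RFC 3156) or an inline ASCII-armored PGP message."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return True
    body = msg.get_body(preferencelist=("plain",))
    return body is not None and "-----BEGIN PGP MESSAGE-----" in body.get_content()


def check_outbound(raw_message, envelope_rcpts=None):
    """Return the policy findings for one outbound message.

    envelope_rcpts is the SMTP RCPT TO list a real gateway sees; when it is not
    given (as in this offline example) it is derived from the To/Cc/Bcc headers.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    visible = _addresses(msg, "To") + _addresses(msg, "Cc")
    if envelope_rcpts is None:
        envelope_rcpts = visible + _addresses(msg, "Bcc")
    findings = []
    if any(is_external(a) for a in envelope_rcpts) and not is_pgp_encrypted(msg):
        # A gateway would block this or hand it to an encryption service.
        findings.append("unencrypted-to-external")
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        # Privacy problem: everyone sees everyone else's address.
        findings.append("large-visible-recipient-list")
    return findings


# Constructed sample messages (not real mail).
PLAIN_TO_MEMBER = """\
From: claims@example.com
To: member@patient.example.net
Subject: Your claim
Content-Type: text/plain

Your claim has been processed.
"""

PGP_MIME_TO_MEMBER = """\
From: claims@example.com
To: member@patient.example.net
Subject: Your claim
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

JOKE_BLAST = "From: bob@example.com\nTo: " + ", ".join(
    f"friend{i}@example.com" for i in range(25)
) + "\nSubject: funny\nContent-Type: text/plain\n\nHave you heard this one?\n"

if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_TO_MEMBER),
                         ("pgp", PGP_MIME_TO_MEMBER),
                         ("blast", JOKE_BLAST)]:
        print(name, check_outbound(sample))
```

The check runs on the message as the gateway sees it, not on what the user clicked, which is the whole point of the item above: the plain-text claim letter to an external member is flagged, the PGP/MIME version of the same letter passes, and the all-hands joke with 25 visible addresses is flagged on privacy grounds even though every recipient is internal. A real deployment would feed the SMTP envelope recipients into `envelope_rcpts` rather than trusting headers.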