The Daily Incite - March 29, 2007
March 29, 2007 - Volume 2, #53
Good Morning:
The Kathy Sierra saga continues. Now one of the folks accused of doing misdeeds is claiming that he's been owned, his email addresses hijacked and is claiming that it wasn't him. Ken Camp knows him and believes him (here). Now this really is a security issue and besides the ethical issues of anonymity, this is an interesting case study.
Basically, this guy had an incident, and as opposed to moving to contain the damage immediately (by maybe calling Kathy on the phone), he let it fester into what Doc Searls calls "a category 5 sh** storm" (here). So his first mistake was not following the first rule of crisis communications - get out there and tell your side of the story. Don't let it fester, deal with it. Or else you are covered in sh**, just as this guy is.
Enough of that. Whether he's guilty or not is not the issue, it really isn't. I think this is a wake-up call and definitive evidence that we need to have some kind of reputation system on the Internet for these Web 2.0 communities. Not sure if that should look like an eBay-like rating system or something more formal, administered by a third-party network (presumably commercial). With standards like OpenID maturing, the authentication piece may actually be possible. Now it's about integrating some kind of reputation database into the mix.
Would it entirely solve the problem? Maybe not, because this dude's identity could still be pilfered and his reputation hijacked, so maybe you overlay some simple second authentication factor (keystroke dynamics or something similarly portable). Hmm. That is pretty interesting. I know a lot of folks in the security community are trying to figure out what we can do to avoid this kind of issue, maybe this idea warrants some discussion.
You know me, throw some sh** against the wall and see what sticks. Maybe this will stick.
Have a great weekend.
The Pragmatic CSO is Here! Read the Intro and Get "5 Tips to be a Better CSO" - www.pragmaticcso.com
Top Security News
Forgiveness, it's human nature
So what? - Speaking of crisis communications and containment strategies, this article on NetworkWorld makes the point that data breach disclosure may not be a death sentence for the company (here). Is it good? Of course not, but if a compromised company aggressively communicates what happened, what they are going to do for customers, and what they are doing to make sure it doesn't happen again, they can certainly recover. Those that stonewall customers, leave them hanging out to dry and basically point the finger at someone else don't fare as well. TJX anyone? I suspect we are going to have some folks start analyzing whether these data breaches (even the ones that are handled horribly) actually do any monetary damage to a company's market cap over a 2 month and 2 year time period. Now that would be interesting data.
Is unmasking a good thing?
So what? - Anyone remember Kiss Unmasked? That horrific album from one of my favorite bands was a watershed moment for me. I saw the picture and it was like, DUDES - put the make-up back on. Seriously, just goes to show that any frigging dude with a guitar can score. Not pretty. Seems security researcher RSnake is unmasking and starting a company to provide security services to mid-sized firms (here). It's actually an interesting choice to target that market space. Firstly, I hope RSnake is prettier than Ace Frehley. Yes, that bar is pretty low. I actually think this is a good move, since RSnake is well known and clearly pretty smart. The only issue is whether the mid-market will pay enough. Services aren't really leverageable, so he's constrained by the number of hours in a day and I suspect a larger shop would pay more for a security rock star. But good luck Senior Snake, I wish you well. I have a lot of respect for entrepreneurs. Jumping out into the chasm is awfully hard to do.
Tenable diverges open source and commercial Nessus
So what? - Pretty much everyone knows Nessus, the open source scanner, and hundreds of thousands of folks use it. The folks at Tenable have done a good job of straddling that open-source/commercial fine line. Until now they offered pretty much everything on the scanner for free, but you needed to wait a week for updates to scan for new attacks. If that's too long to be potentially exposed, then you pay $1200 for their real-time feed. Here Tenable announces the ability to discover sensitive data at rest by scanning file shares and the like. Ron went into more detail about the capabilities on his blog (here). It's the first step of poor-man's leak prevention (figuring out where your sensitive data is), but given that you need to be a rich man to do leak prevention today, it's an interesting alternative. Even more interesting is that this capability will be available ONLY to Tenable's paying customers. That means you won't get this after a week. So the open source and commercial derivatives of Nessus are starting to diverge. It'll be interesting to see how the community reacts to this, but I think it's the right thing to do. At the end of the day, Tenable has to run a business, and I suspect folks will understand that. But I've been surprised before.
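To make the "figure out where your sensitive data is" step concrete, here is an added example of the poor-man's approach: a small Python script that walks a directory standing in for a file share, flags card-number-looking strings only when they pass the Luhn checksum (so a ticket number with the right shape does not count), and flags strings in US SSN layout. This is illustrative code written for this post, not Tenable's or Nessus's implementation; the sample files, their contents and the pattern set are constructed assumptions.

```python
import os
import re
import tempfile

# Constructed sample files standing in for a file share (not real data).
# The card number is the well-known 4111... test value; the SSN-shaped
# value is a constructed sample chosen only to match the pattern.
SAMPLE_FILES = {
    "finance/payroll.txt": "Employee 1234, card 4111 1111 1111 1111, exp 12/09\n",
    "hr/notes.txt": "Call John at 555-0100. SSN on file: 078-05-1120\n",
    "eng/readme.txt": "Build with make. Ticket 4111111111111112 is not a card.\n",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN layout AAA-GG-SSSS (assumed pattern, format only).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return the kinds of sensitive data found in one file's text."""
    kinds = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # shape alone is not enough; checksum must pass
            kinds.append("card")
    for _ in SSN_RE.finditer(text):
        kinds.append("ssn")
    return kinds


def scan_tree(root: str) -> dict:
    """Walk a directory (the 'share') and map relative path -> findings."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # errors="replace" keeps binary-ish files from aborting the walk
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                kinds = scan_text(fh.read())
            if kinds:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = kinds
    return findings


def write_samples(root: str) -> None:
    """Lay the constructed sample files out under root."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> dict:
    """Build the sample share in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, kinds in sorted(demo().items()):
        print(f"{path}: {', '.join(kinds)}")
```

Running it reports only finance/payroll.txt (card) and hr/notes.txt (ssn); the 16-digit ticket number in eng/readme.txt fails the Luhn check and is dropped. That checksum step is what keeps an inventory like this from drowning in false positives, and it is the first thing to tune when you point a scanner like this at a real share.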
The Laundry List
Speaking of scanners, GFI updates their low cost vulnerability management suite. - here
Alert Logic says SMBs "could have been" compromised twice a week, based on studying their clients. Hmm. I don't buy it, the findings seem funky to me. - here
YASW. Yet another Skype worm hits. Big friggin' deal. Don't click on links in a Skype chat session. Is that so hard? - here
PGP loves Vista, until they build PGP in, of course. - here
Evidently VASCO is in the UTM business. Who knew? They add SSL-VPN. - here
Top Blog Postings
Zen-like operations advice - it's even Pragmatic
Thanks to the Zen-master for using the Pragmatic methodology as a metaphor for some operational advice he is giving. Basically this post outlines what Richard does when he starts a client engagement. Not surprisingly, the first thing he does is start monitoring the network, then he figures out what is important. In a nutshell, those are Steps 1 and 2 of the P-CSO (though in reverse order). Then he takes a lot more action to fix what's really broken and then positions the customer for continued security success. He wraps up with "Think in terms of what problem am I trying to solve, not what new process, product, or person is now available." Focus on the problem, not the widget, because ultimately we need to be problem solvers, not widget buyers. This is great advice and you should all read it. Even if you don't buy the book (Richard already told you to do that), you can't go wrong listening to Richard.
http://taosecurity.blogspot.com/2007/03/security-operations-fundamentals.html
Why forget endpoint scanning?
Hat tip to Shimmy for calling out Whitely from Forrester for proliferating some asinine advice. I seriously hope no one with any kind of responsibility saw this. He suggests that NAC vendors forget about host/endpoint integrity checking because ultimately Microsoft and other big vendors are going to own it. At some point he may be right, but what about for the next 3-5 years as companies embrace Vista and NAP actually becomes real? He's sure interoperability is going to work? Oh yeah, that's what the NAC standards are supposed to do. That's a joke. I don't know whether this guy is trying to get some notoriety by taking a controversial position, but throughout my career I've tried to do that by saying smart things, not stupid things. Sir, I know Richard Stiennon and you are no Richard Stiennon (in my best Lloyd Bentsen voice). So Robert Whitely wins the "Dumb-ass of the week award." Sorry dude, but it's a stupid position to take. And I love the fact that Shimmy will poke an analyst right in the eye when they say stupid things, even when it's me.
http://www.stillsecureafteralltheseyears.com/ashimmy/2007/03/leaving_your_fa.html
Where do you start eating the elephant?
Scott Wright provides some good advice about how you get started when you are airlifted into a mess. And the fact that he mentions the P-CSO in the post is gravy. :-) Check out Bejtlich's advice above, which is a bit more comprehensive, but this is pretty good too. Yes, check out the logs and monitor the traffic. If you don't have that level of log data, then the first thing you need to do is get it. The sooner you figure out what's going on, the better. Flying blind is no way to do your security job.
http://securityviews.com/blog/2007/03/28/getting-to-secure-incrementally-and-practically/