The Daily Incite - April 23, 2007

Submitted by Mike Rothman on Mon, 2007-04-23 09:19.
Today's Daily Incite

April 23, 2007 - Volume 2, #66

Good Morning:
Traveling on Sunday is a kick in the groin. Sometimes it's unavoidable, like yesterday. I've got a morning speaking engagement today, so I physically couldn't get there in time by leaving Atlanta this morning. But it really screws up your Sunday. I left pretty late, so I had most of the day with the family, but I found myself looking at the clock and not enjoying the time as much as I should have.

Which is too bad because the kids were exceptionally funny this weekend. My oldest has been doing pretty well and we give her points (actually stickers on a poster board) when she takes care of her chores, gets a perfect progress report from school, etc. She got enough points last week to get a gift. She picked a kids camping set, complete with tent and sleeping bag. I'm not big on camping (something about pine needles in my underwear isn't too interesting), so I offered to set up the tent in the basement and I could sleep down there with her. We'd do our own little camping trip.

But she figured, why not just put the tent in her room? So that's what we did. It was very cute to see her sleeping in the tent on Saturday night. She is my daughter though, so by the next morning she was back in her bed. Guess camping to her means a 3-star hotel... It was also cute to see the kids playing in the tent on Sunday afternoon, until I had to leave for the airport. Arghhh.

Seems the investment bankers aren't taking any time for camping trips. A few more mega-mergers today, including Astra-Zeneca buying MedImmune (here). This one hits a bit close to home because MedImmune is headquartered around the corner from my brother-in-law in Maryland. That boxy looking white building is worth $15 BILLION. I guess it's what's going on in there. A big merger in Europe also, as Barclays and ABN Amro are merging (here). That one is for $91 Billion, though I'm not sure if that's dollars or drachma.

I know what you are thinking, who cares? What's a few more big ass mergers? Actually there are always security implications to these mergers because when mixing up two cultures, integrating systems and platforms, and changing brands - there is risk all over the place. The CSOs of the acquiring companies are always busy, hopefully doing due diligence before the deal closes (to make sure there isn't a deal-breaker), but more likely going in right after the deal closes to figure out where the holes are.

Then the painful integration starts. Evaluating people, looking at protection, defenses, and controls. Figuring out what needs to stay and what needs to go. All this while the rest of the business is presumably operating at acceptable organic growth levels. Yeah, there are security implications in big deals, and this was a good opportunity to remind folks of that.

On Friday I announced that the first P-CSO Bootcamp needed to be moved from early May to early June. It seems the first date I picked conflicts with another analyst firm's annual security conference (you know the guys, start with a G and end with -artner), so I'm revisiting the date (here). Regardless of where and when (those are only details, right?), sign up now; there are only 10 spots available.

Have a great day.

Top Security News

Stop the presses - Macbook pwned
So what? - The big news over the weekend was Matasano's (or maybe formerly Matasano's) Dino coming up with a 0day on the Macbook. Krebs' coverage is here. He gets $10,000, a friend of his gets the Macbook (because he was at the conference), and Mac fanboys get a lot of angst. So let's go over this again. NOTHING is 100% secure. Smart guys (like Dino) can break your stuff, and it will only take a few hours. Overall, I think the Macbooks actually did pretty well, though it just goes to show that nothing is totally safe, layers are critical, and you should be careful what you are surfing to, since it was a client-side exploit that did the trick. Another interesting article about 0days is here at TechTarget. The conclusion? Finding 0days is hard, and working with the vendor can also be challenging. That's why I have a lot of respect for the security research community. They are very smart folks, and whether you call them "hackers," "white hats," or whatever, they are finding things and pushing vendors (hopefully responsibly) to fix things. That's A-OK in my book.

The botnet economy? - What the hell??
So what? - This one definitely goes into the sad, but true category. Dark Reading has a piece here about botnets basically competing with each other. They patch a compromised machine so someone else can't compromise it. Kind of entertaining. But the idea that bots are commodities and the bot masters are attempting what seem to be "hostile takeovers" of someone else's assets is kind of weird. But this is the free market economy (even if this stuff is practiced where the economy isn't exactly free) at work. Though it will be interesting to see how the investment bankers figure out a way to profit from these "transactions." You know some low-level i-banking grunt is getting reamed right now because he missed out on the fees of some dude in Romania taking over a Brazilian botnet.

Get the skinny on NAC
So what? - NetworkWorld published a review of NAC solutions here. The reason I call it the skinny is that it's pretty thin. Not the analysis that was done, but basically only Cisco and Juniper were evaluated. That's pretty skinny to me when there are 20 or so other providers that can bring solutions to market. Restricting an analysis of a big market category to two folks, one of which is not really considered a leader in the space, seems light to me. You know, skinny. Neither is known to have groundbreaking technology either. But the conclusions are what you would expect: pre-admission stuff works pretty well (after 3 years, it better), but post-connect enforcement is tough and management is still a nightmare. But keep in mind, that's for THESE TWO VENDORS.

The Laundry List

  1. McAfee starts to "focus" on SMB renewals. Duh! That would be called market share loss in my book. - here
  2. Mainframe security for the mid-sized company??? Talk about being house poor, but I guess there are lots of suckers buying big iron in that segment, which amazes me but they need security too. - here
  3. The security lobbying group, CSIA, wants a federal breach notification law. Complying with each state is too expensive? How about protecting your data in the first place?!?! - here
  4. RSA jumps on the PCI bandwagon and partners with nCircle and Qualys to pull some more data into Network Intelligence. If it's a bandwagon, I guess RSA needs to be on it. - here


Top Blog Postings

Get yer Free WiFi here...
Over on the Ethical Hacker blog, Brian Wilson goes through how he compromised a public WiFi access network to get "complimentary" access. To keep himself on the right side of the law, there were lots of caveats about how he just did the attack to experiment and prove it works and then subsequently paid for access, so he wouldn't have to say 50 Hail Marys at confession. But the attack is very interesting and seemingly easy. I know that most of the public WiFi networks I deal with (and yes, since I work out of the house, I find myself using public WiFi 3-4 times a week) use MAC authentication to govern my access. Figure out whose MAC address is kosher, spoof it, and you are on. Yes, this is fraud and it doesn't seem worth it to save like $7, but it can be done. But I'm too cheap to splurge for the EVDO card (even though they now have a USB version that will work with my Macbook), though I know it is much more secure. I guess I should probably do that.

SMB - Security's weakest link
Being an SMB myself, I know that many of my fellow entrepreneurial friends have no idea what I do and why it's important. That's partially because when I'm socializing I'd rather be drinking beer than talking shop, but the risk to the SMB user is real. And these folks don't have the resources to do much of anything. They have a cheap modem/router that connects them to the Internet, they do some AV, and that's about it. Most don't have a problem, but that's statistical, not planned. Rebecca Herold points to a few interesting statistics about how many of these small businesses are out there (think 25 million, just in the US) and how much they aren't doing. Makes the marketers out there foam at the mouth, but getting to that market is hard. Making them care about security is even harder.

Can Black Hats reform?
Dave Piscitello rants a bit about the ethics of hiring former black hats. He doesn't believe in redemption or forgiveness, and I don't blame him. BUT, and this is a big BUT, we've got a very serious skills shortage in the security business right now and it's not going to get any better. We can't teach folks fast enough about security, and with the number of applications mushrooming, we are really behind the 8-ball. So, do we deal with the former Black Hats, or do we do nothing? The answer is based more on your corporate culture and compensating controls. I do think that some of these folks can rehabilitate and be productive. Yes, they can be assets to your organization. But it will take an investment to make that happen, and there is risk. Some folks never reform. You probably need to do 4 times the amount of due diligence to prove they have really changed. And you need to watch them closely and make sure that you have multiple defenses against insider attacks. Most companies won't make that kind of investment, which is their prerogative and again, I can't say I blame them. One other thought: how much checking do you do on penetration testers or other consultants that your organization engages? At least be consistent between in-house resources and contract resources. Remember, they have the same access to your data.

Submitted by Brian Wilson (not verified) on Mon, 2007-04-23 21:17.

Thanks for the nice write-up on my Free WiFi paper. And yes, I really did pay for service, as it is just a write-off on a business trip. I guess I was just too bored on a layover. What is worse than the fact you can get free WiFi is the fact that 90% of the business travelers are not using a VPN on the WiFi and are wide open to a Man In The Middle attack. I guess security is only as good as the users.


Brian Wilson