The Daily Incite - July 31, 2007
July 31, 2007 - Volume 2, #112
Good Morning:
Dead. Gone. Sayonara. End of the road. Yes, that's right. My power
supply Hail Mary didn't pan out yesterday. So the PC is gone. Moved on
to the great junk heap in the sky. Or more likely the computer
recycling center, after I strip out all the interesting hardware.
What was general annoyance has now become pretty sharp anger. I'm just
pissed because going out and buying a new machine will cost time and
money. I won't lose any data, so that is a positive. But I'm not
looking forward to setting up the new machine over the weekend.
It's not like I don't have better stuff to do. Reinstalling software,
copying files, testing everything before my trip
to Metricon on Monday. What a hassle.
My annoyance was compounded in trying to explain to the Boss why some
machines last 5 years and some only 2. A general discussion of MTBF
(mean time before failure) wasn't going to work. So I just held my hands up,
gave a shrug, and got back to work on the Mac. I'll get home from Black
Hat, make a beeline to one of the computer retailers, be somewhat
thankful that the computer died the week before school starts - which
is a tax free weekend in GA - and move on. What else can I do?
Speaking of passing on, I was saddened to hear of the passing of Bill Walsh yesterday.
Walsh was a legend, even though I'm no 49ers fan - the innovation that
Walsh's teams brought to the league still amazes today. His legacy will
be more than the Super Bowl wins, but the number of players and coaches
that have prospered in the NFL under his tutelage. Have a good trip
Bill, all football fans will miss you.
While I'm on the topic of football (one of my favorite topics, besides
myself), things aren't looking good for hometown QB Mike Vick. One of his posse rolled yesterday
and that's not a good thing for Vick. This guy didn't even have a deal
on the table in exchange for a guilty plea, which means the evidence
must be pretty damning and ironclad. Word is the US Government Attorney
is going to expand the indictment sometime next month. What a train wreck. What's
next, a low speed white Hummer H2 chase through Metro Atlanta?
I guess I wasn't surprised to see on Monster an ad for NFL-caliber QB - position
requires solid moral and ethical compass. Membership in PETA and
Westminster Kennel Club a big plus. Sure Stabler and
Pastorini were a bit wacky, maybe trashed a hotel room or ten, but some
of the stuff the NFL guys do today is appalling. What is it with these
kids today? Vick couldn't just buy a share in a strip club or
something?
OK, off soap box.
I'm off to Black Hat. Hope to see many of you there. Have a great day.
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" at www.pragmaticcso.com
Top Security News
The downside of the network effect
So what? -
Fox recently had a website compromised. By itself, it's neither that
big of a deal or that newsworthy. But this eWeek column, by Steven Vaughn-Nichols,
does some interesting derivative analysis. Basically his contention is
that not only was Fox compromised, but also any of their syndication
partners that feed content to the news organization. You don't need to
be a brain surgeon to extrapolate a bit further and see the clear
downside of this information-sharing based network economy. Lots of
folks have talked about the need to perform some due diligence on
trading partners to make sure their security is up to snuff. The
reality is that's a fool's errand. Unless you are constantly assessing
and monitoring the partner's network, you won't know when things have
adversely changed, thus impacting your security. The answer? Drum roll
please... There is none. Basically, you need to assume that the
partner's network is compromised and share only the bare MINIMUM amount
of data required by the business process and isolate any access the
partner has to your environment. Oh yeah, you also need to monitor the
crap out of your networks to make sure you are on top of any possible
malfeasance.
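Here is what the "assume the partner's network is compromised" advice looks like in practice, as an added example that is not part of the original column or the eWeek piece: a small Python filter for inbound syndicated content that accepts only an allowlisted set of fields, strips markup, keeps only absolute https links, and logs every deviation so the monitoring side notices when a partner's feed changes character. The field names, length limits, `partner.example` host and sample feed items are all constructed for the example, not taken from any real syndication format.

```python
import html
import logging
import re
from typing import Optional

log = logging.getLogger("partner-feed")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")

# Fields we accept from a syndication partner and the longest value we tolerate.
# Anything not listed is dropped before it reaches our rendering pipeline
# (the "bare minimum data required by the business process").
ALLOWED = {"id": 64, "title": 200, "summary": 2000, "url": 512}

# Partner links must be absolute https URLs; no other schemes, no relative paths.
URL_RE = re.compile(r"^https://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[^\s<>\"']*)?$")
TAG_RE = re.compile(r"<[^>]*>")


def sanitize_item(partner: str, item: dict) -> Optional[dict]:
    """Reduce one feed item to the allowed fields, neutralise markup, and log every
    deviation. Returns None when the item lacks the fields we need to use it."""
    clean = {}
    for key, value in item.items():
        if key not in ALLOWED:
            log.warning("%s: dropped unexpected field %r", partner, key)
            continue
        if not isinstance(value, str):
            log.warning("%s: field %r is not a string, dropped", partner, key)
            continue
        if len(value) > ALLOWED[key]:
            log.warning("%s: field %r over length, truncated", partner, key)
            value = value[: ALLOWED[key]]
        if key == "url":
            if not URL_RE.match(value):
                log.warning("%s: rejected url %r", partner, value)
                continue
            clean[key] = value
        else:
            stripped = TAG_RE.sub("", value)
            if stripped != value:
                log.warning("%s: markup removed from %r", partner, key)
            clean[key] = html.escape(stripped, quote=True)
    # id and title are required; an item without them is not usable content.
    if "id" not in clean or "title" not in clean:
        log.error("%s: item rejected, missing required fields", partner)
        return None
    return clean


def ingest_feed(partner: str, items: list) -> list:
    """Filter a whole batch and report the rejection count; a jump in that number
    is the cheap signal that something on the partner's side has changed."""
    accepted = [c for c in (sanitize_item(partner, i) for i in items) if c]
    rejected = len(items) - len(accepted)
    if rejected:
        log.error("%s: %d of %d items rejected", partner, rejected, len(items))
    return accepted


# Constructed sample feed: one clean item, one carrying injected markup, one
# with a non-https link, one with a field we never asked for, one unusable.
SAMPLE_FEED = [
    {"id": "a1", "title": "Quarterly results", "summary": "Plain text.",
     "url": "https://partner.example/q"},
    {"id": "a2", "title": "Breaking <script>bad()</script> news & more",
     "summary": "x", "url": "https://partner.example/b"},
    {"id": "a3", "title": "Click here", "url": "http://partner.example/insecure"},
    {"id": "a4", "title": "Extra", "summary": "ok",
     "url": "https://partner.example/e", "tracker": "<img src=x>"},
    {"summary": "no id or title"},
]

if __name__ == "__main__":
    for item in ingest_feed("partner.example", SAMPLE_FEED):
        print(item)
```

The point of the logging is the second half of the advice: the filter enforces the minimum, and the warning volume per partner is what you watch to catch the day their feed starts carrying things it never carried before.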
NAC NAC. Who's there? Confusion...
So what? -
One of my Incites this year projected the inevitable reality that NAC
would disappoint in 2007. It's not that the technology isn't useful or
that vendors won't show growth - the law of small numbers ensures that.
But it can't possibly meet the unbounded expectations set by a
market craving for something exciting. NetworkWorld does a reasonably exhaustive
review of NAC gear and comes to the conclusion that (for the
most part) pre-admission NAC works pretty OK. Too bad that is the least
interesting part of NAC. Symantec takes home the prize with Forescout,
Lockdown and Juniper coming in close behind. McAfee and Cisco bring up
the rear. The challenge with this kind of review is that they are just
assessing one feature, albeit the feature that most unsophisticated
buyers would call NAC. The products are also pretty early, given the
issues in complex policy configuration and crappy reporting - both
hallmarks of immature product sets. So NAC will get here, it's just
going to take a while. I've spoken to a bunch of folks in and around
the NAC business (users, VARs, etc.) and there is interest - but people
are still trying to figure out which NAC is up.
Mobile devices over WiFi - what's the big deal?
So what? -
I'm sure many of you folks share my frustration with broader tech
media's general lack of understanding about security. This story on Crackberry.com about Blackberry's upcoming
support of WiFi is a case in point. It seems folks that don't
know much of anything are figuring that putting a WiFi radio in a Blackberry
creates all sorts of security concerns. Actually, not so much. First,
it seems that all the Blackberry will do is sync up data (as opposed to
support voice) and pretty much since the beginning of time, the BB has
encrypted the transmissions between the device and the BES server (or
Internet service). Just because the communications medium is different,
doesn't mean the protocols riding on top change. The other major attack
vector is connecting to a bogus access point and downloading a Trojan.
Anyone know of a Trojan that will 0wn a Blackberry? I don't. So this
is, once again, much ado about nothing. At least for now...
The Laundry List
- I guess the Mandarin word for big is "innovation." IDC determines that in Asia Symantec, McAfee, and Trend are the most innovative security companies. Now that's interesting. - Tekrati coverage
- Goodnight Linksys. Cisco will kill the brand eventually and no one will know the difference. What's the Mandarin word for "commodity." - Bizjournals coverage
- Core automates client side pen testing with V7. - Core Security release
- Trend identifies botnets with a service. I'm sure my ISP wants to know - NOT! - NetworkWorld coverage
Top Blog Postings
Hunting for security value
Steve Hunt is digging through his blog archives and republishing some
posts from 8 months ago. This one about discussing the "value" of
security is a good one. He's exactly right in that we have to figure
out the value proposition for security and that FUD (fear, uncertainty,
and doubt) is no longer the ticket to be successful in getting
funding for security projects. He also points to a pretty simple
process issue - issuing temp badges and letting the visitors roam
unescorted - as undermining the entire security environment. So it's
not just about blocking and tackling and the simple stuff - it's also
about focusing security as a means to serve the business. Not
vice-versa.
http://www.securitydreamer.com/2007/07/featured-post--.html
Nobody cares about secure email
It's funny how every so often I read an exchange of posts that brings
me right back to 2001, in the midst of trying to create a market for
secure email. It didn't work too well back then, and it's not working
any better now. George Ou and David Berlind piss on each other's legs a
bit about the true state of secure email. It is pretty funny to see
George take such offense to David's attacks. In this discussion
both are right and both are wrong. Yes George, the technology is there.
But it's too hard to use. My Mom couldn't figure it out. Yes David,
some of the implementations of the protocols don't work as well
together as they should. But why, after 15 years of brutally hard
effort to get people encrypting email, isn't it happening? It's
actually pretty simple - no one cares. Sure, there are some markets
(like statement delivery or M&A correspondence) where the
technology makes sense and folks will suck up the complexity. But for
the most part people just don't care. Most companies send folks a link
to get at statements, requiring them to log into their account
securely. No need to send sensitive data via email.
Inter-enterprise collaborative workgroups are starting to use things
like private Wikis and other community oriented platforms. Mr. Market
has said that email isn't the medium for those kinds of communications.
And Mr. Market isn't wrong.
http://blogs.zdnet.com/Ou/?p=636
Data security - Waiting for Godot
Rob Newby has been doing some thinking about how to get the
data-centric security ball rolling. His thoughts are interesting, but
the biggest problem (that he points out) is that we've got petabytes of
data out there that aren't secure and someone is going to have to go
through and classify, tag or do whatever else is required to figure out
if that data needs to be secure or not. Then Rob goes into some storage
mumbo-jumbo that loses me, so let's get back to data security (not data
storage optimization, thank you very much). That's a big task if we
weren't producing scads of new data every day. Given that if anything
data creation is accelerating, it creates quite a problem. What's the
answer? I have no idea. I think perhaps we need to pick a few high
profile applications/data stores and get that working. Then you move on
to other stuff, and so on and so on. The reality is, at best you'll get
to maybe a couple percent of your data. But that's better than nothing,
no?
http://robnewby.blogspot.com/2007/07/driving-data-security-forwards.html
Of course no one cares about email security, and I never said the market cared for secure email. For that matter, the market and the general population don't really care about security in general. Oh sure they'll be mad if someone else leaks their private info, but in general they won't even bother typing in https or turn on SSL for POP3 and SMTP.
But that really wasn't my point. My point was that THOSE WHO WANTED EMAIL security can have it. Berlind's point was that those who wanted email security had no practical solutions available. The truth is that those who use a real email client can have end-to-end email security in a simple built-in UI if they wanted. Those who want to turn on SSL for HTTP, POP3, SMTP who are using a good service provider can do it easily. Unfortunately some providers don't offer SSL or don't implement SSL correctly. Berlind claimed that S/MIME end-to-end didn't work because most webmail clients don't support it. I say that just shows the lack of maturity in web applications which don't even offer offline mode and many other things you take for granted with a real email client. Oh you don’t want to have to get a free Digital Certificate? Oh well that’s too bad then, you don’t get to automate signatures. I mean people went through 100 times more trouble to get their driver’s license right?
Mike, we've worked with many of the secure email companies so we “get” where you’re coming from in your secure e-mail post. But guess what? The market is growing. Secure email is becoming a requirement. More and more companies are baking it into their products. What Voltage is doing with identity-based encryption (IBE) is pretty exciting. That technology isn’t hard. In fact, it’s extremely simple. (Yes, even your mother can use it. Try the VSN at vsn.voltage.com -- don't take my word for it.) One last point – you might not care, but Mr. (and Mrs.) Market do. They’re buying it – a lot of it – and using it. Maybe it’s time you took another look…?
Hope you’re well --
Paula Dunne
President, Contos Dunne Communications