The Daily Incite - November 1, 2007

Submitted by Mike Rothman on Thu, 2007-11-01 08:52.
Today's Daily Incite

November 1, 2007 - Volume 2, #149

Good Morning:
It's the first day of November. How did that happen? I'll tell you, this year has been a blur. But on the first day of November, we in Chez Rothman always take a breath to celebrate a bit. It's my oldest daughter's 7th birthday today. Hard to believe that it's already been 7 years. I remember it like it was yesterday and it kind of feels like it was. Of course, I had a lot more dark hair back then, but I feel pretty much the same. Leah has become quite a spectacular little girl, so I guess it has been 7 years - but it doesn't seem that way.

It's been an eventful 7 years for all of us. I remember staying up all night watching the 2000 election returns. Hanging chad, anyone? Leah was 4 days old and under a bili light to deal with birth-onset jaundice while I learned more about electoral law than I ever wanted to know. It really does seem like yesterday, but it also seems like a lifetime ago. That's the thing about memory, you kind of lose track of time and context.

Leah has seen a lot of change in her 7 years - 4 houses and 4 schools. Oh yeah, two siblings have shown up as well. She still remembers living in Virginia. The twins don't; they were less than a year old when we moved to Atlanta. I'm on my 5th "job," if you count the two months I was employed by Authentica after the SHYM deal closed. Over a 7-year period I guess a lot does change. I've had unbelievable highs and some pretty low lows.

Sometimes I wonder what the next 7 years have in store. But not too much. I'm pretty happy just letting it roll nowadays. At work, I'm operating more on a project/product basis. I have a few big ideas that are constantly gestating in my head and I'll get to them - when I get to them. I've got decent optics on the projects/products I'm working on right now and the next 2 or 3 that will hit over the next 6 months or so. Beyond that, I'm not sure. To be honest, I love the flexibility.

That may be the biggest change of all over the past 7 years. I've thrown out the Gantt chart that specified wealth and materialistic milestones. When I lived in Virginia, I had one of those motivational posters in my home office. It said, "Success is a journey, not a destination." I'm not even sure what success means anymore, but I'm trying my best to enjoy the journey. I hope you are doing the same.

Have a great weekend.


Top Security News

Mac worm in the wild
So what? - It was just a matter of time. Now it seems a DNS changer Trojan is in the wild, attacking Macs by downloading a fake codec found on various p0rn sites. The payload is not all that dangerous, but as the folks at SANS discuss, this is the first indication of a professional, business-oriented Trojan being built for the Mac. There is a screenshot on the Sunbelt blog. Does that mean all of us Mac fanboys need to go out and get AV? Of course not, since we (as security professionals) should know better than to install a random codec when surfing adult sites. More interesting to watch will be Apple's response to this. Will they release a little DNS changer patch to restore the settings? Will they change their tune on AV? Will this result in the AV industry (all 3 or 4 companies that sell Mac AV) jumping on the Mac as a new opportunity, especially in light of continued OS X market share gains? Interesting times for sure.

Deal: McAfee gets HACKER SAFE
So what? - McAfee continues to exercise their checkbook, this time buying the folks behind the HACKER SAFE service for $51 million, with another $24 million riding on an earn-out. To be clear, I've never been a fan of these low-cost (like $99/year) web site "certification" services. Personally, I've always thought these certs set the wrong expectations with consumers. Since a large-scale attack usually involves much more than just a simple web application or network attack, the fact that a web site is scanned every day doesn't really mean much. But it seems consumers do feel safer with these certs and will spend more money, based on this MarketingSherpa study. Though when I put myself in McAfee's shoes, this deal makes a lot of sense. DeWalt is thinking out of the box, that's for sure. This deal brings 8,000 primarily small business customers into the fold. Now the success of the deal will hinge on a compelling bundle of products/services to follow the HACKER SAFE offering. Scan some folks, find out they are broken and sell them some more stuff. This is McAfee's new SMB Trojan, especially for their channel - who are now in a great position to fix the issues found during the scans.

If we are stronger, why doesn't it feel that way?
So what? - The recent PwC Information Security Survey shows that companies continue to invest in security infrastructure, but are lagging on monitoring and enforcement. The title of this coverage on the Big4alumni blog is that security is "getting stronger." But I will push back on that conclusion. Because we continue to spend money DOES NOT mean we are more secure. If anything, the fact that monitoring and enforcement are lagging means we really have no idea whether we are more secure or not. Just because you have a firewall in place doesn't mean it's configured correctly. That's what kills me about these studies and most security practitioners as well. They think throwing money at the problem will fix it. As the elfin security guru (just ask him) says, "Security is a process, not a product." I think that's his quote anyway. And monitoring is a key part of that process. We may as well flush that money down the drain because if we can't substantiate what we do and contain damage that is occurring, then why are we even bothering?

The Laundry List

  1. Deal: Cisco acquires Securent for $100 million. This is pretty interesting because Securent managed entitlements in applications. Looks like Cisco is finally trying to get some application layer security, but applications don't have flashing lights and plugs. - Cisco release
  2. Speaking of throwing money at the problem, IBM plans to spend $1.5 BILLION on security product R&D in 2008. Not sure they can find the resources to do that effectively, but big companies spending big money is not usually a bad thing for the ecosystem. - AP coverage
  3. Big research gets bigger. Gartner announces Q3 with modest 13% revenue growth and 18% contract value growth. They did reduce expectations for events revenue. More interesting is a 102% wallet retention rate, which means clients continue to write bigger checks to Gartner every year. - Gartner earnings release
  4. Another integrated security management device is upon us. eIQnetworks joins Q1 by announcing a SIM with NBAD and visualization and whatever GRC means. Yes, I know what the acronym stands for, but I don't know what it means. - eIQnetworks release

Top Blog Postings

Best or essential?
Grumpy Pete talks about best practices in this post and I tend to side with the idea that "best practices" are not useful in a security context. Dusting off my TruSecure Security Management Program roots, the concept was NOT doing what was arbitrarily "best," but rather focusing on what was "essential." Remember, you don't get a grade in security (I guess except maybe FISMA); you are evaluated mostly on whether you had an incident and how you responded to it. So the idea of trying to be the "best" is not relevant. But doing the set of practices within a "program" that are essential to make sure you are managing your risk effectively seems to be a much more effective way to think about the problem. Of course, this is all words and semantics because the reality is most of the "best" practices are things I would call "essential." But as the lawyers keep telling me, the words are important, so I'll split a few more hairs before I'm done.
http://spiresecurity.typepad.com/spire_security_viewpoint/2007/10/no-such-thing-a.html

Anonymity unmasked
Ken Belva had an interesting post a few weeks ago about how easy it is to find people who are trying to remain anonymous on a place like Craigslist. The jackass in question wanted to find some chicks for a threesome, so he posts on Craigslist (where evidently you can find anything), but doesn't cover his tracks. So a few Google searches and WHOIS requests later, Captain Ken knows who this guy is. Would Ken's data stand up in court? Who cares? The point is that there are usually tracks, so for those of you who enjoy anonymity in your nasty comments and the like, there is technology now that can find you. Unless you know what you are doing, which 99% of the folks out there trying to be anonymous don't.
http://www.bloginfosec.com/2007/10/23/how-i-unmasked-a-craigslist-poster/

Credit card loss isn't the only kind of ID theft
Rebecca Herold clarifies a recent post (which I kind of chopped up a bit) in which she talks about the true damage of ID theft. As she details, there are lots of ways for your ID to be stolen beyond just your credit card data being compromised, things like account takeover and "true name" identity theft. That's why I'm a fan of credit monitoring services and locking down your credit, so that verbal authorization is required before issuing new credit. It's true that if any of these attacks happen to you, it's a mess and will take a long time to clean up. The monitoring service I use guarantees that they will fight the battles with the credit bureaus and other financial institutions, and that peace of mind is worth the $250 a year I pay for the service.
http://www.realtime-itcompliance.com/identity_theft/2007/10/many_kinds_of_identity_theft_c.htm
