The Daily Incite - November 26, 2007
November 26, 2007 - Volume 2, #156
Good Morning:
Rain rain, go away - come back another day. It's kind of strange, but this old nursery rhyme needs to be put on the shelf for a little while. As I awoke this morning, it was great to hear the pitter-patter of rain drumming away. We are having a pretty severe drought in GA, so every day it rains (even if it's Thanksgiving), you smile and hope that we get some more.
All of the gratuitous consumption of the past week has gotten me thinking. Do I really need all this crap that I've accumulated? The Boss spent a good part of yesterday going through all the kids' toys and starting to figure out what we should sell, what we should give away and what we should toss. It's just amazing how much crap you think the kids just "gotta" have. And the reality is their relative attention spans resemble a gnat's. So they play with the new new thing for a day and then move on to the next new new thing. After a bunch of days and a bunch of new new things, you are overrun in crap.
Maybe that just doesn't make any sense. With the 2008 US Presidential Election cycle hitting high gear over the next few months, we are going to hear an awful lot about the environment, the economy, and lots of other topics that should make everyone around the globe think. Are we each doing right by ourselves, our neighbors, and our world?
I can't speak for anyone else, but I certainly get caught up in my day to day activities. It's pretty rare that I worry about the resources I consume.
Most of my utility bills are paid automatically, so most of the time I don't really pay attention to how much my electric or gas bill is. I know it's a legitimate charge to my account, so I move on to the next transaction. I suspect most people are like me, just living our lives.
I guess it's a bit early to start thinking about New Year's Resolutions, but I think I'm going to start paying more attention to the environment. And I'm not going to wait until 2008. Do we really need the latest and greatest trinket? Can I buy something that is a bit more "green?" I guess the constant chatter about ruining the world for our Grandkids is starting to set in. I can and will start trying to be a little more earth-friendly.
I don't want to preach, there are plenty of folks out there that are already doing that. But maybe I can get you to think about it a little too. That's the only way things are going to change. One thought at a time. One person at a time. One step at a time.
Have a great day.
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com
Top Security News
Policies to protect mobile devices
So what? -
Over in Network Computing's Data Privacy Immersion Center, Avi Baumstein brings up a critical part of mobile device protection that is commonly overlooked - the policy. Right, in many cases we just buy something and throw technology at the problem. But by focusing on the policy and getting buy-in (and maybe even consensus - oh horrors!) ahead of the purchase about how and when data needs to be protected on mobile devices - you can avoid the issues of dimwits not paying attention and messing something up. This is pretty consistent with rolling out any other big initiative in a company of size. You need to spend at least a bit of time figuring out the business drivers for any new project and be able to communicate those to the front lines - who have to live with the changes. This piece alludes to laptops, but increasingly we are seeing sensitive data show up on "smart-phones." Thus we will start seeing vendors bringing out more focused smart-phone security offerings - like Symantec's recent announcement. I still think this is a solution looking for a real problem (as opposed to the theoretical problem), and could very well be the equivalent of killing an ant with a jackhammer. But at least we will start discussing the issues of how vulnerable smart-phones really are.
Security Marketing Gone Wild: IronPort makes PCI "easy"
So what? -
It's been a while since I did any "Security Marketing Gone Wild" pieces, calling out some just ridiculous statements from vendors. Today's winner is IronPort. I guess the Cisco money has gone to their head and their own exhaust is starting to smell mighty nice. How else do you explain a press release where IronPort claims to "help retailers comply with PCI standards?" The headline must have been written by a lawyer, because it's pretty nebulous. But this release stepped out of the time machine from about 18 months ago, especially since the meat of the release is in a section called "PCI Compliance Made Easy." Ah, hello. Earth to IronPort. Putting an anti-spam appliance on the perimeter of my network will not make the auditor go away. Basically they think that searching for some regular expressions on outbound email traffic and using SSL to send email will make PCI easy. Not so much, and shame on any end user who actually believes this bunk.
Who is your boss's boss and are they relevant?
So what? -
I'm not sure I ever believed that old adage about one of the paths to success was to make your boss look good. But I can tell you a clear path to the toilet is to let your boss look bad. Especially when it's due to their own incompetence. I guess you can hope that the top dog will be taken out and you'll be in decent shape, but it usually doesn't work that way. Any new regime tends to napalm the existing staff. What am I talking about? Well, it seems CIOs out there are becoming less relevant by the day, as a decreasing number are reporting directly to the CEO. The data mentioned in the article pinpoints one cause as the technically-oriented CIO not being able to add value in an increasingly business centric environment. When technology was the cat's meow, then folks that knew how to build systems were valued. But now that technology is finally understood for what it is - a means to an end - now the requirement for technology leaders is to relate how the bits and bytes actually help to sell more stuff. So what does this have to do with security? I'm glad you asked because it's all about security. We as security professionals need to learn the same lessons, which is a message I've been preaching for a long time. If your boss (assuming it's the CIO) can't or won't talk business, you better find someone in the senior ranks that will. When the hammer falls and a business person is put in charge, you need to understand how to deal with that.
The Laundry List
- We may have to call it Gold Coat soon. Blue Coat puts up good numbers and says its next Q looks good too. Maybe there is something to this WAN Optimization stuff. - Blue Coat release
- Fratto no likey Vernier's management interface. Ouch. - InformationWeek review
- How to get the most value out of your vuln scanner? Only scan the stuff that's really important. Duh! - SearchSecurity tip
- We'll throw in a case of Guinness too! Vordel announces an OEM with CA to be part of CA's SOA Security Manager. The Guinness always seals the deal. - Vordel release
Top Blog Postings
Understanding CSRF
To be candid, I thought I knew how Cross-Site Request Forgery attacks (CSRF) worked, but if you had asked me to explain it back to you... Hummina hummina hummina. If you are in the same boat as I am, head over to this fantastic post on GNUCITIZEN which really explains CSRF in a very understandable way. Basically, this is a pretty significant application attack, since you can launch privileged requests to any website just by having a malicious tag in a web page. It seems that the attacker would need to be pretty sophisticated to get it to work, but it's also very hard to detect and very hard to protect against. One answer is to require a CAPTCHA for every type of data change request. Ouch. So the defenses are still evolving against CSRF, but at least we laypeople can understand how it works now.
http://www.gnucitizen.org/blog/csrf-demystified
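Added example (not from the GNUCITIZEN post or this newsletter): a toy Python model of the standard defense the item is circling around, the synchronizer (anti-CSRF) token. The session store, account store, request shape and all function names are assumptions constructed for the demo. The point it shows is why a cookie alone is not authorization: the browser attaches the session cookie to any request a hostile page triggers, but that page cannot read a secret token the site embedded in its own form, so requiring the token turns the forged request into a 403 while the legitimate one still succeeds.

```python
"""Synchronizer-token defense against CSRF (constructed example)."""
import hmac
import secrets

# Constructed in-memory stores standing in for a real session backend.
SESSIONS = {}   # session_id -> {"user": ..., "csrf_token": ...}
ACCOUNTS = {}   # user -> {"email": ...}


def login(user, email):
    """Create a session and mint a fresh anti-CSRF token bound to it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    ACCOUNTS[user] = {"email": email}
    return session_id


def csrf_token_for(session_id):
    """The value the server embeds as a hidden field in its own forms."""
    return SESSIONS[session_id]["csrf_token"]


def change_email_vulnerable(request):
    """Authorizes on the cookie alone: any request carrying the cookie wins."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401
    ACCOUNTS[session["user"]]["email"] = request["form"]["email"]
    return 200


def change_email_protected(request):
    """Requires the cookie AND a token matching the one bound to the session."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison; a missing or wrong token is rejected.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403
    ACCOUNTS[session["user"]]["email"] = request["form"]["email"]
    return 200


def demo():
    """Send the same two requests to both handlers and report what happened."""
    sid = login("alice", "alice@example.invalid")

    # Request submitted from the site's own form: cookie plus embedded token.
    legit = {"cookies": {"session": sid},
             "form": {"email": "new@example.invalid",
                      "csrf_token": csrf_token_for(sid)}}
    # Request a third-party page caused the browser to send: the browser
    # attached the cookie automatically, but that page could not read the
    # token, so the field is absent.
    forged = {"cookies": {"session": sid},
              "form": {"email": "attacker@example.invalid"}}

    results = {}
    ACCOUNTS["alice"]["email"] = "alice@example.invalid"
    results["vulnerable_forged"] = change_email_vulnerable(forged)
    results["vulnerable_email"] = ACCOUNTS["alice"]["email"]

    ACCOUNTS["alice"]["email"] = "alice@example.invalid"
    results["protected_forged"] = change_email_protected(forged)
    results["protected_forged_email"] = ACCOUNTS["alice"]["email"]
    results["protected_legit"] = change_email_protected(legit)
    results["protected_legit_email"] = ACCOUNTS["alice"]["email"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In a real application the token check belongs in a single middleware applied to every state-changing method (POST, PUT, DELETE) rather than per handler, and it complements, not replaces, the cookie; a CAPTCHA on every change request, as the item notes, is the much more painful way to get the same "this came from our page" guarantee.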
Security vs. compliance vs. the rule of law
Rebecca Herold has a series of posts over the past few weeks about whether some doctors are subject to HIPAA and whether they can send private information via IM or email. Since HIPAA is an empty suit anyway, it's not really about compliance - it's about doing the right thing. And if I got a clear text email from my doctor with private information, I'd be PISSED and I wouldn't be seeing that doctor anymore. In that case, I'd be voting with my feet, which I fear is probably about all we can really do. I've tried to have technology and privacy conversations with the staff at any of my medical providers, and it didn't go too well. Blank stares were about the most reaction I got. Rebecca is right about all the ways that clear text IM and email can be compromised, but again given that there is lax enforcement of HIPAA violations at best - you are better off taking your business (and your medical records) elsewhere.
http://www.realtime-itcompliance.com/privacy_and_compliance/2007/11/sending_cleartext_im_and_email.htm
But we've got to keep the vultures busy...
Shostack rues a bit about the age old debate relative to liability for software vulnerabilities. The reality is that at some point, some desperate ambulance chaser is going to bring one of these suits. And it will probably be against a small software vendor, that likely provides open source tools, because it's easier to shake down a small vendor that doesn't have the resources to fight a class action suit. Taking on someone like Microsoft or IBM, who employ a third world nation's population of lawyers, without a strong legal precedent is suicide. But as Adam says, any kind of litigation, even if it comes from the government, even if it's in the UK, is a really slippery slope. You don't think that the vultures would go after civil damages if the Feds go after criminal issues? But then again, what fun would it be without these legal taxes on the economy?
http://www.emergentchaos.com/archives/2007/11/the_costs_of_liability.html
Recently on the Security Incite's Blogs
Find out what Security Mike is talking about: http://sm-blog.securitymike.com
Check out the latest on the Security Incite blog: http://blog.securityincite.com/
Read the most recent Daily Incite: http://securityincite.com/security-incite-rants/daily-incite
I'm not sure who is buying the Blue Coat WAN Optimization solution. Riverbed is winning most of the deals. I think that Blue Coat is just going into their existing accounts and selling the WAN Optimization add on. Not sure how long that will last. We are deploying a ton of Riverbed Steelhead appliances for our customers and we have done quite a few bake offs and Blue Coat was never one of the vendors.
Justin Lofton
Systems Engineer
justinl@tredent.com
Tredent Data Systems, Inc.
Riverbed Partner