The Daily Incite - December 11, 2007
December 11, 2007 - Volume 2, #162
Good Morning:
Damn you Senator Larry Craig. Damn you, damn you, damn you. Yes, that's
kind of harsh, but it's how I feel. You probably think this is about
his politics or even his alleged lifestyle choices. It's not. This has
everything to do with public bathrooms. You see, I was at an all day
meeting south of Atlanta yesterday (which is why there was no Incite),
and before I braved the afternoon rush traffic, I decided to take care
of business. There is nothing worse than having to throw a deuce when
you are in bumper to bumper traffic. Absolutely nothing.
So I find the restroom in the hotel and was pleased to have the room to myself. Even if it is a public bathroom, it's nice to have some privacy. But then, some other interloper settles into the next stall. 6 months ago, this is no problem at all. I'd bust out McPaper and get caught up on world events before I got into the car for the long ride home. I was blissfully unaware of public bathroom etiquette.
But now I'm not. Damn you Senator. So I pull in my feet as close together as possible. I hardly breathe and finish up. I'm not taking any chances. I'm out of there. What used to be the mildly horrible public bathroom experience is now downright horrifying.
I guess I always knew that kind of stuff happened. After all George
Michael got pinched for similar activities back in 1998. But
it certainly wasn't top
of mind. Now all I can do is wish for the days when I could use a
public bathroom and my biggest problem was whether there was enough
toilet paper to properly cover the seat. The good days gone by.
Have a great day.
Public bathroom image originally uploaded by lrojas2cr
Technorati: Information Security, CSO, Security Mike, Internet Security
Top Security News
The only thing new here is this reporter
So what? -
It really is amazing that some savvy PR folks can totally pull the wool
over an unsuspecting freelance reporter's eyes and feel good about it.
The first line of this article in NetworkWorld about network
behavior analysis is "There’s
a new weapon in the
security arsenal that monitors network traffic and issues real-time
alerts when it spots unusual or suspicious behavior on the network."
NEW?!?!? Oh that's right, we all got into that time machine and were
transported back to 2000 when the NBA players were just getting going.
I've been pretty positive on the idea of NBA and I still think the idea
of pulling a baseline and monitoring your stuff relative to that
baseline is one of the only ways you can REACT FASTER to all the bad
stuff that is going on out there. But to paint this stuff as "new" is a
disservice to everyone. NBA is not new. Though I guess if they wait
long enough, all of the folks that would remember that the category
used to be called "anomaly detection" will have gone on to their great
reward. To be clear, NBA is actually a feature of a network security
moving forward. Maybe network ops too, but those are different buyers
with different problems.
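The "pull a baseline and monitor relative to it" idea above is the whole of what an NBA/anomaly-detection product does, so here is a small working version of it. This is an added example, not code from the newsletter or from any NBA vendor: it learns a per-host baseline of outbound connection counts from a training window and flags hosts in a later window that deviate from their own history. The host addresses, window ids and counts are constructed for the example.

```python
"""Baseline-relative anomaly detection over constructed flow summaries.

Added example, not code from the newsletter or from any NBA product.
It learns a per-host baseline of outbound connection counts from a
training window and then flags hosts in a later window that deviate
from their own baseline. Host addresses and counts are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training data: (window_id, source_host, outbound_connections).
# Seven clean windows for two hosts; a real baseline would span days.
BASELINE_RECORDS = [
    (w, "10.0.0.5", n) for w, n in enumerate([38, 42, 40, 41, 39, 40, 43])
] + [
    (w, "10.0.0.9", n) for w, n in enumerate([14, 16, 15, 15, 14, 16, 15])
]

# Constructed observation window to score against the baseline.
OBSERVED_RECORDS = [
    ("w8", "10.0.0.5", 41),    # within its usual range
    ("w8", "10.0.0.9", 300),   # twenty times its usual count
    ("w8", "10.0.0.77", 12),   # host never seen during training
]


def build_baseline(records):
    """Return {host: (mean, stdev)} of per-window connection counts."""
    per_host = defaultdict(list)
    for _window, host, count in records:
        per_host[host].append(count)
    return {h: (mean(c), pstdev(c)) for h, c in per_host.items()}


def detect_anomalies(baseline, observations, k=3.0, min_stdev=1.0):
    """Flag observations more than k standard deviations from the host's
    baseline mean. min_stdev floors the deviation so that a host with an
    almost constant history does not alert on every tiny wobble, and a
    perfectly constant one cannot cause a division by zero. Hosts with
    no baseline at all are reported separately: "never seen before" is
    itself worth a look, but it is not a statistical deviation."""
    alerts = []
    for _window, host, count in observations:
        if host not in baseline:
            alerts.append({"host": host, "observed": count,
                           "reason": "no baseline for host"})
            continue
        mu, sigma = baseline[host]
        z = (count - mu) / max(sigma, min_stdev)
        if abs(z) > k:
            alerts.append({"host": host, "observed": count,
                           "expected": round(mu, 1), "zscore": round(z, 1),
                           "reason": "deviates from baseline"})
    return alerts


def run(baseline_records=BASELINE_RECORDS, observed_records=OBSERVED_RECORDS):
    """Build the baseline and score the observation window in one call."""
    return detect_anomalies(build_baseline(baseline_records), observed_records)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run as-is and it reports 10.0.0.9 (285 standard deviations above its mean of 15) and the unknown host 10.0.0.77, while 10.0.0.5 stays quiet. The two tuning knobs are the ones every such product exposes under different names: `k` sets how far from normal counts as abnormal, and `min_stdev` keeps a very stable host from paging you over noise. The point the column makes still stands: this is only useful if the baseline was collected while the network was actually clean.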
Doubling of AV signatures must be the 6th sign
So what? -
I guess since it's prediction season, we need to be more diligent and on
the lookout for more signs of the apocalypse. The idea that F-Secure's signature database went from
250,000 to 500,000 in 2007 must certainly mean something.
Actually, all it means is that the bad guys are getting more effective
at morphing their attacks to circumvent the signature-based detection
of AV 1.0. Since the pace of new signatures is accelerating, I guess
you don't need to be Einstein to see that at some point sooner rather
than later the model just breaks. Is that 2008? Maybe, but in practice
signature-based AV is bundled into an endpoint security suite with a
lot of other goodies that will be marginally more effective at
defeating malware. So I guess F-Secure is fighting yesterday's
prediction battle because the number of signatures just doesn't matter
anymore.
Check out the hacker in seat 14D
So what? -
Great, now JetBlue, Yahoo and RIM are working together
to introduce WiFi to the friendly skies. That is the surest
way to make sure the skies don't remain friendly. I can just imagine it
now, a passenger runs Metasploit and pwns half the plane before you get
to 25,000 feet. Sure the plane could log all the traffic, but with
spoofed MAC addresses and some obfuscation, the odds of detection are
pretty much nil. Maybe they'll train the air marshals to look for
hackers as well. Just for giggles, I fire up my wireless card on most
flights, just to see how many other laptops are searching for networks
or broadcasting the popular "Free WiFi" SSID. I guess I could also rig up a
battery to an access point and really create some havoc. It wouldn't run for
long, but it wouldn't have to. Most of the plane would connect
automatically to the network and then it would be trivial to pwn them
too. Some days it's fun to speculate, and I'm not even good at this stuff. It boggles
my mind to think about how a motivated and determined hacker could take
advantage of these services. And help me understand how running WiFi
through the plane is OK, but playing my iPod during take-off is a huge
safety hazard. I love modern day hypocrisy. It just makes me smile.
The Laundry List
- Wow, somebody on record saying they like Vista. I guess they are angling for a free upgrade to Mac Office 2008. - SearchSecurity coverage
- Earth calling to Rob, distis are to write paper and park inventory at the end of the quarter. Taking L1 support calls? Not so much. - Rob Newby's blog
- If business is so good, why force mandatory vacation? Barracuda gives employees off between 12/24 and 12/28. Trouble in pallet paradise? - ValleyWag
Top Blog Postings
Manage the problems, not the products
It's been a while since I've ranted about the sorry state of security
marketing. Most start-ups are trying to position their features as
companies and providing solutions to the ills of society. Most of these
companies will be put out of their misery at some point, but with the
amount of money still floating around the security space, it will still
be years before the shake-out really takes root. And I love the PR
flacks that pound my phone and email with news of the latest "ground
breaking" whatever, which is really a fancy way for saying point
release. Oh please please can you cover our new thingamajig in the
Incite? Yeah, right. But there is hope, you can change your attitude
and start thinking about customer problems and managing those problems,
as opposed to the product. Adele Revella (a Pragmatic Marketing
instructor) has a great post here about that very topic. I think when
you live with a product for too long, you think about it from that
standpoint. When you are getting thumped by customers all day about
what the product doesn't do, it's hard to rise above it and focus on
the next customer problem. It's easy to add feature after feature
because your early customers will let you know what else the product
needs. It's much harder to continually focus on solving new problems.
http://www.buyerpersona.com/2007/12/bring-me-proble.html
Is full disclosure dead? Does it matter?
I'm hurt. No one invited me to the wake for Full Disclosure. I would
have gone because it was nice (at least relative to where we are now)
when vendors had some early warning about problematic vulnerabilities.
Of course, the vendors maybe should have taken those reports from
diligent researchers a bit more seriously. Or maybe not threaten
litigation or do PR slam campaigns targeting the folks trying to help
them. Jeremiah points to an op-ed piece he did for SC Mag and is
right that the environment is too complicated to count on the
fact that vendors will patch things before the vulnerabilities can be
exploited. Maybe these 3rd party shops buying zero-day attacks (like
TippingPoint or WabiSabi) can insulate the researcher from these
shenanigans, but does this stuff even matter? Folks that subscribe to a
Pragmatic CSO approach to security don't really worry about this stuff
anyway. We know that you can't "get ahead of the threat," especially
when the threat will increasingly hit in a zero-day fashion. You know
where I'm going, right? The ability to react faster takes the need to
worry about zero-days and responsible disclosure off the table. Sure
it would be great if we could patch before we get hurt, but it's better
to make sure you can contain the damage, if you don't get there in time.
http://jeremiahgrossman.blogspot.com/2007/12/full-disclosure-is-dead.html
When a blogger gets into deep water
It's very easy to just comment on stuff that you have no idea about in
the blogosphere. My friend Cutaway is the latest to fall into this
trap, and Hoff calls him out on it. First I'll say I'm a big fan of
Cutaway. He works hard to improve his knowledge and is very generous
with his time to help the industry. But in his post on why a UTM is bad
and "causes increased risk and adds complexity," he is pretty much
wrong. The idea that putting mature technologies like a firewall and
IPS on a single box adds complexity how? It adds vulnerabilities to the
system how? But Hoff already asks those questions. My opinion is that
practitioners have too much to do in the real world. The folks I talk
to need to get leverage in their environment in any way they can
because they can't keep up with the simple stuff. Even if the policy
interface provides control over the entire system, that would seem to
me to be an acceptable risk in all but the most paranoid and locked
down networks. Anyone depending on a UTM for the entirety of their
information security needs to have their head examined anyway.
Consolidating hardware and more importantly the management of these
disparate network security functions is critical to helping today's
security folks to keep their heads above water. Hopefully Don can
answer Hoff's call to clarify what he's saying.
http://rationalsecurity.typepad.com/blog/2007/12/consolidating-c.html