The Daily Incite - September 4, 2008

Submitted by Mike Rothman on Thu, 2008-09-04 08:15.
Today's Daily Incite

September 4, 2008 - Volume 3, #74

Good Morning:
After seeing so many live music shows this year, the sizzle is waning. Sure, it's great to see fantastic, charismatic singers. And folks that can make sounds come out of a guitar that boggle the mind. But while I was seeing My Morning Jacket last week or John Mayer over the weekend, I didn't focus on the guitarists (as good as they are). I wanted to pay attention a bit to the unsung heroes that make live music happen.
The anonymous bass player
That's right, let's hear it for the rhythm section - the bass guitarist and the drummer. With very rare exceptions you don't go see a band because you like the bass player or the drummer. Of course, you go to see Rush to remind yourself how great Neil Peart is. I think that Sting guy may be able to sing also. But beyond that, who is the drummer? Who is the bass player?

So at the last two shows I tried my best to pay more attention to the bass player and the drummer. They were good. MMJ's drummer had long hair that seemed to do more damage to the cymbals than his drum sticks. John Mayer's bass player kept the rhythm going, but now a few days after the show, I couldn't tell you what that guy looked like. I guess I'm like everyone else. It's the shiny objects that are memorable, not the rhythm section.

The guitarists get all the money and the chicks (or guys if they swing that way). So this weekend let's try not to forget these other folks, even if they are entirely forgettable. Go find a bass player or a drummer and thank them for the labor they provide during every live show. Tell them without their contributions, you'd only have half a band. Half a band sounds like crap. 

And then get back to staring at the guitarist. Man, those guys can play!

Have a great weekend. 

Photo: "bass player" originally uploaded by davidex

Top Security News

All that glitters isn't Chrome
So what? - So Google goes and releases a "browser" and the entire Internet is all aflutter. Open Source, ooooh. New JavaScript engine, ahhhh. It's even secure! OK, maybe not, since it seems someone ran a fuzzer on it and found some vulnerabilities already. Not that it wasn't expected, but it's still funny. Evidently the browser works OK, according to the folks that have played with it. Dennis Fisher figures it won't make a huge dent in market share beyond the digit heads, and Mitchell is bitching about having to QA another browser platform. Do I think this is earth shattering? Nope. But it's clear that the underlying OS will just be a host for a variety of "application" platforms that are optimized for specific use cases. Chrome will be one, maybe Firefox another, and maybe you'll get developers extending Chrome to optimize it for their own environments. And it won't matter if you run Windows or Mac OS X or even Linux on your device. This will likely accelerate the marginalization of the OS, and that's a good thing. Amrit is on the right track about this being a "platform" more than anything else. But let's not anoint Chrome as the best thing since sliced bread from a security standpoint until it's been proven. Google does beta stuff pretty well, but until I can get NoScript-type functionality (and a Mac version), I'll be waiting on the sidelines.

Private browsing - so much for snooping on your folks
So what? - A lot of organizations have deployed user web monitoring, I mean web filtering, in order to make sure their users stay productive. That's how they justified the expense, anyway. You have a gateway and it stops users from going to "bad" sites that would burn up most of their day (Facebook, anyone?). You could also enforce your acceptable use policies during an investigation, based upon the history, cookies and other cache items left on the browser. But now everyone is taking Apple's lead and adding a pr0n mode, I mean privacy mode, to their browsers. Maybe that's why most of the Apple users I know are a lot happier than those suffering through with IE. IE8 will have it, and so will Google Chrome. So aside from allowing boys to be boys, what are the risks of these private browsing modes? Basically, they cut off a significant information source for investigations: the local artifacts are discarded when the session ends. As Seltzer points out, it's not clear what the real impact will be for compliance purposes and for monitoring employees' use of technology. But all is not lost. Private mode only cleans up the endpoint; every request still crosses the wire, so we can still monitor the network and the gateway logs. You also may want to (try to) enforce the usage of a VPN for remote employees, so their web traffic is routed through your network. Then you can monitor that too. That one's a bit harder, but it's possible. The action-reaction process continues unabated. At least you know these new actions are happening, so you can plan your reactions.
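To make the "we can still monitor the network" point concrete, here is an added example (mine, not from the Daily Incite or from Seltzer's piece) that counts acceptable-use hits per user from the gateway's proxy log, which private browsing does nothing to erase. The log lines are constructed in Squid's native access.log layout, the blocklist is a hypothetical single entry, and the user field assumes the proxy authenticates users; a real deployment would load the blocklist from the filter's category feed.

```python
"""Aggregate proxy-log requests against an acceptable-use blocklist.

Private-browsing modes discard history, cookies and cache on the
endpoint. Every request still crosses the gateway, so the proxy log is
the record that survives. Added example; standard library only.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid native access.log format:
# timestamp elapsed client action/code bytes method url user hierarchy type
SAMPLE_LOG = """\
1220515200.123   245 10.1.2.3 TCP_MISS/200 4523 GET http://www.facebook.com/home.php jsmith DIRECT/69.63.176.13 text/html
1220515260.456   120 10.1.2.3 TCP_TUNNEL/200 2210 CONNECT www.facebook.com:443 jsmith DIRECT/69.63.176.13 -
1220515300.789    88 10.1.2.7 TCP_HIT/200 1031 GET http://intranet.example.com/policy.html adoe NONE/- text/html
1220515320.012   300 10.1.2.7 TCP_MISS/200 8890 GET http://apps.facebook.com/somegame/ adoe DIRECT/69.63.176.14 text/html
1220515400.345    50 10.1.2.3 TCP_DENIED/403 0 GET http://www.facebook.com/photos/ jsmith NONE/- text/html
"""

# Hypothetical blocklist; suffix-matched so subdomains count too.
BLOCKED_DOMAINS = {"facebook.com"}


def parse_line(line):
    """Return (user, host, status) for one Squid log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 8:
        return None
    action_code, method, url, user = fields[3], fields[5], fields[6], fields[7]
    status = int(action_code.rsplit("/", 1)[1])
    if method == "CONNECT":
        # HTTPS through the proxy: only host:port is visible, which is
        # enough to tie a user to a destination.
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return user, host.lower(), status


def blocked_domain_for(host, blocked=BLOCKED_DOMAINS):
    """Return the blocklist entry that covers host, or None."""
    for domain in blocked:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def policy_hits(log_text, blocked=BLOCKED_DOMAINS):
    """Count attempts per (user, blocked domain).

    Requests the proxy denied (4xx) are kept: for an acceptable-use
    investigation the attempt itself is the evidence.
    """
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host, _status = parsed
        domain = blocked_domain_for(host, blocked)
        if domain:
            hits[(user, domain)] += 1
    return hits


if __name__ == "__main__":
    for (user, domain), n in sorted(policy_hits(SAMPLE_LOG).items()):
        print(f"{user:10s} {domain:20s} {n}")
```

The same approach works on DNS resolver logs or NetFlow if you have no proxy; the point is that the evidence moves from the endpoint to the choke point you control, and the VPN suggestion above is about making sure remote users' traffic passes that choke point at all.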

What about #21: Get some hemlock...
So what? - It's happened to most of us. You are walked into the boss's or maybe the HR person's office and then notified you no longer have a job. It's pretty unsettling, though it gets easier every time it happens. Unfortunately, given the state of the global economy, this is likely to happen more frequently over the next couple of months. NetworkWorld has a good article that provides some tips for dealing with it. Basically, you can't freak out, and hopefully you've been making contingency plans all along. If you work for someone else, it's kind of silly to assume things won't change in the business and that you'll always be welcome. This isn't the 1950's, folks; there is no guaranteed lifetime employment and a cushy pension at the back end of 30 years of toil and trouble. If you are too "busy" to take some action and get out and network a bit, or even to develop a contingency plan, do a little visioning exercise with me. Visualize that you are packing up boxes in your office. Then visualize how you are going to pay the bills and keep your significant other in the lifestyle she/he has become accustomed to. Not a pretty picture, right? So make sure you are constantly thinking about what's next. Better to be safe than dealing with the repo man.


The Laundry List

  1. Secure Computing puts Securify out of their misery for $15 million and an earn out. VCs took a bath on this one, but that's life in the big city. And it goes to show even a cat only has 9 lives. - Secure Computing release
  2. Novell introduces the most "advanced compliance management" solution, which evidently is a knife to kill the auditor in the parking lot. All kidding aside, what kind of differentiator is "advanced?" - Novell release
  3. Sick of paying for AV? Build your own, just don't try to manage it for more than a desktop or two. - NetworkWorld
  4. You think Ballmer will be master of his own domain? He's under a lot of stress, you know? Maybe Seinfeld will help them fend off the Mac Guy, but probably not. No Office for You! - Dvorak MarketWatch column

Top Blog Postings

It's a big world and it takes time for them to do anything
Gunnar gnashes his teeth a bit regarding how small the aggregate software security market is. Yep, early markets are like that. You have a couple of big vendors that get 80% of the market share and a bunch of smaller ones that don't. When you add everything up, you get a market size probably 15% of a Big Security player like Check Point. The reason is simple. Everyone has a firewall. Not many do software security YET. And the yet is the point. Emerging markets are all about hype and making customers think they have problems they're not sure they have. No one questions whether they need a firewall. Of course companies should be spending more on software security, but they don't understand that yet. They haven't seen it and been beaten over the head with it for years. That's what it takes. The firewall has been around for over 15 years; software security has not. It's great the software security market is growing, but don't expect it to become very big anytime soon. Only time can make that happen.
http://1raindrop.typepad.com/1_raindrop/2008/08/software-security-market.html

First person XSS
Let me send out a hat tip to Dave Piscitello for pointing me towards Russ McRee's excellent piece on cross-site scripting in the ISSA Journal. A key to being a good defender is to understand your adversaries. So being able to put yourself into the mind of the criminal is critical to being able to defend yourself. So what do you see here from an XSS attack standpoint? Basically it's something that can happen to anyone, and it's hard (as a user) to defend against. I know I pimp NoScript a lot, but it adds a bit of XSS defense as well to your Firefox browser. From a developer standpoint, there are a few tips at the end to keep in mind. Of course, it's unlikely you are the actual developer, so you'll need to evangelize these points to your developers at every turn. Validate inputs, encode outputs, and look at both web app firewalls and code reviews. Russ forgot to tell you to keep fighting the good fight, because behaviors don't change overnight and building secure applications does require a behavioral change. Note the link below is a PDF file.
http://holisticinfosec.org/publications/anatomy_of_an_xss_attack.pdf
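Since "validate inputs, encode outputs" is the developer takeaway, here is an added example (mine, not from Russ McRee's paper or from the Daily Incite) showing a reflected-XSS sink beside its hardened form. The search page, the `q` parameter and the username allowlist are assumptions for illustration; the attacker string is constructed.

```python
"""Reflected XSS: the vulnerable render beside the hardened one.

Added example, standard library only. Shows output encoding at the point
of output and allowlist input validation as the two developer controls.
"""
import html
import re

# Constructed attacker input: closes the value="" attribute, then injects.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_vulnerable(query):
    """Reflects the search term straight into two HTML contexts:
    element body (the <h1>) and a quoted attribute (the <input> value)."""
    return (
        f"<h1>Results for {query}</h1>\n"
        f'<input type="text" name="q" value="{query}">'
    )


def render_safe(query):
    """Same page, with HTML output encoding applied where the data is
    written into the page. quote=True also encodes " and ', which the
    attribute context needs; the default (quote=False) would not."""
    safe = html.escape(query, quote=True)
    return (
        f"<h1>Results for {safe}</h1>\n"
        f'<input type="text" name="q" value="{safe}">'
    )


# Hypothetical allowlist for a username field: letters, digits, _ . -
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value):
    """Input validation by allowlist. Reject anything outside the expected
    alphabet rather than trying to strip "bad" characters, which attackers
    route around. Returns the value unchanged or raises ValueError."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username contains characters outside the allowlist")
    return value


def contains_active_script(page):
    """Crude check for the demonstration: is there an un-encoded <script
    tag in the rendered page? (A real test would parse the HTML.)"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", contains_active_script(render_vulnerable(PAYLOAD)))
    print("hardened:  ", contains_active_script(render_safe(PAYLOAD)))
    print(render_safe(PAYLOAD))
```

Two caveats a code reviewer should raise: `html.escape` is the right encoder only for HTML body and attribute contexts, so data written into a `<script>` block, an event handler, or a URL needs that context's own encoder; and validation on its own is not enough, because a legitimately formatted value can still be dangerous in a context the validator never considered. Encode at the output, validate at the input, and treat the WAF as a backstop for the code you have not fixed yet.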

Is there a silver lining in all these clouds?
Cloud this, SaaS that. Every day it's more crap about clouds and services, services and clouds. What's a guy, who likes to keep his feet on the ground, to do? Amrit's been busy lately. I guess spending some time in the Ashram during his Asian swing was good for his writing and time management skills. This post makes a lot of good points relative to the fact that cloud computing will require a different security model. I'm not sure what that model ultimately is, but it's different. Maybe a little different, maybe a lot different, but it's definitely different. Yet, we are still missing the point about what's most important to do now. Thankfully Amrit didn't, as he points out it's all about RECOVERING from the inevitable incident. Remember, whether you are consuming or providing cloud services, if there is a question about the reliability and/or security of those services, it takes everyone down with the ship. So make sure you focus on CONTAINING the damage as you architect these services. It will make or break your business. No joke.
http://techbuddha.wordpress.com/2008/08/29/saas-and-cloud-computing-change-the-cia-paradigm/