The Daily Incite - September 24, 2008

Submitted by Mike Rothman on Wed, 2008-09-24 08:58.
Today's Daily Incite

September 24, 2008 - Volume 3, #78

Good Morning:
I remember when I was a kid, one of the "crazy" things we used to do was crank calls. You know, call someone up and call them a name. Or dial the phone at 2 AM and just let it ring. Or call them and say the pizza will be delivered in 15 minutes, thanks for the order. Silly stuff like that. We even took advantage of three-way calling to put together some ad hoc conference calls. We'd call the really cute girl and then connect her to the not-so-cool guy. They didn't have a lot to say to each other. Those were a lot of laughs.
Hello. I'm monkey. Your pizza is ready.
And then caller ID became available. And the *69 service to ring back the number that just called. I'm sure it was quite a surprise to the first few crank callers who got a call back from an irate parent about a call at 2 AM. OK, that gig is done. A casualty of technical innovation.

Now it seems that simple hacks are done too. Since the Gov. Palin email attacker has allegedly been identified through, of all things, a proxy log, it's a lot more dangerous to pull simple pranks nowadays. Of course, breaking into the email account of a vice presidential candidate is more than just a simple prank, but the outcome is the same.

You can run, but you can't hide. Unless you live in Estonia, that is. Script kiddies be warned: unless you fancy a visit from the FBI at an inopportune time (is there an opportune time for a visit from the FBI?), you'd better improve your obfuscation techniques. Attackers always leave a trail; the question is whether the trail leads to your dorm room or to somewhere it would be very hard to track. Like Estonia.

But that's not even the point. They'll make an example out of this Palin email attacker, and they should. It'll be a deterrent for all of the novices who realize they are out of their league. Not at attacking; almost anyone can do that. At not getting caught.

Will something like this public execution deter the general increase in Internet fraud that we've seen? I say nope, not by a long shot. The reality is that the risk-reward equation is still heavily weighted in favor of the bad guys. Especially in Estonia. It's prohibitively expensive to prosecute them and it's incredibly lucrative for them to continue stealing. How do you think that ends?

Right, don't leave anything to chance. Monitor your bank accounts and credit cards almost daily. Use strong, unique passwords (and probably a password manager) on the accounts that matter, like your financial accounts, web mail, and ecommerce sites. Teach your friends and family to do the same. Apply the REACT FASTER doctrine to your own personal life. They'll catch some of the bad guys (especially if they live in the US), but there are always another 10 to step into the wake of the last one.

That's just the way it goes. 

Have a great day.

Photo: "0898 Hot Monkey Talk" originally uploaded by lemur



Top Security News

Truth? Who needs that...
So what? - For liars, the lies aren't really lies. They are "spin." We are seeing a lot of that type of crap emanating from the Presidential election (on both sides) and it seems we still see it in our own little technology world. Susan Hanley rails against this kind of crap on her NetworkWorld blog. Sometimes I'd like to have the kind of conversation I have with my kids. The reality is kids don't think you are any smarter than them. They can't really, because the idea of smarter or dumber is an abstract concept. So they figure they can just pull the wool over your eyes and you'll smile and be happy. Of course, they don't realize I pulled the same stunts when I was a kid. But at some point, you grow out of that. At some point you realize that the person on the other side of the conversation isn't dumb, and by "spinning" a version of the "truth" that may not be so truthful, you not only alienate them - you piss them off. But it's like the old Cabletron pricing model (why are you three times more expensive? Because 10% of the customers just pay it and we discount for everyone else): they figure a certain percentage of customers won't know the difference and will just accept the spin as fact. Personally, I find that perspective appalling and do my best to call it out, and to strike down with great vengeance and furious anger those who would attempt to poison and destroy my brothers.

Premature chasmuluation
So what? - Great observations here from Tim Wilson on the dichotomy between the problems customers need to solve today and the problems much of the vendor world is talking about. To use yet another political analogy, the house is burning down and all we talk about is lipstick on pigs. He's exactly right, and in a lot of cases the media is responsible for this. Fact is, the media gets paid based on page views now. Most of the technology magazines are thin and many others have just gone away. Everything is online nowadays, and that means it requires page views to monetize. No one wants to hear about the burning house because everyone knows it's burning. It's not interesting anymore. So the media covers the stuff that is new, maybe sexy, and certainly interesting (like virtualization security) REGARDLESS of the fact that very, very few people actually have the problem. You also have another dynamic here, which is technology M&A. Emerging vendors need to make their products interesting and deceive the buyers (acquirers, not enterprises) into thinking there is a market for the product. Then they can get a big valuation and make market development the acquirer's problem. And the final factor: most of the folks truly in the trenches don't listen to a lot of the vendor babble. They are too busy getting their ass handed to them every day.

Finally, they got the memo - make endpoint security invisible
So what? - It's the fall, so that means many of the AV vendors update their endpoint security suites. You know, they need to put a new box out and increment the year to justify the extra $50-75 per desktop they need to collect to keep themselves fat, dumb and happy. Of course, the past few years have been problematic because most customers have started to notice that their PCs are increasingly sluggish, and that makes them unhappy. They don't want to know the AV is working, they don't want to know it's there, and they certainly don't want their machine to bog down every time they open an application. Moreover, they don't want to be interrupted when they are doing something, and they don't want to approve everything they are trying to do. Basically they want transparency. Until they don't (which is when they are under attack). Finally it seems the Big Yellow was listening, according to Walt Mossberg anyway. And I tend to believe Walt because he's NOT a security guy. He's a tech user and he's much more interested in user experience. This is good news for Symantec, since reducing the nuisance factor will become a big differentiator - certainly in the consumer space, and I suspect for business users as well.


The Laundry List

  1. This is why Cisco has such market share. They've got their own fanboys that save their shekels to buy equipment for a lab to get more Cisco certifications. - Cisco Subnet blog (on NetworkWorld)
  2. Words you live to regret. Evidently Websense sees the economy as a "non-recession." Help me understand the upside of that kind of statement. Especially after the class action attorneys go after them when they miss. - Tech Ticker
  3. Imprivata gets two patents on biometrics, maybe they are looking at a Tumbleweed-esque go to market strategy. Except no one really cares about biometrics. - Imprivata release
  4. Oracle updates their GRC offering, but forgets to mention what the thing does (at least in the release). It's Oracle, just trust them. - Oracle release

Top Blog Postings

Incident response SCRUM
No, this isn't some new game coming from down under. This is a very interesting idea from Cutaway regarding building incident response and disaster recovery plans using a structured development process. I'm a huge proponent of making sure the incident response plan is documented and practiced (Chapter 8 of the P-CSO), but it's the documented part that is a challenge for most security professionals - especially given the number of other fastballs flying at their heads at all times. Don's idea is to use a system development lifecycle to identify the right folks, get their requirements, and then figure out the best way to achieve those requirements. It seems pretty straightforward, and in concept it is. But doing it in practice is a lot harder. Still, not as hard as cleaning up the mess after you've bungled the incident response.
http://www.cutawaysecurity.com/blog/archives/320

Think like a billionaire!
Adam doesn't like that many folks recommend that good guys think like bad guys. It's too hard. We don't know what the bad guys are thinking. Adam suggests they try to think like a professional chef to get a feel for the futility of that kind of approach. How about we think like a billionaire, which is similarly remote? He makes a good point, but it's really a play on words. The concept of thinking like an attacker isn't so much to try to get into their dysfunctional heads, it's to USE THEIR TECHNIQUES. So you need to understand the tools they use and learn how they use them, and then you have a chance to defend yourself. Not to put words in Adam's mouth, but it sounds like what he is really asking for is better educational tools to train the next generation of security professionals. Foodies have the Food Network, where if they watch long enough, they can kind of get an idea of how to "think like a professional chef." We don't have the Security Channel, so we've got to do something else to more effectively train personnel.
http://www.emergentchaos.com/archives/2008/09/think_like_an_attacker.html

Rich needs to read the Black Swan (and so do you)
The Mogull condemns most risk quantification in this post, mostly because the Financials can't figure out how to do it (and they have a lot more at "risk" than us security pukes), so therefore it can't be done. Rich is right on a lot of these points, but ultimately a lot of the issue has more to do with the reality that we CANNOT predict outliers. Every security professional should read The Black Swan. Yes, it's hard to get through. Yes, your eyes will bleed at times. But it really solidified in my mind the reality that we cannot predict the next successful, widespread attack, so you have to plan for that. The sin of the Financials is that they didn't foresee a total meltdown of the sub-prime business. It was an outlier, they didn't plan for it, and now the US taxpayer will be footing the bill. You couldn't assign a probability to this kind of occurrence, but it did happen, which makes Rich question the ultimate value of trying to quantify risk. The Black Swan approach assumes nothing and forces you to know how to react when an unknown happens. And that's how we live to fight another day.
http://securosis.com/2008/09/17/the-fallacy-of-complete-and-accurate-risk-quantification/