The Daily Incite - April 12, 2006

Submitted by Mike Rothman on Wed, 2006-04-12 08:03.
Today's Daily Incite

Good Morning:
Yesterday was Patch Tuesday and Microsoft finally patched the issue that set off all that third-party patching activity. They also released three critical patches and continue to show that protecting the desktop will remain challenging. For more details, check out Shavlik's blog (http://shavlik.typepad.com/mark_shavliks_blog/2006/04/new_microsoft_p.html). That's why a layered security architecture is so important: there are lots of ways to get compromised, and our job is to make it very unlikely that any one chain of events leads to a real incident.

On the topic of self-serving statistics, I saw a release from FaceTime yesterday saying IM and P2P attacks are up 700%. Hmmm. Sorry, I don't buy it. There are more vulnerabilities everywhere, so why is this any different? I still don't think there is a market for this stuff; it's a feature. And on the topic of things that are five years late, Entrust has announced a Managed PKI offering. Like PKI is making a comeback, eh? Hasn't VeriSign been doing this for years? Nothing like being first to market.

Have a great day.

Top Security News

The Telecommuter Security Kit
So what?
End user security education is a hot button of mine lately. There is a lot of good material on the web to give users the information they need, but it isn't organized or consolidated particularly effectively. This TechTarget tip is a good example of doing it well: it is short and concise and gives telecommuters some perspective on what's important to think about when configuring their setup.
http://snipurl.com/p1o7 

Centralized control of local resources from Altiris - Interesting.
So what? - We all know that with Windows XP (and Win2K for that matter), it's very difficult to run the local machine without administrator credentials. Vista's permissions model fixes that, but what do we do in the meantime to get some level of central control over what the local admins do? Altiris added some capability to its family of configuration management products to address the issue. It seems pretty interesting.
http://www.altiris.com/Company/PressReleases/2006/04112006.aspx

Patch Proxy - Another new category?
So what? - "Technology update" from NetworkWorld is nothing more than a forum for start-ups to discuss how their widgets work. Which is OK; it's part of the game. Sometimes the section previews interesting technologies that we should take a look at. In this one, a guy from Blue Lane Technologies goes through "patch proxy" technology, which appears to be an inline appliance that applies the patch on the wire, so you don't have to patch the server itself right away (or can do it on your own schedule). Clearly patching is a hassle, especially for those with large environments, so customers are interested in different ways to solve the problem. But you always get back to the question of whether this is a company or a feature. Seems to me like a feature.
http://snipurl.com/p1oe

New encryption chip from IBM - Does anyone care?
So what? - IBM still has R&D mojo. They recently announced some new encryption capabilities that can be plugged into any chip. Of course, it remains to be seen if other chip makers would be interested. But more to the point of "so what?," Bruce Schneier has a great quote in the article which is exactly right. It's not clear that more encryption is the answer, given all the other things that can (and do) go wrong.
http://biz.yahoo.com/ap/060410/encryption_on_a_chip.html?.v=4

Why phishing still works - a real study
So what? - Researchers at Harvard and Berkeley did a usability study to figure out why phishing attacks are so hard to stop. Basically it's because we trust the content and look/feel of the web site and don't check things like the actual link URLs and SSL certificates. Unfortunately, it is hard to do that level of checking consistently, so the problem will remain. Enterprises can try to stop the phishing messages at the perimeter, but that doesn't help the consumer much. Some of the new capabilities built into Vista (and which I expect to appear in Firefox 2.0 before that), like the safety bar, will make the issues front and center and more visible. But that is still months/years away from full deployment, so I continue to default to education being the best tool we have.
http://www.scmagazine.com/us/news/article/552717/?n=us
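The study's point is that users judge a link by its visible text rather than by where it actually goes. The check below is an added example (not from the study or the SC Magazine article) of the kind of perimeter filter that does that comparison for them: it pulls every anchor out of an HTML message, and flags any whose visible text names a host that differs from the href's host, or whose href is not https. The message it runs on is constructed for the example; example-bank.com and attacker.test are made-up names, and the registered-domain helper is a deliberate simplification that handles .com-style names only.

```python
"""Flag anchors in an HTML message whose visible text names a different host
than the href points at, or whose href is not https.

Added example; the sample message below is constructed, not real mail."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a host name in the visible link text, with or
# without a scheme in front of it.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registered_domain(host):
    """Crude 'last two labels' reduction: fine for example-bank.com,
    wrong for co.uk-style suffixes (assumption for this example)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html):
    """Return a list of (href, text, reasons) for anchors worth flagging."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme and url.scheme.lower() != "https":
            reasons.append("not https")
        m = HOST_IN_TEXT.search(text)
        if m and registered_domain(m.group(1)) != registered_domain(host):
            reasons.append("text names %s but link goes to %s" % (m.group(1), host))
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: one spoofed link, one honest link, one link whose text
# simply matches its target.
SAMPLE = """<p>Dear customer, please verify your account at
<a href="http://secure-login.example-bank.com.attacker.test/verify">https://www.example-bank.com/verify</a>
or read our <a href="https://www.example-bank.com/help">help pages</a>
at <a href="https://www.example-bank.com/">www.example-bank.com</a>.</p>"""


def check_sample():
    return suspicious_links(SAMPLE)


if __name__ == "__main__":
    for href, text, reasons in check_sample():
        print("FLAG:", text, "->", href, ";", "; ".join(reasons))
```

The first anchor is flagged twice (plain http, and the text says example-bank.com while the href lands on attacker.test); the other two pass. A real filter would also pull the certificate for the target host and compare its subject to the displayed name, which is the second check the study found users never do.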

Top Blog Postings

Are companies liable for email their employees get?
George Ou asks the question based upon a recent lawsuit threat from an employee of a small company who got porn spam. Is that harassment? As you would expect, I have an opinion on this from my days in the anti-spam space. Companies can and should deploy the best defenses they can to stop those messages, but clearly no system is perfect. The fact is we live in a litigious society, and companies tend to have money, so the outcome is predictable and not likely to change. The issue is whether these frivolous lawsuits get the time of day from our justice system. The reality is that it's usually cheaper to settle than to fight, since years of litigation are expensive with no assured outcome. So yes, George, it may not make sense. But these kinds of lawsuits are the way of the world.
http://blogs.zdnet.com/Ou/?p=190


Should SSNs be public?
At times Pete Lindstrom does think outside the box. Here he walks through a process that gets us to ask how secret SSNs really are. Should we make them public? That's a very interesting idea. A lot of it hinges on the SSN no longer being a key element of proving identity and getting credit. If more rigorous ways of proving identity are required, then I don't have an issue with making SSNs public. BUT everyone must play along, because if one joker is still issuing credit cards based on an SSN and an address, the whole idea collapses.
http://spiresecurity.typepad.com/spire_security_viewpoint/2006/04/a_modest_propos.html

A New infosec management model
There is a new model in town, called the Information Security Management Model (or ISM-cubed), that attempts to bring ISO-9000 type quality management to security management. You can link to the paper from the NoticeBored blog. Not sure how I feel about yet another "thing" security folks have to do. ISO-9000 adds a lot of documentation requirements to everything you do, but in the current regulatory environment is that a huge departure from what we are already required to do? I'm not sure. It's worth watching to see if it catches on, especially in places where very sensitive private data is at risk.
http://www.noticebored.com/blog/2006/04/ism-cubed-new-infosec-management-model.html

Another view on Xenophobia
Martin McKeay has my back on this post. I did a podcast with him a few weeks back and the topic was xenophobia, so I thank him for a positive comment in what was a sea of negative feedback. By the way, I don't have any issue taking some heat when I make a call that I know is right. There are lots of folks that think after 9/11, the best thing to do is close our borders. But the global economy cat is out of the bag and it's too late to stifle innovation happening outside of the US.
http://www.mckeay.net/secure/2006/04/government_xenophobia.html

About "cool" vendors
The guys at Matasano are pretty entertaining. This post is dead on. Since the G-men introduced their "cool vendor" rankings, you have lots of start-ups doing a jig on the table once they are named to the list. But does it matter? Of course not. It may get them on the short list (since many end user automatons just search the G website and go from there), but it won't win them the deal unless their stuff solves customer problems. There is a great graph in this post that slams the analyst business, and for the most part it's true.
http://www.matasano.com/log/241/youre-so-cool-clarencenetworkscom-youre-so-cool/

Recently on the Security Incite Rants Blog

The Role of Organized Crime in Cyberspace
A quick little scene in The Sopranos episode this weekend got me thinking about this topic. Hacking is a business now, and clearly the various "mobs" out there want to play.
http://securityincite.com/blog/mike-rothman/the-role-of-organized-crime-in-cyberspace

Xenophobia strikes a chord
Here is a follow-up post to my NetworkWorld column discussing some of the "feedback" I've gotten. It's been mostly negative, so clearly I'm getting some folks out there to think. Which is a good thing.
http://securityincite.com/blog/mike-rothman/xenophobia-strikes-a-chord

Read Tuesday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-april-11-2006

Submitted by Anonymous (not verified) on Wed, 2006-07-19 16:41.
You may initially think of a patch proxy as being a feature; that is, until you start considering the implications of increasing server patch cycles and deployment complexity (reboots, maintaining state, intertwined apps) juxtaposed with steadily increasing hacker skills and increasing focus on critical enterprise databases and applications. Then there is the coming shift to virtualization. I'll check back with you a year from now to see if you still think fixing a security patch inline for hundreds of critical servers at a time (with very little risk if any) is a mere feature.
