The Daily Incite - April 19, 2006

Submitted by Mike Rothman on Wed, 2006-04-19 07:38.

Good Morning:
Today we are going to focus on phishing. Given yesterday's Anti-Phishing Working Group meeting and today's Sender Authentication meeting, there is lots of noise out there about new (and old) methods to stop phishing. Fact is, we have made almost no progress in two years to stop the problem. There are toolbars out there now, but I say the data that drives them is suspect. And the folks that need the help the most are not going to download a 3rd party toolbar. Will IE7 help? Not for another 18 months to 2 years, best case, given Vista requires a hardware upgrade.

So it's more of the same. Lots of vendor hand waving and the crime bosses continue to run to the money laundry machine to launder all of their profits from these constant phishing attacks. And unsophisticated consumers take the brunt of the losses.

Have a great day.

Top Security News

Microsoft's SenderID chest thumping - Spin, spin, spin
So what? - Here is Microsoft's annual SenderID success release. Their marketing folks do a good job of throwing all sorts of stats around about how much Hotmail traffic is not stopped because it has SenderID. But should it be stopped? Is it spam? These nuances seem to get lost in all the statistics. Every email security vendor works frantically to be involved in the release and to get customers to show up at the sender authentication summit to curry favor with Microsoft. I know - I used to have to do it. All I can say is there are Lies, Damn Lies, and Statistics. Take these for what they are worth. Not much.
http://biz.yahoo.com/prnews/060418/sftu062.html?.v=51

Sender Authentication is a flop
So what? - Larry Seltzer's opinion column in eWeek is usually pretty good. Sometimes he blows a bit of hot air, but I know someone else that's guilty of that from time to time. This week he basically says sender authentication is a flop, and he's right. You need both sides of the transaction to play. Messages must be "signed" or sender ID'd, which isn't that big of a deal (even though it hasn't really happened yet), but the much bigger deal is that recipients need to stop accepting unsigned mail. But what about false positives? True, there will be a period of pain where some legitimate messages will be rejected. And if the cost of that is too high, I just wish everyone would stop bitching about phishing because it's not going to get fixed. Period. There is no silver bullet, folks, no magical elixir that will make the problem go away. Not even IE7, as Larry suggests.
http://www.eweek.com/article2/0,1759,1950280,00.asp

Sender ID is a non-issue

So what? - The Sender Authentication Summit happens right around the APWG meeting each year, and lots of email security vendors get together to pay homage to Microsoft and tell them how wonderful they are. Fact is, Sender ID is a bust and DKIM (Cisco and Yahoo's attempt at sender authentication) is having a similar impact. Namely, none. But the Microsoft spinmeisters continue to put stats out there about how much email has a sender ID record associated with it. Who cares? What problem does it solve? It's certainly not helping to fight spam and it hasn't done anything to fix phishing, so they can jabber all they want. In my view, sender authentication will fade into the background - another technology on the scrap heap of failure.
http://www.informationweek.com/story/showArticle.jhtml?articleID=185303938

Enterasys' New NAC - Anything new?
So what? - The old adage about announcing new products the week before a trade show has now stretched to two weeks. At Interop in early May, Enterasys (the IDS/IPS folks) will announce a new NAC product that doesn't require an agent. They claim it's unique. It's not. I know of at least 4 other companies that do agent-less NAC and I haven't even looked hard. What's interesting is that the answer is not agent or agent-less, it's both. For some machines where you need a greater level of control, you'll want to use an agent. For those unmanaged devices (or printers, etc. that can't take an agent), agent-less is the only option. I guess maybe my expectations are a bit high for a beat reporter, but to paint something like this as unique just because the vendor says it in a briefing is disappointing. No wonder users are confused about everything. The trade press perpetuates the mythical and false differentiation put forth by vendors that all do the same thing.
http://www.eweek.com/article2/0,1895,1950373,00.asp

OK, enough already about security researchers
So what? - The media continues to be in a frenzy about security researchers, especially since Microsoft boned one of the patches from last week. This article in Information Week digs a little deeper and actually talks to users. It reinforces a lot of what I've been saying, which is that we need security researchers. As is the case with most Information Week stuff, they dig a bit deeper but don't really uncover anything new. It's still not clear what the ultimate business model for these folks is going to be, but the market will work that out. It always does.
http://www.informationweek.com/security/showArticle.jhtml?articleID=185301289

Top Blog Postings

Awesome Bot posting - They'll be back
This is a good post by Kelly Martin on SecurityFocus about bot nets and their prevalence within seemingly all major attacks nowadays. He uses a Terminator 2 (one of my favorite movie series) analogy basically gazing into the crystal ball and seeing bot nets as the bacteria origins to the eventual Skynet. Hmmmm. That's interesting, if not a little overdramatic - but it's not totally off base either. Fact is, bots are the way attacks happen now, which makes universal endpoint hygiene very very important, especially for unsophisticated consumers in emerging lands.
http://www.securityfocus.com/columnists/398?ref=rss

Security Policy - the place to start
Here on Tom Olzak's ITToolbox blog (seems every media outlet has a set of bloggers now, eh?) he goes over the role of security policies in the process to protect assets. Policy is one of the key aspects of the Pragmatic Security Architecture, so I'm on board with these ideas. Of course, setting policy is one thing, enforcing policy is quite another. But just like with any trip, if you don't know where you are headed, how do you know if you ever get there?
http://blogs.ittoolbox.com/security/adventures/archives/008830.asp?rss=1

Will biometrics stop fraud?
Another good post by CJ Kelly, this one analyzing whether the upcoming requirement for at least two-factor authentication to do online bank transactions will have any impact. The answer is that fraud is a consumer problem, not an authentication technology problem. If customers cannot be trusted to protect their credentials, no amount of feasible authentication hoops is going to fix that. I made a similar point during my identity management training session at TechTarget yesterday. Identity management (or the authentication sub-category) will not stop identity theft. The only answer to that is consumer education, and that's always a challenge.
http://www.computerworld.com/blogs/node/2312

Industrial espionage is real

This post by Ross Graber is interesting and does detail some simple defenses to electronic industrial espionage. These tips fall into the duh category, but again - I mention these because it's usually the simple stuff that has the most impact. I also like to see stories where unscrupulous competitors are nailed for some of the tactics they use. What some of these guys are thinking (using a Trojan to compromise machines within a competitor to get proprietary information) I don't know. They may as well walk into the lobby of the competitor with a shotgun, no?
http://blog.rossgraber.com/2006/04/16/httpblogrossgrabercomisraeltrojanhorsehtml.aspx

Recently on the Security Incite Rants Blog

My vote for inventor of the firewall
Looks like people are voting now on Dave Piscitello's blog about who really invented the firewall. I weigh in with my recollection of history.
http://securityincite.com/blog/mike-rothman/my-vote-for-inventor-of-the-firewall
