The Daily Incite - April 2, 2008

Submitted by Mike Rothman on Wed, 2008-04-02 11:32.
Today's Daily Incite

April 2, 2008 - Volume 3, #33

Good Morning:
I hate April Fool's Day. That's right. I said it. Hate. Despise. I'm basically bored with it. You know a bunch of horse's asses are going to try stuff and 99% of it will be stupid. In fact, we all expect it. So April 1 is probably the second least productive work day of the year. The first day of March Madness being the first.

That's why I didn't publish yesterday. I started going through my news feeds and I had to take twice as long to really tighten up my bullshit detector. It just wasn't a good use of my time. So I got other stuff done instead.

My general 4/1 disdain aside, there were some innovative hoaxes that were very indicative of our general situation. The first I'll highlight is Jeremiah and RSnake's Scanless PCI. What a great idea, and I guarantee if just one auditor said that was cool, you'd have a hundred million dollar business overnight. But they are giving it away. So you'd have a million customers overnight. Note that the site was built with Jeremiah's side project Roxer.

The second is Bejtlich's "acquisition" of Sguil by the Cisco empire. This was pretty funny and I actually will admit to searching Cisco's site just to make sure. I think acquiring the Sguil project would actually be a great move, which is why Richard's hoax got a few to bite.

But some of the bigger ones like TechCrunch suing Facebook were stupid. Who gives a crap? And that's the point. Folks spend a lot of time trying to create a plausible ruse. And then they do it on April 1. It's a waste of time.

Let me relate that back to security for a second. This is why being predictable is the death knell. If everyone knows you are pulling a stunt, they are ready for it. If no one knows, you have a chance. If you do predictable stuff in your defenses, then a skilled attacker will shred you. Part of success is keeping folks off balance. At least the bad guys.

That's what made the Mogull and the Hoff's hoax about Chris reprogramming Rich's house so good. It was unexpected. It wasn't during a predictable time. And if you read the comments on Hoff's post, a lot of folks went for it. Rich clarifies a bit. If you are predictable, you are a sitting duck.

Have a great day.

Photo: "the horse's ass was smiling at me..." originally uploaded by saintovbastards

Top Security News

Hannaford's inside job
So what? - According to the initial reports, the Hannaford Brothers data breach was the result of an inside job. Really? More details are here, as well as Stiennon's take. Evidently the malware planted on the servers to intercept transaction traffic just couldn't have been planted by an outsider. Really? I'm not saying it wasn't an insider because I don't know that. It is a good reminder to make sure you are watching the watchers, and have good administrative controls and separation of duties implemented. I'm with Mogull in not being willing to make the assumption that an outsider couldn't have done it. If they got access to one server, they could have done a lot of reconnaissance, found the other servers, planted the malware and run to the bank. Of course, if they were monitoring their network, they should have been able to see the odd traffic dynamics which would have been indicative of either an insider or outside job. If they kept good, secure log records off the device, then they'd be able to know if an administrator changed something like permissions and installed the malware. But it's not clear that they did either of these, so we all get to speculate while the forensics guys try to clean up the mess.

That's why I hate flowers too
So what? - Most folks think I'm a Luddite. I don't Tweet and I don't have a high-def DVD player yet. I don't even have a gaming console, though I probably need to get one for the kids. I hear it improves their coordination. I'm also pretty paranoid and think of most things as half-empty (though I'm working on that). But this guy profiled in this NetworkWorld story takes the cake. How about this quote: "Whenever I smell flowers, I think funeral." That's awesome. Ian Angell's point to all this is that we have to think about the ramifications of the technology we use to solve problems, and the security folks are at the forefront of those efforts. We need to somehow be more proactive about dealing with those issues. Perhaps Professor Angell has a crystal ball or other fortune telling technique he shared with the Black Hat Europe audience. Unfortunately, we are always reacting and we need to be. Security cannot hinder innovation, not for long anyway. The world keeps turning and our job is to make sure it's as safe as it can be, within acceptable constraints. We cannot eliminate all security issues, in fact we probably don't want to. But we need to understand them, and make sure that business managers get the full picture of what can happen, so they can decide how to most effectively allocate resources.

Top 10 land mines
So what? - Matt Hines posts a little ditty detailing 10 security "land mines" that can and should be avoided. Before I get to the list, I'm just happy this wasn't delivered as one of those stupid screen shows on the media networks. You know, the Top 15 hackers or the Top 10 ass-scratchers and you click only to get an amateurish set of PPT slides and a paragraph of text. It's just a way to boost page views, since evidently that is a more important metric than REVENUE for the media companies. If you fail to remember history, ... But back to the topic. Hines' top 10 list is pretty good and covers a lot of the stupidity that many of us security folk spend a lot of time cleaning up. He also covers some compliance and general security no-no's. There's even a quote or two in there from me, which I'm sure totally ruins this piece's credibility. Like not checking the email address list or giving away passwords to sophomoric social engineering tips. Read the list and make sure this stuff is baked into your security awareness training and other defenses.

The Laundry List

  1. OMG. Security spending slowing down. According to Raker anyway and this is a ballsy call. Most folks still think security is safe from a recession. Not so much. - Barron's coverage
  2. Websense introduces the "HoneyGrid," Barry B. Benson is really pissed. Another misuse of slave Bee labor. - Websense release
  3. McAfee asks people to volunteer to be spam receptacles for 30 days. Didn't they see "Super Size Me"? - McAfee press release
  4. Trend goes for the X-beam to increase performance of their email gateway. There's already a virtual security layer for email, it's called Postini or MessageLabs. - Trend Micro release

Top Blog Postings

Freddy AV on how to become a security expert
I get a lot of questions from folks that want to become security "experts." I tell them to go to the bathroom and give themselves a root canal. If they enjoy that pain, then they are a perfect candidate for a career in security. All kidding aside, there aren't enough good lists of resources for novices to check out to get conversational in security stuff. Fred Avolio refreshed some old work he did to keep the list up to date. There are all sorts of goodies listed here, and some topic-specific links as well. I do tell folks to read A LOT. There is so much great information out on the web and the media networks do provide a lot of it. I agree that SearchSecurity is a good place to start, especially their schools. But really becoming an expert is about more than reading. It's about doing and screwing up and learning and screwing up some more. That's the cycle and the only way I know to gain expertise in anything. Experience is painful, but there is no substitute for it.
http://www.avolio.com/weblog/security/Zero-to-expert-Mark2.html

News flash: The bad guys are winning
Innovation from the criminals happens at hyper-speed and the reality is that the good guys are struggling to keep up. A lot of these issues are highlighted by Sir Ivan, based on a talk from some wizard named Merlin. And they are shockingly true. Most corporations don't use email encryption, but the bad guys have been using it for years to hide their communications. Yet, let's keep a lot of this in context. This isn't really new. Bad guys have been finding seams in the system since the beginning of time. And over time the system adapts to eliminate one issue, but in the meantime another 20 have materialized. The big difference now is the speed of new issues and the global nature of attacks. So if it feels like we are falling further behind, it's because we are. So do we retreat to our underground bunkers and wait for the inevitable cyber apocalypse? No way. Basically work your butt off to make sure you aren't low-hanging fruit. Ivan calls this "focusing on prevention." You don't need to be totally secure, you just need to be more secure than some other punk down the virtual street.
http://blog.ivanristic.com/2008/03/ive-recently-ha.html

Does PCI create a false sense of anything?
Burton Analyst Randall Gumby (dammit, I mean Gamby) asks an interesting question, "Is PCI compliance creating a false sense of security?" Hmmm. I guess I'd ask the question, FOR WHO? That's the issue to me. If security professionals think that an audit makes them secure, they are idiots. I'm sure there are a lot out there, but they are dumb. Compliance does not equal security. Maybe it makes the senior folks sleep a little better, but they'd be dumb too. Anyone in a position of power needs to understand about risk and containing risk. Let's look at the problem from a different perspective and examine whether PCI makes a difference for customers. The answer there is a resounding no. No retailer that I know of has been marketing around the fact they are PCI compliant. They use those silly HackerSafe certs because that is a much better known brand by consumers. Just another case in point, I was talking to the Boss about my speaking schedule at next week's RSA conference. I mentioned the 2 Peer2Peer sessions I was doing on PCI. She's like, "what's PCI?" I just said it's this thing for retailers and it's pretty important for security folks. She shrugged and said, "whatever." Right, whatever. PS: Gumby admits to using a debit card at a retailer in this piece. And this guy calls himself a security analyst. Come on man. That's just stupid.
http://srmsblog.burtongroup.com/2008/03/is-pci-complian.html