The Daily Incite - April 24, 2006
Good Morning:
Hopefully you enjoyed your weekend. Today I rant a bit about rootkits, which are clearly the new new thing in 2006. I can't stand it when a vendor calls something out as important, but doesn't really have a good solution. Fact is, rootkit defense must be handled as part of the desktop security suite. Clearly they are not there yet, just ask them. We'll see a bunch of start-ups playing into this space (starting next week) and then the cycle begins. Early adopters, acquisitions, embedding within the solutions we know and love. We've seen the movie before, and this one won't be any different.
In breaking news, RSA has acquired PassMark Security to strengthen their grip on consumer oriented authentication for financial institutions. I'll do a separate post on that this AM, but it's a good move. Very complementary (though there is some overlap) to Cyota.
Have a great day.
Top Security News
Rootkits to Mask Malware by 2008 - Says the guys that can't fix it
So what? - We know that the bad guys are hiding components of malware in rootkits to avoid detection and clearly that is a trend. But as opposed to McAfee saying they are working on anti-rootkit technology, they are raising the alarm bells. Long time (yeah, 4 months!) readers of my rants know that Chicken Little stuff makes me crazy. In this case, Chicken Little is premature - users don't want to hear about what's going to kill them unless they can buy an insurance policy. There is help on the way. I can't talk about it for another week, but you'll start to see more focused anti-rootkit technology - which may be the next new new thing in security.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=186700030
Microsoft Patches the Patch
So what? - Patching is a nightmare and this is just another example. There is such old stuff out there, fixing it is bound to break something else - which Microsoft found out last week. One of the patches broke some old HP and NVIDIA devices, so Microsoft fixed it. But it just underscores the fact that patches should be tested to make sure they don't break anything that matters.
http://www.informationweek.com/story/showArticle.jhtml?articleID=186500454
Blog Spam is a problem
So what? - I can tell you personally that this is a problem. The trackback spammers have found Security Incite again, and though I have some technology that shields the bad stuff from visitors, I still have to go through and remove the bad stuff manually. The hope is that tools to handle blog spam will evolve more rapidly, but I can tell you blogging is largely an individual sport, so there isn't big corporate money out there to solve the problem. Look for the open source folks to work diligently on solving the problem (since many of them are bloggers, feeling this pain on a daily basis).
http://www.informationweek.com/story/showArticle.jhtml?articleID=186500854
Your laptop will self-destruct in 1 minute
So what? - Given the focus around privacy violations as a result of lost laptops, we are going to see a lot more offerings like this one from Everdream, a remote desktop management company. These folks put an agent on a managed laptop and can either encrypt or blow away the data on a laptop once it connects to the Internet. This one doesn't go into action until you call up Everdream and tell them to do something, which seems a little weird to me. Why wait until the laptop is gone to encrypt the data?
http://www.securitypipeline.com/186500046
Top Blog Postings
Best Practices for containing keystroke loggers
This is actually a funny story from Stiennon about a big robbery on a Japanese bank that was stopped. The main attack vector was physical keystroke loggers that were plugged into a machine. Ingenious devices that record everything typed into the computer. The company in question addressed the issue by gluing the keyboards to the machines to make sure these devices are not placed on the machines. Sounds like the folks that glue USB ports shut to make sure data doesn't leave the organization that way. Suffice it to say, that's not really a good answer.
http://blogs.zdnet.com/threatchaos/?p=319
Great story on how spyware works
Suzi Turner, who is a spyware researcher, documents how she found a spyware attack that came in via spam email and what the malware actually does. As I've said many times, there is a lot of innovation in the security business right now, but not a lot of it is coming from the good guys. Read this and draw your own conclusions.
http://blogs.zdnet.com/Spyware/?p=813
Bouncing email a $5 billion problem?
The folks over at IronPort have concocted a "study" that claims that bounced email is costing someone $5 billion. The folks over at TechDirt are calling bunk, which I agree with. The claim is that there is lots of lost productivity when employees get bounced spam that they didn't send. I guess I wonder why a bounced spam wouldn't be caught by the existing spam defenses? Of course they are, so this is really a non-issue, but it shows how one enterprising company is trying to bring some sizzle back to anti-spam - which is commodity city and not really a focus for most companies anymore. That is, until it stops working, then it becomes a focus real quick.
http://techdirt.com/articles/20060421/1010209.shtml
What's being done about phishing?
This is an older post from last week that I found pretty interesting. Alex Hutton talks about the fact that no one is really doing much about phishing because the US Government hasn't forced the issue as of yet. He references a few blog posts from F-Secure which posit that multi-factor authentication will stop phishing, yet the US Government has only required that banks "look into" this technology. I'm under the impression that a new mandate from the FFIEC requires multi-factor authentication, though I'm not sure they've been overly specific as to what that means. But that's neither here nor there. Fact is, some types of authentication will address phishing, but only if the consumers have adequate training to know there is a problem if the 2nd factor is not there. A better solution (which is starting to appear) is some technology on the bank's website (Cyota/RSA, PassMark/RSA and Green Armor among others do this) that conclusively proves it's the bank.
http://alexhutton.com/?p=91
Grey listing is not a good answer
This post from Alex Scoble makes me think he's just stepped out of a time machine. Grey listing (refusing the first delivery attempt from an unknown sender with a temporary SMTP error, which forces a legitimate mail server to queue the message and resend it later, while fire-and-forget spam engines never come back) has been around for a while. This was the approach that TurnTide (bought by Symantec) had on their device. Symantec has since improved it to add intelligence to which connections are refused. Folks like IronPort, CipherTrust and Borderware also do this, so it's not novel. And the spammers are already all over this (a spam engine that simply retries after the delay walks right through), so again - this would have been a relevant post two years ago, but not so much anymore.
http://www.computerworld.com/blogs/node/2353
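To make the grey listing mechanism concrete, here is an added example of the core decision logic, written for this page and not taken from TurnTide, Symantec, IronPort or any other product mentioned above. It keys on the classic (client network, sender, recipient) triplet, temp-fails an unknown triplet, accepts a retry that arrives after a minimum delay, and remembers the triplet afterwards. The delay and expiry values, the /24 aggregation of the client address, and the SMTP reply strings are assumptions chosen for illustration; the `run_demo` sequence is constructed input, including the "spammer that retries" case that shows why the technique stopped being a differentiator.

```python
"""Minimal SMTP grey listing decision logic (added example, not any vendor's code)."""
from ipaddress import ip_address, ip_network

# Assumed reply tuples; real MTAs return these as "450 4.7.1 ..." / "250 2.0.0 ..."
TEMP_FAIL = (450, "4.7.1 Greylisted, please try again later")
ACCEPT = (250, "2.0.0 OK")


def _triplet(client_ip, mail_from, rcpt_to):
    """Normalize the greylisting key.

    The client address is widened to its /24 (IPv4) or /64 (IPv6) because big
    senders often retry from a different host in the same outbound pool;
    addresses are lower-cased so 'Alice@Example.com' and 'alice@example.com'
    share one entry. Both are assumed, common policy choices.
    """
    ip = ip_address(client_ip)
    prefix = 24 if ip.version == 4 else 64
    net = ip_network(f"{ip}/{prefix}", strict=False)
    return (str(net), mail_from.lower(), rcpt_to.lower())


class Greylist:
    def __init__(self, delay=300, pending_ttl=4 * 3600, known_ttl=36 * 24 * 3600):
        self.delay = delay              # seconds a retry must wait before acceptance
        self.pending_ttl = pending_ttl  # how long a never-retried triplet is remembered
        self.known_ttl = known_ttl      # how long an accepted triplet stays whitelisted
        self._pending = {}              # triplet -> timestamp of first attempt
        self._known = {}                # triplet -> timestamp of last accepted delivery

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (smtp_code, text) for one delivery attempt at time `now`."""
        key = _triplet(client_ip, mail_from, rcpt_to)

        last = self._known.get(key)
        if last is not None and now - last < self.known_ttl:
            self._known[key] = now      # refresh the whitelist entry
            return ACCEPT

        first = self._pending.get(key)
        if first is None or now - first > self.pending_ttl:
            self._pending[key] = now    # new (or stale) triplet: make them come back
            return TEMP_FAIL
        if now - first < self.delay:
            return TEMP_FAIL            # retried too quickly, keep waiting

        del self._pending[key]          # legitimate-looking retry: promote to known
        self._known[key] = now
        return ACCEPT


def run_demo():
    """Constructed sequence of attempts; returns the SMTP codes in order.

    Attempts 1-2 are the first try and an impatient retry, attempt 3 is a retry
    after the delay from another host in the same /24, attempt 4 is a later
    message on the now-known triplet. Attempt 5 is a one-shot spam engine that
    never retries, and attempts 6-7 are a spam engine that *does* retry after
    the delay and is therefore accepted just like a real MTA.
    """
    g = Greylist()
    attempts = [
        ("203.0.113.10", "alice@example.com", "bob@example.net", 0),
        ("203.0.113.10", "alice@example.com", "bob@example.net", 10),
        ("203.0.113.11", "Alice@Example.com", "bob@example.net", 400),
        ("203.0.113.10", "alice@example.com", "bob@example.net", 5000),
        ("198.51.100.7", "deals@spam.example", "bob@example.net", 0),
        ("198.51.100.8", "promo@spam.example", "bob@example.net", 0),
        ("198.51.100.8", "promo@spam.example", "bob@example.net", 600),
    ]
    return [g.check(*a)[0] for a in attempts]


if __name__ == "__main__":
    print(run_demo())  # [450, 450, 250, 250, 450, 450, 250]
```

The last two attempts are the whole story of why this went commodity: the filter cannot tell a patient spam engine from a patient MTA, so grey listing buys a delay and a cost increase, not a verdict. It also needs the pending table to expire, otherwise an attacker can fill it with unique sender addresses.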
Hacking Stupidity: Never Hack from Home - Duh!
This CJ Kelly post reminds us that sometimes we are not dealing with the sharpest tools in the shed on the hacking side. For any of you readers out there that are bad guys, make sure if you do something bad - don't do it from home. Duh! That's like making a threatening call from your home phone. The technology out there to track who you are is very sophisticated and that's why zombies are so important to the bad guys. Zombies give them anonymity, which is the first step to getting away with these capers.
http://www.computerworld.com/blogs/node/2349
Recently on the Security Incite Rants Blog
Inciting: Second Fortinet IM/P2P Webcast - 4/25
Tomorrow I'll be doing another webcast for Fortinet on IM/P2P security issues. The first one (targeted at educational institutions) went well. This one will be a bit more generic, but will be entertaining nonetheless. Chris Roeckl, Fortinet's VP that does the webcast with me is an old friend, so we give each other a hard time throughout the session. Look forward to seeing you there.
http://securityincite.com/Inciting-Fortinet-webcast425
Revisiting the Early Firewall Days
I get that most folks have not been in the security business for that long, so from time to time I'll delve into the vault and tell stories from the good old days. Back then life was much simpler, but a lot of the market dynamics of the firewall market are pretty relevant to understand how security markets develop today. It's important for users to understand these dynamics because history repeats itself and you'll be able to save yourself a lot of heartburn by picking vendors based upon how a market is likely to evolve.
http://securityincite.com/blog/mike-rothman/revisiting-the-early-firewall-days
Read Friday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-april-21-2006