The Daily Incite - August 10, 2007
August 10, 2007 - Volume 2, #118
Good Morning:
I hate Vista. Well hate is a pretty strong word, so let me think about
it for a second or two. Yup, it's hate. Why? Because a computer is a
tool. It's supposed to help me save time and do things more
effectively. My new Vista PC doesn't do that. It costs me time. I guess
after a few months of this misery I'll actually figure out how it works
and maybe not have to reboot so much. Maybe I'll get used to the
constant UAC dialogs or just turn it off. Maybe I'll get used to how
sucky Symantec is, but probably not. Once I pull the screen
shots I need for my summer project, Symantec is gone. I'll go with some
other endpoint security product.
I should have bought the iMac, though I would have missed the cool new
upgrade. I have lots of excuses as to why the PC was the right thing to
buy, but they all ring hollow right now. Especially as I remember my
experience trying to get a video card to work yesterday. Oh yeah,
nVidia sucks too. Evidently they've only had 8 months to get their
Vista drivers working and they still can't get it done well. You didn't
get a TDI yesterday because I went into Captain Ahab mode and had to
figure out how to get the Windows Aero feature working with my dual
monitors.
I feel horrible about it, but Captain Ahab was definitely in the house
yesterday. I just couldn't let it go. It made no sense to me why a
brand new machine with 2 GB of RAM and a video card with 512 MB onboard
wouldn't be able to run Aero on two monitors. So I futzed with all the
settings, downloaded and re-downloaded the crappy drivers a bunch of
times, and rebooted what seemed like a million times. I was right, I
finally did get my whale. Turns out, you can select the Aero interface
by going to Control Panel -> Personalization -> Window
Color and Appearance. Who knew?
Vista doesn't just work. Not by a long shot and I kind of know what I'm
doing. At least I'm not alone. InformationWeek's Alexander Wolfe talks
about what he
hates about Vista as well. Say what you want about Apple
being a closed system, but it just works. I'm way past the phase where
I get excited about having to solve these kinds of problems. Now it's
just really annoying.
Let me turn my ire towards Symantec for a bit as well. I was doing a
webcast yesterday and I needed to get to the LiveMeeting service to
push
my slides. So I pop open IE (which I use sparingly for things like
LiveMeeting that don't work in Firefox) and no dice. Can't navigate to
the page and the time before the event is supposed to start is ticking
away. Crap! What to do? Basically as a last ditch effort I shut down
Symantec (after about 10 UAC prompts) and lo and behold, it worked.
There were no warnings, no user communication - it just wouldn't let me
navigate to a LiveMeeting web page. What the hell is that about?
The PC ecosystem is broken. I broke out the piggy bank and will be
saving my pennies until I can buy that new iMac. I should be able to
get 30
or 40 cents on the dollar for the PC on eBay. Or maybe I'll just donate
it to a worthy cause and take the tax write-off. Maybe I'll even earn
some karma points for all this misery. You see, I'm trying to stay
optimistic.
Have a great weekend. I'll have the uncommon pleasure of waiting in my
house on Saturday for the DirecTV folks to come by and fix my service.
I guess when it rains it pours. Arghhhh.
Technorati: Information Security, CSO
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Top Security News
Deal: EMC/RSA buys into the DLP space
So what? -
Sometimes being late on something works out. For instance, if I did the
TDI as I was supposed to yesterday, I wouldn't be able to rant about EMC
buying Tablus. There have been
lots of rumblings for a long time about EMC buying into DLP. It makes a
lot of sense since EMC is all about doing stuff to drive more spindle
sales and managing data leakage certainly adds value to the storage
end. The real question was who would they buy? The pretty consistent
rumor had been Vericept, but evidently not. There are actually two
schools of thought in buying into a pretty early market. Take out the
market leader (or initial leader anyway) and pay a premium, as
evidenced by Netscreen/Neoteris. Or you can buy some technology for
cheap and wait for the market to develop. Without having a firm deal
size, I have to go out on a limb and figure EMC opted for the latter
approach. Which makes a lot of sense. We do wave our hands a lot about
DLP, but it's still very very early in that market.
PCI in 60 days? HOGWASH
So what? -
Martin
Hack has an interview up with some
consultant who has bought into Ingrian's 60-day PCI plan. I
think this has about as much chance of happening as a 4-hour workweek.
Let's try this again. Unless you've got your act together big time, any
company of scale CANNOT get to PCI compliance in 60 days. Now maybe you
can get to Requirement #3, which is to protect stored cardholder data -
but the
whole ball of wax? Very unlikely unless the organization was 90% of
the way there at the beginning of the 60-days. So for the 100th time
I'll say it, compliance is not a product you buy. It's a process that
is based upon a strong and documented security program. If you think
you can get there in 60-days, starting from pretty much nowhere, then
name that tune. A related PCI oriented announcement comes from
SoundBite. These guys provide voice messaging services and announced
they are PCI-compliant,
so they can accept payment on behalf of their customers. That's
actually kind of interesting in that service providers are now starting
to try to differentiate based on PCI compliance, which is important
because it's just a matter of time before trading partners and the
extended business ecosystem is subject to the same regulations as the
mother ship. Hmmm. I guess PCI will be everywhere, but I doubt
SoundBite got there in 60 days.
Stopping the scourge of XSS
So what? -
SearchSecurity provides a good, quick overview of how
to defend against cross-site scripting
(XSS) attacks in this tip from Ed Skoudis. The reality is
that XSS is pretty much everywhere. Between Fredrick
Lee's (from Fortify) and Jeremiah's
(from White Hat)
presentations at Metricon, there is no doubt that it's a problem. But
the reality is that XSS is pretty straightforward to detect nowadays
with scanning. Other types of application attacks (like cross-site
request forgery) not so much. But if you have XSS, it's because you
didn't do a scan before you went to production. Ed provides some tips
and points to a PHP framework called CodeIgniter for code to do the
necessary input validation and filtering to avoid XSS. Sure there are
things that users can do (like turn off JavaScript), but that pretty
much breaks the user experience, so it's not going to happen. What we
need are cheaper scanners and a bit of focus from developers to pay
attention a bit.
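To make the two halves of that argument concrete (output filtering on the way out, and a scanner's reflection probe on the way in), here is an added example in Python. It is not code from Ed Skoudis' tip, from CodeIgniter or from this newsletter; the page renderers, the canary token and the username rule are all constructed for the demo.

```python
import html
import re
from urllib.parse import quote

# Added example (not from the SearchSecurity tip or CodeIgniter): a toy
# "search results" page rendered vulnerable and hardened, plus the kind of
# probe a dynamic scanner uses to find reflected XSS. Inputs are constructed.

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(value: str) -> bool:
    """Allow-list input validation for a field with a known shape.
    Free-text fields (a search box) cannot be validated this way, which is
    why output encoding below is the control that actually stops XSS."""
    return USERNAME_RE.fullmatch(value) is not None


def render_results_vulnerable(query: str) -> str:
    """Raw reflection of user input into HTML: classic reflected XSS."""
    return f"<p>Results for: {query}</p>"


def render_results_hardened(query: str) -> str:
    """Same page with output encoding for the HTML text/attribute context."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_search_link(query: str) -> str:
    """Different context, different encoder: inside a URL, percent-encode."""
    return f'<a href="/search?q={quote(query, safe="")}">search again</a>'


CANARY = "zq8kx"  # unusual token so a hit on pre-existing page text is unlikely


def reflects_unencoded(render, canary: str = CANARY) -> bool:
    """Reflected-XSS probe: submit the canary wrapped in angle brackets and
    check whether they come back intact. A scanner does this per parameter;
    a hit means the page writes attacker-controlled markup to the browser."""
    probe = f"<{canary}>"
    response = render(probe)
    return probe in response


if __name__ == "__main__":
    for name, page in [("vulnerable", render_results_vulnerable),
                       ("hardened", render_results_hardened),
                       ("url context", render_search_link)]:
        print(f"{name:12s} reflects unencoded input: {reflects_unencoded(page)}")
    print(render_results_hardened("<script>alert(1)</script>"))
    print(render_search_link("a&b=<c>"))
```

The probe is the whole trick behind "XSS is easy to scan for": you do not need a working exploit, only evidence that the page hands your angle brackets back unchanged. Note that the hardened renderer picks the encoder by context; HTML-escaping a value that lands inside a URL or a script block is the usual way a "fixed" page stays exploitable.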
The Laundry List
- BotHunter: Security tool or new NBC action series? Some researchers from GA Tech show how to correlate network monitoring data to pinpoint bot-like activity. Plug this stuff into your NBA today and isolate the bots. This is pretty cool stuff. - SearchSecurity blog
- Do svidanja Kaspersky. AOL sends Kaspersky packing and offers McAfee for free. At least the AV engine. - InfoWorld coverage
- Earnings watch: Trend sells billions. Of yen that is. But they are still doing over $200 million a quarter. Talk about a huge cash cow market, AV is it. - Trend Release
- Cybercrime loss > 0. No kidding, but leave it up to the folks at Consumer Reports to make up some numbers about the impact. Is it $7 billion or $15 big? Who cares? It's bigger than a breadbox and it's getting bigger. - eBizQ security blog
Top Blog Postings
But I can't even keep track of my own stuff...
Rebecca Herold makes a good point about an issue that we are only
starting to scratch the surface of. Basically, we are responsible for
what our trading/business partners do. If they lose our data and
violate our customers' trust - guess who is responsible? Right. So how
do you check into this stuff? It's not easy, but I think the answer is
listed above when I talked about SoundBite getting PCI compliant. Is
PCI the acid test for good security? Maybe yes, maybe no. It depends on
what you are trying to do. And a SAS 70 isn't either. But a 3rd party
verifiable audit and certification will become a
critical aspect of deciding who to do business with. The reality is
that we have a hard enough time keeping on top of our own stuff. There
is no way we can do it for other folks, so we'll need to rely upon
auditors, etc. to vouch for the business partner. Yes, I know this
creates an Andersen/Enron type of opportunity to deceive, but what
other options are there? I'm all ears.
http://www.realtime-itcompliance.com/information_security/2007/08/you_will_be_judged_by_the_comp.htm
And they didn't even wear masks
After I saw Rob Graham break someone's Gmail at Black Hat, I'm not
surprised at all to see this guy talk about his hijacked Gmail. It's
actually cool that he's coming clean and talking about it because it
brings up a number of good points and it all gets back to your own
personal incident response plan. I know a lot of folks that rely on
Gmail, even for their business stuff. Yet, it seems all you can do is
send an email to Google and pray that they respond if you have a
problem. For my personal stuff, that's fine - the price is right. But
for my business, ah, not so much. The point once again is to make sure
you have a plan in place, whether it's redirecting an MX record or
something else to make sure you aren't at the mercy of a big, faceless
company that will fix your problem when they get around to it. And that
peace of mind is worth the $24 a month I pay for a hosted
Exchange + Blackberry service.
http://www.theinnovationjunction.com/2007/08/gmail-hijacking.html
More PCI wisdom from AndyITGuy
Since it's all PCI all the time here at the Incite, I may as well point
to a good piece my friend AndyITGuy wrote on his experiences. In his
new gig, Andy has a PCI compliance burden, as well as working for a
huge entity that didn't really have a security group until Andy got
there. Now that sounds like a lot of fun. I'll take the dental drill
scene from Marathon Man, thank you very much. That seems more
enjoyable. But seriously, PCI is pretty straightforward, but unless
you've been working on it and have your infrastructure in decent shape,
it's going to be a long and hard road to get there (and longer than
60 days). The good news is that we've gotten more specificity about
what the regulations mean over time (try to implement HIPAA with any
sense of precision), but it still gets back to a basic truth. If your
security program is strong and well-run, this compliance stuff is a
walk in the park.
http://andyitguy.blogspot.com/2007/08/pci-and-your-network.html
They said we couldn't run the 4 minute mile either! But if you buy my cool blue appliance and plug it into your network, you'll be PCI-compliant in the 30 days it takes for my baby to evolve and take control of everything!
Ok, I'm being a dork, but it's Friday.... :)