The Daily Incite - August 19, 2008
August 19, 2008 - Volume 3, #70
Good Morning:
It's really amazing how a little change in perspective can totally
change your outlook. I'm wired as a cynical pessimist. That means I
tend to look for the downside in everything, and even when it's mostly
upside - I'm still looking for the downside. No wonder I do security,
eh? But it does make for a pretty bumpy ride because you are never
really "happy." Or only happy for short bursts of time before your
internal wiring reminds you that things can (and probably will) go
wrong and you need to be prepared for that.

Obviously this is a tough way to go through the day. It's amazing that
you can put two people - one optimist and one pessimist - through
exactly the same situation and see how different their perspectives
will be. So I'm working on trying to change this about myself.
Of course, it's almost impossible to change the way you are wired.
Since a lobotomy isn't high on my list of things to do, I figure I need
to make the best of my psyche and employ some little tricks to smile
more and appreciate the great stuff that happens every day.
I call the technique "little things." In that I'm looking for the
little things that are funny and give me an opportunity to remember how
lucky I am. For example, I had a bunch of little things when I took the
boy to the Falcons game on Saturday night. But the best was when we
were on the train home and I asked him what his favorite part of the
game was. I figured it would be the two exciting long runs from Michael
Turner. Or a good tackle or a completed pass. But I forgot I'm dealing
with an almost 5 year old here. His response was "I had a bunch of
treats." Of course, cookies and Dippin' Dots are exactly what would
appeal to him. That made
me smile. That was a little thing.
Or when I went to the Boston/Styx show on Sunday. Two of my favorite
bands growing up, it was great to see the old favorites live. And to
see how much they (especially Styx) still enjoyed playing the songs
they've probably played 10,000 times over the years. You wouldn't know
it by seeing their performance. It was like things were brand new.
That's a little thing too.
Or even yesterday when the barista at Starbucks made a mistake in my
favor and I ended up with the venti (that I ordered), but got charged
for a grande (the medium size). Again, I think I saved maybe a buck.
But the folks behind the counter and I had a good laugh about it. And
that was a little thing. Sure it's nothing major, but these little
events help take my focus away from the fact that it won't be too long
before I start looking over my shoulder again and assessing the risk of
sitting at the far corner table facing the door (which I usually pick
so I can see everyone that walks in and out).
I know I can't turn off those aspects of the way I think. But I
certainly can try my best to look at things a bit more positively. Have
a great day. And pick maybe three "little things" to
appreciate today. It'll totally change your outlook - for the better.
PS: I ranted a bit yesterday about password resets, and mentioned
Shimmy and My Little Pwnie in the same post. :-) But my email broadcast
system was temperamental, so I couldn't send it out to folks that get
the TDI via email. Sorry about that.
Photo: "Airplane 02 nano" originally uploaded by watdoenwijmetnl
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com
Top Security News
Maybe we should check Hoover's file cabinet
So what? -
All hail Brian Krebs. He did a masterful interview of the FBI's
head cyber dude on his blog and it's fascinating, and I'm not
sure in a good way. They go through all the typical geek cred stuff
(like the FBI guy favors Linux and builds his own video cards), but
when it gets to security - that's when it gets interesting. Sure the
guy still banks online (as do I) and most folks out there have no idea
how to protect themselves, which I agree with. He also makes the point
that security will be a differentiator for some institutions
(especially
banks), which I'm a bit skeptical of - but I understand the theory,
which assumes that people care. It's when Brian asks him how the
FBI is evolving that our favorite special cyber agent becomes very testy.
He even calls Brian "unpatriotic" for asking the question about how
the FBI is trying to catch bad guys. It's that one statement that
really undermines all the positive PR work the FBI has been trying to
do. It seems our cyber security chief forgets that there are only so
many ways to catch a thief. And it's important for us common folks to
gather the right data to actually maybe assist the FBI in their
investigations. But it's all very secret and hush hush, so we can't
talk
about that kind of stuff. We wouldn't want to give the bad guys any
tips. Like they don't know how to do a forensic scan of a device. It
hearkens back to the days of Hoover's file
cabinet. Clearly they shouldn't be talking
about specific investigations, but to not talk about techniques? They
think perceived mystique is a selling point. I think it seems a bit too
close to the Wizard of Oz. Don't look behind the curtain, y'all.
Hands on NAP
So what? -
The folks at InformationWeek Reports did a hands-on test
drive of Microsoft's NAP (the report is a PDF file) and it's kind
of interesting to see how Microsoft's under the radar (for the last
year anyway) approach to proliferate NAP in most places will likely
work. If you recall, MSFT got caught up in all the hype back in 2006
and was really selling the "future" of NAP. Of course, it was mostly
vapor and APIs. But then they stopped talking about it. And with Server
2008 on the street, now they can start doing it. The reviewers tested a
bunch of different enforcement methods (DHCP, IPSec, VPN, Terminal
Services and 802.1x) and the product seems to work (if you can believe
a review, anyway). There are some gotchas (like turning on the NAP
client service on the devices), but nothing that isn't more than a
minor
pain. To me the crux of the decision isn't about to NAP or not to NAP.
It's about how to leverage NAP to solve the real problems, be it
guest/contractor access or even specific access control. And it will be
interesting to see how the NAC vendor community looks to take a page
out of the MSFT play book and "embrace and extend" NAP, so their
products add value when NAP is there. For the NAC industry - their
window is
still open to add value for heterogeneous markets and ease of
configuration/use. But those aren't long term value propositions.
That's why I keep maintaining that NAC functionality will become a
feature of the network. We'll see in 5 years if I was right.
No rootkit for you (you hope)
So what? -
It's funny how the security industry seems to have the attention span
of a gnat. Remember back in 2006, at Black Hat, rootkits were all the
rage. Now we hardly hear about the attack. I guess it's just not
newsworthy anymore. Unless you've been infected, then it's a lot of fun
to reimage your machine and hope you didn't lose too much data. Why
aren't we worried about rootkits anymore? Basically, in this case no
news is bad news. As this NetworkWorld article details, not much has
changed. The same old attack methods are still working well,
and the defenses aren't. We don't like to draw attention to the fact
that we aren't getting the job done, so we sweep the issue under the
rug and hope it goes away. It's not, and if anything, the bad guys are
making rootkits harder to find and eradicate. So what to do? Continue
blocking, tackling and monitoring? Again, you may not be able to figure
out if/when a device gets nailed, but you can figure out that it's doing
something funky. Then you investigate and remediate it, if need be.
The Laundry List
- CHKP announces a better virtual VPN-1 SPLAT. Is that the sound it makes when the cat is thrown off the 30-story building in Second Life? Hoff seems to think this is a big improvement in terms of high availability. I'll take his word for it. - CHKP release
- Security at Cisco is growing up? That's good, maybe one of these days they'll get out of diapers and won't have to keep cleaning up turds on the floor. Though this interview does provide a good perspective on how yummy eating your own dog food can be. - NetworkWorld interview
- CoreTrace stops all the bad stuff during the Race to Zero at DEFCON. It seems there may be something to this white listing stuff. But we can't forget how strong the signature based inertia is in the security business. - CoreTrace release
- Deal: Symantec buys PC Tools. Looks like there will be more crap in the Big Yellow retail box before long. - Symantec release
Top Blog Postings
I break your cert, and you will like it
Shostack rants quite a bit here about the new Firefox and its penchant
to break self-signed SSL certificates. He does a good job of presenting
both sides of the issue here, since it's clear that when dealing with a
branded web site (like PayPal or eBay), if the browser doesn't question
a self-signed cert then the phishers will have a field day. OK, that's
assuming that anyone actually does look for the green bar or the lock
or whatever other visual cues they are building into the interface. But
is it a legitimate tax to have to pay $29 a year for a signed cert? And
does that really mean anything besides the fact that you control a
domain and have an email address? If you are looking for even
half-assed validation, then you need an EV cert and that's a couple
hundred bucks. And Adam's question is really about whether it even
matters. Most users are conditioned to just click off the warning
boxes. Adam's answer is to stop sending
links to users and to train them to actually type in an address that
you know is legit and then bookmark it. It's an interesting idea, but
it's not really practical. Because these businesses are all about
making it easier for the customer to find their site and do business
with them. They'll deal with the shrinkage and fraud because that
represents a lot less financial impact in the aggregate than providing
a more difficult user experience. And these companies are willing to
shell out for the VeriSign SSL cert tax. And that seems to be the way
it is.
http://www.emergentchaos.com/archives/2008/08/certifiably_silly.html
Protecting endpoints is the key (especially when you sell endpoint security)
I get a good chuckle out of McAfee's blog most of the time. It varies
from CEO-level rah rah stuff to weird stats to unadulterated humping of
their product lines. Like this post that talks about why an integrated
endpoint agent is "key to security control." Hmmm. Yes, most of today's
device security is a mess. Lots of customers have lots of agents and
it's all very inefficient for lots of reasons. So I'm totally on board
(much to Shimmy's chagrin) with Big is the New Small and the need to
integrate a lot of these functions, if only for simplicity's sake. But
to figure that an integrated endpoint, managed by a central console is
the Rosetta Stone is just funny. I know this blogger is only looking at
it from the perspective of the endpoint. And I know that McAfee sells a
bunch of other stuff to solve other security problems. I just think
this kind of drivel is more entertaining than anything else. Wouldn't
it be great if we could just trust a big vendor like McAfee (or anyone
else for that matter) to get it right, and we could play a bit more
golf? How cool would it be if we could sleep like a baby at night knowing
that the integrated endpoint security is defending us against all of
the charlatans and fraudsters out there? Yeah it would be cool and part
of me thinks a lot of the folks at Big Security companies actually
believe it. They should get out in the real world a bit more.
http://siblog.mcafee.com/?p=278
New times call for new security models
Gunnar makes the point here that mainframes are still good business.
"Selling like hotcakes," which is actually making me hungry. Yet,
underlying the desire for the simpler days when RACF made everything
tidy and secure, is the real issue. There is an impedance mismatch
between the security models of distributed apps and mainframes. So most
folks rely on the tried and tested approach of a proxy-like gateway
sitting in front of the mainframe to "translate" between the different
models. Which is fine, as long as you can trust who is getting the
data. Own that proxy box and you own all the data in the mainframe. Or
most of it anyway. GP's point is that we need to start focusing on
securing the DATA and not just the resource. That's exactly right. The
existing security industry is all about securing devices (with a rather
broad definition of device). But the problem is really about securing
data. I know, I know. Hoff and the Mogull and even a small brained
fellow like myself have been talking about data-centric security for a
long time. But I just wanted to remind you that it's important. Just
ask Gunnar.
http://1raindrop.typepad.com/1_raindrop/2008/08/mainframe-mindset.html
Hi -
I just read your note about reimaging computers to clean them - effective technique - yes - but the pain that goes with it makes it a less preferable choice.
I am working in Reimage.com - we have clients that reimage for the same problem - banks reimage their clients computers to make sure no spyware there.
Instead of reformatting - take a look at our product. Although it is for techs only, you can get a free trial if you say you're a tech.
Try www.reimage.com next time you need to undergo this process. - use the boot cd option.
-- Jason
Mike,
Perhaps that proxy gateway should be trusted (or Trustified)?