The Daily Incite - December 18, 2007

Submitted by Mike Rothman on Tue, 2007-12-18 13:32.
Today's Daily Incite

December 18, 2007 - Volume 2, #164

Good Morning:
I talk frequently about how I treasure the innocence of kids. They haven't come face to face with what is (in some cases anyway) a cold hard world, and they actually believe in whatever is the flavor of the day. With the holidays, the Boss and I always have to be careful, especially when discussing good old Santa. This is a pretty confusing time of the year for my kids. How do you explain to a 4-year-old (and even my 7-year-old is not clear on how all this stuff works) that Santa doesn't come to our house, even though they got tons of stuff for Hanukkah? Their memories are pretty short. They are hammered with images of Xmas and it's confusing.

Personally, I'd just as soon tell the kids the truth about Santa. But after many discussions with the Boss, we've decided to smile and play along and make up some nonsense that pacifies the kids for a couple of minutes anyway. Why? Because it wouldn't be fair to all their 4-year-old friends that actually believe. I'd feel pretty bad if it was our kids that delivered the cold hard truth that it's the parents, friends and other family that provide all those great presents under the tree every year and not old St. Nick.

But it's not just an Xmas thing. Like most parents, our kids worship at the Disney temple multiple times per day. We've made the pilgrimage to Disney World, but do you tell the kids that the Princesses are out back smoking a butt during their breaks? Actually, I don't think they are allowed to smoke in the costume, but all the same. Half of them probably leave their dancing jobs during the High School Musical 2 show at MGM and climb some pole at one of the clubs in town. A dancer is a dancer, no? Or that the guy in the Frozone suit is an 18-year-old pimply faced teen?

It's a tough call. But actually not that tough. As long as my kids want to believe that a dude in a red suit can traverse the entire world on a sleigh in a night, more power to them. If they think that Cinderella lives to take a few pictures with them and then retreats to Prince Charming and the Castle, I'm cool with that. They've got a lifetime of dealing with reality ahead of them; there is no point in bursting their bubbles too soon.

But it would be nice to suspend disbelief for a little while and just dream a bit. That maybe with the upcoming US election we can get to a happier, less partisan place, regardless of the side of the fence you call home. That maybe we can make some progress in closing down those gaping exposures that keep the bad guys flush with stolen private data. That maybe our bosses will take what we do seriously, or at least a little more seriously.

I know, I'm being optimistic again. It doesn't happen too often, so I'm going to enjoy it for as long as it lasts. I spend most of the year worrying about the things that I'm not getting done, as opposed to celebrating all the things that I have gotten done. It's just my nature. As we close out the year, I suggest you take a look back and feel good about all the stuff you've done. I'm sure it's more than you expected, though less than you wanted. January 2 will be here before you know it and then it'll be time to focus again on that to-do list.

Have a great day.

last breath image originally uploaded by niddufias.afatsum@sbcglobal.net



Top Security News

It's easier to play the ostrich game
So what? - I'm a big fan of the NO SURPRISES doctrine. That's why I push anyone who will listen to test their networks, applications and systems as often as practical. I call the process "Security Assurance" and have even built it into the Pragmatic CSO methodology. So when I read about a new service from the folks at XSSed.com (as covered by Dark Reading), I think it's pretty cool. These folks act as an archive of all the publicly disclosed XSS bugs, and will let you know if something you are in control of shows up. It'll be even better if they do execute on the idea of giving webmasters a day's notice of an issue, so they can get it fixed before it shows up in the archive. The online web scanning folks are starting to play around with XSS tests as well. It's not easy to automate the process yet, but it'll get there. If you've got a site that is frequently targeted by the bad guys, this is a service you may want to check out.

Evolution accelerated
So what? - Some of the scientists out there should be studying the evolution of the fraudster. They are getting much more sophisticated at an alarming pace. First you hear about the way the phishers are defeating CAPTCHA challenges when signing up for bulk email addresses, and now these folks are coming up with interesting ways to basically screen scrape a typical user interaction with a banking web site. If it wasn't so dastardly it would actually be cool. Remember, low and slow is the name of the game for these folks. They don't want to be detected or caught until the money is gone from the account. Another innovative attack was perpetrated on the US National Labs. This one was a phishing attack that provided access to the bad guys, and they used that access to compromise a couple of databases. The good news is that the bad guys only got to the "unclassified Yellow network." Great, now I'll sleep better. As that guy in the Guinness commercials says, "BRILLIANT!" Unfortunately we are going to see a lot more "innovation" like this in 2008. So we'll need to bring our A game, or it will be a mess.

Jericho still speaking in tongues
So what? - It wouldn't be a fun end of the year unless I could beat down the Jericho Forum a bit more and perhaps raise the ire of the Hoffian one, so maybe he can try to pwn my home automation system as well. Since home automation for me means getting off my large ass and getting up to tune the thermostat and turn the lights on and off - good luck with that. But in this NetworkWorld op-ed, Paul Simmonds works to make Jericho relevant by recasting its message around "endpoint security," especially the many new portable devices that can drive us nuts. Conceptually, the message that Jericho is bringing, which is really about securing inside-out, as opposed to outside-in, continues to be mired in overly complex characterizations that are next to impossible to follow. Take this for example:

The Jericho Forum believes that end-point security is about raising the level of inherent trust in computing devices, to a point where all the devices involved in any transaction meet the criteria of trust required for that transaction. Simple to say, but the technologies to achieve this are severely lagging.

That is simple to say? What a mouthful. Devices, transactions, criteria, trust? Arghhh. I seriously think the old Jerichonians need to invest in some real marketing. Not a PR flack that is trying to get the muddled messages heard. There is a pony somewhere in there, but it seems to continue to be buried under 2 or 3 tons of elephant dung.

The Laundry List

  1. My firewall is bigger than your firewall. As if it matters, but NetworkWorld does a speed test and amazingly enough, most are pretty fast. Though some (ahem, Fortinet, ahem) get caught with their thruput stats in the cookie jar, I mean UDP at max packet size. - NetworkWorld review
  2. Symantec weighs in with 2007 trends and 2008 predictions. The verdict, 2008 will be more of the same. At least there is some consensus on that suckitude. - Symantec release
  3. Spell check much? Fratto seems to have forgotten the l in Alcatel. No matter, he points out that ALU will get into bed with all the NAC folks, except Shimel I guess. - NAC Immersion Center
  4. The end of an era. NetManage is acquired by Rocket Software. Remember when IP stacks used to be cool and valuable? Those were the good old days. - NetManage release

Top Blog Postings

Now that's a big pipe
Bejtlich covers what seems to be a promising initiative in the US Fed world about reducing the number of egress points to the Internet. They figure they have about 1000 of them now (and that's probably being conservative) and they'd want to get down to maybe 50 and then monitor the hell out of those pipes to look for bad behavior. It sounds good in principle, but we'll see if they can make it happen. First of all, those Internet connections would look a lot more like an ISP, and a pretty big one at that, so there are network engineering challenges, but smart guys can figure that out. What may be more problematic is getting everyone on board to share their pipes. Who wants to share with the FCC as they are out looking for all that illegal video and making sure they get some good net neutrality going? But I'm with Richard here, this is definitely a move in the right direction.
http://taosecurity.blogspot.com/2007/12/feds-plan-to-reduce-then-monitor.html

We still have a failure to communicate
After going around and around, it seems that Cutaway is still looking for some answers relative to UTM. Yet we keep getting caught up in the words.

I have a problem with vendors who are developing products that provide many security controls on one system (not UTMs, I’m talking firewalls performing a combination of spam detection, anti-virus, protocol analysis, data evaluation, and whatever else the vendor thinks will sell) and selling it as the ultimate solution for the perimeter of a company’s infrastructure.

Ah, isn't a firewall with all this other stuff on it a UTM? That's my definition anyway. Whether the product comes from a heritage of firewalls or has been purpose built to do a lot of things is of no import. Hoff makes many of these points in his comment to the post, and I'll just sum it up by saying, every firewall vendor is a UTM vendor now. You can't draw this artificial distinction anymore.
http://www.cutawaysecurity.com/blog/archives/218

Yes, there is bad revenue
When you are just starting out, you basically take whatever comes in the door and has some moola attached to it. I know, that was 2006 for me. Lots of other start-ups, especially the ones targeting the large enterprise, are usually in the same boat. So they'll sell their souls for a 7-figure deal with a money center bank, maybe not knowing that those 7 figures represent 8 figures of opportunity cost, because those large organizations tend to have very unique requirements that are not representative of the broader market. Mitchell does a great job of describing this issue in this post. He's right, the hardest thing to do is to turn down revenue. But you also should be aware of what that revenue will cost you in the stuff that you can't get done. I wish the magic 8-ball would tell you with certainty which of the projects you are looking at (or customer engagements or anything else) will be the best for you, but it doesn't. You also need to be able to cut and run. It's a lot better in the long term to acknowledge that things aren't going well and to come up with a contingency plan, than to have something go nuclear and force you to wait 10,000 years to get another shot.
http://mitchellashley.typepad.com/the_converging_network/2007/12/product-bistro.html
