The Daily Incite - December 3, 2007

Submitted by Mike Rothman on Mon, 2007-12-03 09:59.
Today's Daily Incite

December 3, 2007 - Volume 2, #159

Good Morning:
As I read on Friday afternoon of the passing of Evel Knievel, a flood of emotions hit me. OK, not actually a flood, which would be a bit of an exaggeration. How about a stream? Nah. A few trickles of brown, murky water? Yeah, that's about right. RIP Evel, who was one of my childhood heroes.

That's right, I looked up to a guy who couldn't seem to land a jump. He was just cool. He didn't care. Taxes, phooey! Just put me in a rocket ship and send me across the Snake River Canyon. I even had the Evel Knievel Stunt Set, though my house was covered with blue shaggy carpet (got to love the 70's), so it didn't work too well. You can't buy it anymore (except maybe on eBay), which is too bad because every kid should look up to a guy who jumps over things on a motorcycle. At least Evel wore a helmet.

But Evel's passing made me think of how things are so different today. There weren't a lot of "heroes" for a kid growing up in the 70's. Or maybe it was just me. I liked the rebels and the outlaws. I was a Raiders fan, mostly because of Kenny "The Snake" Stabler. Then I liked the Oilers, mostly because the Snake went there to play when Al Davis was done with him. It wasn't until I moved to DC after college that I reunited with my beloved G-men. I couldn't root for the Redskins, now could I?

Today our heroes are manufactured and for that we can thank MJ. Yes, Michael Jordan. He was the first to be more than just a sports hero, but rather a business enterprise. Now we see not only sports stars, but musicians and even movie stars that are more about the business than the sport or the art. We even have Fortune 100 companies that are in the business of manufacturing stars (like Hannah Montana and the High School Musical franchises).

I guess sometimes I long for the simpler days when outlaws were outlaws and they had their fans because they were outlaws. Now we have outlaws, they just masquerade as the wholesome "heroes" until they end up having their email broken into and their "personal photos" posted on the Internet. Or they dig on seeing pit bulls rip each other to shreds.

Maybe I just yearn for some authenticity. Everything seems so planned, contrived and manipulated that it's very easy to let my cynical side show. Did you see the Fortune article this week about LeBron Inc.? It's a fascinating article, and very indicative of what I'm saying. LeBron is a fine role-model and seems like a genuine guy. But that's because that's what they want us to see, as he's angling for equity in these businesses he's flogging.

All I can do is keep it real. And keep looking for those promotional tie-ins. I know you are all waiting for your Security Mike t-shirts and sneakers. Maybe there will be one under your tree for the holidays. Have a great day.



Top Security News

Can't live with them and you can't kill them
So what? - No, I'm not talking about your significant other or even your kids. I'm talking about your employees. Personally, I think most of the research coming out of the Ponemon Institute is trumped up vendor nonsense. Not that the folks at PI don't do the work, I'm sure they do. But asking the right questions to get the answers that your sponsors want is definitely an art form that these folks have mastered. Yet, every so often, if you can wade through the jungle of vendor hype (bring your machete) there is actually something of value in these surveys. Like this one talking about the 2007 Annual Study: US Cost of a Data Breach. The top line data breach cost number (which allegedly went up) is what got a lot of the media attention. But in reality, the more interesting tidbit was that 80% of data breaches are due to human error. That's right, you can throw all the technology you want at the problem, and 80% of your problem will still be because a lot of people are stupid, or at least make dumb mistakes. So what do you do? Do you stop rolling out things like laptop encryption (even though sometimes it's futile, as Rich points out)? Of course not, but you also better make sure you know how to deal with the inevitable mistake, because for most of you getting rid of all your employees probably isn't an option.

Spam is still out there, but does it matter?
So what? - One of Google's anti-spam dudes is out there talking about the fact that maybe spam is declining for the first time in years. Woo Hoo! That's great, if only it were true. The truth is, I suspect the bad guys have gotten a lot better at being more selective about who they blast with spam. Google (and Yahoo! for that matter) do a pretty good job of blocking spam. So it's not too hard for the bad guys to maybe eliminate Gmail.com from their sending lists. Remember, spam is all about ROI. If they aren't getting sufficient ROI from spamming a certain domain, they stop doing that. Well, the sophisticated ones anyway. I just have a hard time believing that the trend is down. But I guess it's like Microsoft's market share in OS or office suites. It gets to 90+% and then tops out. Ultimately, does this matter anyway? I get about the same amount of spam. Some days it's less, other days it's more. My service is pretty mediocre, but I think they all are. Does it impact my ability to do my job? Nope. And that's really the point. Whether spam is up or down, the fact that most folks don't let it impact them means the good guys are winning for once - even if it's a pyrrhic victory.

Bots on the barbie - the sequel
So what? - Evidently the Kiwis are adept at more than just Rugby, sheep and Hobbits. It seems that bots have been a major export of the New Zealanders as well. OK, that's probably not fair. Bots are a major export for at least one 18-year-old New Zealander, who found himself at the center of another FBI bot-roast sting. Bravo again to the FBI, not just for coordinating some law enforcement activity on an international basis, but for again ramping up the PR engine to talk about it. I'm a big fan of deterrents. As I've mentioned numerous times, the deterrent isn't going to stop the truly motivated criminal, but it will stop the script kiddie who decides maybe it's better to try to get to the next level of World of Warcraft than mess around with potential jail time by playing bot master. Also check out Ed Dickson's blog for more details of the FBI's sting.

The Laundry List

  1. Why not focus on the real problem? McAfee updates VirusScan for Mac, but why isn't there a better centrally managed endpoint suite, including a two way firewall, mobile protection, and laptop encryption? It's not about stopping viruses, it's about enforcing a corporate policy. - McAfee release
  2. TJX pays Visa $41 million to make the problem go away. Seems this holiday season, this will be the gift that keeps on giving. - Jaime Chanaga blog
  3. What do you get when you put two loudmouths on the same podcast? A decent (and quick) assessment of database security. I welcome the Mogull to my eBizQ podcast this month. - Rothman eBizQ podcast

Top Blog Postings

The key to innovation - buy low/sell high
Last week, the Hoff finally finished his summary of the keynote he gave at Information Security Decisions. First, I'm sure it was a great speech. Hoff's slides are pretty (if a bit wordy) and the concepts are powerful because he really underscores one of the key issues with practicing security today. It's all about how you keep all those plates in the air with fastballs coming at your head at a high rate of speed. It's hard. Hoff's answer? "That means we need to actively invest in and manage a strategic security portfolio -- like an investor might buy/sell stocks." That's kind of interesting, but unfortunately it's very hard to balance the idea of long term vs. short term. You may be looking to solve a short term problem, but unless you communicate that effectively, your management may think the money you are investing has a half-life of 10,000 years. And what is long term nowadays? Two, three weeks? With the rate of change in new attack vectors, it's really hard to even feel marginally good about your security posture. But Hoff wraps things around to a lifecycle analogy and his real point seems to be that innovation (or at least looking at new products) needs to be woven into the fabric of your business. Right, you need to run security as a business, and looking for new "offerings" to do your job better needs to be part of the business process. That doesn't mean it's easy, but it is necessary. Read Hoff, learn from Hoff.
http://rationalsecurity.typepad.com/blog/2007/11/security-and--3.html

Even if we trust, we still need to verify
Marcin Dre rants on the TSSCI blog in a brutally long post about whether we still need pen-testing. The sub-head is that "pen testing is an art, not a science" and most of the piece focuses on how security must be built into the development process and how that can happen. I actually agree with many of Marcin's points. We do need to let the developers into the fold, and educate them on how to develop better and more secure code. Marcin has some interesting ideas on how to do that. But I'm not ready to give up the ghost on having security assurance as a key part of the security program. Even if we have gotten the developers on board, we still need to verify what they are doing. Web applications are getting more and more complicated. Even if you have a "continuous-prevention security lifecycle" in place, you still have to test and make sure the defenses will stand up to real attack scrutiny. And pen-testing certainly is an art, which is why we'll always need good white hats to help protect us from the black hats. Tools can help, but tools don't (and can't) automate all the nuances of a well-executed social engineering attack. So there is always room for people in the process, and that's not going to change.
http://www.tssci-security.com/archives/2007/12/02/why-pen-testing-doesnt-matter/

The MPAA's unintended consequence
A couple of weeks ago, the MPAA made a lot of "headlines" as they tried to strong-arm some large universities to basically install a network monitoring device to figure out who is stealing movies. Of course, the MPAA is worried about movies, but the tool could also be compromised and provide access to all the traffic flowing on a university network. Got to love those unintended consequences. If the MPAA or RIAA were so worried about this, then why put forth an amateur-night tool? They would be much better served by putting together a deal with a network monitoring firm to sell tools for a good price to some of these universities. That would become a win-win. The associations could get a report of the folks that are stealing content. And the institution gets to figure out what is going on with their networks using a commercial-grade product. It seems that I've forgotten that we're talking about the movie (and by proxy) the record industry. We can't expect these folks to look for a win-win situation, it's all about them fighting yesterday's war.
http://www.realtime-itcompliance.com/laws_regulations/2007/11/dont_throw_away_the_privacy_of.htm
