The Daily Incite - January 17, 2008
January 17, 2008 - Volume 3, #6
Good Morning:
It's a winter, freakin' wonderland. At least for a few hours last night
it was anyway. When you live in the South (of the US), you kind of get
used to having to wear your fleece for a couple of weeks, but that's
about it. The fall lasts through early December, and the Spring starts
in mid-February. And the winter just isn't that bad. If it gets down to
25 degrees F, people think the next ice age is upon us. I break out my
jacket a lot more to travel on business than to wear at home.
I was a bit surprised as I was sitting in the BBQ joint yesterday doing
some writing when I saw
the snow start. Big deal, a little flurry. And if anything sticks,
it'll be gone within the hour. At least that's how every other
snowstorm has been since I've been in Atlanta. But not so fast, this
one seemed to have some legs.
Now legs are relative. It's not Boston, that's for sure. Hell will
freeze over before we get a 24-inch snow drift. But we ended up with
about 3/4" of wet, heavy snow that is great for snowballs. And snowmen
evidently as well. The picture to the left is actually the snowman that
we built on our cul-de-sac - pipe and all. I thought the soul patch was
a particularly cool decoration. Kind of like the Howie Mandel of
snowmen. It was over 6 feet tall (so definitely not the Howie Mandel of
snowmen), which is probably the biggest snowman I've seen.
The twins have NEVER seen real snow. Never had
it fall on their heads and ice up their hair. When we were up North
over the holidays they saw a 2 week old dirty ice drift, but no fresh
snow. So they had an absolute ball out there. Making snowballs,
running around, doing snow angels, and best of all - staying up late.
Leah was very young (like 3) when we were in Virginia for the last
snowstorm. She claims to remember, but who knows.
I'm not a big fan of snow. I don't ski since I left my shoulder on
Killington about 18 years ago. Most people can't drive on snow, so it's
a safety hazard to the folks (like me) that do know how. And I just
remember back to the days when my brother and I had to shovel my
driveway in NY so my Mom could get to work. That was as fun as a root
canal, especially since we were too young to use the snow blower.
It's not like I'm going to move to Denver or something to get closer to
the white stuff. But it was a lot of fun to get out there and spend
some time with the kids, while they were just in heaven. So once a year
(or maybe twice because it's supposed to snow on Saturday again), I can
suck it up and suspend my snow aversion for a few hours.
Have a great long weekend, root for the Giants on Sunday and take a few
minutes on Monday to appreciate the courage of Dr. MLK, Jr. For some of
you it's a day off, but make sure to acknowledge the reason we have the
day off. There will be no Incite on Monday. I'll be back on Tuesday.
Top Security News
Rolling NAC triumvirate
So what? - Running the risk that Shimmy will tell me I don't know Jack
about NAC, yet again - I'll point to the third leg of Fratto's NAC
rolling review.
This is the one with the kickstand. Actually, since they've done some
in-line and out-of-band testing of NAC products, the only thing left to
do is to test host-based (or agent-based) NAC solutions. These products
install an agent on the device to ensure policies are adhered to and
enforced. It'll be interesting to see how this shakes out because some
of the folks with non-conventional solutions like InfoExpress will be
tested. Yet, the line-up is a bit strange. No Symantec, but you have
Senforce (now Novell) and StillSecure, which use the same technology.
You also have Great Bay, which is more of a NAC management tool, than
an actual solution. I'm also not sure I understand the definition of
host-based in this context. I guess if you download a persistent agent,
then you can be considered host-based. This is actually splitting
hairs, since the reality is host-based NAC will become a feature of the
endpoint security suite (Sophos and McAfee are already getting there)
and to ensure proper coverage, typical networks will want to also do
some network-based enforcement. For a change, the answer is D - all of
the above.
The Art of the Security Feature
So what? - Big Dennis sits down with the Art of Coviello
for a little tete a tete about where security is going. Art made a lot
of waves last year with his death threat to the security industry, and
he clarifies some things about that and also about being part of a big
company. There are a couple of other interesting tidbits in this,
including some perspectives on why more retailers haven't been TJX'd: "But I can tell you that every
retail customer I went into, and I say, Why hasn't this happened to
you? They say, Luck. All these systems were built prior to the Internet
and they get connected to the Internet and then all of a sudden
everyone's a schmuck." If the shoe fits... He also weaves
in a pretty good big bang analogy as to why there will continue to be
innovative security companies, but the reality is that we'll probably
never see another really big security company emerge.
Why buy it once, when you can buy it twice for twice the price?
So what? - That's my favorite line in the movie Contact, and it's very applicable
to how established big security continues to milk the cash cow that is
their installed base. Seltzer has evidently had enough and goes on
a tirade about being expected to shell out some more cash for anti-bot
technology. I absolutely agree, although Larry is a bit
behind the times here. SYMC is pretty much the only one that is trying
to nickel and dime their customers on this anti-bot technology (the
others are saying it's already in their endpoint suites), and that is
more likely due to the licensing agreement with Sana than anything
else. The one thing Big Security won't do is share any of the wealth.
There is no way they are going to just bundle into the big suite, if
they have to pay a royalty on all 100 million endpoints out there. But
Seltzer's point is that you shouldn't have to draw a distinction
between any of the attack vectors. It's bad, make it stop. What's so
hard about that?
The Laundry List
- Who put the hypervisor in the litter box? Catbird rolls out an offering to protect the hypervisor. From what, it's not clear - but it's protected. - NetworkWorld coverage
- Patching or NACing? That is Fratto's question. He makes the correct point that one is not a solution for the other, regardless of what the vendors say. - NetworkComputing Daily Blog
Top Blog Postings
We don't need no stinkin' DB patches
The folks at Sentrigo got a lot of airtime this week by running a survey that said most DBAs don't patch
their Oracle databases. Some jackass analyst was quoted in
there saying that's a pretty scary situation and it is. But lots of DB
people got all in a huff because it's "not their fault." That's a load
of crap. You can check out Jai Vijayan's follow-up article where a DB guy basically admits that the DBAs have
no juice and that they cannot make a case as to why keeping a
database updated is important. Maybe I need to write the Pragmatic DBA
next. To be clear, Oracle doesn't make it easy to patch their
stuff, but that doesn't mean you shouldn't. Every IT shop should have a
change control process, and sometimes that means some scheduled
maintenance downtime. Oracle updates happen maybe once a quarter. It's
not like these are anti-spam signatures being blasted out every 45
seconds. Considering a lot of the data that's valuable is in the DB,
doesn't it make sense to keep it protected? Don't take my word for it,
since the Mogull makes the same points and he used to be a DBA.
http://securosis.com/2008/01/14/please-patch-your-freaking-database-servers/
Everything makes my ass look fat
Omar the tent maker can do wonders, but there is only so much you can do
to hide the fat. Hoff is a bit tongue in cheek here, but he makes a
number of great points about the benefits of the thin client
architecture. Yet again, we see the pendulum swinging back towards
centralization and fancy computers basically running terminal to host
applications. At least it's in color this time. The next wave of
security is going to focus on data. But data is hard to protect, since
it's everywhere. We have a couple of options. First we can try to build
security meta-data into the data, so the authorization and usage
policies will travel around with the data. That's hard, ask anyone
that's tried to do DRM. Or we could keep the data centrally and provide
access to it. Not sure that works in practice either, but the reality
is that continuing to ignore the problem is definitely not the answer.
And thin clients certainly don't address the airplane scenario. Since
everyone needs to get at their critical data when they are at 30,000
feet. Though as more ubiquitous broadband proliferates, we are
definitely getting closer to being able to embrace a thin model. Now go
eat those vegetables.
http://rationalsecurity.typepad.com/blog/2008/01/thin-clients-do.html
Free markets don't know good vs. bad
Liquid Dave Lewis asks what we think about these vulnerability
marketplaces, where vendors pay the bad guys for vulnerabilities
they find - presumably so they can protect their customers before the
next guy. I'm sure you are surprised, but I do have a number of
thoughts. First of all, free markets bring marketplaces. So whether
it's a legit vendor trying to buy exploits or it's a bunch of bad guys
bartering for the latest attacks, you can't put a free market in a box.
Money is there and the markets will go after it. Until you repeal the
laws of economics, it'll be that way. I also like the idea of vendors,
in effect, sponsoring security research. The reality is that most of
these attacks are generally known within a few days of being
discovered, so every vendor is working on new signatures or whatever
solves the problem. Security research is a thankless job and in many
cases the vendors try to poke researchers in the eye, as opposed to
thanking them for making their product better. It's far more
thankless if there is no monetary gain. So if these vendors can
outsource research and give some folks doing the right thing an
economic incentive to continue doing the right thing - what's the problem
with that? i'm sure kurt will have all sorts of reasons why i'm wrong,
but at least I use CAPITAL LETTERS.
http://www.liquidmatrix.org/blog/2008/01/17/on-vulnerability-marketplaces/