The Daily Incite - January 24, 2007

Submitted by Mike Rothman on Wed, 2007-01-24 10:24.
Today's Daily Incite

January 24, 2007 - Volume 2, #14

Good Morning:
HD baby! I got my HD installed yesterday and it's cool. Of course, DirecTV figured out a way to nickel and dime me with the install, but I've been doing business with them long enough to have expected it. Picture is great, but the new DVR platform will take some getting used to, especially for the Boss - who just figured out how the Tivo worked. For me, it's great to live with someone who is not technically inclined. It tries my patience (no, don't hold down the rewind button!), but it keeps me focused on the mass market. You know, those who don't relish in playing around with new gadgets because they can. The mass market are folks that want to use technology to solve a problem. That's it. No bells and whistles to confuse things. I like bells and whistles, but I'm not the mass market.

Bit of a slow news day in security land. It seems the Storm virus/worm remains big news, but that's because nothing else has really happened. I'm with Dancho (here). Nothing seems novel about it, it's just social engineering on steroids. More zombies, more bots, more spam. That's pretty novel. I also want to point to some research that Dave Maynor did on Microsoft's response to a vulnerability relative to Apple's (here). It's interesting, but to me more reflective of the maturity of Microsoft's process. Apple, Oracle and the rest of them have a lot of catching up to do. You can say a lot about Microsoft, but they've had enough practice patching things that they are pretty good at it.

Have a great day.



Top Security News

Month of Self-Promotion
So what? - Larry Seltzer sums up what many of my blogging and industry friends have been saying. This whole "month of XXX bugs" isn't a bad thing, as long as it's handled responsibly. Of course, responsible disclosure is still very much undefined and open to interpretation, so that's a bit of a problem. One guy's "responsible" actions may be another's faux pas. But ultimately, this is about marketing - it's not about security. The researchers want to be considered "rock stars," they want their research to be highlighted at Black Hat, and they want their consulting revenues or pet projects to be taken more seriously. The fact that in some cases, these bug finding expeditions can actually improve code is an unintended benefit. But there is nothing wrong with marketing, as long as no one gets hurt in the process.
http://www.eweek.com/article2/0,1895,2086103,00.asp


Don't give up your day job(s)
So what? - The folks at Network Computing can be pretty entertaining. Evidently frustrated with how vendors fail to meet customer expectations on existing product categories, they have taken the bull by the horns and set out to design a new product category - called PCS (privacy compliance suites). Of course, that name came right out of the buzzword generation tool, but their point is kind of interesting. They are looking for something to manage and enforce the technical components of privacy policies. Basically it seems like they are talking about leak prevention, and I'm pretty sure a bunch of folks already do that. Their point is that no one solution does everything yet, and the reality is - the problem of enforcing privacy policies is bigger than a TECHNOLOGY. Why can't everyone get that this is a PROCESS issue, and the process can (and should) be bolstered by technology, but if a company doesn't understand where their private data is and how it's used - how are they supposed to protect it? Dropping a couple hundred grand for a box to sit on the edge of your network and act as a big-ass goalie to keep your private information out of the net isn't the answer. A wrist shot up and to the right will get them every time.
http://www.darkreading.com/document.asp?doc_id=115020

VoIP constrained by security issues?
So what? - Huh? I just love these surveys of small business owners. I'm sure these folks called them up and asked "are you interested in VoIP?" I bet 50% said right off the bat: "I'm looking at Asterisk, but I'm really worried about the security!" Not a chance. More likely they heard, "what's VoIP? Is that like the Internet?" The fact remains that phones are a tool for businesses and small businesses have a lot on their plate (I know I do). I pay BellSouth (now AT&T) their ransom every month because I don't have time to figure out whether Comcast or some other phone service would be better for me. And I've heard enough nightmare stories about those other folks that I'll stick with POTS (plain old telephone service) for a while. But the point here is that I don't believe any of these survey results. VoIP will happen, especially in the SMB - when they don't realize it's VoIP. They just want dial tone.
http://www.net-security.org/secworld.php?id=4626


10 Steps to a more secure firewall
So what? - ITSecurity is at it again. Here is another list and it's not too bad. Making your personal firewall more secure is the topic, but it's really more about making your home network more secure. The only thing I have an issue with is the step where they have you "tweak" your firewall settings. Tweaking - for those with little skill and even less interest - is a very dangerous thing. Very dangerous. What seems like a good idea at the time (like open up Port 4000), opens these folks up to something like the Storm Trojan and they don't understand the impact of what they are doing. Obviously the knobs need to be within the personal firewall for customization, but hopefully they aren't touched.
http://www.itsecurity.com/features/more-secure-firewall-012207/


Top Blog Postings

Katrina it ain't
The Storm virus/worm remains all the rage. But I'm with Dancho on this one. It's more because there is nothing else interesting going on, as opposed to something novel. Not even Brian Krebs is doing much with this one. This is a bunch of over-zealous vendors trying to keep their corporate communications departments busy (and BusinessWire in the black) by saying they do all sorts of stuff to stop Storm. Block Port 4000. Don't let .exe attachments through the email gateway and TRAIN YOUR USERS to not execute programs sent to them in email. It's not that hard folks, and you too can ride out this Storm. Symantec has some interesting statistics about what they've seen on this virus here, if you are into that sort of thing.
http://ddanchev.blogspot.com/2007/01/social-engineering-and-malware.html

You can't buy PCI compliance
Farnum is fired up and he should be. I saw this announcement between Cisco and CyberTrust regarding "PCI Compliant" network architectures, but just dismissed it as more huffy puffy marketing than anything else. But reading Farnum's rant shows me that I should have made a comment and reiterated what I've probably said 100 times. You can't buy compliance. It doesn't come in a box, not even one from Cisco. CyberTrust can't guarantee that Cisco's configuration is compliant because it's all in how you IMPLEMENT IT. I can tell you, when all the equipment is sitting in the boxes on the shipping docks, it is compliant with PCI. There is a very low likelihood that private data will be compromised by a network configuration that is on a pallet in the warehouse. But once you plug it in, all bets are off. A strong and effective security program results in compliance, not vice versa.
http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/

Apple response - still work to do
Dave Maynor points out that Apple still has a lot of work to do relative to responding to exploits, especially those in the wild. Microsoft got their patch out in 10 days. It took Apple 23 days. But all is not bad news. First, Apple actually did something - which is progress. Second, Apple actually did something besides bury their head in the sand. Third, Apple actually did something that didn't involve trying to sue the guys that disclosed the exploit. All of this is progress folks. Microsoft took close to 5 years to get their patching process down pat. Apple is just starting. I suspect Apple will figure it out, but it may be later rather than sooner. A few more train wrecks usually help facilitate the process. Ask Microsoft about that.
http://erratasec.blogspot.com/2007/01/test-of-apples-security-response-versus.html

Religion is always religion
As interested as I am in Mitchell Ashley's moving activities over the weekend, the last portion of this post is far more interesting to me. It borders on religion relative to purpose-built hardware versus software platforms. Mr. Market has decided that for security applications, a hardware platform is preferred. Is that changing in the age of virtualization and higher performing standard-build servers? Maybe. But then again, maybe not. The fact is, if you are a vendor, why are you even choosing? If you do software, cool. But port it to an appliance (maybe it's a standard rack-mount or maybe it's a special appliance platform - like Bivio) and sell a packaged offering to a customer. Of course, the customer can buy a rack-mounted server from Dell or IBM, just like you can. BUT THEY DON'T WANT TO. That's what a lot of folks don't get. They want to buy a SOLUTION, not a component. Now as that solution becomes acceptable to run on a virtualized standard server platform (Hoff, I'm not talking about you here), that changes things a bit - but we aren't there yet in the security land. So what? It'll be interesting to play this out, but for the time being - appliances still rule the security roost.
http://www.theconvergingnetwork.com/2007/01/the_more_things_change_the_mor.html
