The Daily Incite - July 17, 2006

Submitted by Mike Rothman on Mon, 2006-07-17 09:13.

Good Morning:
Hope you enjoyed your weekend. Mine was a blur of activity, but it always seems that way. I made some changes to the format of TDI, adding Technorati tags for each snippet and also a direct link. I know a lot of folks link back to the entire newsletter, when all they want are one of the snippets. Hopefully this will make it easier for ya.

In security-land, we are entering the dog days of summer. Which means not a lot of real news, but enough stupid stuff going on to keep a guy like me pretty busy. Today's "El Stupido" award goes to McAfee, who thought that they could pull one over on everyone by stealthily patching a vulnerability in their AV stuff. Too bad eEye found the vulnerability and called them on it. Given some of the spin coming out of McAfee (including an apology to customers) it seems their patching process has a few "kinks." Sounds like Lola to me.


In the non-security post of the day, check out this post on the 37signals blog about the F*** Off Flag (link here). What a great idea. I can't tell you how many times I needed to leave my office (when I used to have an office) to get something done. If I had a flag (or sign) that basically flipped everybody the bird and made it clear that I wasn't in a conversational mood, I probably wouldn't have been so grumpy all the time. That reminds me about my "F*** You you F***kin F***" cup that one of my buddies got me. Definitely sums up how I feel some days.

I'll also apologize for anyone that had trouble getting to the web site early this morning. The upgrade to Drupal 7 went, but not as smoothly as I would have liked. At this point, I know too much about .htaccess and other wacky PHP permissions stuff. Those that add comments will see a snazzier interface and there were lots of scalability and reliability benefits to the upgrade. Have a great day.

Top Security News

What was McAfee thinking?
So what? - Folks get pissed off at sports stars for not setting a good example. Well, I think it's time we held our security vendors to a similar standard. If you are going to come down on Microsoft's credibility in security, you better make sure your house is in order. Last week, McAfee's wasn't. They found a vulnerability in the ePO product and "inadvertently" patched it without telling anyone. eEye found the hole and gave McAfee an "oh crap!" moment when they had to publicly apologize and urge customers to upgrade. Those that live in glass houses ought not to throw stones, or something like that...
http://biz.yahoo.com/ap/060714/software_flaw.html?.v=4


It's a bird, it's a plane - no it's bulletproof Firefox
So what? - One of the great things about Firefox is the community of folks building extensions for it. I use quite a few to make my daily work activities much easier, so it's been sayonara IE for quite a while for me. Security is one of the areas where a lot of third party activity happens and this article highlights a number of extensions (like NoScript and SiteAdvisor) that can make your browser more secure. But with open source, non-supported code - you should check out all of these things yourself before you tell a user to do it.
http://www.informationweek.com/internet/showArticle.jhtml?articleID=190400479


IBM Does SIM
So what? - Last week, IBM announced an upgraded SIM package, which is based on the GuardedNet stuff that Micromuse bought, which IBM then bought. Most interesting to me is how they are trying to paint this as "new" technology, and now because IBM does it - it's supposed to be interesting. Not so much. I still hate SIM, though integrating identity stuff is sort of different; it's still looking in the rear view mirror.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=190400244


McAfee's Sage Debuts
So what? - Looks like McAfee's Lab guys don't have enough to do. Now they are publishing a semi-annual technical journal clearly because they were sick of Symantec's Threat Report generating a bunch of press activity. They go light on stats, but have a very polished presentation of a lot of the research they've already done. Like on rootkits and open-source security. So, these are not new positions - but rather more of an artifact of the outbound activity the Labs folks do throughout the year. I haven't gotten through the whole thing yet, but it seems fairly high level.
http://www.mcafee.com/us/about/press/corporate/2006/20060717_174026_r.html

Application control coming to an endpoint near you
So what? - I've ranted extensively about the benefits of application control in stopping the proliferation of malware and maintaining a standard, orderly computing environment. But those damn users want their iTunes and all sorts of other crap, making endpoint lockdown a political hot potato. Bit9 and SecureWave provide this kind of capability and Bit9's new version adds some enterprise management and reporting capabilities. To be clear, application control is no panacea, but all of the endpoint offerings really need to have it - so I'd expect both of these companies to be prey for a Big Security predator sooner rather than later.



Top Blog Postings

Big is for the unsophisticated - Huh?
Richard Bejtlich discusses some notes he took of a Marcus Ranum speech at TechnoSecurity. It seems (and this is 3rd hand) that Marcus' contention is that small vendors build things for the sophisticated users, and big vendors deal with the unsophisticated. Actually, that is true, but sort of an unfair characterization. You tend not to see great innovation from big companies, but they wait until the market is large enough for them to play, and that's when the technology is adopted by the mass market (unsophisticated) users. I wouldn't call them unsophisticated, just not early adopters. Also interesting is the perspective that data will be centralized (that is what he's saying) and you'll use "disposable" appliances in many form factors to get to it. This is the promise of utility computing. We've got a long way to go until network access is ubiquitous enough to truly allow this kind of model, but it's exactly right. Marcus is a smart guy, that's for sure.
http://taosecurity.blogspot.com/2006/07/more-notes-from-technosecurity-2006-i.html


But Microsoft is the security underdog

This post from CJ Kelly perplexes me. So many people just presuppose that Microsoft is going to run roughshod over the security business and go to the next step about "world domination" and the like. I don't get that because if anything, Microsoft is a big challenger in the security business. It's Symantec and others that have gotten fat, dumb and lazy, being content just to milk their cash cow. I mentioned this last week, but folks like Intuit and Oracle have beaten Microsoft at their own game, and the security folks can too. But not unless they start innovating. If Microsoft brings forward better value and quality, then they deserve to dominate the security space. But to assume that's going to be the case is just wrong.
http://www.computerworld.com/blogs/node/2946


Two factor is better than no factor

Thanks to Pete Lindstrom for being a voice of reason relative to the phishing attack on Citi last week that compromised two-factor authentication. Calling out Ed Moyle and the inimitable Bruce Schneier was exactly the right thing to do because they are wrong. More security is better than less security and thinking anything is foolproof is amateurish. The luster is off the two-factor rose, but the reality is it has been for a while. And it's not like a man-in-the-middle attack is something new. Putting the two together was innovative, but it just goes to show that we can take NOTHING for granted anymore. But to say there is no value to two-factor is ridiculous.
http://spiresecurity.typepad.com/spire_security_viewpoint/2006/07/nothin_doing_on.html


S/MIME is not the answer to phishing
Sorry George Ou, but S/MIME is too damn complicated to ever be adopted widely enough to prevent phishing. Technically, sure - if every bank digitally signed every piece of outgoing email (and you could trust their certificate), then you'd have authenticated email. That's what DomainKeys is all about, but no one understands it and no one uses it. Browser toolbars are a shorter term answer, but the reality is that banks need to embrace two-way authentication and spend a crapload of money to educate their customers about how to ensure they are communicating with the bank. Ten years later, PKI is still a solution looking for a problem.
http://blogs.zdnet.com/Ou/?p=272
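The mechanism the snippet sketches (the bank signs every outbound message, and the receiver verifies it against a key it already trusts) as an added example; this is not code from the original post nor from S/MIME or DomainKeys themselves. It uses Go's standard-library Ed25519 as a stand-in for S/MIME's X.509 certificates or DomainKeys' DNS-published RSA keys, and the addresses, domain names and message text are constructed for the example. The last case shows the limit the snippet hints at: cryptography only helps a customer who actually checks which domain the mail came from.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Signer holds the key pair the sending organisation (the "bank" in the text)
// uses to sign outbound mail. Only the public half ever leaves the bank.
type Signer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewSigner generates a fresh Ed25519 key pair (assumption: a stand-in for
// the certificate or DNS key a real deployment would use).
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, pub: pub}, nil
}

// Public returns the verification key the receiver must obtain out of band.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Trust builds the receiver's trust store: one key per sender domain.
func Trust(domain string, pub ed25519.PublicKey) map[string]ed25519.PublicKey {
	return map[string]ed25519.PublicKey{strings.ToLower(domain): pub}
}

// canonical fixes exactly which bytes the signature covers: sender address,
// subject and body. Anything outside this set could be altered in transit
// without detection, so the set is chosen deliberately.
func canonical(from, subject, body string) []byte {
	return []byte("from:" + strings.ToLower(strings.TrimSpace(from)) + "\n" +
		"subject:" + strings.TrimSpace(subject) + "\n" + body)
}

// Sign produces a base64 signature over the canonical form of the message.
func (s *Signer) Sign(from, subject, body string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(s.priv, canonical(from, subject, body)))
}

// senderDomain extracts the part after '@' so the verifier can look up
// which key, if any, it trusts for that domain.
func senderDomain(from string) string {
	at := strings.LastIndex(from, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(strings.TrimSpace(from[at+1:]))
}

// Verify checks the message against the key trusted for the sender's domain.
// It fails closed: unknown domain, malformed signature or a mismatch all
// return an error, and such mail should be treated as unauthenticated.
func Verify(trusted map[string]ed25519.PublicKey, from, subject, body, sigB64 string) error {
	domain := senderDomain(from)
	pub, ok := trusted[domain]
	if !ok {
		return errors.New("no trusted signing key for domain " + domain)
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, canonical(from, subject, body), sig) {
		return errors.New("signature does not match message or key")
	}
	return nil
}

func main() {
	bank, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed: the receiver already learned the bank's key through a trusted channel.
	trusted := Trust("bank.example", bank.Public())
	from, subject, body := "alerts@bank.example", "Your statement is ready", "Log in at the usual address to view it."
	sig := bank.Sign(from, subject, body)
	fmt.Println("genuine message:", Verify(trusted, from, subject, body, sig))
	// A relay that rewrites the body to point elsewhere breaks the signature.
	fmt.Println("tampered body:  ", Verify(trusted, from, subject, "Confirm your password at our new site.", sig))
	// A spoofed From address signed with some other key fails too.
	impostor, _ := NewSigner()
	fmt.Println("wrong key:      ", Verify(trusted, from, subject, body, impostor.Sign(from, subject, body)))
	// A look-alike domain is rejected only because no key is trusted for it;
	// a user who never checks the domain gets no help from the cryptography.
	lookalike := "alerts@bank-example.net"
	fmt.Println("look-alike:     ", Verify(trusted, lookalike, subject, body, impostor.Sign(lookalike, subject, body)))
}
```

The verifier deliberately distinguishes "no key for this domain" from "signature failed": the first is the state every customer of an unsigned bank is in today, the second is evidence of tampering or spoofing, and a mail client that wants to be useful against phishing has to surface both rather than quietly showing the message as plain unsigned mail.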


Recently on the Security Incite Rants Blog

EAC blog: Dealing with the death of the moat
For a long time, the right analogy on how to describe security was the moat. Dig it deep and wide and keep the bad guys out. In this second-to-last post on the EAC blog, I go through why deep and wide is still necessary, but not sufficient given the increasingly quantifiable insider threats and the need to secure our data.
http://snipurl.com/svaf

Is small the new big?
In this post, I share a little angst regarding the fact that marketing guru Seth Godin is calling his new book "Small is the new big." Most of you know that I get a lot of mileage out of "Big is the new small," but once someone with a Godin-sized megaphone turns your hallmark on its ear - what now? Basically, we are both right - depending on which side of the problem you are looking at.
http://securityincite.com/blog/mike-rothman/is-small-is-the-new-big

Read Friday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-july-14-2006


Submitted by Rob Lewis (not verified) on Mon, 2006-07-17 19:27.

Sorry Mike,

I think you have these concepts upside down, or the cart before the horse.

If you have a white list for access to the data inside the network in a deny-by-default system, then why do you need a moat, or even endpoint security, as unauthorized access attempts from outside the network just fall off the system as non-events?

This is a poorly understood concept by security practitioners and IT people.


Submitted by Mike Rothman on Tue, 2006-07-18 17:21.

Rob, don't be sorry - let me clarify. Nothing is foolproof, so that's why you put layers in to provide multiple points of protection. Application control and endpoint security are all good and well, but shame on me if I let folks into my garden in the first place. You never know where innovation is going to come from, so you provide a number of fail-safes to ensure that you are protected - even in the event of a massive failure of one of your defenses.

That being said, there have been examples of folks that have removed their firewalls and totally opened up their perimeter. It works for them, but I think it's a high wire act, and one slip and you end up a pancake on the street. Why wouldn't you put multiple layers in place?
