The Daily Incite - July 20, 2006
Good Morning:
Sometimes I feel like the rabbit in Alice in Wonderland: "I'm late. I'm late. For a very important date." You know, those days where you get a lot done, but the pile is probably a bit bigger than when you started the day. But that's OK - better to be too busy, than not busy enough. Not that you can't always be busier, but some weeks the bubbles go up.
On to more important topics, we had a few earnings releases yesterday including RSA. RSA showed significant top line growth (release here), but seemed to spend like drunken sailors (and that wasn't just Art's parachute when the EMC deal closes) impacting earnings. But no matter, RSA clearly has the revenue growth that EMC was looking for, and that's without any synergies and leverage of bringing security into the data center. Continuing on the consumer authentication trail, Entrust acquired Business Signatures to gain more exposure to that space. How long before Vasco needs to buy something that looks like contextual authentication? Not long, I suspect.
And it never ceases to amaze me how much I don't know and how much I don't see. Reading a post by the Matasano folk (notice Thomas, I didn't say "guys" this time) forced me to take a much different view of Symantec's research into the Vista attack surface. I still don't buy that Symantec had good intentions in doing the research, but being able to point to the progress Microsoft has made is very interesting.
Have a great day.
Top Security News
Deal: Entrust acquires Business Signatures
So what? - There is no doubt consumer authentication is hot, and supposedly only 20% have moved on the FFIEC mandate. This is pushing public companies to acquire basic technology for $50 million to gain exposure to the market. In this deal, Entrust acquires Business Signatures, which is a Silicon Valley start-up that touts a "non-invasive" seemingly network-based approach to detecting fraud. Before today I hadn't heard of these folks, so I don't know much beyond what's in the release. I do find it interesting that Entrust now has a "west-coast" presence - wasn't enCommerce (which they bought in 2001) on the west coast? In separate news, Entrust announced their Q2 results (link here). I'd have more of an opinion, but it doesn't seem that any Wall Street analysts cover them anymore, so it's not clear how they did relative to expectations.
http://www.entrust.com/news/2006/6363_6463.htm
Technorati tags: Entrust, Business Signatures, authentication
Oracle's patch-o-mania
So what? - If you work for a big company, you use Oracle somewhere for something. That means you are interested in their quarterly or so critical patch update which fixes some broken things. But not all the broken things evidently. There are still 10 or so outstanding patches that need some quality fixes. Suffice it to say, Oracle's got a lot of work to do to nail down their patching process and it's just a matter of time before it turns out they didn't get it done fast enough. Carnage will ensue, and their process will change. That's the way the game works.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1201186,00.html
Technorati tags: Oracle, patching
The rise of ERM
So what? - I've mentioned Enterprise Rights Management a couple of times because I think the persistent control of data is the ultimate place we need to get to for "information security." It will be a LONG road to get there, especially with seemingly few companies willing to get involved. This article highlights one of the remaining few, Liquid Machines, but the others are EMC (via Authentica buy), SealedMedia, Microsoft, and Adobe. None of which seem to be in a particular rush to get much done. So this may be one where it incrementally gets added to the plumbing (storage by EMC, documents by Adobe, and operating systems by MSFT) and then it's just there a decade down the road. But the problem is without unbelievably broad coverage of platforms and applications, ERM doesn't really secure much of anything.
http://www.gcn.com/print/25_20/41307-1.html
Technorati tags: ERM, enterprise rights management, Microsoft, Adobe, EMC, Liquid Machines
Spam continues to be a mess
So what? - This multi-page expose on spam by InformationWeek is pretty interesting. Filters have become pretty effective (though far from perfect I say), but that masks the increasing volumes and more destructive payload in these messages. Statistically, the numbers are on the side of the bad guys. They can have minimal conversion rates and still wreak havoc. They also talk about sender authentication as a solution to phishing, but I still think that is a waste of time. Fact is, even if a message is authenticated and signed, you are counting on the user to understand that? Or the spam filter? There is a huge margin for error there. The answer is still two-way authentication with consumers being more effectively trained to recognize the site of their trusted partners (banks, credit card companies, retailers, etc.).
http://www.informationweek.com/research/showArticle.jhtml?articleID=190600156
Technorati tags: spam, phishing, sender authentication
Will technology ever trump size?
So what? - I wanted to highlight an announcement that Webroot made on Monday about a new version of their anti-spyware stuff to make a point. Clearly these guys have a technology advantage over the other big folks (Microsoft, Symantec, McAfee, etc.) in fighting spyware. But how much of an advantage and does it matter? When your market is subsumed by someone much bigger that just bundles it into their offerings, how do you compete on the merits of technical gizmos? We saw Microsoft do this to Symantec (back when Symantec was mostly Windows utilities) countless times. Oops, backup is now in Windows 2000. And now we are seeing all of these folks do it to Webroot. You can compete for a time, but not a long time when the competition is good-enough and free (or bundled into something else you are already paying for). Another alternative is to build a "lifestyle" company, which does a good business - but is never going to be considered a market leader. The AV guys not Symantec or McAfee come to mind (Kaspersky, Panda, Sophos). I doubt the folks that pumped $100 million into Webroot about 2 years ago are interested in a lifestyle.
http://www.webroot.com/company/pressroom/pr/spy-sweeper-5.html
Technorati tags: Webroot, anti-spyware
Top Blog Postings
The other side of the application control debate
I love it when two bloggers go after each other. In this post, Bob Lewis takes on Roger Grimes's contention that one way to secure your environment is to clamp down on unauthorized applications. Bob takes the user's perspective and shows (rather vehemently) that some of those arguments are powerful. But Bob is not entirely right either, in that GoToMyPC and other unauthorized applications do create another ingress point to the network that can be compromised. So sure, the employee is conscientious and trying to get work done, but still - ultimately the information security folks have to act in the best interest of the company and that may mean not allowing some stuff that would be more convenient to the users. In the end, Bob does sum it up nicely - "Grimes appears to consider the role of Information Security to be achieving total security, not striking a balance between risk and opportunity." Clearly we have to find that balance for our organizations. I do believe that application control is one of the solutions, but there need to be shades of gray.
http://weblog.infoworld.com/lewis/archives/2006/07/information_sec.html
Technorati tags: endpoint security, application control
Symantec poking Microsoft is a good thing?
I will admit to having a very market-driven perspective on things. I tend to see the competitive impact of something, as opposed to being able to take a step back and see more. Thanks to Dave over at Matasano for providing a different perspective on Symantec evaluating the attack surface of Microsoft's Vista. It seems Microsoft has made a lot of progress in fixing many of the issues and it provides hope that Vista will be something short of a security train wreck when it shows up in 6 months or so. But I still need to wonder if this is the conclusion that Symantec wanted folks to draw. I suspect not and the media (myself included) was only too quick to jump on the remaining issues that Symantec pointed out. Falls into the category of swing and a miss for Mike.
http://www.matasano.com/log/374/symantec-paper-validates-trustworthy-computing/
Technorati tags: Microsoft, Vista security, Symantec
Incredible insider impact
I think it was my high school English teacher that taught me when you have nothing to say, try alliteration. This post by Martin McKeay is right on the money. He points to TaoSecurity's perspectives on the insider threat and I agree. By sheer numbers, the insider threat is minimal. By impact, it's a different story. Why? Because as Martin says, we trust the insiders and expect them to do the right thing. So when they don't, our defenses are weak and inadequate. Protecting the infrastructure is not much use against insiders. That's why we've got to treat data and information separately and protect them separately.
http://www.computerworld.com/blogs/node/3016
Technorati tags: insider threats, data security
Instant vs. Responsible Disclosure
It's great when two smart guys (Alan Shimel and Martin McKeay) can be on different sides of a debate, and both have their points. Given the McAfee fiasco this week (uh, we didn't know we patched it), vulnerability disclosure is once again in the headlines. That has been compounded by folks figuring out how to game Microsoft's patching process - announce a vulnerability/exploit the day after Patch Tuesday, ensuring that Microsoft won't patch until the next month. I am on Alan's side here in advocating for responsible disclosure. Sure, if the company (Oracle, listen up) is not responsive and does not fix the issue, then by all means - go public with it - but only after a legitimate waiting period. Disclosing something without giving the vendor adequate time to react is not just irresponsible, but it puts a lot of innocent folks at risk.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/07/fire.html
Technorati tags: exploits, responsible disclosure


Thomas,
I hear your point and that's more good perspective. But I also don't think that Oliver was out there humping his work in the press this week. That would be uncharacteristic given what I know about "most" vulnerability researchers. It's plausible that Oliver has free rein over what gets researched, but I highly doubt he has much to say about what Symantec's PR machine decides to push.
If their objective is to regain lost ground on the research side, your friend Oliver is going to find himself a pawn in a very high profile game. Maybe he knows this, maybe he doesn't. Since I don't know him I can't say. But when his group finds something of interest (like they did this week), the Big Yellow PR machine will try to bend it to their own devices.
I'm not doubting that the research was genuine. But I'm very comfortable in my assessment of what their PR aims were.