The Daily Incite - July 25, 2008
July 25, 2008 - Volume 3, #64
Good Morning:
The DNS flaw exploit code is in the wild. And people are surprised,
chagrined, angst-ridden, and otherwise all up in a tizzy about it. Some
folks are lashing out via their blogs. The Mogull questions why, Hoff
figures a way to work wand extensions into the discussion.
But Martin waters down the discussion to its very core.

"...There's a serious problem with the security researcher community
where being the first to discover and disclose an incident like this is
more important than getting the problem solved for as many companies as
possible." (from Network Security Blog)
Why are we surprised? Researchers are researchers are researchers. This
has been a problem relative to healthcare research since the beginning
of time. It took someone like Mike Milken (yes, the infamous Drexel
Burnham banker) to bridge the gap and start getting cancer researchers
to work together and partner with industry.
And how'd he do that? MONEY. That's right, tradeable hard currency.
Which by the way is one of the major problems with "research" or let's
say basic research at its core. There's very little money in it. Medical
researchers toil away, trying to kill (or heal) rats for years to
isolate a compound that very likely will have no impact on anything.
Many of them have to hump the legs of governments, charities, and
anyone else to fund their life's work. That's time they aren't
researching.
If they do find something, maybe they can start a company and maybe
then they can make some money. That's a big maybe. So in the absence of
clear financial gain, researchers will usually opt for public
recognition and fame. Some have sufficiently big egos that, money
aside, it's still all about them. So you think some of these
ego-maniacs are going to let someone else take the credit for years of
toil in dark, dingy laboratories?
Fat chance.
It gets even better because some researchers have such huge egos that
they can't let anyone else be successful. They treat it like a zero sum
game, either trying to talk down the findings or figuring out a way to
piggyback on the research to get their attention fix. It's sad, really,
and since this is not only precedent but typical behavior in healthcare
research, why do we think security researchers would be any
different?
Human nature tends to evolve in eons, so accept the game for what it
is. But that doesn't mean you have to like it or even accept it. If by
chance you find yourself in a position to do the right thing, then do
so. You can't control anyone else's actions - but you certainly can
control your own. It all starts with one person. One person can change
the world. Don't ever forget that. Have a great weekend.
Photo: "It's all about me," originally uploaded by Monceau
Top Security News
Greene continues the NAC pile on
So what? - The challenge in being a beat reporter is that you are kind
of beholden to whatever news peg shows up in the inbox. These folks are
the ultimate flip-floppers. Some days they are talking about how great a
technology is, and the next they focus on the issues. Tim Greene of
NetworkWorld is no exception. He tends to regurgitate whatever study,
survey, or nebulous product announcement comes his way. By the way, this
isn't meant to be critical of Tim - that's his job. The tech trades
basically serve to aggregate the news, but how we interpret that news is
up to us. It's called PR, folks. This week, Tim highlights an Infonetics
survey about delayed NAC deployments. Since they talked to 242 users,
that is representative of the mass market. Uh huh. Whatever. He also
points out that NAC is still pretty complex, and finds some users to
verify that. Remember that bad news makes much better news than good
news. And generating page views is their business. It's much harder to
find success stories, but at least try to have a balanced view of what
you read, and don't believe it all. That's why I read so much and varied
stuff. It allows me to see the trends and draw conclusions from a wide
swath of territory. Not just from one opinion piece or a statistically
insignificant survey.
How often do you meet with the CEO?
So what? - Does the CEO know your name? Do they know what you do? Have
you gotten their opinion about what's important to protect? If the
answer to any of those questions is no, then you have a lot of work to
do. The InformationWeek folks have done yet another survey about CEO
visibility, but they asked the CIOs - where presumably they'd have a lot
more visibility with CEOs than a security professional. Most tend to
either see the CEO weekly or monthly (70% of the total). Is that a lot
or a little? It depends on what you are trying to do. I guess another
way to ask the question is how often does the senior security
professional meet with the CIO? Is it weekly, is it more often? There
are no right or wrong answers here, but if you don't feel you are
getting enough face time, then start to agitate to get more. Whining
about it or complaining about how you can't get anything done because
you have no executive support isn't really a good answer.
Banks shoot themselves in the online foot
So what? - One of the issues with the Compliance First mentality is that
you open yourself up to the law of unintended consequences. Two years
ago, all financials were aflutter about FFIEC's mandate for mutual
authentication. So they spent a bunch of money to make that happen. And
then they thought their work was done and they'd get back to doing
things like counting money or something. But some folks from U of
Michigan analyzed 214 online banking sites and found that 76% had design
flaws. Some were serious (secure login box on insecure pages, improper
use of SSN, redirect to 3rd party sites) and some not so serious, but
the issue the researchers had was that the banks are providing mixed
messages to their customers. We've got to train consumers to be more
security aware and if their banks can't even do it right, it's hard to
see how we are going to make progress. Since there is no mandate for
decent web design, this is what we are stuck with.
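Two of the flaw classes named above (a login box on an insecure page, and credentials handed to a third-party site) are mechanical enough to check for. The following is an added example, not code from the Michigan study or from this newsletter: a small audit routine that parses a page, finds any form carrying a password field, and flags it when the page itself is plain HTTP, when the form posts to a non-HTTPS action, or when the action lands on a different site than the page. The bank hostnames, page HTML and the "same site equals last two DNS labels" rule are all constructed assumptions for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormFinder(HTMLParser):
    """Collect every <form> on a page and note whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _site(hostname):
    """Coarse 'same site' key: the last two DNS labels (assumption; a real
    audit would use the public suffix list instead)."""
    labels = (hostname or "").lower().split(".")
    return ".".join(labels[-2:])


def audit_login_page(page_url, html_text):
    """Return a list of findings for every login (password-bearing) form on the page."""
    findings = []
    page = urlparse(page_url)
    finder = _FormFinder()
    finder.feed(html_text)
    for form in finder.forms:
        if not form["has_password"]:
            continue  # search boxes and the like are not our concern
        # Flaw 1: secure login box on an insecure page. Even an HTTPS action does
        # not help, because the HTTP page that delivered the form can be rewritten.
        if page.scheme != "https":
            findings.append("login form served over plain HTTP")
        action = urlparse(urljoin(page_url, form["action"]))
        # Flaw 2: credentials posted in the clear.
        if action.scheme != "https":
            findings.append("credentials posted over plain HTTP: " + action.geturl())
        # Flaw 3: credentials sent to a different site than the one the user typed in.
        if _site(action.hostname) != _site(page.hostname):
            findings.append("credentials posted to a different site: " + _site(action.hostname))
    return findings


# Constructed sample pages (not real banks).
INSECURE_PAGE_URL = "http://www.example-bank.test/index.html"
INSECURE_PAGE_HTML = (
    '<html><body><form action="https://login.example-bank.test/auth" method="post">'
    '<input type="text" name="user"><input type="password" name="pass"></form>'
    '<form action="/search"><input type="text" name="q"></form></body></html>'
)
SECURE_PAGE_URL = "https://www.example-bank.test/login"
THIRD_PARTY_HTML = (
    '<html><body><form action="https://auth.partner-vendor.test/sso" method="post">'
    '<input type="text" name="user"><input type="password" name="pass"></form></body></html>'
)
CLEAR_ACTION_HTML = (
    '<html><body><form action="http://www.example-bank.test/auth" method="post">'
    '<input type="password" name="pass"></form></body></html>'
)
GOOD_HTML = (
    '<html><body><form action="/auth" method="post">'
    '<input type="text" name="user"><input type="password" name="pass"></form></body></html>'
)

if __name__ == "__main__":
    for url, doc in [(INSECURE_PAGE_URL, INSECURE_PAGE_HTML), (SECURE_PAGE_URL, THIRD_PARTY_HTML),
                     (SECURE_PAGE_URL, CLEAR_ACTION_HTML), (SECURE_PAGE_URL, GOOD_HTML)]:
        print(url, "->", audit_login_page(url, doc) or ["no findings"])
```

The first check is the one the researchers cared about most: a login form on an HTTP page gives the customer no visible assurance, whatever the form's action says, because anyone who can tamper with the HTTP page can point the form elsewhere.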
The Laundry List
- One spammer enter, another leaves. Soloway gets 47 months (tell Vick we said hello) and Eddie Davidson escapes. Guess he was having a bad case of email withdrawal. Ed Dickson wonders if any of it matters.
- Intrepidus launches PhishMe, which tests your employees' ability to tell an attack from legit email. I'm a big fan of testing, so I hope these guys do well with this. - Intrepidus release
- Check Point announces 2Q results. You can also check out the conference call transcript. - Check Point release
- EMC also announces results. RSA growing at a slower rate (15% to $144 million top line) than the entire company. That can't be good. - EMC earnings release
Top Blog Postings
Remember about Plan B
This post is old, but it's so good I just couldn't let my vacation
schedule hinder my ability to highlight it. Shrdlu talks about the
"Power of Fail," and it really is a key tool in the bag of the security
professional. It's really about having the security mindset. We have to
constantly be thinking about how we can get killed. What can go wrong,
how would a bad guy/gal use something for nefarious purposes. It's a
tough job because most people don't think this way, and that's why they
are constantly surprised when things go wrong. Of course, you can't
examine every single combination and permutation of an outcome - BUT in
reality there are only a few reasonably likely failure scenarios and
they have to be considered and planned for. If you hit one of the edge
cases? Then you focus on REACTING FASTER.
http://layer8.itsecuritygeek.com/layer8/the-power-of-fail
One person can change the world (or lock you out of your house)
I actually found the SF network fiasco to be rather entertaining. A
rogue employee gets pissed off and locks everyone out of the network.
Ooops. He won't spill the beans from jail until the Mayor goes and
kisses his ass. As Shrdlu points out, this is about narcissism. Plain
and simple. So find these folks and throw them off the bus quickly, and
make sure you remove their access BEFORE they know what's going to hit
them. Martin brings up a number of good, derivative points about logic
time bombs. But ultimately, you have to wonder how this could happen.
How could one password control all of the keys to the kingdom? Crappy
design, and inability to think about FAIL (see above). But entertaining
nonetheless.
http://www.mckeay.net/2008/07/16/why-no-one-person-should-control-it-all/
Think different and maybe survive
RSnake highlights some ideas about whether it makes sense to use common
defenses to protect your web apps. I think of this as being a lemming,
in terms of using similar tactics (usually the easy, path of least
resistance kind) to everyone else. The Snake points out that this is a
huge liability. As the man says: "That's why it's critical that we throw
best practices to the wind unless it comes down to compliance issues.
Sure, we don't want to go to jail for not being compliant, but if you
follow best practices to the letter of the law, it will only make you as
weak as all the others who did the same." But just being compliant isn't
going to help you be secure. Let's use a football analogy because summer
camps have opened up. If everyone knows what defense you are going to
run, they can design an attack to shred you. So you have to be a bit
like Belichick and be constantly changing up schemes, trying new stuff
and keeping your foes on their toes. And having a video recording of
your competition doesn't hurt either. HA!
http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=159324