The Daily Incite - June 16, 2006

Submitted by Mike Rothman on Fri, 2006-06-16 07:53.
Today's Daily Incite

June 16, 2006

Good Morning:
I hate Patch Tuesday. It's become more of a media circus than anything useful nowadays. So instead of focusing on what needs to be done, most security administrators need to focus on what needs to be patched. Or not. And that takes up more time because in reality, existing defenses reduce (if not eliminate) the impact of many of the vulnerabilities being patched. Maybe it's just my ADD showing, in that these discussions are just not interesting anymore. If you do the right stuff, then there shouldn't be this crazy urgency to patch - you are protected via other defenses. But the lemmings need something to write about, so there you have it.

I'm taking next week off. So you'll get your next Daily Incite on June 26. But don't fret, I've got some surprises in store for you next week. Suffice it to say, you'll be hearing from me at least once a day (probably not by 10 AM though) and it will be Inciteful!

Have a great weekend.

Top Security News

Check out the new Microsoft guy
So what? - No, I'm not talking about Ray Ozzie's promotion, but the first interview with Microsoft's new security czar, Ben Fathi. Nothing earth shattering, but it's very clear that Microsoft is not in a rush and they do listen to customers. In the past, Microsoft has always told us what was good for us, but at least relative to security they seem to be listening better, as evidenced by the User Account Control (UAC) changes and more flexible ActiveX controls in the latest Vista beta. Most interestingly, Fathi did not pretend to know all the answers. He's OK letting the market tell them how much security should be integrated into the OS, and I like that approach. But this guy has his work cut out for him because no matter how much he does, it's not enough. Talk about a thankless job.
http://www.infoworld.com/article/06/06/13/79258_HNfathiinterview_1.html

McAfee be nimble, McAfee be quick
So what? - McAfee is making Symantec look like a dinosaur right now. This AM they announced open betas for two new products, the so-called "Falcon" suite and also a new version of VirusScan. While Symantec won't commit to delivering anything at any time, McAfee is just getting it done. Beta in June means availability sometime this year, unless it totally sucks. Common to both products is the spyware focus and the integration of SiteAdvisor, so for $60 million McAfee now has something that no one in the AV space has had for years: interesting differentiation. Microsoft is going to take share from someone, AV is a zero-sum game after all, but it doesn't seem like it's going to be McAfee. The hole for McAfee (at least from a desktop perspective) continues to be rootkits, and they should just buy Exploit Prevention Labs and be done with it.
http://biz.yahoo.com/prnews/060616/sff013.html?.v=59

Administrators write down passwords too
So what? - More survey crap telling us what we already know. This time it's Cyber-Ark, who determined that 40% of IT administrators store passwords on bits of paper. So I guess one of the job requirements to be an IT administrator is a photographic memory. And of course, Cyber-Ark sells a product that securely stores passwords. Yet, I'm not sure I'm comfortable with the idea of SSO for all administration consoles because if that one credential gets compromised there are literally no defenses left. At least having a few separate passwords/logins for different admin consoles gives some measure of a fallback position. No? Let me know what you think about this, since clearly my position is still forming.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060614/564129/

Barracuda boots an AV update
So what? - So Barracuda sent a bad AV update yesterday and a bunch of folks didn't get mail. This is a good indication that Barracuda is selling a lot of boxes, because this is news. Having been in this space, I wouldn't say it's routine to have bad AV signatures come down, but it does happen and it's not news. That's the difference between having 1500 customers and 30,000. Interesting to me was that their box got the bad update and STOPPED forwarding mail. I actually think that's a pretty solid way to handle an outage. Sure, there are a lot of folks who say to fail open, but if there was a coordinated attack (knock out the defenses and then compromise the internal network) failing closed would have worked well. And none of the mail was lost, just delayed. Don't look now, Barracuda is becoming a real company because I think they handled this well.
http://www.darkreading.com/document.asp?doc_id=97120
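The fail-closed behavior discussed above, as an added example that is not Barracuda's code or anything from the linked article: a toy mail gateway in Python that validates each signature update before swapping it in (so a malformed or over-broad update never replaces a working set) and, when it has no trusted signature set at all, holds mail rather than forwarding it unscanned. The update format, the calibration samples and the EXAMPLE-MALWARE-MARKER pattern are constructed for the example and are not real signatures or real malware.

```python
"""Fail-closed handling of bad AV signature updates on a mail gateway (added example)."""
import re
from dataclasses import dataclass


class BadUpdate(Exception):
    """Raised when a signature update fails parsing or the self-test."""


@dataclass
class SignatureSet:
    version: int
    patterns: list  # compiled byte regexes


# Constructed calibration samples (hypothetical; not real mail, malware or signatures).
CLEAN_SAMPLE = b"Subject: lunch\n\nSee you at noon."
BAD_SAMPLE = b"Subject: invoice\n\nEXAMPLE-MALWARE-MARKER-1"


def parse_update(raw: str) -> SignatureSet:
    """Parse the constructed update format: a 'version N' line, then one regex per line."""
    lines = [ln.strip() for ln in raw.splitlines()
             if ln.strip() and not ln.strip().startswith("#")]
    if not lines or not lines[0].startswith("version "):
        raise BadUpdate("missing version header")
    try:
        version = int(lines[0].split()[1])
    except (IndexError, ValueError):
        raise BadUpdate("malformed version header") from None
    patterns = []
    for ln in lines[1:]:
        try:
            patterns.append(re.compile(ln.encode()))
        except re.error as exc:
            raise BadUpdate(f"invalid pattern {ln!r}: {exc}") from None
    if not patterns:
        raise BadUpdate("update carries no signatures")
    return SignatureSet(version, patterns)


def matches(sigs: SignatureSet, msg: bytes) -> bool:
    return any(p.search(msg) for p in sigs.patterns)


def self_test(sigs: SignatureSet) -> None:
    """Reject a set that flags clean mail (false-positive storm) or misses the known-bad sample."""
    if matches(sigs, CLEAN_SAMPLE):
        raise BadUpdate("signature set flags the clean calibration sample")
    if not matches(sigs, BAD_SAMPLE):
        raise BadUpdate("signature set misses the known-bad calibration sample")


class Gateway:
    def __init__(self, sigs=None):
        self.sigs = sigs            # None means no trusted engine: fail closed
        self.held = []              # mail delayed, not dropped, while scanning is unavailable
        self.delivered = []
        self.quarantined = []
        self.rejected_updates = []  # reasons, for the operator's log

    def apply_update(self, raw: str) -> bool:
        """Swap in a new set only if it parses, passes the self-test and is not a rollback."""
        try:
            new = parse_update(raw)
            self_test(new)
        except BadUpdate as exc:
            self.rejected_updates.append(str(exc))
            return False                      # keep whatever set is already active
        if self.sigs is not None and new.version <= self.sigs.version:
            self.rejected_updates.append("version rollback")
            return False
        self.sigs = new
        held, self.held = self.held, []
        for msg in held:                      # rescan and release mail held during the outage
            self.handle(msg)
        return True

    def handle(self, msg: bytes) -> str:
        if self.sigs is None:
            self.held.append(msg)             # fail closed: delay rather than forward unscanned
            return "held"
        if matches(self.sigs, msg):
            self.quarantined.append(msg)
            return "quarantined"
        self.delivered.append(msg)
        return "delivered"


GOOD_UPDATE = "version 2\nEXAMPLE-MALWARE-MARKER-\\d+\n"
BAD_UPDATE_SYNTAX = "version 3\n[unclosed\n"       # does not compile
BAD_UPDATE_OVERBROAD = "version 3\n.*\n"           # would quarantine every message


def demo():
    gw = Gateway()
    first = gw.handle(CLEAN_SAMPLE)            # held: no trusted engine yet
    gw.apply_update(GOOD_UPDATE)               # accepted; held mail rescanned and delivered
    gw.apply_update(BAD_UPDATE_SYNTAX)         # rejected, version 2 stays active
    gw.apply_update(BAD_UPDATE_OVERBROAD)      # rejected by self-test, version 2 stays active
    return first, gw.handle(BAD_SAMPLE), gw.sigs.version, len(gw.rejected_updates), len(gw.delivered)
```

The two halves matter separately: validating the update before activation is what prevents the outage in the first place, and holding mail when no trusted set exists is what keeps a bad update from turning into an unscanned-mail window. Neither is a substitute for the other.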

Like everything else, patching evolves
So what? - Given all the consternation around Microsoft's patching escapade this week, this review of BigFix Enterprise gives a bit of perspective on where things are going in that market. As we've seen throughout history, products solve one problem and then broaden to solve others, and patch management is no different. The folks at eWeek Labs like BigFix, but realize it's more of an asset management platform than a patching tool nowadays. They also throw some spyware mitigation technology in there, which is similar to the direction Shavlik is taking. To me, all of these tools are systems management oriented and large enterprises like to buy them from large systems vendors (IBM, CA, HP, etc.), so there is an inevitable consolidation on the horizon. But we've been saying that for years and all of these folks remain independent.
http://www.eweek.com/article2/0,1895,1973555,00.asp

Top Blog Postings

Skype in the Enterprise
Ken Camp writes a book in this post about the good and bad regarding Skype, sort of from a security standpoint. The most interesting nugget is "I think most enterprises block Skype by policy, with few implementing technology blocking that actually blocks Skype." Ken also makes a number of points regarding adhering to policies (even if you don't agree with them) and the risk of P2P applications moving forward. It's an interesting read.
http://ipadventures.com/?p=997

Patch Tuesday is overblown
In Larry Seltzer's eWeek column, he dissects the recent Patch Tuesday and comes to the conclusion that other defenses would have eliminated the risk of each vulnerability. EXACTLY. That's why I am absolutely nauseated by Patch Tuesday now. It feels to me more like a media event than anything else. Bloggers get to blog, writers get to write, and I suspect customers don't give a crap. Larry's point is great in that by doing the stuff you probably already do (AV, IPS, firewalls) you are protected from most of these issues. Defense in depth, baby! And Larry even shares a shred of hope in that he's "optimistic about security," which is surprising since most days he's as grumpy as I am.
http://www.eweek.com/article2/0,1895,1976840,00.asp

Wisdom from Mitnick
Kevin Mitnick is a very gifted social engineer. Perhaps the most famous hacker, he's done time in the big house and now makes a pretty good living teaching folks about social engineering. I've seen him speak and it's both compelling and scary. Kind of like watching a train wreck. He pulled some bloke from the audience and within two minutes had enough information to apply for a credit card. He's interviewed here on CNet and has some worthwhile things to say. Fact is, there are no technical defenses against a well-orchestrated social engineering attack. We cannot forget about training our people to know what's right and wrong and when to share data. Every time you see Mitnick, think of that - as opposed to how much money the guy is making because he spent some time as Bubba's girlfriend.
http://news.com.com/Kevin+Mitnick,+the+great+pretender/2008-1029_3-6083668.html

The weakest link is you
This is a quick post by Dave Piscitello, but it says a lot. He refers to a discussion on an IDS/IPS/Firewall forum, and the wisdom from Chris Blask is stunning: "Good firewalls managed badly suck, 'weak' firewalls managed diligently and used with the right collateral don't." Amen to that. Gaping configuration holes will kill even Fort Knox-type security. Configuration comes back to the administrator. Always keep that in mind.
http://hhi.corecom.com/arc20060601.htm#BlogID535

Recently on the Security Incite Rants Blog

SearchSMB Column: Security VARs -- Buyer Beware
The first installment of my new monthly column on SearchSMB appeared yesterday. I clarify the role of the security VAR in building a security architecture, as well as discuss some stuff customers need to be wary of. Finally, there are the 5 questions you absolutely must ask your VAR.
http://securityincite.com/SearchSMB-Column-Security-VARs

Read Thursday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-june-15-2006

Submitted by Rob (not verified) on Sat, 2006-06-17 09:33.
I wonder if a professional driver behind the wheel of a Mazda could win a road race against a bad driver operating a Formula car? Hmmmm? Blask's comments may be more honest than stunning. Seems like common sense to me. I have heard that the breach rate for enterprise firewalls is more than 40% per year. I would say that is due to things like the complexity of operating them, and rule making. The market leader is notoriously user-unfriendly to set up, so why would anyone be surprised that there are errors made? Poor design adds complexity, but hell, they have great marketing. Marcus Ranum's essay, "Dude, where's my firewall," found on his web site, provides some insight into this as well, putting forth the case that firewall designers basically engineered themselves into this mess.
Submitted by Shawn Priebe (not verified) on Mon, 2006-06-19 16:28.
Having been in management in the credit card industry for some time now, one of our top priorities (as with most companies) is of course your PWs and how and where you store them. When I first got to the company I could walk out on the floor and some people in our center (mainly phone support) would store their PWs beside their monitor on a Post-it note. You had their User ID AND their PW. Every person I saw using this method I would of course approach and talk to about the security risks involved with placing that info there, and we proceeded to figure out another way for them to remember their PWs without it being so obvious.

Despite people being fired for access to VIP CC info, looking up accounts of employees located in the call center with them, blah blah blah, and our constant lecturing, some people don't get the point of how big a risk this really is. Being fired is just the tip.

So what happens next? Months go by and I notice people are not posting them up on the monitor anymore and I start to feel better about myself; maybe all those lectures about methods to create and remember PWs are finally paying off. Later that day I go over to an employee's desk and somehow he accidentally knocks off his keyboard. What do I find? Taped to the back of the keyboard is his User ID and PW, both tagged "User ID" and "PW". After all the meetings and discussions I have had with the center I couldn't do anything but laugh it off and try to explain to them that this isn't much better.

Later that night, after everyone left the building, I went back through some of the desks and noticed that almost EVERYONE that used the Magical PW Remembering Monitor method before had carefully switched to the Hidden Keyboard, Crouching Password method. So in this rant, one of my many opinions toward IT admins, or anyone else who stores their passwords on paper: be sure not to make it obvious that this is your UN and PW. Try to come up with some way to jumble it up so it doesn't seem so obvious what it is. Use it in a sentence or something, just don't have it tagged "My Username and PW"! Come on, you're smarter than that. Also don't post them near your computer anywhere! This is a dead giveaway of what this information is. So if you're going to store it anywhere, it better be in your wallet somewhere behind that picture, because if it comes up missing and is used inappropriately, you'll find yourself holding your wallet, but in the unemployment line.
