The Daily Incite - March 21, 2006

Submitted by Mike Rothman on Tue, 2006-03-21 08:23.
Today's Daily Incite
Good Morning:
Today's Incite is pretty long, but there is a lot going on: a few vendor announcements (as always, related back to a bigger theme) and some vulnerability and attack news. It also looks like Microsoft is ramping up its global legal team to go after phishers. Good luck to them on that.

I'd also like to wish my wife Jodi a Happy Birthday. As captain of the household, she keeps things running and lets me sit in my office and bang away at the keyboard. She was also a major influence when I decided to start Security Incite. Her support and confidence in my abilities are unwavering. I couldn't have asked for a better partner.

Have a great day.

Top Security News

It's Raining IT Security Surveys (http://snipurl.com/nwt7)
So what? - NetworkWorld provides some insight into IT security surveys in this article. This quote says it all: "Leading security vendors, looking to scare up interest in their products, pumped out more than twice as many of these surveys last year as in 2004, and this year are on an even more aggressive pace." They do the surveys because they are counting on peer pressure to be a catalyst for activity. In many cases, the survey tool is suspect and can present biased results - but I guess that's the point. This topic gets me kind of fired up, so I'm going to do a longer blog posting later today.

Cyber-Ark Delivers User Management Support (http://www.cyber-ark.com/networkvaultnews/pr_20060320.asp)
So what? - Cyber-Ark is bringing its vaulting technology to bear on the problem of managing administrator passwords. This is a big problem because administrator passwords usually provide the keys to the kingdom, so they need to be handled wisely. Monitoring admin password use matters just as much: you want not only to protect the keys but also to know how and where they are used.
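
To make the check-out and monitoring idea concrete, here is an added example (my own Ruby code, not Cyber-Ark's product or anything from the press release) of the core of a privileged-password vault: one holder per account at a time, leases that expire, rotation on check-in so a released password is worthless, and an audit trail that answers who used which account, when and why. The class, account and user names are invented for the example, and it keeps secrets in memory in plaintext purely to stay short; a real vault encrypts at rest, authenticates the caller and pushes the rotated password to the managed system.

```ruby
require 'securerandom'

# Illustrative privileged-password vault (example code, not Cyber-Ark's).
# Secrets live in memory in plaintext only to keep the example short.
class AdminPasswordVault
  class Denied < StandardError; end

  Lease = Struct.new(:user, :reason, :expires_at)

  # The clock is injectable so expiry behaviour is deterministic in tests.
  def initialize(ttl: 3600, clock: -> { Time.now })
    @ttl = ttl
    @clock = clock
    @secrets = {}   # account => current password
    @leases = {}    # account => Lease of the current holder
    @audit = []     # append-only event log
  end

  def add_account(account, password)
    @secrets[account] = password
    record(:added, account, 'system', nil)
  end

  # Hands out the password under an exclusive, time-limited lease.
  # A second user is refused while a live lease is held by someone else.
  def checkout(account, user:, reason:)
    raise Denied, "unknown account #{account}" unless @secrets.key?(account)
    lease = @leases[account]
    if lease && lease.expires_at > @clock.call && lease.user != user
      record(:denied, account, user, reason)
      raise Denied, "#{account} is checked out by #{lease.user}"
    end
    @leases[account] = Lease.new(user, reason, @clock.call + @ttl)
    record(:checkout, account, user, reason)
    @secrets[account]
  end

  # Releases the lease and rotates the password. Pushing the new password to
  # the managed system is the vault's job and is not modelled here.
  def checkin(account, user:)
    lease = @leases[account]
    raise Denied, "#{user} holds no lease on #{account}" unless lease && lease.user == user
    @leases.delete(account)
    @secrets[account] = SecureRandom.base64(24)
    record(:checkin_rotated, account, user, nil)
    true
  end

  # Current holder, or nil when the account is free or the lease has lapsed.
  def holder(account)
    lease = @leases[account]
    lease && lease.expires_at > @clock.call ? lease.user : nil
  end

  # The "how and where" part: every event, optionally filtered to one account.
  def audit_trail(account = nil)
    account ? @audit.select { |e| e[:account] == account } : @audit.dup
  end

  private

  def record(event, account, user, reason)
    @audit << { at: @clock.call, event: event, account: account, user: user, reason: reason }
  end
end
```

The denied check-out is logged as well as the successful ones, which is the signal you actually want from a vault: someone asking for a key they should not have is worth more to an investigator than the routine uses.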

New Zero Day Bug Crashes IE (http://www.informationweek.com/news/showArticle.jhtml?articleID=183700672)
So what? - This time one malformed HTML tag can bring down IE. That's comforting. It's not clear whether the crash can be turned into anything worse, such as a hijacked session, but either way IE remains problematic. In this case there is actually an easy fix: use Firefox. That's what I do.

Get Ready for More DoS Attacks (http://snipurl.com/nwu6)
So what? - The folks over at VeriSign were hitting the circuit this week talking about a new wave of denial of service attacks on the horizon. These are kicked off by abusing name servers out there (compromised, or simply left open to anyone's queries) and using them to amplify the attacks: a small query carrying the victim's spoofed source address draws a much larger response from the name server, so the attacker's bandwidth is multiplied many times over at the target. The most interesting nugget here is that these are FOCUSED attacks. They are not trying to take down the entire Internet, but rather a few targeted sites. Just more evidence that hacking is a business now. Hobbyists need to get back to their train tables.
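
As an added illustration (my own Ruby example, not from VeriSign or the article), here is a detector that works from flow summaries to spot the victim of a DNS amplification attack: a host suddenly receiving large answers from source port 53 of many name servers it never queried. The flow records are constructed for the example, the addresses are documentation ranges, and the thresholds are assumptions to tune against your own traffic; the site's own recursive resolver is included to show the false positive you get if the ratio threshold is set too loosely.

```ruby
require 'set'

# Minimal flow record, as a NetFlow/sFlow collector would summarise traffic.
Flow = Struct.new(:src, :sport, :dst, :dport, :proto, :bytes, keyword_init: true)

# Constructed sample flows (not captured traffic). 203.0.113.10 is the target:
# it receives large UDP answers from source port 53 of five name servers it
# never queried, because the attacker spoofed its address on the queries.
# 10.0.0.20 is a normal client; 10.0.0.2 is the site's own recursive resolver,
# which legitimately talks to several upstream servers.
SAMPLE_FLOWS = [
  Flow.new(src: '10.0.0.20', sport: 41000, dst: '10.0.0.2', dport: 53, proto: :udp, bytes: 64),
  Flow.new(src: '10.0.0.2', sport: 53, dst: '10.0.0.20', dport: 41000, proto: :udp, bytes: 180),
  Flow.new(src: '10.0.0.20', sport: 41001, dst: '10.0.0.2', dport: 53, proto: :udp, bytes: 70),
  Flow.new(src: '10.0.0.2', sport: 53, dst: '10.0.0.20', dport: 41001, proto: :udp, bytes: 200),
  Flow.new(src: '10.0.0.2', sport: 52001, dst: '192.0.2.1', dport: 53, proto: :udp, bytes: 60),
  Flow.new(src: '192.0.2.1', sport: 53, dst: '10.0.0.2', dport: 52001, proto: :udp, bytes: 500),
  Flow.new(src: '10.0.0.2', sport: 52002, dst: '192.0.2.2', dport: 53, proto: :udp, bytes: 60),
  Flow.new(src: '192.0.2.2', sport: 53, dst: '10.0.0.2', dport: 52002, proto: :udp, bytes: 500),
  Flow.new(src: '10.0.0.2', sport: 52003, dst: '192.0.2.3', dport: 53, proto: :udp, bytes: 60),
  Flow.new(src: '192.0.2.3', sport: 53, dst: '10.0.0.2', dport: 52003, proto: :udp, bytes: 500),
  Flow.new(src: '198.51.100.1', sport: 53, dst: '203.0.113.10', dport: 5000, proto: :udp, bytes: 4000),
  Flow.new(src: '198.51.100.2', sport: 53, dst: '203.0.113.10', dport: 5000, proto: :udp, bytes: 4000),
  Flow.new(src: '198.51.100.3', sport: 53, dst: '203.0.113.10', dport: 5000, proto: :udp, bytes: 4000),
  Flow.new(src: '198.51.100.4', sport: 53, dst: '203.0.113.10', dport: 5000, proto: :udp, bytes: 4000),
  Flow.new(src: '198.51.100.5', sport: 53, dst: '203.0.113.10', dport: 5000, proto: :udp, bytes: 4000),
  Flow.new(src: '10.0.0.20', sport: 45000, dst: '203.0.113.10', dport: 80, proto: :tcp, bytes: 900),
].freeze

# Per host: how many distinct servers answered it from port 53, how many
# bytes of answers arrived, and how many bytes of queries it sent out itself.
def dns_response_profile(flows)
  profile = Hash.new { |h, k| h[k] = { resolvers: Set.new, bytes_in: 0, bytes_out: 0 } }
  flows.each do |f|
    next unless f.proto == :udp
    if f.sport == 53
      profile[f.dst][:resolvers] << f.src
      profile[f.dst][:bytes_in] += f.bytes
    elsif f.dport == 53
      profile[f.src][:bytes_out] += f.bytes
    end
  end
  profile
end

# A victim is a host answered by at least min_resolvers servers whose inbound
# answer volume exceeds min_ratio times the queries it actually sent. A host
# that sent no queries at all gets an infinite ratio: pure reflection.
def find_amplification_victims(flows, min_resolvers: 3, min_ratio: 10.0)
  dns_response_profile(flows).each_with_object([]) do |(host, p), victims|
    next if p[:bytes_in].zero?
    ratio = p[:bytes_out].zero? ? Float::INFINITY : p[:bytes_in].to_f / p[:bytes_out]
    next unless p[:resolvers].size >= min_resolvers && ratio >= min_ratio
    victims << { host: host, resolvers: p[:resolvers].size, bytes_in: p[:bytes_in], ratio: ratio }
  end
end
```

With the default thresholds only 203.0.113.10 is flagged; the site resolver 10.0.0.2 also talks to three servers but its answer-to-query ratio is about 8, so it only shows up once min_ratio is dropped to 5, which is the tuning trap to watch for on a network that runs its own recursive resolvers.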


Fallout from Poor Government Security? (http://snipurl.com/nwub)
So what? - In this SearchSecurity article, the author asks whether the US federal government's continually failing IT security grades will keep the private sector from sharing information with it. I don't buy it. I have a hard time believing that a commercial company is going to say no when DHS or the FBI comes asking for help. I'm not sure how often this happens, but there tends to be a great halo effect for helping out the Feds, and I don't see vendors walking away from that.

Now Microsoft Taking on Phishing (http://biz.yahoo.com/bizj/060320/1261715.html?.v=1)
So what? - Since Microsoft's legal attack on the spammers a few years ago was such a rousing success, they are now targeting phishers. Give me a break. Phishing is against the law; it's clearly fraud. Sure, spamming violates CAN-SPAM, but that was a concocted law under which a violation is very hard to prove. Many of these folks are off-shore, so it will be interesting to watch how this goes. I do think litigation has a role in stopping bad stuff, and I'm glad Microsoft is paying for it and not me. BUT ultimately I think this is as much for PR effect as to effect change.

Pushing for Secure Code (http://snipurl.com/nwuj)
So what? - NetworkWorld runs an article about secure coding. I'm a big fan of these tools, but I think it will take a long time to change the behavior of the developers out there. Getting rid of vulnerabilities early in the process is critical and will save money, but it's a pain in the ass. It usually takes some time for folks to see the light and actually do something. This will be no exception.

Setting the Foundation for Identity Management (http://www.networkworld.com/supp/2006/ndc1/032006-ndc-identity-management.html?page=1)
So what? - NetworkWorld is running a series on the "New Data Center" and this article highlights the role of Identity Management. It provides some customer profiles of IdM implementations and what impact the technology is having. IdM is a pillar of the Pragmatic Security Architecture, so I'm glad to see these kinds of articles highlight its importance.

 
Top Blog Postings

Microsoft Solving the Spyware Problem?
Richard Stiennon has rejoined the ranks of the security analysts. This is the guy who pronounced IDS dead with great fanfare a couple of years ago. In this posting on his Threat Chaos ZDNet blog, he's at his sarcastic best. He's right to say that we cannot prematurely anoint Microsoft the spyware savior. In my view, that's because there is no answer. It's just like AV, and anti-spyware will soon be a feature of AV. There will always be bad guys out there, and spyware is just another attack vector. It's a battle we'll all need to fight indefinitely.

Link: http://blogs.zdnet.com/threatchaos/?p=294

More on Security Surveys
Ellen Messmer, on her NetworkWorld blog, adds a companion piece to the IT security survey article (mentioned above) with some more data. This one references the same PGP/Ponemon study that I ranted about yesterday. The reality is that surveys are a marketing tool like anything else. If the data helps support your decision, great. If not, disregard it, because if you look (and you don't need to look that hard) there will be holes in the methodology and the survey tool. These are vendors doing the study, not a university professor looking to publish bulletproof results.

Link: http://www.networkworld.com/weblogs/security/011538.html

Sophos Cracks the RansomWare Password
Mark Gibbs, on his NetworkWorld blog, mentions that Sophos has solved the ransom attack of last week. These jokers would pack your key files into a password-protected zip file and then demand $300 for the password. Kudos to the folks over at Sophos who cracked this. That is the weak point of the scheme: a password hard-coded into the malware can be pulled back out of it. This one actually looked like a file name, so anyone looking at the source would just pass right over it. Ingenious.

Link: http://www.networkworld.com/community/?q=node/5120

It's Tax Season for Phishers
Douglas Schweitzer, on his ComputerWorld blog, refers to a CW article pointing out that this is prime time for IRS phishing scams. Folks are pretty sensitive to anything tax-related, so this is a pretty effective ruse to separate them from their personal information. I've personally seen a bunch of these show up in my spam quarantine, so it's happening.

Link: http://www.computerworld.com/blogs/node/2048

Ed Moyle Doesn't Trust E&Y
I think I've lost the title of most pissed-off security pundit. In this blog posting, Ed Moyle rants about E&Y being hypocritical and wonders why we take their advice. It's actually a great question because it gets to the heart of trust. Why do you trust an organization, and, most importantly, what does it need to do to maintain that trust?

Link: http://www.securitycurve.com/blog/archives/000362.html

Open Source Log Analysis
Randy Bias points us towards Oedipus, a new Ruby-based open source tool that does log analysis to find vulnerabilities. This is the first of what I expect will be many new open source initiatives aimed at simplifying and democratizing big, fat, expensive security software. If something like this can, over time, provide 80% of the functionality of SIM (security information management), then that is one more nail in the coffin of that sector.

Link: http://www.randybias.com/archives/000246.html
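
As an added example of what even a small log-analysis tool can surface (my own Ruby code, not Oedipus or anything from Randy's post), the block below parses constructed web server log lines in Apache combined format, URL-decodes each request (repeatedly, so double-encoded payloads are caught too) and flags common attack patterns per source address. The signature set is deliberately tiny and is an assumption, not a production rule set; the log lines and addresses are made up for the example.

```ruby
require 'uri'

# Small signature table, name => regex applied to the decoded request target.
# Constructed for this example; a real tool ships a far larger, tuned set.
SIGNATURES = {
  'sql-injection'     => /(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table)/i,
  'path-traversal'    => %r{(\.\./|\.\.\\)},
  'xss'               => /<\s*script\b|javascript:/i,
  'command-injection' => /[;|`]\s*(cat|ls|id|wget|curl)\b/i,
}.freeze

# Apache/NCSA combined log format; fields we do not need are matched and dropped.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) (?<proto>[^"]+)" (?<status>\d{3}) (?<bytes>\S+)/

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: m[:time], method: m[:method], target: m[:target], status: m[:status].to_i }
end

# Decode percent-encoding until it stops changing, so %252e%252e%252f becomes
# ../ rather than slipping past a single decode. Malformed encoding is left as is.
def full_decode(s)
  cur = s
  loop do
    begin
      nxt = URI.decode_www_form_component(cur)
    rescue ArgumentError
      return cur
    end
    return cur if nxt == cur
    cur = nxt
  end
end

# Returns one finding per (line, signature) match, in log order.
def analyze_log(lines)
  findings = []
  lines.each do |line|
    rec = parse_line(line.chomp)
    next unless rec
    decoded = full_decode(rec[:target])
    SIGNATURES.each do |name, re|
      next unless re.match?(decoded)
      findings << { ip: rec[:ip], time: rec[:time], signature: name, status: rec[:status], target: rec[:target] }
    end
  end
  findings
end

# Findings per source address, so a noisy scanner stands out from a one-off.
def by_source(findings)
  findings.group_by { |f| f[:ip] }.transform_values(&:size)
end

# Constructed sample log (not a real server's log).
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [21/Mar/2006:08:01:12 -0500] "GET /index.html HTTP/1.1" 200 1423
  10.0.0.5 - - [21/Mar/2006:08:01:14 -0500] "GET /images/logo.gif HTTP/1.1" 200 2201
  192.0.2.77 - - [21/Mar/2006:08:02:03 -0500] "GET /products.php?id=1'%20OR%20'1'='1 HTTP/1.1" 500 312
  192.0.2.77 - - [21/Mar/2006:08:02:05 -0500] "GET /products.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 8812
  192.0.2.77 - - [21/Mar/2006:08:02:09 -0500] "GET /download.php?file=%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 200 1811
  198.51.100.9 - - [21/Mar/2006:08:03:40 -0500] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 950
  10.0.0.8 - - [21/Mar/2006:08:04:01 -0500] "POST /login.php HTTP/1.1" 302 0
LOG

if __FILE__ == $PROGRAM_NAME
  findings = analyze_log(SAMPLE_LOG.lines)
  findings.each { |f| puts "#{f[:time]} #{f[:ip]} #{f[:signature]} #{f[:status]} #{f[:target]}" }
  puts by_source(findings).inspect
end
```

The status code is carried along for a reason: a 500 on the quoted-string SQL probe and a 200 with a large response on the UNION SELECT that follows is the difference between an attempt and a likely success, and that is the kind of correlation the expensive SIM products charge for.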

No Such Thing As Privacy
CJ Kelly, on the ComputerWorld blog, posts some pretty disturbing thoughts about how much information Google is learning about all of us and how that may be used against us. It did get me thinking a bit, but as Scott McNealy once put it, "You have zero privacy anyway. Get over it." The fear of losing my privacy is not as great as the fear of trying to figure out how I'd do my job without tools like Google.

Link: http://www.computerworld.com/blogs/node/2046