The Daily Incite - March 28, 2006
March 28, 2006
Good Morning:
Fairly slow news day yesterday, which in our business is not a bad thing. Do note the evolution of spyware is happening fast. With the appearance of a $20 kit, we are going to see a bunch more unsophisticated spyware attacks. Just like spam, we will get numb to the number of different attacks out there. Just like spam, the mushrooming attack vectors waste time, resources and bandwidth. This gives the carriers another reason to bitch about how they can't make money. We've all seen this movie before.
Have a great day.
Top Security News
Microsoft Zero Day Vulnerability Brings Attack of the Press Releases
So what? - It's that time again. Exploits in use for an unpatched Microsoft vulnerability. So every security vendor must issue a press release to toot the horn that they stopped the attack before it started. There are many ways to skin any cat, and a balanced, pragmatic security architecture requires multiple levels of defense against this type of attack. No wonder Warren Buffett bought Business Wire. During these kinds of outbreaks, the wire services are the only ones printing money.
eEye release: http://www.eeye.com/html/company/press/PR20060327.html
Third Brigade release: http://www.thirdbrigade.com/company/Media/pressrelease/03262006.html
$20 Spyware Kit (http://www.eweek.com/article2/0,1895,1942497,00.asp)
So what? - We've seen this movie before. Whether it was a free tool like SATAN or spamming software, this is the logical evolution of every specific new class of attack. This kind of tool now provides "script kiddies" with the tools that they need to develop spyware. The attacks from these folks won't be sophisticated, but there will be an avalanche of activity. I'm not worried about my readers, I'm worried about the "great unwashed" that have no defenses and will continue to be overrun by spyware. Law enforcement will be pretty busy, since these folks won't know how to adequately cover their tracks.
Case Study: Secure Applications (http://snipurl.com/oas1)
So what? - Have I said lately that I like case studies? This is another one about how DTCC in New York has changed their development process to integrate security testing and tools. Sure they are an early adopter, but secure coding is going to happen and it's just a matter of time before the big dev tools vendors (IBM Rational, Mercury, Borland, Microsoft) get serious about this. Security is a feature and will be baked into dev tools within 2 years.
Another Anti-Phishing Group (http://biz.yahoo.com/bw/060327/20060327006101.html?.v=1)
So what? - Just what we need, another anti-phishing group. This one is called the "Phishing Incident Reporting and Termination Squad," driven by consultant CastleCops and Sunbelt Software and focused on taking down the phishing sites. They pay lip service to the Anti-Phishing Working Group (APWG), but ultimately will confuse the issue. Given that a typical phishing site is operational for only a few hours before being shut down, I'm not sure what value these guys add, besides gathering some statistics that will be useful from a PR standpoint.
Network World's 20th Anniversary Spread (http://www.networkworld.com/supp/2006/anniversary/)
So what? - Having been in the networking and security space for the better part of the last 20 years, this was a very interesting read. The changes in the technology landscape have been breathtaking when you look at a 20-year timetable. It's also interesting how revisionist history comes into play. Shlomo Kramer of Check Point is credited with inventing the firewall in 1994. Wonder what Marcus Ranum has to say about that. To the victor go the spoils.
Top Blog Postings
Brad Feld on Check Point/Sourcefire
Brad Feld is a VC with Mobius Venture Partners, and he makes some great points in this post about why we should be very concerned with the government's meddling in the Check Point/Sourcefire deal. I do think that many of the folks out there are minimizing the value-add of Sourcefire's product vs. the Snort open source engine. But that is secondary to the fact that the US Government is sending a clear message that information security will be controlled by US, NOT GLOBAL companies.
http://www.feld.com/blog/archives/2006/03/our_government.html
Gallant Talks to Security Pros
John Gallant, president of Network World, writes up what he found when moderating a panel of CISOs. This quote says it all: "I think probably too many folks in the security business - talk too much about specific threats, such as the latest worms and viruses, and too little about the organization, financial, political and human issues that shape the security landscape today." Amen to that.
http://www.networkworld.com/weblogs/vortex/2006/011600.html
Balanced Security
Douglas Schweitzer talks about "too much security." Amen to this as well. I wrote in my Network World column about eliminating complexity; these points are one and the same. No one gets a bonus for having too much security. We need to be pragmatic, with "just enough" to keep everything safe but not dramatically impact the user experience.
http://www.computerworld.com/blogs/node/2098
High School Hacking
Ellen Messmer covers a very disturbing trend of high school students hacking into a school's systems to influence their grades. Whatever happened to working hard? I have some experience trying to pull the wool over your parents' eyes, and it doesn't work. It also highlights the fact that K-12 is a real market for information security products, but only the best-funded districts can afford top-flight protection.
http://www.networkworld.com/weblogs/security/011578.html
SoX as a Protection Racket
Chandler Howell discusses how the auditors are gouging customers because SoX is so nebulous. This is not a surprise, since auditors operate on either feast or famine. Now they are feasting, but as these hijinx come to light the pendulum will swing the other way. It's the natural order of things.
http://thurston.halfcat.org/blog/2006/03/24/sox-is-a-protection-racket/