The Daily Incite - March 5, 2007

Submitted by Mike Rothman on Mon, 2007-03-05 07:55.
Today's Daily Incite

March 5, 2007 - Volume 2, #38

Good Morning:
I feel a rant coming on. Since I'm moving to a 4 day/week publishing schedule for TDI (no more Friday incite, as I'm focusing on the P-CSO Weekly), I need to make the most of my ranting time. The boss is on a little trip today, so I'm flying solo with the kids for half of Sunday and all day today. Being the sloth that I am, I figure I'll take the kids to the gym (yes, I'm still working out) where they can be someone else's problem for two hours. Great workout, but it was when I was freshening up that I had one of the more horrifying experiences in recent memory.

I've gotten into the habit of taking a little sauna after my workout, but as I enter the room I instantly come to the conclusion that someone dropped an anvil on my head and I had moved on to my great reward. First off, it's hotter than hell (OK, I guess it's supposed to be), but to my horror I see two naked guys with all their glory hanging out who resemble Laurel and Hardy in there. That's when I realize what awaits me in the great beyond - sweating my ass off in a hot sauna with naked Laurel and Hardy. The only thing missing is the Devil himself, naked and sweating as well.

But it made me wonder, what makes these guys think I want to see them naked in the sauna?!?!? I joined one of those fancy-ass health clubs where they provide towels for free. FREE, I say. Free as in beer. It's not like these jackasses can't afford to bring their own towel. There are hundreds of them, right outside the sauna. Cover up man, nobody wants to see your mushroom.

Do women have this problem? I have no idea because the closest I've ever gotten to the women's locker room is watching Porky's. I don't recall seeing Laurel and Hardy in that one.

Been busy on the social front as well, as the boss and I went to go see the Piano Man on Thursday night. I hope I have the energy and spunk of Billy Joel when I'm 57. He put on a great show, played all the classics, cracked lots of jokes and kept a packed arena entertained for over 2 hours. If Billy is coming to your town, go see the show - it's worth every penny.

OK, enough ranting. Back to work. Have a great day.


The Pragmatic CSO
The Pragmatic CSO is here! Read the intro and get "5 Tips to be a Better CSO" at www.pragmaticcso.com

Top Security News

I must break you
So what? - How can you not love Rocky IV (that's 4 for you non-numerologists)? Drago was evil, the training scenes were campy and the dialog one step above kindergarten level. Just my speed. But as I was reading this summary of the Black Hat DC conference (here), the famous Drago words echoed in my head. I'm pretty sure I ranted quite a bit about how real deal security researchers could pretty much break into anything and how the flare-up where Joel Snyder wanted to bet some folks they couldn't find private data on 3 of 10 websites was ridiculous. Of course they can find private data. Some of the hardware based attacks divulged last week are pretty arcane, but they show that theory eventually becomes practice. They show that there seem to be an infinite number of ways to own a machine. Finally, they show that 100% security is a myth (but we all knew that already, right?). So you better make sure your incident response plan is up to date and practiced. Your number will be called. It's not a matter of if, it's when.

Vista cheese
So what? - What kind of cheese is Microsoft's Vista? Does it have more holes than Swiss cheese? Does it smell bad like Limburger? Is it sharp like Cheddar or does it go down easy like American? Or is it high brow, like Brie? Based on these articles, it seems that Swiss cheese is most appropriate. Actually that isn't exactly fair, and architecturally there is no question of Vista's advantages. But in practice maybe not so much. Kevin Beaver's point here is that going after Vista may not be the path of least resistance, especially since the software that runs on Vista is easy pickin's. It's also interesting that Microsoft is now admitting user account control is vulnerable to social engineering (here). This is much ado about nothing. Just because stupid users may just hit OK if a rogue application spoofs a UAC prompt doesn't mean that UAC doesn't help to increase the security of the device. I'm sure the Mac fanboys will correct me if I'm wrong, but there is nothing in OS X that precludes a similar type of attack. Finally, George Ou delves into EFS vs. BitLocker (here), which is an interesting analysis. Even more interesting is the presence of two different encryption schemes. So much for leverage, but since EFS is a higher level abstraction and BitLocker works at a lower level - both are actually needed. Who woulda thunk?

Wherefore art thou innovation?
So what? - Ogren longs for the day when there was innovation in security (here). I guess he's looking for more products like the SecurID modem (sorry, inside joke). Eric is right and wrong. There isn't a lot of innovation and disruption in security nowadays (despite what overpaid marketers try to tell you), but that's OK. I'd rather folks try to solve today's problems and make the solutions better, faster, easier and cheaper. Is that innovation? Nope. But this also is an industry, kind of like networking. When was the last time someone went to Interop and said, "Wow, there's lots of innovation happening here!" I don't know, maybe 1994. That's not saying that we won't ever see innovation in security, of course we will. But it probably won't be for a while. Customers are so focused on solving today's problems, most companies wouldn't know what to do with something truly innovative and disruptive. Shimel weighs in on the topic (here) and comes to the conclusion that innovation will come from stuff we are already familiar with. Now that's deep, but it sounds like a mash-up to me and is that really innovation? Me thinks not.

The Laundry List

Yes, full disk encryption is important. NSS. - here
Fortinet gets more patents. Lawyers stay employed. - here
RSA figures out the channel. Pay them more. Geniuses. - here
Lessons learned from TJX. Yeah, don't do that. More geniuses. - here
Go see your Guidance counselor. He's got EnCase 6. - here

Top Blog Postings

Can we defend new web applications?
Hoff is right (here), this post from Gunnar is great. And it brings up some disturbing truths about today's web applications. The fact is we are really far behind on protecting applications. Really really really far behind. Web application technology is advancing quickly and the security defenses - not so much. Something's got to give. Will it be more and varied attacks that compromise significant amounts of private data? Yup. No doubt about it. Network based attacks will become a thing of the past (it's actually happening already) because the path of least resistance is through the applications. It's a good time to know something about web application security; you will be in a big seller's market and it's going to last for years.
http://1raindrop.typepad.com/1_raindrop/2007/03/understand_web_.html

Seals: Great music, entertaining show, security - not so much.
I'm a big fan of Seal(s). How can you not love a guy that sings pretty OK and is married to Heidi Klum? I also like the seals at the aquarium. They can do amazing things for a few chunks of fish and they've got a better sense of humor than Shamu. But these folks that sell security "seals" or certifications DO NOT indicate that a site cannot be compromised. There was a blow-up a few months back and one of the certification companies (can't remember which one off the top of my head) went into major spin control mode when one of their certified sites had credit card numbers showing up on lots of hacker sites. These services do eliminate the low hanging fruit, just as any vulnerability scan will tell you what's possibly vulnerable. But to think that these certificates ensure that a site is "safe"? That's a joke, as this Maine Seed Company found out the hard way.
http://www.realtime-itcompliance.com/privacy_incidents/2007/03/maine_seed_company_website_hac.htm

It's a wonderful day in the neighborhood
After seeing the Microsoft keynote at RSA, this analogy to Mr. Gates' neighborhood is pretty appropriate. Gates and Mundie didn't change into their sweater and tennis shoes on stage, but they may as well have. The only thing missing was King Friday himself. Joe Wilcox makes an interesting point here and it's something I've written about in the past. Microsoft is trapped in their own legacy. Sure Vista is better, but as long as they have to support inherently insecure applications and provide backwards compatibility with previous versions of Windows, they are doomed to more of the same. I'm sorry to say it, but they basically need to start over. I mean really over, like leave the past behind. That will be hard, but with everything running in a web browser (it should be anyway), you at least have one main application to worry about. Everyone talks about innovation or lack thereof. Maybe a new, truly secure operating system is next. I don't even know if this is possible, but it's fun to think about, no?
http://www.microsoft-watch.com/content/security/the_sad_truth_about_mr_gates_neighborhood.html
