The Daily Incite - May 11, 2006

Submitted by Mike Rothman on Thu, 2006-05-11 07:58.

Good Morning:
Slow news day on Wednesday. Must be a hump day thing. So I'm going to cover some stories I couldn't wedge in from earlier in the week. The top blog post is about this USC "hacker" guy that compromised the USC network to prove a point. I want to be very clear that he's in the wrong. He may have had good intentions, but without explicit permission to compromise networks - it's against the law. Period. So they should make an example out of the guy if we ever want litigation to be a deterrent from cybercrime. Letting this guy off the hook sends the wrong message.

I also got a few notes about mentioning that guy's "security is a failure" post yesterday. Some thanked me for calling bunk, others were a bit chagrined that we even dignified the guy's position. Good or bad, it's not possible for me to sit on my hands and let someone say stupid things and go unchallenged. Most of the coverage I saw from Slashdot (http://it.slashdot.org/article.pl?sid=06/05/10/0451250) drummed this guy for just being stupid and not having his facts straight. Even the folks at Matasano weighed in (http://www.matasano.com/log/280/do-we-suck/) with a biting analysis of his facts. Bravo to all that will not let stupidity go unnoticed.
Have a great day.

Top Security News

Federation needed by outsourcers
So what? - I continue to do a bunch of work in the Identity Management space. One of the key drivers is the need to share and provide identity information to outsourcers, so the end user experience is not impacted because some systems may not reside "exactly" in house anymore. Here is a new peg from Postini about them providing directory sync and single sign-on between their services and their customers. From an admin standpoint, this is huge because I know it's a pain for large user communities to manually update Postini every time a user leaves or joins the company. And supporting SAML-based authentication for end-users and administrators makes life a lot easier for everyone. This is the shape of things to come and federated identity support will become a clear requirement for all MSS providers.
http://www.postini.com/news_events/pr/pr050806.php

E*Trade nails two-factor
So what? - This is an interesting case study in SC Magazine regarding E*Trade's use of two-factor authentication to get out ahead of the FFIEC mandate. Most of the time it's virtually impossible to get customers to go on record about what they are doing, but for strong authentication - E*Trade sees this as a differentiator, so they are talking freely about what they are doing. They are right, this is one of those rare cases where security is more than an insurance policy - it's a marketing cost. Interestingly enough, I've heard that E*Trade's original use of tokens for authentication (a couple of years ago) was approved by the CMO (marketing guy), not the CISO (security guy). Who would've thunk it?
http://www.scmagazine.com/us/news/article/556845/if+once+good+twice+better/

Is Certified Email good for anyone?
So what? - Here on Dark Reading, they have a good point-counterpoint about this whole certified email thing. It seems AOL learned their lesson and didn't publicize that they recently turned on the certified email stuff from GoodMail (spamroll covers that here). I fall firmly in the NO camp on this one. My inbox belongs to me and I don't want to get solicitations from folks because they are paying AOL. If I opt-in, then things should be delivered. If not, not a chance. Maybe I'm simplifying the decision and there is some value that I don't see. Nah. I know AOL needs to figure out how they are going to continue making money. But leave my friggin' inbox alone.
http://www.darkreading.com/document.asp?doc_id=94398

Another day, another survey - Credit Unions more at risk
So what? - You all know what a fan I am of surveys. Today's offender is SecureWorks, an MSSP here in the ATL. Evidently financial institutions are more heavily targeted. As a subset, credit unions are more at risk. Duh! Credit unions tend to be smaller and thus have fewer resources. Is MSS an option for these folks? Absolutely - for security operations anyway. They aren't going to be able to outsource the FFIEC two-factor requirement unless they outsource their ecommerce systems altogether. I know these surveys are a part of the game, but I'm not clear on what value they add to the discussion.
http://www.secureworks.com/mediaCenter/pressReleases/20060508-swxcubk.html

Virtual UTM will impact the perimeter
So what? - Astaro announced a UTM offering that runs on a virtualized server. I'm not sure if it's the first, but that's not the point. The point is that virtualization is a trend that is here to stay and could have a fairly dramatic impact on what the perimeter looks like over time. I'm not a fan of more boxes, especially in the perimeter - so these kinds of virtual security devices are interesting. Obviously performance needs to be up to snuff and the underlying OS must be hardened like titanium. So maybe these start at the low end and migrate their way up the stack as performance is proven. But this could be a renaissance for the security software folks, as opposed to the folks that rely on their own ASICs and network processors to get things done. You listening, Check Point? You may luck out yet...
http://www.astaro.com/about/press/astaro_ships_world_s_first_unified_threat_management_virtual_appliance


Top Blog Postings

USC guy was wrong
Patricia Keefe provides a more balanced perspective of the USC hacking situation on the InformationWeek blog. It seems the guy that did Netsky only got 30 hours of community service. Will they throw the book at the USC guy? I hope so. Is it fair? Who ever said life was fair? There is right and wrong. I don't think they need to send the guy to a maximum security facility, but when you break the law there must be consequences. OK, off soapbox now.
http://www.informationweek.com/blog/main/archives/2006/05/hacking_a_few_c.html

Is free anti-spyware good enough?
I like Brian Krebs' stuff a lot. The security reporter for the Washington Post writes a blog that goes far beyond anything I've seen out of the mainstream press. He actually uses the products. In this post, he challenges some of the survey results that Webroot got and the contention that free anti-spyware products suck. He did a lot of research on this and drew the conclusion that Webroot is a little better, but not much. Is it worth $30 for incremental protection? That depends on what other defenses you have in place. Do you try to block spyware on the gateway? Do all of your folks use Firefox? Anti-spyware is a piece of the puzzle, so as interesting as it is to compare products stand-alone, the effectiveness is dependent on what else you have minding the chicken coop.
http://blog.washingtonpost.com/securityfix/2006/05/your_spycar_ran_over_my_dogma.html

Is the security business dead?
David Berlind thinks so. And Microsoft is going to put all the existing companies out of business. Give me a break. I love it when a broad tech commentator thinks he knows the security business. Will Microsoft continue to pull capabilities into the OS? Absolutely. Does that mean that there are no niches for others to fill? Of course not. That's ridiculous. His main data point is that two former Zone Labs guys have decided to get out of the security business. Well, security is hard. There is a lot of competition, and neither of these guys needs to work particularly hard after cashing in at Zone. Because there is too much VC money, which has resulted in too many companies - DOES NOT mean that there are no opportunities because Microsoft is going to build it all into the OS. He also needs to check his facts. Gene Hodges left McAfee because he was President (NOT CEO) and Websense (also in the security business) offered him the chance to be a CEO.
http://blogs.zdnet.com/BTL/?p=3007


Recently on the Security Incite Rants Blog

Is reputation an anti-spam differentiator?
In this post, I revisit the world of content security - specifically anti-spam and reputation systems. There were a few new reputation systems announced recently, so I wondered whether reputation even matters anymore. I look at it from a couple of different angles, but suffice it to say - content security is still very much an individual decision.
http://securityincite.com/blog/mike-rothman/is-reputation-an-anti-spam-differentiator

Inciting: Security Wire Weekly Podcast
I did a 6-7 minute interview on the Security Wire Weekly podcast regarding the Blue Security DDoS attack. It's towards the end of the session. We also discussed some other topics relative to anti-spam.
http://securityincite.com/blog/mike-rothman/inciting-security-wire-weekly-podcast

Read Wednesday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-10-2006