The Daily Incite - May 30, 2006
Good Morning:
Welcome back after what I hope was a nice long weekend for my US readers. I had a great weekend, spending lots of time at the pool with family and generally just enjoying the first week of summer here in Atlanta. But, it is good to be back in the saddle and getting back to work. In fact, I'm so excited to be back I'm posting The Daily Incite a day ahead of time. Actually I'll be up in the air tomorrow AM, so I needed to get this posted before I left.
In the security business, things were pretty quiet over the weekend. I'll highlight the open source answer to Blue Security's woes, called Okipaki - after some type of frog - and also point out that this is still a bad idea. The answer to stopping spam is not to launch denial of service attacks on the spammers. I'll also point you to an interesting blog post from George Ou wondering whether we still need desktop AV. I'm a fan of layers (which maybe makes me a security dinosaur), but I'm not willing to give up my last line of defense quite yet (on my PCs anyway).
Have a great day.
Top Security News
Spamming spammers is still a bad idea
So what? - It seems that bad ideas never die, they are just reconstituted as open source endeavors. Just when I was hopeful we'd be able to shovel the final bits of dirt on Blue Security's grave, a new group taking largely the same approach appears. They call themselves Okipaki, after a dangerous frog. Their network is called "FrogNet" and is going to move towards a more distributed model - so there is no central target for retribution by spammers. My position on this hasn't changed. This is a bad idea also, and the only way to address the problem is to have end users stop buying products advertised through spam. As long as there is an economic payback, there will be spam. I'm not alone in this opinion. Check out SecuriTeam's similar perspective (http://blogs.securiteam.com/index.php/archives/425).
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1190407,00.html
IdenTrust - nice original name
So what? - What do you get when you cross a DST and an Identrus? Evidently you get IdenTrust. When I first saw this news clip of a business development deal between IdenTrust and Bharosa, I figured there would be some legal wrangling because it was so close to Identrus - the PKI folks. Well, evidently these folks decided to change their name and they didn't tell anyone. Nice branding. But this deal with Bharosa is interesting because DST did have a strong position providing services to financial institutions and it could magnify the efforts of Bharosa to gain traction. Perhaps IdenTrust even understands what Bharosa does (check out my Bharosa drive-by here).
http://www.marketwire.com/mw/release_html_b1?release_id=0131458
Yes, outsourcing is a security risk
So what? - Digging into the archives a bit, here is a feature story from SC Magazine from the beginning of the month which presents some food for thought about outsourcing. First, let me say that outsourcing is happening and will continue to happen - because the economic benefit is too compelling. Now, as security professionals, we need to figure out where we are exposed and take action to make sure it's not a train wreck. So, as the article suggests - SLAs are good, but understanding how the outsourcer protects their networks, doing background checks on their folks, and periodically auditing their environments are good things to do as well. Fact is, if there is a big problem, many of these outsourcers will cease to exist, so it's in their best interests to make sure security is tight. But I don't take anyone's word for anything, and you shouldn't either. Ultimately, it's your ass on the line if there is a problem, so make sure they are doing the right thing.
http://www.scmagazine.com/us/news/article/556844/avoiding+hostile+host/
Controlling USB leakage
So what? - Ah, that old USB thumb drive scheme again. With fairly cheap USB thumb drives able to store gigs of data now, malicious folks can do some damage just by copying files. But there is technology to control the use of the USB ports on any device. This profile on Dark Reading shows how one health care firm is using SecureWave's Sanctuary to control what is done with the USB ports. SecureWave is not alone in this (other folks have similar technology) and I think USB control is just one aspect of broader endpoint security. Depending on how you secure your information, you may want to think about this technology as a stepping stone.
http://www.darkreading.com/document.asp?doc_id=95682
Light Reading gets turked
So what? - I respect folks that can come clean when they have issues. A number of CMP sites, including some Light Reading properties (they are the group that does the Dark Reading security site) got nailed by the Turkish hacker that redirected like 30,000 sites a couple of weeks ago. It's OK when things happen, it's not OK when folks don't acknowledge it and put defenses in place to make sure it doesn't happen again.
http://www.darkreading.com/document.asp?doc_id=95434
Top Blog Postings
No AV?
George Ou is stirring up the pot. In this post, he tells his own story about not using AV and how he protects his networks and machines without it. He uses the data point of Symantec's most recent vulnerability to show that AV is no panacea and can actually cause problems. He makes the point that AV can and should be used on the gateway to the exclusion of the end devices. The real question is whether it causes more problems than it solves. Part of me (the security traditionalist) wants to call him an idiot for so blatantly diverging from defense in depth best practices. Yet another part of me knows that with the other defenses I have in place and the training I've given to my users (basically my wife), I can't remember the last time a virus got through to even be caught by the AV. But for the $30 a year it costs me and the maybe once per year vulnerability, I'll stick with the AV on my PCs, thank you very much. Maybe AV only catches the edge cases now, but I'm not willing to take a chance of my network getting hosed because I was either cheap or lazy. And I do believe that layers are important and I'm not willing to give up my endpoint layer.
http://blogs.zdnet.com/Ou/?p=234
The information black market is alive and well
This post from Larry Greenemeier on the InformationWeek blog reminds us of what we already know (but should constantly be aware of), which is the prevalence of marketplaces for stolen personal data. Larry mentions a few, but more importantly notes that these sites are here today and gone tomorrow, with another set springing up - just like weeds.
http://www.informationweek.com/blog/main/archives/2006/05/stolen_data_tro.html
UTM is happening
For a while I was a fan of Alex Niehaus' Scrapture blog. But of late, it feels more like a slanted marketing tool that isn't really adding much value to the conversation. I guess it is for marketing, but sometimes I wish it wasn't so blatant. That being said, this post is kind of interesting because Alex goes after Barracuda because they aren't going to combine their boxes to play into the UTM space. I do agree that smaller customers do need UTM and over time Barracuda will need to integrate their products onto a common platform. But note that Barracuda is playing a very predictable marketing game here. Since they don't have an integrated product, clearly customers don't need it. They need to be careful because as good a job as they've done building a brand and selling a ton of boxes - they can very easily miss the next thing if they start believing their own hype. I'm not sure if this is Drako trying to freeze the market a bit until they can integrate things or whether they really believe separate appliances are the answer at the low end.
http://www.scraptureblog.com/2006/05/natural_selection_does_not_fav.html
MPAA caught with their hands in the cookie jar
Maybe it's just me, but I don't see a lot of gray area between right and wrong. Hiring hackers to break into someone else's network (regardless of what they are doing) is wrong. So the MPAA is just wrong by stooping to these lows to try to dig up dirt on networks that "aid" in helping folks "share" movies. CJ Kelly is right on with this post: when the alleged good guys start behaving like the bad guys, there is very little reason to be sympathetic. This was a huge blunder on the MPAA's part.
http://www.computerworld.com/blogs/node/2614
Recently on the Security Incite Rants Blog
Inciting: SSO Webcast at Searchsecurity
I recently did an on-demand webcast for Searchsecurity on single sign-on. It's a pretty comprehensive treatment of the technology and when and how you should introduce it into your environment... Check it out.
http://securityincite.com/blog/mike-rothman/inciting-sso-webcast-on-searchsecurity
Read Thursday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-25-2006


You still haven't got it right.
Blue Security didn't try to "spam the spammers" or "fight spam with spam". Instead, they tried making spam unprofitable. They succeeded in that, to the level that spammers saw them as a strategic threat to their business model.
I can elaborate on that if you like, for I followed Blue since the early days of closed (private) beta testing.
I'm happy that an open source project (named "Okopipi", not "Okipaki") aims to replace Blue Security, but I don't think they'll succeed - because it's almost impossible to do what Blue did in a distributed manner.
I still hope they'll make it, I just highly doubt it.
Noam.