The Daily Incite - October 23, 2006
October 23, 2006 - #140
Good Morning:
Kind of an eclectic Monday here in Incite-land. The weekend was good. I was reminded of my kids' penchant to touch everything when we went to an art festival in town on Saturday. I consider myself lucky not to have a house full of broken and battered arts and crafts after that little excursion. We also got to see the authors of the new book Jewtopia wax poetic about their creation on Saturday. Jews will find the book hilarious; non-Jews (who know Jews) will find it entertaining as well. And it was priceless to see my wife trying to set up one of the authors with a friend of hers in NYC. Yeah, that'll work out.
In security-land, I found a couple of articles relating to vulnerability research, first Microsoft blocking some kernel-level stuff in the latest Vista RC (here) - which shows they are listening. Then an interview with Metasploit's HD Moore (here). It seems we've found our next security rock star. Good for him; I personally think HD's work is advancing how seriously vendors take security issues. He's not alone in the fight, but he's been the most visible of late. I also love innovation, even if it's the bad guys'. This new malware that ships with an AV engine (here) to eliminate any "competition" on the owned machine had me rolling on the floor. Let the bad guys kill each other off. Sounds like a good plan to me.
In blog-land, Matasano is back (after I fixed my reader, that is) and Thomas makes some good points about endpoint security and application control (here). But I haven't changed my tune. Those without the political mojo to lock down desktops will have a hard time maintaining the security of their environment. I also point to an interesting post about defining risk management (here) and come to the conclusion that management is for managers and the soldiers should be following orders. But I've always been the bourgeois type anyway.
Have a great day.
Top Security News
Vista blocks the Blue Pill, maybe
So what? - The more I dig into vulnerability research and white hats/black hats, etc., the more impressed I become. The folks that spend time trying to break things, for the most part, have very noble goals. They'd like to see things get better, and given the profit motive, there is little incentive for vendors to fix things proactively unless they get publicly punched in the face. Of course, some companies have been punched so many times (think Raging Bull) that they've figured it out. Microsoft is one of them. Love them or, more likely, hate them, you have to give them props for seeing an issue and trying to fix it. I'm referring to Joanna Rutkowska's Blue Pill research presented at Black Hat over the summer, which showed that a hypervisor-based rootkit could be slid underneath a running machine without the OS ever knowing about it. Microsoft has put a fix in place in Vista RC2 to stop unsigned drivers from getting loaded into the kernel. It's not clear to me whether this will stop the Blue Pill attack itself (which gets its foothold through a driver, but does its real work in hardware virtualization below the OS) or just other means of compromising the OS via kernel-level drivers - I'll let the technical folks figure that out - but I'm impressed that Microsoft would take a threat like this seriously and move aggressively to address it.
http://www.informationweek.com/story/showArticle.jhtml?articleID=193401107
A view into an HD mind
So what? - Speaking of vulnerability and exploit research, HD Moore, creator of Metasploit, is hitting the PR circuit hard. Not sure if it's intentional or kind of happenstance, but the guy seems to be everywhere. Last week he talked about the evade-o-matic tool for obfuscating browser exploits so signature-based scanners miss them (which I still don't get), and now everyone seems to want to know why he's doing all of this stuff. I don't know HD, but his intentions seem to be in the right place. Exploits are not bad; they are reality. Hiding your head in the sand is not going to change that. As with my thinking on pen testing, tools like Metasploit and their commercial brethren are an important part of any security person's kit. The bad guys will use exploits and they don't have a "code of conduct," so it's ill-advised for any security person to hide behind some wacky code of ethics about using exploits to figure out where they are really exposed.
http://www.informationweek.com/story/showArticle.jhtml?articleID=193400966
Web services security primer
So what? - This tip from Michael Cobb on SearchSecurity provides a pretty good (and quick) overview of considerations for web services security. Most folks don't know what to make of terms like Web services and SOA, but you had better start understanding them a bit better. Why? Because in a few years' time every application will have a web services component. It also totally decouples data from logic from presentation, which further complicates persistent control of data: once the data is handed to a service interface, the application that rendered it no longer controls who else can call that interface. You hate to use terms like "game changer," because everyone wants to position their innovation as something that fundamentally changes things. But I suspect web services pretty much do, and that means how we build security capabilities must change as well.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1220615,00.html
This Trojan doesn't play well in the sandbox
So what? - Being the father of young kids, sharing is a very hard concept to get across to them. MINE is a common refrain you hear yelled at high decibels around the Rothman house at pretty much all waking hours. But this new malware that includes Kaspersky's AV engine (cracked, of course) to eliminate competing malware on the device is just too funny. It's not enough to take over the machine; now these guys feel the need to optimize it for their own purposes. I do believe this could spur another test of the law of unintended consequences, because we all know how well multiple AV engines work on a machine, so adding another one could just melt the 0wn3d machine. It'll also be interesting to see if this spurs a malware war, which is roughly analogous to a gang war. Let the jokers kill themselves off. I've got no issue with that.
http://news.yahoo.com/s/zd/20061020/tc_zd/191975
Top 10 Security companies to watch
So what? - Every so often, my pals at NetworkWorld do a little top 10 list on interesting start-ups. This time it's security, and some PR folks should be proud. How you get something as irrelevant as Void (which does the disappearing-email product VaporStream) onto this list is really great PR. I've spoken to quite a few of the folks on this list, and some of the companies are interesting, but all of these companies feel like features to me. Some are just outright bad ideas, and none has the potential to be anything more than acquisition bait in 12-18 months for the one or two that gain some kind of traction. Of course, that's one man's opinion. But I like these lists because they keep me up to speed on which PR engines are pitching most effectively. My advice to users is to disregard these lists for the most part. You don't have time for cool stuff; you have problems to solve, and if one of these companies ends up meeting one of your needs, then you can check them out.
http://www.networkworld.com/news/2006/102306-security-companies-to-watch.html
Top Blog Postings
Oy Vey is right - it's not IE7's problem after all
So it seems the IE7 hole was wrongly attributed to the new browser and was more of an Outlook Express issue. Whatever. George Ou is wringing his hands about the evil media and how it's biased. I think the media is (for the most part) pretty clueless and just follows the herd, but the reality is IF the vuln was legit, then that was BIG news. Yes, George, BIG. Even if it was just a "2" on Secunia's criticality meter, it was an indication of Microsoft blatantly missing something. Many of those same pubs went with the hoax story as well, so the conclusion I draw is one of cluelessness, not bias. But in the world of scoops and page views, it's better to go with news that may have a bit of hair on it than to miss the boat. Or so the media thinking goes, anyway. George is right in his complaint that the media blew the severity of the issue out of proportion, but why is that surprising? That's what the media does.
http://blogs.zdnet.com/Ou/?p=350
Matasano is back and railing on endpoint security
My RSS reader got a bit screwy over the last few weeks and I missed some Matasano. In catching up, I found this post from last week about endpoint security, where Thomas basically challenges whether application control is really feasible. His point about "end users hating intrusive security products" is absolutely right. But I don't care what end users like or don't like. Yes, the real world is a messy place and it can be politically incorrect to tell some users they can't run unauthorized apps, but not doing so dramatically impacts a company's ability to secure its environment. I also agree that there are inherent problems with the agent/server architecture. But what other options do we have? Of course you want to minimize the number of agents (which is why all of these desktop suites are getting bigger), and it'll be a wonderful world when we have ubiquitous network connectivity and we can all use our thin clients banging on a Citrix access environment - but that ain't today either. To me it's a maturity thing. When HIPS first came out, it broke all sorts of stuff. Now it works pretty OK. Application control will get there as well. It won't help with the politics of locking down desktops, but that's another story for another day.
http://www.matasano.com/log/555/dark-reading-on-endpoint-policy-tools/
Risk Management is hard to pin down
But it's certainly not due to a lack of effort. Alex Hutton tries to summarize what Risk Management means to him, but it still feels confusing to me. Well, not to me, because I get it, but to most people who would be trying to use a risk-based approach in their day-to-day work. Fact is, "security" must be based on a process that is relevant to business drivers and considerations. Understanding the risk presented to certain assets is a key part of figuring out what needs to get done when, and how much you can/should spend to protect that asset. But I can't imagine how you get all of the "analysts and engineers to regularly/constantly consider likelihood and impact." Personally, I want my firewall guy managing the firewall. As CSO, my job is to make sure that firewall is protecting the right stuff. Maybe I'm being naive and keeping the proletariat down, but to me risk management is a MANAGEMENT discipline, and should be done by MANAGERS. Not everyone can be a chief or things go haywire - big time.
http://riskmanagementinsight.com/riskanalysis/?p=34
Blogging as a "tool"
I'm not sure why we are surprised that some Wal-Mart blogs were really planted PR campaigns, disguised to paint the client in a favorable light. PR is about influence and the rules of the game have changed. This post by Alex Eckelberry goes into the campaign in much more detail, but I personally don't have a problem with it. Is it slightly disingenuous? Sure; maybe they should have put a little "sponsored by Wal-Mart" disclaimer at the bottom. But still, is it disingenuous every time you see a Dell PC on 24 or a Pepsi being sipped in a movie? In most cases, those are paid placements as well. I guess we hold blogging up to a higher standard of truthfulness and disclosure, but let's be real, folks. It's no different than any other media. It's about influence, and the hidden purse strings are being pulled in our little world as well.
http://sunbeltblog.blogspot.com/2006/10/walmart-gets-slammed-for-sneaky.html
Recently on the Security Incite Rants Blog
Understanding a "durable" advantage
Differentiation is an easy concept to understand, but unbelievably hard to achieve - especially in the technology business. This post delves a bit deeper into differentiation and how it's largely a myth in technology markets. Durable advantage tends to be much more about brand loyalty than any kind of technical innovation, customer intimacy, or operational excellence. In tech-land, we have few (if any) brands that elicit any kind of loyalty, thus maintaining a durable advantage is probably not possible for more than a product cycle.
http://securityincite.com/blog/mike-rothman/understanding-a-durable-advantage
Read Friday's Daily Incite
http://securityincite.com/TDI-2006-10-20