The Daily Incite - September 1, 2006
September 1, 2006 - #108
Good Morning:
Hello September. August is in the rear view. How about that? I'll be brief on this Friday morning. One, it's the last day before a long weekend - so you should be focused on getting your work done and getting out of Dodge. Second, we are bringing the twins (yes I have boy/girl twins that will be 3 on 9/12) to see their pre-school this AM, where they start next week. So, for a change, it's all about me.
In security land, let's focus on vendor dynamics. There is an interesting interview with Citrix' head of M&A (here) which provides some perspective on how they are systematically attacking the security market. Vendors out there take heed. I'll also point to the small guy's perspective on big mergers (here), with Thomas of Matasano espousing the virtues of the "euthanization" of ISS. Also check out the DIY Trojan kit (here) because you never want to get caught without your raincoat on.
I also have to point out that the Medusa/super model saga continued yesterday (here). Shimel couldn't help himself but to respond, and then again restraint has never been my forte - so I dug deep into why nice guys finish last in our business. If you ever wondered why vendors exaggerate or why there are so many Porsche and Mercedes dealerships in Silicon Valley, or even why super models like guys with big boats - then you should check out the post.
Have a great long weekend and be safe. See you on Tuesday.
Top Security News
Kill the zombies!
So what? - But aren't they already dead? Not the bots or zombies that we security folks have become intimately familiar with. This tip on SearchSecurity provides 5 things you can do to mitigate the risk of zombies in your environment. They are pretty straightforward, but (if you couldn't tell) I'm into repetition and keeping focused on the simple stuff. So we'll go through them again. Like default-deny on your routers and firewalls. And AV on every desktop and patching. One that is commonly overlooked is blocking outbound Port 25 for all machines except your email servers. That will stop inter-company proliferation, but doesn't do much to help internal issues. But that's what the other defenses are for.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1204163,00.html
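Blocking outbound 25 also hands you a detection signal: anything other than your mail servers hitting that rule is worth a look. As an added example (not from the original post or the SearchSecurity tip), here is a small Python check over constructed firewall log lines; the log field names (src, dst, dpt), the host addresses and the mail-server list are all assumptions. It flags every non-mail-server host attempting outbound SMTP and singles out those fanning out to many distinct destinations, the classic spam-bot pattern.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (syslog-style egress denies/accepts); not real traffic.
SAMPLE_LOG = """\
Sep  1 08:00:01 fw kernel: OUT src=10.1.1.20 dst=64.233.1.5 proto=TCP dpt=25
Sep  1 08:00:02 fw kernel: OUT src=10.1.1.20 dst=66.94.2.9 proto=TCP dpt=25
Sep  1 08:00:03 fw kernel: OUT src=10.1.1.57 dst=64.233.1.5 proto=TCP dpt=25
Sep  1 08:00:04 fw kernel: OUT src=10.1.1.57 dst=66.94.2.9 proto=TCP dpt=25
Sep  1 08:00:05 fw kernel: OUT src=10.1.1.57 dst=72.14.3.7 proto=TCP dpt=25
Sep  1 08:00:06 fw kernel: OUT src=10.1.1.57 dst=209.85.4.1 proto=TCP dpt=25
Sep  1 08:00:07 fw kernel: OUT src=10.1.1.88 dst=64.233.1.5 proto=TCP dpt=80
Sep  1 08:00:08 fw kernel: OUT src=10.1.1.91 dst=64.233.1.5 proto=TCP dpt=25
"""

# The only hosts that are supposed to speak SMTP outbound (assumed address).
MAIL_SERVERS = {"10.1.1.20"}

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=TCP dpt=(?P<dpt>\d+)")


def parse_smtp_attempts(log_text):
    """Map each source host to the set of destinations it tried on TCP/25."""
    attempts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dpt") == "25":
            attempts[m.group("src")].add(m.group("dst"))
    return attempts


def unauthorized_smtp_senders(log_text, mail_servers=MAIL_SERVERS):
    """Every host on outbound 25 that is not a mail server: each is a policy violation."""
    return {src: sorted(dsts)
            for src, dsts in parse_smtp_attempts(log_text).items()
            if src not in mail_servers}


def likely_spam_bots(log_text, mail_servers=MAIL_SERVERS, min_distinct_dst=3):
    """Unauthorized senders fanning out to many distinct SMTP servers: triage these first."""
    return sorted(src for src, dsts in unauthorized_smtp_senders(log_text, mail_servers).items()
                  if len(dsts) >= min_distinct_dst)


if __name__ == "__main__":
    for host, dsts in unauthorized_smtp_senders(SAMPLE_LOG).items():
        print(f"{host} tried outbound SMTP to {len(dsts)} host(s): {', '.join(dsts)}")
    print("likely spam bots:", likely_spam_bots(SAMPLE_LOG))
```

Point the same parser at a day of egress logs and a host that shows up here is either a rogue relay or a zombie; the 80 hit from 10.1.1.88 is ignored because only port 25 is scored.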
What's a worm's half-life?
So what? - If the number of worm carcasses in my driveway is any indication it isn't that long for real worms, but it seems to be infinite for cyber-worms. This article delves into how new attacks are still being launched against MS06-040, which was patched a couple of weeks ago. We still hear about Zotob and Bagle as well. Why? Because those attacks still work on machines that have not been patched. I would say many of the offenders are consumer and SOHO situations, but that's beside the point. Make sure that it isn't you. I'm not saying you need to patch on Patch Tuesday. But your change control process needs to be able to get this stuff done within a week, and you should also have mitigating defenses in place (IPS rules, blocking ports, etc.) until the patch is done.
http://news.yahoo.com/s/cmp/20060901/tc_cmp/192500863
Smart vs. secure
So what? - Of late, many people have been engulfed by the Mac vs. PC security wars. As this article points out, it's nice that you have tight locks on your upstairs windows. But what about the DOOR? The path of least resistance for the bad guys is the user, compromising them (and their machines) through social engineering attacks like phishing and the stupidly named SMiShing. I agree that statistically private information is compromised as often on Mac as PC. Of course, Macs aren't turned into zombies and bots, but a secure OS is no protection from social engineering.
http://www.securitypronews.com/insiderreports/insider/spn-49-20060901SmartIsMoreImportantThanSecure.html
Citrix' march on security land
So what? - Most security folks don't take Citrix seriously. They do that remote control stuff, right? What the hell do they know about security? Well, think again: Citrix is rapidly becoming a player in security. Why? They have a tremendous channel into the mid-sized enterprise and they've got a story that shows how access and security come together. If you doubt their ability, they've come out of nowhere to a unit share lead in the SSL VPN market. They aren't going to be on the front end of the security curve (mid-sized customers aren't interested in cutting edge), but once they put new product into their distribution engines, they sell a lot of it. This interview with their top M&A guy is pretty instructive as to what their strategy is. I look for them to continue buying security stuff. Next on the list should be application control and maybe strong authentication.
http://www.networkworld.com/news/2006/083006-citrix-qa.html
What ever happened to security software?
So what? - A long time ago in a galaxy far away, customers used to buy security products on CDs and install them on machines they had lying around. And vendor margins were fat, PC vendors sold lots of boxes, and life was good. Of course, that was then. Now, everything comes on an appliance. This article talking about identity management appliances is the latest. Why is the appliance form factor compelling? Because it seems too hard for customers to lock down the old PCs, but 90% of the appliances out there are just standard, rack-mounted PCs with the vendor doing the work to strip out unnecessary stuff from the OS. But since rack space is infinite and the power companies need to stay in business, we'll continue to see every little friggin' problem solved with a new box. Until the pendulum swings back the other way (no mas box), that is. Virtualization, UTM, and data security are big catalysts for software (or at least fewer boxes) to come into vogue. Now before guys like Hoff blow a gasket, there is a lot more to the discussion. A TDI snippet does not represent a full discussion of a topic. There's your disclaimer for the day.
http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1202444,00.html
Top Blog Postings
Fred AV is back!
I've known Fred Avolio for years, since the early days of the firewall market, when he was VP of Marketing at Trusted Information Systems trying to pitch me (when I was at META) on the benefits of application proxies. Fred later opened up his own consulting shop and has been doing lots of varied things. But of late (like the last year) Fred's blog has been devoted more to Mac stuff than to security. Which is a shame. Fred got motivated yesterday to dig through his archive to show that the more things change, the more they stay the same. It's amazing to see how the conversations really haven't changed since 2003. Fred has a whole series up which is very interesting. And I can only hope that we hear more about security from Fred. He has a lot to add to the conversation.
http://www.avolio.com/weblog/security/SameOldStuff.html
Where's that silver lining again?
Leave it to Thomas over at Matasano to try to find the silver lining in the ongoing consolidation saga in the security industry. I also wish I could rhyme as well as my rapping friend. He goes into why smaller companies like Matasano look very favorably on big deals because it diverts the attention of bigger security players that have the resources to make life hard for Thomas. He believes ISS is going to now be focused on figuring out IBM, as opposed to beating their small competition into submission - so this is a net positive. The one point that I'll argue is whether companies like ISS or Cisco could buy him if he's getting traction. Of course they can. It's about economics and if they think the quicker path is to buy a small player to get the technology - that's what they'll do. I also disagree with his contention that HP isn't going to do something. They just bought Mercury, so they seem to be able to multi-task.
http://www.matasano.com/log/444/big-blue-hp-digging-deep-make-my-scary-competitors-go-to-sleep/
Anger management class for Stiennon?
Seems Richard may need to spend some time in therapy trying to figure out the root cause of his anger, which causes him to recommend common people destroy computer equipment with hammers and anvils. Clearly I jest, and in this post (on Emergent Chaos) Richard goes after that bastion of personal information - the cell phone. I read about Mich Kabay (here) keeping bank account numbers on his watch (hello Dick Tracy), so I guess I shouldn't be surprised that folks keep a lot of "personal data" on their cell phones. When you are still using the phone, make sure it's password protected and hopefully (like the Blackberry) it wipes the device when you fail maybe 10 times. But when you are done with it, Richard's advice is to slam it into submission, thus destroying the flash memory. I guess it's one option. But I let my kids (the twins are not yet 3) get my hand-me-down phones to use for chew toys. I'm not too worried about hackers getting into the info after that treatment.
http://www.emergentchaos.com/archives/2006/08/mangle_those_cell_phones.html
DIY Trojan
No I'm not talking about condoms. The folks over at Symantec put some detail behind what we already know, relative to the ease of building worms and Trojans. Script kiddies have had access to tools that made their job easier for years, but it's a good lesson to remind ourselves what we are competing with. As time has progressed, the "tools of the hacker trade" have gotten better, easier, and cheaper. Probably a bit faster than our defenses have improved. These Trojan DIY (do it yourself) kits are relatively new, very dangerous and just underscore the need for constant vigilance. They arrest people that write books on bomb-making, but these folks can build cyber-bomb kits with impunity. Go figure.
http://www.symantec.com/enterprise/security_response/weblog/2006/08/buildyourown_trojan_starter_ki.html
Recently on the Security Incite Rants Blog
Nice guys finish last
and assholes sleep with super models. Yep, that's how I started this post which is basically a response to Shimel's poke relative to throwing all vendors into the slick-backed hair, snake oil salesman camp. I go chapter and verse into how and why vendors bend (and sometimes break) the truth, the frustration of seeing the other rep climb into his/her 911, and why some end users wake up next to Medusa and the vendors who have sold their companies before it came around end up with the super models. And if you need another opinion about the penchant of vendors to bend the truth, read the Mogull's post here, he sees it every day too.
http://securityincite.com/blog/mike-rothman/nice-guys-finish-last
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-08-31