The Daily Incite - September 2, 2008
September 2, 2008 - Volume 3, #73
Good Morning:
As you read this, I'm on my way down into ATL to do my civic duty as a
juror. That's right, jury duty. I know it's our responsibility and one
of the things we have to do when we live in the US. That doesn't make
me any happier. First of all, I need to go into the city. Yes, Atlanta
has the worst traffic in the US. I can only hope that most folks
decided to take a 4-day weekend and saunter in around 10 AM or later,
so I can get into town.

And then there is the waiting. On a good day, I'm impatient, so sitting
around for hours, watching Regis and Kelly or whatever other inane crap
is on the tube may be the end of me. What about those chairs? They may
as well sit us all on beds of nails, as comfortable as those are.
Evidently they want to make sure your jury duty experience is as
memorable as possible. Call in the chiropractor!
The last time I went down for jury duty, I didn't even get called to
audition for a jury. That was lucky. I was bored to tears, but all in
all it was just a day and I went along on my merry way. I don't expect
to be so lucky this time, so I'm strategizing on how best to make
myself as undesirable a juror as exists. My friend told me just to
shout "They are all guilty." Maybe that would work, but could also land
me in the lock-up.
There are lots of ideas on the Internet on how to avoid being called
for the jury. Just Google "get out of jury duty," and all your
questions will be answered. The reality is, I'll likely just opt for
the truth option. I'm sure I'll get some hate mail from my law
enforcement friends, but I don't trust evidence. I know how
easy it is to alter and futz with any kind of digital file. Not all
evidence is digital nowadays, but a lot is. And the odds that most folks are
sufficiently skilled in forensically gathering evidence? Probably
pretty small.
I'm also pretty hard-headed. So once I make up my mind, it's hard to
change it. Not impossible, but pretty hard. Not the general open-minded
approach they like to see, I'm hoping. I can be pretty persuasive, at
times, so I could muck with a jury something fierce if there are any
gray areas regarding the trial.
I also have a lot going on right now, so the idea of sitting on a
multi-day jury makes me want to puke. If they think I'm generally
ill-tempered today, wait until Thursday after I've had to cancel a
scheduled business trip and stayed up half the night doing the stuff I
should have been doing during the day.
Thankfully my EVDO card should work while I'm waiting, so at least I'll be
productive. And if not, I've got enough writing to do to keep a small
armada of dilettantes at their keyboards for weeks. I'm sure I'll be
able to keep busy, and with any good fortune I'll be released right
after lunch, having completed my civic duty. Don't get in my way, I've
got to get back to my cloistered life of Starbucks, Delta and Hertz.
Have a great day.
Photo: "jury summons" originally uploaded by Lee Bennett
Technorati: Information Security, CSO, Security Mike, Internet Security
Top Security News
I wasn't kidding about password reset
So what? -
I wrote a while back about the evils of password reset. Of
course, Shimmy getting owned just seared that into my paranoid psyche,
and then I read this story about Herbert Thompson breaking into someone's
bank account (with permission), and we can all see how easy it
is, especially when you live a reasonably public life. Though when you
examine the steps of the hack, there isn't anything really novel here.
He started with a bit of information that gave him a head
start, but it's not a huge amount of stuff. Add to the list of things I
mentioned in the password reset post the idea of a nonsensical (and
unique) user name. Basically, for your bank there is no reason to use
the old first initial, last name user ID. You could use a random string
of characters and add to that a random, long, very strong password, and
it would be hard (again, not impossible - but hard) to find that
information out. Using a password manager shields you from the
complexity of having a random user ID and a random password. Of course,
you could make yourself crazy with all this randomness, so at some
point you have to find the balance of security vs. convenience.
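Here is what that advice looks like in practice, as an added example that is not part of the original post. It generates a random user ID and a random password from the operating system's cryptographic random source (Python's `secrets` module, never `random`), and puts a number on why the "first initial, last name" ID is worth replacing: a user ID that anyone who knows your name can guess contributes zero bits to the attacker's work, while a 12-character random ID adds about 62 bits on top of the password. The alphabets, lengths and the guessing rate used in the rough time-to-guess estimate are my assumptions for illustration, not figures from the post; the generated strings are meant to be stored in a password manager, not memorized.

```python
import math
import secrets
import string

# Assumed alphabets: lowercase+digits for the user ID (most sites reject
# punctuation in user names), the full printable set for the password.
USER_ALPHABET = string.ascii_lowercase + string.digits          # 36 symbols
PASS_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def guessable_user_id(first_name: str, last_name: str) -> str:
    """The conventional 'first initial + last name' ID, e.g. mrothman.
    Anyone who knows your name can derive it, so it is worth ~0 bits."""
    return (first_name[:1] + last_name).lower()


def random_user_id(length: int = 12) -> str:
    """Random, unique-per-site user ID from a CSPRNG (secrets.choice)."""
    return "".join(secrets.choice(USER_ALPHABET) for _ in range(length))


def random_password(length: int = 24) -> str:
    """Random password from the full printable alphabet, via a CSPRNG."""
    return "".join(secrets.choice(PASS_ALPHABET) for _ in range(length))


def years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected years for an online/offline guesser that tries
    guesses_per_second candidates; on average half the space is searched."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def credential_pair(id_length: int = 12, pw_length: int = 24) -> dict:
    """Generate a random ID + password and report the work factor an attacker
    faces, with and without a guessable user ID. Assumed guessing rate:
    1e9 guesses/second (an offline attack on leaked hashes), for illustration."""
    uid = random_user_id(id_length)
    pw = random_password(pw_length)
    id_bits = entropy_bits(len(USER_ALPHABET), id_length)
    pw_bits = entropy_bits(len(PASS_ALPHABET), pw_length)
    rate = 1e9
    return {
        "user_id": uid,
        "password": pw,
        "user_id_bits": id_bits,
        "password_bits": pw_bits,
        # A known ID (jsmith) adds nothing; the attacker only guesses the password.
        "years_with_known_id": years_to_guess(pw_bits, rate),
        # A random ID must be guessed too, so the bits add.
        "years_with_random_id": years_to_guess(pw_bits + id_bits, rate),
    }


if __name__ == "__main__":
    print("guessable id:", guessable_user_id("Mike", "Rothman"))
    report = credential_pair()
    for key, value in report.items():
        print(f"{key:22} {value}")
```

The bits simply add because the ID and password are independent uniform draws; that is the whole argument for a random user name. The time estimates assume the attacker has to brute-force, which is not the case when the password reset flow hands the account over for a few personal details, which is the point of the post.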
Link to this
Don't believe everything you read
So what? -
Hopefully I'm constantly reminding you not to believe everything you
read. If anything, you should be hyper-skeptical of most of what you
read. Controversy generates page views, thus most tech media (and
mainstream media ain't much better) have a great vested interest in
finding controversy, even when none exists. If you look at the alleged
Best Western breach from last week, we have a number of cases in point.
Best Western did have a breach, but the errors they made were more in
the art of communicating that, rather than what really happened with
the data loss. InformationWeek actually talks to someone at
Best Western to get the "real story." You see, they didn't
break the news, so they didn't control the story. So the media ran wild
with the story, made up some numbers, and were looking for Best
Western's head on a stick. It's the mob mentality at its best. Of
course, I'm sure there is some spin happening from the Best Western
side as well. The truth is somewhere in that dark, murky middle. The Breach blog presents both sides of the
story, and draws the right conclusion: "At the end of the day, I haven't
a clue as to what happened in this incident." Stuart King takes the opportunity to maybe
share some lessons learned, such as that the ambulance chasers in the
media will jump all over bad news. But more importantly, the breach
(however large it was) happened due to a malware infection. Check (and
re-check) your defenses, hack thyself and use these
incidents as a reminder of what is at stake.
Link to this
The political impact of NAC
So what? -
Lots of folks, me included, have beaten down NAC because of hype and
the fact that the market space has not been able to live up to said
hype. Clearly there is a role for NAC in protecting information, but
it's not the Rosetta Stone of all things Internet security. One of the
forgotten issues of making NAC work is brought up by the Verizon
Business folks (looks like they have a new PR team, since they've
gotten more visibility in the last 2 months than in the past 2 years),
which is the fact that NAC
requires a cross-disciplinary effort to make it work. The
network team has to work with the endpoint team, and they all have to
work with the security and risk/compliance teams. Yes, big companies
have disparate teams to work on all these functions, and in many cases
there is a lot of territoriality and angst amongst them. Remember, the
enemy is out there, although on many days it seems they are sitting 3
cubes down. Basically, any large-scale IT initiative is going to require
a lot of coordination, buy-in and support (not to mention funding)
from a bunch of different groups. That's why I keep saying that one of
the (if not the) most important skill sets for a senior security
professional is the ability to persuade. In this heavy political
season, there is a lot we security folks can learn by watching the big
dogs do their political thing. Playing politics is part of every job,
probably more so for security folks because we don't really "control"
anything.
Link to this
The Laundry List
- MessageLabs buys some image analysis technology from Fortium. They are putting more stuff in their black box. Users still just want the spam to stop. - MessageLabs release
- $13 is not a lucky number for Vector/SafeNet, as Aladdin says, "our two remaining wishes are clearly worth more than $13." The Genie better have something good in that bottle, because given ALDN's last quarter, it seems the magic carpet is running out of gas. - Aladdin release, AP coverage
- Web sites are still a security mess. WhiteHat and Cenzic publish their website stats reports. Web security vendors don't agree on much besides the fact that we are all screwed. - Jeremiah's post, WhiteHat report, Cenzic release
Top Blog Postings
Free may be too much...
I've followed the token authentication business since it began. Yes,
that's almost 20 years at this point, and I can tell you that since
almost the beginning, it's been a constant search for what will be the
killer app to get consumers (or everyone within a business) using a
little token fob to log into their stuff. RSnake goes into a bunch of
reasons why it won't happen, and I agree with them. He focused mostly
on the fact that federation isn't going to work. I think the reason is
a bit simpler than that. The fact is CONSUMERS DON'T CARE ABOUT
SECURITY. Really, they don't. They say they do, and if they've gotten
hacked, they certainly do. But as long as it's the neighbor getting
their bank account pilfered, they are fine with their predictable user
name and weak password. A while back Entrust started the price war with
a $5 token, but that was targeted towards business users. VeriSign with
partner eBay/PayPal have been trying to push cheap tokens to their
users as well. Power sellers don't have to pay for them, but there has
been minimal adoption. Right, consumers don't care, and it's not like
it's a universal token that lets me log into all my sites. Now combine
a token with VeriSign's PIP service and maybe things could get a little
interesting, but probably not. Tokens get lost, and I can just imagine
the Boss calling me and complaining that she can't get into her email
or web sites because she misplaced the token. Yeah, not interested in
taking that call.
http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=161941
Link to this
Yeah, hack your third party vendors as well
You all know I'm a big fan of testing. Test your web apps, your
databases, your networks, your systems, your people and pretty much
everything else. If it can be hacked, you should be trying to hack it.
The bad guys certainly are. Stuart King also reminds us that we've got
a cross-enterprise collaboration model in effect now, and that means
we've also got to be making sure our third-party vendors have adequate
defenses. So I say, hack them too! At a minimum, scrutinize their
security program and look through their pen tests and other reporting
mechanisms. They may not want you to do that, but I don't view that as an
option. Stuart says he frequently visits his vendors and makes sure
things are where they need to be. He also learns from what his partners
are doing and can apply that to his own environment. Basically, we
can't leave data protection to chance, and if someone (whether they are
internal or external to your organization) has access to your data,
then they should be tested.
http://www.computerweekly.com/blogs/stuart_king/2008/08/third-party-vendor-security.html
Link to this
Remember to wear your seat belts
Of course, this falls into the category of "too little, too late" from
an advice standpoint. Most folks do a lot of driving over the holiday
weekends, so reminding everyone to do that after the holiday weekend is
a bit silly, but maybe a good reminder. I bring up the idea of
seatbelts because Matthew Rosenquist has a good "fortune cookie
security advice" tip which reads: "Security
policy is like a seatbelt. It will not protect you every time, but it
is guaranteed to fail if you choose not to use it." His
other fortune cookies were a bit less interesting, but this one
resonates. I'd also replace security policy with [any control] because
the statement is a truism. No security control is perfect, but if you
don't use it, I'm pretty sure it's not going to work. Relative to
policies, Matthew is absolutely correct in stating they need to be
constantly updated - basically living documents. But at the end of the
day, policy is grand, strategy is fine, but execution of those policies
and strategies is the only thing between us and chaos.
http://communities.intel.com/openport/blogs/it/2008/08/25/fortune-cookie-security-advice-august-2008
Link to this