September 24, 2008 - Volume 3, #78
Good Morning:
I remember when I was a kid, one of the "crazy" things we used to do
were crank calls. You know, call someone up and call them a name. Or
dial the phone at 2 AM and just let it ring. Or call them and say the
pizza will be delivered in 15 minutes, thanks for the order. Silly
stuff like that. We even took advantage of three way calling phones to
put together some ad hoc conference calls. We'd call the really cute
girl and then connect her to the not so cool guy. They didn't have a
lot to say to each other. Those were a lot of
laughs.

And then caller ID became available. And the *69 service to ring back a
number that just called. I'm sure it was quite a surprise to the first
few crank callers that got a call back from an irate parent about a
call at 2 AM. OK, that gig is done. A casualty of technical innovation.
Now it seems that simple hacks are also done. Since they have allegedly
identified the Gov. Palin email attacker, through of all things, a
proxy log - it's a lot more dangerous to do simple pranks nowadays. Of
course, hacking into the email account of a vice presidential candidate
is more than just a simple prank, but the outcome is the same.
You can run, but you can't hide. Unless you live in Estonia, that is.
Script kiddies be warned, unless you fancy a visit from the FBI at an
inopportune time (is there an opportune time for a visit from the
FBI?), you better improve your obfuscation techniques. Attackers always
leave a trail, the question is does the trail lead to your dorm room,
or somewhere it would be very hard to track. Like Estonia.
But that's not even the point. They'll make an example out of this
Palin email attacker, and they should. It'll be a deterrent for all of
the novices that realize they are out of their league. Not in
attacking, almost anyone can do that. But not getting caught.
Will something like this public execution deter the general increase in
Internet fraud that we've seen? I say nope, not by a long shot. The
reality is the risk-reward equation is still heavily weighted in favor
of the bad guys. Especially in Estonia. It's prohibitively expensive to
prosecute them and it's incredibly lucrative for them to continue
stealing. How do you think that ends?
Right, don't leave anything to chance. Monitor your bank accounts and
credit cards almost daily. Use
strong passwords (and probably a password manager) on the accounts that
matter, like your financial accounts, web mail, and ecommerce sites.
Teach your friends and family to do the same types of things. Apply the
REACT FASTER doctrine to your own personal lives. They'll catch some of
the bad guys (especially if they live in the US), but there are always
another 10 to fill the wake of the last one.
That's just the way it goes.
Have a great day.
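As an added illustration of the "use strong passwords" advice above (example code added here, not part of the original newsletter), the script below shows what "strong" means in measurable terms: it draws passwords and passphrases from the operating system's cryptographic random source and computes the entropy each choice carries. The word list is a constructed 32-word stand-in for a real diceware-style list; the 64-bit minimum is an assumed policy threshold, not a figure from the page.

```python
import math
import secrets
import string

# Constructed mini word list (an assumption for this example). A real
# diceware-style list has thousands of words; 32 words give exactly
# 5 bits of entropy per word, which keeps the arithmetic easy to check.
WORDLIST = [
    "anchor", "basket", "candle", "desert", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yellow", "zipper", "copper", "marble", "pillow",
    "river", "summit", "tunnel", "violin",
]

# Full printable ASCII pool: 52 letters + 10 digits + 32 punctuation = 94.
CHAR_POOL = string.ascii_letters + string.digits + string.punctuation

# Assumed policy threshold for this example; pick your own for real use.
MIN_BITS = 64.0


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen independently and uniformly
    from a pool of `pool_size` symbols: length * log2(pool_size)."""
    return length * math.log2(pool_size)


def generate_password(length: int = 16, alphabet: str = CHAR_POOL) -> str:
    """Random character password. `secrets` uses the OS CSPRNG; the
    `random` module is not suitable for credentials."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Random word-based passphrase, easier to remember at equal entropy
    when drawn from a large enough list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def meets_minimum(bits: float, minimum: float = MIN_BITS) -> bool:
    """Policy check: does a uniformly random secret of `bits` entropy
    clear the assumed minimum?"""
    return bits >= minimum


def words_needed(wordlist_size: int, minimum: float = MIN_BITS) -> int:
    """Smallest passphrase length (in words) that reaches `minimum` bits
    for a list of `wordlist_size` words."""
    return math.ceil(minimum / math.log2(wordlist_size))


if __name__ == "__main__":
    pw = generate_password(16)
    pw_bits = entropy_bits(len(CHAR_POOL), 16)
    print(f"16-char password  {pw!r}: {pw_bits:.1f} bits, ok={meets_minimum(pw_bits)}")

    pp = generate_passphrase(6)
    pp_bits = entropy_bits(len(WORDLIST), 6)
    print(f"6-word passphrase {pp!r}: {pp_bits:.1f} bits, ok={meets_minimum(pp_bits)}")
    print(f"with a {len(WORDLIST)}-word list you would need "
          f"{words_needed(len(WORDLIST))} words to reach {MIN_BITS:.0f} bits")
```

The point the numbers make: six words from a tiny list come to only 30 bits, while sixteen characters from the full printable pool exceed 100 bits. A passphrase only competes when the list is large (thousands of words), which is exactly the kind of generation a password manager does for you.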
Photo: "0898 Hot Monkey Talk", originally uploaded by lemur [1]
Top Security News
Susan Hanley rails against this kind of crap
on her NetworkWorld blog. [10] Sometimes I'd like to have a
conversation like I have with my kids. The reality is kids don't think
you are any smarter than them. They can't really because the idea of
smarter or dumber is an abstract concept. So they figure they can just
pull the wool over your eyes and you'll smile and be happy. Of course,
they don't realize I pulled the same stunts when I was a kid. But at
some point, you grow out of that. At some point you realize that the
person on the other side of the conversation isn't dumb and by
"spinning" a version of the "truth" that may not be so truthful, you
not only alienate them - you piss them off. But it's like the old
Cabletron pricing model (why are you three times more expensive?
Because 10% of the customers just pay it and we discount for everyone
else), they figure a certain percentage of customers won't know the
difference and they'll just accept the spin as fact. Personally, I find
that perspective appalling and do my best to call it out with great
vengeance and furious anger those who would attempt to poison and
destroy my brothers.
Tim Wilson on the dichotomy between what
problems customers need to solve today vs. what problems much of the
vendor world is talking about [12]. To use yet another political
analogy, the house is burning down and all we talk about is lipstick on
pigs. He's exactly right and in a lot of cases the media is responsible
for this. Fact is, the media gets paid based on page views now. Most of
the technology magazines are thin and many others have just gone away.
Everything is online nowadays and that means it requires page views to
monetize. No one wants to hear about the burning house because everyone
knows it's burning. It's not interesting anymore. So the media covers
the stuff that is new, maybe sexy, and certainly interesting (like
virtualization security) REGARDLESS of the fact that very very few
people actually have the problem. You also have another dynamic here
which is technology M&A. Emerging vendors need to make their
products interesting, and deceive the buyers (acquirers, not
enterprises) into thinking there is a market for the product. Then they
can get a big valuation and make market development into the acquirer's
problem. And the final factor, most of the folks truly in the trenches
don't listen to a lot of the vendor babble. They are too busy getting
their ass handed to them every day.
according to Walt Mossberg anyway [14].
And I tend to believe Walt because he's NOT a security guy. He's a tech
user and he's much more interested in user experience. This is good
news for Symantec, since reducing the nuisance factor will become a big
differentiator - absolutely in the consumer space and I also suspect
for business users as well.
The Laundry List
- This is why Cisco has such market share. They've got their own fanboys that save their shekels to buy equipment for a lab to get more Cisco certifications. - Cisco Subnet blog (on NetworkWorld) [16]
- Words you live to regret. Evidently Websense sees the economy as a "non-recession." Help me understand the upside of that kind of statement. Especially after the class action attorneys go after them when they miss. - Tech Ticker [17]
- Imprivata gets two patents on biometrics, maybe they are looking at a Tumbleweed-esque go to market strategy. Except no one really cares about biometrics. - Imprivata release [18]
- Oracle updates their GRC offering, but forgets to mention what the thing does (at least in the release). It's Oracle, just trust them. - Oracle release [19]
Top Blog Postings
http://www.cutawaysecurity.com/blog/archives/320 [20]
http://www.emergentchaos.com/archives/2008/09/think_like_an_attacker.html [22]
The Black Swan [24]. Yes, it's hard to
get through. Yes, your eyes will bleed at times. But it really
solidified in my mind the reality that we cannot predict the next
successful, widespread attack, so you have to plan for that. The sin
of the Financials is that they didn't foresee a total meltdown of the
sub-prime business. It was an outlier and they didn't plan for it and
now the US taxpayer will be footing the bill. You couldn't assign a
probability to this kind of occurrence, but it did happen which makes
Rich question the ultimate value of trying to quantify risk. The
Black Swan approach assumes nothing and forces you to know how to react
when an unknown happens. And that's how we live to fight another day.
http://securosis.com/2008/09/17/the-fallacy-of-complete-and-accurate-risk-quantification/ [25]