May 18, 2006
Good Morning:
Slow news day, but that's not all bad. Gives me a chance to catch up on those tasks that pile up during the crazy days. The most interesting news I saw related not just to Blue Security shutting down, but a massive denial of service attack launched against its DNS provider, UltraDNS. More and more layers to this story keep appearing, which does make for some interesting reading.
Have a great day.
Top Security News
VeriSign buys GeoTrust
So what? - Yes, I wrote a separate post last night about the deal, but here is the "official" release. Clearly the most security-newsworthy item of the day, so I didn't want it to get lost. The link to my post is at the bottom of the newsletter.
http://www.geotrust.com/about/news_events/press/PR_vrsn_051706.pdf [1]
Check Point still interested in Sourcefire?
So what? - I love the Internet. It really flattens the world and means that when an executive says something in a far-away land, everyone hears about it. Gil Shwed has evidently not given up on buying Sourcefire, according to an interview he gave to an Israeli newspaper anyway. Well Gil, you'd better bring your checkbook, because the price is going up. And what makes you think the US Government would all of a sudden let the deal through? This seems like a red herring to me. Paint a picture of what could happen sometime in the future and don't focus on what is happening now. Time-tested tactic, but I don't think it's going to work. Check Point needs to communicate a better strategy than "maybe we'll try to buy Sourcefire again."
http://www.globes.co.il/serveen/globes/docview.asp?did=1000092912 [2]
Ingrian goes down market
So what? - Slow news day today, so I'm digging a bit. Back on Monday, Ingrian announced a new lower-end data encryption box. I think this is interesting from two perspectives. First, encrypting data at rest is important, given we are not sure if the bad guys are us anymore. Second, small boxes let enterprise customers ease into a big deployment. Encryption can really mess up an application, so allowing a customer to start small with limited traffic for a small number of applications is a good thing. Then they can grow into a bigger implementation as they start to understand the nuances of protecting the data without impacting the user experience. The "information" security market (as opposed to infrastructure security) will continue to be an early market for much of the next 12 months, but the need is there and the technology is maturing.
http://www.ingrian.com/news/pr060515.html [4]
Is endpoint security a feature of the pipe?
So what? - Having started my career as a networking guy, a pipe is a pipe is a pipe. But in the new world, differentiation is key for telecom providers. Digging into the archives for a release that hit on Monday, I found iPass has upgraded a pretty interesting "service" that offers a decent amount of endpoint policy control. They can do this because they run the remote access network. Yes, SSL VPN boxes can do a lot of the inbound security (patch levels, policy enforcement, etc.), but iPass has also added some outbound stuff (like blowing away a stolen laptop's hard drive, distributing documents, etc.). Again, this isn't anything you couldn't roll on your own, but part of the value proposition of the service provider is to do it for you.
http://www.ipass.com/pressroom/pressroom_releases.html?rid=204 [5]
Secure Computing buddies up to Microsoft
So what? - Strong authentication is hot. With the banks focusing on FFIEC mandates and a lot of other companies starting to worry a bit more about how easy it is to gain access, folks are much more willing to discuss stronger authentication. It seems that Secure Computing has figured out that Microsoft has a lot of customers and by integrating with things like Active Directory - you can sell stuff. Duh! So they've upgraded their strong auth product to interface more tightly with Microsoft. Now my day is complete. The point is that as traditionally enterprise security technologies make their way down market, they better play with the Microsoft stack as tightly as possible. Mid-sized customers have no tolerance for integration and a great majority of them are Microsoft-only shops.
http://www.securecomputing.com/press_releases.cfm?p=irol-newsArticle&ID=857759 [6]
Top Blog Postings
Blue Security is gone, but not forgotten (by the DDoS anyway)
Brian Krebs does great work. You should add his blog to your RSS reader immediately. Blue Security admitting defeat was evidently not enough; now these folks want to show that DNS remains vulnerable (which it does). So they attacked Blue's DNS provider, evidently very successfully. Security folks in the know shouldn't be surprised by the fact that massive attacks can be launched against DNS, but the seemingly ineffective nature of companies purporting to stop DDoS attacks is a bit concerning. I'm not sure what the answer is to stop a DDoS at this point.
http://blog.washingtonpost.com/securityfix/2006/05/blue_security_surrenders_but_s.html [7]
Vulnerability disclosures - just clarify your stance
The Matasano folks spend a lot of their time breaking stuff, mostly applications it seems. But what happens when they find something? With penetration testing outfits, you just don't know - until they spill the beans on an unpatched problem on one of the message boards. Matasano has published their disclosure policies. They are in favor of full disclosure, but don't see the need to put users in jeopardy. And if a customer tells them to keep it quiet, they will. I commend them both for disclosing their disclosure - and for keeping customers first. Not too many outfits do that nowadays.
http://www.matasano.com/log/302/matasanos-disclosure-rules-of-engagement/ [8]
Is your bank stupid?
It seems George Ou is a customer of Navy Federal Credit Union, and he's not exactly happy with their security policies. This is a pretty entertaining post about the communication he had with them and their ridiculous response that lots of banks don't secure logins even with something as simple as SSL encryption. Fact is George, you are pissing in the wind. Not every bank gets it (see yesterday's TDI for Winn Schwartau's interaction with his bank) and the answer is easy from my standpoint. Bank somewhere else. Vote with your dollars. That's the American way and what happens in a market-driven economy. I know, that's not a very community-oriented approach and I should fight for the little guys that don't know the difference. But I'm too damn tired to do that. All I can do is educate the little guy about what is right and wrong; I'm not about to go trying to change a bank's non-security culture.
http://blogs.zdnet.com/Ou/?p=226 [9]
Testing your AJAX application with open source
AJAX applications are happening, and I, for one, feel totally unprepared to understand the security significance or even to tell customers what to look for. Read this post first [10] from Darknet, which is a good primer about AJAX and the security implications. Then see that there is now an open source tool from a consultancy that can allegedly test an AJAX application. The tool is open source, which is an interesting model. I'd expect the web application scanner guys (Watchfire, SPI Dynamics, Protegrity/Kavado) to add this capability sooner rather than later - or risk seeing their business go open source. And to be clear, I don't actually play hands-on with these tools, so I'm just letting you know it's there. I'm not vouching for its capabilities.
http://www.darknet.org.uk/2006/05/sprajax-an-open-source-ajax-security-scanner/ [11]
Recently on the Security Incite Rants Blog
Deal: VeriSign buys GeoTrust
VeriSign has acquired their top competitor in the SSL certificate business, GeoTrust, for $125 million. There's not a lot to this deal besides furthering the economies of scale in VeriSign's security business. Though at least one reader voiced some chagrin in a comment about GeoTrust's good customer support becoming VeriSign's bad support.
http://securityincite.com/blog/mike-rothman/deal-verisign-buys-geotrust [12]
Blue Security and the drug dealer
The demise of Blue Security has some in the blogosphere worried that the spammers will now be more emboldened. Personally, I don't think so because hopefully no one will be stupid enough to launch another public DDoS attack on them (which was Blue Security's approach). In this post, I equate Blue to a drug dealer and go into why their approach is exactly the wrong way to combat the issue.
http://securityincite.com/blog/mike-rothman/blue-security-and-the-drug-dealer [12]
Read Wednesday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-17-2006 [12]