Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - October 20, 2006

By Mike Rothman
Created 2006-10-20 08:13
Today's Daily Incite

October 20, 2006 - #139

Good Morning:
It's Friday already? Some weeks go slooooow, but not this one. Travel usually accelerates the week, and having a lot on the ol' plate doesn't help either. But since I was gone last weekend, there will be lots of catching up around the house and with the family this weekend. Kind of an eclectic day in security-land, with earnings from a lot of security stalwarts hitting (here [0]) this week. I get a lot of good perspective and detail from the earnings calls, but they are very time consuming. That is, until I found the SeekingAlpha site (here [1]), where they publish earnings call transcripts for free. It's pretty cool, so check it out if that's your thing.

In other security news, I found a couple of MSS-related stories interesting, such as Counterpane going deeper into the application layer (here [1]) and a selection-criteria article for SMBs looking at MSS (here [1]). In blog land, I look at some of the early information on IE7, including the first potential vulnerability (here [1]), and also point to a very interesting post by Ed Moyle about who is at fault for pretexting and social engineering if done with nefarious intent (here [1]). Thanks, Ed, for making me think.

Have a great day and enjoy your weekend.


Top Security News

here [3]), VeriSign (here [4]), Juniper (here [5]), Citrix (here [6])

here [7]) and Craig Shumard, CIGNA (here [8])

http://money.cnn.com/2006/10/17/technology/bc.life.passwords.reut/

http://www.counterpane.com/pr-20061009.html [10]

http://searchsmb.techtarget.com/tip/0,289483,sid44_gci1225401,00.html [11]

Top Blog Postings

here [12]). Which is not surprising, because although most hackers aren't looking for notches on their bedposts anymore (there's no money in that), there would be some mojo for the guy/gal who broke IE7 first. Jeremiah does think it's pretty serious, but with a relatively small install base (it isn't pushed out en masse via Microsoft Update until next month), the damage should be contained. More to the point, as George Ou points out, for those of you who require IE for business, IE7 is a good thing for you. His points about the restrictions are good as well. You should be running XP SP2. Personally, I'm a Firefox guy and that's not going to change, but for those applications that require IE I'll be upgrading my PCs to Oy Vey7.
http://blogs.zdnet.com/Ou/?p=349

here [14]. Fact is, Apple elicits passion, both positive and negative. That's what makes them great. Microsoft, not so much. They are "pedestrian," which in marketing is not really a good thing.
http://securosis.com/2006/10/18/apple-security-and-trust/

Digital Fortress [16], which was very entertaining. Some folks get hung up on reality and editorial license, etc., but not me. I ripped through it and enjoyed it, which is good enough for me. But the main point of the book (without giving anything away) is that someone needs to be watching the watchers. This is a point that Ed Moyle makes, first by talking about how he's not going to talk about Apple. Then he builds a case that the investigators in the HP pretexting fiasco may not have been wrong. Huh? That was my reaction as well, but then Ed goes into how the same methods could be used in a penetration test. Under the guidance of a CIO (or CEO), if a pen tester does something bad, who takes the brunt of the fall-out? The pen tester is doing his/her job, and I personally believe in using those methods in pen tests because that's what the bad guys will do and you need to know how you'll fare. But it's getting a bit murky. Then he further complicates the matter by positing a scenario where the CEO could be acting unethically and using pen testers to get information that he shouldn't have. Hmmm. So I'll get back to the point: who is watching the watchers? It's advisable to have lots of checks and balances to make sure that no one (not even the CEO) can do things without having to answer for them. We should have learned this lesson from the Tyco, Enron, and MCI fiascoes.
http://www.securitycurve.com/blog/archives/000468.html

http://www.identitytheftspy.com/2006/10/how_can_a_regul.html


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-october-20-2006