March 29, 2007 - Volume 2, #53
Good Morning:
The Kathy Sierra saga continues. Now one of the folks accused of the misdeeds is claiming that he's been owned, that his email addresses were hijacked, and that it wasn't him. Ken Camp knows him and believes him (here [1]). Now this really is a security issue, and besides the ethical issues of anonymity, this is an interesting case study.
Basically, this guy had an incident, and as opposed to moving to contain the damage immediately (by maybe calling Kathy on the phone), he let it fester into, as Doc Searls says, "a category 5 sh** storm" (here [2]). So his first mistake was not following the first rule of crisis communications: get out there and tell your side of the story. Don't let it fester, deal with it. Or else you are covered in sh**, just as this guy is.
Enough of that; whether he's guilty or not is not the issue, it really isn't. I think this is a wake-up call and definitive evidence that we need to have some kind of reputation system on the Internet for these Web 2.0 communities. Not sure if that should look like an eBay-like rating system or something more formal, administered by a third-party network (presumably commercial). With standards like OpenID maturing, the authentication piece may actually be possible. Now it's about integrating some kind of reputation database into the mix.
Would it entirely solve the problem? Maybe not, because this dude's identity could still be pilfered and his reputation hijacked, so maybe you overlay some simple second authentication factor (keystroke dynamics or something similarly portable). Hmm. That is pretty interesting. I know a lot of folks in the security community are trying to figure out what we can do to avoid this kind of issue, maybe this idea warrants some discussion.
You know me, throw some sh** against the wall and see what sticks. Maybe this will stick.
Have a great weekend.
Technorati: Information Security [3], CSO [4]
[5] | The Pragmatic CSO is Here! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [6] |
Top Security News
here [7]). Is it good? Of course not, but if a compromised company aggressively communicates what happened, what they are going to do for customers, and what they are doing to make sure it doesn't happen again, they can certainly recover. Those that stonewall customers, leave them hanging out to dry and basically point the finger at someone else don't fare as well. TJX anyone? I suspect we are going to have some folks start analyzing whether these data breaches (even the ones that are handled horribly) actually do any monetary damage to a company's market cap over a 2 month and 2 year time period. Now that would be interesting data.
Link to this [7]
here [8]). It's actually an interesting choice to target that market space. Firstly, I hope RSnake is prettier than Ace Frehley. Yes, that bar is pretty low. I actually think this is a good move, since RSnake is well known and clearly pretty smart. The only issue is whether the mid-market will pay enough. Services aren't really leverageable, so he's constrained by the number of hours in a day and I suspect a larger shop would pay more for a security rock star. But good luck Senior Snake, I wish you well. I have a lot of respect for entrepreneurs. Jumping out into the chasm is awfully hard to do.
Link to this [8]
Here [9] Tenable announces the ability to discover sensitive data at rest by scanning file shares and the like. Ron went into more detail about the capabilities on his blog (here [10]). It's the first step of poor man's leak prevention (figuring out where your sensitive data is), but given that you need to be a rich man to do leak prevention today, it's an interesting alternative. Even more interesting is that this capability will be available ONLY to Tenable's paying customers. That means you won't get this after a week. So the open source and commercial derivatives of Nessus are starting to diverge. It'll be interesting to see how the community reacts to this, but I think it's the right thing to do. At the end of the day, Tenable has to run a business, and I suspect folks will understand that. But I've been surprised before.
Link to this [10]
The Laundry List
Speaking of scanners, GFI updates their low cost vulnerability management suite. - here [11]
Alert Logic says SMBs "could have been" compromised twice a week, based on studying their clients. Hmm. I don't buy it, the findings seem funky to me. - here [12]
YASW. Yet another Skype worm hits. Big friggin' deal. Don't click on links in a Skype chat session. Is that so hard? - here [13]
PGP loves Vista, until they build PGP in, of course. - here [14]
Evidently VASCO is in the UTM business. Who knew? They add SSL-VPN here [15].
Top Blog Postings
http://taosecurity.blogspot.com/2007/03/security-operations-fundamentals.html [16]
Link to this [16]
http://www.stillsecureafteralltheseyears.com/ashimmy/2007/03/leaving_your_fa.html [17]
Link to this [17]
http://securityviews.com/blog/2007/03/28/getting-to-secure-incrementally-and-practically/ [18]
Link to this [18]