Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - February 14, 2008

By Mike Rothman
Created 2008-02-14 11:15
Today's Daily Incite

February 14, 2008 - Volume 3, #15

Good Morning:
Another year, another Valentine's Day. The time of year concocted by the flower business in cahoots with the chocolate industry and the greeting card folks. Let's just say I'm not a big fan of this annual February ritual. Yes, the fact that I'm so romantic is not lost on the Boss. I've been apologizing for almost 14 years now.

When you think about it, Valentine's Day is pretty kooky. Let's celebrate our love by eating chocolate. Huh? And not like a good 2 lb bar of Hershey's. It's got to be those weird chocolate things with gooey filling. Life is like a box of chocolates, you never know what you are going to get... It worked for Forrest Gump, not for me. Could they think of a worse, more addictive vice to use in celebration? Why didn't they just use opium if they wanted us to revisit our addictions every February? We could set up a big neighborhood hookah and party. Maybe we'll have a free basing lesson for the kids. Now that would be festive, wouldn't it?

Dead Roses [1]

I'll also admit to not being a flower guy. I'm horrified to admit that more than once my kid brother sent flowers to the Boss and signed my name to the card. Actually not that horrified or I wouldn't be telling you. Yes, my brother is a good, considerate guy. And me...not so much. He saved me from a bunch of hot water through the years.

I don't get flowers. They die. They don't smell that good to begin with and if you leave them in a vase for a few days they start to get funky. What's the use? I guess they add a little color to your house for a few days. If I want color, I could get fake flowers. At least they last a little longer, and they don't smell.

But that would once again put me in the soup with the Boss. She doesn't like the fakes. So I shelved that plan. 

What works for me is a card. I know the greeting card folks are in on the conspiracy, but that's OK because I like cards. It might have something to do with the fact that I write for a living. I usually pick a card that is funny and then I take a few minutes and write a nice note inside. A heartfelt message. One that is timeless and that she'll be able to look at in the years to come and remember that I'm not always a total jackass.

Another thing I like is that cards last forever. I still break out the first Valentine's Day card I got from Leah in 2001. It says, "To my First Valentine..." It's awesome. It's in the drawer right next to my desk and has been for 7 years. Try doing that with a flower.

Have a great weekend, and oh yeah, Happy Valentine's Day. Also enjoy President's Day on Monday. It's a Daddy weekend that is bleeding over until Monday - so I'll be back Inciting on Tuesday.

PS: I've posted the first two Days of Incite Posts. The 3rd hits later this morning and the 4th tomorrow.

  1. Express Your Inner Bean Counter [2]
  2. It's time for an audit revolution [3]

 dead flowers image uploaded by lolla_sig [4]



Top Security News

George is calling them on it [13]. Will it have any impact? Probably not, because it's a low-footprint issue given the number of folks that are likely vulnerable. You can't fix everything, so something has to fall off the list - I get that. If people were setting up MySpace pages with these kinds of voice exploits, it might get a higher priority. But until then it's back to the ostrich game. I hope the sand is warm. 
Link to this [14]

Here is a good overview of OATH at Network Computing [15]. But the fact remains that almost no one cares about strong authentication. The FFIEC did, so the banks had to spend the end of 2006 adding things like mutual and two-factor authentication to their banking sites. Last time I checked I was still able to get into my online banking system with a simple password. In fact, it's a password that can have NO MORE than 8 characters. How friggin' strong could that be? But are they going to issue tokens to everyone? Not a chance. It's cheaper for them to pay for the eventual fraud than it is to fix the problem. Yes, it's risk management gone wild, but it's all about the economics. I actually use very strong passwords (I use 1Password on my Mac to manage them) and thus I feel as safe as I'm going to. But the reality is that as long as it's cheaper to suck up the costs of fraud, passwords will be good enough.
Link to this [16]

Symantec researcher on their blog [17] (H/T to Ed Moltzen for pointing it out [18]). That's an interesting question. My answer is an unqualified no. We can move on from PDF no sooner than we jettison DOC or XLS or PPT. PDF is the way a lot of information gets sent around. Now to be clear, Adobe needs to bring their A game (like what Microsoft has done) because they are now a target. They need a structured patching process and to invest a crap load of money in security research to be able to respond to the threats. But ultimately it's software, which means there will be holes. What to do? Don't put all your eggs in one basket. You need layers: strong anti-spam that stops a lot of the solicitations from getting through, web gateways that protect users from themselves, and endpoint protection just in case the other stuff doesn't get it done. And then you'll still get nailed. Then you kick your incident response plan into gear. I guess if I think about it, we could stop using PDF. In the same way we could unplug from the network as well. That's definitely one way to stay protected.
Link to this [19]

The Laundry List

  1. Speaking of passwords, BioPassword can stop credential sharing. It's interesting, but only after someone finds their accounts shared on warez boards. - BioPassword release [20]
  2. Ron Gula answers the question, "How often should we scan?" A lot and with Nessus. What did you think he's going to say? To Ron's credit, he actually has decent reasoning behind it. - Tenable blog post [21]

Top Blog Postings

2008 Incite [22] (#9), I pretty much took a dump on DLP. Though to be clear (and I will be when I write the Days of Incite post) it's not because DLP doesn't solve a problem. It's really a market acceptance issue. The parallels I see between DLP and SIM are significant. Both are hamstrung by taking a long time to get value, and there are other ways to solve the problem for a lot less money that are good enough. Not perfect, but good enough. Before we write off DLP, let's get back to the problem. The fact remains that our data is pretty much everywhere now and although controlling it is a losing battle, we need to fight the good fight. Tom Olzak brings up another use case, and that is the online collaboration applications. I'm starting to use Google Docs for some work I'm doing and over time I'm sure I'll be doing more of that, not less. My data isn't that important, but yours might be. I don't think this will be enough to push DLP through the chasm this year, but it's certainly something to think about.
http://blogs.ittoolbox.com/security/adventures/archives/the-promise-and-the-threat-of-webbased-productivity-suites-22412 [23]
Link to this [24]

http://securitybuddha.com/2008/02/07/security-marketing-spinning-further-out-of-control/ [25]
Link to this [26]

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1295905_tax309647,00.html [27]
Link to this [28]



Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-february-14-2008