April 2, 2008 - Volume 3, #33
Good Morning:
I hate April Fool's Day. That's right. I said it. Hate. Despise. I'm
basically bored with it. You know a bunch of horse's asses are going to
try stuff and 99% of it will be stupid. In fact, we all expect it. So
April 1 is probably the second least productive work day of the year.
The first day of March Madness being the first.
That's why I didn't publish yesterday. I started going through my news feeds and I had to take twice as long to really tighten up my bullshit detector. It just wasn't a good use of my time. So I got other stuff done instead.
My general 4/1 disdain aside, there were some innovative hoaxes that
were very indicative of our general situation. The first I'll highlight
is Jeremiah and RSnake's Scanless PCI [1]. What a great idea,
and I guarantee if just one auditor said that was cool, you'd have a
hundred million dollar business overnight. But they are giving it away.
So you'd have a million customers overnight. Note that the site was
built with Jeremiah's side project Roxer [2].
The second is Bejtlich's "acquisition" of Sguil by the
Cisco empire [3]. This was pretty funny and I actually will admit
to searching Cisco's site just to make sure. I think acquiring the
Sguil project would actually be a great move, which is why Richard's
hoax got a few to bite.
But some of the bigger ones like TechCrunch suing Facebook were stupid.
Who gives a crap? And that's the point. Folks spend a lot of time
trying to create a plausible ruse. And then they do it on April 1. It's
a waste of time.
Let me relate that back to security for a second. This is why being
predictable is the death knell. If everyone knows you are pulling a
stunt, they are ready for it. If no one knows, you have a chance. If
you do predictable stuff in your defenses, then a skilled attacker will
shred you. Part of success is keeping folks off balance. At least the
bad guys.
That's what made the Mogull and the Hoff's hoax about Chris reprogramming Rich's house [4] so good. It was unexpected. It wasn't during a predictable time. And if you read the comments on Hoff's post, a lot of folks went for it. Rich clarifies a bit [5]. If you are predictable, you are a sitting duck.
Have a great day.
Photo: "the horse's ass was smiling at me..." originally uploaded by saintovbastards [6]
Technorati: Information Security [7], CSO [8], Security Mike [9], Internet Security [10]
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [12]
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com [13]
Top Security News
Hannaford Brothers data breach was the
result of an inside job [15]. Really? More details are here [16], as well as Stiennon's take [17]. Evidently
the malware planted on the servers to intercept transaction traffic
just couldn't have been planted by an outsider. Really? I'm not saying
it wasn't an insider because I don't know that. It is a good reminder
to make sure you are watching the watchers, and have good
administrative controls and separation of duties implemented. I'm with
Mogull in not being willing to make the assumption that an outsider
couldn't have done it. If they got access to one server, they could
have done a lot of reconnaissance, found the other servers, planted the
malware and run to the bank. Of course, if they were monitoring their
network, they should have been able to see the odd traffic dynamics
which would have been indicative of either an insider or outside job.
If they kept good, secure log records off the device, then they'd be
able to know if an administrator changed something like permissions and
installed the malware. But it's not clear that they did either of
these, so we all get to speculate while the forensics guys try to clean
up the mess.
Link to this [18]
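The point above about off-device logs and watching the watchers is easy to state and easy to skip in practice, so here is an added example (not from the newsletter, and nothing to do with Hannaford's actual systems) of what a collector can do with the records once they are off the box. It assumes a constructed syslog-style audit feed with user, action and target fields, a constructed change-ticket list where each ticket names a requester and a separate approver, and a constructed set of actions considered privileged. It flags privileged changes that no approved ticket covers (or that the admin approved for themselves), and then looks for the same user repeating the same install across several hosts, which is the shape of one admin account, insider or stolen, being reused to seed servers.

```python
"""Flag privileged changes on transaction servers from off-host audit logs.

Added example, not from the Security Incite post. The log lines, hosts,
change tickets and the set of privileged actions are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed sample of what an off-host collector might hold after the fact.
SAMPLE_LOG = """\
2008-03-10T02:14:07Z pos-srv-03 auditd user=jsmith action=chmod target=/opt/pos/bin/txproxy mode=4755
2008-03-10T02:14:31Z pos-srv-03 auditd user=jsmith action=service_install target=txrelay
2008-03-10T09:02:11Z pos-srv-03 auditd user=mlee action=chmod target=/var/log/pos mode=0640
2008-03-11T01:55:40Z pos-srv-17 auditd user=jsmith action=service_install target=txrelay
2008-03-11T14:20:00Z db-srv-01 auditd user=svc_backup action=file_write target=/backup/nightly.tar
"""

# Constructed approved change tickets: (requester, approver, host, start, end).
CHANGE_TICKETS = [
    ("mlee", "rchen", "pos-srv-03", "2008-03-10T08:00:00Z", "2008-03-10T10:00:00Z"),
]

# Actions an administrator can take that should always trace back to a ticket.
PRIVILEGED_ACTIONS = {"chmod", "chown", "service_install", "user_add", "sudoers_edit"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auditd user=(?P<user>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    action: str
    target: str
    reason: str


def parse(line):
    """Return the fields of one audit line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def _utc(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _covered(event, tickets):
    """True when an approved ticket covers this event and the approver is
    not the same person making the change (separation of duties)."""
    ts = _utc(event["ts"])
    for requester, approver, host, start, end in tickets:
        if host != event["host"] or requester != event["user"]:
            continue
        if approver == event["user"]:
            continue  # self-approved work does not count as approved
        if _utc(start) <= ts <= _utc(end):
            return True
    return False


def find_unapproved_changes(log_text, tickets=CHANGE_TICKETS):
    """Privileged actions with no approved, separately-authorized ticket."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["action"] not in PRIVILEGED_ACTIONS:
            continue
        if not _covered(ev, tickets):
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], ev["action"],
                                    ev["target"], "privileged change with no approved ticket"))
    return findings


def repeated_across_hosts(findings, min_hosts=2):
    """Same user, same action, same target on several hosts: the pattern of
    one admin account being reused to plant the same thing everywhere."""
    seen = {}
    for f in findings:
        seen.setdefault((f.user, f.action, f.target), set()).add(f.host)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    hits = find_unapproved_changes(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(repeated_across_hosts(hits))
```

On the constructed sample the 09:02 chmod by mlee is covered by the ticket rchen approved and is not reported; the three off-hours changes by jsmith have no ticket and are, and the repeated txrelay install on two hosts is surfaced separately. The check only works because the records live on the collector: an administrator who can edit the local log can remove the lines, but cannot reach back into a copy that already left the host.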
This guy profiled in this NetworkWorld story takes the cake [19]. How about this quote: "Whenever I smell
flowers, I think funeral." That's awesome. Ian Angell's point to all
this is that we have to think about the ramifications of the technology
we use to solve problems, and the security folks are at the forefront
of those efforts. We need to somehow be more proactive about dealing
with those issues. Perhaps Professor Angell has a crystal ball or other
fortune telling technique he shared with the Black Hat Europe audience.
Unfortunately, we are always reacting and we need to be. Security
cannot hinder innovation, not for long anyway. The world keeps turning
and our job is to make sure it's as safe as it can be, within
acceptable constraints. We cannot eliminate all security issues, in
fact we probably don't want to. But we need to understand them, and
make sure that business managers get the full picture of what can
happen, so they can decide how to most effectively allocate resources.
Link to this [20]
A little ditty detailing 10 security "land mines" [21] that can and should be avoided. Before I get to the
list, I'm just happy this wasn't delivered as one of those stupid
screen shows on the media networks. You know, the Top 15 hackers or the
Top 10 ass-scratchers and you click only to get an amateurish set of
PPT slides and a paragraph of text. It's just a way to boost page
views, since evidently that is a more important metric than REVENUE for
the media companies. If you fail to remember history, ... But back to
the topic. Hines' top 10 list is pretty good and covers a lot of the
stupidity that many of us security folk spend a lot of time cleaning
up. He also covers some compliance and general security no-no's.
There's even a quote or two in there from me, which I'm sure totally
ruins this piece's credibility. Like not checking the email address list or giving away passwords to sophomoric social engineering tips. Read the list and make sure this stuff is baked into your security awareness training and other defenses.
Link to this [22]
The Laundry List
- OMG. Security spending slowing down. According to Raker anyway and this is a ballsy call. Most folks still think security is safe from a recession. Not so much. - Barron's coverage [23]
- Websense introduces the "HoneyGrid." Barry B. Benson [24] is really pissed. Another misuse of slave Bee labor. - Websense release [25]
- McAfee asks people to volunteer to be spam receptacles for 30 days. Didn't they see "Super Size Me." - McAfee press release [26]
- Trend goes for the X-beam to increase performance of their email gateway. There's already a virtual security layer for email, it's called Postini or MessageLabs. - Trend Micro release [27]
Top Blog Postings
http://www.avolio.com/weblog/security/Zero-to-expert-Mark2.html [28]
Link to this [29]
http://blog.ivanristic.com/2008/03/ive-recently-ha.html [30]
Link to this [31]
http://srmsblog.burtongroup.com/2008/03/is-pci-complian.html [32]
Link to this [33]