Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - July 25, 2008

By Mike Rothman
Created 2008-07-25 09:48
Today's Daily Incite

July 25, 2008 - Volume 3, #64

Good Morning:
The DNS flaw exploit code is in the wild. And people are surprised, chagrined, angst-ridden, and otherwise all up in a tizzy about it. Some folks are lashing out via their blogs. The Mogull questions why [1], Hoff figures a way to work wand extensions into the discussion [2]. But Martin boils the discussion down to its very core.
It's all about me!
"...There’s a serious problem with the security researcher community where being the first to discover and disclose an incident like this is more important than getting the problem solved for as many companies as possible."  (from Network Security Blog [3])

Why are we surprised? Researchers are researchers are researchers. This has been a problem relative to healthcare research since the beginning of time. It took someone like Mike Milken (yes, the infamous Drexel Burnham banker) to bridge the gap and start getting cancer researchers to work together and partner with industry [4]. 

And how'd he do that? MONEY. That's right, tradeable hard currency. Which, by the way, is one of the major problems with "research," or let's say basic research at its core. There's very little money in it. Medical researchers toil away for years, trying to kill (or heal) rats to isolate a compound that very likely will have no impact on anything. Many of them have to hump the legs of governments, charities, and anyone else to fund their life's work. That's time they aren't researching.

If they do find something, maybe they can start a company and maybe then they can make some money. That's a big maybe. So in the absence of clear financial gain, researchers will usually opt for public recognition and fame. Some have sufficiently big egos that, money aside, it's still all about them. So you think some of these ego-maniacs are going to let someone else take the credit for years of toil in dark, dingy laboratories?

Fat chance.

It gets even better, because some researchers have such huge egos that they can't let anyone else be successful. They treat it like a zero-sum game, either trying to talk down the findings or figuring out a way to piggyback on the research to get their attention fix. It's sad, really, and since this is not just precedent but typical behavior in healthcare research, why do we think security researchers would be any different?

Human nature tends to evolve over eons, so accept the game for what it is. But that doesn't mean you have to like it or even go along with it. If by chance you find yourself in a position to do the right thing, then do so. You can't control anyone else's actions - but you certainly can control your own.

It all starts with one person. One person can change the world. Don't ever forget that. Have a great weekend. 

Photo: "It's all about me." originally uploaded by Monceau [5]


Top Security News

Tim highlights an Infonetics survey about delayed NAC deployments [14]. Since they talked to 242 users, that is representative of the mass market. Uh huh. Whatever. He also points out that NAC is still pretty complex [15], and finds some users to verify that. Remember that bad news makes much better news than good news. And generating page views is their business. It's much harder to find success stories, but at least try to have a balanced view of what you read, and don't believe it all. That's why I read so much varied stuff. It allows me to see the trends and draw conclusions from a wide swath of territory, not just from one opinion piece or a statistically insignificant survey.

InformationWeek folks have done yet another survey about CEO visibility [17], but they asked the CIOs - who presumably have a lot more visibility with CEOs than a security professional. Most tend to see the CEO either weekly or monthly (70% of the total). Is that a lot or a little? It depends on what you are trying to do. I guess another way to ask the question is: how often does the senior security professional meet with the CIO? Is it weekly, or more often? There are no right or wrong answers here, but if you don't feel you are getting enough face time, then start to agitate to get more. Whining about it or complaining about how you can't get anything done because you have no executive support isn't really a good answer.

Some folks from U of Michigan analyzed 214 online banking sites and found that 76% had design flaws [19]. Some were serious (secure login box on insecure pages, improper use of SSN, redirect to 3rd-party sites) and some not so serious, but the issue the researchers had was that the banks are sending mixed messages to their customers. We've got to train consumers to be more security aware, and if their banks can't even do it right, it's hard to see how we are going to make progress. Since there is no mandate for decent web design, this is what we are stuck with.


The Laundry List

  1. One spammer enters, another leaves. Soloway gets 47 months [21] (tell Vick we said hello) and Eddie Davidson escapes [22]. Guess he was having a bad case of email withdrawal. Ed Dickson wonders if any of it matters [23].
  2. Intrepidus launches PhishMe, which tests your employees' ability to tell an attack from legit email. I'm a big fan of testing, so I hope these guys do well with this. - Intrepidus release [24]
  3. Check Point announces 2Q results. You can also check out the conference call transcript [25]. - Check Point release [26]
  4. EMC also announces results. RSA growing at a slower rate (15% to $144 million top line) than the entire company. That can't be good. - EMC earnings release [27]

Top Blog Postings

http://layer8.itsecuritygeek.com/layer8/the-power-of-fail [28]

As Shrdlu points out, this is about narcissism [30]. Plain and simple. So find these folks and throw them off the bus quickly, and make sure you remove their access BEFORE they know what's going to hit them. Martin brings up a number of good, derivative points about logic time bombs. But ultimately, you have to wonder how this could happen. How could one password control all of the keys to the kingdom? Crappy design, and an inability to think about FAIL (see above). But entertaining nonetheless.
http://www.mckeay.net/2008/07/16/why-no-one-person-should-control-it-all/ [31]

http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=159324 [33]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-july-25-2008