Daily Incite

The Daily Incite - March 22, 2006

Submitted by Mike Rothman on Wed, 2006-03-22 07:37.
Today's Daily Incite

March 22, 2006

Good Morning:
We are the good guys. Always remember that. Reading a story about the cost of data loss reminded me that information security is important. We may not win all the battles, but we must win the war. People get hurt when scammers and fraudsters are successful in compromising personal data. Keep that in mind next time you get discouraged because of the 1000th stupid thing some user did.

On a lighter note, The Daily Incite is evolving rapidly. Each morning I'm going to list what I think are the TOP 5 security news stories. I'll apologize for burdening you with 8-10 stories each day because I thought they were interesting. I always need to remember (and pay attention) to my role, which is to save you time. I'll still post the blog stories that I think are interesting, but the filter on those is going to get tighter as well.

Finally, in some cases you'll see a "snipurl.com" link for the news stories. This is intentional as some of the URLs that the trade pubs use (got to love those content management systems) are long and very ugly. SnipURL gives me the ability to shorten them.

Have a great day.

Top Security News

Endpoint Security RoundUp (http://snipurl.com/nx6g)
So what? - Yes, endpoint security is still happening. In this story, SearchSecurity mentions a couple of different news items focused on controlling endpoints from doing bad things. It may be using USB thumb drives to steal data or having a risky wireless profile, but the issues are similar. Enterprises need to gain more control of their devices by enforcing policies to make that happen. How granular and draconian the policies are will vary, but not being able to control those devices is a mistake.

The High Cost of Data Loss (http://www.informationweek.com/security/showArticle.jhtml?articleID=183700367&pgno=1)
So what? - InformationWeek's cover story this week is about privacy and data loss. It's worth a read. Not because it tells you things you don't know. But because it reminds you of the personal cost that the bad guys extract when they are successful. When things get tough and you are overwhelmed, these are helpful stories and anecdotes to keep you focused.

Data Centers Do Not Have Risk Management Plans (http://www.informationweek.com/story/showArticle.jhtml?articleID=183701425&cid=RSSfeed_IWK_winsecurity)
So what? - AFCOM, an association of data center managers, did a survey that showed 17% have no risk management plan. Usually I am suspect of surveys, but this one was used to bolster a prediction (as opposed to sell products). That prediction, "Within the next five years, one out of every four data centers will experience a serious disruption;" is right on the money. So not having a clear, practiced plan for disaster recovery is career suicide. Organizationally, the data center organization and the security group may be separate, but I'm not in the excuses business. By the way, neither is your boss. So make sure there is a plan to recover from any type of system compromise and keep the business operational.

Following the Money (http://www.cdt.org/privacy/20060320adware.pdf)
So what? - Very interesting report at this link by the Center for Democracy and Technology. They break down how adware networks permeate their ads through unsuspecting (or uncaring) advertisers. They actually spoke to a couple of sites and exposed the fact that most of these folks have no idea who is advertising on their site. If you have time, it's a good read.

VeriSign Offers Managed Skybox (http://www.verisign.com/press_releases/pr/page_037248.html)
So what? - VeriSign introduces a new Security Risk Profiling Service, based on technology from Skybox Security. This offering produces a report detailing known issues with a customer's environment. Skybox's technology is well regarded, so this is a good move for them and also VeriSign to differentiate in increasingly undifferentiated MSS circles. Will customers pay above and beyond for "risk profiling," instead of risk fixing? That's always been the problem with vulnerability scanning. It tells you what is broken, but then you are left with even more stuff on your to-do list. I'm going to do a drive-by on Skybox later today to be posted this afternoon.

Top Blog Postings

Securing a Solution to Data Theft
Patricia Keefe on the InformationWeek blog follows up on their "Cost of Data Loss" story with some ideas and suggestions to deal with the situation. The fact is it is a messy, non-trivial issue that will take years to solve. The reality is the sooner I can get truly sensitive private information back in my control, using user-centric identity technology, the better. But that is going to take some time before my key online vendors will accept an assertion in the form of an InfoCard or some other Identity token. So in the meantime, you need to stay on top of your own assets and watch them diligently. The sooner you can pinpoint an issue, the sooner it gets dealt with.

Link: http://www.informationweek.com/blog/main/archives/2006/03/securing_a_solu_1.html

StillSecure Endpoint Security Index
Alan Shimel of StillSecure mentions his company's "endpoint security index," which is a pretty cool set of tests they run monthly to figure out how "bad" it is out there for devices surfing the net. Statistics driven by vendors are more of a PR tool than anything else, but at times can be useful to provide some perspective. You can check out the index at http://stillsecure.com/endpointindex/index.php.

Link: http://ashimmy.typepad.com/ashimmy/2006/03/honeypot_stills.html

The Daily Incite - March 21, 2006

Submitted by Mike Rothman on Tue, 2006-03-21 08:23.
Today's Daily Incite
Good Morning:
Today's Incite is pretty long, but there is a lot going on. A few vendor announcements (but as always, are related back to a bigger theme) and also some vulnerability and attack news. It also looks like Microsoft is ramping up its global legal team to go after phishers. Good luck to them on that.

I'd also like to wish my wife Jodi a Happy Birthday. As captain of the household, she keeps things running and lets me sit in my office and bang away at the keyboard. She was also a major influence when I decided to start Security Incite. Her support and confidence in my abilities is unwavering. I couldn't have asked for a better partner.

Have a great day.

Top Security News

It's Raining IT Security Surveys (http://snipurl.com/nwt7)
So what? - NetworkWorld provides some insight into IT security surveys in this article. This quote says it all: "Leading security vendors, looking to scare up interest in their products, pumped out more than twice as many of these surveys last year as in 2004, and this year are on an even more aggressive pace." They do the surveys because they are counting on peer pressure to be a catalyst for activity. In many cases, the survey tool is suspect and can present biased results - but I guess that's the point. This topic gets me kind of fired up, so I'm going to do a longer blog posting later today.

Cyber-Ark Delivers User Management Support (http://www.cyber-ark.com/networkvaultnews/pr_20060320.asp)
So what? - Cyber-Ark is bringing their vaulting technology to bear on the problem of managing administrator passwords. This is a big problem because the administrator password usually provides the keys to the kingdom, so they need to be handled wisely. The idea of monitoring admin password use is also important because not only do you want to protect the keys, you want to know how and where they are used.

New Zero Day Bug Crashes IE (http://www.informationweek.com/news/showArticle.jhtml?articleID=183700672)
So what? - This time one malformed HTML tag can bring down IE. That's comforting. It's not clear that the exploit can result in a hijacked session, but nonetheless IE remains problematic. But in this case, there is actually an easy fix. Use Firefox. That's what I do.

Get Ready for More DoS Attacks (http://snipurl.com/nwu6)
So what? - The folks over at VeriSign were hitting the circuit this week talking about a new wave of denial of service attacks on the horizon. These are kicked off by compromising name servers out there and using them to amplify the attacks. The most interesting nugget here is that these are FOCUSED attacks. They are not trying to take down the entire Internet, but rather a few targeted sites. Just more evidence that hacking is a business now. Hobbyists need to get back to their train tables.

Fallout from Poor Government Security? (http://snipurl.com/nwub)
So what? - In this SearchSecurity article, the author posits whether the US Federal government's continually failing IT security grades will prevent the private sector from sharing information. I don't buy it. I have a hard time believing that a commercial company is going to say no when DHS or the FBI come asking for help. I'm not sure how often this happens, but there tends to be a great halo effect for helping out the Feds and I don't see vendors walking away from that.

Now Microsoft Taking on Phishing (http://biz.yahoo.com/bizj/060320/1261715.html?.v=1)
So what? - Since Microsoft's legal attack on the spammers a few years ago was such a rousing success, they are now targeting phishers. Give me a break. Phishing is against the law, it's clearly fraud. Sure spamming violates CAN-SPAM, but that was a concocted law that is very hard to prove. Many of these folks are off-shore, so it will be interesting to watch how this goes. I do think litigation does have a role in stopping bad stuff, and I'm glad Microsoft is paying for it and not me. BUT ultimately I think this is as much for PR effect as to try to impact change.

Pushing for Secure Code (http://snipurl.com/nwuj)
So what? - NetworkWorld does an article about secure coding. I'm a big fan of these tools, but think it will take a long time to change the behavior of the developers out there. Getting rid of vulnerabilities early in the process is critical and will save money, but it's a pain in the ass. It usually takes some time for folks to see the light and actually do something. This will be no exception.

Setting the Foundation for Identity Management (http://www.networkworld.com/supp/2006/ndc1/032006-ndc-identity-management.html?page=1)
So what? - NetworkWorld is running a series on the "New Data Center" and this article highlights the role of Identity Management. It provides some customer profiles of IdM implementations and what impact the technology is having. IdM is a pillar of the Pragmatic Security Architecture, so I'm glad to see these kinds of articles highlight its importance.

Top Blog Postings

Microsoft Solving the Spyware Problem?
Richard Stiennon has rejoined the ranks of the security analysts. This is the guy that pronounced IDS to be dead with great fanfare a couple of years ago. In this posting on his Threat Chaos ZDNet blog, he's at his sarcastic best. He's right in saying that we cannot prematurely anoint Microsoft the spyware savior. In my view, that's because there is no answer. It's just like AV and soon will be a feature of AV. There will always be bad guys out there and spyware is another attack vector. It's a battle we'll all need to fight indefinitely.

Link: http://blogs.zdnet.com/threatchaos/?p=294

More on Security Surveys
Ellen Messmer on her NetworkWorld blog adds a companion piece to the IT security survey article (mentioned above) with some more data. This one references the same PGP/Ponemon study that I ranted about yesterday. The reality is that surveys are a marketing tool like anything else. If the data helps support your decision, that is great. If not, disregard it because if you look (and you don't need to look that hard) there will be holes in the methodology and the survey tool. These are vendors doing this study, not a university professor looking to publish bulletproof results.

Link: http://www.networkworld.com/weblogs/security/011538.html

Sophos Cracks the RansomWare Password
Mark Gibbs, on his NetworkWorld blog, mentions that Sophos has solved the ransom attack of last week. These jokers would make a password encrypted zip file of your key files and then demand $300 to get the password. Kudos to the folks over at Sophos who cracked this. The password actually looked like a file name, so anyone looking at the source would just pass right over it. Ingenious.

Link: http://www.networkworld.com/community/?q=node/5120

It's Tax Season for Phishers
Douglas Schweitzer on his ComputerWorld blog refers to a CW article that this is high time for IRS phishing scams. Folks are pretty sensitive to all issues tax, so this is a pretty effective ruse to separate folks from their personal information. I've personally seen a bunch of these show up in my spam quarantine, so it's happening.

Link: http://www.computerworld.com/blogs/node/2048

Ed Moyle Doesn't Trust E&Y
I think I've lost the title of the most pissed off security pundit. Ed Moyle rants on E&Y in this blog posting about them being hypocritical and wondering why we take their advice. It's actually a great question because it gets to the heart of trust. Why do you trust an organization and most importantly what do they need to do to maintain that trust?

Link: http://www.securitycurve.com/blog/archives/000362.html

Open Source Log Analysis
Randy Bias points us towards a new Ruby-based open source tool to do log analysis and find vulnerabilities called Oedipus. This is the first of what I expect will be many new open source initiatives aimed at simplifying and democratizing big fat and expensive security software. If something like this, over time, can provide 80% of the functionality of SIM - then that is one more nail in the coffin of that sector.

Link: http://www.randybias.com/archives/000246.html

No Such Thing As Privacy
CJ Kelly on the ComputerWorld blog posts some pretty disturbing thoughts about how much information Google is learning about all of us and how that may be used against us. It did get me thinking a bit, but as Scott McNealy once said, "there is no privacy, get over it." The fear of losing my privacy is not as great as trying to figure out how I'd do my job without tools like Google.

Link: http://www.computerworld.com/blogs/node/2046

The Daily Incite - March 20, 2006

Submitted by Mike Rothman on Mon, 2006-03-20 08:33.
Today's Daily Incite
March 20, 2006
Good Morning:
Today's Incite has a focus on the channel, which is becoming very important in the security world. Also a pretty active weekend in the blogosphere, so lots of interesting posts there. Hopefully you all enjoyed the weekend (the weather was great down in Atlanta), and are ready to jump back in this week.

Have a great day.

Top Security News

Screwed Up Updates - The Sequel - Microsoft OneCare This Time (http://www.informationweek.com/story/showArticle.jhtml?articleID=183700356&cid=RSSfeed_IWK_winsecurity)
So what? - Microsoft is the latest vendor to bungle a product update (after McAfee and Apple last week). Again, this stuff is going to happen, so don't be surprised. At least Microsoft can say "it's still beta." What is McAfee's excuse?

ScanSafe Announces Integrated Managed Service for IM and Web Security (http://www.scansafe.net/scansafe/news/story?id=129591)
So what? - Clearly IM security is a feature. At this point, all of the email security service providers have announced an integrated IM security offering and now ScanSafe is coming at it from the web traffic security world. Many of the email security appliance makers have also brought IM solutions to market. Now IM traffic looks a lot more like web traffic than email, so architecturally you favor folks that have expertise dealing with web traffic. But ultimately all of these functions need to be enforced under the same policy on a common gateway platform or service provider network.

Channel Focus -
VARBusiness and CRN are kind of like the USA Today of the technology world. You can read these books in about 10 minutes and it's more about the money than it is about the technology. That is refreshing, since the technology trade press is so enamored with new cool widgets. If resellers can't make a buck, then you can be assured that CRN will not be covering it. Here are a few recent selections about what the channel folks think is important.

Channel Focus: SMBs Ripe for Secure E-Mail (http://www.channelweb.com/sections/allnews/article.jhtml?articleId=181502843&cid=ChannelWebNews)
So what? - SonicWall, a darling of the channel, recently bought MailFrontier [link to Deal coverage here] to gain exposure to email security. Suffice it to say, SMB has been interested in email security for quite a while, so this is not news. It was also interesting in this story that the two SMB email security gorillas - Barracuda and Postini were not mentioned. But as the enterprise business continues to be very messy, SMB is looking attractive. We'll see a lot more activity in this space.

Channel Focus: VARs Eye Threat-Management Security Appliances (http://www.channelweb.com/sections/allnews/article.jhtml?articleId=181501952&cid=ChannelWebNews)
So what? - I've been saying for a while that we'll see more integration of security functions on the perimeter (No mas box). CRN provides a news clip overview of a number of recent offerings from the likes of Symantec, D-Link, Juniper, IronPort, and Imperva. Of course, many of these boxes are apples and oranges (Imperva protects internal applications, while the new IronPort appliance is focused on managing all the other IronPort appliances out there), but why let the truth get in the way of a good story.

Channel Focus: Security Vendors Expanding Channel (http://www.channelweb.com/sections/allnews/article.jhtml?articleId=181501928&cid=ChannelWebNews)
So what? - This is another CRN fluff piece, but underlies an important trend. Mastering the security channel is becoming a critical success factor for any company wanting to sell security products. SMB users have always relied on their reseller to point them in the right direction, and now larger enterprises are jumping in. Not so much to buy whatever the channel says like automatons, but to streamline their own procurement process. So, yes Symantec and McAfee continue to expand their channels, but more interesting is how many new security vendors are rolling out channel-only models from the get-go. It's a lot.

Top Blog Postings

US Federal Government Security Report Cards are Out
Ellen Messmer of NetworkWorld covers the recent "report card" on how various US Federal agencies are doing relative to security. There is also a link in there to the actual report card. It's very interesting in that, while the overall grade is still D+, there are some agencies that have their act together. I also think that this will not get better anytime soon, as the Feds keep rolling out new requirements (like HSPD-12 for authentication) as a large portion of the government cannot do simple blocking and tackling.

Link: http://www.networkworld.com/weblogs/security/011517.html

Securing USB Ports
Douglas Schweitzer on the ComputerWorld blog points out the difficulty of securing USB ports. One of the anecdotes involves actually gluing USB ports shut. Wow! That's pretty stupid. But it brings up an important point, which is that USB hygiene must be part of any endpoint security capability. That does bring up some sticky issues including whether to allow iPods to be used on work computers.

Link: http://www.computerworld.com/blogs/node/2041

Even Security Pros Don't Use Encryption
Rebecca Herold on her IT-Compliance blog points out that most of the vendors at the CeBit show didn't use encryption. Why would they? The point of putting up an access point at a trade show is for branding. You want someone to try to connect and see your company name. It's not about keeping people out of a public network. She goes on to say encryption is "easier to use and stronger than ever." This strikes me as pretty naive. Encryption is NOT easy to use (except SSL) and it's not clear what problem it solves. Are we talking about encrypting data in motion or data at rest? Or both? I do think that unsophisticated end users will continue to buy encryption because some expert says it will help with compliance. My opinion is that encryption is a tool in the compliance tool bag, and a misused tool at that.

Link: http://realtime-itcompliance.typepad.com/itcompliancecommunity/2006/03/even_informatio.html

Cybercrime a Bigger Threat than Physical Crime
Alan Shimel of StillSecure mentions a few studies on his blog that continue to indicate that end users are worried about the "internal threat." This is exactly right as most folks feel reasonably comfortable with their perimeter and now we all need another windmill to chase. Network Access Control or NAC will be a huge beneficiary of this need, so look for this technology to break out this year and mature rapidly. That will also bring the inevitable consolidation.

Link: http://ashimmy.typepad.com/ashimmy/2006/03/cybercrime_a_bi.html

Server Patching in a Few Easy Steps
Mark Shavlik talks about best practices on patching servers in this post. Obviously his perspective is self-serving, as it should be, but the post brings some good points to light. End users pick a patching vendor because they trust that they get it right. Shavlik talks about their QA and regression process to make sure patches don't break stuff. Sure, you can take a precautionary stance and test everything yourself, but you may be dead by the time you figure out the patch worked. In the early stages of a technology, I'm all for caution. But at this point, patching (and Microsoft's process) is fairly mature. That doesn't mean they won't screw things up, but taking the time and resource hit of testing everything yourself just doesn't make a lot of sense to me.

Link: http://shavlik.typepad.com/mark_shavliks_blog/2006/03/server_patching.html

It's Time to Fix Banking Security From the Ground Up
George Ou on his ZDNet blog makes a very insightful post on the fundamental issues of banking security. By basing everything on a shared secret (your PIN number), you don't build any fail-safes into the system, especially when that PIN is stored whenever anyone uses a Debit card (did I mention I NEVER use debit cards at POS terminals). Is the answer a smart card? Or a one-time password? Or "contextual authentication" that would require more data if coming from a POS terminal rather than the bank's online banking site? I'm not sure any of us know the answer, but the fact that it's broken is pretty clear.

Link: http://blogs.zdnet.com/Ou/?p=173

The Daily Incite - March 17, 2006

Submitted by Mike Rothman on Fri, 2006-03-17 09:26.
Today's Daily Incite
March 17, 2006

Good Morning,
Happy St. Patrick's Day from the least Irish guy I know. Today's daily update is light, since there was little news. So buzz through it and enjoy the rest of your day. Also, maybe take some time to relax a bit today. If you are a basketball fan, this is the nirvana weekend with the NCAA hoops tournament. I can only speak for myself in that I run fast always, and sometimes you need to just take a breath. I'm going to go watch some games and drink some green beer this afternoon with a friend NOT in the security or tech business. I suggest you do the same, if at all possible.
Have a great weekend.

Top Security News

Man Charged with Hacking into GM Database (http://news.yahoo.com/s/ap/20060315/ap_on_hi_te/gm_security_breach_3)
So what? - If this guy was dead, he'd definitely be a candidate for the Darwin awards. The perpetrator was a contract security guard who got into GM's databases to get their social security numbers to find out what kind of company vehicles they had. Then he sent them emails from a Yahoo account asking them what they thought of the cars. If he wanted some references, he probably just could have gone into the cafeteria. Clearly not the sharpest tool in the shed, but the real questions remain. How could a contract security guard get personal information about GM employees? It's also a reminder that the human element is the weakest link in any security architecture. Never forget that.

Macs Just As Vulnerable to Wolverine Attack (no link)
So what? - Part of my goal with The Daily Incite is to save you time. So this story is a joke about the fact that both Macs and PCs are just as vulnerable to being physically attacked by a Wolverine. The text is funny, but you have better things to do with your time.

Oracle Siebel Applications Get Common Criteria (http://biz.yahoo.com/prnews/060316/sfth014.html?.v=40)
So what? - Oracle of late has been the whipping post of the blogosphere over their clear disdain for vulnerability research and most other things security. Yet, they continue to toot their horn about things like Common Criteria certification. For the most part, this certification is a joke. It's mostly done based on paperwork and at best, it takes 18 months to get through the process - so Siebel customers should feel great that the software they used 2 revs ago is CC certified. I get that it's a part of the government procurement process, so a lot of vendors need to shuffle the papers. But, DO NOT be deceived into thinking that this is any kind of indication that the software is any more secure than anything else.

Is RFID Vulnerable? (http://www.informationweek.com/story/showArticle.jhtml?articleID=183700423&cid=RSSfeed_IWK_winsecurity)
So what? - It seems that a PhD student in Europe believes viruses can be spread by RFID. The security cognoscenti jumped all over her pretty much immediately. To me it's a non-issue. An RFID tag is part of an application like anything else. You need to make sure that compromised devices and/or data does not make its way into your infrastructure. You do that via a layered security architecture and for applications where the data sources are suspect, by making sure you have precautions built directly into the applications. It's fairly straightforward, but makes a good sound bite, so the media is jumping all over this.

Top Blog Postings

The Banks are in Trouble
CJ Kelly on the ComputerWorld blog says the recent security breach extends beyond just Citibank. I think we already knew that. But it still does indicate that the banks are going to get a black eye about this. But I'm not sure throwing more widgets at the problem is the answer. CJ is correct in saying it may be time for the banks to really re-evaluate how they do security.

Link: http://www.computerworld.com/blogs/node/2030

Block Ad Serving Cookies in IE and Firefox
Dave Piscitello of Core Competence writes for Watchguard about a couple of Firefox extensions that can help block ad cookies. I'm going to try these later today. He also makes a point to thank the open source folks, which I agree with. securityincite.com is driven by an open source CMS called Drupal. It is truly amazing the type of support you get in the forums and the fact that for the most part, the software just works. So, thank you open source folks.

Link: http://www.watchguard.com/RSS/showarticle.aspx?pack=RSS.FiFoxCookies

Has Linux Patching Surpassed Mac and Windows
George Ou on his ZDNet blog posits that due to the architecture and multi-vendor and multi-module nature of Linux itself, it is more adept at patching 3rd party software. Mac and Windows focus on (and do a decent job at) patching their own stuff. That is when the patch works, right Apple? This is a very interesting position and I think he's right. Even the commercial patching products are focused on the management and completion of patches from Microsoft, as opposed to potentially other damaged software. Seems like an opportunity for the Shavliks and BigFixes of the world to extend their patching prowess to other products and maybe even sell an update engine to other vendors that have less sophisticated means.

Link: http://blogs.zdnet.com/Ou/?p=172

Recently on the Security Incite Rants Blog

Drive-By: RedCannon - Your Life on a USB Drive? - Not Yet - This is the first of a new content type I'm calling the "drive-by." Basically I see an interesting article or press release and check out the company behind it based only on their marketing literature and web site. I DO NOT TALK TO THE COMPANY (YET). Then I go through my thinking on whether the announcement makes sense. That's why I call it the drive-by. They won't know it's coming. In this first installment, I go through my thoughts on a USB access device by RedCannon Security and tell you that based upon what I can see, this is a technology looking for a problem.

How Secure Are Wireless Networks? - A recent study by Panda Labs showed that 60% of wireless networks are unprotected. Do you care? Should you care? If you care, what should you do about it? This post is a bit of a rant about consumer vs. business wireless security considerations and some other random WiFi topics (like how I secure my home network).



The Daily Incite - March 16, 2006

Submitted by Mike Rothman on Thu, 2006-03-16 08:01.

Today's Daily Incite
March 16, 2006
Good Morning:
I'm incrementally improving the layout of TDI. Let me know what you think. In terms of activities in security-land, we continue to see innovative techniques to hack your systems. Whether it's the Cryzip Trojan or VM Rootkits, there are new attack vectors that we need to make sure our security architectures factor in. The goal of the architecture is to ensure you don't have to respond to every new attack, but there will always be some types of reaction required. That's just the nature of the beast. 

Have a great day.

Top Security News

Cryzip Trojan Steals Files (http://www.eweek.com/article2/0,1895,1937408,00.asp?kc=ewnws031406dtx1k0000599)
So what? - The innovation of the bad guys still amazes me at times. This article goes through a very targeted, innovative attack where a Trojan encrypts critical files into a password protected Zip file. The only way to get the password is to pay a $300 ransom. Some folks have cracked the crypto already, but the point is still the same. This is a BUSINESS and entrepreneurs (yes it hurts to call hackers that, but it is what it is) will continue to find innovative ways to separate people from their money.

VM Rootkits - The Next Big Threat? (http://www.eweek.com/article2/0,1895,1936666,00.asp)
So what? - The big news this week (well besides McAfee deleting half of a user's hard drive) has been the ability to install a rootkit on a virtual machine. With virtual machines proliferating through data centers at exponential growth rates, this would create quite a problem if undetectable rootkits could be used to compromise the various virtual machines. We need to be thinking about how to apply (and enforce) policies to make sure each of those virtual machines is not doing bad stuff. So, you'll need to look at traffic patterns for those VMs and see when something is amiss.

Reflex Security Blazes New Trail with Security for Virtual Computing Environments
So what? - This falls into the category of pretty timely. So they are either very very lucky or pretty prescient in terms of getting out ahead of an emerging issue. I've only read the press release, but it seems to address some of the issues inherent to virtualization from the inside (as opposed to what I suggest above, addressing the issue from the outside). But the marketing literature always does that. I'll take an action item to get with the Reflex folks and learn more, then get back to you all with what I've found.

SiteAdvisor Issues Spyware Challenge (http://www.siteadvisor.com/press/releases/03_15_06.html)
So what? - These tests always seem corny, but they are a great way to show folks what they don't know. Now this specific test is a bit concocted. I happened to get 7 out of 8 right (I know, my Mom is very proud), but some of the questions didn't provide enough information to answer the question. I absolutely guessed on two of the questions, and got one right and one wrong. But, it definitely points out that spyware and adware sites are VERY hard to detect and that means education will not totally solve the problem. But, as I've said about a hundred times already, spyware detection is part of the desktop security suite (including AV and endpoint security), so everyone will have it.

Vericept Announces Version 7.5 (http://www.vericept.com/news/press_info.asp?pid=57)
So what? - Normally I don't think incremental product releases are interesting, and this is no exception. Vericept adds some stuff. Ho hum. But, this does give me an excuse to revisit the Pragmatic Security architecture that I'm fleshing out. Clearly the content filtering and management segment provides "information security" as I've defined it, and for the time being (in the early market stage) a stand-alone entity is OK. But, over time I need to be able to detect and stop some type of issue. A report saying something bad happened is not good enough. A great level of application integration (probably using SOA as a mechanism to get leverage, while working with the 2 or 3 remaining enterprise application players) is also needed. So we are going to see some rapid evolution and the inevitable consolidation in this space over the next 12-18 months as we focus on INFORMATION security, and not just pumping out a report to keep an examiner happy.


Top Blog Postings

Gibbs on VM Rootkits
Here is Marc Gibbs' take on the VM rootkit issue. He's thinking about processor-based remedies for this type of attack, but by the time that happens, we'll all be dead.

Link: http://www.networkworld.com/community/?q=node/5067

The 5 Rules of The Regulatory Process
I stumbled upon this post by Dana Epp regarding regulatory issues. The content is presented in a reasonably simple taxonomy of a few rules that should govern what you are doing. The points are simple and that's why I like it. We all spend way too much time making life complicated and hard, and if we could just get beyond our own ego (if it's easy then what's my value?) we'd be able to get a lot more done.

Link: http://silverstr.ufies.org/blog/archives/000926.html

Anti-Virus Recommendation - Exhaustive Testing vs. Pragmatism
I was confused by this post on the Ferris blog. The point seems to be that the large AV vendors are not putting enough effort behind the validity of the big labs (ICSA labs, etc.) that validate all of these AV programs. But users increasingly rely on word of mouth to determine what works. I don't see anything wrong with that, and if anything, that's the way things are supposed to work. Sure, ICSA can figure out whether an AV product can catch every single virus known to man. But a friend can tell you if the user experience and manageability of the product works for him/her. Which is more important in a very mature market like AV, where 95% of the products are going to do exactly the same thing at the same level of effectiveness? You guessed it. Once I'm convinced the product will work, I buy off the recommendation of someone I trust every single day of the week.

Link: http://blog.ferris.com/2006/03/antivirus_recom.html

Quarantine - Not Delete on AV Settings
Douglas Schweitzer points to an article that reminds us of a good policy, which is to quarantine files flagged by AV software as opposed to outright deleting them. That would give us some remedy when the AV vendor boots something (like our friends from McAfee did this week). Not using AV is not an option. Not having it automatically update is not an option either. So this gives a bit of a fall-back position.

Link: http://www.computerworld.com/blogs/node/2021

Shout-outs for Security Incite
Ellen Messmer of NetworkWorld and Mark Shavlik mention Security Incite on their blogs. I certainly appreciate the mentions.

Link: http://www.networkworld.com/weblogs/security/011472.html

Recently on the Security Incite Blog

Can You Have a Review if No One Shows Up? - I got a kick out of the difficulty that SC Magazine had in getting vendors to participate in an email security services review. They shouldn't have been surprised and I explain why in this post.

Vendor Vigorish: Access, Not Bribes - A posting by analyst relations firm ARmadgeddon got me going about vendors' motivations on why they do analyst relations. Their position is that vendors pay for better access, not to try to win favor. There is some truth to that, but to not paint the other side of the picture tells only half the story.

Read Yesterday's Daily Incite

The Daily Incite - March 15, 2006

Submitted by Mike Rothman on Wed, 2006-03-15 08:41.

March 15, 2006

Good Morning:
Kind of a slow news day in security-land, with the bigger issue being how McAfee and Apple screwed up some updates/patches over the past week. But lots of interesting stuff in blog-land, so I've put in a bunch of links for those interested. I've got 2-3 posts ready to go for Rants as well, so I'll be posting throughout the day. Have a great day.

Top Security News

Security Screw-Up 1 - McAfee (http://www.eweek.com/article2/0,1895,1937154,00.asp)

So what? - McAfee sends out a DAT update that wreaks havoc on enterprises by deleting lots of good files. This situation was inevitable due to the velocity of threats. Response time is measured in minutes (not hours) and when you need to respond that quickly, shortcuts are going to be taken. This time it was McAfee, next time it will be someone else. But this will happen again. Users are advised to grin and bear it. I know that's a crappy answer, but you can't test every AV update - and you can't wait until someone else does. You can get pissed and think about switching vendors, but the reality is switching costs will be high and there is no guarantee whoever you pick won't screw up next month. If anything, if your renewal is coming up in the next 3 months, use this as leverage to drive the price down a bit.


Security Screw-Up 2 - Apple (http://www.informationweek.com/story/showArticle.jhtml?articleID=181503692)
So what? - Apple missed some stuff with last week's patch, so they fixed it. This is also inevitable, as Apple has a lot of learning to do about the security patching process. I have my iBook set to check daily for updates, so the new patch was downloaded and I restarted and it's all good. This is a low impact issue. Told you - slow news day. 

Top Blog Postings

Protect your teens
Johanna Ambrosino of InformationWeek has a great piece on protecting teenagers online reflecting her personal experience. This is a huge issue for many, so if you have teenagers - read this posting. My oldest is not even 6 yet, so she's still quite happy tooling around the Disney and PBSkids sites, but it's just a matter of time before any of us with kids will need to deal with this problem. Being security professionals, we have a leg up (since we know what's available out there), but ultimately we need to equip our kids to make the right decisions, as opposed to expecting software to be a silver bullet. Also go visit K9, which is a service of Blue Coat to educate consumers about the bad stuff happening on the net.

Link: http://www.informationweek.com/blog/main/archives/2006/03/keeping_kids_sa.html

Shortcuts are a fact of life
Jim Rapoza of eWeek vents about companies taking shortcuts on protecting private information. This was driven by a court decision releasing the financial provider from liability because they didn't have proper protections on student loan data. DUH! Some folks take shortcuts and it pays, for others...not so much. And we can't count on the courts to defend us. I was actually talking to someone this week that commented about healthcare companies taking shortcuts because the penalties for violating HIPAA are a rounding error. That's pretty scary, but it's true. I don't spend a lot of time agonizing over human nature, which is that people are going to take the easy way pretty much every time. So, it's reasonable to ask your bank and healthcare providers how they protect your data. And then you can decide whether that is someone you want to do business with.

Link: http://www.eweek.com/article2/0,1895,1935518,00.asp

Hack Thyself?
Interesting article by Matt Sarrel in PC Magazine (which is targeted at SMB types) called "Hack Thyself" about vulnerability management. They don't really call it that, but the article is about using a scanner to see if/how you are vulnerable. Again, as security folks, this is obvious. BUT there are lots of unsophisticated users out there that need help like this. If you are a vendor, take heed. It needs to be simple (and preferably transparent) to be mass market applicable.

Link: http://www.pcmag.com/article2/0,1895,1932661,00.asp

Military Mindset?
My old friend Jay Heiser (now of Gartner) writes in his monthly Information Security Magazine column about security professionals needing to move away from the military mindset. I am mostly in agreement with this, in that we must act pragmatically and not do security just for security's sake. BUT, this is war and the bad guys want to do a lot of damage, so having a structured containment and response process and mechanism that is practiced and runs with military precision is absolutely critical to keep your information safe. The point of evolution is to leave the useless stuff behind, but improve on what works. Sure, there is some part of the military mindset that is not helpful, but a lot is - so I say not to throw the baby out with the bathwater, but to make sure that you are constantly looking for ways to do more of the right stuff and less of the wrong stuff.

Link: http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1171862,00.html?track=NL-102&ad=545608

Face-off on Anomaly Detection
I really enjoy the face-offs that Network World publishes. This one is about anomaly detection, and both participants make good points and are misguided on others. The reality is that behavioral-based techniques are another tool in our tool bag. It should be treated as such. It's not a panacea, nor is it a waste. In fact, anomaly detection techniques are being added to most of the perimeter defense offerings out there because it makes a good complement to traditional IPS signature and heuristic methods. That doesn't mean it's a stand-alone opportunity for a vendor, but users need to figure out how to integrate all applicable techniques into their defense schemes. The answer continues to be "all of the above" regardless of what the vendors say.

Link: http://www.networkworld.com/community/?q=anomaly&nettx=031406netflash&code=nlnetflash26594

Ed Moyle on the futility of Hacking Challenges
Amen to this! Like any test, review or challenge - inherently the answer will be biased because of how the test is set up. Users need to look at these results in context. The Swedish Mac OS X hacking challenge seemed to be a farce. The one done at U of Wisconsin may have been too. The fact is, just as stupid as it was for Oracle to claim they were "unbreakable" a couple of years ago, it's stupid to think that any OS will be free of malware and threats. They can all be broken if given enough time. Nothing is foolproof. So make sure you have layered defenses in place, so you are not putting all your eggs in one basket.

Link: http://www.securitycurve.com/blog/archives/000358.html

The Daily Incite - March 14, 2006

Submitted by Mike Rothman on Tue, 2006-03-14 08:58.
March 14, 2006

Welcome to today's Daily Incite. Given this is the maiden voyage and a bunch of stuff piled up over the weekend, it's a bit longer than normal. But you should still be able to scan it in 5 minutes and stay on top of the security world. I also appreciate your patience as I work out the design concepts for the newsletter. I'm not there yet, but you'll see some rapid improvements this week as I nail down the process.

Have a great day,

Top Security News

Identity Federation Potpourri - Ping Identity Raises $3 million and RSA announces Federation Manager 3.0.

So what? - Federation is increasing in importance as more and more companies deploy identity management. The logical first step is to clean your own house, basically implementing identity internally and then you start focusing on your trading community. That's where Federation comes in. All of the big stack players (Oracle, CA, BMC, HP, IBM) have federation products, and RSA and Ping are the most visible niche federation providers.

Links: Ping Identity Press Release - http://biz.yahoo.com/prnews/060313/sfm051.html?.v=42
RSA Press Release - http://www.rsasecurity.com/press_release.asp?doc_id=6617

Patch Tuesday - Two More on The Way - Microsoft will release two patches today (down from 5 last month).

So what? - Details are sparse, but we know that one is a "critical" issue. Ramp up your patching engines, sports fans; you'll probably need to implement this patch sooner rather than later. More details tomorrow, I'm sure.

"The worst hack ever" - Information Week covers the Citibank (and loads of others) having debit card PINs stolen.

So what? - It seems everyone still has a flair for the dramatic. If this is the "worst" hack ever then we'll see it on the cover of Time Magazine. I don't think that's the case. But it does highlight some of the issues of using Debit Cards (like it's your bank account, as opposed to a fraud protected credit card). There seems to be a pretty simple fix to this - don't use debit cards at point of sale terminals. I know, I know. The consumer banking folks will yell at me about the evils of credit. Blah blah blah. Not everyone has a credit card. Blah blah blah. Whatever. I don't use a debit card - EVER! So I'm personally not too concerned about this.

Links: http://www.informationweek.com/story/showArticle.jhtml?articleID=181502474

Counterpane and MessageLabs Release Joint Intelligence Report - Cyber Attacks To Significantly Impact Financial, Healthcare and Utilities Sectors

So what? - This definitely falls into the category of MASTER OF THE OBVIOUS. Yes, hacking will continue to be an issue. But MSS players see lots of data and they can point out some cool trends that most users just don't have the breadth of information (or time) to figure out. So, things will continue to get worse before they get better. No kidding. Get back to work and make sure your security architecture makes sense.

Link: http://biz.yahoo.com/bw/060313/20060313005260.html?.v=1  

Bit9 Releases New Online Search Engine that Draws from the World's Largest Knowledgebase to Identify Computer Files

So what? - This is a big database of all the files out there and some idea of whether you want them on your machine or not. This kind of thing will save you time. When a machine is acting up, you usually see what applications and processes are running to see if something is amiss. Usually I'll find some executable that I'm not familiar with, so I Google it. Then I need to read a few postings to draw my own conclusions about whether it makes sense or not to have it running. This kind of database can eliminate a few of those steps, so I think it's a good thing.

Link: http://biz.yahoo.com/bw/060313/20060313005163.html?.v=1

Top Blog Postings

Shavlik and Ellen Messmer of Network World on Microsoft's anti-spyware stuff - My thoughts on this are covered in the "More Musings on Spyware" blog posting.


Wireless Security is Not that Hard - Paul McNamara of Network World hands over the keyboard to Joel Snyder of Opus One to discuss the lunacy of people being surprised when a neighbor (or worse) jumps onto an unsecured access point. I'll write up my own blog posting on this later today, since I have a few ideas on the topic.


Teaching the Next Generation of Security Pros - Martin McKeay on the ComputerWorld blog writes about a school that has a 10-week class in cyber-security. This is a great thing, and the shape of things to come. We will see a lot more focus on initial training (like initial computer skills), so today's generation at least knows where the key exposures are. I'm hopeful that my kids know about anti-X and simple network security stuff as they are learning early programming and other computer skills.


Real spyware and botnet stuff - Suzi Turner's blog on ZDNet has a great overview of a real spyware attack and some of the countermeasures used to control it. You'll need to jump around a bit (there are lots of links and sites in the post), but it's cool. When these attacks happen, lots of folks need to act quickly, so it's nice to see a bit about what happens in the background that keeps the unsophisticated of us reasonably safe.