Outbreaks

Incite Redux: Day 5 - Night of the Internet Dead

Submitted by Mike Rothman on Mon, 2008-07-07 14:41.

Good Morning:
Ah Friday. On vacation, every day is Friday, isn't it? But when you are at the beach, it always helps to have Plan B. Inevitably it rains and when it rains, you better have a plan to keep the kids occupied. Or it gets messy pretty quickly. Optimally, you get a half and half. Glorious sunshine in the morning with the weather rolling in around 2 PM. 

By then, the kids are beached out and they probably don't need any more sun at that point. Then we can bring them back to the house, feed them and get some naps in. Maybe a late afternoon movie would be on the plan as well. It's also good to have some games to play and art projects ready to go. Better to be prepared than have a bunch of bored kids writing on the walls of the rented house. 

It used to be a lot easier. There was one thing we'd do on a rainy beach day BK (before kids). Right to the bar. It could be 10 AM or 2 PM, no matter. If it was raining, I was drinking. That always helped my sleep habits too, since I'd usually be incoherent right around dinner time, so I'd eat and then pass out. After a few hours of sleep, I'd go for round 2. What we could do when we were young...

But I am not that young anymore. Nor do I live in the past. So right about now, it's probably time to break out Sorry or Chutes and Ladders. I can't wait until we can bust out the Monopoly and Stratego. Of course, by then the kids will want to play online with kids from around the world, I'm sure. Yet, I can still hope for family game day, can't I?

Have a great weekend.

Incite #5: Night of the Internet Dead

With a majority of attacks (like drive-by downloads) no longer requiring user interaction, the number of active zombies continues to multiply exponentially. Organized fraud networks increasingly use targeted, social engineering-based attacks because they work, forcing organizations to put a premium on REACTING FASTER and on training users to stop doing stupid things, as opposed to hoping a new shiny product will solve the problem.

Read the original Days of Incite post on this topic.

6-month grade: A

I'm happy to wind up the first week of Incite Redux on a high note. This Incite (although obvious) has certainly come to pass. We hear about new and more sophisticated bot networks weekly. We are starting to learn just how advanced the crime organizations are that drive much of the cyber fraud around the world. 

I heard (anecdotally, of course) that one of the crime networks has built a database of private information that rivals "legal" information sources like ChoicePoint. Of course, that could be boasting and hyperbole, but to think that a crime database that size is within the realm of possibility is nothing short of shocking.

If you've made it through the first half of the year with no issues, none of your users losing their devices, none of your trading partners firing someone who had access to your stuff, and no public disclosures, then pat yourself on the back. I'm not sure if you are lucky or good, but all the same - the likelihood that you'll have the same answer next year is pretty small.

So plan for the inevitable. There are a lot of very smart guys that I hang around with, who make a living trying to figure out what attack is next. They find a lot of bugs and they do the right thing by responsibly disclosing those "features" to the vendor in question. Most of the time anyway. But for all the smarts these guys have, they missed little things like Melissa and SQL Slammer. They missed many of the new social engineering attacks and crimeware, spyware and other x*ware variants that have been compromising machines and converting devices into zombies at an alarming rate.

And this has nothing to do with the talent and capabilities of the researchers. My entire point is that no one has a crystal ball. None are practicing fortune tellers. One of the most valuable roles that security research plays in the ecosystem is to find new attacks, pull them apart, and figure out how to defend against them. But to be very clear, in most cases, these folks are not working ahead of the curve. They are working against the clock because the bad guys have already weaponized the attacks.

Which is why the REACT FASTER doctrine is so important. No widget is going to protect you against an attack you've never seen. Although truly new attacks are fairly infrequent, they happen enough that we need to plan for the next one. So we monitor our networks and our servers. Also our databases and applications. We look for anomalies and other funky behavior that is not the norm. Then we investigate to see if that strangeness is just random or representative of a real issue.

Then we address the issue. Once that work is done, we live to fight another day. Take pride in the fact that most of the world reacts slowly, if at all. They are the ones that get to disclose breaches to their customers and mop up a real mess, if they can. Or they are constantly working on their resume and hoping their number doesn't come up before they get that new job.
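As an added example (not code from the original post), here is the "monitor, look for what's not the norm, then investigate" loop reduced to something runnable in Python: build a per-host baseline of outbound behavior from prior days, then flag hosts whose fan-out to distinct destinations jumps well past that baseline, or that start talking on a port they have never used. The flow-record format, the host names and addresses, the standard-deviation floor and the 3-sigma threshold are all assumptions constructed for illustration; the records are made up, not captured traffic.

```python
"""Baseline-versus-today anomaly check over constructed outbound flow records.

Added example, not code from the original post. The record format
("day host dst_ip dst_port"), thresholds and all hosts/addresses are
assumptions constructed for illustration.
"""
import statistics
from collections import defaultdict

STDEV_FLOOR = 1.0     # assumption: avoid infinite z-scores for hosts with zero variance
Z_THRESHOLD = 3.0     # assumption: flag anything 3 sigma above its own baseline

# Constructed baseline: three prior days of ordinary outbound activity.
BASELINE_FLOWS = """
d1 ws-17 10.0.0.5 443
d1 ws-17 10.0.0.6 80
d1 ws-17 10.0.0.7 443
d2 ws-17 10.0.0.5 443
d2 ws-17 10.0.0.8 80
d3 ws-17 10.0.0.5 443
d3 ws-17 10.0.0.6 80
d3 ws-17 10.0.0.9 443
d1 ws-42 10.0.0.5 443
d2 ws-42 10.0.0.5 443
d2 ws-42 10.0.0.6 80
d3 ws-42 10.0.0.5 443
"""

# Constructed "today": ws-17 behaves as usual; ws-42 suddenly fans out to
# many addresses it has never contacted, on a port it has never used.
TODAY_FLOWS = """
d4 ws-17 10.0.0.5 443
d4 ws-17 10.0.0.6 80
d4 ws-17 10.0.0.7 443
d4 ws-42 10.0.0.5 443
""" + "".join(f"d4 ws-42 203.0.113.{n} 6667\n" for n in range(9, 19))


def parse_flows(text):
    """Turn the whitespace-separated records into (day, host, dst, port) tuples."""
    records = []
    for line in text.strip().splitlines():
        day, host, dst, port = line.split()
        records.append((day, host, dst, int(port)))
    return records


def distinct_destinations(records):
    """host -> day -> set of distinct destination addresses seen that day."""
    table = defaultdict(lambda: defaultdict(set))
    for day, host, dst, _port in records:
        table[host][day].add(dst)
    return table


def ports_used(records):
    """host -> set of destination ports ever seen for that host."""
    ports = defaultdict(set)
    for _day, host, _dst, port in records:
        ports[host].add(port)
    return ports


def build_baseline(records):
    """Per host: mean and (floored) stdev of daily distinct-destination counts, plus known ports."""
    table = distinct_destinations(records)
    ports = ports_used(records)
    baseline = {}
    for host, days in table.items():
        counts = [len(dests) for dests in days.values()]
        stdev = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        baseline[host] = {
            "mean": statistics.fmean(counts),
            "stdev": max(stdev, STDEV_FLOOR),
            "ports": ports[host],
        }
    return baseline


def find_anomalies(baseline, today_records, z_threshold=Z_THRESHOLD):
    """Return findings worth a human look: fan-out spikes, never-seen ports, unknown hosts."""
    findings = []
    today = distinct_destinations(today_records)
    today_ports = ports_used(today_records)
    for host, days in today.items():
        observed = max(len(dests) for dests in days.values())
        if host not in baseline:
            # No history at all: cannot score it, but a new talker is itself worth a look.
            findings.append({"host": host, "reason": "no baseline", "detail": observed})
            continue
        b = baseline[host]
        z = (observed - b["mean"]) / b["stdev"]
        if z >= z_threshold:
            findings.append({"host": host, "reason": "destination fan-out", "detail": round(z, 2)})
        new_ports = today_ports[host] - b["ports"]
        if new_ports:
            findings.append({"host": host, "reason": "new ports", "detail": sorted(new_ports)})
    return findings


def triage():
    """Run the whole loop over the constructed data and return the findings list."""
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    return find_anomalies(baseline, parse_flows(TODAY_FLOWS))


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

The point of the floor on the standard deviation is that a host which does exactly the same thing every day has zero variance, so any change at all would score as infinitely anomalous; the floor keeps the first genuinely different day from drowning the queue. The findings are deliberately a short list of "this host, this reason, this number" rather than a verdict: the next step in the post's loop is a person investigating whether ws-42 is compromised or just got a new job, and the tooling should hand that person a lead, not a conclusion.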

It's true you can run, but you can't hide. All you can do is REACT FASTER. And that deserves an A.


Photo credit: "fortune teller" originally uploaded by yunheisapunk

Surprise! Vendors Trying to Capitalize on Mac Vulnerabilities

Submitted by Mike Rothman on Mon, 2006-02-27 17:24.

Stop the presses! Analyst Rob Enderle has caught security vendors being...security vendors. Here is InformationWeek's coverage of the news that security vendors are trying to capitalize on these new Mac OS vulnerabilities.

His big issue is that because the security vendors have publicized the vulnerabilities, the hacker community got to work on exploit code. That is crap and a very flawed argument. First of all, it's not like these vulnerabilities are a secret. Every security vendor shares information and there is a big open source community focused on vulnerabilities as well. So it's not like you can really keep this stuff a secret. And the fact that Apple had a fix very soon after the announcement indicates that these issues were not surprises to them.

Secondly, the architecture of the Mac OS means that even if you are infected, it will be hard to get exponential proliferation of the worm. But to think that security vendors wouldn't try to use this as a marketing hook is naive. How many press releases do we see after every Microsoft Patch Tuesday? You know the headlines: "Vendor A's groundbreaking ferpolator stops nasty Microsoft problem before it's an issue." We see at least 15 of these for every high profile issue announced.

Did security vendors take some kind of oath that they wouldn't market their wares opportunistically? Give me a break! The AV vendors are trying to make their numbers like everybody else, why vilify them because they are doing their job?

Now the onus is on end users to figure out whether there is anything to the hype or not. Personally, I think it's a non-issue. That being said, I am in the process of buying an AV product for my Mac. I've just been lazy and it's this kind of thing that is a buying catalyst for someone like me, and probably lots of other people. I'd rather be safe (and $40 poorer) than nailed if something really does happen.

So I will buy the insurance. But don't shoot the friggin' insurance salesman because he brings up the issue that someday you might die.


What a Relief! MacIntel Not More Vulnerable

Submitted by Mike Rothman on Tue, 2006-01-31 13:23.

It seems I'll sleep better tonight, given that eWeek's Larry Seltzer has clarified that MacIntel devices will be no more vulnerable than PowerPC Macs. There has been a bit of huff over the last few days (mostly perpetuated by the media) about how Apple moving to the Intel processor family will make it easier to find vulnerabilities. It's good to hear a reasoned explanation about why that is crap.

I won't sleep easier just because I have become a Mac convert. I'll sleep easier because finally someone in the media is calling out the various chicken littles out there that have nothing better to do than speculate about what will or won't happen. There are a lot of bad things that can happen. We need to spend time more productively making sure we minimize the risk of those things happening and that we can contain the damage if something does happen.

Just to level set, think about a few facts:

  1. Every OS has vulnerabilities
  2. Vulnerabilities are not an issue until exploit code is available
  3. Exploit code rarely (like less than 10%) appears for a specific vulnerability
  4. Even if a patch is available, some percentage (upwards of 50%) of people don't patch
  5. Unpatched morons get nailed if exploit code appears
  6. The rest of the world doesn't care about the exploit code

These facts continue to be proven over and over again, and still people don't learn. And this would apply to both Windows and Mac equally if not for "The Path of Maximum Impact." This dictum states that hackers and fraudsters go for the most prevalent OS (Windows) because they have the highest likelihood of finding the most people that are unpatched to wreak the most havoc. To be clear, they want to create havoc, regardless of whether the objective is to bring down networks or perpetuate fraud. Hackers don't waste their time trying to attack the Mac because it's just not worth it to them. Apple makes it a bit harder, yes. But the reality is there aren't enough users to make it pay.

So why do users care? Because ultimately it gets back to the same thing. Keep your systems patched, whether they are Macs or Windows devices. Most importantly, train your users to not do stupid things. Stupidity does not play favorites and is just as likely to happen on a Mac platform as Windows. Create smart users and it doesn't matter which OS you use.