Friday, June 16, 2006

On 0days - in Excel this time

Ah, just another client/workstation software 0day ... who cares (*) :-)

"Here's what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker."

(*) If you are 0wned by this, then you should :-)

Thursday, June 15, 2006

A Fun Observation on Reporting in Consumer and Enterprise Products...

"Reporting trumps analysis. There is too much emphasis on delivering raw numbers; not enough emphasis on presenting information in ways that allow users to understand what is going on. Put another way: success is defined as delivering accurate data filtered as the user has defined it. What if success was about delivering new insights about what’s going on in the enterprise?"

OMG, I love the quote! That is exactly what I think log management should focus on!

Just what is a log (and what is not?)

Logblog: A Log By Any Other Name: "A log file is a file that lists all actions that have occurred on a device, within an application, or on a server."

Seeing this post on our blog reminded me of a debate I had with one of my friends: is an SNMP trap a log?

Why 'yes'
* it comes over UDP, just like syslog
* it helps to know what happened on a system

Why 'no'
* people don't think so :-)
* traps are supposed to be acted on, not analyzed

Overall, more often than not I think that SNMP traps should be considered logs for most practical purposes (and, most certainly, for security purposes).
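The practical side of the "yes" argument: once both arrive at a collector, a syslog message and an SNMP trap can be parsed into the same record shape and analyzed together. Here is an added example of that normalization (not code from the original post). The syslog line follows the classic BSD/RFC 3164 layout; the trap text is a constructed, simplified rendering of what a trap receiver might write out, and the trap-OID-to-severity table is an assumed mapping (real deployments maintain one per MIB).

```python
"""Normalize a syslog message and an SNMP trap into one log record shape.

Added example, not from the original post. The trap line format and the
TRAP_SEVERITY mapping are assumptions made for this example; the syslog
layout is RFC 3164 and the trap OIDs are the standard SNMPv2 generic traps.
"""
import re
from dataclasses import dataclass, asdict

# RFC 3164 severity names, indexed by severity number (PRI % 8).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class LogRecord:
    source: str      # "syslog" or "snmptrap"
    host: str        # device/host that produced the record
    severity: str    # normalized severity name
    event: str       # what happened, as free text
    fields: dict     # transport-specific details kept for later analysis


SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "   # Mmm dd hh:mm:ss
    r"(?P<host>\S+) "                                     # hostname
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: "            # tag[pid]:
    r"(?P<msg>.*)$"
)


def parse_syslog(line: str) -> LogRecord:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    facility, severity = divmod(int(m["pri"]), 8)
    return LogRecord(
        source="syslog",
        host=m["host"],
        severity=SEVERITIES[severity],
        event=m["msg"],
        fields={"facility": facility, "tag": m["tag"], "pid": m["pid"], "timestamp": m["ts"]},
    )


# Constructed trap text format: "<agent> TRAP <trap-oid> <varbind-oid>=<value> ..."
TRAP_RE = re.compile(r"^(?P<agent>\S+) TRAP (?P<oid>[\d.]+)(?P<varbinds>(?: \S+=\S+)*)$")

# Assumed mapping from generic trap OID to a syslog-style severity.
TRAP_SEVERITY = {
    "1.3.6.1.6.3.1.1.5.3": "warning",  # linkDown
    "1.3.6.1.6.3.1.1.5.4": "info",     # linkUp
    "1.3.6.1.6.3.1.1.5.5": "warning",  # authenticationFailure
}


def parse_trap(line: str) -> LogRecord:
    m = TRAP_RE.match(line)
    if not m:
        raise ValueError(f"not a trap line in the constructed format: {line!r}")
    varbinds = dict(vb.split("=", 1) for vb in m["varbinds"].split())
    return LogRecord(
        source="snmptrap",
        host=m["agent"],
        severity=TRAP_SEVERITY.get(m["oid"], "notice"),  # unknown traps default to notice
        event=f"trap {m['oid']} " + " ".join(f"{k}={v}" for k, v in sorted(varbinds.items())),
        fields={"trap_oid": m["oid"], "varbinds": varbinds},
    )


def normalize(line: str) -> LogRecord:
    """Route a raw line to the right parser; both end up as the same record type."""
    return parse_syslog(line) if line.startswith("<") else parse_trap(line)


# Constructed sample input: one auth.info syslog message and one linkDown trap.
SAMPLE_LINES = [
    "<38>Jun 15 10:02:17 fw01 sshd[2211]: Failed password for root from 10.0.0.5 port 51022 ssh2",
    "switch03 TRAP 1.3.6.1.6.3.1.1.5.3 ifIndex=7 ifDescr=Gi0/7",
]


def count_by_severity(lines):
    """The kind of question a log analyst asks across both sources at once."""
    counts = {}
    for rec in map(normalize, lines):
        counts[rec.severity] = counts.get(rec.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(asdict(normalize(raw)))
    print(count_by_severity(SAMPLE_LINES))
```

Once the trap is a `LogRecord` like any other, the "acted on, not analyzed" distinction disappears: the same severity counts, correlation and retention rules apply to both.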

On "How to jam your neighbor's Wi-Fi legally"

Kinda cool, isn't it?

How to jam your neighbor's Wi-Fi legally (George Ou): "While Airgo's third generation product achieves record breaking throughput, it annihilates any legacy 802.11 b/g product in the vicinity and effectively shuts them down. .. What's crazy is that these products are FCC legal and are being sold on store shelves today."

Challenge 9 from "Hacker's Challenge 3" book

Have some time to burn and learn security in the process? Check out this challenge from a recently released book Hacker's Challenge 3: Challenge 9: The Root of the Problem

My review for the book (where I happen to be one of the contributors, actually) is coming soon...

On Infosecpedia

Here is a resource that might be fun to watch (or fun to contribute to) - Infosecpedia: "Welcome to Infosecpedia, the free information security encyclopedia and handbook."

Just imagine the combo: the reliability of Wikipedia and critical security information :-)

Microsoft vs "the Real World": Battleground Security [humor]

I am sure you've heard this one already, but just for posterity: Even the Builders of Windows Find Tech Support a Challenge: "Once upon a time not that very long ago, Microsoft CEO and chief cheerleader Steve Ballmer was attending a friend's child's wedding. One of the parents complained that his PC had slowed to a crawl and was performing miserably. Would Steve mind having a look?"

What happens next? Read the story!

Old News, but Fun Comments on Recent Acquisitions

Don't you just hate it when folks say this about your product :-)

Deal: Novell Buys e-Security (Security Incite: Analysis on Information Security): "Not that e-Security had a bad product, after 7 years it actually kind of worked."

Social Engineering + USB Flash Drive = Dynamite Penetration!

This penetration method did impress me a lot! Get some USB drives, plant Trojans, enable autorun and scatter them where employees can find them - next day you are an "insider" :-)

Dark Reading - Social Engineering, the USB Way: "Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers."

Trust Wikipedia - It's a *Community* Effort...

Just a comment for you Wikipedia fans that I saw on a mailing list - it's funny as hell ...

"I needed a reference for a paper and couldn't find one that agreed with my definition of the problem ... So I uploaded a definition to wikipedia and then cited the wikipedia entry. Noting also that wikipedia is well respected as an authoritative reference."

Another Fun Observation on Log Management

"... Basically you better look like a log management vendor or you need to get into the remediation business... Given the continued focus around compliance there is a lot of running room for the log management business. For the time being, the auditors have money. The compliance budget is not long lived, but for now take the money and run."

The main insight is: if you think you are in the "protection business", you'd better protect and not just report/alert/scream/bitch/harass (or people would laugh at you!). What if your technology provides superior capabilities to do just the above? Relax, you should be in the "audit business", there is nothin' wrong with that!

Tuesday, June 13, 2006

On compliance vs something useful...

Some fun incite that I was also thinking about lately, but couldn't spell out as succinctly as Mike Rothman...

The Daily Incite - June 12, 2006 (Security Incite: Analysis on Information Security): "So all of those folks chasing compliance dollars better figure out how your value proposition contributes to operational activities."

Compliance spending will level off, but IT folks will still need to do their jobs, day after day. And it's nice if your "compliance tool" actually helps them (ours does :-))

On McAfee and Preventsys firesale

So, I am a bit late, but Blogger crashed, killing my previous post on this, so here it goes again.

Deal: McAfee acquires Preventsys (Security Incite: Analysis on Information Security): "And clearly it doesn't mean anything to customers, since it's not like Preventsys was blowing the doors off of anything. Nor is anyone else in the SRM business. All of these SRM things seem like glorified reporting engines."

I personally am happy to see Preventsys go [down the drain of a firesale]. Over the last 2-3 years I always brought them up as the example of a deeply confused company, which itself doesn't know what it is doing. Other terms that I've heard were "solution in search of a problem that doesn't exist", "in need of adult supervision" and (sorry!) "enterprise crapware."

Seriously, I looked at their website some time ago and I was also confused about what they actually do. So, I went and talked to their engineers at a conference and - wow! - they also were confused and couldn't explain either the technology or their ROI model. Hmmm! I went and did it again a year later - with exactly the same result.

Now, I see McAfee using the pieces of their technology in various areas to bulk up Foundstone and other solutions they have. I hope I won't see them selling it as a whole, since, in this case, the "Confusion" spell will be cast onto McAfee itself :-)

Tuesday, June 06, 2006

And you thought you were wasting time blogging ...

Brazen Careerist: Blogging essential for a good career: "This column shows eight reasons why you should make blogging part of your career. "

BTW, this post was highlighted on the Brazen Careerist blog by Penelope Trunk. Definitely check it out (Why? It's fun, why else? :-))

And here are the reasons, quoted from the paper - some of them are kinda fluffy, but read the paper anyhow:

"1. Blogging creates a network.
2. Blogging can get you a job.
3. Blogging is great training.
4. Blogging helps you move up quickly.
5. Blogging makes self-employment easier.
6. Blogging provides more opportunities.
7. Blogging could be your big break.
8. Blogging makes the world a better place."

On the Value of Monitoring

A very smart outlook on things related to monitoring comes from SecurityIncite:

"From a security point of view, monitoring is not very interesting. The idea of knowing what has happened, without really doing anything about it - strikes me as a waste of time. But that is if your job title has SECURITY in it. If you are an auditor or compliance officer, the last thing you want to do is remediate."

Monitoring =/= protection, it never did equal that, and should not be. Monitoring is about verification, confirmation, assurance!

"Product Management Haikus"

Here are a few of the product management haikus I found. Enjoy! I especially like this one:

"For long term success
Just focus on becoming
More market driven"


Monday, June 05, 2006

TaoSecurity, Donn Parker and Risk Debate/Smackdown

So this discussion on risk was ignited by Donn Parker's piece (called "Making the Case for Replacing Risk-Based Security") in "ISSA Journal", but now others have chimed in (and taken sides!). I will blog more on this in the coming days, but for now, here is something to meditate on (a quote from Richard Bejtlich's blog): "As security professionals I agree we are trying to reduce risk, but trying to measure it is a waste of time."

So is this as dumb as it seems? One would think that when you reduce something, you have to know that it actually became smaller - which, to me, sounds like you need to measure it?

One possible explanation is that one doesn't need to come up with an absolute value of risk; a relative one will suffice. But can we go further in our thought experiment of justifying the above seemingly silly line? Yes, we can! If you've just been compromised, you know what actions will improve security, even if you don't think of it in terms of reducing risk.

Thus, here is the idea to think about: does improving security always 'reduce risk'?

[NEW!] Here is another fun bit from the same:

"* Hardly anyone can assess threats.
* Few can identify vulnerabilities comprehensively.
* Some can measure asset value."

What do we have if we multiply the above "numbers"? A true scientific value of risk!!! :-)

Report or don't: vuln reporting is trouble...

... and some folks wonder in vain "what fuels the anti-sec movement?"

Stuff like this does! Report security vulns at your peril (The Register): "it has become too risky to report security flaws in websites to their administrators." They later say that it also applies to anonymous reporting as well.

The heresiarchs of anti-sec can rejoice in their evil ways :-) : their world is coming back!

On "Why Startups Condense in America"

Just a fun paper: "Why Startups Condense in America"; should be read with its companion paper "How to be Silicon Valley"...

On "Security without firewalls: Sensible or silly?"

Security without firewalls: Sensible or silly?: "The SDSC has suffered only one security incident in a period of almost six years."

Isn't "that they know of" relevant here?

In any case, the paper has some good points; the one I liked most was that it's not that firewalls are useless, but that they are seen as a solution to waaaaaay too many problems...

Using 'HIPAA Compliance' to Sell Something Expensive?

Are you using compliance to sell something expensive? If HIPAA is your favorite regulation to do that, you should check this out: CSI Blog - HIPAA's Got No Bite: "According to the story, the Health and Human Services office (HHS) has not yet imposed a single fine for HIPAA violations." (as of 06/01/2006)

Thursday, June 01, 2006

The Product Management View: The Top 12 Product Management Mistakes

Sorry for quoting almost the entire blog post, but it is a fun read for those involved with product management: “The top 12 Product Management Mistakes” by Martin Cagan, Silicon Valley Product Group:

"1. Confusing Customer Requirements with Product Requirements
2. Confusing Innovation with Value
3. Confusing Yourself with Your Customer
4. Confusing the Customer with the User
5. Confusing Features with Benefits
6. Confusing Building Right Product with Building Product Right
7. Confusing Good Product with Good Business Model
8. Confusing Inspiring Features with “Nice-to-Have” Features
9. Confusing Adding Features with Improving Product
10. Confusing Impressive Specifications with an Impressive Product
11. Confusing a Complete Product with a Sellable Product
12. Confusing Product Launch with Success"

On "Data Retention of Event Logs for Compliance"

This - yeah, you guessed it! - fun report by Eric Ogden from Enterprise Strategy Group is called "Security Information Lifecycle: Data Retention of Event Logs for Compliance". Among other interesting bits, it has this point that a "typically active Fortune 500 corporation [is] generating 250,000 events [or log records] per second".

Is it scary? It depends what scares you (and, of course, whether you are easily scareable :-))

* Does collecting all this data scare you? Actually, it's not that scary as long as your log collection is distributed and thus does not cause any major bandwidth consumption in one network segment...
* Does storing all this data scare you? Actually, it's pretty benign given the great combination of high log compressibility and cheap disk drives (even when sizes hit terabytes). Yes, we are talking about storing all this data on disk, not tape (it will be clear why in the next item!)
* Does accessing all this data scare you? Aah, we hit a good one. Some of the solutions that claim to support the above rate only support it for collection+storage (which are the easy - or easier - parts), and if you want to actually access the data - it's another story. It might involve a bit of waiting...
* Does making sense of all this data scare you? Well, this one is a bummer as well - it is pretty scary. But it opens a whole universe of log analysis, which justifies a later post... One thing I would like to note is that making sense of data should be more automated than in most current solutions: the less time the user spends thinking the better (after a lot of thinking was done by the software developers and log analysis researchers...)
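To put some numbers behind the first two items (collection bandwidth and storage), here is an added example that is not part of the original post or the ESG report it quotes. It builds a constructed batch of repetitive firewall-style syslog records, measures how well zlib compresses them, and extrapolates raw versus compressed storage per day at the 250,000 events-per-second figure quoted above. The average event size comes from the constructed sample, the zlib level and the number of collectors are assumptions, and the per-collector bandwidth figure assumes the rate is spread evenly.

```python
"""Sizing the "250,000 events per second" figure: compressibility and storage.

Added example, not from the original post or the ESG report. Only the event
rate is taken from the post; event shape, compression level and collector
count are assumptions made here.
"""
import random
import zlib

EVENTS_PER_SECOND = 250_000   # figure quoted in the post
SECONDS_PER_DAY = 86_400


def make_sample_log(n_lines: int, seed: int = 1) -> bytes:
    """Constructed firewall-style syslog lines; fixed seed keeps the result repeatable."""
    rng = random.Random(seed)
    lines = []
    for i in range(n_lines):
        src = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        dst = f"192.168.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        lines.append(
            f"<134>Jun  1 12:{i // 60 % 60:02d}:{i % 60:02d} fw01 kernel: "
            f"{rng.choice(['ACCEPT', 'DROP'])} IN=eth0 OUT=eth1 SRC={src} DST={dst} "
            f"PROTO=TCP SPT={rng.randrange(1024, 65536)} DPT={rng.choice([22, 80, 443])}\n"
        )
    return "".join(lines).encode()


def compression_ratio(data: bytes, level: int = 6) -> float:
    """Raw size divided by compressed size (8.0 means 8:1). Level 6 is zlib's default."""
    return len(data) / len(zlib.compress(data, level))


def daily_storage_bytes(eps: int, avg_event_bytes: float, ratio: float) -> tuple:
    """Return (raw_bytes_per_day, compressed_bytes_per_day) for a sustained event rate."""
    raw = int(eps * SECONDS_PER_DAY * avg_event_bytes)
    return raw, int(raw / ratio)


def per_collector_bandwidth_mbps(eps: int, avg_event_bytes: float, collectors: int) -> float:
    """Inbound log traffic per collector if the rate is spread evenly over N collectors.

    This is the 'distributed collection' point: one segment carrying the whole
    stream would see `collectors` times this figure.
    """
    bits_per_second = eps * avg_event_bytes * 8
    return bits_per_second / collectors / 1_000_000


if __name__ == "__main__":
    n = 5000
    sample = make_sample_log(n)
    avg_bytes = len(sample) / n
    ratio = compression_ratio(sample)
    raw, packed = daily_storage_bytes(EVENTS_PER_SECOND, avg_bytes, ratio)
    print(f"avg event size: {avg_bytes:.0f} bytes, zlib ratio: {ratio:.1f}:1")
    print(f"per day at {EVENTS_PER_SECOND} EPS: {raw / 1e12:.2f} TB raw, {packed / 1e12:.2f} TB compressed")
    print(f"with 10 collectors: {per_collector_bandwidth_mbps(EVENTS_PER_SECOND, avg_bytes, 10):.0f} Mbit/s each")
```

Real logs are usually more repetitive than this constructed sample (the random fields here are the worst case for the compressor), so the measured ratio is a conservative lower bound; plugging in your own exported logs gives the figure that matters for your disk budget.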

Dr Anton Chuvakin