Archive for the ‘Blogs’ Category
It’s always awesome to share space with the Pete
Check it out: this morning, yours truly shared space with the L1ndst0rm in an article about security in the channel. Always a pleasure to show up next to the Maverick from Malvern.
More (Hopefully) Useful Questions
Last week, Ross Brown posted his Four Questions to Improve Security over on the Technobabylon blog. I highly recommend checking out the post if you haven’t done so already. Now, Ross’ questions were aimed at vendors (i.e. they are questions a potential customer should ask a vendor in order to improve the security of the customer’s own environment). Anyway, so you have them without having to go to the original post (although I recommend that you do), his questions were:
1) How are you protecting the network?
2) How are you protecting applications and data?
3) How are you protecting systems?
4) How do you know how you are doing?
Now, these are useful in the context of vendor-client interaction. However, within the enterprise itself, I am oftentimes surprised at the questions that practitioners don’t ask themselves. Like:
1) What does the business I support do? And how do I know when they do something that impacts security?
2) Who are my vendors and how do I make sure they handle security appropriately?
3) Where does the data come from and where does it go?
And so on. Very often, I meet individuals in industry tasked with protecting data, tasked with securing resources, and tasked with protecting assets who don’t have answers to these questions. Although I’m not sure that it’s appropriate for a vendor to ask them (and therefore probably not appropriate for inclusion in Ross’ list), I do think somebody should be asking these things.
Fired for what?
Clearly I’m a fan of blogs… and bloggers for that matter. However, I had to take a step back when I saw the recent article about the CIA blogger who was fired. What she was fired for we don’t really know: she says she was fired because she wrote about torture and the Geneva Convention, but the CIA says she was fired because she was blogging instead of doing her job… Interesting.
Wow. Go Go Gizmodo…
So, I accidentally stumbled across Gizmodo’s parodies of the “I’m a Mac” commercials this morning and I can’t stop watching them… 100 percent pure hilarity. Check them out, but be careful of 1.3 since it’s not fully work-compliant:
Awesome Take on the Daily Incite
If you’re not reading it already, I highly recommend reading Mike Rothman’s Daily Incite. Today, he’s got an awesome take on the fluffy “research” Yankee put out yesterday – and trust me, somebody needs to take Yankee to task for it. Anyway, check this out:
I love it when analysts tell us what we already know, and then try to spin it into why customers should buy their services. Yankee Group is today’s offender. They did a survey (you know how much I like surveys) of some small business owners and amazingly enough SMB folks are worried about security. WOW! They also end up deferring some security investments because of budgetary issues. Shocker! The insurance gets deferred because they have to pay the electric bill. Then an association of VARs points to the Yankee survey to highlight the “dangers” of taking security advice from peers. Of course, what they need are VARs to tell them exactly what to do, which amazingly correlates to which vendor is providing the best SPIFFs this month. Sometimes marketing folks make me nuts.
Great Post over at Spire
There’s a great post by Pete Lindstrom over at Spire today about Michal Zalewski and his recent disclosure of a zero-day IE vulnerability without notifying Microsoft. Pete takes the “devil’s advocate” position, saying that Zalewski’s actions are pretty much OK in his view:
Here’s the interesting thing about Zalewski’s approach: if it inspires a lot of “shock and awe” in you, then you are nowhere near able to protect your environment in a reasonable manner. The fact that he didn’t provide enough time for a little song and dance before publishing is pretty much what I’d expect from an attacker, too…
True enough. Anyway, I highly recommend giving this post a read. Just for the record, I don’t share his opinion about the evils of “white hats”: it seems to me that bugs will always be present in software. White hats find those bugs and ultimately they get fixed; of course they do it because they are incented, either by the press or (more recently) by monetary remuneration. As communism taught us, people are less likely to do things without some kind of benefit to them (i.e. “greed is good”). It seems to me that the current “de facto” process, flawed though it may be, does lead to bugs getting fixed, and I think that’s a good thing.
“Boing Boing” Scoops Citi
Citi acknowledged the rumors started by Boing Boing that ATM cards have been compromised, that there is a PIN block in place preventing customers from using their cards in certain countries, and that new cards are being issued. Silly me, I would have thought that Citi would have made customers aware that their cards were being frozen prior to Boing Boing putting it up; apparently that’s not the way it is.
Another Must-read
Came across the link today to “Contrasts in Presentation Style” at Emergent Chaos. This is a must-read.
Want to get blown away?
I came across Geoff Huston’s IPv6 discussion today by way of the Hack the Planet Weblog. Totally a must-read.
Double Props to Emergent Chaos Today
That’s right, two sets of props today for the Emergent Chaos crew: Propz #1 for telling us about the Excel 0day up for bid on eBay – whoever did this has an axe to grind with the various vulnerability franchises and a vein of sarcasm wide enough to criticize in an attention-grabbing way. Note that I happen to disagree with that criticism, but I still can appreciate the manner of delivery.
Propz #2 for mentioning Gobbles in the same post.