An Information Security Place

Commentary on the State of Information Security

Archive for December, 2006...

Filed under Fun

Since I am resolved not to get on this dang computer this holiday weekend, I leave you with this Eddie Murphy clip from Trading Places:

[Embedded YouTube video: vs08a4D0lgg]

Posted by Michael Farnum on Friday, December 29th, 2006

Filed under Friends, Fun

I have been blog-tagged by Ian Lamont, the Online Projects Editor over at Computerworld. I have mixed feelings about this stuff, especially since this is an information security blog and I am supposed to be guarding information. But it seems harmless enough. So, in the holiday spirit, I guess I will play along.

I am supposed to reveal 5 things about myself that few people know:

1. I drove an M1A1 Abrams tank with the 1st Infantry Division in Desert Storm.

2. I was awarded the Army Commendation Medal (ARCOM) for assisting in the capture of a POW during the clearing of an enemy bunker complex (don’t ask me why they had tankers doing this instead of infantrymen). He was hiding to avoid capture and came out with his gun drawn when we got close to his hiding spot. He decided against trying to shoot and run when he saw 5 American soldiers pointing M16’s and 9mm Berettas at various points on his anatomy.

3. I graduated seventh in my high school…out of 86 people.

4. I worked in a head shop in Manhattan, Kansas (in Aggieville, home of Kansas State University) when I was in the Army stationed at Fort Riley, Kansas. I was the only person who didn’t have long hair. No, I did not smoke weed or do any other drugs while I was in the Army. The people who owned the shop were just real cool.

5. I read novels voraciously, but I have to force myself to read nonfiction (except for engaging biographies and military / war stories).

So, now that I have told my deepest, darkest secrets, I am supposed to blog tag 5 other people. Not sure how some of the people I know will react to being blog tagged, but oh well.

Martin McKeay, Alan Shimel, Mitchell Ashley, Mike Rothman, and Michael at mcwresearch.com (not sure if he wants his last name posted).

Vet

Posted by Michael Farnum on Friday, December 29th, 2006

Filed under Security

Did a day trip to Dallas today for a lunch n’ learn on F5 iRules.  Looks pretty powerful.  I don’t have any real experience with their products, but they look pretty good.  They are definitely growing their South-Central team.  I think they are trying to grow the whole team to something like 8 or 9, which is up from 4.  They have a dedicated sales rep and engineer down here in Houston now, where before they were all in and around Dallas.

Let me know what you think about them.

Vet

Posted by Michael Farnum on Thursday, December 28th, 2006

Filed under Security

I have to admit that I do perform the occasional vanity Google.  I usually just like to see what else pops up out there and how quickly things get indexed when I am on a podcast or comment on a blog post.  I usually don’t dig deeper than a couple or three pages, but today I dug all the way to page 9, and I found this from Whatis.com.

It looks like I am on the favorite security blog list, along with Bruce Schneier and my friend Martin McKeay (of course and of course) and a few others.  This seems like a fairly obscure article since it is titled “Our Favorite Technology Blogs” and is under the “O” section in their database where I doubt anyone would really look.  You also have to go down to the table of contents and click “Security” to find me.  But hey, I’m honored!  Thanks Whatis.com people!

 

Vet

Posted by Michael Farnum on Tuesday, December 26th, 2006

Filed under Security

I enjoyed this little case study from SANS.  It talks about doing security inspections on some old laptops that all came from a company.  Mostly typical findings, but it demonstrated some points that we don’t need to forget.

Vet

Posted by Michael Farnum on Tuesday, December 26th, 2006

Filed under Security

Getting ready for church on Christmas-eve morning, so I don’t have time to write much. But if you are reading blogs on this holiday weekend, go check out the comments on my post about the Winsnort site being defaced back in August. Let me know what you think.

Vet

Posted by Michael Farnum on Sunday, December 24th, 2006

Filed under Misc.

Here’s to hoping everyone has a Merry Christmas and an all around happy holiday season.

Vet

Posted by Michael Farnum on Friday, December 22nd, 2006

Filed under Security

From Computerworld Career Watch page:

Troubled Certs
Pay for some certifications plummeted in the six months from April 1 to Oct. 1, according to a wide-ranging Foote Partners LLC survey covering 129 certification categories and 124 noncertified skills. The following are some particularly hard-hit certs:

  • CompTIA Linux: -43%
  • CompTIA Network Technician: -36%
  • CompTIA Security+: -33%
  • Cisco Certified Design Associate: -22%
  • Cisco Certified Network Professional: -22%
  • CompTIA Certified Technical Trainer: -22%
  • Certified MySQL 4.0 Professional: -22%
  • Citrix Certified Enterprise Administrator: -20%
  • Microsoft Certified Trainer: -20%
  • Microsoft Certified Database Administrator: -20%
  • Cisco Certified Design Professional: -18%
  • Microsoft Certified Systems Admin: Security: -13%
  • Linux Professional Institute certification: -13%
  • Cisco Certified Network Associate: -12%

Honestly, is this list very surprising?  The top three are CompTIA certs (I happen to hold the Security+).  How many people are roaring for those (except for A+, which is still respected in the nech tech world)?

CCNA has long been a joke, even though I heard it had been revamped and was tougher.  I have seen personally the interest for the CCNP drop quite a bit (I don’t know everyone, but most of the people I knew that were looking at it decided not to pursue it).

Now, where’s the list where it shows the CISSP cert causing 100% increase in salary?  Yea, right.

And here’s a certification that we all had in the 90’s and early 00’s:

Vet

Posted by Michael Farnum on Thursday, December 21st, 2006

Filed under Security

First it was Alan Shimel on his blog turning me into the Grinch.  Now Misha at AlertLogic has a picture of me Warhol-style.  I think this may be the start of a trend.  Anyone else want to have fun with my mugshot?

Here it is.  Have fun!

Vet

Posted by Michael Farnum on Thursday, December 21st, 2006

Filed under Acquisitions, Business of Security, Security

Websense is buying PortAuthority for $90 million. If you are not familiar with them, PortAuthority makes a leak prevention security product. This makes sense in the Websense model, but I like the deal for another reason. This tells me that Websense may be seeing the light finally and is trying to diversify a little so they don’t implode.

Of course, we’ll see if they have learned anything at all by watching what they do to the pricing model of PortAuthority. If they follow their current structure, current PortAuthority customers might find themselves paying 100% maintenance every year.

By the way, has Websense ever bought anyone before? I need to do some research.

Vet

Posted by Michael Farnum on Wednesday, December 20th, 2006

Filed under Blogging Buddies, Friends, Fun, Me, Security, podcasting

Alan and Mitchell at the StillSecure After All These Years podcast interviewed me last week for their podcast. It is up here at Alan’s site and here at Mitchell’s site.  I gave an update on my move to the channel, about honesty in selling security, the converging of the security professional and the general IT professional article I wrote at CW, and some other stuff.  It was fun.

Thanks to Alan and Mitchell for having me on again. I really enjoy talking about myself, as anyone can plainly see, and Alan and Mitchell actually seem to genuinely be interested in the people they interview. They are two great guys that I hope to meet soon at the RSA Conference security blogger gathering (not sure if Mitchell is going to be there, but I know Alan is going to show).

Thanks for the kind words, guys. You are two class acts.

And Alan, notice that I did not alter the picture in any way!  Or did I?

Vet

Posted by Michael Farnum on Tuesday, December 19th, 2006

Filed under Business of Security, Musings, Security

I was reading through the many newsletters I receive daily, and I ran across a couple of articles about security vendors warning about spam, spyware, phishing, the mob and hackers teaming up, etc. As I was reading those headlines, I found myself quickly sneering and thinking these were nothing but more FUD from people trying to make another buck.

Then I thought, Wow, I sure am getting cynical. Though it is obvious that there can be a lot of FUD coming from these guys, that doesn’t mean that I shouldn’t read their stuff. I’m sure there are people in those companies that are sincerely trying to help the security industry. It just comes out as FUD when those dang “marketeers” get their claws into it.

Maybe I’m a little gloomy because it has been raining down here for the last couple of days. I need to take a happy pill!

Vet

Posted by Michael Farnum on Tuesday, December 19th, 2006

Filed under Internet, Misc.

December 31 is the last day of free SkypeOut calls (calls using Skype to regular numbers outside the Skype network). I know a lot of people use Skype for calls. I personally use it for conference calls from the office quite a bit. I can switch to my mobile or office phone easily, but I know some people who use it for podcasts, and it makes it quite efficient.

The good news is that SkypeOut is pretty cheap. It will be $29.95 a year for unlimited US and Canadian calls, which I think is dang good. If you buy now, you can get it for $14.95.

So, anyone planning on signing up?

Vet

Posted by Michael Farnum on Monday, December 18th, 2006

Filed under Cool, Fun, Old school

My wife and sister-in-law managed to convince my father-in-law to dig through the storage closet and pull out their old Classic Nintendo Entertainment System (NES).  They have a bunch of games like the original Mario Brothers, Duck Hunt, Dr. Mario, etc.  I am posting this at almost midnight Central time, and they are still playing.  I am trying to decide whether to go back or go to bed.

Anyway, this thing brings back all kinds of memories of my childhood.  I remember putting my original NES on layaway when I was in high school.  I think it was just over $100 back then, and I only earned about $200 / month, so it was quite the financial decision.  Waiting for a month to get that thing just about killed me!

When I did get it, I did nothing but play.  I was a Zelda master and a Mike Tyson ass-whipper back then.  I would stay up all night with a friend competing to see who could beat different games the fastest.  We would start right after dinner (around 7pm) and would not stop until the sun came up the next morning.  Remember those days?

Good times, good times…

Vet

Posted by Michael Farnum on Saturday, December 16th, 2006

Filed under Security

Looks like the latest IBM ISS Proventia update is causing some havoc on networks.  Go see here

 

 

Thanks to SamVR for pointing me to the article.

Vet

Posted by Michael Farnum on Thursday, December 14th, 2006

Filed under Security, Training

I am in Citrix NetScaler training for most of this week.  I have heard good stuff about this product, but I am interested to hear about anyone else’s opinion.

Another interesting thought.  Now that I am not responsible for the security of a network, I have no issue posting on my blog what I am going to be doing for the next couple of days.  I feel so free! 

Vet

Posted by Michael Farnum on Tuesday, December 12th, 2006

Filed under Blogging, Security

I posted a couple of weeks ago about me doing a talk at Alert Logic. Misha Govshteyn, the founder and CTO of AlertLogic, was in the group as well, and we talked for a bit about various things. If you have not talked to Misha, he is a very informed person, and he is clearly intelligent with clear cut and well thought out opinions about security.

By the way, I WAS NOT PAID FOR THE TALK, AND I DO NOT HAVE ANY STOCK OR INVESTMENT IN ALERT LOGIC.

Anyway, one of the issues that came up was the possibility of Misha starting a blog. To my knowledge, he has not started one yet. However, Alert Logic has a blog that has been kept under wraps. Until now, that is. I have been given the honor of revealing their blog to the world (they chose me because of my thousands and thousands of readers and fans - **HACK, COUGH** - sorry, hairball).

But in all seriousness, I have read some of the stuff on the blog, and it looks good. The writing is often very witty and well thought out (this Jeremy Hewlett guy has some great skills with the written word). And I have found them to be very informative as well. Go check ‘em out here.

Of course, now that you Alert Logic guys have been exposed to the world, be prepared for comments and criticisms. I hope you have some thick skin. It ain’t easy out here sometimes!

Vet

Posted by Michael Farnum on Monday, December 11th, 2006

Filed under Crime, Government, Laws, Rant, Security

I just wrote a post over at Computerworld entitled The Security of Web 2.0 - an Oxymoron. Then I find this story about Senators McCain and Schumer proposing legislation that will require sex offenders to register their IM names and email addresses. I need to read more about this bill. Like typical security legislation passed by our government, this one appears on the surface to be nothing but security theater and something else to boost Schumer and McCain’s appeal before the presidential elections.

Think about it. How difficult is it to create a different IM name or email address?

The registration provisions would make failure to notify the authorities of all e-mail addresses a felony punishable by up to 10 years in prison.

Uhhh, so? These perverts are already breaking the law and facing jail time and some serious nastiness in the big house (child molesters supposedly don’t fare well in prison - though I have no proof of that). What makes anyone think they are going to change their ways because of another law?

Don’t get me wrong. I am fully on board for catching these “people”. I have children and would unleash all hell if one of these sick, twisted individuals even came close to one of my kids. But another law on the books that effectively does nothing to help the situation is just words on paper. Just make the behavior illegal (which it is) and make the punishment such that if the perv is caught he never sees the light of day again (there are a couple of punishments that would fit that description - you decide which one is right for you).

Vet

Posted by Michael Farnum on Thursday, December 7th, 2006

Filed under DDos, Due Diligence, Rant, Security, Sheesh

CJ Kelly, a blogger at Computerworld, proclaimed yesterday that the Internet is safe from DDoS. She  says:

…maybe 5-8 years ago this was a possibility, but I don’t think it’s possible to do a large scale DDoS attack any more.

Man, I am so happy to hear this news. You can’t fathom the relief at hearing Ms. Kelly announce our new found safety. I am so indebted to Ms. Kelly for fixing the Internet yesterday right after she posted this announcement.

What was that?  What happened yesterday? Well, let’s see. A business web service provider called CrystalTech went down for four hours due to a DDoS attack (it happened the same day she wrote her post). I am glad that isn’t going to happen anymore.

Oh, and EveryDNS was hit hard last week with a DDoS attack that took them down for 1 1/2 hours. I am totally relieved that we won’t see that again.

I also seem to remember a company called Blue Security closing its doors in May because a nutty spammer decided to DDoS them and started causing trouble all over the Internet. Here’s a quote from the article:

The attacks not only disrupted Blue Security’s operations but knocked out the Web blog hosting service Six Apart and a handful of Internet service providers, including Tucows.

Man, I am so happy we are done with DDoS attacks.

OK, I guess that is enough. CJ Kelly’s post is nothing short of ridiculous. I mean, really. Does she write from a black hole where the only articles she can find to support her are Cisco press releases and product whitepapers? I’m not kidding. Look at her links to Cisco. It is friggin’ Cisco propaganda that she calls “informational pages”.

Holy crap, my head is about to explode.

Ms. Kelly, please do some research. Please read the news. If you are a “real world Information Security Officer” as it says in your CW bio, I beg you to better serve your company and the information security industry by informing yourself before you start writing.

Vet

Posted by Michael Farnum on Tuesday, December 5th, 2006

Filed under Security

There’s a new book now published by Syngress about Wireshark / Ethereal.  Larry Pesce from Pauldotcom helped write a chapter in the book.  Go check it out and buy a copy here.

Vet

Posted by Michael Farnum on Tuesday, December 5th, 2006

Filed under Security

I usually don’t post about my personal life, but I have to share some stuff from this weekend. 

First, my five year old son is in Taekwon-do.  Normally, a white belt would go to yellow tab, then yellow belt, green tab, green belt, and so on.  But with juniors, this group makes them go through degrees of white belt (black stripe, red stripe, blue stripe, and green stripe) before they can get the yellow tab.  Well, he’s been going for about 4 months now, and he finally got his yellow tab (first step towards black belt, is what they say).  So congratulations to my boy.

Second, I learned about some exciting stuff happening with my son’s Taekwon-Do class.  There is a “secret seminar” on December 9, and I have been given the lowdown by Mr. Howard, the owner and instructor at Global Taekwon-Do.  I don’t want to give out any details, but if this turns out to be as cool as I think it is going to be, then I recommend going out to the website in a couple of weeks.  I am excited about it.

Third, after I got over all the excitement of the Taekwon-Do stuff, we woke up this morning, went to church, and my 2 year-old daughter fell in Sunday School and split her chin WIDE open.  My wife and I were trying to teach a class full of crazy 4 year olds, and they came in and grabbed my wife without telling me what was going on.  So here I was, wondering what was happening, and starting to freak out.  Finally, they came and told me, then found some other teachers to take our class, and off we went to the clinic.  She ended up having 5 stitches.

So here I am, trying not to cry and trying not to hit something at the same time while my little girl is screaming at the top of her lungs because the nurse and doctor are cleaning this gash, then putting other stuff to deaden the pain, then sewing it up.  It was horrible.  And the kicker is that neither one of my 5 and 4 year old boys has ever had a cut or broken bone (thank God), and my two year old daughter isn’t half their age and she’s already got 5 stitches to her name.  Well, at least it is under the chin and not out there for everyone to see. 

It may be sexist, but I don’t want my little girl to have any scars like that.  I don’t care if my boys have a couple of scars.  Scars just make men interesting, and it gives them plenty of material to make up cool stories (not that I would condone that - by the way, did I ever tell you about the time I stormed a bunker and jumped on a grenade to save 20 soldiers?).

And fourth and final, my Dallas Cowboys pulled out a win over the NY Giants.  That was awesome.

So anyway, crazy weekend.  Here’s to hoping for a quiet week!

Vet

Posted by Michael Farnum on Sunday, December 3rd, 2006

Filed under Ethics, Security

My friend Martin McKeay posted a few days back about email privacy. Another friend, the great Alan Shimel, responded with some thoughts of his own. In light of these posts, I found interesting the following story from another friend (not a blogging buddy).

Here’s the story: My friend works at a rather large national sales-type company. He has worked there for about the last 10 years. Recently, the company cut quite a few staff in an effort to get rid of some bloat they had accumulated over the years. My friend was passed over by the cuts. He actually got a promotion out of it because he was placed in charge of a territory that was previously run by 5 sales managers and several account managers (so either they did have substantial bloat, or they are trying to kill my friend instead of firing him).

After my friend received his promotion and started to take over the operation of his new territory, his boss informed him that the IT department had been instructed to forward all emails of the previous managers to his inbox. This was done for obvious reasons, and my friend got ready for the deluge of emails. What surprised him was that he started receiving the emails of an additional 5 sales people that were now his employees, and he knew that neither he nor his boss had requested this to be done.

After scratching his head for a few minutes, my friend decided to check with his boss to see what was going on. You can probably see where this is going, but basically, they found that one of the previous managers that got the axe was spying on his sales people. According to my friend (and I believe him), this guy was a micro-manager from hell, and he would not let his sales people make any decisions without his explicit approval. He basically beat his employees into submission and made them little more than robots doing his will. But he was smart enough to keep this from his boss.

He made sure that his boss knew nothing about the emails being forwarded to him by going directly to a single IT person and asking to have this done. I have no clue about the company’s change management process (it is obviously pretty weak), but I guess this IT guy was either bribed or just charmed into doing this without ever letting anyone else know about it. And the IT guy could not really be held accountable after they discovered what had happened because he had taken an early retirement option that had been offered when the company was cutting back (they ended up letting 48 IT people go by either layoffs or early retirement).

So what are some lessons here? First, change management is important. This could not happen (or would be less likely) if the company had a strong change management process that made requests go through the system, and those requests were checked by more than just one individual. Second, system reviews are important. Even if something like this slips by, having a regular review of systems from someone outside this particular responsibility area would have likely turned up something fishy. Third, your privacy is never guaranteed, especially in email and in an employment situation. Though this was done incorrectly, and these employees (according to my friend) did not know they were being monitored, it is still within the rights of the company to check up on the employee’s corporate email.

Vet

Posted by Michael Farnum on Friday, December 1st, 2006
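
The first two lessons of the forwarding story above (change requests checked by more than one individual, and a regular review of systems) can be turned into a periodic check. The following is an added example, not part of the original post: it assumes a constructed export of mailbox forwarding settings and of change records, and the addresses, ticket ids, column names and the two-approver threshold are all hypothetical.

```python
import csv
import io

# Constructed sample exports; every address and ticket id is hypothetical.
FORWARDS_CSV = """mailbox,forward_to,mailbox_status
old.manager1@example.com,new.manager@example.com,terminated
old.manager2@example.com,new.manager@example.com,terminated
sales.rep1@example.com,old.manager1@example.com,active
sales.rep2@example.com,old.manager1@example.com,active
sales.rep3@example.com,compliance@example.com,active
"""

CHANGES_CSV = """ticket,mailbox,forward_to,requester,approvers
CHG-1001,old.manager1@example.com,new.manager@example.com,director@example.com,hr.head@example.com;it.lead@example.com
CHG-1002,old.manager2@example.com,new.manager@example.com,director@example.com,it.lead@example.com
CHG-1003,sales.rep3@example.com,compliance@example.com,legal@example.com,hr.head@example.com;it.lead@example.com
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def effective_recipient(mailbox, fwd_map):
    """Follow forwarding hops to the mailbox that finally receives the mail."""
    seen = set()
    current = mailbox
    while current in fwd_map and current not in seen:  # 'seen' stops loops
        seen.add(current)
        current = fwd_map[current]
    return current


def review_forwards(forwards_csv, changes_csv, min_approvers=2):
    """Return one finding per forward that lacks a properly approved change."""
    forwards = load(forwards_csv)
    changes = {(c["mailbox"], c["forward_to"]): c for c in load(changes_csv)}
    fwd_map = {f["mailbox"]: f["forward_to"] for f in forwards}
    status = {f["mailbox"]: f["mailbox_status"] for f in forwards}
    findings = []
    for f in forwards:
        reasons = []
        change = changes.get((f["mailbox"], f["forward_to"]))
        if change is None:
            reasons.append("no change record")
        else:
            # The requester and the recipient cannot approve their own request.
            approvers = set(filter(None, change["approvers"].split(";")))
            approvers -= {change["requester"], f["forward_to"]}
            if len(approvers) < min_approvers:
                reasons.append("fewer than %d independent approvers" % min_approvers)
        if status.get(f["forward_to"]) == "terminated":
            reasons.append("recipient mailbox is terminated")
        if reasons:
            findings.append({
                "mailbox": f["mailbox"],
                "lands_with": effective_recipient(f["mailbox"], fwd_map),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review_forwards(FORWARDS_CSV, CHANGES_CSV):
        print(finding["mailbox"], "->", finding["lands_with"], finding["reasons"])
```

Resolving the forwarding chain is what surfaces the situation in the story: the sales reps' forwards point at a terminated manager, whose own approved forward then delivers their mail to the new manager.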