Archive for January, 2007...
Filed under Security
I just read this story over at SearchSecurity.com about the TJX breach. It looks like someone is suing TJX because they didn’t release information about the breach soon enough. The lawsuit also asks for TJX to provide credit monitoring, which TJX has said they won’t do.
A couple of things here. Often this type of security issue is a catch-22 because you have to weigh public opinion with security reality. If what TJX says is true about why they didn’t release info on the breach for a month, then I am OK with the delay (they say investigators asked them not to release the information at the start of the investigation, and they say it allowed them to figure out what happened and secure their system to prevent further breaches). And if the proof holds up to this reasoning, then they can win that in court.
However, not providing credit monitoring could be a mistake. TJX chairman Ben Cammarata says, “Based on the type of data involved in the breach of our systems, we don’t believe that such monitoring will be meaningful to customers.” Uhhhh, do they know about this story?? Looks like some of the data stolen from TJX is being used to make fraudulent purchases. And regardless, this is a public perception type of thing, Mr. Cammarata. Even if the data was totally useless, it makes sense to dole out the funds to customers just to make them feel better, and to make them feel like you give a crap.
Of course, TJX may just be hedging their bets because these types of issues tend to blow over in a few weeks in the general public’s eye (I don’t think there are too many soccer moms reading my blog). Of course, they could possibly lose the lawsuit and have to provide monitoring, and I think they will in the face of that story, if the case even makes it to trial. They probably have good lawyers, and the whole thing will likely be settled out of court anyway. Everyone involved will get 5 bucks, and it will be done.
So much for public disclosure laws.
Vet
Posted by Michael Farnum on Tuesday, January 30th, 2007
Filed under Blogging, Security
There’s a new security blog out there, and it’s from the Great White North. It is called Security Views, and the guy who runs it is named Scott Wright.
I would like to welcome Scott to the fold. Good luck.
And of course, this post about a Canadian blogger would not be complete without a link to a clip from one of the greatest movies of all time, namely Strange Brew!
Vet
Posted by Michael Farnum on Tuesday, January 30th, 2007
Filed under Blogging
I apologize if you have made comments on some of my posts and have not seen them show up. Akismet has had a few false positives over the last few days, and I am starting to get so much comment spam that I can’t catch them all.
Vet
Posted by Michael Farnum on Tuesday, January 30th, 2007
Filed under Security
I received an email from Thomas Frazier, Product Strategy Manager at Cybertrust, in response to my post regarding the Cisco / Cybertrust PCIDSS partnership. I have not had time to study the response closely, so I am merely posting it here now. I will read it more closely later and respond as I have time.
In regards to the Computerworld story, I would like to clarify some information that was not included in the story. Regarding the relationship between Cybertrust and Cisco, Cybertrust — like other security professionals — is the first to acknowledge that it is the implementation of PCI DSS that helps organisations achieve compliance, and not the products that are purchased. As the PCI DSS covers everything from building a secure network to maintaining a security policy to protecting cardholder data, it is important to place the Secure Store solution in the proper context. Large, medium and small retailers can use Secure Store reference architectures as a means to reduce the amount of remediation and assessment effort required to become compliant. Cybertrust has certified PCI assessors, myself included, around the globe who provide a consultative approach to PCI. We were engaged by Cisco based on our reputation in the PCI and compliance space. To my knowledge this is the only offering where extensive work has been done to align reference architectures against this standard. I believe that this initiative from Cisco was driven by the merchant and service provider community looking for help from the security industry in regards to PCI. Secure Store is Cisco’s response to that.
Vet
Posted by Michael Farnum on Sunday, January 28th, 2007
Filed under Rant, Security, Security Education, Sheesh
So Determina released an advisory about a bug they found in IE in Vista. They ran a simple ActiveX fuzzer against it, and it crashed. They were surprised that it worked, and so am I. However, that is not the whole story.
When they mentioned the problem to MSFT, they came to the conclusion that it is just a stability problem and not worthy of fixing in a security release. Determina agreed, with this statement in the advisory:
We have confirmed that this issue can be used to cause the instance of Internet Explorer to exit when viewing the specially crafted Web page. We have confirmed that there is no possibility to use the bug to do anything beyond that, e.g. execute code.
As such it is more along the lines of a stability issue and would be treated along similar issues reported into Microsoft using the Online Crash Analysis system.
OK, this just befuddles me. Since when did people start ignoring the “A” in the CIA Triad? Availability is essential to security. I made this point in an email discussion thread I am currently involved in:
Microsoft complained that the flaws that HD Moore found in IE were stability problems and merely resulted in crashes rather than actual vulnerabilities. Remember the CIA triad, people. Confidentiality, Integrity, and AVAILABILITY. If a company relies on web applications for its livelihood, you can bring said company to its knees if you make IE unavailable. It is still a security problem.
Any stability problem deserves to be classified as a security problem if the possibility of denying access to data or services exists. And there are many companies out there that rely on web services for their livelihood.
Microsoft, FIX IT!
Determina, go take a class in security.
Sheesh.
Vet
Posted by Michael Farnum on Saturday, January 27th, 2007
Filed under Data theft, Security, Stolen computer
From SANS Newsbites Volume 9 Number 8. This goes to prove that this was probably the biggest issue of 2006 and will keep on being big in 2007.
Crazy stuff.
TOP OF THE NEWS
–Former Michigan County Treasurer Allegedly Embezzled State Funds to Pay Nigerian 419 Scammers
(25, 24 & 17 January 2007)
Former Alcona County (Michigan) Treasurer Thomas Katona has been arraigned on nine felony counts of embezzlement and one felony count of forgery for allegedly embezzling state funds to the tune of US $1.2 million; some of the money was allegedly sent to 419 fraudsters in Nigeria. Authorities became aware of the situation when a local bank alerted them to unauthorized wire transfers Katona had directed. Bank officials had cautioned Katona on several occasions that he was falling for a scam, but he ignored their warnings. Katona also allegedly lost more than US $72,000 of his own money in the scam.
http://www.theregister.co.uk/2007/01/25/treasurer_accused/print.html
http://www.informationweek.com/showArticle.jhtml;jsessionid=UKVFNGXFCRYXIQSNDLPCKH0CJUNN2JVN?articleID=197000242
http://www.michigan.gov/ag/0,1607,7-164-34739_34811-160250–,00.html
[Editor's Note (Schultz): It is hard to understand how someone who ostensibly is an otherwise intelligent, responsible person could allegedly have fallen for such a scam in such a big way. This shows that despite the fact that 419 scams have lost much of their lustre, they nevertheless still pose a high level of risk.
(Liston): The common misconception is that 419 scams (and their ilk) are aimed at unintelligent victims. Mr. Katona, no doubt, saw the prospect of the 419 "windfall" as a way to cover up his alleged embezzlement, and let greed and desperation overwhelm common sense. Remember: scams are aimed at other human weaknesses -- not "stupidity."
(Grefer): FTC and State Department web sites provide additional guidance at:
http://www.ftc.gov/bcp/conline/pubs/alerts/nigeralrt.htm
http://www.state.gov/www/regions/africa/naffpub.pdf
(Shpantzer): These scams are profitable
http://www.theregister.co.uk/2007/01/02/money_launderer_caught/ and have resulted in domestic violence http://www.theregister.co.uk/2006/07/20/419_shooting/ and kidnappings/ransom/killings of those who travel to Nigeria to close 'deals' with the scammers.]
–Class Action Suit Filed Against Chicago Board of Elections for Data Exposure
(23 January 2007)
A class-action lawsuit has been filed against the Chicago Board of Elections for sending out more than 100 CDs with sensitive, personally identifiable voter information to city aldermen and ward committeemen.
“The suit … alleges the board violated the Illinois Personal Information Protection Act” and seeks unspecified compensation for all Chicago voters whose Social Security numbers (SSNs) were compromised.
Other data on the CDs include dates of birth, addresses and phone numbers. The board is making efforts to get the disks back, but a board spokesperson maintains there have been no reports of associated identity fraud since the disks were sent out more than three years ago. The board is required by law to notify voters about the incident, but it plans to make the notification through advertising rather than by contacting each voter individually. The Personal Information Protection Act allows for this sort of notification; see Section 10 (c).
http://www.suntimes.com/news/politics/224519,CST-NWS-data23.article
Text of Illinois Personal Information Protection Act:
http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=094-0036&print=true
[Editor's Note (Liston): It is interesting to see the government's response to its own error and contrast that with what we can only assume would've been the reaction if this had been a private firm's mistake.
(Shpantzer): This mirrors this week's leak investigation of the entire Israeli population data being given to the political parties in Israel, per Israeli law, facilitating democracy and election fairness. Where else is this happening, and what's being done about this unintended consequence?]
–Data Stolen from TJX Has Been Used to Commit Fraud
(25 & 24 January 2007)
The Massachusetts Bankers Association says customer data stolen in the TJX computer intrusion have been used in fraudulent activity. Close to 60 banks in Massachusetts have been contacted by credit and debit card companies regarding fraudulent activity on compromised debit and credit cards. Banks in other states, including Vermont, Wisconsin and New Mexico have reported issuing new cards. Canadian cardholders have been hit by fraud as well.
http://www.forbes.com/feeds/ap/2007/01/24/ap3359602.html
http://www.forbes.com/feeds/ap/2007/01/24/ap3357843.html
http://www.freenewmexican.com/news/55831.html
http://www.theglobeandmail.com/servlet/story/LAC.20070125.WINNERS25/TPStory/National
http://www.postcrescent.com/apps/pbcs.dll/article?AID=/20070124/APC03/701240643/1888/APCbusiness
–Delay In Reporting Xerox Laptop Loss Leads To Damage To Employees
(22 January 2007)
A laptop computer stolen from a Xerox human resources manager’s car in August 2006 holds information belonging to an unknown number of Xerox employees; nearly 300 employees received letters notifying them of the theft four months after the fact. Some of the employees had experienced credit problems in the interim; for instance, one individual said several cell phone accounts were opened in his name in the fall of 2006.
A spokesperson defended the company’s decision to delay notification, saying they wanted to determine whether any personal information was on the computer.
http://www.kgw.com/news-local/stories/kgw_012207_news_xerox_theft.cde8339.html
Vet
Posted by Michael Farnum on Friday, January 26th, 2007
Filed under Security
I finally broke the 100,000 barrier on Technorati (see screenshot).
Man, I feel special.
Vet
Posted by Michael Farnum on Thursday, January 25th, 2007
Filed under Fun, Sales
Posted by Michael Farnum on Thursday, January 25th, 2007
Filed under Compliance, Rant, Security
Seems like Cisco has partnered with Cybertrust in creating some kind of PCI-geared hardware package / solution. Cybertrust is supposedly giving this amorphous hardware blob (I guess a hardware package can be customized for each scenario) the PCI checkmark. OK, so which company is going to purchase this package for its stores and tell its auditors, “we’re PCI compliant because we bought this crap”?
From their news release:
Part of the Cisco PCI Solution for Retail, a set of recommended and audited network architectures that can be tailored for each retailer’s specific store footprint and application needs, Cybertrust has provided its PCI subject matter expertise to validate that the Cisco solutions are optimized for PCI compliance. The Cisco PCI Solution architectures provide guidelines that help retailers manage the complexities associated with the PCI Data Security Standard.
Rrrrriiiiight….
Computerworld Australia warns against this as well.
Vet
Posted by Michael Farnum on Tuesday, January 23rd, 2007
Filed under Blogging, Security
I just found this security blog because the author put me in her blogroll, and Technorati let me know about it. The blog is titled Princess of Antiquity. It looks like the author is a 17 year old student in the Philippines. It is kind of a mixed personal / security blog, with a heavy emphasis on security. There is some good stuff in there, and coming from a 17 year old, I have to say that this young lady has nowhere to go but up. And since she is linking to my blog, you know she is smart!
On a side note, technology is amazing to me sometimes. Even though I know the Internet is world wide and people can check out just about anything from anywhere, it still floors me when someone from the Philippines can find my blog. Too cool.
Vet
Posted by Michael Farnum on Tuesday, January 23rd, 2007
Filed under Business of Security, Me, Sales, Security, Security Reselling
Well, I am back from our annual sales kickoff meeting. The week was rough, but the content was great, especially the last day (we had three of our top SE’s teaching our processes and how to be a more effective SE - the sales people were in there as well, so they got a good idea of what we have to deal with). I am more jazzed up now about working for Accuvant. The people I met were great. Everyone is stoked about 2007. I am convinced more than ever that this was a good move for me.
I know. Everyone is highly motivated by these meetings, and it will probably wear off. I agree to a point, but what you have to understand is that I have never worked anywhere that I felt like a part of something good. This is the first company that I am proud of being a part of. It is a good feeling. Maybe that’s a little cheesy, but that’s the way I feel.
It was held at Copper Mountain in Colorado. Very nice location, but we never had any time to get out and enjoy it since we were in meetings the whole time. Oh well.
I could barely breathe up there. I think it is somewhere around 9,500 feet where we were staying. Since I live in Houston, which is about 6′ above sea level, I was completely unprepared for the thin air. I had a headache the whole first day and was gasping for air all night when I was trying to sleep. That REALLY sucked. I got about an hour of sleep that night.
I got used to it the next day, but I was so friggin’ tired that I still don’t remember much of the day. I slept like a baby the second and third night, and I was fine just walking around. Next time I will be taking as much of this advice as I can.
Vet
Posted by Michael Farnum on Monday, January 22nd, 2007
Filed under Security
I have been in Denver all week for Accuvant’s annual sales kick-off. Today the SE’s and consultants were in a bunch of vendor mini-trainings for the SE’s. Can you say death by PowerPoint???
Anyway, one of the vendors presenting is a well-known security vendor that has some products around web app security. Up pops their obligatory reference slide of companies who use their products, and guess who is on the list? Yep, you guessed it: TJX (read about TJX here if you are not aware of the story).
It was weird because the reference slide was all text and must have had about 30-40 companies listed, but my eyes were immediately drawn to TJX. The presenter had paused to take a breath, and I quickly commented, “I don’t think I would have TJX on my reference list.”
Now understand that almost everyone in the room was an SE, a security consultant, a security assessment person (pen tests, social engineering, etc.), or a compliance person. These people, including me, take pride in being up on current security issues. The room went silent, and just about everyone looked at the slide. The presenter just kind of froze. Then a couple of chuckles were heard, and everyone was kind of like, “Holy crap.” The presenter, after he unfroze, said that TJX probably had some of their other products and not their web app stuff. Good recovery, dude.
Truthfully, the vendor in question has some great stuff, and they are one of our top partners. But if they had used this slide at a customer that was knowledgeable and up on events, they probably would have been screwed.
Vet
Posted by Michael Farnum on Friday, January 19th, 2007
Filed under Catalyst, Security
Michael Santarcangelo posted here about the launch of the Catalyst Community forums (I kissed Michael’s ass the other day,… uhhh, I mean I wrote about Michael the other day here). This is a small step in a much bigger project. Go see and join the forums if you are interested in security.
Martin wrote about it as well. Pay attention to his edit about the naming conventions.
Vet
Posted by Michael Farnum on Thursday, January 18th, 2007
Filed under Blogging, Rant
I am attending the RSA conference in February as press because of my Computerworld blog. I applied at the RSA Conference site, and they accepted me. And like Martin has been posting, I have been getting multiple requests for interviews, briefings, etc. from security companies that are attending.
Well, today I received an email from a public relations firm that did not tell me who they represented. Here’s the text of the email:
Hi Michael,
I saw that you were attending RSA on behalf of Computerworld. I’m just curious – are you attending for content for your blog postings or are you acting in more of a reporter capacity for Computerworld at the conference and planning to write on hard news and discussions with folks who have a presence and activity at the conference?
I don’t know about you, but I was offended by this question. So, because I blog I am not legitimate? Here is my response:
It is for my CW blog and my personal security blog.
And though I may just be feeling defensive, and I also suspect you are not being purposefully belittling, many bloggers would take issue with the tone of your question. Blogging is a completely legitimate news source and is considered by many to be “hard news”. I think this is proved out by RSA accepting so many bloggers as press. And “discussions with folks who have a presence and activity at the conference” are excellent sources for blog posts. In fact, I am interviewing a couple of people for my blog, and these people are security professionals and security industry executive types.
Just because bloggers post their opinions (because we both know “hard news” reporters never report their opinion, right?) does not mean we are not a valid news source.
Anybody else take this as I did? Am I being too defensive?
Vet
Posted by Michael Farnum on Thursday, January 18th, 2007
Filed under Security
Looks like PirateBay.org is trying to buy a man-made island and start their own nation to avoid copyright laws. That’s plenty clever.

Vet
Posted by Michael Farnum on Monday, January 15th, 2007
Filed under Convergence, Security
Here’s Chris’ comment:
You are both way off-base! The reason Brian Smith was quoted in this article within this context is because Tippingpoint/3com are showing their honking M60 Security SWITCH at RSA! I think you guys are more interested in knocking the 3Com/Tippingpoint relationship than understanding what Brian was saying.
Chris,
I see what you are saying (from reading your post), and I agree that I may have read that wrong. But when I read “bump-in-the-wire”, I think hardware device. Even if it is super fast and doesn’t introduce any noticeable latency, it is still a device to be managed.
Also, I am not really interested in knocking the relationship. Did I like the relationship when it started? No, I didn’t. I thought it made sense for 3com, but I did not like my IPS vendor being bought by 3com because I thought they would possibly screw up TippingPoint. I thought of (and still think of) 3com as a sub par enterprise switch company that is entering the game late and will probably not be able to make up the ground they have lost. And I BS you not when I talk about their attitude.
And as far as the switch they have coming out, you point out in your article that it is a year late. I spoke of “too late” in my post. That just makes me think again of their reputation.
BTW, it is good to hear from you again. I was wondering where you had disappeared to.
Vet
Posted by Michael Farnum on Sunday, January 14th, 2007
Filed under Acquisitions, Convergence, Security
Alan Shimel posted about something said by Brian Smith, co-founder of TippingPoint and chief architect of 3Com, in an SC Magazine article. Here’s part of the excerpt Alan used:
“Smith says he also plans to emphasize the benefits of the bump-in-the-wire network approach to deploying security solutions. Rather than embedding solutions into switchers and routers, Smith plans to suggest overlaying solutions to allow for a more converged, cheaper way to add intelligence to the network.”
Alan rightly points out that Mr. Smith may be smoking a big crack pipe. Alan then ponders the mystery by asking, “Do the Tipping Point people resent and hate their 3Com overlords so much that they refuse to see the natural evolution of converging security and network gear?” Alan, I may have an inkling to why Smith thinks this is the best approach. And if my suspicion is correct, then you are on the right track, but their resentment is not the reason. Let me ’splain.
When I was an infosec manager, I was a TippingPoint customer. When I bought the TippingPoint box, stand-alone devices were still all the rage. UTM and NAC were pretty much still new terms. But right about the time TippingPoint was bought by 3com, the convergence track had started to emerge. Cisco was really getting into putting different devices in their switches. Things were really starting to move in that direction, and 3com probably thought they should do the same.
But just in case things were not what they seemed, 3com decided to test the waters (conjecture on my part, but plausible conjecture nonetheless). So they surveyed their customers (or TippingPoint customers, at least). I received one of these surveys. Among other things, it asked if I would buy a 3com enterprise switch with a TippingPoint IPS blade integrated into it. Understand that I come from the network engineering world. I have installed and configured many a switch and router. And for the immediate 4-5 years before this survey hit my inbox, 3com had been about as present in the enterprise switch space as a woman at an ISSA chapter meeting. The biggest place you saw 3com was on a NIC or a little white 8-port hub in a room full of cubicles. So, I answered a definitive “not no, but hell no”.
To clarify (if the above didn’t explain it well enough), it was the 3com switch that threw me. I wasn’t unhappy with TippingPoint (except that they had been bought by 3com). I liked the box. It served me well. If I could get a TippingPoint blade for the 4506, I would have seriously considered it. But there was no way I was going to replace my Catalyst 4506 with a 3com switch, no way, no how.
Of course, I cannot answer for every TippingPoint customer who received the survey, but I can guess that many of them answered the same way. And this makes me wonder if 3com and TippingPoint are sitting in ivory towers and ignoring the trends because it doesn’t compute that people don’t like their switches.
And to add one more thing that may add some credence to my hypothesis: I also had a couple of 3com reps come out to visit me during the final months of my tenure as an infosec manager. When my boss and I told the 3com guys that we would not consider in any way replacing our current switching infrastructure with 3com because of our impression of 3com as a serious player, they were completely surprised by our attitude. Now maybe they had never received that reaction before because we were just a little more harsh and up front with our opinions. But my immediate opinion was that they really didn’t know they had that kind of reputation. Maybe it is just me that thinks this about them, but I don’t think so.
Vet
Posted by Michael Farnum on Saturday, January 13th, 2007
Filed under Blogging Buddies, Friends, Security
It is rare these days to meet a person with true vision. I mean a person who can just look at a topic and instinctively know what it would take to succeed in that arena. It is even more rare to find a person that is also passionate about the topic to which they are applying their vision. And the rarest find is a person who has all of the above AND the nerve and the fortitude to actually try to do something with that vision and passion, all the while inspiring others to join up and do the same.
Well, my faithful readers, I have found one of these rare people. Many of you know Michael J. Santarcangelo, II. Known affectionately as Santa to some (play on the name for you thinking he’s fat and jolly and has a white beard and rosy cheeks and… you get the idea), Michael is founder of The Security Catalyst blog and podcast. Instead of writing a bunch of stuff about him, here’s his bio from the above site:
One of the top rated and most requested speakers on security issues and certification training, Michael is a coach, consultant, professional speaker, and leader active in reshaping the future of information security. His rare approach of blending multiple disciplines together allows him to connect with audiences around the world as he invites people to think differently. He brings this passion and energy to podcasting as the Security Catalyst and works to explain and demystify security so everyone is able to protect themselves.
Michael is the catalyst behind Security 2.0. In addition, he is the founder of the Catalyst Community, The Trusted Catalysts, Security School House (announced September 2006) and was the founding President of the Tech Valley (New York) ISSA Chapter. Michael holds a Bachelor of Science Degree in Policy Analysis from Cornell University.
Now, before you people start wondering if I have some unnatural attraction to Michael, let me state that I am writing this (and will be writing more) because I believe Michael knows the sad state security is in nowadays and really wants, even needs, to do something about it. How do I know? I’ll tell you how!
Michael has brought together a group of security professionals (including yours truly) to form a group called The Trusted Catalysts and the Catalyst Community. In joining The Trusted Catalysts, I have conversed with Michael via email and chat, and I thought he had a good vision. But then I actually got to talk to Michael on the phone yesterday, and it truly struck home just what Michael is all about. The guy had so much to talk about he seemed about to burst at the seams (I don’t mean that in a bad way - I asked him to explain what all he had in mind for the Catalysts, and I got it). He is a wealth of information and experience, and he wants to give that away. He’s not a selfish person who wants to be the one guy who knows it all and people have to come to. He wants to genuinely help the security community. I guess I stand corrected. That is the rarest kind of person.
I am saying all this because I want to give you a heads up if you don’t know about Michael and the Catalyst Community. You need to watch the Catalyst Community over the next year and the years to come. I think this community will grow, and I think it will become a tremendous force in the security industry within a few years. And with Michael’s vision and inspiration, it will be a truly positive force, unlike what one security focused organization has become - I won’t name names, but it starts with “(” and ends with “2”.
Thanks to Michael for his passion, vision, energy, candor, and unselfishness. I hope I didn’t embarrass you too much. And I like the hair (or lack thereof).
Vet
Posted by Michael Farnum on Friday, January 12th, 2007
Filed under Security
Update on the phishing email post below. From Yahoo:
Thank you for informing us of possible abuse on Yahoo! Domains. We have investigated the site and taken the necessary action. We appreciate your concern and thank you for reporting this incident to Yahoo!.
The site is dead, so there ya’ go. One down, with only 654 appearing in its place every second! That’s not a real stat, BTW.
Vet
Posted by Michael Farnum on Thursday, January 11th, 2007
Filed under Phishing, Security
I received a phishing email via my blog email today. I haven’t seen this one. Be on the lookout:

I didn’t download the pictures. The link is pointed to http://customercarealert.com/bankofamerica.com.
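The trick in that link is that the brand name sits in the path while the real host is something else entirely. The following check, added here as an example and not code from the original post, parses a URL and reports where the brand name appears relative to the registrable domain; it goes beyond the post's single case by also flagging the brand in a subdomain, the query string, or the userinfo part. The extra sample URLs are constructed for the demo.

```python
from urllib.parse import urlparse

# The URL the post says the phishing link pointed to, and the brand it imitates
PHISH_URL = "http://customercarealert.com/bankofamerica.com"
BRAND_DOMAIN = "bankofamerica.com"


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    This is good enough for plain .com-style names; a production check
    would consult the Public Suffix List to handle e.g. co.uk correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_in_wrong_place(url: str, brand: str) -> dict:
    """Compare a URL's real domain with the brand domain it pretends to be.

    Returns the parsed host, its registrable domain, whether that domain
    actually is the brand, and a list of URL components in which the brand
    label shows up while the registrable domain is something else.
    """
    parts = urlparse(url)
    host = parts.hostname or ""
    actual = registrable_domain(host)
    brand_label = brand.split(".")[0]          # "bankofamerica"
    found_in = []
    if actual != brand.lower():
        if brand_label in host:
            found_in.append("subdomain")     # brand.com.attacker-host style
        if brand_label in parts.path.lower():
            found_in.append("path")          # the case from the post
        if brand_label in parts.query.lower():
            found_in.append("query")
        if parts.username and brand_label in parts.username.lower():
            found_in.append("userinfo")      # http://brand.com@attacker-host/
    return {
        "host": host,
        "registrable": actual,
        "is_brand": actual == brand.lower(),
        "brand_found_in": found_in,
    }


if __name__ == "__main__":
    # Constructed sample URLs alongside the one from the post
    for sample in (
        PHISH_URL,
        "https://www.bankofamerica.com/login",
        "http://bankofamerica.com@customercarealert.com/",
    ):
        print(sample, "->", brand_in_wrong_place(sample, BRAND_DOMAIN))
```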
Here’s what that site looks like:

Here’s what Bank of America’s site looked like when I pulled it up this afternoon:

Fairly similar.
Here’s what I came up with on the domain after a quick dns lookup:

and a quick whois:

I sent an email to the abuse addresses and I also forwarded it to antiphishing.org for the heck of it.
Vet
Posted by Michael Farnum on Wednesday, January 10th, 2007
Filed under Blogging, Me
Either my toe post turned everyone off, or announcing I am a Cowboys fan must have made some people mad. Either way, my Feedburner subscriptions went from the 130’s (been there for a few weeks) to 112 yesterday and 99 today (reflects the previous day). Anybody else see anything like this, or am I just losing my readers?
Not feeling the love here, people.
***UPDATE*** Read comments to this post for an explanation of what is going on. Thanks to Eric over at Feedburner for a quick response!
Vet
Posted by Michael Farnum on Wednesday, January 10th, 2007
Filed under Security
Tim Wilson asks whether it just would have been easier to study than go through all the pain of hacking into the school’s grading system and trying to change your grade (or someone else’s grade).
Here’s a quote from Tim:
I’m betting that these cases of grade-changing are only the tip of the iceberg.
If your bet is solid, Tim, then I would say it is probably easier to change your grade. These idiots that got caught seem like low-hanging fruit. Even the class prez, who should have been smart enough not to do something so stupid, went about it all wrong.
A quote from this Dark Reading article:
A police report indicates that several witnesses saw Shrouder making the changes or heard him say he had done so.
Why in the world would he make changes in front of people or talk about it? Maybe the witnesses were students whose grades he changed. That could be the case, but he is still dumb. Intelligence must be coupled with common sense in order for a hacker to be successful. Book knowledge does not equal street smarts!
Vet
Posted by Michael Farnum on Tuesday, January 9th, 2007
Filed under Security
I found this post by Terry Sweeney, Editor in Chief, over at Dark Reading. He is discussing whether or not you should send out fake phishing emails to your own users to find weaknesses in your security awareness training and anti-phishing methods (he is specifically talking about Core Systems’ product).
Here’s a quote:
What the vendor doesn’t say is what you do once you’ve ensnared such users in your phishing net. Do you hoist them upside down like fresh caught marlin, then get your dockside souvenir photo snapped? Maybe feature the phished users in the company newsletter? Issue them a warning or something more draconian?
First off, security awareness testing has to be done. How else can you figure out whether or not it is working? And Mr. Sweeney, the argument of, “You cannot manage what you cannot measure” is still valid, no matter if you attempt to head it off by putting it in your blog post and sneering at it.
Second, as I said in my latest CW post, any security manager worth his salt is not going to use security awareness testing to incriminate users (unless the results uncover behavior that is unlawful or purposefully going against company policy). It is simply there to test the effectiveness of the training. Employees should be coddled to some degree while this testing is going on (meaning, you should be there to hold their hand when they screw up during testing - you shouldn’t warn them ahead of time).
Third, what the security manager does with the product is not Core Systems’ concern. I know that can be taken to the nth degree (hacking tools, etc.), but Core Systems is providing a commercial product that has a legitimate purpose. It is not their fault if ABC, Inc. uses it to fire all their stupid users.
Vet
Posted by Michael Farnum on Monday, January 8th, 2007
Filed under Misc., Musings, Sheesh
Since Alan posted his sadness at the Pittsburgh Steelers loss of coach Bill Cowher, I guess I can post my depressed state over the Cowboys loss to Seattle on Saturday. I am not going to write forever about why they lost or who is to blame (mostly because this is supposed to be an InfoSec blog). It suffices to say that they have simply been beating themselves for the last 2 months.
But, I will always be a Cowboys fan. They are still the most successful franchise in NFL history (eight Super Bowl appearances - more than any other team - and 5 wins - tied with the Steelers and the 49ers).
And while Romo did blow it, he still has a future with Dallas or any other team. He is very talented and just needs some experience (which he got plenty of this last season).
And while I am talking about the NFL… I know I listed a few things about myself that many others didn’t know (and probably didn’t really care about) when I got blog-tagged, but here’s one more. If you are a Super Bowl historian or just plain NFL fan, you probably know about this bit-o’-football-trivia (quoted from page 2 of ESPN’s Goats, Gaffes, and Blunders site):
Jackie Smith
A member of the Pro Football Hall of Fame and a five-time Pro Bowler with the Cardinals, Smith is most remembered for his infamous dropped TD pass in the 1979 Super Bowl while playing for the Cowboys. Dallas trailed Pittsburgh 21-14 in the third quarter, when Roger Staubach found a wide-open Smith, the team’s backup tight end who hadn’t caught a pass during the regular season, in the end zone. But he dropped the pass and Dallas settled for a field goal in a game it eventually lost by four points.
Jackie Smith is my third cousin.
Vet
Posted by Michael Farnum on Sunday, January 7th, 2007
Filed under Security
Go read this over at Security Ripcord. You won’t be sorry (thanks to Martin for pointing it out to me).
Not sure why I didn’t have Cutaway on my RSS feed list, but that has been rectified. Some good stuff over there.
Vet
Posted by Michael Farnum on Friday, January 5th, 2007
Filed under Me
Well, you are probably wondering why I have a picture of my feet on my blog. Well, it is really not my feet that are the subject of this post. Look at my left big toe. Does it look different from my right big toe? Maybe a little more colorful? That is what Taekwondo will do for you. I got it during a race we were doing (the instructor likes to incorporate some fun stuff in the training at the end of class). I won, by the way.
I think it is sprained. It doesn’t really bother me too much.
Yep, I started Taekwondo last night. I have always wanted to take martial art classes. But growing up in a small town didn’t offer many perks like martial arts classes, and I just never had the funds when I was single or didn’t have kids.
My oldest son (5 years old) has been going for about 6 months now, and I am usually the one to take him and sit in the parent’s section and watch. So I figured, why not? I joined last night. I went tonight as well. My son is helping me learn the step sparring and the self defense moves.
I am having a great time, and I hope it will help me lose some weight. Maybe Mike Rothman and I can have a Biggest Loser contest! The loser (the one who loses LESS weight - not the Biggest Loser,…uhhhh, I’m confused) buys the beer at RSA.
I guess it should be light beer. *YUCK*
** Taekwondo Toe Update: The bruise is now moving up my foot. Not sure if that is a good or bad thing.
Vet
Posted by Michael Farnum on Thursday, January 4th, 2007
Filed under Security
I usually don’t post about these things just because everyone else does. Plus, everyone who is not under a security / IT rock knows about it. But this is a big deal in the world of convergence and deserves my attention in some form.
Like Alan said here, I think this just means some of the other guys are going to get sucked up soon. Barracuda has always seemed like an acquisition target to me. And now that they have a pretty big database themselves, you might want to keep an eye out for that soon (just my opinion - I have no insider information on this, and I do not own any anti-spam vendor’s stock). And the others are going to go soon as well.
Mitchell, keep up that blog!
Vet
Posted by Michael Farnum on Thursday, January 4th, 2007
Filed under Security
I wrote about the OLPC initiative over at CW. I think there may be some serious security concerns with this project. I am doing some more research to see what I can find.
Check out the post and let me know what you think. If you know some stuff that I don’t, please fill me in.
Vet
Posted by Michael Farnum on Thursday, January 4th, 2007
Filed under Security
Found it kind of interesting that Firefox 2.0 is beating out IE7. Guess it makes sense with this being a security blog.
I also found it interesting that there are a high number of Firefox 2.0.0.1 users, and very few 2.0 users, which tells me that the people who have jumped to 2.0 are good about updating. There are still a few on 1.5, but there are also still a lot on IE 6.
These are Jan 1-2 numbers, BTW.
Vet
Posted by Michael Farnum on Tuesday, January 2nd, 2007
Filed under Security
Congratulations to my friend Mike Rothman at Security Incite for launching his new book and site, the Pragmatic CSO.
I highly recommend this book to CSOs and security managers of any type. It gives a good feel for the business side of securing a network. I wish I had had this before I decided to get out of security management.
Vet
Posted by Michael Farnum on Tuesday, January 2nd, 2007