December 30, 2005
· by SecurityCatalyst
Here is a list of things to do:
* subscribe with the RSS 2.0 feed(s) to your right
* Call the listener feedback line: 206-339-9361
* If you liked the show, tell a friend; if you didn’t, tell me!
Subscribe in iTunes using this link (Click Here Now)
Subscribe or RATE THE SHOW in Yahoo Here. Please take the time to rate the show for the series as well as the specific episode.
Take the 2006 Security Spending Survey RIGHT NOW. DO IT.
Download or listen to Security Catalyst #10 here (28 minutes long)
On This Episode
The Windows WMF “Zero-Day Exploit”
We quickly explain the concepts behind “zero-day” attacks and exploits, then describe the current problem and the immediate steps you should take to protect yourself and your organization.
Here are some links with detailed information you can use to help protect yourself:
F-Secure Weblog
Workaround, Protections Emerge for WMF Exploit
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution - MICROSOFT
US-CERT: Vulnerability Note VU#181038
The Proposed SONY-BMG Settlement
The proposed settlement for CONSUMERS is interesting - and we take a look at the impact this may have to the long-term health of SONY-BMG, as well as what it may mean as a trend for corporate accountability.
2005 in Review - and what to do with this knowledge!
Rather than just recap some of the top trends, we go a bit deeper and look at what it means for those of us in the trenches - and what we might be doing about it next year. Even though some of the trends are negative, the results I found to be quite promising — especially as we look forward to an exciting and productive 2006.
Have a safe and Happy New Year!
Posted in Uncategorized
December 29, 2005
· by SecurityCatalyst
The Register has posted its 2005 Security Year in Review here: http://www.theregister.co.uk/2005/12/27/security_review_2005/
I’d say it jibes pretty closely with the kind of year I’ve seen as well. Since beginning with the University where I’m currently employed, I’ve seen our name in local newspapers multiple times for cracked servers, including machines that I, myself, discovered were compromised.
Additionally, if I had a dime for every phishing scam e-mail I’d received this year, I probably wouldn’t need to be employed any longer. Ever.
I also tend to agree that the future looks like more of the same. As processor power gets cheaper, and script kiddies learn HTML, PHP, and Java with their mother’s milk, it’s easy to envision a time when legitimate traffic will be unable to find time on the network between spam, worms, and phishing attacks.
Posted in Information Protection
December 24, 2005
· by SecurityCatalyst
I recently bought a cordless phone handset on eBay that interoperates with a multi-handset base that I already have. It was advertised as used, but in good working order. It arrived intact in the mail, about eleven days after I had paid for it. It was shipped without the battery installed, about as I would expect.
Here’s the interesting thing. Despite being shipped without a battery, after charging, it showed that it had about ninety calls stored in its Caller ID memory. The last one recorded was from about November 1st, presumably about the time the handset was taken offline, and conceivably, when the battery was removed.
While I don’t think this particular information represents a dramatic leak of someone’s personal information, it does stand as a good reminder of the various ways to inadvertently compromise your own privacy with the devices you might be selling.
We’ve heard plenty of stories of hard drives, laptops, even full PCs being resold over the internet loaded with personal data about someone. The story I tell you now, however, should be a reminder to consider everything a potential risk that needs serious thought before you allow it to leave your personal sphere of influence.
Posted in Information Protection
December 21, 2005
· by SecurityCatalyst
Here is a list of things to do:
* subscribe with the RSS 2.0 feed(s) to your right
* check out the message board @ Security Synergy (registration required)
* add yourself to the security catalyst map
* Call the listener feedback line: 206-339-9361
* If you liked the show, tell a friend; if you didn’t, tell me!
Subscribe in iTunes using this link (Click Here Now)
Subscribe or RATE THE SHOW in Yahoo Here. Please take the time to rate the show for the series as well as the specific episode.
Take the 2006 Security Spending Survey RIGHT NOW. DO IT.
Download or listen to Security Catalyst #9 here (34 minutes long)
On This Episode
SPENDING SURVEY PRELIM RESULTS
* 8 people have responded so far
* NO ONE has a budget that is shrinking, and the bulk are expanding by some level
* Compliance continues to be a driver, which really isn’t a big shock
* Trend is suggesting an increase in firewalls/IPS, messaging security, and organizational development.
* The biggest decrease is also in FW/IPS - I’m initially thinking this is due to lumping the two together. If you are in this situation, I would enjoy an email or phone call with some insights and experiences.
Story #1 — Security Still Tops IT Spending
The big take-away from this is the spending for security continues to be the same (while others shrink) or increases. We’ll discuss how you can use this information to bolster or improve your own efforts.
Story #2 — MS Patch Cleans Up After Sony Rootkit
It may seem like the story that doesn’t end - and for good reason. After the recall is over and people think they are secure again because no-one is talking about it, we will still be faced with this issue. It is a big deal that MS has offered a patch for this, and you seriously need to consider installing it. Consider it preventative.
We’ll discuss why this is important and how to explain that importance to others.
Story #3 — Email Spills Corporate Secrets
Email has become a tool that we cannot live without; at the same time, we explore how our greatest strength is sometimes our greatest weakness. We have suspected for a while that users have been using email for more than business purposes and maybe leaking our private, confidential information. One study reveals the shocking proof.
We take a look at why, and talk about what steps you should be taking now - or planning for next year - as well as key ways to explain this concept to others. Understanding on this issue is important - after listening, you will be better prepared for these conversations.
The following track from the podsafe music collection of podshow was used during episode 9.
BAJA TAXI
Posted in Uncategorized
December 18, 2005
· by SecurityCatalyst
A story here proposes, largely jokingly, the idea of adding “Homo sapiens” to a widely-recognized list of the most significant vulnerabilities impacting computers and the networks which connect them.
Even though this is a joke, I wonder if a certain value might not be had by listing it in this fashion, on a widely-used and well-known list like that one. As we’ve already talked about here, the human factor is already one of the weakest links in the security chain, and as computing becomes more and more ubiquitous, the risk is just going to increase.
Although most company policies have a basic nod to this area, is it time to revamp these policies, paying specific attention to the risks associated with social engineering, and increase the training around these issues? I think it is, and I think that listing it in the SANS Top 20 list is actually quite appropriate, and no laughing matter.
Thanks to the DC303 list for calling my attention to this.
Posted in Information Protection
December 13, 2005
· by SecurityCatalyst
Things to do:
* subscribe with the RSS 2.0 feed(s) to your right
* check out the message board @ Security Synergy (registration required)
* add yourself to the security catalyst map
* Call the listener feedback line: 206-339-9361
* If you liked the show, tell a friend; if you didn’t, tell me!
Subscribe in iTunes using this link (Click Here Now)
Take the 2006 Security Spending Survey RIGHT NOW. DO IT.
Learn more about the CISSP this Wednesday at 9pm EST on a FREE teleconference. Send an email to cissp - at - michaelangelogroup.com if you would like to attend.
Download or listen to Security Catalyst #8 here (28 minutes long)
This is my first mobile show - produced on the road in a hotel near the BWI airport in Baltimore. No music this week, as I don’t have a mixing board with me. I’ll be back this weekend and moving forward on the plaxo update, spending survey and more insider stories for you!
On this show
Phishing with Senator Schumer
Schumer warns on holiday credit scams
Good news in identity theft (for a change!)
ID theft fears overblown, study says
Protecting yourself from trojan horses and social engineering this holiday season
Posted in Uncategorized
December 9, 2005
· by SecurityCatalyst
This Slashdot story tells of researchers who are requesting an exemption from the DMCA. Specifically, they are requesting the ability to circumvent digital protections built into spyware, adware, and other forms of malware.
I’m of the opinion that this sort of research is vital to forwarding our knowledge of this area, and that companies who have something far from your best interest at heart are hiding behind the DMCA to obfuscate their attacks on your privacy and security, and make their infringements more difficult to prevent.
Thoughts?
Posted in Information Protection
December 8, 2005
· by SecurityCatalyst
Security Catalyst announces the 2006 Spending Survey for Information Security. Here is your opportunity to get involved and be part of the solution. For your time, I’ll be compiling the results and sharing the trends and information on the next few weeks of podcasting — making sure you have the key insights and information you need in order to be successful in your career!
Click here to take survey
Independence - and now Security, Explained.
Posted in Information Protection
December 5, 2005
· by SecurityCatalyst
Things to do:
* subscribe with the RSS 2.0 feed(s) to your right
* check out the message board @ Security Synergy (registration required)
* add yourself to the security catalyst map
* Call the listener feedback line: 206-333-1936
* If you liked the show, tell a friend; if you didn’t, tell me!
Download or listen to Security Catalyst #7 here (28 minutes long + a 3 minute song)
We continue our drive for a tighter format - we kept it to about 30 minutes! Thanks to Matt and Josh for pre-production planning. On today’s show, we take a look at three “Current Affairs” and then address each of them in three ways:
* Why is this important
* What should you do about it (or what am I going to do about it)
* How can you explain this to someone else?
On Today’s Show
Story #1 - FTC Study on Spam
FTC Study Concludes Masking, Filtering Stop Spammers
Story #2 - Compliance boosts Tech Spending
Sarbanes-Oxley Compliance To Boost Tech Spending
Story #3 - Cybercrime
Expert: Cyber-crime Yields More Cash than Drugs
Your feedback is needed!
I am evaluating Plaxo (with the help of others) to determine if this is safe to use, or if it provides a security risk. I need your help!
If you use Plaxo and love it, I want to hear from you - and why.
If you don’t use Plaxo, I’d like to know why?
And if you’re not sure, let me know what questions or concerns you have, so I can address them in the next week.
The following tracks from the podsafe music collection of podshow were used during episode #7.
BAJA TAXI
What to Do With Michael
Posted in Uncategorized
December 2, 2005
· by SecurityCatalyst
Today Microsoft announced the public Beta of its OneCare Live service for consumers. OneCare features an advanced firewall, antivirus, and PC health tools (e.g. backup). Microsoft intends to charge for this service starting next year. Also, over the next few months a limited Beta of the enterprise version of OneCare, called Microsoft Client Protection, is expected to be released. A target ship date for this product has yet to be released, but could be expected late in 2006 to 2007. Pricing on either product hasn’t been disclosed, but the consumer version will likely be priced below offerings from competitors Symantec, McAfee, and Trend.
From a trusted friend,
My take: I have been using OneCare for a few months now on two different machines and have followed reviews by other testers. The product was a bit unstable when it first shipped, but overall I’ve been fairly impressed. The interface is fairly straightforward, being intended for the most basic of users, and it doesn’t seem to be a resource hog. Microsoft hasn’t been very open regarding its plans for either the consumer or enterprise markets. On the consumer side, I believe Microsoft could break even charging $10/month for the client, and the residual impact to its image (slowing security related migration to Apple/Linux) would far outweigh the possible benefits of competing directly with established players. On the enterprise side, I’m not as sure what the initial benefit is to Microsoft. The desktop security market is around 95% penetrated, so moving into this market for its own sake doesn’t seem to make much sense. My guess is that the company is looking down the road in hooking the security client into larger plans for enterprise management. While initial feedback on deploying the Microsoft client inside the enterprise was fairly negative, we’ve heard more positive feedback lately. It seems like if Microsoft discounts the product when bundled with other sales (making it significantly less expensive than competitors), CIOs may go for it, and I don’t think Microsoft faces the same reputability challenge in the SMB market (which may be its first target). For Windows environments this may make updating the security client easier, as it would be accomplished as part of the Windows Update Service.
I think the real value for enterprise users in looking at what Microsoft is doing is in thinking about what the enterprise architecture will look like a few years down the road. Policy enforcement and role/identity based management are quickly getting more attention as a result of compliance, and this could accelerate architectural changes that have a disruptive effect on the security industry and move us away from the firewall methodology of the past few years.
What do you think?
Posted in Information Protection