
August 14th, 2006

Great debate podcast: NAC v SNF

Posted by Richard Stiennon @ 10:15 am

Categories: Podcasts, Secure Network Fabric, Security, Security blog

Here it is: the great debate over NAC, Network Admission Control, captured in a podcast. I take on two vendors and another industry analyst to tear into NAC and reveal the weak underbelly of a technology that in its practical applications is just access control. Its more fantastical elements, denying access to devices that are not healthy, are what I object to. Listen to the debate here.

August 11th, 2006

Happy Birthday Blaster. Death knell for NAC?

Posted by Richard Stiennon @ 8:44 am

Categories: Podcasts, Secure Network Fabric, Security, Security Industry News, Security blog

I remember the events of August 2003 very clearly. The Pentagon had called on me that July to defend my prognostications on reactive vs. proactive security measures. At the showdown (chronicled here by Ellen Messmer) I remember thumping the podium and berating the vendors that were aligned against me for doing nothing to stop the impending onslaught of attacks against a recently revealed Microsoft RPC DCOM vulnerability. Sure enough, on August 11, 2003, a worm was released that wreaked havoc on the Internet and corporate networks alike.
But this outbreak was different from Code Red, Nimda, and SQL Slammer, all of which breached the corporate firewall. Blaster spread mainly over TCP port 135, the RPC endpoint mapper behind the DCOM flaw, and by then a lot of firewalls blocked 135 inbound from the Internet. Corporate networks became infected anyway. The culprit was infected laptops brought in by employees and contractors: they carried the worm past the perimeter and onto internal segments where port 135 was wide open between hosts. (Thanks to the Securosis blog for pointing out that today is also the anniversary of Blaster, and that Microsoft’s just-released patches address a very similar vulnerability that could lead to a similar outbreak.)
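The propagation pattern just described is what a sensor inside the perimeter can actually see: one laptop touching TCP/135 on dozens of neighbours within a minute, while the same sweep arriving from the Internet never gets past the firewall. What follows is an added example written for this page, not code from the original post or from any NAC vendor. It runs a distinct-targets-per-window detector over constructed firewall log lines in an assumed, hypothetical format (`<timestamp> <ALLOW|DENY> <proto> <src_ip>:<port> -> <dst_ip>:<port>`); the addresses, thresholds and the log format are assumptions chosen for illustration, not data from the post.

```python
"""Distinct-target detector for Blaster-style TCP/135 sweeps.

Added example for this page (not from the original post). The log format,
addresses and thresholds are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

RPC_PORT = 135                  # TCP/135: RPC endpoint mapper, the DCOM RPC vector
DISTINCT_TARGETS = 20           # distinct hosts on the port within one window
WINDOW = timedelta(seconds=60)  # sliding window length

# "Inside the perimeter" here means an RFC 1918 address (assumption for the sample).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Parse one hypothetical firewall line, e.g.
    '2003-08-11T09:00:00 ALLOW TCP 10.1.5.23:1043 -> 10.1.5.1:135'.
    Returns a dict, or None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    ts, action, proto, src, _, dst = parts
    try:
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
                "src": src_ip, "dst": dst_ip, "dport": int(dst_port)}
    except ValueError:
        return None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_scanners(lines, port=RPC_PORT, threshold=DISTINCT_TARGETS, window=WINDOW):
    """Return {src_ip: max_distinct_targets} for sources that reached at least
    `threshold` distinct hosts on `port` inside any `window`. Only ALLOW lines
    count: a DENY line means the probe never touched a victim."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "ALLOW" and ev["proto"] == "TCP" and ev["dport"] == port:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # distinct destinations currently inside the window
        left, best = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:   # slide the left edge forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            hits[src] = best
    return hits


def perimeter_denied(lines, port=RPC_PORT):
    """Count DENY lines per source on `port`: probes the firewall absorbed."""
    denied = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "DENY" and ev["dport"] == port:
            denied[ev["src"]] += 1
    return denied


def report(lines):
    """Label each flagged source by where it sits relative to the firewall."""
    return {src: ("inside" if is_internal(src) else "outside", n)
            for src, n in find_scanners(lines).items()}


def build_sample_log():
    """Constructed sample, not real traffic: an Internet scanner the firewall
    drops, a workstation doing legitimate RPC to one domain controller, and an
    infected laptop sweeping its own /24 on TCP/135 at two hosts per second."""
    base = datetime(2003, 8, 11, 9, 0, 0)
    lines = []
    for i in range(30):                                 # perimeter: denied
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} DENY TCP 203.0.113.7:{40000 + i} -> 192.0.2.{10 + i}:135")
    for i in range(30):                                 # control: one target, repeated
        t = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{t} ALLOW TCP 10.1.5.40:{1100 + i} -> 10.1.1.10:135")
    for i in range(1, 41):                              # infected laptop sweep
        if i == 23:                                     # skip its own address
            continue
        t = (base + timedelta(seconds=i // 2)).isoformat()
        lines.append(f"{t} ALLOW TCP 10.1.5.23:{1024 + i} -> 10.1.5.{i}:135")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, n in perimeter_denied(SAMPLE_LOG).items():
        print(f"{src}: {n} TCP/{RPC_PORT} probes dropped at the perimeter")
    for src, (where, n) in report(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct TCP/{RPC_PORT} targets in {WINDOW.seconds}s ({where} the perimeter)")
```

The outside scanner only ever appears as perimeter noise, which is the comfortable case; the laptop inside shows up only if the internal segments are logged or spanned at all, which is the gap NAC was sold to close. The workstation talking repeatedly to one domain controller is included as a control so the threshold is on distinct targets rather than raw connection count. The same detector can be pointed at Blaster’s follow-on traffic (the command shell it opened on TCP/4444 and the TFTP fetch of the worm body on UDP/69) by changing the port and protocol filter.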
How did the security industry respond to the threat from infected laptops? Cisco led the way by announcing a grandiose scheme labeled Network Admission Control. In a terrific example of design by press release, they roped the major anti-virus players into announcing that their products would comply with Cisco NAC.
It has taken three years, but there is finally a debate over NAC and its various interpretations. A couple of items coming out of the Black Hat conference last week question NAC on technical grounds. I, of course, have been whining about NAC for some time. My latest is a column over at CIOupdate.
Well, that column incited a response from NAC vendor StillSecure, which in turn sucked in a couple of wordsmiths (Chris Hoff of Rational Security blog fame, and Mike Rothman of Security Incite), and now we have the makings of a debate. I was feeling like the lone voice shouting into the wind until Mark Bouchard chimed in. The debate became real last night thanks to Martin McKeay of the Network Security Blog and Podcast. He corralled four of us into a joint Skype call and we took off the gloves for about 45 minutes. Martin is still cleaning up the audio file. As soon as it is available we will each be posting it in our separate forums.
August 4th, 2006

The Tao of security blogs

Posted by Richard Stiennon @ 8:22 am

Categories: Podcasts, Spyware

Richard Bejtlich heads up the consulting and training firm TaoSecurity. He also maintains the TaoSecurity blog at taosecurity.blogspot.com. I interviewed him for the latest Meet The Bloggers ThreatCast because he is the first I have talked to who has, in a sense, leveraged his blogging into a career. Of course he has written a couple of books as well, and he credits the books with leading to more business for his classes and his consulting, but the blog plays a part as well.

Richard’s consulting practice and blog focus on discovering the internal threat, a topic that is getting increasing exposure of late. I am surprised the Vontus, Reconnexes, and Tabluses of the world have not discovered him. He preaches their gospel.

Hear what Richard Bejtlich has to say here.
Theme music for IT-Harvest ThreatCasts used with the permission of Hyperion Records

August 1st, 2006

Meet Martin McKeay

Posted by Richard Stiennon @ 9:53 am

Categories: Podcasts, Spyware

Anyone who has Googled "security + blog" will have noticed Martin McKeay’s blog site at www.mckeay.net. I am not sure how he got to the exalted number two position, but it probably has something to do with being one of the first to set up a security blog. In case you are wondering, the ThreatChaos blog is relegated to the second page of results, falling ignominiously behind the AARP’s Social Security Blog and a broken link to Larry Seltzer’s blog.

Marty is a security practitioner but blogs most often about privacy issues. He is also one of the first security podcasters. Listen to today’s ThreatCast to hear what he has to say on blogging, AT&T and the NSA, and the recent move on the part of the Census to collect geo-location data. This is the second in a series of "Meet The Bloggers" podcasts I am doing. Next up: Richard Bejtlich of the TaoSecurity blog.

July 31st, 2006

Speaking of SPACs. St. Bernard Software goes public

Posted by Richard Stiennon @ 11:45 am

Categories: Podcasts, Spyware

You may have missed it last week, but a security company went public on Thursday. Without an IPO. St. Bernard Software, a San Diego-based provider of web filtering and spam blocking software, is now traded under the symbol SHQC. How did they pull this off without an IPO?

Well, it is thanks to a strange little financial vehicle called a SPAC. A Special Purpose Acquisition Corporation is set up as a so-called blank check company and goes public based on a very loosely worded prospectus that identifies what kind of acquisition the new company is going to make. Presumably investors buy the highly speculative stock in the hope that the company will make a wise purchase and the stock will take off. In this case an ex security operations guy from Sun Microsystems, Humphrey Polanen, put together his SPAC, Sand Hill IT Security Acquisition Corp, in April of 2004 and spent 18 months looking for a suitable acquisition. Their spin is that they looked at over 800 security companies before selecting St. Bernard as the best possible acquisition. My analysis is that this was probably more of a financial decision than a technology decision. The SPAC has brought $24 million to St. Bernard, which is already a healthy little company serving the small to medium business market. With a few acquisitions (using the newly gained currency of publicly traded stock) St. Bernard can now add products and services that they can sell into their existing strong position in SMB.
Good luck to the newly public St. Bernard. I am hoping more security start-ups look at reverse mergers such as this one as a way to go public. It is not as flashy as the traditional IPO and the VCs do not get out at the top, but it is less disruptive for management and less painful for the employees.
July 26th, 2006

Proof of concept code available for critical Microsoft vulnerability

Posted by Richard Stiennon @ 11:22 am

Categories: Podcasts, Spyware

Makes you wonder sometimes if the crackers are working on the exploits even while Microsoft is working on the patch. The mailslot vulnerability was only announced last Tuesday, with a patch. Proof of concept code usually portends a new worm. This one will be a good indicator of just how fast a majority of Windows machines are actually updated.

Note:  If you are traveling in Southern Ontario, and looking for Internet access, the Chatham-Kent public libraries are closed on Wednesdays. Try the SouthKent ISP in Blenheim. They have two workstations available. Wifi?  Forget about it.  

July 21st, 2006

Securing Microsoft Zune

Posted by Richard Stiennon @ 2:33 pm

Categories: Podcasts, Security blog, Spyware, marketing

This is your big chance, Microsoft. You are working on yet another platform, the engineering team is assembled, the first news is out. Now is your chance to do something smart. Design a new OS for a new platform. Start with a clean sheet, at least clean of any Windows code. Just think: if you do that you won’t suffer the embarrassment of asking all your customers to download critical security patches every second Tuesday. If you have $40 billion in cash lying around to buy back MSFT stock you really don’t have to worry about the cost of designing and writing some new code.

And besides, Windows Media Player embedded in an MP3 player?  You expect people to use that? Yuck.  

July 18th, 2006

IT security research tool launched

Posted by Richard Stiennon @ 2:10 pm

Categories: Podcasts, Spyware

It has been well over six years since I was involved in the launch of a web-based tool. That must have been the end of July 1999, when we launched i-gift.com, an Isiah Thomas-backed venture, which was a financial transaction site for fulfilling gift certificates for shopping malls. Today we launched IT-Harvest’s Knowledge Base tool set. We have been populating the database and building the tools since January. There are 830 security vendors, 1,600 security products, and 2,200 security people in the database.

You can see a stripped down version of the tool here. Subscribers have much more in-depth views including charts, spreadsheets, and maps. See for instance this result for "Security Companies in Florida". We are working on exposing the mapping function (in compliance with Google’s use policy).
This is intended to be a tool for anyone who is researching the IT security space. Analyst firms, such as IT-Harvest, use it to create comprehensive market studies, VC’s use it for due diligence, security vendors use it to size the market they play in and their relative position.

We can play "stump the chump" now. Let me know what security companies we have missed! I have been estimating that there are 1,500 worldwide. This database has 622 US companies in it and 218 outside the US. Which country do you think has the second most? Canada, with 36. I know we have hardly begun to touch AsiaPac.

California has by far the most security companies in it: 211. The top five regions in the US look like this:

  • California    211
  • Boston         63
  • DC             52
  • NYC            49
  • Texas          36

So, check out the site. Let me know what you think.

July 17th, 2006

McAfee Accidentally Fixes ePO

Posted by Richard Stiennon @ 6:24 am

Categories: Podcasts, Spyware

Last Friday McAfee had to apologize to its customers because six months ago they "inadvertently repaired the flaw after an engineer made other changes to its software," according to its chief security architect, John Viega. The flaw was in McAfee’s popular ePolicy Orchestrator but affects the corporate anti-virus component as well.

At the upcoming Black Hat convention in Las Vegas at least one organization, Matasano Security, is going to reveal serious flaws in management clients that enterprises deploy widely. Products sold by IBM, CA, and Oracle can be everywhere and usually do not get evaluated by hackers and security researchers because they are not freely downloadable. But their pervasiveness and the lack of scrutiny is leading to a major risk.

Last week’s revelation by McAfee highlights the risk from security software as well.  

July 13th, 2006

Meet the Security Bloggers

Posted by Richard Stiennon @ 11:28 am

Categories: Podcasts, Spyware

This week marks the first installment of a series of podcasts I am producing called “Meet The Security Bloggers”. I asked Adam Shostack and Chris Walsh to be the guinea pigs for the first one and it turned out really well. These guys write for EmergentChaos, a blog that Adam started. When he got it to a certain point of maturity he decided to open it up to a few other bloggers and it became “The Emergent Chaos Jazz Combo of the Blogosphere”. Adam is now a security guru for Microsoft, which we will try not to hold against him; after all, it is a good sign that Microsoft is bringing on such great talent. Chris is a security practitioner in Chicago.
Listen to their thoughts on blogging in the security space. The reason I am doing this is that security is easily distinguishable from the rest of tech blogging, and I am exploring the idea that blogging is having an impact on the way people get information. In particular I would put forth the idea that traditional tech reporting and analyst firms are no longer the primary source of knowledge in IT.
Tune in each week as I bring you others from the security blogging world! And by the way, you can now subscribe to the IT-Harvest Threatcasts through iTunes. I have no idea how to show you a link to that. Just open your iTunes application and search on "threatcast".
Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
