Saturday, September 11, 2010

Sourcefire Razorback


I had meant to post this some months ago when fall seemed far away, but the announcement (timed for Black Hat) of Sourcefire's brand new thing aka Razorback caught my interest. The meaty articles are still somewhat lacking, but this brief markety bit on Dark Reading makes it sound worth a look. And true to form from the people who brought you Snort, the new 'mean pig' logo is just cool. Now if only one of the guys I used to work with would volunteer to help me get it up and running...

Thursday, July 15, 2010

Windows XP SP2, Thanks for the Memories


So this week brought the last security patches for Windows XP SP2. Interesting that XP SP3 will be supported until 2014. The 2020 date was somewhat misleading but is explained here:
http://www.zdnet.com/blog/bott/xp-in-2020-not-even-close-read-the-fine-print/2270

Hard to believe XP came out in 2001 and SP2 came out in 2004. Time to think about Windows 7, and the pain of getting rid of, replacing or re-writing those legacy apps. As I heard someone say the other day, the only constant is change.

Wednesday, May 12, 2010

From the mildly interesting department...


After having an internal DVD writer drive that burned mostly coasters, I broke down and bought a new one, even though I only burn DVDs a few times a year for photo backup or new OSen to try. The Lite-On drive I bought features a new technology called 'smart-erase'. Supposedly it makes sure data is not recoverable. Seems like a good idea, but I wondered if it has been tested by any 3rd parties.

A few Google searches found nothing except a markety spiel from the CompUSA website:
"But what makes the Lite-On Internal DVD Writer stand out from the crowd is its unique feature: SmartErase. SmartErase is an advanced technology to give users the ability to permanently erase the data on DVD±R (DL) and CD-R discs that can withstand any recovery attempt. Thanks to SmartErase, users now can rest assured that their private and sensitive data is securely erased and cannot be recaptured."

While not widely known in InfoSec circles, I choose to believe that CompUSA has long been known for the accuracy of the security information about the products they sell. Who says ignorance is not bliss?

This got me thinking a bit about encrypted USB devices, primarily flash drives. If you haven't checked out TrueCrypt, I would recommend you do. If it is good enough for Bruce Schneier, it is good enough for me. That is all. Good night.

References:
CompUSA Quote
Image: Lite-On Corporation Smart-Erase
Special un-kudos to Lite-On for not replacing the Joomla favicon for their site. While it isn't hard to figure out which CMS a website is using (hint: view source + Google), why make people work for it?

Saturday, April 24, 2010

InfoSec quotes from unexpected sources


I was sorting some old textbooks recently, and found my Pascal book from way back when at Calvin. Yes, children, that was before Java and C++ were the standard languages kids learned. The photo is of Swiss-born Niklaus Wirth, who created Pascal.

I decided I could recycle the COBOL book from Grand Valley, but the Pascal book has some good history in the first chapter with cool old photos of things like the ENIAC, and quotes from the past and present spread throughout. This one gave me pause:

"It became increasingly apparent to me that, over the years, Federal agencies have amassed vast amounts of information about virtually every American citizen. This fact, coupled with technological advances in data-collecting and dissemination, raised the possibility that information about individuals conceivably could be used for other than legitimate purposes and without the prior knowledge or consent of the individuals involved."
- President Gerald R. Ford,
quoted in Pascal Programming and Problem Solving by Sanford Leestma & Larry Nyhoff

Photo of Niklaus Wirth from http://en.wikipedia.org/wiki/Niklaus_Wirth

Thursday, April 15, 2010

Adobe Auto Updater


Lo and behold, what is that on my home PC? Adobe launched their new auto-updater on the IT equivalent of Tax Day, which (sometimes) sadly comes every month: yes, I mean Microsoft Patch Tuesday.

A post on the Adobe Acrobat blog tells the tale.

I suppose I should give them some kudos, since according to people who know things I don't, between Adobe Reader and Apple QuickTime the OS isn't the favorite attack surface for the bad guys/gals any longer. JavaScript 'enhanced' PDF, anyone? Enjoy the extra 'goodness'...

However, I am just trying to figure out whether this updater needs local admin perms, and if it does, how that can be handled with Group Policy without being an AD ninja.

Wednesday, April 7, 2010

Stoppin' the Badness


Last night I went to a security solutions event; BlueCoat and SourceFire were the vendor presenters. BlueCoat has a pretty cool product that is a 'hybrid web gateway' in market-speak. Basically it is a SaaS Internet filter/proxy appliance that taps the Internet habits of ~67 million users worldwide to decide what is good and what is 'badness', as the BlueCoat guy called it. There's a hilarious cartoon intro to the product online. Nice to see a company that can harness the power of humor instead of staying boring 100% of the time.

Apparently over the last 3 years BlueCoat has been building their user base for this cloud-based crowd-sourcing of web traffic; they then use a combination of automated analysis, threat history, and some human analysis where needed to decide which sites or parts of sites should be blocked. They also have a free version of the proxy software for home users called K9 that uses the same back-end database/threat list:
http://www.k9webprotection.com/

The presenter shared how, when he put the software on his 13-year-old son's new laptop (without warning him in advance that he had gone big brother), within 2 days he heard the software make a barking sound and then waited for the explanation. He said his son first threw a friend under the bus, but then did fess up.

The SourceFire preso was also interesting: some talk about security needing context and some current threat discussion. SourceFire seems to have a good IDS/IPS product and interface, at least when compared to the only IDS/IPS I have experience with, which is Cisco Intrusion Manager Express (IME), for which I have feelings between apathy and distaste (1).

References:
1. The head of IT at Davenport was the first person I heard use the phrase 'between apathy and distaste' speaking about how users felt about their email system before moving to Google Apps.

Monday, April 5, 2010

Lesser of Two Weevils?


With thanks to Master & Commander for the post title, I am thinking today about client protection suites. So you have your pick of all the usual suspects for antivirus/antispyware and add in the network protection features like firewall and maybe host IDS/IPS. Stir it all up and you have some good complexity going for the average small/medium shop.

Let's say you accept that most of the solutions are relatively equal in their (in)ability to protect you from what my co-worker Matt likes to call 'goodness'. [Goodness (n.) - all the crap you get from surfing the web such as drive-by downloaders, droppers, keyloggers, bots, etc.]

Now look at the extra PITA of a management interface learning curve, how to make sense of the reporting options, and finding the glitches. Tired yet? Me too. Now think about switching to Microsoft Forefront Client Security 2010 and its integration with WSUS for easy updating. Plus, from what I have seen of Microsoft's free home AV/AS client Security Essentials (and before that OneCare), I believe they are getting enough data from home users to do as well (arguably) as McAfee, Symantec and the rest of the usual suspects.

Pretty tempting: one ring to rule them all. To me it seems like a no-brainer, provided there is a 3rd party scanning engine on the web security gateway/email filter (i.e. Kaspersky or another) to get a 2nd opinion on what is good or bad.

Now if only they would announce the RTM date for the 2010 client I could try to forget all that I know about big yellow client stuff. I could use that brainspace for other things like homebrew trivia or homework stuff.

Weevil image courtesy of Rentokil.com and their awesome blog post: I can has bugs?
Anybody in the pest control biz who loves lolcats has to be good.
http://www.rentokil.com/blog/