Fred Avolio's Musings


Thu, 22 Apr 2004
Useless Warnings

Some large corporate network has been targeted for attack by "the hacking community." Reports show that they have been conspiring on numerous chat rooms across the Internet. The encoded discussions have not been deciphered, but the traffic analysis points to something rather big. It could be a network-based attack. It could be a physical or an inside attack against some particular, but as yet unknown, large corporation. Your company is a large corporation. What will you do?

This ran through my mind as I was listening to the "9/11 Commission" last week, and the questions posed to Dr. Rice. I also thought about it as I read Technical Cyber Security Alert TA-04-11A, telling us TCP is broken, so we should run for the hills. (Okay, it doesn't really say that, but as reported by InfoWorld it sounds like it.)

Just like when the Department of Homeland Security raises or lowers the Threat Advisory (it is "yellow" as I type this), your best bet is to stay the course and continue to make sure you seem to be on the right course. You also need to be able to distinguish between useful and useless information. Or, in Dr. Rice's parlance, recognize what is "actionable."

For an interesting "alternative history," see the April 9, 2004 Easterblog.


Tue, 20 Apr 2004
Spam -- a brief historical perspective

I noticed InfoWorld's online special report E-mail is broken. While there is nothing new in the suggested solutions, I welcomed the reminder of Jon Postel's RFC 706, "On the Junk Mail Problem."


Fri, 16 Apr 2004
My Current Spam Barrier

Almost a year ago, I wrote a column entitled Spam Control. I thought I would give a brief update. I am assuming you have read the previous column.

First, I am very happy with the results. Almost no spam gets through to me. By "almost" I mean 1 in 200 or better. Those that do get through are often borderline spam. For example, because I occasionally write for Information Security, my e-mail address there receives a bunch of unsolicited press releases. I also sometimes get really short e-mail addresses that look to me like someone wasn't really sure how to use his bulk e-mail software. But mostly, I get no spam.

Since that column, I've made the following changes:

  • I've taught SpamAssassin with a bunch of "spam" and "ham." I've cut back dramatically on the number of regular expressions I use for spam-blocking in Postfix tables. In other words, I am depending on SpamAssassin more. (The long regular expressions caused my e-mail server to sink into an abyss of stalled processes once or twice.)
  • I've set Postfix to remove anything with a very large spam value, and to hold anything marked as spam, but with a lower value.
  • Occasionally, I use IMAP to pull down the headers on all the "held" e-mail. Usually, it is a less-than-a-minute process to pull down and visually scan the headers.

As you can see, you'd not need to know anything about me or my "ham" to quickly scan these, mark and delete them, and update the server. As I said, a minute or less a day.

In the example, there is one e-mail message that was from someone I knew. Was it spam? It had all the characteristics. And it was forwarded a bunch of times. So, I did notice it and I read it. But, it was one of those "pass this on to everyone you know" sort of e-mails. So, well-done, SpamAssassin.

I don't use any (to speak of) anti-spam processing on my desktop. And my set-up will scale. I am not doing anything that you could not do in a very large organization.

Yes, it does remind me that I said I would test out Secluda's InboxMaster. Maybe next week. Really.
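
An added sketch, not the author's configuration, of the discard/hold split and the quick header scan described above, done in Python over SpamAssassin's X-Spam-Status header. The cutoff of 15, the choice to hold mail that carries no parseable score, and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

DISCARD_AT = 15.0  # assumed cutoff for a "very large spam value"; the post gives no number

# SpamAssassin 2.x wrote "hits=", 3.x writes "score=".
_STATUS = re.compile(r"(Yes|No),\s*(?:score|hits)=(-?\d+(?:\.\d+)?)", re.I)

def triage(raw):
    """Return (action, score, message) for one RFC 822 message string."""
    msg = message_from_string(raw, policy=default)
    m = _STATUS.match(str(msg.get("X-Spam-Status", "")).strip())
    if m is None:
        return "hold", None, msg  # assumption: unscanned mail waits for a human
    flagged, score = m.group(1).lower() == "yes", float(m.group(2))
    if flagged and score >= DISCARD_AT:
        return "discard", score, msg
    return ("hold" if flagged else "deliver"), score, msg

def _clean(value, width):
    # Replace control characters so a hostile header cannot disturb the terminal.
    text = "".join(c if c.isprintable() else "?" for c in str(value or ""))
    return text[:width]

def held_summary(raw_messages):
    """One line per held message (score, sender, subject) for a quick visual scan."""
    lines = []
    for raw in raw_messages:
        action, score, msg = triage(raw)
        if action == "hold":
            shown = "  n/a" if score is None else f"{score:5.1f}"
            sender, subject = _clean(msg["From"], 30), _clean(msg["Subject"], 50)
            lines.append(f"{shown}  {sender:<30}  {subject}")
    return lines

def _sample(status, sender, subject):
    return f"From: {sender}\nSubject: {subject}\nX-Spam-Status: {status}\n\nbody\n"

# Constructed sample messages, not real mail.
SAMPLES = [
    _sample("Yes, hits=22.4 required=5.0", "bulk@example.net", "Cheap pills"),
    _sample("Yes, score=7.1 required=5.0", "friend@example.org", "Fwd: Fwd: pass this on"),
    _sample("No, score=0.3 required=5.0", "editor@example.com", "Column deadline"),
    _sample("", "unknown@example.net", "no scanner verdict"),
]

if __name__ == "__main__":
    print("\n".join(held_summary(SAMPLES)))
```
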


Tue, 13 Apr 2004
This about sums it up

This was on an ISP's newsgroup. This captures the spirit that many people have when implementing security solutions. It brightened my morning in a strange sort of way.

I don't know what kind of protection I'm getting, but at least it's not interfering with anything I want to do.

Chicka Boom, Chicka Boom....don'tcha just love it?


Mon, 12 Apr 2004
God does not promise...

  • To never embarrass me.
  • To follow my agenda.
  • To abide by my definition of what is right and just.
  • To follow my schedule.
  • That I will triumph in this world.

He does promise...

  • To glorify the Son (through me or in spite of me).
  • To be with me always, even to the end of the age.
  • That I already stand before Him as a righteous son, because of someone else's payment and someone else's righteousness.
  • That all things work for good for those who love God (not that all things are good).
  • That He will triumph.

Thu, 08 Apr 2004
Terror Attack Using Livestock?

The Fox News Network headline said, "US Prepares for Possible Terror Attack Using Livestock." Now, anything having to do with terrorism demands some attention. But, I admit that what first came to mind was the scenes from Monty Python and the Holy Grail with the French catapulting livestock -- cows, chickens, etc. -- down on King Arthur and his knights.

Then I got to thinking... If livestock was somehow infected, would that really be considered terrorism? Terrorism, by definition, is meant to cause terror. Infected bovine in the UK caused problems in that segment of the economy, as people who didn't understand "mad cow disease" avoided beef. Given all of the sources of food the US has, I don't think such an attack would cause terror. But, then people do talk about cyber-terrorism.


Wed, 07 Apr 2004
Your job as a security manager

Andy Briney's Information Security March 2004 column echoes things I tell students in my classes. I point out that if all we needed to do was to secure the network, all we would have to do is make sure that our network has no contact with the outside. The thing that keeps us up at night and makes our jobs interesting -- one hopes -- is the more difficult problem of securing the business, which he discusses. Further, the security manager has to be a "grown up" since he or she is up against this security axiom: There are few forces in the universe stronger than the desire of an individual to get his or her job accomplished. (See security axioms.)


Tue, 06 Apr 2004
Is Security a Black Art?

In his logoff column in Information Security magazine, Andy Briney opines that "As long as it remains a black art, security will be the enterprise's black eye." He writes, "Twenty years after Cohen wrote these words ["Current systems offer little or no protection from viral attack -- the only provably 'safe' policy as of this time is isolationism," in Computer Viruses: Theory and Experiment], we still haven't got a clue how to stop viruses ..." He then goes on to state a number of other things that I also believe fairly miss the mark.

Read his column. My letter to him:

I'm having a hard time matching your observations with the real world. For example, it seems to me, AV is the one thing we can do fairly well. You say "we still haven't got a clue how to stop viruses..." Really? No clue? I think you are overboard on the exaggeration scale.

I don't think our profession is "struggling to gain respect, credibility and funding." There are solutions -- old solutions -- for current problems. Our jobs might be frustrating because enterprises focus on what I've called the Primordial Security Policy (in NetSec Letter #17), namely "Allow anyone 'in here' to get out, for anything, but keep people 'out there' from getting 'in.'" They forget that securing the business is shorthand for maximizing the business while minimizing the risks. And this is always a compromise. They want it all, or -- since you were in a cliche mood -- they want to have their cake and eat it, too.

Is that a problem? A huge one. Is it fixable? I don't know. Is it because we lack technology or process? Not at all. Funding will always be an issue, because it is a business decision requiring comparing cost vs. benefit. But the security practitioner remembers that it is not about *security*. It is about securing *business*. That, too, requires compromise.


Cyberwar

"Of course you know, this means war." That's a line spoken by Bugs Bunny, in many a Warner Brothers' cartoon. It came to my mind as I read Marcus Ranum's "Watch Tower" column in the April 2004 Information Security magazine. The column's title is "Myths of Cyberwar." Marcus discusses why "Cyberwarfare simply isn't an effective form of warfare." Check it out.


National Cyber Security Day

So, how did you observe National Cyber Security Day? Or, like me, did you not even know about it? It was April 4, 2004. I noticed this article while browsing the latest news at InfoWorld. The article quotes Alan Paller of the SANS Institute as saying, "I didn't even know. I'm embarrassed. ... It is so ineffective at anything other than having meetings. ... It's hard to even guess what's going on."


Mon, 05 Apr 2004
Outside Counsel

Think about this statement. "I don't think I need objective, outside counsel." Doesn't it call to mind the same problem back-handedly pointed out in this?

I think the brain is the body's most important organ. But, then, look what's telling me that.


Thu, 01 Apr 2004
Security Across the Software Development Life Cycle

The National Cyber Security Partnership Task Force today issued a report on applying security across the software development lifecycle. They probably had a deadline to get it out, but was no one wary about issuing the report on -- what is in the United States -- April Fool's Day?

It does not seem to be a prank. Check out the press release here. The report is here.

Quoting from that page, the task force met to discuss "how to achieve meaningful and measurable vulnerability reductions through collaborative standards, tools and measures for software; new tools and methods for rapid patch deployment; and best-practice adoption across the entire critical infrastructure." Now, granted that reads as if created by a random phrase generator. But there are some very bright folks on the task force, including my old boss, Steve Lipner of Microsoft. So, I think it is worth a read. Which I will do today.
