As I saw the Welcome to North Carolina sign, I started to relax. About 4 hours earlier, we waved to our girls as they left for this summer’s sleepover camp expedition. The family truckster was loaded up with the boy and XX1’s friend from GA, and it took a few hours but I was getting into a driving rhythm. The miles were passing easily with Pandora as my musical guide. So I thought nothing of it when my phone intruded, showing a (610) number. I figured it was the camp just giving us a ‘heads up’ that XX2 was doing great her first day away from home. I was wrong.

“Hi, Mr. Rothman? This is the Health Center at camp.” Oh crap. All sorts of bad thoughts went flying around my head. “Not to worry, it’s not an emergency.” OK, so no broken bones or stitches within the first few hours. What’s the issue then? Why did you interrupt my Pandora? Don’t you know I’m in a driving rhythm here? “We have [XX2] here and we found a few nits in her hair. We have a no nits policy, so you’ll have to pick her up and get her cleaned up before she can stay at camp.” Huh? She didn’t complain of her head being itchy. We had just been on the beach for a week, not in the wilderness. And did this nurse not hear that we just entered North Carolina? Which is not exactly close to Southern PA.

It would take us at least 7 hours to get back to camp, and the friend needed to be home that night. Turning tail was a non-starter. This was a frackin’ mess. The Boss was distraught. I was trying to keep the van on the road, and we had a daughter in the health center. So we pulled over the car and activated the Bat Signal. Of course, we didn’t call the Caped Crusader – we called Super Grandma.

We sent the girls to camp in Southern PA because it’s within driving distance of the Boss’s family in MD. So Super Grandma (and Papa too) jumped in the car and headed North to pick up XX2. She handled it like a trooper, though she was a little confused as to why she had to go home if her head wasn’t itchy. That kind of logical analysis under fire was pretty impressive in a 7-year-old. And she was already politicking to stay at camp for two extra weeks because she had such a great time in the 3 hours she was with her bunk. Her biggest concern was that she wouldn’t be allowed back to camp. I guess our acclimatization concerns were a bit misplaced.

Meanwhile, we were working the phone to find a service that could clean her up quick and get her back to camp ASAP. Did you know there are tons of folks that will clean head lice from your kids, dogs, uncles, or anyone else who seems to get it? I had no idea, but there are a ton of them. I guess you don’t learn that until you have to deal with it. One service wanted our 7 year old to douse her head in olive oil and wrap it in a shower cap for a week after the treatment. Yeah, right. That would work pretty well at camp. So we went with someone who could show up at 7am the next morning, clean her up, and get her back to camp.

Which is exactly how it turned out. There were no nits after all. $300 later, we discovered I genetically disposed XX2 to a dry scalp, and that combined with sand residue from a week of being buried at the beach (which is hard to remove, no matter how many times you wash and brush) can look like nits. So she is back at camp, and she acted so mature throughout the whole boondoggle that we decided to extend her stay at camp from two weeks to a month. So it was a very expensive drive home, all things considered.

And as a bonus we learned more about head lice than any human should know. But all’s well that ends well, and this ended well. Now we get to spend a solid 3 weeks with the boy, with the express goal of expanding his food palette. That poor kid. He says he doesn’t miss his sisters, but after 3 weeks of Mommy Food Camp, I’m pretty sure he’ll be the first one on the bus to camp next year. But we’ll get to that installment of As the Incite Turns later this summer. I know you can’t wait.

• Mike

Photo credits: “nit” originally uploaded by pshab

Incite 4 U

1. Scareware is good business: We Mac boys got all fired up about the unsophisticated MacDefender scareware a few weeks ago. You could get the feel that scareware was a big business, but you didn’t know how big. Thanks to some crack detective work in the Ukraine (h/t Brian Krebs) in conjunction with the FBI, we have an idea now. And it’s big business. A conventional security start-up with a revenue ramp to $72 million and 960,000 customers in a matter of months would earn a multi-billion valuation and a VC funding frenzy. Even better, they leverage commercial attack kits like Conficker to accelerate distribution. They probably even have fancy titles like “VP of (Social) Engineering” and “Head Phisherman.” Of course, the downside of this business is a few years in a Gulag, but the economics are staggering. In geographies where monthly salaries are in the hundreds, you can understand why competent computer folks take this path. – MR
2. Secure code metrics: DHS/Mitre proposing a security scoring system is a good thing. Having been a development manager for over a dozen years, I know metrics are important. I also know they must be used carefully. The main problem is that they are tangential indicators – they don’t definitively tell you something, but they suggest trends. Root causes are hard to identify, and you typically need to contrast different metrics in order to get any idea what is really going on. The biggest advantage of metrics, for me, was that they provided warning flags when something was going wrong. Then I could investigate other metrics, interview developers and customers, and figure out where I needed to make changes. And I am just talking about metrics that relate to quality and productivity – security metrics are even more elusive. Despite the squishiness of the ‘science’, I recommend you at least read the document to see if you can leverage some of this work. There will be growing pains, and it is tough to build data collection into development systems and processes, but you need metrics to successfully develop secure code. – AL
3. Enough with the Lulz: I’m sitting here running through my feeds and it’s hard to find anything other than LulzSec articles. Which is frustrating, especially when Citibank lost $2.7M. Here’s the thing – if you work in security and approved of LulzSec’s tactics, it’s time to revisit your ethics. If you fell for their “we’re doing this to show how bad security is, so people will make it better” line, you should revisit your skepticism. These were a bunch of vandals out to have some fun, and they clearly didn’t care who got hurt in the process. Their only goal was fun, they only care about themselves, and they didn’t teach anyone anything. Just like the bullies in high school. Like Spafford says. – RM
4. Lulz and the Bad Guy Code of Ethics: Fellow ATL security guy Dave Maynor of Errata Security goes on a bit of a rant about how LulzSec really shows the epic FAIL of the security industry. I agree with Rich above – I’m sick of all Lulz, all the time – but Maynor has a point here. He comes clean and admits that he amends pen tests based on customer worries. I also agree with Shrdlu that a real no-holds barred pen test isn’t likely practical in most corporate organizations. So where is the middle ground? It’s in managing expectations. If culturally you aren’t allowed to really test, using live ammo and few rules, then it needs to be clear that you may get value from the test, but it’s not necessarily representative of what an attacker will do. So what’s the point? Most organizations treat pen tests another checkbox exercise for compliance. They want a checkmark, so give it to them. But at the same time, make sure you are monitoring the hell out of your environment (per Bejtlich) and ready to React Faster and Better. – MR
5. Damage trolls: Speculation that Sony ‘cut corners’ when protecting user data has resulted in (predictably) yet another lawsuit. This will be very difficult to prove, as there is little accurate public data about some aspects of the breach. There is an implication of sloppiness: the data was accessed through a test network, and secondly, they managed to pull 100M user accounts out the front door. Hacked the network, hacked the database, sucked the data out undetected. Three strikes. I imagine tort vultures – I mean attorneys – will subpoena policies and procedures documents, but I’ll bet there are a bunch of assessment scans, audit reports and SIEM logs saying they were “secure” (whatever that means). It’s hard to see this as anything more than an attempt to embarrass Sony into coughing up a settlement fee, so I really don’t expect this lawsuit to have any positive impact. Probable impact: more breached firms “lawyer up”, disclosing as little information as they can, and rewriting those terms of use policies nobody reads. Basically, same old same old. – AL
6. This isn’t a spy novel, folks: We’ve all read the books and seen the movies. Some foreign intelligence agency plants back doors in hardware bound for unsuspecting US customers. Usually it’s some “god code” that lets them shut down our defenses so they can walk right in like aliens attacking New York or LA. But that’s just paranoid fiction, right? Wrong. It’s been rumored for a while that someone in China added some extra firmware to some fake Cisco hardware a while back (I have no real confirmation), and now we find out the US Navy bought 59,000 counterfeit chips for weapons systems. One article claims they had back doors pre-installed, but no other source makes that claim – still, not knowing your supply chain is always a concern. – RM
7. pcAnywhere’s revenge: This one cracked me up. CEO makes a presentation to the board, but the fired IT manager remote controls in, shuts down the machine and reboots it to a picture of a naked woman. Sounds like a vintage 1995 pcAnywhere attack. Of all the things this idiot attacker can do, he decides to show nudity during a board meeting by controlling the CEO’s computer? How’s that for Lulz? Crap, half those board members probably have more revealing stuff in their browser caches. And this guy also accessed email and had passwords. But he went straight for the sophomoric pranks. For his community service, maybe he’ll show some kids how to do the “flaming poop” front door attack or maybe even break out the whoopie cushion. – MR