Incite 1/11/2012: SpoilsportBy Mike Rothman
The winter holidays aggravate me. They are a consumption binge, and I know we all want a healthier global economy (which includes folks spending money they don’t have on things they don’t need) but it still irks me. I grew up modestly in a single-parent home, and we did stuff, but not a lot. We didn’t have the fancy things, which forced me to go out and earn whatever I’ve gotten.
I remember being ecstatic one Hanukkah when I got a plastic briefcase-type thing to bring my books to school. We didn’t get 8 gifts or have a big-ass tree with all sorts of goodies under it. We got one thing and it was fine. I know how hard it was for my Mom to even provide those little things, and how hard she worked. That awareness has always driven me.
I’ve been very fortunate, and we can provide plenty of gifts to our kids over the holidays. And we do. And the grandparents do. And they get lots of stuff from their cousins. The list goes on and on. But in the back of my mind is a fear that the kids don’t appreciate what they have. We have had to threaten to take all the stuff out of their room more than once, when they act like spoiled brats.
I do try to lead by example. They see that I work a lot, but I’m not sure they understand that just working hard might not be enough. That they’ll have to find their talent, be persistent, and have a little luck, to achieve and earn everything they want. Though at times we get a glimmer of hope that despite their very comfortable lifestyle the kids have some perspective. When we got back from our holiday trip, the Boss sat down with XX2, who had a pretty interesting question.
XX2: Mom, am I spoiled?
The Boss (TB): You tell me? Do you think you are spoiled?
XX2: Yes. I have everything I need, and get pretty much everything I want, so I guess I am spoiled.
Win! Of course just because one of three understood, at that moment in time, that she has it pretty good, doesn’t mean she won’t be squealing like a stuck pig the next time we won’t buy something she wants when she wants it. But at least we can remind her of this conversation to introduce some perspective.
It’s a fine line, because I work hard and have earned a certain lifestyle. I shouldn’t have to sacrifice having some nice things to make a point to my kids. But ultimately it’s our responsibility as parents to make sure they understand that the world is a tough and unforgiving place. Which means at times I need to be a spoilsport and say no, even when I get the cute pouty face. But that’s a lot better than allowing my kids to be soft, spoiled, and unprepared to deal when they leave the nest.
Photo credits: “spoiled” originally uploaded by Kim ‘n’ Cris Knight
We’re plowing through the latest Quant project on Malware Analysis. Here are the posts over the past week:
You can find all the posts on the Project Quant blog. We are also finishing up our Network-based Malware Detection series. You see a trend here? Yep, it’s all malware, all the time. Here are the posts so far in that series, which we will wrap up this week.
In case you aren’t interested in our Heavy RSS Feed, where you can get all our content in its unabridged glory.
Incite 4 U
The Sound of Inevitability: Kevin Mandia says if you are targeted by an advanced attacker, you will be breached (pdf). That’s not when, not if. And he should know – his firm spends a lot of time doing high-end breach response. If the effectiveness of targeted attacks by knowledgable attackers is approximately 100%, do you just accept this as an inevitability? Or do you ratchet up protections to make it harder for attackers? Those are the basic questions – they are the two most common CEO responses to this type of choice. Do you just accept this as part of the business landscape – cost of doing business – or are you determined to be a faster than the other
gazellescompetitors for the lionsattackers to eatfocus their intensive and persistent efforts on. Or maybe you can compartmentalize damage – knowing some user will inevitably click an email link with targeted malware – to just the mail server or select employee systems? It’s a worthwhile read: he lists all the data we repeatedly say you should keep – but which companies don’t have, can’t find, or take a week to recover. Breach preparedness drills? Anyone? – AL
Brute force still works: King Krebs does some very interesting research into how the bad guys are defeating tests to figure out whether forms, etc. are being filled out by bots or other automated mechanisms. Basically, they’ve built sweatshops where all folks do is fill out CAPTCHAs and respond to other tactics to bypass bot detection tests. Even better, these folks have basically built a multi-level marketing scheme to get other folks to fill out the CAPTCHAs. The folks at the top of the pyramid can make real money, while folks at the bottom might make $3/day. Not unlike other MLM schemes, I guess. It’s just interesting to see tried and true business models applied to computer crime. What’s old is new again… – MR
Nothing to see here. Really! Last week I got a call from a reporter at a major publication I have worked with in the past, to ask about some Symantec source code hackers claimed they stole from the Indian government and then posted online. Normally when something like this happens and the vendor denies it’s a big deal it is really A BIG FRIGGIN’ DEAL!!! This time? Not so much. Mike Lennon digs in, and it seems clear the risk to Symantec and their customers is remarkably low. We walked through the issues and in the end I told the reporter, “well, all news is a story, but this won’t affect anyone… not that it won’t hit some headlines.” He decided not to cover it, then, as expected, a bunch of other people did and it was much ado about nothing. You don’t even need to bleed to lead – a paper cut will cover it these days. – RM
Survey for attitude adjustment: Help Jack Daniel and some other smart guys track the attitudes of security folks. I love this type of data because it gets at motivation, given security employment is booming, and drivers for happiness – particularly because most security folks I know are pretty grumpy. Once these guys publish the data, we can all share our respective misery. – MR
Reverse Social Engineering (or Deterrent 101): Evidently Israeli credit card data was stolen by an attacker believed to be from Saudi Arabia, and used for fraudulent purchases. Some Israelis decided to respond by hacking Saudi citizens’ credit card data. Regardless of whether you believe the Saudi attack or the Israeli response (or both) was government sanctioned or not, embarrassing information disclosures are most effective against those with something to hide. Why will the Israelis response be effective? It’s not because they won’t use the credit cards for fraud, but because they will publish what public officials purchased. You know, things like Internet gambling and p0rn, which will go over pretty well in a radical Muslim environment. Political embarrassment trumps identity theft every time! If the sheer amount of money spent on retrofitting 747’s with gold-plated toilet seats – something Saudi royalty has been known to do every couple years – was made public, it could cause serious political and religious unrest because the bills would focus attention on a lifestyle outside normal citizens’ comprehension. My guess is that last year’s unrest in Egypt is in the minds of Saudi government officials, and they have strong motivation to find “0xOmar” and stop the attacks. – AL
Password resolutions for 2012: Yup, it’s New Year resolution time. I know, you want to lose weight. Be nicer. More patient. OK, that’s me, but I’m sure you have some thoughts on the next 12 months as well. From a security standpoint, in light of the idiocy of most passwords clearly demonstrated by Steve Ragan’s analysis of the STRATFOR passwords. Maybe we can get our dimwit users to use better passwords this year. But as Rob G points out, better doesn’t necessarily mean longer passwords – it means unique passwords. I like to use both vectors, leveraging a password manager to manage passwords which are both unique and complex. Is it a cure-all? No, but I can remove another low-hanging fruit. – MR
The pain of the masses: Like many of you, I dread the calls to fix family and friends’ computers. It isn’t that I don’t enjoy working with technology, but many of these systems are… shall we say… jacked up beyond belief. I don’t expect everyone to be a security expert, but we live in a society where you need a the technical equivalent of black belt and a shotgun just to walk out your front door to get some groceries. So when a good friend called because he was getting all sorts of pop-ups that he was ‘infected’, I knew how I would be spending the next few hours. The good news is that he knew enough to call me right away. The bad news is he had a nasty scareware infection backed by a full root kit (I lost the name of that one). This was on Windows XP, which is now 10 years old and impossible to defend, but it’s hard to tell someone to pony up for a new computer or OS when the one they have now (otherwise) works fine. Anyway, we cleaned it well enough that he could get some important things finished and the Windows 7 upgrade is next on the list. Why write about it here? Because it’s the third of these I have personally dealt with in the last 3 months, and I know all of you have done the same. But you have to keep fighting the good fight, however frustrating. It’s good to remember how full of virtual fear online life is for people who don’t breathe security… and it’s our job to be help give them back a little safety when we can. – RM