I would love to extensively write about Shell Shock, the latest vulnerability-with-a-brand-name. I do have a few hours invested in it, but this is the sort of thing that can be difficult to approach.
If I were mitigating this on a gig, I likely couldn't mention much; certainly nothing that could identify the client in any way. Because ethics. I am fine with that. First off, it indicates that some organizations that I care about have matters in hand. Good on them; this is not a simple thing to do.
Secondly, I get to sit back and take notes on things like the ugly beginning of this thing, how rapidly the exploit attempts began, how rapidly affected systems could be identified (a shell is used in places which might surprise you), speed and completeness of vendor response, etc. This is good data to have, and if I were neck-deep in an operational security work flow, prioritizing systems by criticality, etc., I wouldn't have it.
That work is a sunk cost; it needed to be done in any event, for professional reasons, whether it ever provides any direct reward or not. That is just the nature of the business; you do not get paid for everything you do, but it still has to be done.
It Would Have Been a Busy Week Without Shell Shock
It has been difficult to post lately. There is so very much going on right now. Some of it is structural; this is the end of a major part of the Conference Season, and there have been important results. Some is just in the nature of the weird little details that crop up now and then.
As an example of the weird little things, consider tamper-evident labels. These can greatly simplify the life of a security practitioner, from physical inventories (in combination with bar code scanners) to defending against hardware keystroke loggers (the variant that is placed inside the keyboard), and more. In 2008, I was recommending a line available from Grainger, but by 4/6/11, it had become unavailable.
TE Connectivity has a nice line, but at least some of it requires thermal-transfer printing, and lot sizes start at 10,000 units, depending on just what you are after. Good to be aware of, but I am no closer to finding an industrial supply house that can supply a useful product in lot sizes from the hundreds to the low thousands. I need to be, in that "No problem, go here" is a lot more useful than "I've been working on it".
So there you are, from broad strokes to one (there have been others this week) example of a weird little detail. I often think that the weird little details are the more important ones, and I can offer Shell Shock as an example.