Phishing is up, Phishing is down, says SC Mag - which is it? And...much ado about SSL..

 With a few minutes to kill before hosting the board meeting for my condo, I decided to leaf through last month's print edition of SC Mag that has been sitting on my counter since its conference last month here in NYC.   While (Editor in Chief) Ilena Armstrong deserves credit for some definite layout and content improvements over the past few years, I'm sad to say that by page 13, I was confused over how to digest conflicting information.    

 A graph on the bottom corner of page 10 cites an RSA report that showed a sharp spike in phishing activity in August, while on page 12, a news brief mentions a recent X-Force security report that asserts phishing attacks in spam declined from 0.5 percent in 2008 to .01 percent in the first half of 2009.  HOWEVER . . . in that same X-Force report (and SC Mag's summary of it), states that "between 2008 and the first half of this year, the number of new malicious web links rose by 508 percent."  

So — let me see if I got this right -- according to the report, there has been a decline in phishing attacks in spam but within that smaller sample, the amount of malicious links in phishing emails has gone up by...508%?

As someone who regularly churns out similar stats trumpeting the growth of young companies, I can tell you that when you see a stat about 508% growth in one year, that context is everything.  If 500 percent of those links never see the light of day, then what is the relevance of the number?   While doing some last minute research, I found yet another SC Mag phishing story based on a MarkMonitor report, which also revealed an uptick in phishing.  While the reporter acknowledged the conflicting information, I still walked away confused, and unable to draw my own conclusion.

While it is easy for bloggers to bash the media (click here to read Mr. Preach Security Raf Los' thrashing of a Slate.com reporter), there is a wider problem of sifting through a greater volume of "legitimate” information, which without proper context can be misleading, inaccurate, or in SC Mag's case, contradictory.     

On a related note, last week there has been quite a buzz about a so-called flaw in SSL that allows malware to be injected into HTTPS traffic during a time when some applications require the authentication process be "renegotiated."   Now, crypto has never been my strong suit, but I did speak with a couple of folks about this who have been working with SSL a long time and are frustrated with the media coverage playing up the protocol’s “flaw.”

  My understanding is, that the vulnerability - while valid - is NOT an issue with the protocol itself but in the authentication “renegotiation” process between SSL and the application that allows for the possibility of a man-in-the-middle attack.

Apparently, some feel that it might be much easier (emphasis on the MUCH) to eliminate the vulnerability from the application side, rather than re-do SSL.

Researchers are stepping up to comment on the various ways the vulnerability could be exploited. Frank Heidt, CEO of Leviathan Security Group was quoted in a recent  IDG News story was quoted as saying  “Many high-profile banking and e-commerce Web sites will not return this 302 redirect message in a way that can be exploited, but a "huge number" of sites could be attacked “

So how bug a deal is it, really?  Is there some sort of rating system we can attach to this to provide a clear level set of the likelihood and outcome other than FUD-ish references to the potential for great harm?  

A special thanks to Lynn Terwoerds, former Microsoft security strategist and security architect at Barclays for her crypto-for-dummies schooling.    Kudos to Kelly Jackson at DarkReading for  providing a balanced view, at least compared to other stories I read about it.

Funny that for an industry that preaches risk management, there are few shades of gray in security.  The take-away, as far as I'm concerned, is that reality is subjective and context is everything.  And while that might seem like a no-brainer, that context piece is what often gets lost in translation, and the result is all kinds of backpedaling and level setting on the back end.

It reminds me of the whole “building-security-in-rather-than-bolting-it-on” conundrum, except applied to communication.  Maybe this is a big deal, maybe it isn’t – two weeks after the disclosure its still not clear.  If many banking or e-commerce sites are immune, than who isn't and what are the possible outcomes?

If it’s too soon to say, then that should be clear.  But the buck needs to stop somewhere, or we can go on spinning indefinitely.  

So.. Is phishing up, or down?  If the answer is both, then why?

Inquiring minds want to know....

Mean people suck...

Over the years, I have come to define myself as a security person that does PR, as opposed to a PR person specializing in security.  At the end of the day the distinction might be of no consequence (except maybe to me), but one of the ways it manifests itself is in the kinds of things I blog about.

For example, you won't find me weighing in on what the components of what a "social media press release" should be, sharing the latest Twitter PR strategies (Twitter gets on my already frayed nerves), or whatever.  While these things may be the tools of my trade, I find myself more interested in some of the more meaty security issues -- from metrics to secure coding, ethics to education, compliance, crime, privacy...in fact, I am fascinated with the whole notion of risk management and everything it encompasses.  As pathetic as it sounds, it's true.

That said, PR is my game, and I've been in it long enough to know that we are the bastard step-children of communications.  We put ourselves out there constantly chasing stories, slinging angles, pitching and yakking up a storm.  When we screw up there are usually several witnesses, and as a result, we become an easy target.  The way I see it, a good PR person is like a good sales person -- while some may find us indispensable, people love to hate us.

So the other day a press release I wrote for one of my clients caught the eye of a blogger that he shortlisted as one of three to publicly skewer.  Now, I have been guilty of ridiculous spin in the past.  My claim that the company's announcement “continue(d) to demonstrate its ability to innovate and successfully execute on its vision” might not be news, if that's enough to set off his gag reflex, then...wow.

Maybe I am totally desensitized - it's possible.  But I did catch the shimmer of ignorance in the ooze of his condescension, bright enough that in his plea for "business owners" to "please do everyone a favour and tell your marketing team to stop spurting stupid," to me is...lazy.  Any PR person who issues a press release that said "business owners" haven't approved are usually, shortly thereafter, out of a job, or if they are on the agency side, a client.

But journalists have been cringing over press release drivel since day one.  Scapegoating "marketing" for that drivel is like blaming the hand for what the mouth does.  Like a security practitioner who shows up for a Proof of Concept unprepared and blames the vendor for having a crappy product.

But that never happens, does it...?

I have seen journalists go way farther then he did - get personal, or so mean that they ended up looking worse then whatever it is they were railing against.  This guy did neither, and to his credit he spelled my client's name right, which like my last name, people seem to inherently misspell.  I did, however, reply, though I stuck to the high road and am guessing he could care less.

Having placed this in perspective, I do believe there is a bigger moral to this story.  A moral that is not easily solved but understanding it explains a lot. People tend to define themselves in two ways - by what they are, and what they're not.   That's why corporate "silos" are erected in the first place - to distinguish "us" from "them."  It's also why there is often tension after the walls are knocked down.  And this is not limited to the workplace either.  Our entire political, social, and economic worlds are framed this way.  And when something "they" do has a negative impact on "us," and "we" react, well, that's when things start to get interesting.

And let me tell you, it's been an interesting week.  People have been not getting along around me and yesterday, I wanted to throttle this crazy woman on my condo board who likes to spend her evenings drinking and sending out group emails.  Ironically enough the topic of this latest set of bizarre communications was about a potential (physical) security violation but, at the end of the day the issue wasn’t so much about security, just another case of misdirected scapegoating - to the extreme.  I was embarrassed.

Unfortunately, I wasn’t quite so Zen about this situation but it literally hits me where I live.  She ended up making herself look so bad that the situation sort of took care of itself, but not before I totally "bit," getting more and more riled with each email (My bad for letting her get to me.)

The point, now that I think about it, is that mean people suck.  Mean people that spew their meanness all around them, unsolicited, suck worse.  They are my “them,” and they are everywhere.  With the holidays coming up, they will be in full effect, and while I would like to say I have compassion for them, I’m not so sure that’s true.  Maybe at a distance…

Happy Thanksgiving.