sec links for 2009-11-16

A 0day vulnerability in SMBv1/SMBv2 in Windows OS products (including 7) has been released. While this sounds like other recent SMB vulns (MS09-050, MS08-067), there are differences. First, this latest one is client-side: a malicious SMB server attacks the client that connects to it, rather than an attacker hitting an exposed service directly (meaning yes, your web browser can be tricked into making an outbound connection to a malicious SMB server if your egress filters suck, so block outbound TCP 139/445 at the perimeter if you haven't already). Second, so far the result is "just a DoS." Best to keep an eye on this one.
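As an added example (mine, not code from the original post or from any of the linked articles): a short Python script that reads Windows Firewall log lines in the pfirewall.log format and pulls out outbound TCP connections to 139/445 whose destination is outside RFC 1918 space. ALLOW entries mean your egress filter has a hole; DROP entries mean the filter held but something on that host (a browser following a UNC link, for instance) tried to reach an external SMB server, which is the thing you actually want to go look at. The log lines below are constructed for the example; the field layout is the one Windows Firewall writes in its #Fields header.

```python
import ipaddress

SMB_PORTS = {139, 445}

# RFC 1918 ranges; anything else is treated as "outside the perimeter".
# Deliberately not using ipaddress.is_private, which also treats the
# documentation ranges (203.0.113.0/24 etc.) as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in pfirewall.log format (not real log data from any host).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-11-16 10:22:31 ALLOW TCP 192.168.1.20 192.168.1.5 49170 445 52 S 1234567 0 8192 - - - SEND
2009-11-16 10:22:40 ALLOW TCP 192.168.1.20 203.0.113.5 49172 445 52 S 1234580 0 8192 - - - SEND
2009-11-16 10:22:41 DROP TCP 192.168.1.20 203.0.113.5 49173 139 52 S 1234581 0 8192 - - - SEND
2009-11-16 10:22:45 ALLOW TCP 192.168.1.20 203.0.113.9 49174 80 52 S 1234590 0 8192 - - - SEND
2009-11-16 10:23:02 DROP TCP 198.51.100.7 192.168.1.20 40000 445 52 S 1234600 0 8192 - - - RECEIVE
"""


def is_internal(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_pfirewall(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Version, #Software and similar header lines
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than crash on them
        yield dict(zip(fields, values))


def smb_egress_report(text: str) -> dict:
    """Split outbound external SMB connections into allowed (filter gap)
    and blocked (filter worked, host still tried) lists."""
    allowed, blocked = [], []
    for rec in parse_pfirewall(text):
        # Only outbound TCP matters here; inbound SMB is a different problem.
        if rec["path"] != "SEND" or rec["protocol"] != "TCP":
            continue
        try:
            dport = int(rec["dst-port"])
        except ValueError:
            continue
        if dport not in SMB_PORTS or is_internal(rec["dst-ip"]):
            continue
        entry = (f'{rec["date"]} {rec["time"]}', rec["src-ip"], rec["dst-ip"], dport)
        (allowed if rec["action"] == "ALLOW" else blocked).append(entry)
    return {"allowed": allowed, "blocked": blocked}


if __name__ == "__main__":
    report = smb_egress_report(SAMPLE_LOG)
    for when, src, dst, port in report["allowed"]:
        print(f"EGRESS GAP   {when} {src} -> {dst}:{port} was allowed")
    for when, src, dst, port in report["blocked"]:
        print(f"ATTEMPT      {when} {src} -> {dst}:{port} was dropped")
```

Point the script at a real pfirewall.log (or feed it whatever your perimeter firewall exports, after adjusting the field names) and an empty "allowed" list is the check you want to see; a non-empty "blocked" list is worth a look at the source host.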

Philosecurity makes a good point about the role of airport security identification checks during inter-state travel. Does showing a “valid” ID while traveling inside the country add any security at all? My opinion is summed up by saying this whole modern concept (post 9/11) of airport security is stupid. The reasonably preventable problem from 9/11 is the taking of the cockpit (or more accurately, the taking over of flight pathing) on large aircraft. That should never have happened. That cockpit needs to be absolutely secured long enough to make emergency landings. Sure, you can still concoct film-script scenarios, but all of them are far more involved than bashing through a door by force.

Rich Mogull has two pieces that are great to read together. First, about getting tired of the "security is failing" chants. Second, about the problem of the anonymization of [cyber] losses. There are no big answers here, and some of his points are arguable, but I feel the end conclusions are sound: we're not dying, our bank accounts are not empty, and economics plays a huge role in security. I feel a lot of the activity in metrics and risk management over the last couple of years is geared towards reducing the stress of the first article, and removing the anonymity of the second article (thus paving the way for more resources for security), as opposed to many of the activities that are trying to play catch-up and stop-all directly against insecurity.