May 17, 2008

Poetic Weekly Security Review

I do these every once in a while.

Enjoy

--

The Air Force, it seems,
wants its own net of bots
how many you ask?
The good colonel says "lots!"

The best defense is offense
to defend, they'll attack
After the DDoS
you'll get your game console back

Seems NATO's on board
the Baltics are chuffed
the Cybersecurity center
means attacks will be stuffed

If your cable's from Charter
they'll know you surf porn.
Want your privacy back?
Get Obama on the horn

Speaking of privacy,
can you say P-R-N-G?
if you're running Ubuntu
I've pwned your root key

The free email archival
from NSA -- quite a mess
they got knocked off the air
'cos of bad DNS

Seems virtualization security's
not Simon's problem to fix
beyond hypervisors
they simply don't mix

Troubled by compliance?
governance giving you fits?
risk management efforts
driven by auditor twits?

Fear not my good lemmings
I've the answer, you see
close your eyes, send a check
Behold: GRC!

Check Point launched ForceField
sandboxed browsing - how zen
I installed it, went browsing
but it broke VPN

Nessus licensing changed
not that much of a hassle
though some might have to pay
for the coolest new NASL?

Dave & Busters suggests
that you eat, drink, and play
Three dudes from east europe
took that quite the wrong way

Yahoo's in turmoil
Icahn wanted a "yes!"
HP spent near twelve billion
and they bought EDS

HSBC lost a server
Oh what could be finer
than your banking details
floating 'round China

Oh rootkits, we love thee
Where are you hiding them then?
In software, in firmware?
Oh, look! SMM

Don't forget IOS,
there's a rootkit there, too
pwnage of routers
means no sleep for you!

Intrusion tolerance solutions?
What's that you may query?
It's admitting that losses
are real, not theory

New PCI -- deadline's coming,
what will you do,
to comply with the new stuff
in version 1.2?

And finally,
I'm bullish on Google, I am
except when their mailer
starts sending me spam

April 30, 2008

Poetic Virtual Security

I was at Starbucks with my four year old. She was laying down the Dr. Seuss with aplomb, so I was inspired to dig deep and show her how the old man can ebb and flow.

I swear to $deity that upon hearing this she rolled her eyes and said something like "Dad, you had me at 'virtualization.'" At that point she quickly pointed to my iPhone and asked if I would purchase the latest Hannah Montana song on iTunes...<sigh>

You can see more of my poetic ramblings here (scroll down after the jump.)

When debating the future of secure virtualization
It's wise to reflect on its very creation

Some say poor code is the reason it's here
while others use doubt and (un)certainty's fear

Economically speaking the V-word's a boon
operationally, though, it showed up too soon

Duties, once separate, are now all a-blended
one moat, lots of castles -- the model's up-ended

Competency and skillsets come into play
Who owns the stack? Well, that's hard to say

Can an admin whose mad skillz focus on the OS,
really be trusted to manage this mess?

The virtual sysadmin owns the keys to the kingdom
but it's hard to fix hosts when you can't even ping 'dem!

Operational silos have now become worse
since the virtual admins control all the purse

The network and security wonks try to fudge it
but switches and firewalls just don't get budget

Security, network, storage, and host
if you push the wrong button it all becomes toast

Our current security solutions don't cope
but the dealers keep pushing their VirtSec straight dope

I don't want to come off like a VirtSec despiser,
but to protect our crown jewels it's all HYPErvisor

Don't worry my friends, no need to be scared
your whole infrastructure will be VMware'd

...or Xen'd, or sPath'd or perhaps Hyper-V'd
virtualization, I'm told, will solve everyone's need

Organizational issues are really what matter
there's no real need to make our vendors much fatter

Focus first on improving your present situation
like assessing your risk and host segmentation

Get a grip on the basics and work up from there
don't give into the hype, doubt, confusion or fear

That's it boys and girls till I rhyme once again
Stay happy, stay secure, and now...

EOM

October 05, 2007

Poetic Weekly Security Review

Security-related news from the week...

Two hundred grand
is what you'll pay,
for that illegally-scored music
says the RIAA.

Big data breaches make a really bad rap,
Think ABN Amro, eBay and the GAP.
Retailers recovering from a big breach black eye
Tell the Payment Card Council
"We hate PCI"

The Representative's children
download images of lust
He thrilled some high schoolers
with an eyeful of bust!

The Feds were determined
to save Arnie's day...
nuked ca dot gov
and the 'Net went away

Extra screen RC toys,
says the ole TSA
next thing you'll know
they'll take your Webkinz away

The poor DHS
they're feeling quite small
They DDoS'd themselves
with a big "Reply-All"

Microsoft's looking
to increase their wealth
by putting online
your records of health

You'd think that a government
like that of Big Mass.
wouldn't send out my social
and show their incompetent ass

The experts are puzzled
they say "Storm's a bot!"
The one thing they're sure of
is something it's not.

It's not easy to corner
it's causing us fear
for the nextgen of malware
is already here

The Great Firewall of China
Oy! Vadda mess!
Now it turns out
they block RSS!

The House Committee on Commerce
probes the wiretapping NSA
While the Air Force tried bombs
to make enemies gay?

And finally a comment
on Ex-czar Richard Clarke
whose ideas on security
leave our rights in the dark

We don't need any more laws
to control what you can't,
stick to fiction my friend
I'll take care of the rants

/Hoff

September 22, 2007

More Security Prose - Weekly Security Review

This week in security,
it's time to review.
What new vulnerability
are you subject to?

Let's scan Full Disclosure
and find us a bug.
Some new crafty malware
from a cyber-crook thug?

What poor security choice
has some CSO made?
First the VA, then Pfizer,
now A-mer-iTrade?

All things virtual are scary
vulns are real, take a look
and the TSA's profiling
your choices of book

Some MIT looney
with a fake bomb on her chest
almost got lit up
by New England's best

Compliance and legal
are all such a mess
Sarbanes-Oxley and HIPAA
PCI's DSS

Raytheon bought Oakley,
Shimel got GoogleJacked
while some poor Joe from CITI
had his LimeWire hacked

Peer to Peer and those BotNets
will be our dear network's death
The next malware vector is
ye olde PDF!

Maynor's been holed up
with guns, pills and code
Now the statutes are lifted
he's blowing his load

Curphey's gone Blue
Ptacek's gone MIA
Newby's gone English
Mogull's rejoined the fray

McAfee's Dewalt
went on a tirade
seems that cybercrime's
bigger than the world's whole drug trade

De-perimeterization,
the Jericho way
doesn't mean sell your firewall
on Craigslist or eBay

To model or measure
metrics or SWOT
Just don't define Lindstrom
as something he's not

Rothman's now helping
Grandma secure her kit
from malware like trojans and botnets
and shit

Pescatore says we need Security-three-point-oh.
InfoSec costs too much and has nowhere to go
He casually proffers his bold Gartner bet
by the year 2010 we'll be ahead of the threat.

That's it boys and girls
till I rhyme once again
Stay happy, stay secure
and now...
EOM
