Book: The Security Development Lifecycle

Posted in Books, Magazines and Journals by Dragan Pleskonjic @ Oct 31, 2006

After the very good and successful book “Writing Secure Code”, written by Michael Howard and David LeBlanc, the book “The Security Development Lifecycle” by Michael Howard and Steve Lipner came out. I liked these books.

Details at: http://www.microsoft.com/mspress/books/8753.asp for The Security Development Lifecycle and http://www.microsoft.com/mspress/books/5957.asp for Writing Secure Code.

Is It Possible To Steal An Election By Hacking The Vote?

Posted in Operating Systems and Application Security, Security by Dragan Pleskonjic @ Oct 31, 2006

It seems so, according to Ars Technica. The interesting article can be found here.

Google and Your Privacy

Posted in General, Privacy by Dragan Pleskonjic @ Oct 30, 2006

Google already knows more about you than the National Security Agency ever will. But if you try to find more about Larry Page and Sergey Brin, the two former Stanford geeks who founded the company that has become synonymous with Internet searching, you will probably be surprised. There’s very little about Page’s and Brin’s personal lives.

Read the article “Is Google Evil?” on the MotherJones web site.

At 30, Crypto Still Lacks Usability, Experts Say

Posted in Cryptography by Dragan Pleskonjic @ Oct 30, 2006

Government controls held back cryptography in the past, but today, it’s usability that blocks adoption, a panel of experts said Thursday.

Read full article here.

Anti-Virus Software Is Ineffective!?

Posted in Operating Systems and Application Security, Security by Dragan Pleskonjic @ Oct 30, 2006

Stealth malware researcher Joanna Rutkowska recently demonstrated a way to infect Windows Vista with a rootkit and introduced Blue Pill, a new concept that uses AMD’s SVM/Pacifica virtualization technology to create “100 percent undetectable malware.” Hardware virtualization, in her opinion, “has been introduced a little bit too early; before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.” Blue Pill operates by creating a hardware virtual machine and moving the native operating system into this virtual machine, becoming a “hypervisor” itself. The native system doesn’t even realize it has been moved to a virtual machine. Rutkowska explains that operating systems need to be aware of such virtualization and have their own hypervisor. In her opinion, “we need at least two to three years to implement a foolproof protection against hardware virtualization-based malware.” Her ideal solution would be “integrity checking of all system components,” but she realizes the difficulties involved. Blue Pill is an example of this undetectable Type III malware, which “does not introduce a single byte modification into kernel, or other processes’ memory.” The only chance for detection would be finding side effects. Rutkowska believes it is better to have “a good integrity-based scanner, even if it’s not capable of detecting Type III malware, rather than having a classic anti-virus product which only tries to find the known ‘bad things.’” Stealth malware can silently subvert an operating system without being noticed, so to Rutkowska, the most pressing concern is not the complete prevention of malware infections, but the ability to detect them.

Click here to view full article.

Source: ACM TechNews.

NIST to Certify Voting Machine Security, Standards

Posted in Security by Dragan Pleskonjic @ Oct 29, 2006

The U.S. National Institute of Standards and Technology (NIST) will aid the federal Election Assistance Commission (EAC) in its efforts to verify that electronic voting machines meet federal standards. NIST will assist the EAC in creating standards that vendors of e-voting machines must comply with as they submit their products for testing with private laboratories. “NIST will address security and wireless access,” says Brian Hancock, director of voting systems certification for the EAC. Other standards exist, such as those for usability, performance, and accessibility, and NIST will focus on these areas as well. Hancock says the EAC wants NIST to concentrate on developing tests, which will be carried out by private labs, that are transparent. Meanwhile, Ian Piper, a representative of the Election Technology Council of the Information Technology Association of America, who is also director of compliance for vendor Diebold Election Systems, says the EAC needs to make testing standards more consistent and stop changing requirements all the time. Over a third of U.S. voters will cast their ballots on e-voting machines this year, says EAC Chairman Paul DeGregorio.

For information about ACM’s e-voting activities, visit http://www.acm.org/usacm.

Click here to view full article.

Source: ACM TechNews.

ModSecurity 2.0

Posted in Operating Systems and Application Security, Security by Dragan Pleskonjic @ Oct 24, 2006

ModSecurity is an open source web application firewall that runs as an Apache module, and version 2.0 offers many new features and improvements. Federico Biancuzzi interviewed Ivan Ristic to discuss the new logging system, events tracking and correlation, filtering AJAX or AFLAX applications, and just-in-time patching for closed source applications.

Read the interview on the SecurityFocus Web site.

Visit the ModSecurity Web site.

Biometric Passports With Embedded RFID

Posted in Security by Dragan Pleskonjic @ Oct 23, 2006

After four years of intensive debate and security analysis, the U.S. government began rolling out biometric passports in August that contain an embedded RFID chip holding a digital photograph and the bearer’s personal data.

Read full article at internetnews.com.

War of Words on Vista Security

Posted in Security by Dragan Pleskonjic @ Oct 21, 2006

The war of words continues between Microsoft and the top independent security software makers.

Read the interesting article written by Ed Sutherland at internetnews.com.

Oracle Details Over 100 New Flaws

Posted in Operating Systems and Application Security, Security by Dragan Pleskonjic @ Oct 21, 2006

Oracle users have been complaining for some time that they get too little information, but that changed this week with Oracle’s final quarterly Critical Patch Update (CPU) of 2006, which fixes more than 100 flaws.

The October update represents the largest number of flaw fixes in all of 2006.

The last update in July had 65 bugs, April’s update had 36 and January’s update fixed 82 flaws.

Of the 101 security fixes in the October update, 56 could potentially be remotely exploited without even a username or password. Oracle had not previously disclosed in its CPUs how many flaws were remotely exploitable.

“While existing CPU risk matrices made it possible to assess whether a specific vulnerability was remotely exploitable without requiring authentication on the targeted system, Oracle is now going to specifically identify this type of vulnerability,” Eric Maurice, Manager for Security in Oracle’s Global Technology Business Unit, wrote on Oracle’s security blog.

See the post on Oracle’s security blog.