Dragan on Security

Microsoft recently started The Security Development Lifecycle blog. There is also good book about SDL.

The information security guru Bruce Schneier gave a joint BCS and London School of Economics public lecture as part of this year’s 50th anniversary celebrations.

Interesting quotes:

‘Hacking has changed from a hobbyist pursuit to a criminal pursuit. There are lots of ways to make money criminally on the net. A lot of this we’re seeing from lone criminals, and also moving up to organised crime.’

and

Legal agreements may protect against misuse, but the control and oversight of information security becomes one step removed. For example, Paris Hilton had her phone book and text messages posted on the internet after the information was stolen; not from her phone, but from T-Mobile’s central systems.

Read article here and listen to the full lecture here.

Sounds unbelievable but read: Microsoft admits Vista failure, Abandoning the Vista Ship and Commentary on Vista Security and the Microsoft Monopoly.

Help Net Security is an online portal that covers all the major information security happenings. The portal has been online since 1998 and caters a large number of Information Technology readers specifically interested in computer security. Besides covering news around the globe, HNS focuses on quality technical articles and papers, vulnerabilities, various vendor advisories, latest viruses, malware and hosts the largest security software download area with software for Windows, Linux, Mac OS X and Windows Mobile.

This is long article but worth of reading:  OmniNerd - Articles: 2006 Operating System Vulnerability Summary.

If you haven’t time to read complete article, read:

Closing

     While there are an enormous variety of operating systems to choose from, only four “core” lineages exist in the mainstream - Windows, OS X, Linux and UNIX. Each system carries its own baggage of vulnerabilities ranging from local exploits and user introduced weaknesses to remotely available attack vectors.

     As far as “straight-out-of-box” conditions go, both Microsoft’s Windows and Apple’s OS X are ripe with remotely accessible vulnerabilities. Even before enabling the servers, Windows based machines contain numerous exploitable holes allowing attackers to not only access the system but also execute arbitrary code. Both OS X and Windows were susceptible to additional vulnerabilities after enabling the built-in services. Once patched, however, both companies support a product that is secure, at least from the outside. The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each system generally maintained its integrity against remote attacks. Compared with the Microsoft and Apple products, however, UNIX and Linux systems tend to have a higher learning curve for acceptance as desktop platforms.

     When it comes to business, most systems have the benefit of trained administrators and IT departments to properly patch and configure the operating systems and their corresponding services. Things are different with home computers. The esoteric nature of the UNIX and Linux systems tend to result in home users with an increased understanding of security concerns. An already “hardened” operating system therefore has the benefit of a knowledgeable user base. The more consumer oriented operating systems made by Microsoft and Apple are each hardened in their own right. As soon as users begin to arbitrarily enable remote services or fiddle with the default configurations, the systems quickly become open to intrusion. Without a diligence for applying the appropriate patches or enabling automatic updates, owners of Windows and OS X systems are the most susceptible to quick and thorough remote violations by hackers.

Identity theft is a growing problem and fight against it is very important. One possible idea and question is: Can the speed at which user types be used to determine whether he/she is allowed to view bank account details or use other online services?

This is mechanism that, if proves as correct with acceptable accuracy, can help in antiphising battle as additional authentication layer as it is unlikely that an attacker will be able to properly repeat typing style and timings of original user.

My graduate student did some work in this area and developed application which hasn’t been proven as highly reliable, but was able to perform additional level of authentication coupled with other methods. It helped to increase level of protection for password based systems.

BioPassword is new security company and software based on the idea of keystroke recognition. According this company, they already have solutions for banking and finance, eCommerce, healthcare, digital rights etc. They also got awards for this.

There are open issues with this method still: What about if you’re trained as typist? Also, do you type the same way as others who learned the same way? Can we assume that the same user will type same every time? His mood, circumstances in which he types and other conditions that are not under control, can affect this lot. Also, the system would need to be recalibrated every time you changed your password. With a fingerprint, for example, that only happens once.

If you ask me, I wouldn’t want to automatically block users. From experiments my graduate student have done with this method up to now, the false-positive/false-negative ratio would have to be jiggered properly and also it is not method that we can use with high confidence still. But if they (BioPassword company) can get it working right, it’s an extra layer of authentication.

Google AdSense program offers possibility for Website owners, who have high visibility and number of visitors, to earn money based on clicks on Google Ads. More details about Adsense here.

However, on occasions it seems to me that this widely used service is going to be indicator of strange movement on many Web sites. There are a lot of Web sites that are created just for one purpose: to get money from AdSense program. There are books on this topic and many articles that try to give advices how to get maximum (money) from this service. Those are usually worthless Web sites with many keywords, links and pages that are just grabbing content from different Web pages and combining them. It usually leads to huge rubbish storages.

This leads to situation where these sites with AdSense attract attention have good position on searches, but more and more people don’t like it at all. It can show kind of flippant approach to creating Web locations.

Also couple of interesting occasions happened related to this service. It is pretty easy to get someone’s account disabled. You need to make fraud clicks on his page with Google Ads. Much more: you can use automated tools to do this. There are tools for this and some hackers offer different services intended to hijack other’s Google AdSense accounts, to get someone’s account disabled and to “help” website owners to increase revenue.

Jennifer Slegg says in her blog:

“In various webmaster forums, more and more publishers are reporting that they have seen their publisher IDs changed on their AdSense accounts, and a couple cases of it happening to Yahoo Publisher Network accounts.”

As far as I know, AdSense does not offer publishers any tools or whatever that would alert them to any problem with there being an AdSense publisher ID switched.

Also, there are cases when AdSense code that is dedicated for one site, appears on another site(s). Motives are different and usually fraudulent. Some kind of “white list” of URLs would be useful as well, where publishers submit the only URLs where their AdSense code should be appearing. That way, publishers who are worried about someone putting their AdSense code on a site they do not control would be alerted when their publisher ID suddenly starts appearing on spammers black list. This is necessary feature, especially as publishers are becoming more and more paranoid, as time passes, of being suspended for someone doing something completely out of their control.

I would suggest avoiding using Google AdSense program if you haven’t really huge number of page impressions and also ways to protect yourself from hacking your account or misuse of you AdSense code. Usually you can’t expect to earn important amount of money from AdSense if you strictly follow rules and haven’t significant number of visitors. Otherwise, you risk that your site will be just seen as kind of inefficient way to earn money.

Michael Howard and David LeBlanc have written new book Writing Secure Code for Windows Vista™. Microsoft Web site says about this book:

The definitive guide to developing more-secure software applications for Windows Vista

Get the definitive guide to writing secure code and developing more-secure applications for Windows Vista—straight from the experts. Security is one of the greatest enhancements in Windows Vista, and developers will be urged to write more secure code on the platform to support a growing customer base. This reference delivers the straight scoop from the authors who wrote the immensely popular, award-winning book Writing Secure Code. Developers get first-hand insights into design decisions and practical advice for solving real-world security issues. The book covers new features, including ACLs and BitLocker™, as well as enhancements to familiar concepts, such as firewalls and authentication. In addition, there are plenty of code samples in C# on the Web. Designed to complement and extend Writing Secure Code, this book is essential for developers of Windows Vista.

Michael Horward is proven author of good books related to secure programming. I’m going to read this book, as I’ve read previous two books “Writing Secure Code” and “The Security Development Lifecycle” and liked it a lot.

Here is Michael’s blog post about this book and book page on official Microsoft Web.

This is great news that many computer network and security administrators will welcome and which will make their life easier. By end of March 2007 GFI Software, well known company that develops network security, content security and messaging software, announced new version of its network security scanning product: GFI LANguard Network Security Scanner (N.S.S.). This security scanner is a solution that addresses the three pillars of vulnerability management: security scanning, patch management and network auditing through a single, integrated console. By scanning the entire network, it identifies all possible security issues and using its extensive reporting functionality provides you with the tools you need to detect, assess, report and remediate any threats.

According to the company, GFI LANguard N.S.S. 8 scans the entire network for over 15,000 vulnerabilities, identifies all possible security issues and provides administrators with the tools they need to detect assess report and remediate any threats before hackers do.

Having to deal with problems related to vulnerability issues, patch management and network auditing separately, at times using multiple products, is a major concern and big headache for administrators. Not only do they have to install, learn to use and manage multiple solutions but their time is mostly spent analyzing huge logs, trying to understand where the problems are instead of actually addressing the threats that may be present in their network. Using a single console with extensive reporting functionality, GFI LANguard N.S.S.’s integrated solution helps administrators address these issues faster and more effectively.

Apart from more extensive vulnerability scanning capabilities, GFI LANguard N.S.S. also has a performance enhanced scanning engine, additional patch management functionality and a highly intuitive graphical threat level indicator. This improves usability and decreases negative performance impact that many security tools have on systems and networks. The latest version has received a variety of patch management improvements including added support to rollback Microsoft patches as well as technology to automatically download new Microsoft security patches when made available. It also supports scanning for vulnerabilities on the newest Microsoft operating system Windows Vista.

GFI LANguard N.S.S. consists of five main components, which are:
• Management console
• Attendant service
• Status monitor
• Patch agent service
• Script debugger.

Management console is used to:
• Launch network security scans and patch deployment sessions
• View saved and real time security scan results
• Configure scan options, scan profiles and report filters
• Use specialized network security administration tools.

Attendant service - This background service runs all scheduled operations of GFI LANguard N.S.S. including scheduled network security scans and patch deployment operations.

Status monitor is used to:
• Examine the security threat level of your entire network
• Monitor the status of scheduled scans, software-updates and patch deployment sessions
• Stop scheduled operations that have not yet been executed
• Supervise the status of your patch auto download queue.

Patch agent service - This background service handles the deployment of patches, service packs and software updates on target computers.

Script debugger - This module allows you to write and debug custom scripts using a VBScript-compatible language. Use this module to create scripts for custom vulnerability checks through which you can custom-scan network targets for specific vulnerabilities.

As part of the launch, GFI LANguard N.S.S. 8 also includes a ReportPack add-on with over 30 customizable reports, which automatically generate graphical IT and management-level reports based on data collected during security scans. This is very useful solution for administrators as well as other IT staff.

You can find details about the new released version of GFI LANguard Network Security Scanner (N.S.S.) here: http://www.gfi.com/news/en/lanns8.htm.  

Find out more about GFI LANguard Network Security Scanner and download your free 30-day trial today, here: http://www.gfi.com/lannetscan/. Note: This is sponsored post.

ITSecurity has published great and useful list of 103 free security apps for Mac, Windows, and Linux. This list is divided to groups for Antyspyware, Antivirus, Rootkit, Web utility, Intrusion Detection System (IDS), Virtual Private Network (VPN), Temporary files, Wireless, and Encryption.

In my opinion, this list can be much better, but it is still useful.

List is here.