Poll: Have You Used Penetration Testing Services?

Posted in Penetration Testing, Polls, Security by Dragan Pleskonjic @ Dec 14, 2009

I invite you to answer the poll question “Have you used penetration testing services?” (in the column on the right of this blog). Possible answers are:

  1. Yes
  2. No
  3. Have I used… what?
  4. I provide those services

Thank you for voting.

The Wikipedia article defines a penetration test this way:

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit.

See more here.

Poll: Should We Teach Students How To Write Viruses?

Posted in Malicious Software, Polls by Dragan Pleskonjic @ Jul 18, 2009

More than two years ago I wrote a post on this blog with the question in its title: “Should We Teach Students How to Write Viruses?” That post outlines some reasons pro et contra and links to various Internet resources regarding this question.

Today I’ve added a new poll to this blog with this question. The goal of this poll is to see the opinion of this blog’s visitors on this very controversial issue. Before voting, it is recommended to read the previous post on this blog and visit the links mentioned in that post. Also, I recommend that you visit:

Your opinions are welcome. Thank you for voting.

Which Antivirus Software Do You Use?

Posted in Malicious Software, Polls, Security, Tools and Utilities by Dragan Pleskonjic @ Apr 21, 2009

There is a new poll on this blog. The question is “Which antivirus software do you use?” and the possible answers are:

  • Symantec
  • McAfee
  • Kaspersky
  • F-Secure
  • AVG
  • Avast
  • Trend Micro
  • NOD32
  • Other
  • None

Thank you for voting.

Connected to Virus Writers?

Posted in Malicious Software, Polls by Dragan Pleskonjic @ Jan 19, 2009

The recent poll with the question “Will crisis in financial sector affect tech and security?” has expired.

The new question is related to long-standing rumors that some security software companies are connected to virus writers and use them as helpers to increase revenues. In my opinion, it is unlikely, but I would like you to give your opinion in the poll on this blog.

So, the question is: “Are software companies, which produce antivirus tools, connected to virus writers?”

The two simple answers are yes and no.

Thank you for your vote.

Victoria Secret Competition Gets Hacked

Posted in Internet Security, Polls, Security by Dragan Pleskonjic @ Dec 3, 2008

In this article I tried to explain why we should not believe Internet polls and explained some of the ways to cheat them. Here is one more proof: Victoria Secret competition gets hacked.

How?

In the early hours of Oct. 21, Plunkett and his friend created a Perl script that could log 1,500 votes per second on the Victoria’s Secret Web site. Twelve hours later, Drexel had gone from 9,000 to 5.2 million votes.

The script took Plunkett all of three minutes and 30 computers to run.

It’s interesting to read.

Will crisis in financial sector affect tech and security?

Posted in General, Polls, Security by Dragan Pleskonjic @ Oct 18, 2008

The financial crisis is going to spill over from the financial sector into the real sector. It can result in a slowdown and less spending on technology, a higher unemployment rate, etc. It can also result in growth in the use of open source, cloud computing and virtualization technology as consumers cut back on their “discretionary” purchases while businesses, strapped for credit (because banks won’t have it to lend), decide to make the best of what they’ve got and squeeze the last possible drops of life from the hardware they have, while reducing costs on software as far as possible.

The security business will certainly be affected. Many managers consider this spending as something that does not give a proper ROI (return on investment). The effects of improper security processes, services and products are usually seen only as a negative reference. Management will not reward people and teams responsible for security based on what could have happened but did not happen because you implemented proper security processes, mechanisms, policies, products and services. But in case of a security incident you will get negative publicity. It is a role similar to that of a goalkeeper in a football team.

Security researchers and developers will certainly face funding cuts for this purpose at the first sign of the crisis spilling over from the financial sector into the so-called real sector.

Is that good? Definitely not.

In vulnerable systems, which make up more than 90% of systems in use at present, this will open new holes. The financial sector will be strongly affected. As a result of ruined confidence in that industry, a lack of proper security in the future will continue the erosion and eventually result in lost confidence in the sector. This is going to lead to new problems.

Some tradeoff should be found: a tradeoff between necessary spending and mechanisms, products and services that can provide better security for less money.

Another view of the effect of the economic crisis on tech sector spending can be seen here. It says:

Meanwhile, for those aiming to start technology businesses, it might – ironically enough – be slightly easier than before to get venture capital cash. That’s because the people who have money need to find somewhere to invest it. Gold? Oil? US Treasury bonds? All are a rollercoaster right now. Finding a company with a really good idea and business plan – preferably not reliant only on advertising – looks, by contrast, like an excellent way to make money. After all, in 1976, when Apple was founded, US unemployment was 8.5% and inflation was 8.9%; at present the comparable numbers are 6.1% and 5.4%. But of course in 1976 the US was coming out of recession. Now? It’s anyone’s guess how bad it will get.

The squeeze will also push companies towards open-source models, since those don’t require expensive licenses as well as expensive support. That could be a threat to Microsoft and other big ones.

I would say that this is a good chance for clever and bright people with good ideas to create the next big things. Or, in other words: some will take the crisis as a problem, others as a challenge and an opportunity. It is time to consider the next big move.

As a result of this crisis, we can expect not only problems but also some good outcomes. Every crisis teaches us something and makes us stronger.

So, back to the question in the title of this post. The answer is: yes, it is almost certain now. We still don’t know the level and impact. But the impact doesn’t have to be only negative. It can have positive outcomes as well.

Update on October 19, 2008: I’ve added the question from the title as a poll with three possible answers:

  • Yes
  • No
  • I don’t know

I wish to hear your opinion on this topic.

How many security incidents you have experienced in last 12 months?

Posted in Polls, Security by Dragan Pleskonjic @ Jul 17, 2008

A new poll is active on this blog now. The question is: “How many security incidents you have experienced in last 12 months?”

The available answers are:

  • 0
  • 1 – 5
  • 6 – 10
  • more than 10

Thank you for voting.

Poll Results: Hacking Motives

Posted in Polls, Security, Security Research, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Apr 2, 2008

The poll “Primary motives for hacking are”, which was open on this blog from December 21, 2007 to March 31, 2008, is now closed. Based on the answers of visitors who took the opportunity to vote in the poll, the main reason why hackers (malicious ones) attack is that they take it as an intellectual challenge. The next reason is money, etc.

Here is a summary of the results.

As was said in the introductory post for the poll, it is based on the classification by the Australian government Institute of Criminology, i.e. its High Tech Crime Centre. You can see the paper (also linked in that blog post) here.

There was a polemic about the definition of hackers and whether it is correct to say that hackers are malicious. Many people think that the definition of hackers means that they “wear a white hat”, i.e. hackers are not driven by malicious motives. Crackers, however, are the ones who “wear a black hat”, i.e. they are supposed to be malicious, according to that opinion. Also, some people mentioned that the poll lacks a precise definition of hacking and a description of the difference between hacker and cracker for the sake of this poll.

This poll is about public opinion – what people think about hackers and their motives, so it was left to everyone’s opinions and thoughts and is (intentionally) a little bit imprecise. :)

You can look into Merriam-Webster’s dictionary definition of hacker – it may be interesting.

Poll: Rate Your Computer Security Knowledge and Experience

Posted in Education and Training, Polls, Security by Dragan Pleskonjic @ Apr 1, 2008

I’ve added a new poll to this blog. The aim of the poll is to see the structure of the blog’s visitors according to their (your) individual opinion and experience in the field of security knowledge. There is no guidance or explanation of the given choices. You are the one who sets the measurement units, decides and rates your own knowledge and experience accordingly.

The question is: “Rate your computer security knowledge and experience”, and the possible answers are:

  • None
  • Beginner
  • Moderate
  • Expert
  • Guru

Vote, and enjoy visiting often and seeing how others vote. The poll started today and is planned to be open for 3 months, i.e. until the end of June 2008.

The earlier poll “Hacking Motives” expired last night (March 31, 2008). I am going to discuss the results in a future post on this blog.

Poll Results – The Most Secure Operating Systems Family

Posted in Operating Systems and Application Security, Polls, Security by Dragan Pleskonjic @ Feb 1, 2008

The poll “The Most Secure Operating Systems Family is?” was closed on January 31st, 2008, after being open for voting for more than 3 months, as planned. You had the chance to vote for one of today’s popular (or less popular) operating systems.

The results of the poll are:

  • Linux (24.44%, 110 Votes)
  • BSD UNIX (23.11%, 104 Votes)
  • Solaris (19.33%, 87 Votes)
  • Mac OS X (17.11%, 77 Votes)
  • MS Windows (16.00%, 72 Votes)

Total Voters: 450

In graphic presentation it looks like this:

[Chart: Poll results - the most secure OS]

It is obvious that Linux fans were very eager to vote for their favorite. It is also obvious that the majority of voters in this poll share the belief that Unix-like operating systems are far more secure than Windows. Microsoft has a pretty low reputation among the people who took the opportunity to vote in this poll.

Do not miss the opportunity to vote in the poll about primary motives for hacking.
