Tag Archives | Security

Is Your Software Secure? Who Knows?

For a story I wrote for SD Times, I asked leading software makers to tell me about the processes they use to develop secure software, and found that most were unwilling to discuss the subject. Some companies will provide specious reasons for not being transparent, including the notion of providing customers with “security through obscurity,” but I believe that many are simply fearful of appearing disorganized and unconcerned.

How software is designed affects your safety, financial security, and privacy. Poorly-designed software has reportedly enabled foreign intelligence agencies to violate vital infrastructure in the United States (and presumably elsewhere), and it enables those with the know-how to get at your personal information on your own computer.

Consensus is that it is more effective to design software to be as secure as possible as early as possible in its development life cycle. Microsoft and other leading software companies have changed how they develop software to make security a requirement; consequently, vulnerabilities in Microsoft software are down dramatically.

Microsoft now shares its blueprint for developing software with its customers, and has begun to provide developers with free security tools that it uses internally. It did so because it knows that hackers are targeting applications that run on its platform, including third-party ones, as it hardens Windows with additional security.

If Microsoft is rising to the challenge, the other major software makers must be too, right? Wrong. I contacted over 20 leading companies, including Apple, IBM, Nokia, and Yahoo, only to be largely ignored. Include open source groups in that count. If those companies won’t be transparent, how can you trust the software that powers your cell phone, or stores your financial information?

Believe it or not, I am being told that many companies, including competitors, are asking Microsoft for advice or are simply copying its methods. That’s both encouraging and disappointing.

Some of those companies may be doing the right things, but I’m not encouraged by their silence. Software makers may do security testing after software is developed, or in bits and pieces, lacking a unified, company-wide strategy. However, security cannot be an afterthought, and there is no excuse for the industry to continue to place its customers at risk.


Don't Be Like Salma Hayek!

Poor Salma Hayek. She may be a gorgeous, accomplished, award-winning actress, but she’s apparently not very good at keeping her online accounts secure. A post at Electronic Pulp reports that pranksters have figured out how to get into her e-mail at Apple’s MobileMe service by using the “Forgot Password?” feature to reset her password. And they’ve been sharing stuff they’ve found (nothing scandalous).

Could this have been prevented? Did Salma do anything wrong? Did Apple? If the reports are true, the answers are yes, yes, and yes.


Enough Already: Stop Malware, Spyware, and Trojans

They’re out to get you: sleazeballs writing devious, sneaky programs that load your system with junk. I’ll show you a few quick ways to protect yourself from Windows Trojans that want your credit card number, malware that slows your system, and spyware that tracks your keystrokes.

Over the years I’ve played with at least 3 million security programs–Norton, McAfee (the program that AOL uses), Kaspersky, Spyware Doctor, Vipre, Avast, AVG, and Trend, to name just a few. They all give adequate protection. (I know, I didn’t mention your favorite. Get over it.) While all these tools do the job, there are differences: For instance, I think Spyware Doctor reports too many false positives and AVG, a former favorite, gets bigger with each iteration.

If you’re comfortable with your existing protection program, and confident it’s protecting you (read: you haven’t been infected recently), stick with it.

However, I often get e-mails asking if it’s a good idea to switch products.


How to Improve E-Voting? Take It to the Cloud

State governments in the United States must maintain servers year round for tallying votes during a matter of hours on election day, and many have a mixed record accomplishing even that task. A CNET article published today suggests that cloud computing provides a better alternative, and I agree.

For starters, I am more confident in cloud providers hosting sensitive election data than I am in a governmental IT department doing so. Data centers are built to be redundant and physically secure, and some are staffed with personnel trained in industry security standards. It would be impractical and cost prohibitive for a state to take those steps.

More importantly, virtualized server images that run on cloud services like those offered by Amazon.com are most likely to be configured correctly; more servers that meet the same rigor can be spun up as demand peaks. There are companies that make a living out of selling certified images that lock down access in virtualized environments hosted in the cloud.

Independent audits have uncovered security holes when local governments have set up their own servers. That is unacceptably risky.

Cloud infrastructure providers like Amazon make it possible for states to use the exact same databases and servers that they would use if they were tallying the results themselves, so the data remains interoperable with their existing voting systems. Even though the data is not physically controlled by a state when it’s hosted by someone else, it remains the property of the state, as cloud providers do not customarily control customers’ intellectual property.

So what does this all mean? If vote counting goes to the cloud, the state departments responsible for elections are then free to focus their efforts on providing accurate, accessible and reliable voting machines on election day. States can save taxpayers money and allay fears about stolen elections by using cloud computing to provide capacity on demand for tallying votes on election night, and do so with confidence. The time to make the switch is now.


Hey Mikeyy! You're Making Twitter Miserable!

This has not been a good weekend at Twitter, where a series of worms has been annoying the heck out of people by infecting their accounts and sending out fake tweets under their names. The first one promoted a Twitter-like site called StalkDaily; others make reference to Mikeyy, who’s supposedly StalkDaily’s 17-year-old proprietor and the perpetrator of at least some of the worms. Twitter says they’re on the case, but as I write this, the fraudulent Mikeyy-related tweets are still coming fast and furious, including ones with links which, if clicked, infect the viewer:

Mikeyy Tweets

The attacks leverage a JavaScript cross-site scripting vulnerability, so you’re probably at risk no matter what browser and OS you use. Here’s some advice on avoiding the worm(s) and getting rid of them if you’ve been infected. (Sounds like the single most important piece of advice is to use Twitter via a third-party client like TweetDeck or Tweetie rather than at Twitter.com itself.)

If Mikeyy is real, is seventeen, and is behind these attacks, he’s like a lot of seventeen-year-olds I’ve known–really smart and really dumb at the same time. Here’s hoping he doesn’t get away with it. I’m not sure what the proper punishment is, but more and more, I think that the Internet needs some sort of virtual stockade to enable the painful public humiliation of those who screw it up for the rest of us:

stockade


Security for Less!

Economic meltdown does have its downsides, but here’s one plus: massive discounts by companies hoping to attract a little attention in dire times. Check Point, the company behind the ZoneAlarm line of security software, is planning a one-day sale on its ZoneAlarm Internet Security Suite. The firewall/antivirus/antispyware package, which normally sells for $49.95, will sell for $9.95, but only for 24 hours starting next Tuesday, April 14th, at 6am PT. Check Point says it’ll donate 50% of profits to tech nonprofit TechSoup, and that the whole stunt is timed to tie in with Microsoft’s Patch Tuesday.

If you’ve got one or more Windows PCs and aren’t running current security software, it’s a deal.


U.S. Power Grid Compromised by Cyberspies

Foreign intelligence agents critically infiltrated systems that operate critical U.S. infrastructure, and left behind malicious software that could disrupt and endanger the day-to-day lives of Americans, the Wall Street Journal reports.

The paper cites anonymous current and former U.S. intelligence officials in its report. The spies are reported to have been agents of China, Russia, and various unnamed other countries. The officials said that the intruders’ mission was to map the U.S. electrical grid and other critical infrastructure, and to cultivate the capability to disrupt that infrastructure during a crisis. I’m certainly not surprised, and U.S. agents have probably done the same thing to other countries.

In my reporting for SD Times, I have spoken with companies that develop software according to the US National Security Agency’s Common Criteria Evaluation Assurance Level (EAL) program. EAL is an initiative operated by the National Security Agency to help industry create secure software, and classify existing software. The program is a relatively new public initiative that was born out of the “orange book,” the U.S. military’s once closely guarded guidelines for software security.

To date, only Green Hills Software, a company that develops a specialized operating system called Integrity, has received an acceptably high score on the EAL to address the problem. The NSA is also sponsoring secure programming classes at public universities.

Why is the NSA involving itself in the private sector, you may ask? It needs help. In a recent interview, Rex Black, president of Rex Black Consulting Services, explained to me how software engineers are essentially playing a game of multidimensional chess against hackers.

Black said that a big part of the problem is that modern operating systems (and that includes open-source ones) are constantly evolving and contain tens of millions of lines of code. It is only a matter of time until a defect slips by and is discovered by cybercriminals, or spies, even when the best development practices are followed.

And the technological environment in which an operating system exists is constantly in flux, making it nearly impossible to foresee threats that do not presently exist, but might exist in the future, Black said.

People involved with the EAL effort have told me just how poor the state of infrastructure security is. But fear not: in my research, security industry executives and an NSA official have assured me that President Obama “gets it.”

The reality is that there is an infrastructure crisis, and the WSJ’s hacking report, while troubling, is only a symptom of what ails us. The American Society of Civil Engineers has spent much of the past decade grading the nation’s infrastructure, only to be ignored.

This year, the engineers give the U.S. an overall grade of a D, and estimate that it will take an investment of several trillion dollars to bring states up to code. The stimulus package only goes a small way toward meeting those needs.

It’s time for the U.S. to get serious about infrastructure, and yes, it costs money to do these things. That could even require (gasp) a tax hike to pay for our safety. The work needs to be done, and is long overdue.
