2006 12 28
Top Fear of Popular Community-Based Websites?
Becoming an unwitting accomplice to the development of armies of botnets so large that they are legitimate threats to critical infrastructure. The capability to inject web application vulnerabilities is pervasive, and these companies’ CISOs (if they even have a CISO) have virtually no regulatory stick to enact change for the better.
2006 12 27
Shrug as a Bug
By Larry J. Hughes, Jr. (larry.hughes@infosecintrospect.com)
What exactly is a security bug?
Virtually everyone vaguely familiar with the Internet — indeed, computers — has a vague sense of the term. After all, security bugs cause security problems, and we all know what those are.
Techies, of course, have a superior sense of the term. Yet none that I’ve asked to date — admittedly a fraction relative to the qualifying population — have given me a good definition. By that I mean one that is both (a) comprehensive enough to satisfy techies, and (b) understandable enough to satisfy laity.
This lack of a good definition bothers me, though not for the reasons you might think. I understand that security bug, like security itself, is an abstraction, and that abstractions are defined mostly by group-think.
What bothers me is that in the course of pushing security bugs, and more generally security vis-a-vis technology, to the forefront of our online consciousness, we have objectified it to its logical extreme without ever having defined it. I want to go on the record as saying this is dangerous.
Over time I’ll have a lot to say about why it’s dangerous. Meanwhile, I’ve broken ground for what I think is a good definition of security bug at http://en.wikipedia.org/wiki/Security_bug.
2006 12 22
INFOSEC, Legos and Safes - Oh My!
By Larry J. Hughes, Jr. (larry.hughes@infosecintrospect.com)
I recently purchased a home safe by Sentry. I have no illusions about it being theft-proof. I mainly want something reasonably childproof, fireproof and waterproof.
It came with the kind of installation instructions I hate most - ones with words. This one had plenty. Since I was forced to read several pages worth of six-point font, I decided to don my naive user hat and keep score.
- Nowhere does it explicitly state that the instructions apply to at least four different models. I deduced it after finding four candidate starting points, including the one on a separate sheet labeled “Attention!” My safe bears no visible model identifier. (Maybe it was on the box the delivery fellow hauled off.) Anyway, mine is the “advanced” electronic model due to it having a dual-function prog/enter key vs. the single-function prog key.
- One of the four candidate starting points ominously states “Changing the combination voids your warranty.” One of the four tells you (correctly) that you must remove a set screw before first use.
2006 12 21
I can see you (and hear you)…
By Kurt Seifried (kurt@seifried.org)
An interesting month. Earlier in the month we have a report that a judge has ok’ed “roving” wiretaps, which use a person’s cell phone as a bug to transmit everything it hears to law enforcement. Oh, but it gets better; this has been going on since at least 2004.
To top things off we have Apple Computers Inc. “Security Update 2006-008” from earlier in the week. This flaw allows an attacker to create Java applets that can use the built-in iSight camera on an Apple computer to take images and upload them to a server.
Stop for a moment and look around. How many devices are there in the room with built-in cameras and microphones, and the ability to communicate with other devices?
2006 12 18
Brave New Operating System… ?
By Kurt Seifried (kurt@seifried.org)
A week ago I read an article with the title “BEA adopts virtual strategy with VMware” that changed my world, and just might change yours.
For those of you living under a rock, or chained to an old mainframe in the server room, VMware is a suite of software tools, and now an OS in its own right, that can run other operating systems within virtual containers. They have since been pushing hard into the application space. Application vendors such as Oracle and BEA largely view operating systems as a necessary evil. They generally don’t care what operating system you run the software on, other than that they have to support it, and that’s a pain in the *&%. Until now.
2006 12 14
Attack-Defender Paradox
By Emerson Tan (et@c4i.org)
Whilst doing my regular trawl through the morning’s information detritus, I stumbled upon an article in “The Register” on the new biometric passports that the US Dept of State is insisting that countries issue if they are to remain part of the US Visa Waiver Program. The first part of the article [1] seems to give it all away:
“But unlike the RFID passports the USA is now issuing, the Irish ones lack a security feature preventing them from being skimmed, or read surreptitiously.
2006 12 13
27001 on the rise
I have had two conversations with CISOs in the U.S. this week about projects to align their orgs with ISO 17799, to culminate in 27001 certification. 27001 has been slow going in the States, but it looks to be on the rise, and I think we are at the beginning of a wave of activities to use the ISO framework and map it to government-driven standards.