New Articles for This Topic
Last Update Date: Tue, 14 Mar 2006 12:57:59 -0500 (EST)
- http://www.esj.com/security/article.aspx?EditorialsID=1656
"Building Better Applications: Beyond Secure Coding"
Enterprise Systems (03/28/06); Schwartz, Mathew
In the face of mounting security breaches, regulatory requirements, and
audits, more companies are working to educate their developers about secure
coding, with the goal of creating software with as few vulnerabilities as
possible. The premise is that improved training will lead to applications
with secure data encryption, strong passwords, and complete input
validation. Bad code accounts for as many as 80 percent of the security
problems in existence today, wrote security consultant Bar Biszick-Lockwood
in an IEEE report. As part of an IEEE group commissioned to study secure
computing, however, Biszick-Lockwood found that most security problems
emerge from constrained budgets, unreasonable deadlines, and a lack of
support from executives, rather than inadequate training. Bad code is more
often indicative of business problems than a flawed development team. The
data breach notification emails that customers receive with alarming
frequency speak more to a basic misunderstanding of the business value of
security at a decision-maker level than to an error in a specific
application. Executive education is the first place to start when trying
to develop a culture of secure computing, says Herbert Thompson of Security
Innovation. Since selling executives on the value of an education program
can be tough, developers can use a calculus that identifies potential flaws
at each stage of development, weighing the cost of fixing bad code before
it is released compared with fixing it after the release. With senior
management on board, development teams must then adjust their thinking to
account for what constraints need to be built into the application from the
outset, rather than simply focusing on the application's core
functionality. Once a project is completed, companies must subject their
code to rigorous security testing just as they test for functionality,
attacking it as a hacker would.
- http://infoworld.com/article/06/05/19/78509_HNholesinapproach_1.html
"Researchers: Spend to Protect Against One Attack, Not Many"
IDG News Service (05/19/06); Kirk, Jeremy
In a scholarly paper to be presented in June at England's University of
Cambridge, a research team from Florida Atlantic University will make a
strong and somewhat unusual mathematical case for how companies should
spend their IT budgets. The researchers studied how firms can assess their
vulnerabilities, determine the risk, and figure out the damage potential.
The paper places threats into two categories: distributed attacks, which
appear in the form of viruses, spyware, and spam, and focused attacks by a
hacker. What the researchers determined, through risk analysis and
equations, goes against apparently intuitive computer security efforts.
Spending evenly to protect against all attacks is not automatically the
correct approach if one type of breach could cause many times more harm than
another type. While the "eggs in one basket"
effort may worry IT administrators, the research paper reveals that with
restricted budgets, compiling defenses against one attack may be the
smartest way, as focused attacks have typically proven to create more
economic damage than distributed attacks. "We're proposing that companies
should look at vulnerabilities of a system, and if they are in
high-vulnerability and high-loss scenario, they really, really should spend
the most money on targeted attacks trying to prevent hackers," professor
Qing Hu said.
New Articles for This Topic
Last Update Date: Sat, 29 Oct 2005 23:04:10 -0400 (EDT)
- http://www.acm.org/technews/articles/2005-7/1109w.html#item6
"Homeland Security's Vague Cyber Plan"
The Department of Homeland Security has released the latest version of the
federal government's cybersecurity proposal, and is welcoming comments on
the plan through Dec. 5, 2005. Although the draft National Infrastructure
Protection Plan is supposed to offer more detail than the preliminary ...
- http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci11714
"Scientists Band Together for TRUST-worthy Research"
SearchSecurity.com (03/07/06); McKay, Niall
The Team for Research in Ubiquitous Secure Technology (TRUST) initiative is
performing a key role in the nation's effort to safeguard its digital
infrastructure from cyber criminals. Funded by $19 million from the
National Science Foundation, and led by the University of California,
Berkeley, TRUST brings together computer security leaders from universities
across the country to build better systems and develop better policies for
government and business. In fact, policy changes can determine the
effectiveness of technology, particularly with regard to the use of
publicly available information such as Social Security numbers to partly
authenticate an individual, according to Fred Schneider, chief scientist of
TRUST. Schneider, who is also a professor of computer science at Cornell
University, adds that storing large amounts of information on individuals,
often without their consent or knowledge, is another issue that needs to be
addressed as a matter of policy. Among other projects, TRUST participants
are focusing on language-based security to develop "security grammar" for
computer programming languages, as a way to warn systems and users before
they run downloaded executables or worms. Participants from
Stanford University have developed software for the U.S. Secret Service
called PwdHash, which is designed to prevent a cyber attacker from
intercepting messages in a public key exchange and substituting his own for
the requested one. Experts from Carnegie Mellon, San Jose State, and
Vanderbilt universities and several small liberal arts colleges are
involved in TRUST, which is also receiving assistance from companies such
as IBM, Cisco Systems, and Microsoft.
- http://www.infoworld.com/article/06/03/13/76377_HNgpghole_1.html
"Security Hole Found in Crypto Program GPG"
IDG News Service (03/13/06); Niccolai, James
Developers of the open-source GnuPG encryption software say the program has
a security flaw that may enable an attacker to sneak malicious code into a
signed email message. GnuPG, also known as Gnu Privacy Guard, is an
open-source version of the PGP encryption program used for encrypting data
and creating digital signatures. The GnuPG team discovered the flaw when
they were testing the patch for a previous vulnerability reported last
month. "Someone who's able to intercept the message as it's transmitted
could inject some data, and then the person who verifies the signature
would be told it's a valid, unaltered message," says Secunia CTO Thomas
Kristensen. "That's one of the main purposes of the program, so it's quite
significant." Secunia ranked the flaw as "moderately critical." It
affects all versions of GnuPG prior to 1.4.2.2, and users are being warned
to upgrade their systems immediately to that release.
- http://www.eweek.com/article2/0,1895,1936666,00.asp
"VM Rootkits: The Next Big Threat?"
eWeek (03/10/06); Naraine, Ryan
Researchers at Microsoft Research and the University of Michigan have
partnered to develop prototypes for virtual machine-based rootkits that
significantly push the envelope for concealing malware and that can
maintain control of a target operating system. The proof-of-concept
rootkit, called SubVirt, exploits known security flaws and drops a virtual
machine monitor (VMM) below a Windows or Linux installation. The rootkit
is impossible to detect once it is put into a virtual machine because it
cannot be seen by security software running in the target system. The
prototype will be presented at the IEEE Symposium on Security and Privacy
later this year. It was created by Microsoft's Cybersecurity and Systems
Management Research Group, the Redmond, Wash., unit responsible for the
Strider GhostBuster anti-rootkit scanner and the Strider HoneyMonkey
exploit detection patrol. "We used our proof-of-concept [rootkits] to
subvert Windows XP and Linux target systems and implemented four example
malicious services," the researchers stated in a paper describing the
attack scenario. "[We] assume the perspective of the attacker, who is
trying to run malicious software and avoid detection. By assuming this
perspective, we hope to help defenders understand and defend against the
threat posed by a new class of rootkits," says the paper. The SubVirt
project implemented VM-based rootkits on two platforms and was able to
write malicious services without being noticed, according to the group.
New Articles for This Topic
Last Update Date: Thu, 14 Jul 2005 09:41:16 -0500
- http://www.eurekalert.org/pub_releases/2005-06/ns-ttc062205.php
"Researchers Beginning to Focus on True Cost of Cybercrime"
With Internet-related crime becoming more common, researchers at Carnegie
Mellon University, the University of Cambridge and the University of
Toronto are trying to uncover its true cost to business and the public.
Among other things, researchers have discovered that even a disclosure of
vulnerability costs software firms money in reduced stock prices, even
though the disclosures and attendant patches increase customer security in
the long run. Researchers also found that the price tag of denial of
service (DoS) attacks can extend beyond the immediate service outage
through long-term reductions in site traffic, but that businesses sometimes
greatly overestimate the costs of such attacks.
- http://www.acm.org/technews/articles/2005-7/0801m.html#item4
"Router Flaw Is a Ticking Bomb"
Former Internet Security Systems (ISS) researcher Mike Lynn was so
perturbed about a flaw in Cisco Systems' Cisco IOS that he defied mandates
from Cisco and his employer to keep it secret and disclosed the
vulnerability at last week's Black Hat conference. The significance of the ...
- http://www.acm.org/technews/articles/2005-7/0912m.html#item4
"Mac Community Must Wake Up to Security"
Many Mac users operate under the false assumption that they are immune to
the security threats that plague Windows users, but although Macs are
targeted less frequently than Windows-based machines, they nonetheless
contain significant vulnerabilities. One problem is the dogmatic faith ...
- http://www.sdmagazine.com/documents/s=9863/sdm0509a/0509a.html
"False Protection"
Software Development (09/05) Vol. 13, No. 9, P. 34; O'Connell, Laurie
The software designed to bolster enterprise systems against malware and
other cyberthreats has itself become a ripe target for hackers, and
analysts such as Cigital CTO and author Gary McGraw say security software
providers' failure to be software security practitioners is chiefly to
blame. "Vendors have to engineer security into the development application
lifecycle, get developers to have core responsibility, and give them the
tools to do it," says Yankee Group analyst Andrew Jaquith. He suggests
that security software developers perform design reviews early and
regularly; run nightly regression tests and frequent code base reviews;
maintain focus on privilege levels and authorization management; study
component authentication; unearth buffer overflows; and conduct checkpoint
reviews with security-savvy personnel. Jaquith also recommends that
developers test for functions the application is not supposed to carry out.
Furthermore, he advises developers to base their choice of vendor or
software security system on hard evidence of best practices and an
exhaustive technique for spotting and fixing problems encountered by staff,
clients, or third parties. Another way to boost security is to fortify the
patching infrastructure and analyze security products' auto-update
components. An organization's general security can also be shored up by
deploying a diverse assortment of anti-virus products from multiple
vendors, as well as multisourced solutions from varying code bases.
- http://www.acm.org/technews/articles/2005-7/0926m.html#item15
"Basic Training for Anti-Hackers"
The threat of terrorists penetrating computer networks and wreaking havoc
prompted the creation of the Cyber Security Boot Camp, an intense 10-week
summer program hosted by the U.S. Air Force and Syracuse University in
which participating college students study and practice hacking so that ...
- http://www.acm.org/technews/articles/2005-7/0930f.html#item15
"Destructive Power of Mobile Viruses Could Rise Fast, Experts Say"
As the interconnectedness central to the dream of the digital home rapidly
becomes a reality, a host of security and privacy concerns arises. The
same Web cams that alert users to suspicious activity within their homes
can also be used by hackers seeking to break in to determine if anyone is ...
- http://www.acm.org/technews/articles/2005-7/1021f.html#item3
"Sue Companies, Not Coders"
While some have called for holding individual programmers accountable for
security vulnerabilities in the codes they write, a more sensible approach
would place the responsibility on their employers, writes Counterpane
Internet Security CTO Bruce Schneier. The reason for this is incentive, ...
New Articles for This Topic
Last Update Date: Fri, 20 Aug 2004 15:56:34 -0500
- http://www.acm.org/technews/articles/2004-6/1008f.html#item15
"Security Flaws in Popular Chess Web Site Found by University of Colorado Team"
University of Colorado at Boulder students hacked the 30,000-plus-member
Internet Chess Club as part of research funded by the National Science
Foundation. With guidance from University of Colorado at Boulder computer
security researcher John Black, two students reverse-engineered the service ...
- http://www.acm.org/technews/articles/2004-6/1013w.html#item2
"The Quest for Secure Code"
Poor software quality is responsible for every one of the SANS Institute's
top 20 Internet security vulnerabilities, yet universities still fail to
teach proper coding techniques and government remains cowed by industry
lobbying efforts. SANS Institute research director Alan Paller says ...
- http://www.acm.org/technews/articles/2004-6/1103w.html#item13
"When Hackers Attack"
College and university IT administrators are learning to deal with hacker
intrusions aggressively, implementing tough password-change policies and
stepping up efforts to educate users. When Purdue University IT officials
discovered their network had been hacked by someone using about 100 stolen ...
- http://www.acm.org/technews/articles/2004-6/1115m.html#item2
"Study: Supercomputer Clusters Shortchange Security"
U.S. capabilities in decryption and other narrow fields are threatened by
the fast rise in clustered supercomputing, warned the National Research
Council at ACM's SC2004 supercomputing conference. Clustered systems now
make up 296 of the 500 fastest supercomputers, but are not as good as more ...
- http://www.acm.org/technews/articles/2004-6/1119f.html#item9
"New Security Standards to Strengthen SCADA"
National Institute of Standards and Technology (NIST) engineer Keith
Stouffer reports that Supervisory Control and Data Acquisition (SCADA)
systems critical to U.S. infrastructure are increasingly susceptible to
cyberthreats due to their growing linkage with IP networks. Stouffer also ...
- http://www.acm.org/technews/articles/2005-7/0107f.html#item6
"Is Your Wireless Network Secure?"
The University of Missouri-Rolla chapter of the ACM's Special Interest Group
on Security, Audit, and Control (SIGSAC) carried out an audit of the
Rolla community's wireless networks, and determined that 56 percent
of the 589 recorded networks were totally insecure, according to ...
- http://www.acm.org/technews/articles/2005-7/0114f.html#item7
"Torvalds Criticizes Security Approaches"
Linux creator Linus Torvalds criticized parts of the process in which
potential Linux kernel security problems are divulged to fellow kernel
users during a recent mailing list discussion among developers that focused
on creating a security contact point people can employ when such issues ...
- http://www.acm.org/technews/articles/2005-7/0119w.html#item15
"Machine Wars"
The battle between hackers and system administrators is increasingly
reliant on automated tools: Bot software is so pervasive that newly
connected PCs are subjected to attack within 15 seconds, while the CERT
Coordination Center has stopped counting the number of annual hacking ...
- http://www.dailypennsylvanian.com/vnews/display.v/ART/2005/01/19/41ee10da2de56
Internet Explorer use poses security risk
Penn State U. urges students and staff to find alternatives; many not concerned by threat
- http://www.acm.org/technews/articles/2005-7/0124m.html#item16
"Enemy at the Gates: The Evolution of Network Security"
Enterprise network security may be cheaper, simpler, and more readily
available, but the threat of security breaches continues to keep pace with
new defensive technologies and products as hackers prove more crafty,
intelligent, and aggressive than originally assumed. Furthermore, the ...
- http://www.acm.org/technews/articles/2005-7/0218f.html#item5
"Software Firms Fault Colleges' Security Education"
In a panel session at the Secure Software Forum on Feb. 14, software
companies such as Oracle and Microsoft laid a lot of blame for flawed
software on a lack of education in secure programming for computer science
graduates. The software industry is a target of criticism for some ...
- http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,100051,00.html?from=story%5Fkc
Search Engines Give Hackers a New Tool
Malicious coders use Google, other sites to find IT flaws on Web
- http://www.acm.org/technews/articles/2005-7/0323w.html#item2
"Supersmart Security"
University of California-Berkeley computer science professor and
ACM President David Patterson describes computer security problems
as "glaring" because security measures follow an outdated
prevention-oriented rather than repair-oriented model. The ...
- http://www.acm.org/technews/articles/2005-7/0323w.html#item15
"How to Save the Internet"
CIO Magazine has tapped key figures in the information security community
to suggest "Big Ideas" for dramatically improving the security of the
Internet, excluding technological band-aids and "generic truths" such as
user education. The results are diverse and intriguing: National Security ...
- http://www.acm.org/technews/articles/2005-7/0325f.html#item2
"War of Words over Operating Systems' Safety"
Recent reports on Linux-based Web servers, the open-source Firefox Web
browser, and Apple's Mac OSX operating system raise doubts about their
security, which experts contend is still better than their Microsoft
equivalents. Symantec's biannual Internet Security Threat report issued on ...
- http://www.acm.org/technews/articles/2005-7/0401f.html#item4
"Kevin Mitnick and the Art of Intrusion--Part 1"
Hacker-turned-security-consultant Kevin Mitnick, who has compiled stories
of exploits in his book "The Art of Intrusion" as a guide to hackers' goals
and attack strategies, notes that the companies he offers his services to
are too concerned with regulation compliance and making money to fortify ...
- http://www.acm.org/technews/articles/2005-7/0408f.html#item11
"Lessons in Cybersafety"
The current Internet structure makes security breaches inevitable since it
assumes reasonable behavior, warned Harvard Law School Internet and society
executive director Jonathan Zittrain. Because attackers use the same
information avenue machines receive legitimate input from, there is always ...
- http://www.acm.org/technews/articles/2005-7/0413w.html#item5
"Diffie: Infrastructure a Disaster in the Making"
Whitfield Diffie, Sun Microsystems' chief security officer and co-creator
of the Diffie-Hellman key exchange, says in an interview that his biggest
concern is the proliferation of Windows systems into critical
infrastructure, which could result in major failures in the event of an ...
- http://www.acm.org/technews/articles/2005-7/0425m.html#item14
"Cyber Security Has Its Limits"
The recent intrusion into Carnegie Mellon University (CMU) business school
computers illustrates that not even top IT security institutions can
completely guard themselves against cyberthreats and that an entirely new
way of designing systems is needed, according to security and privacy ...
- http://www.acm.org/technews/articles/2005-7/0429f.html#item19
"Does Trusted Computing Remedy Computer Security Problems?"
Rolf Oppliger and Ruedi Rytz with the Swiss Federal Strategy Unit for
Information Technology weigh the benefits and drawbacks of trusted
computing, and conclude that the technology is unlikely to completely
inoculate PCs against the threat of malware. Trusted computing initiatives ...
- http://www.acm.org/technews/articles/2005-7/0504w.html#item1
"Computing Officials Worry That Proposed Federal Database Could Be Hacked"
The U.S. Department of Education is considering a "unit record" database
listing information on individual students, but technology experts are
worried about the database's vulnerability to hacking, a pressing concern
in light of recent intrusions into college and company servers. Purdue ...
- http://www.acm.org/technews/articles/2005-7/0511w.html#item4
"Internet Attack Is Called Broad and Long Lasting"
A 2004 penetration of a Cisco Systems network that led to the theft of
software for many of the computers tasked with regulating the flow of the
Internet was recently revealed by federal officials and computer security
investigators to be one salvo in an extensive series of breaches that ...
- http://www.acm.org/technews/articles/2005-7/0516m.html#item1
"Researchers Reveal Holes in Grid"
Researchers from MIT's Computer Science and Artificial Intelligence Lab
(CSAIL) and Lincoln Laboratory published a paper last week detailing how a
simple computer worm could trigger a cascade failure in a grid or cluster
environment by exploiting a vulnerability in the Secure Shell (SSH) remote ...
- http://www.acm.org/technews/articles/2005-7/0527f.html#item18
"Security: More Than Good Programming"
A new BZ Research survey of 383 software development managers lists a
variety of reasons as to why software applications are so riddled with
security holes. Poor programming practices, poor design and architecture,
and a lack of developer security training were cited by more than 50 ...
- http://www.acm.org/technews/articles/2005-7/0608w.html#item8
"Security Breaches Challenge Academia's 'Open Society'"
Carlson Companies data privacy manager Jay Cline reports that U.S.
universities are advising students, alumni, and employees to keep an eye on
their personal accounts because of security breaches, which are only now
coming to light because of the California Security Breach Notification Act, ...
- http://www.acm.org/technews/articles/2005-7/0608w.html#item12
"Q&A: Ex-eBay Security Chief Sees a Safer Internet in the Future"
Former eBay security chief and onetime chair of the President's Critical
Infrastructure Protection Board Howard Schmidt is generally optimistic that
the Internet's security will improve, and attributes this to a shrinking
gap between the identification of security issues and industry's response ...
- http://www.acm.org/technews/articles/2005-7/0615w.html#item1
"Are Security Threats Really Overhyped?"
Gartner principal analyst Lawrence Orans and Gartner vice president John
Pescatore recently released a report of the top five most "overhyped IT
security threats." The list includes attacks on IP telephony and mobile
devices, because warnings about such attacks are significantly ahead of any ...
- http://www.acm.org/technews/articles/2005-7/0701f.html#item19
"The Answer Is 42 of Course"
Independent security consultant Thomas Wadlow writes that the role people
play in online security makes absolutes irrelevant, and he advises
companies to base the defense of their security systems on the fundamental
question of how the network can be designed so that it is "safe enough." ...