One of my favorite news sites is CIO.com. I might not be a CIO, but it often carries very insightful articles about high-level concepts.
The article I read today was named “Insecure Software’s Real Cost: Software and Cement” and written by David Rice. It was an excerpt from his book “Geekonomics: The Real Cost of Insecure Software”.
(ISBN-10: 0-321-47789-8 / ISBN-13: 978-0-321-47789-7).
Honesty forces me to say that I’m a sucker for moral tales, and it has been a while since I read a story that made such a nice reference to history in regard to modern technology.
Continue reading “What if our cement was as reliable as our software” →
What’s up in the experimental Google Labs? Check out the following experiment, where you blend the search results into something more appropriate for your search.
This experiment lets you influence your search experience by adding, moving, and removing search results. When you search for the same keywords again, you’ll continue to see those changes. If you later want to revert your changes, you can undo any modifications you’ve made. Note that this is an experimental feature and may be available for only a few weeks.
So how does it work?
Continue reading “gBlender; blending the search results your way” →
Greenpeace has released its 6th edition of the “Guide to Greener Electronics” ranking.
This guide ranks leading mobile phone, game console, TV and PC manufacturers on their global policies and practice on eliminating harmful chemicals and on taking responsibility for their products once they are discarded by consumers. Companies are ranked on publicly available information and on clarifications and communications with the companies.
Check it out here.
- 7.7 Sony Ericsson
- 7.7 Samsung
- 7.3 Sony
- 7.3 Dell
- 7.3 Lenovo
- 7.0 Toshiba
- 7.0 LG
- 7.0 Fujitsu-Siemens
- 6.7 Nokia
- 6.7 HP
- 6.0 Apple
- 5.7 Acer
- 5.0 Panasonic
- 5.0 Motorola
- 4.7 Sharp
- 2.7 Microsoft
- 2.0 Philips
- 0.0 Nintendo
Check out the full version here.
The SANS Top 20 2007 is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious government agencies in the UK, US, and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; the Internet Storm Center; and many other user organizations.
For the lazier amongst us, here’s a quick overview of the key points:
- Operating systems have fewer vulnerabilities that can lead to massive Internet worms.
- There has been a significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, in office software, in media players and in other desktop applications.
- Users who are allowed by their employers to browse the Internet have become a source of major security risk for their organizations.
- Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year.
- The default configurations for many operating systems and services continue to be weak and continue to include default passwords. As a result, many systems have been compromised via dictionary and brute-force password guessing attacks in 2007!
- Attackers are finding more creative ways to obtain sensitive data from organizations. Therefore, it is now critical to check the nature of any data leaving an organization’s boundary.
Operating systems have become more secure, yet malware now focuses on the client side. Attackers have become more creative; think of fast flux, the Storm botnet, and so on. Configurations, on the other hand, are not creative at all: default configurations still give outsiders “easy access”. Technology hasn’t been standing still and your home has become worldly, so keep your security practice up to pace as well. Don’t forget that USB keys, (stolen) laptops, BlackBerries and the like also contain sensitive corporate data.
Don’t simply blame the vendor (e.g. Microsoft), but also blame yourself for not keeping up the pace!
ENISA released its latest position paper on “botnets”, you can read it here.
The motivation behind setting up a botnet has changed in the last few years: the people behind this threat are no longer teenagers playing games, but experienced criminals involved in online fraud and illegal activities. Why are such people interested in controlling so many computers?
- Distributed Denial of Service attacks (DDoS)
- Online fraud
- Further stealth attacks
- Malicious code distribution
- Click Fraud
- New business models
Source: Security4All (BennyK)
If you’d like a listing of all the packages installed on your Ubuntu system but are unable to use the update manager, revert to the old-skool Debian way:
kvaes@ubuntu # dpkg --get-selections | grep -v deinstall
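As an added example (not part of the original post), the following POSIX shell script parses the two-column output format of `dpkg --get-selections` (package name, selection state) and keeps only the packages whose state is `install`, which is what the `grep -v deinstall` above approximates. It also goes one step further than the post and diffs the installed list against a known-good baseline, so that packages that appeared since the last inventory stand out. The `SAMPLE_SELECTIONS` input is constructed to mimic dpkg output so the script runs offline; on a real system you would pipe the actual `dpkg --get-selections` output into the functions instead.

```shell
#!/bin/sh
# Constructed sample that mimics `dpkg --get-selections` output.
# Real dpkg output separates the columns with tabs; awk treats tabs and
# spaces alike, so spaces are used here for readability.
SAMPLE_SELECTIONS='bash            install
coreutils       install
telnetd         deinstall
openssh-server  install
old-tool        purge
'

# installed_packages: read dpkg selection lines on stdin and print the
# package names whose selection state is exactly "install".
# Unlike `grep -v deinstall`, this also drops "purge" and "hold" entries
# and cannot be fooled by a package whose name contains "deinstall".
installed_packages() {
    awk '$2 == "install" { print $1 }'
}

# unexpected_packages BASELINE: read dpkg selection lines on stdin and
# print installed packages that do not appear in BASELINE, a
# newline-separated list of package names taken from a known-good
# inventory. Useful for spotting software that was added to a host
# without your knowledge.
unexpected_packages() {
    baseline=$1
    installed_packages | while IFS= read -r pkg; do
        # -x: whole-line match, -F: literal (package names may contain '+')
        printf '%s\n' "$baseline" | grep -qxF -- "$pkg" || printf '%s\n' "$pkg"
    done
}

# Stand-alone usage: list installed packages from the sample, then show
# which of them are missing from a (constructed) baseline.
printf '%s' "$SAMPLE_SELECTIONS" | installed_packages
printf '%s' "$SAMPLE_SELECTIONS" | unexpected_packages 'bash
coreutils'
```

To use it on a live Ubuntu or Debian box, replace the `printf '%s' "$SAMPLE_SELECTIONS"` with `dpkg --get-selections`, and store the output of `installed_packages` from a freshly built machine as the baseline file.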
I’ve always been very interested in the workings of the Russian Business Network (RBN). So after reading a post on BennyK’s blog about a whitepaper of the RBN, I immediately started reading it.
SANS referred to a whitepaper from David Bizeul on the RBN. He spent the past three months researching the Russian Business Network. The 70-page paper is on David’s web site, or you can use the SANS mirror.
If you’re somewhat interested in the back office of malware setups, then this is a real MUST-READ for you!
The Secure Programming Council unveiled a proposed standard for companies to test their software developers’ knowledge of secure programming. The aim is to create a situation in which companies can ensure that their developers, whether in-house or outsourced, have a base level of knowledge about building security into software applications.
The council is rolling out its “Essential Skills for Secure Programmers Using Java/JavaEE” (pdf), the first of six standards initiatives. It plans to later add skills tests for C and C++, as well as for .Net, PHP, and Perl.
The council is opening up the Java/JavaEE proposed standard for public comment via e-mail over the next 60 days. Some of the proposed areas of testing include data handling, authentication, session management and access control. For example, under the data handling task, Java programmers must be able to write programs that read input from interfaces, properly validate the data, and then disseminate it. The programmers would also need to be familiar with such malicious-attack scenarios as cross-site scripting and SQL injection.
The skill testing is designed to not only ask developers whether they know what encryption is but whether they understand the differences between PKI encryption and other forms of encryption, said Ryan Berg, co-founder of Ounce Labs and a member of the Secure Programming Council’s Java and JavaEE steering committee.
More than 40 companies, government agencies, and security firms have participated in helping to establish the standards, largely coming from the financial services, manufacturing, aerospace, military, and outsourcing industries, said Alan Paller, director of research at SANS Institute.
“One large financial institution has told its developers that they had to pass the test by August 1, or they won’t touch a line of code,” Paller said. “The financial industry is taking the lead because they have the most to lose.”
SANS will administer the tests, which are scheduled to begin on December 5 in London and continue for the next eight months in cities throughout the United States and Europe. The admission fee will be between $50 and $450, for participants ranging from students to employees of large corporations.
I must say that I can only applaud such an effort. Security shouldn’t be considered a “nice-to-have”, but a “must-have” within the development cycle.
Check out GSSP @ SANS
Nine roles to rule them all
Meredith Belbin’s book “Management Teams” presented conclusions from his work at Henley Management College, where he studied how members of teams interacted during business games. Amongst his key conclusions was the proposition that an effective team has members that cover nine key roles in managing the team and how it carries out its work. This may be separate from the role each team member has in carrying out the work of the team.
These roles are:
- Doing / Acting
- Thinking / problem-solving
- Monitor / Evaluator
- People / feelings
- Resource / Investigator
Continue reading “Belbin’s Team Roles” →
The papers are available free, and without registration, via the links below.
The links below will lead you to a summary of each talk, and to a link for downloading the associated paper (PDF file). Note: paper titles followed by “*” are not currently available for download; check back later for the latest downloads. Enjoy!
Continue reading “LinuxDevices.com presents 28 papers about real-time & embedded linux” →