I’ve Got A Secret…
OK, so it’s not me. It is now well known that there is a(nother) flaw in DNS. The flaw was due to be ‘revealed’ next month at a security conference, but someone else reverse-engineered the threat from the small amount of information that had leaked out and let the cat out of the bag. (There was another one this week as well, relating to WiFi devices… so, in case you were wondering, these things are a regular occurrence.)
So, the question is: should such information be made public, and if so, when? In this case, at least it was a friendly hacker who pieced together the information and then went public with it. Of course there might be some cyber-criminals who have also done this - perhaps we won’t know (until it’s too late).
The reason the vulnerability wasn’t publicly released was to give the various vendors time to patch their software and to give users time to deploy the patch. More often than not the vulnerability is public (or is being sold in the underground economy) before a fix is available, and this tends to act as a catalyst for a fix to be made available rapidly. Of course, having a fix available and having users deploy it are very different things.
Companies need to consider whether to have someone watch for these vulnerabilities and patches. This usually falls to someone in an IT department - and while it was popular a few years ago, it seems to have waned. As with most threats, this is something which SMBs/SMEs also need to be aware of, and it can appear to be a huge effort. In fact CERT (www.us-cert.gov) has a great site and even has an RSS feed on the latest activity. It does take time (and effort) to separate the wood from the trees as far as your own organization is concerned, but the effort is worth it.
On balance it is better to know about potential problems before they occur (even if there isn’t an immediate fix available): Forewarned is forearmed.
Open Source… Opens Security Holes?
One of the things I talk about to customers is the potential issues with Open Source and security. It seems that others are also concerned and Fortify have been analyzing the problem.
They looked at a number of the Open Source packages available and, for a couple of the most popular, found that they were vulnerable to SQL injection attacks as well as Cross-Site Scripting. Open Source is a good thing, don’t get me wrong; however, security is not necessarily at the forefront of the developers’ minds when they are developing functionality. With access to datacentre information over the web, these applications represent a real risk when it comes to data loss and general IT security. Perhaps we need to give Open Source applications a security rating?
There have yet to be any cases of popular Open Source applications being deliberately compromised by cyber-criminal gangs - but we do know that their operations are becoming increasingly sophisticated in their approaches - and perhaps they have already done this, and we just plain don’t know about it…
So, if you are going down the Open Source route this is another case of ‘buyer beware’… except of course it’s ‘free’…
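The two flaw classes Fortify reported in those packages, SQL injection and Cross-Site Scripting, both come from the same habit: pasting untrusted input straight into a query or a page. The following is an added illustration, not code from the post or from any of the packages Fortify examined; the `users` table, the sample rows and the probe strings are all constructed here so it runs offline against SQLite. Each vulnerable function sits beside its hardened form (a parameterised query, and HTML escaping).

```python
import html
import sqlite3


def make_db():
    """Build an in-memory SQLite database with a constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, name):
    """Vulnerable pattern: the caller's input is pasted into the SQL text.
    A value containing a single quote changes the structure of the query."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    """Hardened pattern: parameterised query. The driver sends the value
    separately from the statement, so quotes in the input remain data."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name):
    """Reflected XSS pattern: untrusted text copied into HTML unescaped."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Hardened pattern: escape HTML metacharacters before the value
    reaches the page, so a tag in the input is shown as text, not run."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    # Constructed probe: a single quote that closes the string literal.
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(conn, probe))  # every row
    print("safe:      ", lookup_user_safe(conn, probe))        # []
    tag = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(tag))
    print(render_greeting_safe(tag))
```

The point for anyone rating a package, Open Source or otherwise, is that the fix is not a clever filter on the input but a change of interface: values travel through the query's parameter slot and through an escaping function, never through string concatenation. A code review or static analysis pass that flags string-built SQL and unescaped template output finds both classes at once.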