There used to be a time when people touted how secure Firefox was over Internet Explorer. Not any more! At least the folks over at Mozilla are kind enough to check the status of your plug-ins for you. [ Go to their separate plug-in check page ]
If you’re interested in the vulnerabilities fixed in the recent Firefox update to version 3.6.9, head on over to the Firefox Security Advisories page. Ten of them are rated Critical, which Mozilla defines as follows:
Critical: Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
Note: After being advised that my Flash plug-in was out of date, Flash didn’t update properly when I went to the Adobe site. I jumped over to IE, then downloaded and installed the plug-in for Firefox manually. Make sure to read the Adobe install message before installing, as Adobe always wants to trick you into installing some type of additional product that you don’t want, by automatically selecting the check box option for installing one of its partner’s products. Keep in mind that the IE and Firefox versions of the Flash plug-in are not packaged together and need to be updated separately.
Do you ever get the feeling that the competition is one up on you? Are you always losing to the same competitor? Are you questioning how someone can possibly outbid you when you’re already submitting the lowest bid reasonably possible? If you answered yes to these questions, you might want to consider the computer security implications, including insider threat.
With the amount of information about hacking and social engineering available on the Web, it’s quite easy for an unscrupulous competitor or one of its employees to compromise one or more of your company’s computer systems for the sole purpose of gathering the information needed to underbid your company on contracts. This can be accomplished by hacking into your Web servers, sending employees email that will install Trojans, directing employees to Websites that will install Trojans, or obtaining physical access to your computer systems or network. With access to databases, emails, spreadsheets, documents and even the contents stored on copier hard drives, it’s easy to understand how a competitor might be able to take advantage of the situation and put you out of business.
As every computer security professional will tell you, user awareness is the key. Make a video, enter the contest and get a chance to win some cool prizes:
- Two (2) tickets to see Snoop Dogg in concert
- Opportunity to meet with Snoop’s management or agent
- A $1,000 travel stipend, awarded in the form of airline vouchers
- Hotel accommodations for two days and one night
- A super cool Toshiba laptop
Visit the site: http://www.hackiswack.com/
The most important concept to understand in computer security is the compromise vector. It is the key to understanding everything there is to know about computer security and hacking. Once you get your mind wrapped around the concept, you will view computer security from a completely different perspective.
Simply put, compromise vectors are the various avenues of attack that can be used to compromise systems, information and credentials. When a vulnerability is announced, the most important thing for people to ask themselves (or a computer security professional) is how the exploit associated with the vulnerability applies to the hardware, operating systems and applications they use or manage, or to other systems to which they connect. Some compromise vectors are obvious, others are not so obvious, but know that there are no “secret” compromise vectors – just variations and combinations of known techniques that tend to surprise those who don’t think like the most devious of hackers. In some cases, a vulnerability may be of no significance because it’s technically impossible to exploit the vulnerability given the compromise vector requirements: the vulnerable component isn’t installed, the installed version is already outside the affected range, or the attacker has no way to reach the vector (no listening service, no untrusted content being opened, no untrusted local users).
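The triage question above (“does this advisory actually reach the systems I manage?”) can be made mechanical. The script below is an added example, not part of the original post: it matches constructed advisories against a constructed inventory and reports each pair as exposed, mitigated, or not applicable. The three-vector model (network, remote-content, local), the advisory and asset field names, and every version number and product name are assumptions made up for illustration; they do not describe any real vendor bulletin.

```python
"""Advisory applicability triage (added example; all data below is constructed)."""
from dataclasses import dataclass

VECTORS = ("network", "remote-content", "local")   # assumed vector model


@dataclass(frozen=True)
class Advisory:
    ident: str
    product: str
    affected_from: str              # first affected version, inclusive
    fixed_in: str                   # first fixed version, exclusive
    vector: str                     # how an attacker reaches the flaw (see VECTORS)
    requires: frozenset = frozenset()   # extra preconditions, e.g. "plugin:flash"


@dataclass
class Asset:
    name: str
    installed: dict                 # product -> installed version string
    network_exposed: bool           # the product listens on a reachable port
    opens_untrusted_content: bool   # browses the web, opens mail attachments, ...
    untrusted_local_users: bool     # people with shell/desktop access you don't trust
    features: frozenset = frozenset()   # enabled plug-ins / options


def parse_version(s):
    """'3.6.9' -> (3, 6, 9); tuple comparison makes (3, 6) < (3, 6, 1)."""
    return tuple(int(part) for part in s.split("."))


def version_in_range(version, lo, hi_exclusive):
    """True when lo <= version < hi_exclusive, compared numerically per component."""
    v = parse_version(version)
    return parse_version(lo) <= v < parse_version(hi_exclusive)


def triage(adv, asset):
    """Return (status, reason); status is 'exposed', 'mitigated' or 'not-applicable'."""
    ver = asset.installed.get(adv.product)
    if ver is None:
        return "not-applicable", f"{adv.product} is not installed on {asset.name}"
    if not version_in_range(ver, adv.affected_from, adv.fixed_in):
        return "not-applicable", f"{adv.product} {ver} is outside the affected range"
    missing = adv.requires - asset.features
    if missing:
        return "mitigated", "precondition absent: " + ", ".join(sorted(missing))
    reachable = {
        "network": asset.network_exposed,
        "remote-content": asset.opens_untrusted_content,
        "local": asset.untrusted_local_users,
    }[adv.vector]
    if not reachable:
        return "mitigated", f"'{adv.vector}' vector is not reachable on {asset.name}"
    return "exposed", f"{adv.product} {ver} is reachable via the '{adv.vector}' vector"


def triage_all(advisories, assets):
    """Map (asset name, advisory id) -> status for every pair."""
    return {(a.name, adv.ident): triage(adv, a)[0] for a in assets for adv in advisories}


# Constructed advisories (hypothetical products and version numbers).
ADVISORIES = [
    Advisory("ADV-1", "webbrowser", "3.0", "3.6.9", "remote-content"),
    Advisory("ADV-2", "webbrowser", "3.0", "3.6.9", "remote-content",
             frozenset({"plugin:flash"})),        # only exploitable with the plug-in
    Advisory("ADV-3", "fileserver", "1.0", "1.4.2", "network"),
    Advisory("ADV-4", "kernel", "2.6.0", "2.6.33", "local"),
]

# Constructed inventory.
ASSETS = [
    Asset("laptop", {"webbrowser": "3.6.8", "kernel": "2.6.32"},
          network_exposed=False, opens_untrusted_content=True,
          untrusted_local_users=False, features=frozenset({"plugin:flash"})),
    Asset("shared-server", {"fileserver": "1.4.1", "kernel": "2.6.32"},
          network_exposed=True, opens_untrusted_content=False,
          untrusted_local_users=True),
    Asset("patched-laptop", {"webbrowser": "3.6.9"},
          network_exposed=False, opens_untrusted_content=True,
          untrusted_local_users=False),
]

if __name__ == "__main__":
    for (name, ident), status in sorted(triage_all(ADVISORIES, ASSETS).items()):
        print(f"{name:15} {ident:6} {status}")
```

Note the order of the checks: version range first, then preconditions, then reachability. The same kernel flaw (ADV-4) is “mitigated” on the single-user laptop but “exposed” on the shared server purely because of who can reach the local vector, which is exactly the judgement the paragraph above asks you to make.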
Anthony M. Freed posted an interesting discussion he had with Larry Clinton, Internet Security Alliance (ISA) President and CEO. This is probably the most intelligent and grounded perspective on computer security I’ve read in a long time.
We are extremely fortunate Mr. Clinton has set aside some time from his very busy schedule to offer some insight into the critical role ISA plays in shaping the future of cybersecurity.
via Infosec Island
There are a lot of really smart people in Internet land and I think it’s important to understand everyone’s perspective on computer security to see the big picture. Each of us has something to contribute to the discussion. No single person can have enough knowledge to solve the world’s computer security crisis by himself, but by sharing ideas and working together, we can collectively make a difference to make computing secure.
Mac users like to say their computers are more secure than Windows-based computers. I’m not saying all Mac users say OS X is more secure than Windows, but I’m sure everyone knows somebody that does. I usually keep my mouth zipped when someone states it, because it’s pointless to argue with someone that believes their operating system is less exploitable just because another operating system is more exploitable. Apple’s Security Update 2010-005 provides all the evidence that’s needed to set the record straight once and for all.
Mainstream media is filled with stories that cybersecurity personnel are in demand these days, which is convincing some people to consider a career in computer security. But what type of jobs are available and what might interest someone like you? Computer security jobs can be broadly categorized into these general areas:
Securing systems. A person is responsible for implementing security checklists, applying security patches, managing permissions to specific resources and checking log files. System and network administrators typically do this as part of their regular duties for the equipment they manage.
If you answered “no” to this question, you’re in good company. Pretty much everyone who knows anything about computer security shares this view as well. And as we all know, if everyone (95-99%) believes something is true, it must be true, right?
As you might have already guessed, I’m in the minority that says that it is possible. I don’t hold it against you that you don’t believe it’s possible. Being quite honest, I expect you to not believe it’s possible. Why? Because given current computer technology and security paradigms, it’s impossible. But I’m not talking about making current computing technology secure, I’m talking about starting from scratch with a clean sheet of paper. If you’re interested in how it might be possible to engineer a computer that is 100% secure, please read on.
There is a classic tale that originated in India about a number of blind men that wanted to know what an elephant looks like. Each man touched a different part of the elephant’s body and therefore had a different mental image of the elephant. (Wikipedia: Blind Men and the Elephant) What does this tale have to do with computer security? Not all computer professionals have the same perspective or knowledge when it comes to computer security.
When people choose a computer profession, they usually specialize in one or two areas – system administration, networking, programming, database management, security, etc. While it’s possible for someone to have a good working knowledge of other areas, truly mastering one particular area means that a person has to sacrifice depth in the others. This includes specializing in certain vendor-specific operating systems and/or applications. Not only that, some people have no interest in one or more of the other areas or vendor products, and as a result, have little or no knowledge about certain areas or products.
The first time I discussed writing a book about the shortcomings of computer security with one of my bosses, we were having lunch in a Chinese restaurant eating won ton soup. After describing the book’s contents, a look of concern washed over his face.
“Are you sure writing a book is a good idea?” he questioned.
“What do you mean?” I asked.
“Some of what you know is very dangerous in the wrong hands.”
I paused for a moment to think about what he said. “What do you mean by dangerous in the wrong hands? Hackers already know a lot of this information.”
“No,” he said shaking his head, “not all hackers know what you know and on top of that, you’re telling them how and why it’s possible to avoid detection. Don’t you see a problem with that?”
“That’s definitely an issue, but don’t you think it’s a bigger issue that people don’t know the truth? Don’t you think people need to know that all of this computer security we rely on only works against amateurs?”
My boss put down his chopsticks and spoon, wiped his mouth and mustache with his napkin and placed the napkin beside his bowl. “Just be careful what you write [ Mister Reiner ],” he said with a stern look. “You don’t want to be responsible for creating an army of super hackers.”
Bill Mullins has an interesting post on his blog that brought back the memory of this lunch with my boss. I’m siding with Bill of course. It’s ridiculous for someone to suggest that Bill is part of the malware problem.