There's always a lot going on in the world of IT security. In any given week, I read about literally hundreds of vulnerability disclosures, high-profile security breaches, and changes in the security landscape for information technology. Press releases with a lot of spin on them, the boring minutiae of patch releases, and mind-numbing statistical analyses often dominate security news, but there are always a few gems worth the time of filtering them out of the mess. Here are my top 10 picks for the week ending September 15.
- Career: EC-Council University, a leading security professionals' education provider, is now offering a Master of Security Science (MSS) degree program. This degree, affectionately known as the Hacker Master's Degree, is described as the first of its kind in the world. Unlike many graduate degree programs, EC-Council's MSS course work is no ivory tower education. It requires both study at the university and concurrent practical experience working as a security professional in the "real world." You can't learn the necessary skills of a chief security officer out of a book, after all.
- Games: The Online Fantasy Football League suffers from an input validation error vulnerability. MhZ91 gets credit for this discovery. I'm reminded of Marvin Minsky's statement, "It's just incredible that a trillion-synapse computer could actually spend Saturday afternoon watching a football game." Worse yet, some of us are faking it with a fantasy football league — and suffering security issues as a result. Suddenly, blowing four hours on a World of Warcraft raid doesn't sound so bad.
- Government: For the second time in two weeks, China is accused of computer espionage. China, of course, denies the allegations — for the second time in two weeks. The victims include Germany and the United States, both of which confidently identify the attacks as originating with operations by the People's Liberation Army of China. In 2005, Time Magazine reported on the Pentagon's "Titan Rain" operation, an investigation of an epidemic of electronic espionage activity that was also traced back to China at the time. In the wake of the recent "cyber war" in Estonia, it's increasingly clear that cold wars have a new battlefront.
- Microsoft Windows: Vista Gadgets, those "mini-applications" that stack in a column on the right-hand side of your Windows Vista desktop, introduce some new vulnerabilities all their own to your computing landscape. Todd Manning offers a quick analysis of Vista Gadget Patches in MS07-048. A more exhaustive analysis of Vista Gadget vulnerabilities is available as a white paper from Portcullis Computer Security, "Next generation malware: Windows Vista's gadget API."
- Mobile malicious code: The term mobile code refers to code that's transferred across a network and executed on arrival without explicit instructions from the recipient. It's most often used to refer to virus and worm activity, which is sometimes collectively called mobile malicious code. The big news in mobile malicious code right now seems to be related to the Storm Worm, which was first identified as a spreading threat in January. Ironically, it is misnamed, as it isn't a worm at all. It is, instead, a self-propagating Trojan horse that shows some of the behavioral characteristics of a worm in its attempts to build a massive botnet. The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) reported last month that simply scanning a Storm Worm-infected machine with a vulnerability scanner can cause the malware to launch a massive DDoS attack on the system where the scan originated. To add to the fun, the Storm Worm botnet might be the world's most powerful supercomputer. Cue jokes about a mobile malicious code supercomputer having a self-preservation instinct and eventually turning into Skynet.
- Open source: As planet-websecurity.org put it, QuickTime pwns Firefox with a new proof-of-concept exploit. The vulnerability itself, however, is apparently not newly discovered: It was first reported almost a full year ago. Unfortunately, the announcement of the proof-of-concept exploit misuses the term zero-day exploit, applying it to a proof of concept for a year-old bug (expect more on the term zero day in a later article here at the IT Security blog). Regardless of terminology malfunctions, this news highlights a growing concern of mine: While Firefox was initially a lightweight, fast-moving, relatively secure Web browser, development practice at the Mozilla Foundation seems to have deteriorated to the point that Firefox may become the next Internet Explorer in terms of security, stability, and performance, even if it never matches IE for market share. Perhaps a new cross-platform open source browser is needed to take up the slack.
- Security software failure: Vulnerabilities in security software crop up all the time, as anyone whose computer has been infected by a virus or worm that actually turns off Norton AV scanning can tell you. Code Audit Labs, Jun Mao of iDefense Labs, and anonymous researchers discovered that Trend Micro's ServerProtect software is subject to a boundary condition error vulnerability. To quote the advisory at securityfocus.com, "Trend Micro ServerProtect is prone to multiple remote buffer-overflow vulnerabilities because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer." Remember that nothing is immune to security vulnerabilities in the information technology industry — including your security software itself.
- Speculation: Bruce Schneier asks whether home users are a public health problem. Click the link, and enjoy the read. I'll let the inimitable Bruce Schneier — to IT security as Chuck Norris is to whuppin' butt — speak for himself.
- Vendor malfeasance: It seems like every time I turn around, some software vendor is intentionally circumventing the security efforts of its customers. While Microsoft by far gets the most press for its heavy-handed "we know what's good for you" tactics, it isn't the only vendor to mistreat its customers this way. This week, however, the booby prize for vendor malfeasance goes to Microsoft yet again, as Microsoft updates Windows without users' consent, even when the Windows XP Automatic Updates functionality is supposedly deactivated. In businesses where a careful, well-tested rollout of patches on the company's schedule is critical to maintaining system security and stability, this sort of software behavior is simply unacceptable, and it's drawing comparisons to Sony's various rootkit scandals.
- Web applications: Have you considered using Basecamp for your business? It's an online business toolset and tool-building service provider that employs David Heinemeier Hansson (the inventor of the Rails Web application framework). Before making the decision to leverage the power of Rails, you might want to consider all the implications of the decision — including security. Security Basics mailing list member fukami has harsh things to say about Basecamp security. In fukami's own words: Don't use Basecamp if you care about security.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.