Security Maxims

These security maxims were compiled by Roger Johnston, who's with the Argonne Vulnerability Assessment Team, the Nuclear Engineering Division of the Argonne National Laboratory, which is a division of the U.S. Department of Energy. He has a Ph.D. and also his CPP credential, which is Certificate of Protection Professional.

Here's the first three:

Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys). 

Comment: We think this, because we always find new vulnerabilities when we look at the same security device, system, or program a second or third time, and because we always find vulnerabilities that others miss, and vice versa.

Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.

Arrogance Maxim: The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and to how often they use words like “impossible” or “tamper-proof”.

Bruce Schneier is also represented:

Schneier’s Maxim #1 (Don’t Wet Your Pants Maxim): The more excited people are about a given security technology, the less they understand (1) that technology and (2) their own security problems. 

Comment: From security guru Bruce Schneier.

Schneier’s Maxim #2 (Control Freaks Maxim): Control will usually get confused with Security.

Comment: From security guru Bruce Schneier. Even when Control doesn’t get confused with Security, lots of people and organizations will use Security as an excuse to grab Control, e.g., the Patriot Act.

AFP: Microsoft releases free computer security software

AFP: Microsoft releases free computer security software.

I've been using Microsoft Security Essentials (MSE) for over a month now, and it seems to work pretty well. It's getting good reviews from the security community, so I think it will be a permanent replacement to the Zone Alarm software I had been using.

You should enable the automatic update feature, since there is no reason to wait to install the latest patches for Windows, in my case XP. MSE also seems to be less of a burden to the processor than Zone Alarm, which seems to have gotten bloated in its maturity.

Oops! Mizzou sells phones without wiping memory by AP: Yahoo! Tech

Oops! Mizzou sells phones without wiping memory by AP: Yahoo! Tech .

I would guess that most cell phone users are not aware of how to do a factory reset. It would be worthwhile for the carriers to offer to service that would do this remotely.

Why is Rogue/Fake Antivirus so successful?

Why is Rogue/Fake AV so successful? .

This is today's diary entry from the Internet Storm Center from SANS.

It is obvious that the bad guys are making (serious?) money with this scamming scheme. There are couple of things interesting about rogue AV programs. First, the bad guys here do not use (in most cases) any sophisticated attacks on clients. They instead rely on visitors to wittingly install their "AV program". How do they do this? Through social engineering – they create web pages which are very authentic copy of legitimate screens in Windows operating systems. These web pages make visitors believe that their machine is infected with several malicious programs and that the offered "AV program" can help them clean it.

As it turns out, these scammers produce Web pages that closely resemble Windows' Security Center. But more importantly, security and privacy issues are not usually discussed in the popular media, so most Web users are caught unaware.

Google Safe Browsing Diagnostic Tool to check for sites serving malware

Find the Web sites that are serving or have served malware. It picked up the New York Times' recent hack.

http://www.google.com/safebrowsing/diagnostic?site= After the equal sign insert the URL of the site you wish to check.

Google Safe Browsing Diagnostic Page.

Health IT Standards Committee OKs guidelines for privacy, security of EHRs

healthit.hhs.gov: Health IT Standards Committee.

Scroll down to the links to the documents for the Sept. 15th meeting.

Adobe to Buy Omniture for $1.8 Billion - NYTimes.com. More Flash cookies?

Adobe to Buy Omniture for $1.8 Billion - NYTimes.com.

As soon as I read this headline, I thought about the problem of the proliferating, unmanageable Flash cookies.

From Wired.com's "You Deleted Your Cookies? Think Again.":

More than half of the internet’s top websites use a little known capability of Adobe’s Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash Cookies in their privacy policies, UC Berkeley researchers reported Monday.

Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.

Bruce Schneier in his "Schneier on Security" blog also cites this.

Security Pros Are Focused on the Wrong Threats

Technology - Bits Blog - NYTimes.com.

The is an overview of the recently released biannual report from the SANS Institute, which provides training and support for computer security professionals.

Microsoft is doing a better job in providing patches for Windows, so while this was the major concern in the past, there are two more important security risks emerging: security weaknesses in programs that are not usually updated on a regular basis (Microsoft Office, Adobe's Flash Player & Acrobat, Java apps, and Apple's QuickTime); and, attacks on company Web sites using such techniques as SQL injection and cross-site scripting. For instance, flaws in the code might unknowingly provide admin rights so that malicious script can be run.

In the worst cases, hackers can gain sensitive customer data, or infect users' computers, making them zombies within a larger botnet.

JavaScript zero day threat found in Adobe Reader and Acrobat

I'm listening to Steve Gibson's Security Now podcast #195 where he alerts his audience to the JavaScript zero day threat found in Adobe Reader and Acrobat that can be used for a remote code execution exploit. He mentions that he can think of no reason why a PDF reader should require JavaScript, but I'm guessing that it's to support some of the multimedia functions which aren't used for the typical PDF file. I could be wrong.

Adobe addressed this problem on their blog on April 28 where they provide the temporary fix:

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Leo Laporte, the host of the podcast, says that he's happy with Foxit Reader, which "is notable for its short load time and small filesize." But alas, pshaw and regrettably, you also have to disable its JavaScript option.

Stolen NIH laptop with un-encrypted patient data

From WaPo:

A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans. The information was not encrypted, in violation of the government's data-security policy.