Cyber attack on Europe exposes big flaws in Internet security

September 12, By Ken Dilanian

A major cyber attack in Europe that apparently was launched from Iran has revealed significant vulnerabilities in the Internet security systems used to authenticate websites for banking, email and e-commerce around the world. The attack over the summer wrought havoc in the Netherlands, where the Justice Minister warned the public last Sunday that the only secure way to communicate with the Dutch government was with pen, paper and fax machine. The digital assault compromised a Dutch company called DigiNotar, which issues digital certificates, small pieces of computer code that assure browsers that a website is what it appears to be. The certificates also encrypt communications between the user and the site so that they can't be intercepted.
And nearly without fail, the security press parrots this information as if it were newsworthy. The reality is that these types of vulnerability count reports — like the one issued this week by application whitelisting firm Bit9 — seek to measure a complex, multi-faceted problem from a single dimension.
The result offers almost no insight into the quality and integrity of the overall product, and in all likelihood leads to erroneous and — even humorous — conclusions. The Bit9 report is more notable for what it fails to measure than for what it does, which is precious little. The products it counts need only:

Be legitimate, non-malicious applications;
Have at least one critical vulnerability that was reported between Jan.
The report did not seek to answer any of the questions that help inform how concerned we should be about these vulnerabilities, such as:

Was the vulnerability discovered in-house, or was the vendor first alerted to the flaw by external researchers or attackers?
How long after being initially notified of or discovering the flaw did it take each vendor to fix the problem?
Which products had the broadest window of vulnerability, from notification to patch?
How many of the vulnerabilities were exploitable using code that was publicly available at the time the vendor patched the problem?
How many of the vulnerabilities were being actively exploited at the time the vendor issued a patch?
Which vendors make use of auto-update capabilities?

The reason more security companies do not ask these questions is that finding the answers is time-consuming and difficult.
I volunteered to conduct this analysis on several occasions over the past five years. A while back, I sought to do this with three years of critical updates for Microsoft Windows, an analysis that involved learning when each vulnerability was reported or discovered, and charting how long it took Microsoft to fix the flaws.
In that study, I found that Microsoft actually took longer to fix flaws as the years went on, but that it succeeded in an effort to convince more researchers to disclose flaws privately to Microsoft as opposed to simply posting their findings online for the whole world to see.
I later compared the window of vulnerability for critical flaws in Internet Explorer and Mozilla Firefox, and found that for a total of days in , or more than nine months out of the year, exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet.
In contrast, I found that Firefox experienced a single period lasting just nine days during that same year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to fix the problem.
For one thing, Adobe appears to have had more windows of vulnerability and attack against flaws in its products than perhaps all of the other vendors on the list combined. Adobe even started this year on the wrong foot: This happened again with Adobe Reader for 20 days in June, and for 22 days in September.
Just yesterday, Adobe issued a critical update in Reader that fixed a flaw that hackers have been exploiting since at least Oct.
True, not all vendors warn users about security flaws before they can issue patches for them, as do Adobe, Microsoft and Mozilla: In many ways this information makes these vendors easier to hold accountable. Google and Mozilla, on the other hand, have helped to set the bar on delivering security updates quickly and seamlessly.
The same is true when Mozilla issues patches to Firefox. A study released earlier this year found that the average Windows user has software from 22 vendors on her PC and needs to install a new security update roughly every five days in order to use these programs safely.
But security companies should focus their attention on meaningful metrics that drive the worst offenders to improve their record, making it easier for customers to safely use these products.
The top 10 internet security threats are injection and authentication flaws, XSS, insecure direct object references, security misconfiguration, sensitive data exposure, a lack of function-level authorization, CSRF, insecure components, and unfiltered redirects.
The internet of connected things (IoT) has transformed the way everyone interacts with their home, but manufacturers are not putting enough effort into making these devices secure.
Most manufacturers and some immature organizations overlook the security concern – the security flaws are a good sign. In August a security flaw offered unrestricted access to user passwords, while some of the Chrome extensions available through Google’s Chrome store have been found to contain malware.
A Closer Look at the Internet of Things and IoT Security Flaws

The consensus that devices, software, and network connections in the IoT are based on largely unsecured, bargain-basement technology is a huge concern.
Jan 04: Details have emerged on two major processor security flaws this week, and the industry is scrambling to issue fixes and secure machines for customers.
Dubbed “Meltdown” and “Spectre,” the.