Disclosure and non-disclosure

Network Security, July 2010

FEATURE

Continued from page 2…

…where the cheaper options are poorer than what your organisation does at present. It allows service providers to reduce the number of site visits, and allows them to concentrate on providing the services you’ve purchased. Finally, this offers the very real opportunity – given suitable backing from providers and major client sectors alike – to focus the attention of organisations back on managing risks and removing the black art surrounding information risk/security management. The security industry may not like it, but to be able to quantify what we do and show benefits to business from good management is a necessary part of our evolution.

About the author

Des Ward is an information risk and security professional with over 15 years’ experience and clients ranging from HM Government through to ISPs and FTSE 100 financial institutions. His experience spans IT security through to risk assessment and compliance programme management, as well as implementing policy and governance frameworks to comply with standards such as ISO/IEC-27001:2005, the Security Policy Framework and PCI-DSS. He is currently the programme lead for the creation of the CAMM framework.

Disclosure and non-disclosure

As anti-malware researchers continue to debate the ethics and dangers of public versus private disclosure of vulnerabilities, two firms have shown very different approaches to the issue.

French company Vupen claims to have found two important vulnerabilities in Microsoft Office 2010, which was launched in June. The firm says that it “successfully created a code execution exploit which works with Office 2010 and bypasses DEP (Data Execution Prevention) and Office File Validation features”. The exploit involves a memory corruption flaw in Excel. The company then announced that it had found a second flaw, this time in Word, and that it confidently expects to find more. What’s causing a slight stir is that, as well as not disclosing details of the flaws to the public, Vupen also chose not to tell Microsoft. The problem, it seems, is that Vupen feels that a simple thank you from Microsoft isn’t adequate recompense for finding the flaws. According to reports from Heise Security, Vupen’s CEO, Chaouki Bekrar, believes that Microsoft and other commercial software vendors are benefiting from the work of security companies and should be willing to pay for the information. That doesn’t mean that Vupen is keeping the information all to itself. It operates what it calls a “private responsible disclosure policy” as part of its Threat Protection Programme, under which its government customers receive a full analysis of the vulnerabilities and guidance on how to protect themselves. Until Microsoft learns of the flaws by some other route, there is no patch for other Office 2010 users to apply.

Anti-malware firm Comodo took a very different approach recently. It passed on details about a security weakness it had found involving SSL certificates from VeriSign. While it gave out very few details, Comodo said: “Using publicly available information, Comodo found that a VeriSign customer account of a major financial institution can be easily accessed without authentication. Comodo believes that the vulnerability is not limited to this single account.” Since the account sits in VeriSign’s certificate management portal, unauthenticated access to it puts the institution’s certificates themselves at risk, not just the account data. The firm passed the information to VeriSign via an independent third party – a practice laid down by the Vulnerability Disclosure Guidelines of the Common Computing Security Standards (CCSS) Forum, an organisation that Comodo was instrumental in establishing. “When we uncovered this serious security vulnerability, we knew we had to do the right thing to notify VeriSign immediately to correct the design problem,” explained Melih Abdulhayoglu, chief executive officer and founder of Comodo. “With millions of customers’ financial transactions at stake, we wasted no time to help correct the problem even though it wasn’t ours to begin with.” Since the initial disclosure, Comodo said that VeriSign had taken some steps to address the problem – although the fix may be only partial so far. Comodo believes that more needs to be done but says that VeriSign’s response has been encouraging. VeriSign has announced changes to its certificate management portal, including the removal of some features that were publicly accessible and limiting the amount of information that can be discovered through search engines. It has also placed restrictions on how certificates are revoked.

Software flaws set to double

The number of vulnerabilities in commonly used software is set to double, according to a report from Secunia. And Apple is leading the way in bug-ridden software.

The Secunia Half-Year Report 2010 concludes that the software industry is consistently failing to tackle the problem of security vulnerabilities. The firm studies 29,000 products on a regular basis. It found that security vulnerabilities capable of affecting the typical end user almost doubled in the years 2007-2009, rising from 240 to 420. In the first six months of 2010, Secunia found 380 – 89% of the 2009 total. That has led the firm to assume that, by the end of the year, the number of vulnerabilities will reach 760. Apple has switched places with Oracle to take the top spot in Secunia’s ranking of vendors by number of vulnerabilities. Microsoft has been consistently third since 2007. HP is fourth and Adobe fifth, though the latter is seeing the sharpest climb. These vulnerabilities do not translate directly into exploits. Many of the security issues that Secunia has identified have yet to be exploited by malware or hackers. However, the rise in the number of issues does suggest that security is still a little-regarded part of software development. The report is available from Secunia as a PDF.

Twitter told to tighten security

Twitter has been told by the US Federal Trade Commission (FTC) to tighten its security, following the first action ever taken by the government body against a social networking service.

The FTC’s investigation of Twitter’s security practices followed a couple of high-profile breaches of user accounts, including those of Barack Obama and Fox News. The FTC has decided that the social networking service’s security procedures are inadequate, especially when it comes to internal access to users’ data. As a result, Twitter has to agree to an independently audited information security programme, to be assessed every other year for the next 10 years, and for the next 20 years it is banned “from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of non-public consumer information”. While it sounds strange, that latter part of the order legally assigns the FTC the ‘civil penalty authority’ allowing it to fine Twitter up to $16,000 for each future breach of the order. Twitter said it has already implemented the necessary measures as a result of internal reviews. In any case, most commentators note that the embarrassment caused by compromised accounts is probably more of an incentive than any slap on the wrist from the Government.

EVENTS CALENDAR

August 8-11
Latincrypt 2010
Location: Puebla, Mexico
Web: cti.cs.buap.mx/latin/

August 10-11
National Conference on Information Assurance
Location: Rawalpindi, Pakistan
Web: www.ncia2010.com

August 15-19
CRYPTO 2010
Location: Santa Barbara, California, US
Web: www.iacr.org/conferences/crypto2010/

30 August-3 September
TrustBus 10 - 7th international conference on trust, privacy and security in digital business
Location: Bilbao, Spain
Web: www.isac.uma.es/trustbus10/

September 7-9
SecureComm 2010 - 6th international ICST conference on security and privacy in communication networks
Location: Singapore
Web: www.securecomm.org/

September 21-22
The Summit on IT Governance, Risk and Compliance
Location: Boston, US
Web: www.misti.com/default.asp?page=65&Return=70&ProductID=6742

September 27-29
6th Annual IT Security Automation Conference
Location: Baltimore, US
Web: scap.nist.gov/events/