Threats of Using Outsourced Software

Self-efficiency in (quality) software programming for security reasons -- yeah, sure :

"The possibility that programmers might hide Trojan horses, trapdoors and other malware inside the code they write is hardly a new concern. But the DSB will say in its report that three forces — the greater complexity of systems, their increased connectivity and the globalization of the software industry — have combined to make the malware threat increasingly acute for the DOD. "This is a very big deal," said Paul Strassmann, a professor at George Mason University in Fairfax, Va., and a former CIO at the Pentagon. "The fundamental issue is that one day, under conditions where we will badly need communications, we will have a denial of service and have billion-dollar weapons unable to function."

The billion-dollar weapons system will be unable to function in case of an ELINT attack, not a software backdoor taking the statistical approach.

There's an important point to keep in mind, during WWII, the U.S attacted Europe's brightest minds who later on set the foundations for the U.S becoming a super power. Still, you cannot expect to produce everything on your own, and even hope of being more efficient in producing a certain product in the way someone who specialized into doing this, can. Start from the basics, what type of OS does your Intelligence angency use in order not to have to build a new one and train everyone to use it efficiently? Say it with me.. Moreover, the sound module in your OS has as a matter of fact already been outsourced to somewhere else, if you try to control the process with security in mind, vendors will cut profit margin sales, as they will have to pay more for the module, will increase prices slowing down innovation. But of course it will give someone a very false feeling of security.

Fears due to outsourced software? Try budgeting with the secondary audits "back home" if truly paranoid and want to remain cost-effective. While it may be logically more suitable to assume "coded back home means greater security and less risk", you'll be totally wrong. All organizations across the world connect using standart protocols, and similar operating systems, making them all vulnerable to a single threats of what represent today's network specific attacks. And no one is re-inventing the OSI model either.

You can also consider another task force, one that will come up with layered disinformation channel tactics when they find out such a backdoor, as detecting one and simply removing it on such systems would be too impulsive to mention.

Who's Who on Information and Network Security in Europe

A very handy summary of Europe's infosec entities and contact details that come as a roadmap for possible partnerships or analyst's research :

"This Directory serves as the “Yellow pages” of Network and Information Security in Europe. As such, it is a powerful tool in everyday life of all European stakeholders and actors in Network and Information Security (NIS). By having access to all contact data and entry points for all European actors in one booklet, available on your desk, the “arm length’s rule” of access to information is becoming concrete. I am confident that this device of compiled Network and Information Security stakeholders, contacts, websites, areas of responsibility/activity of national and European Authorities, including organisations acting in Network Security and Information, serves our mission to enhance the NIS security levels in Europe well."

Compared to China's information security market on which I've blogged in a previous post, Europe's R&D efforts are still largely de-centralized on a country level, but hopefully, with the ongoing initiatives among member states innovation will prevail over bureaucracy.

The Zero Day Vulnerabilities Cash Bubble

The WMF was reportedly sold for $4000, a Vista zero day was available for sale at $50,000, and now private vulnerability brokers claim that they beat both the underground and the current incentive programs, while selling vulnerabilities in between $75,000 - $120,000.

"The co-founder of security group Secure Network Operations Software (SNOSoft), Desautels has claimed to have brokered a number of deals between researchers and private firms--as well as the odd government agency--for information on critical flaws in software. Last week, he bluntly told members of SecurityFocus's BugTraq mailing list and the Full-Disclosure mailing list that he could sell significant flaw research, in many cases, for more than $75,000. "I've seen these exploits sell for as much as $120,000," Desautels told SecurityFocus in an online interview."

But the cash bubble is rather interesting. Zero day vulnerabilities are an over-hyped commodity and paying to get yourself protected from one, means you'll be still exposed to the next one while you could have been dealing with far more risky aspects of protecting your network, or customers. The (legitimate) business model breaks when every vendor starts offering a "bounty" for vulnerabilities while disintermediating the current infomediaries. It would be definitely more cost-effective for them, than improving someone's profit margins. Or they could really reboot their position in this situation by applying some fuzz logic on their own software at the first place.

Attack of the SEO Bots on the .EDU Domain

A university's Internet presence often results in very high pageranks for their site, therefore, if a malicious spammer would like to harness the possibilities of having the spammed message appear among the top 20 search results, he'd figure out a way to post direct http:// links on various .edu domains, especially on the wikis residing there. That's the case with PuppetID : Matias Colins -- of course collins is spelled with one L only --. Matias Colins is an automated attack script that's already hosting hundreds of spam pages on the .edu domain, mostly adult related, and it's worth mentioning that where access to a directory has been in place, the hosted pages blocked caching from any search engine, or hosted one on its own. Redirection is perhaps what the attacker is very interested in too. See how this berkeley.edu link - dream.sims.berkeley.edu/~tdennis/wp-content/animalsex.php - redirects to a site for whatever the page title says, and this is yet another one - oit.pdx.edu/jethrotest/mysqldb.php.

Here are two more examples of another bot using my blog post titles to generate subdomains or the like, and of bots abusing Ebay's reputation system by self-recommending themselves.