GitHub compromise : lessons to learn

GitHub has been compromised.  That, by itself, is important enough – with millions of projects and developers using it.  But there is more to it.  Have a look at these links:

There is more coverage all over the web, but I’m sure you know how to find your way around.  Now, to the lessons that we can learn from what happened.

  1. “Don’t panic” in big friendly letters, courtesy of Hitchhiker’s Guide to the Galaxy.  It’s obvious something out of the ordinary happened in GitHub’s routine life.  While they regained the clarity of mind pretty fast, they were caught off-guard.  Don’t panic is the first rule of panic situations.
  2. Pay attention!  Given the size and active lives of both GitHub and Rails, it’s difficult to pay attention to every little detail.  But you should always weigh the “large number of installations” or “large user base” considerations, even when the issue is with a documented feature rather than a bug.  We’ve seen examples of this again and again – something that was part of the original functionality is, once in a while, turned into a malicious attack vector.  Your answer shouldn’t be a simple “check your code”.
  3. Stay transparent.  As you can see from a few comments in the above links, the actual compromise is not the biggest deal.  People in general and software developers in particular are very much used to security issues in every software.  It happens.  The bigger deal is, of course, how you handle that.  When you obviously have a problem, don’t try to hide it or misinform people who rely on you.  Say it loud and clear.  Or you will lose trust.
  4. Mind the stack.  Today’s computing world is rather complex.  Most projects rely on third-party libraries, tools, and solutions.  And that’s a good thing.  But when you do that, don’t treat the third-party item as a black box.  That is especially frequent in Open Source Software development.  It’s easy to trust something that is open.  It’s free, it’s open, it’s secure and reliable.  Not always the case.  And sometimes it is the case, but you need to read the documentation and think carefully.  As much as you are concerned about the security of your own code, there is no guarantee that the libraries, framework, or even the language compiler that you are using are secure.  Keep that in mind.

With all that, what’s my attitude to GitHub now?  It’s still the same.  I love the service and I trust the company.  Everybody makes mistakes.  Not everybody learns from them.  When things like that happen, I’m always willing to give a second chance (and sometimes even a third).  Maybe I’m just hoping that when I screw up people won’t just turn away.  Maybe I’m just an optimist – who knows.  But GitHub still provides the service that I enjoy using.  Despite the compromise, neither I nor any of my projects have been affected.  And I think that GitHub will learn from this experience.  So I don’t see any reason to change my attitude.

Winning The War On Terror

Cyprus Mail recently covered the security measures that are being taken in London for the preparations for the 2012 Olympic Games in London.  Here are a few quotes:

SNIPERS in helicopters will patrol the skies over London
[…]
based on HMS Ocean, the largest ship in the Navy, anchored in the Thames
[…]
Fast jets will also be located just outside London
[…]
Rapier air-defence missiles will be located in London
[…]
1,000-strong quick reaction force will also be on stand-by
[…]
About 7,500 armed forces members will work as security guards
[…]
Royal Marines will be based on HMS Ocean
[…]
They will also patrol along the Thames.
[…]
HMS Bulwark and Royal Fleet Auxiliary Mounts Bay will patrol off Weymouth
[…]
Special forces will also be placed on high alert, as well as military explosive disposal teams and units with dogs to search vehicles and buildings.
[…]
The venue security allocation has also been dramatically increased by £271 million to £553 million after the number of security guards was revised up to 23,700, more than double the original estimate of 10,000.

Winning The War On Terror, aren’t we?  I understand the need for security and all, but isn’t that going a bit too far?  Ships, jets, helicopters, snipers, special forces, dogs, patrols, tens of thousands in personnel, over half a billion in funds… When and how will we come to our senses again?

Home security exhibition in Cyprus

A lot has been said about the growing crime levels in Cyprus lately. Even though it is still safer than pretty much any other country in the world (no hard data here, just the feeling), Cyprus can’t pretend that nothing is happening. It was only a matter of time until the security business would pick up. And now, obviously, it did. Cyprus Mail reports the first home security exhibition is to take place in Pafos.

FOR THE first time in Cyprus, security companies from all over the island will gather together in Paphos to participate in a security exhibition which will take place this month. Organised by Peyia neighbourhood watch, the event will showcase everything from cameras and alarms to lights and movement sensors.

According to Peyia Neighbourhood Watch, this is the first event of its type and has the full support of the police. The aim of the event is to highlight the various options available on the market for preventing burglaries and thefts.

Instead of having the security arms race, I’d much prefer things went back to “normal”, the way they were 10-15-20 years ago.

Microsoft vulnerability, now served with plain text files

It is the year 2011 and we learn that even opening plain text files in Microsoft Windows is not as safe as you thought.

The vulnerability could allow remote code execution if a user opens a legitimate rich text format file (.rtf), text file (.txt), or Word document (.doc) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

You’ve got all your buzzwords here: remote code execution; legitimate rich text, text, or Word document; network directory; local user rights, etc.  It’s good to know that it’s fixed.  Yet it’s still worrying to think what else is out there …
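The advisory above describes a DLL preloading case: the document is harmless, but the application that opens it resolves a library name through its DLL search path, and a network directory containing the document can end up on that path.  As an added example (not from the original post and not Microsoft’s code), the PowerShell below audits the two Windows registry values that control this search order, SafeDllSearchMode and CWDIllegalInDllSearch (the latter introduced by Microsoft’s KB2264107 update), and optionally sets the remote-share block.  The function names are my own; the registry path and value names are real Windows settings.

```powershell
# Added example: audit (and optionally harden) the Windows DLL search-order
# settings that mitigate "legitimate document next to a planted DLL" attacks.
#
#   SafeDllSearchMode      1 = application directory is searched before the
#                              current working directory (default since XP SP2)
#   CWDIllegalInDllSearch  (KB2264107) 0xFFFFFFFF = remove the current working
#                              directory from the search path entirely
#                              2 = block DLL loads from remote folders (UNC/WebDAV)
#                              1 = block DLL loads from WebDAV folders only
#                              absent/0 = no restriction
$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-DllSearchHardening {
    # Read both values; a missing value comes back as $null.
    $props = Get-ItemProperty -Path $SessionManagerKey
    $safe  = $props.SafeDllSearchMode
    $cwd   = $props.CWDIllegalInDllSearch

    # 0xFFFFFFFF is stored as a DWORD and surfaces as Int32 -1; the X8 format
    # prints its two's-complement form, i.e. FFFFFFFF, without a cast.
    $cwdText = if ($null -eq $cwd) { 'absent' } else { '0x{0:X8}' -f $cwd }

    [pscustomobject]@{
        SafeDllSearchMode     = if ($null -eq $safe) { 'absent (defaults to 1)' } else { $safe }
        CWDIllegalInDllSearch = $cwdText
        # Remote-share DLL loads are blocked only with value 2 or 0xFFFFFFFF (-1).
        RemoteShareBlocked    = ($cwd -eq 2) -or ($cwd -eq -1)
    }
}

function Set-DllSearchRemoteShareBlock {
    # Value 2 matches the scenario in the advisory (a document opened from a
    # network directory) and is less likely to break applications than
    # 0xFFFFFFFF, which removes the working directory from the search path
    # altogether.  Requires an elevated shell.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($SessionManagerKey, 'Set CWDIllegalInDllSearch = 2')) {
        Set-ItemProperty -Path $SessionManagerKey -Name 'CWDIllegalInDllSearch' -Value 2 -Type DWord
    }
}

# Usage: report the current state, then harden if remote shares are not blocked.
$state = Get-DllSearchHardening
$state | Format-List
if (-not $state.RemoteShareBlocked) {
    Set-DllSearchRemoteShareBlock -WhatIf   # drop -WhatIf to apply the change
}
```

The `-WhatIf` switch makes the hardening step print what it would change without touching the registry, which is the safer default when running the audit on a machine you have not inventoried; a handful of older applications rely on loading helper DLLs from the working directory and will need testing before the value is set fleet-wide.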

Interview with Kevin Mitnick

Slashdot runs a questions-and-answers session with the world’s most famous hacker, Kevin Mitnick.   While most of his adventures and opinions are well covered on the web and in books, you might still be surprised by some of the answers.

Here is his take on the involvement of anti-virus and other security companies in the creation of viruses and other malware.

Cybersecurity Companies?
by bigredradio

Kevin, do you suspect any collusion on the part of cybersecurity companies such as Kaspersky Labs or Avast! and virus creators? If there were not so many exploits in the wild, would there be a billion-dollar anti-virus industry?

KM: I don’t know about Kaspersky but I think it’s ludicrous to assert that any anti-virus company would be involved with malware creators. These are large companies and the risk of being involved in this type of unethical behavior is too great.

And here is his opinion on what the future holds for us.

cybersecurity
by Anonymous

What cybersecurity threats do you see as the most dangerous to the Internet now?

Re:cybersecurity
by zero0ne

What threat do you see as the most dangerous in 2, 5 and 10 years?

KM: Malware is probably the most substantial threat. Not only because it is so prevalent and being crafted better to avoid detection, but also because a large majority of internet users are oblivious to the dangers involved with clicking unknown links, authorizing Java Applets, opening attachments from people they don’t know, and are easily fooled by average phishing attacks. People are still the weak link, and even intelligent ones make poor decisions. Case in point, the recent spear-phishing attacks on Google and RSA, which proved highly effective.

Looking into the future is difficult as technology progresses so rapidly. In the next few years, as more and more corporations move towards cloud computing, these servers loaded with information are going to be the new playground for hackers. Layers of security need to be applied in any cloud-computing environment to minimize the risk.

With the recent hacks on Certificate Authorities, I would count on SSL becoming obsolete in the future and being replaced with a new, more robust secure standard, since the “web of trust” is no longer a feasible model.

With the proliferation of consumer devices coming onto the market that are internet-ready, I would expect to see more attacks at the heart of these new technologies. New devices, especially those branded by names like Apple, Microsoft, and Google, always tend to draw the attention of hackers from all over the world.