Monday, September 6, 2010

Month of Bugs

Adobe Systems, Microsoft, Mozilla, Apple, HP, Novell and other vendors are being tested by the Abysssec Security Team this month. This team will be tackling a detailed binary analysis as well as a zero-day flaw. Both of these issues have been constantly disrupting older versions of Adobe Reader and cPanel. The Security Team tests the programs by attempting to penetrate them in addition to using binary code. Abysssec strongly encourages computer users to download the latest security updates to prevent damage.
The main purpose of "Month of Bugs" is to draw attention to lax security procedures. This motivates software makers to fix their programs quickly to adapt to the constantly changing, dangerous virtual world. Month of Bugs has been growing in popularity; however, the last campaign took place a year ago. Some people question whether Month of Bugs campaigns have an impact on software vendors. Charlie Miller, a principal analyst security researcher, says, "If you can find so many problems with a product that you can release one a day for a month, there are some serious issues." Miller also stated, "The only thing I can see is it is a tool to highlight the skills of the Abysssec guys, which is fine, but I don't think there is a general security principle they are trying to make, or at least I don't get it."

I think Month of Bugs is a good way to point out inefficiencies. As a programmer, I would much rather have the Abysssec Team point something out to me than find out after my programs have been infiltrated and risk the possibility of having the integrity or confidentiality of my program tampered with. However, I feel like a programmer should be continuously finding ways to make their programs stronger.

4 comments:

  1. This blog post was really interesting to me because it made me realize just how important it is to constantly test for security issues. Due to the rapidly changing nature of technology, new ways to get past security controls are discovered every day. Not only do new technologies need to be properly protected, but even the security of old systems needs to be frequently evaluated. This just goes to show how essential white hat hackers such as the Abysssec Security Team are. It is incredible, and kind of frightening, that they were able to find a problem per day for an entire month.
    This post also brought to my awareness the importance of software updates. A lot of times when I see the option to update my anti-virus software come up on my computer, I ignore it because it slows down what I’m currently working on and it takes a long time, but now I realize how crucial these updates are. This also goes for automatic updates of other programs on my computer, such as Adobe, and even Windows. It is important to let these update because often times the newer versions fix security vulnerabilities that were present in the old ones. As stated in the article I posted below, Adobe files are extremely vulnerable to hacking, but few users actually update their version. The second article posted below shows an example of the kind of vulnerabilities that can be fixed through updates. In this case, there was a problem with Microsoft Windows where a person could achieve an elevation of privilege in the system. This weakness was then fixed, and anyone who had automatic security updates on their computer would receive protection from it right away.

    http://www.lexansystems.com/blog/
    http://www.microsoft.com/technet/security/bulletin/ms10-047.mspx

  2. I think this idea of Month of Bugs is good, and shows there is an underlying issue with some software. If this sort of campaign can take place and show so many flaws in only a few systems, it worries me to think how many are unknown as of now, but will at some point be found. I also have to ask how software companies can put this software out on the market if there are so many penetrable places in it that could really upset the entire system? I agree that the programmer should be constantly looking for flaws in their own code, as well as the entire system, to make sure some integrity can be captured, but if the underlying program is flawed there are bigger issues at stake.
    I also agree with the above comment, that software updates have now become a little more necessary to me - especially when taking note of what these updates can protect you from. Often times I find myself ignoring them for the sake of time, but if their benefits are really what are portrayed in these two articles then they become almost a necessity.

  3. The idea of "Month of Bugs" is a great way to educate and inform people about the ever-changing world of computer problems. With all of the bugs that appear in every program, it's necessary to have companies check, fix, and try to prevent the bugs from happening. Customers deserve the right to know what a company is dealing with in their software.
    Like the other posters who commented, this also brought to my attention the importance of updates on anti-virus software. As a Mac user, I have always heard that it is more difficult for viruses to affect a Mac than it is a PC. I'm not sure if this is true, but it isn't an excuse for poor security just because it might not happen.

  4. Like all of the other commenters, I feel that "Month of Bugs" is a great idea to illustrate the severity and complexity of the constantly evolving world of viruses. On the other hand, I also agree with the statement made in the post by Charlie Miller when he said, "the only thing I can see is it is a tool to highlight the skills of the Abysssec guys." To me, this month of computer security awareness seems more like a chance for the Abysssec Security Team to show off their skills than a chance to truly improve information security.

    My reasoning behind this is that such a demonstration doesn't really show laxity in security procedures as much as it shows how viruses and hackers are always coming up with new ways to infect systems. It also shows how the points of attack on a system are nearly limitless, and that it is very difficult to create software with little to no security problems.

    With that aside, I still believe that white hat hackers, like the boys and girls at Abysssec, are very valuable to the information security community. It is clearly better for these folks to recognize flaws in security than it is for other hackers with malicious intent to exploit the flaws.

    All in all, this post was enlightening in that it really showed how vulnerable information can be, as well as how important the seemingly pesky software updates are to security and performance.
