Is Outsourcing a Security Risk?

April 12, 2008 – 1:10 PM

The world has a new culprit to blame for the rising tide of software vulnerabilities — code outsourcing.

The trend to outsource the coding of applications is now a major contributor to making business software more vulnerable, a survey-cum-report has claimed.

According to analyst group Quocirca, which surveyed 250 IT directors and executives in the U.S., the U.K. and Germany for Fortify Software, ninety percent of the organizations that admitted to having been ‘hacked’ had outsourced more than 40 percent of their applications to third parties.

But the rush to benefit from the speed, convenience and lower cost of outsourced applications was leaving security as an afterthought in an alarming number of cases. Sixty percent of respondents reported not mandating security from scratch, while 20 percent of those surveyed in the U.K. failed to accommodate security at all in the outsourced applications.

So what’s behind this risky attitude? The report mainly blames the way companies have become enamored with relatively poorly-understood Web 2.0 technologies, and the parallel rush to use service-oriented architectures (SOA) to open up software to much-loved partners.

As to outsourcing itself, according to Fortify, the problem here is that the client company has no visibility on the coding behavior of the company carrying out the work, no matter how good the relationship appears to be.

Read the rest of this story…

Vista Security Is Annoying by Design

April 12, 2008 – 11:23 AM

If you’re running Windows Vista, you’re familiar with User Account Control (UAC). It’s the security subsystem that pops up those irritating dialog boxes asking whether you really want to install software, modify system files, or write to the Registry.

UAC may be Vista’s most-hated feature, but as it turns out, it may also be its best-designed. As reported by Ars Technica, UAC was created with a very specific purpose in mind: to annoy you.

Ars picked up this tidbit at the recent RSA 2008 security conference in San Francisco, where David Cross, Microsoft’s product unit manager for Windows security, discussed the company’s security directions post-Vista. “The reason we put UAC into the platform was to annoy users. I’m serious,” Cross is quoted as saying.

More cynical observers will note that this is a longstanding Microsoft business strategy. But in this case, believe it or not, it actually makes some sense.

Before Vista, most Windows users did their day-to-day computing with full Administrator access to their PCs. This gave them — and by extension, the software they used — total control over the system, including the ability to modify critical system files.

Read the rest of this story…

Hackers Increasingly Target Browsers

April 12, 2008 – 11:18 AM

Threats against browsers are getting more sophisticated and branching out into such exotic areas as gaming, experts told attendees at the recent RSA Conference 2008.

New attacks from games and virtual-world Web sites can deliver bot-like control of browsers to attackers, said Ed Skoudis, a security consultant with Intelguardians, speaking at RSA. All that’s needed is for the infected image of an avatar to appear. “The character walks into view of the screen, and I take over the box,” he said.

Compromised browsers can act as a stage to launch further hacking of computers, Skoudis said. An attack could shut off corrupted machines’ keyboard and mouse control, making it more difficult to stop. Or a compromised browser could escalate a machine’s network privileges, and even change time stamps in registries to mask the attacks from later forensic investigation, he said.

Browser attacks can be layered so an infected site might divert a browser to another site that barrages it with a broad spectrum of attacks, seeking vulnerabilities to take advantage of, said Rohit Dhamankar, head of security research for TippingPoint Technologies.

Such Web-based attacks can even be more effective than individuals banging away at machines, Dhamankar said. At a recent hacking contest, participants tried to compromise laptops running Vista, Mac and Ubuntu Linux operating systems for an entire day without success. The next day those same machines were allowed to browse the Internet and became infected by Web sites they visited, he said.

Read the rest of this story…

Turn Off or Disable User Account Control (UAC) in Windows Vista

April 12, 2008 – 7:25 AM

User Account Control (UAC) is a new security feature in Windows Vista that requires all users to log on and run with standard user privileges instead of as an administrator with full administrative rights. This prevents unauthorized or accidental changes that could destabilize the computer, and stops viruses and malware from exploiting the system-level privileges granted to the local administrator to attack network security, compromise computer safety and privacy, and damage files and settings across the network. However, in a lot of cases end users need administrator rights to perform certain tasks, such as installing or updating programs and other typical system-level work. Besides, many software applications also need administrator privileges to run properly without conflicts, as they are designed to write to system locations during normal operation, and a computer in a locked-down state in which users operate in standard user mode severely limits user productivity.

In Windows Vista, whenever a standard end user requires administrator privileges to perform a task such as installing an application or writing to the registry, Windows Vista displays a UAC credential prompt to notify the user that the credentials of an administrator account are needed for authorization. This reduces the chance that a user can accidentally modify Vista system files or settings, and removes the ability of a virus or malware to invoke administrator privileges without the user’s knowledge. Even for a domain or local administrator, with UAC turned on most applications, components and processes run with limited privileges but have “elevation potential”: in Administrator Approval Mode, administrators must give consent through a User Account Control consent prompt before the elevated rights are granted.

However, a lot of users find these security clearance and prompting processes too troublesome, and sometimes annoying, especially when you’re the only person who uses the computer and have all the latest anti-virus and anti-spyware utilities installed and updated. User Account Control is enabled by default in Windows Vista, so to get rid of the prompts you will have to turn off and disable User Account Control yourself. Note, however, that Microsoft recommends that users do not turn off UAC, for security reasons.

There are a few ways to turn off UAC, but most home and personal users should find the method of disabling UAC via the Control Panel the easiest.
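Before (or after) changing anything via the Control Panel, it helps to know exactly what UAC state a machine is in, because “UAC is on” and “administrators are still prompted for consent” are two separate settings. The following PowerShell script is an added example, not code from the original post: it reads the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop) and reports whether the protections described above are still in force. It is read-only and changes nothing; the function name Get-UacState is my own.

```powershell
# Added example (not from the original post): audit the UAC configuration of a
# Windows Vista (or later) machine. Read-only; it modifies no setting.
# Value meanings follow the documented UAC policy settings for Vista
# (later Windows versions add more ConsentPromptBehaviorAdmin levels).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $policyKey

    # EnableLUA = 1 means UAC is on; 0 means it has been disabled
    # (a change here only takes effect after a reboot).
    $uacOn = ($p.EnableLUA -eq 1)

    # ConsentPromptBehaviorAdmin controls what Admin Approval Mode asks of administrators:
    # 0 = elevate silently, 1 = prompt for credentials, 2 = prompt for consent (Vista default).
    $adminPrompt = switch ($p.ConsentPromptBehaviorAdmin) {
        0       { 'elevate without prompting' }
        1       { 'prompt for credentials' }
        2       { 'prompt for consent' }
        default { "other ($($p.ConsentPromptBehaviorAdmin))" }
    }

    # ConsentPromptBehaviorUser: 0 = deny elevation to standard users outright,
    # 1 = prompt them for an administrator's credentials.
    $userPrompt = if ($p.ConsentPromptBehaviorUser -eq 0) { 'automatically deny' } else { 'prompt for credentials' }

    # PromptOnSecureDesktop = 1 switches to the dimmed secure desktop for the prompt,
    # so other processes cannot overlay or click through it.
    $secureDesktop = ($p.PromptOnSecureDesktop -eq 1)

    New-Object PSObject -Property @{
        UacEnabled           = $uacOn
        AdminPromptBehavior  = $adminPrompt
        StandardUserBehavior = $userPrompt
        SecureDesktop        = $secureDesktop
    }
}

$state = Get-UacState
$state | Format-List

# Flag the two configurations that give back the pre-Vista situation the article describes.
if (-not $state.UacEnabled) {
    Write-Warning 'UAC is disabled: every process run by an administrator has full rights, as before Vista.'
}
elseif ($state.AdminPromptBehavior -eq 'elevate without prompting') {
    Write-Warning 'UAC is on, but administrators are elevated silently, which removes the consent step UAC exists for.'
}
```

Run it from an elevated or standard PowerShell prompt; reading these values needs no special rights. The EnableLUA check is the one that matters most: with it set to 0 the other three values are ignored, because there is no split token to elevate.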

Read the rest of this story…

Tuning The Windows Vista Firewall

April 12, 2008 – 6:42 AM

At first glance, the Windows Vista firewall is disappointing to say the least. On the surface, it looks like a Windows XP leftover. In fact, the firewall’s user interface in Windows Vista is nearly identical to the interface found in Windows XP. There aren’t even any new configuration options available.

The problem with the firewall’s user interface is that it is easy to assume that the configuration options shown within the user interface are the only options available. However, you can actually gain much more control over the Vista firewall by configuring it using Group Policy Editor.

To do so, open Vista’s Group Policy Editor and load the local security policy. Next, navigate through the console tree to Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Windows Firewall with Advanced Security. When you select the Windows Firewall with Advanced Security container, you will see a summary of the Windows Firewall configuration, as shown here:

Vista Firewall
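The summary the Group Policy snap-in shows (per-profile state and default inbound/outbound policy) is also available from the command line, which is handy for checking several machines without clicking through the console. The following PowerShell script is an added example, not part of the original article: it runs the built-in `netsh advfirewall show allprofiles` command and parses the Domain, Private and Public profile blocks from its output. The parsing assumes the English "Key   Value" layout of that output; the function name Get-FirewallProfileSummary is my own.

```powershell
# Added example (not from the original article): summarize each Windows Firewall
# with Advanced Security profile the way the Group Policy summary page does.
# Assumes the English netsh output, which prints one block per profile headed
# "<Name> Profile Settings:" followed by "State" and "Firewall Policy" lines.
function Get-FirewallProfileSummary {
    $lines = netsh advfirewall show allprofiles
    $profiles = @()
    $current = $null

    foreach ($line in $lines) {
        if ($line -match '^(\w+) Profile Settings:') {
            # Start a new record for this profile (Domain, Private or Public).
            $current = New-Object PSObject -Property @{
                Profile = $matches[1]
                State   = $null
                Policy  = $null
            }
            $profiles += $current
        }
        elseif ($current -ne $null -and $line -match '^State\s+(\S+)') {
            $current.State = $matches[1]          # ON or OFF
        }
        elseif ($current -ne $null -and $line -match '^Firewall Policy\s+(\S+)') {
            $current.Policy = $matches[1]         # e.g. BlockInbound,AllowOutbound
        }
    }
    return $profiles
}

$summary = Get-FirewallProfileSummary
$summary | Format-Table Profile, State, Policy -AutoSize

# Warn on the two settings that undo the default protection: a profile that is
# switched off, or one whose default inbound action is not to block.
foreach ($p in $summary) {
    if ($p.State -ne 'ON') {
        Write-Warning "$($p.Profile) profile: firewall is off."
    }
    elseif ($p.Policy -notmatch '^BlockInbound') {
        Write-Warning "$($p.Profile) profile: unsolicited inbound traffic is allowed by default."
    }
}
```

The same netsh context can show and change the per-rule configuration that the Group Policy Editor exposes, so once the summary looks right, `netsh advfirewall firewall show rule name=all` is the command-line counterpart of browsing the Inbound Rules and Outbound Rules containers.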

Read the rest of this story…