Often we don’t know we are in danger until we get clobbered. We have all had that feeling in the pit of our stomachs after something heavy falls where we were standing a few minutes ago. In the middle ages ignorance of disease killed many and the same is true of most in the modern world of computer security.

Now there is an even more dangerous exploit for jpg files.  Details can be found here.

I have seen an example of this exploit in action.  In the demo I got from our security team, displaying the custom crafted jpg image caused the workstation to reboot.

If you didn’t take the last reminder to patch seriously, I urge you to get it now.

Now I have heard it all!  Terrorists, Hurricanes and now JPEGs can be used to attack your computer!

To see what I am ranting about check out the article.

I just finished reading an upcoming article from Forbes Magazine (unfortunately you will have to register to read it before the September 20th pub date) about the belief that terrorists are turning to hacking as their next major vehicle to do damage.

In the article they point out things like, “The FBI says the cyberterrorism threat to the U.S. is “rapidly expanding.” “Terrorist groups have shown a clear interest in developing basic hacking tools, and the FBI predicts that terrorist groups will either develop or hire hackers,” Keith Lourdeau, an FBI deputy assistant director, told the U.S. Senate earlier this year.”

The article also mentions a company that I have had dealings with in my consultant travels.  Invensys makes valves and regulators and such.  Exactly the kind of equipment that a bad guy would want to manipulate.

Scary, but maybe I’m not too old to get back in the service after all…

The Software Development Life Cycle (SDLC) is a well established and well thought out concept.  There are books and experts and cool slides galore that talk about it and how security should fit into it.  The problem that I see is that the process as most people think about it isn’t cyclical enough.

Most of the treatment of the subject shows the process ends on acceptance of the product.  This means that it is in general use, the major bugs that will be fixed have been and the users are active with the application.  This status remains until the application is either revised or retired.  You can’t live that way anymore.  If you have an application that is waiting for a revision in the future or making its way to retirement, I would be willing to bet that it has already outlived any security analysis done during its construction.  How many new threats exist today that weren’t around when existing applications were being developed.  How many measures were taken as fully adequate just a year ago that we now see still leave us in the lurch against a determined attack?

If you have an application in production that hasn’t been revised for security in some time you may want to at least take a mental inventory.  The C levels in your company won’t understand that your application was secure when you released it.  They will only see that it was not secure when it was attacked.

I am listening to the Don Kiely interview on Dot Net Rocks and thought that it was worth pointing the security minded toward.  I have known Don for a while from conferences out and about, but hadn’t realized how much he has delved into the Least Priviledge issue until listening to Carl and Rory discuss it with him on the show.

Also highlighted was Ted Neward’s article on least priviledge located on theServerSide.Net which though short has spawned some comments that show the mood on the subject.

Even if you don’t take the advice at least know the issue.

If you haven’t used it yet then you should get to know this tool.  If you have then you should be happy to know that the final 1.0 version of AuthDiag is now available at http://download.microsoft.com/download/6/c/9/6c96682c-8449-4112-a089-3b98c0035d0c/AuthDiag.msi

When you are using Windows Authentication for a web site it can be mind numbing to figure out what is causing access denied problems, especially if you aren’t a security expert.  While it is an unsupported tool, it usually provides enough to get you past your access control configuration issues.

This link is to the i386, 32 bit version of the application.  If you need a 64 bit version (there are different installers for AMD and Intel 64 bit chips) drop me a line and I will hunt down the URLs for you.