
Monday, June 13, 2016

Software Security Design Flaws

An IEEE report notes that "the security of many systems is breached due to design flaws" rather than a particular coding mistake or unique bug.

Read the report here (pdf).

The recent bug bounty trend reflects the common approach of picking things apart to find mistakes and bugs, whereas the IEEE wants to identify and improve poor design practices. By uncovering the top security flaws found in software, developers can learn to write better code and spend less time fixing security problems after the fact.

Changing accepted practices around software design sounds like a goal that's a bit big, even if it is warranted. Things typically roll out as soon as they work, not as soon as they're safe. Security is someone else's problem, unless you make security products. Will this attitude ever change?

Here are the top software security flaws they identified:

- Assuming trust
- Weak authentication
- Authorizing before authenticating
- Processing control instructions from untrusted sources (and keeping data and control instructions together)
- Failing to explicitly validate data
- Failing to identify and protect sensitive data
- Using cryptography incorrectly
- Failing to consider user experience; prioritizing security over the needs of the user
- Increasing the attack surface by using external components
- Using static security implementations instead of flexible ones
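Two of the listed flaws, "Assuming trust" and "Authorizing before authenticating", can be shown side by side in a small request handler. This is an added illustration, not code from the IEEE report; the HMAC session token, the user table and the request dictionaries are constructed for the demo.

```python
# Added example (not from the IEEE report or this post): a "delete document"
# handler in a flawed and a fixed form. The flawed one trusts a client-supplied
# role and authorizes on it before the session is verified; the fixed one
# authenticates first and derives the role server-side.
import hashlib
import hmac

SECRET = b"constructed-demo-key"           # server-side signing key (constructed)
USERS = {"alice": "admin", "bob": "user"}  # server-side role table (constructed)


def sign(user: str) -> str:
    """Issue a session token of the form user:hmac so the server can verify it."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def authenticate(token: str):
    """Return the verified user name, or None if the token is forged or malformed."""
    try:
        user, mac = token.split(":", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def delete_flawed(request: dict) -> str:
    # Flaw: the role is taken from the client ("assuming trust") and checked
    # before the session is authenticated ("authorizing before authenticating").
    if request.get("role") != "admin":
        return "denied"
    if authenticate(request.get("token", "")) is None:
        return "denied"
    return "deleted"  # any authenticated user who claims "admin" gets through


def delete_fixed(request: dict) -> str:
    # Fix: authenticate the session, look up the role server-side, then authorize.
    user = authenticate(request.get("token", ""))
    if user is None:
        return "denied"
    if USERS.get(user) != "admin":
        return "denied"
    return "deleted"
```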

Monday, May 30, 2016

Security Researcher Discusses Cyber Arms Race

Cyber security researcher Mikko Hypponen talks about the cyber arms race at the Next Web conference, May 2016. He talks about a few specific recent events, among other things.



Friday, April 25, 2014

Cyber Crime Expert Discusses Today's Hackers (video)

Cyber crime researcher and writer Brian Krebs has a quick chat with CNN about global internet crime and the people behind it.



Monday, July 8, 2013

For The Record - NSA Leaks Tweets - June 2013

Although the Snowden/NSA/Prism leaks fall in line with things I'd normally tweet about, in this case I decided to keep my own to a minimum because of the predictable flood that would come due to the magnitude of the issue. I posted a total of 12 tweets over the last two weeks of June, starting the day of the first leak, linking to the original story.

June 06
Serious concerns: either the U.S. gov't hacked computers secretly, or the companies are lying (Guardian article) http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data

June 08
So many questions about U.S. hoarding data on innocent people, but we do know only a few senators saw this coming, the rest were too stupid.

June 09
Your government has enough info about you to successfully frame you for any crime, anywhere, any time. Have a nice weekend.

June 13
Once again, a key point missing from the NSA story is that databases get stolen. Huge danger when gov'ts compile data about innocent people.

June 15
Demand senator Lindsey Graham's email passwords, lol. He talks a mean game, now can he walk the talk? - https://secure.freedomworks.org/site/Advocacy?cmd=display&page=UserAction&id=1087

June 16
In case you missed it... The (supposed) PRISM logo used by the U.S. gov't is a stolen photo, lol - http://www.theregister.co.uk/2013/06/12/nsa_logo_scandal/

I wonder how many people in positions like Ed Snowden just keep their mouths shut and sell data to criminals and other countries.

Dear NSA: sounds like the terrorists have already won. They've got you spying on your own innocent citizens and lying about it under oath.

So... thousands of NSA "employees" (incl. subcontractors) CAN listen to phone calls any time they want, no warrant - http://news.cnet.com/8301-13578_3-57589495-38/nsa-spying-flap-extends-to-contents-of-u.s-phone-calls/

June 17
The world is right to be mad at the US, but don't lose sight of the cyber criminals still stealing credit cards, identities, etc. Be safe.

June 28
NSA says anyone using encryption is suspicious. Which means lawyers/doctors/accountants using secure email with clients are terror suspects!

June 29
Next NSA trick? Since terrorists can write letters, the NSA will pretty much have to start opening, copying, and resealing all postal mail.

Monday, July 16, 2012

You Must Be Joking: "Security" Questions?

Over the past few weeks I've been checking to see if some websites are allowing more secure passwords.

As a side effect of this, I came across a variety of "security" questions to be used for secondary identification and/or password reset requests. You've probably seen many of these.

The problem is most of the questions are about things that are either already public knowledge, or things that could easily be found out!

Don't you think all of the following information could be found in about two minutes by anyone who wanted it? Couldn't a smart network admin come up with better questions that only you would possibly know the answer to?

  • Your mother's maiden name
  • Your father's middle name
  • Your birth place
  • Your high school
  • Your high school mascot
  • The street where you grew up
  • Your favorite pet's name
  • Your first job or employer
  • Your first car (particularly obvious for young people, who may have only ever owned one!)

If everyone on Facebook knows the answer, maybe it's not a very good "security" question, lol.

Wednesday, November 10, 2010

URL Expander Add-on For Firefox

We all know that the shortened URLs found on Twitter and other sites can sometimes lead to malware, spamware, trojan, and hacking sites. Most of the time it is intentional, but it can also be accidental. By way of example, an official city tourism site that I follow on Twitter recently posted a bit.ly link that took me to a porn site! They were stunned when I brought it to their attention, and thanked me profusely.

URL shorteners are risky.

I've always felt that posting links on Twitter and blogs is very helpful, and try to do it often for my followers. Knowing the risks of shortened URLs, I actually make special efforts to post links that I can embed directly without having to shorten. I want my readers to see clearly exactly where any click will take them. Of course the problem is sometimes I want to link to something with a web address that's a mile long. Blog posts are definitely annoying to link to. Most blog platforms turn the entire blog title into the corresponding URL for that post, resulting in extremely long addresses full of dashes, and sometimes adding the date to make it even longer.

There isn't really a solution to the underlying problem - some sites have short URLs and some have long ones. The best you can do is protect yourself when clicking on someone else's link.

Thus I recently installed a Firefox add-on called Long URL Please. It automatically reveals all shortened URLs on every web page, with no need to do anything. It works with all the typical shortener services. Some comments from users on the Firefox plug-in site mention slow load times and system hangs, but I haven't encountered either in the week I've been using it. It works fine, and has removed any concerns I used to have about shortened and masked links. I can finally tell which links go to affiliate sales pitches and which ones go to news stories and blogs. It's fantastic.

I recommend it or a similar add-on to make your online travels safer. (... and I naturally assume you are using Firefox in the first place!)
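What an add-on like this does under the hood is follow the shortener's redirects to find the final destination without loading that page. The following is an added example, not the add-on's code: a resolver that walks the redirect chain with a hop limit and loop detection. The `fetch` callback is an assumption so the demo runs offline; a real implementation would issue HEAD requests and return the status and Location header.

```python
# Added example (not from the post or the Long URL Please add-on): follow HTTP
# redirects from a shortened link and report where it ends up. `fetch(url)`
# returns (status, location) and is injected, so the constructed table below
# stands in for real shortener responses.
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # bound runaway or looping redirect chains
REDIRECT_CODES = (301, 302, 303, 307, 308)


def resolve(url, fetch, max_hops=MAX_HOPS):
    """Return (final_url, chain, reason); reason is final, loop or too_many_hops."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return url, chain, "final"
        nxt = urljoin(url, location)  # Location may be relative to the hop
        if nxt in seen:
            return nxt, chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
        url = nxt
    return url, chain, "too_many_hops"


def same_host(a, b):
    """True if the destination stays on the host the link was posted under."""
    return urlsplit(a).hostname == urlsplit(b).hostname


# Constructed redirect table; these responses are made up for the demo.
DEMO = {
    "https://bit.ly/demo1": (301, "https://short.example/hop"),
    "https://short.example/hop": (302, "https://example.org/news/story"),
    "https://example.org/news/story": (200, None),
    "https://short.example/loop1": (302, "/loop2"),
    "https://short.example/loop2": (302, "https://short.example/loop1"),
}


def demo_fetch(url):
    """Offline stand-in for a HEAD request against the constructed table."""
    return DEMO.get(url, (404, None))
```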

Thursday, August 26, 2010

Stats: Javascript Enabled or Disabled

Another stat about the visitors to our highest traffic domains.


Javascript is generally enabled by default, but can be disabled within your browser settings. It is often used to determine which ads to show on a web page, set formatting and layout styles, and gather information about user activity.

So why would it be enabled or disabled?

Disabling it can considerably speed up web page load times, prevent piles of third-party advertisers from tracking things, and eliminate spyware & trojan risks.

Javascript is a two-way street: it sends data back to the server about the settings and usage of the browser and computer being used. Simply by looking at a web page without clicking on anything, Javascript is running.

"Java exploits" are currently being used quite often to piggyback trojans into computers. (Cell phones and PDAs are at risk too, because they are powered by Java and it can't be turned off. Blackberry/iPhone/cell hacking has become a new goldmine of identity theft because everyone stores all their phone numbers, contacts, emails, account logins, photos, and other personal info on them.)

We've also made the interesting observation that sites offering higher-ticket specialty products and services have noticeably higher rates of Javascript disabled (upwards of 30%). Should we assume these people are more security-aware in general, and/or more tech-savvy?

Are the above stats surprising? Higher or lower disabling than you'd expect?