sudo

This is shamelessly lifted from Hugo Ferreira's blog, but I couldn't resist, since it clears up an important doubt :-)

Software security

"...the new revision of the IEEE’s Software Engineering Body of Knowledge (SWEBOK) will include software security as a fundamental concern in software engineering.

The SWEBOK is intended to document a common understanding of software engineering, and to act as a map to everything that anybody who designs, builds and tests software should know and understand.
...

The security updates in V3 of the SWEBOK look like they will wire security into requirements, design, construction, testing, maintenance, configuration management, software engineering management and processes, tools and methods, and software quality. Everywhere really. This is exactly right."

from the blog Building Real Software

SWEBOK site

Application Security Trends 2011

Very interesting:

Denim Group Provides Guidance on Application Security Trends for 2011

The list:

1. Mobile application security concerns will dominate headlines

2. Moving to the Cloud places enterprises at the mercy of corporate terms of service rather than the Constitution and Bill of Rights

3. Developing applications for the Cloud will present new security threats previously not considered.

4. The Payment Card Industry will continue to drive application security investment

5. Introduction of malware into iTunes / Droid Apps stores

6. Demand for application security talent will jump dramatically; the supply for said talent will grow at a slower rate

7. Utility systems will accelerate Smart Grid adoption with little or no attention paid to security.

8. Candidates for the next big application breach? The mid-size enterprise.

OECD report on "Reducing Systemic Cybersecurity Risk"

A new OECD report on “Reducing Systemic Cybersecurity Risk”. It is about cyber-security but takes a broad view, covering legal, political and educational aspects, among others. From a technical point of view it does not look that interesting.

http://www.oecd.org/dataoecd/3/42/46894657.pdf

Missing security researcher

A regular source for this blog is ZDNet's Zero Day blog. At first it was updated by Ryan Naraine; later I believe the team grew to three people and, for the past few years, it has been two: him and one Dancho Danchev. The latter is Bulgarian, lives in Bulgaria and, according to the blog, has been missing since August or September. The post suggests that his activities in the security field may have been inconvenient for the government or for some cyber-crime gang. It brings to mind the (fantastic) book "Fatal System Error" (Joseph Menn, 2010).

The post:
We need help with the strange disappearance of Dancho Danchev

cross_fuzz and DOM vulnerabilities

A fuzzer aimed at finding vulnerabilities in the DOM has been released. The author says it has already found many vulnerabilities in current browsers.

January 01, 2011

Announcing cross_fuzz, a potential 0-day in circulation, and more

I am happy to announce the availability of cross_fuzz - an amazingly effective but notoriously annoying cross-document DOM binding fuzzer that helped identify about one hundred bugs in all browsers on the market - many of said bugs exploitable - and is still finding more. The fuzzer owes much of its efficiency to dynamically generating extremely long-winding sequences of DOM operations across multiple documents, inspecting returned objects, recursing into them, and creating circular node references that stress-test garbage collection mechanisms.
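The crawl-and-recurse strategy the announcement describes, as an added example that is not cross_fuzz's own code: a miniature cross-document object-graph fuzzer that enumerates the properties of every object it reaches, calls methods with arguments drawn from the pool of objects seen so far, recurses into whatever a read or a call returns, and writes expando properties so that objects from the two documents end up pointing at each other. It runs under Node against a constructed DOM-like tree; FakeDocument, FakeNode, the MAX_NODES budget, the seed and the step counts are all assumptions of the example, not anything from cross_fuzz. In a browser the pool would instead be seeded with `document` and a frame's `contentDocument` and the same loop run against the real DOM.

```javascript
'use strict';

// mulberry32: small seeded PRNG, so a crashing run can be replayed from its seed.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed stand-ins for Document and Node (assumed API subset, not a real DOM).
// The node budget lives outside the objects so expando writes cannot disable it; it
// stops deep cloneNode() chains from exploding once the fuzzer has corrupted the tree.
const MAX_NODES = 2000;
let nodeBudget = MAX_NODES;

class FakeNode {
  constructor(tag, doc) { this.tagName = tag; this.ownerDocument = doc; this.parentNode = null; this.childNodes = []; }
  get firstChild() { return this.childNodes[0] || null; }
  appendChild(n) {
    if (!(n instanceof FakeNode)) throw new TypeError('argument is not a Node');
    // Real DOMs reject cycles; the walk is bounded because parentNode may have been corrupted.
    for (let p = this, i = 0; p && i < 1000; p = p.parentNode, i++) {
      if (p === n) throw new Error('HierarchyRequestError');
    }
    if (n.parentNode instanceof FakeNode) n.parentNode.removeChild(n);
    n.parentNode = this;
    this.childNodes.push(n);
    return n;
  }
  removeChild(n) {
    const i = this.childNodes.indexOf(n);
    if (i < 0) throw new Error('NotFoundError');
    this.childNodes.splice(i, 1);
    n.parentNode = null;
    return n;
  }
  cloneNode(deep) {
    const c = this.ownerDocument.createElement(this.tagName);
    if (deep) for (const k of this.childNodes) c.appendChild(k.cloneNode(true));
    return c;
  }
}

class FakeDocument {
  constructor(name) { this.documentName = name; this.body = this.createElement('body'); }
  createElement(tag) {
    if (nodeBudget-- <= 0) throw new RangeError('node budget exhausted');
    return new FakeNode(String(tag), this);
  }
}

// Readable property names along the prototype chain, stopping before Object.prototype.
function propertyNames(obj) {
  const names = new Set();
  for (let o = obj; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    for (const n of Object.getOwnPropertyNames(o)) if (n !== 'constructor') names.add(n);
  }
  return [...names];
}

const PRIMS = [0, 1, -1, 2 ** 31, '', 'x', null, undefined, true];

// Drive `steps` random operations over a pool seeded with two documents. Returns the
// operation log (the reproducer), how many operations threw, and the objects reached.
function fuzz(seed, steps) {
  const rng = makeRng(seed);
  const pick = (arr) => arr[Math.floor(rng() * arr.length)];
  nodeBudget = MAX_NODES;
  const pool = [new FakeDocument('a'), new FakeDocument('b')];
  const seen = new Set(pool);
  const ops = [];
  let errors = 0;
  // Recurse into any new (non-array) object a read or a call returned.
  const remember = (v) => {
    if (v !== null && typeof v === 'object' && !Array.isArray(v) && !seen.has(v)) { seen.add(v); pool.push(v); }
  };
  const show = (v) => { const j = pool.indexOf(v); return j >= 0 ? `pool[${j}]` : JSON.stringify(v) ?? 'undefined'; };
  for (let i = 0; i < steps; i++) {
    const idx = Math.floor(rng() * pool.length);
    const target = pool[idx];
    const name = pick(propertyNames(target));
    let desc = `pool[${idx}].${name}`;
    try {
      const value = target[name];
      if (typeof value === 'function') {
        const args = [];
        for (let k = Math.floor(rng() * 3); k > 0; k--) args.push(rng() < 0.6 ? pick(pool) : pick(PRIMS));
        desc += `(${args.map(show).join(', ')})`;
        remember(value.apply(target, args));
      } else if (rng() < 0.3) {
        // Expando write: point this object at another one, possibly in the other
        // document, building the circular references that stress garbage collection.
        const other = pick(pool);
        desc += ` = ${show(other)}`;
        target[name] = other;
      } else {
        remember(value);
      }
      ops.push(`${desc} -> ok`);
    } catch (e) {
      errors++;
      ops.push(`${desc} -> ${e.name}: ${e.message}`);
    }
  }
  return { ops, errors, pool };
}

const demo = fuzz(1, 200);
console.log(`${demo.ops.length} ops, ${demo.errors} threw, ${demo.pool.length} objects reached`);
console.log(demo.ops.slice(0, 5).join('\n'));
```

Exceptions are expected and counted rather than treated as findings: with a real DOM, the interesting outcome is a renderer crash or assertion, and the operation log for the seed is what you hand to the browser vendor as the reproducer.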

CDNs and DDoS - part of the solution or part of the problem?

Content Delivery Networks (CDNs) are commonly believed to offer their customers protection against application-level denial of service (DoS) attacks. Indeed, a typical CDN with its vast resources can absorb these attacks without noticeable effect. This paper uncovers a vulnerability which not only allows an attacker to penetrate CDN’s protection, but to actually use a content delivery network to amplify the attack against a customer Web site. We show that leading commercial CDNs – Akamai and Limelight – and an influential research CDN – Coral – can be recruited for this attack. By mounting an attack against our own Web site, we demonstrate an order of magnitude attack amplification though leveraging the Coral CDN. We present measures that both content providers and CDNs can take to defend against our attack. We believe it is important that CDN operators and their customers be aware of this attack so that they could protect themselves accordingly.

News item in IEEE Spectrum
Paper

privacy oh privacy

"The US invokes the fight against terrorism to gain access to this information - not only the data on Portuguese identity cards, but also that in the DNA database, housed at the Instituto de Medicina Legal in Coimbra, whose software was installed by the US FBI."

http://dn.sapo.pt/inicio/portugal/interior.aspx?content_id=1747387

P.S. The MJ website leaves us much more reassured:

"The only “equipment” specifically obtained for the Database was a computer program - the CODIS program - which was in fact provided free of charge by the FBI."
http://www.mj.gov.pt/sections/informacao-e-eventos/arquivo/2010/3-trimestre/direito-de-resposta-do/