Open Source is NOT Bug Free


There are those in the open source software fan world that suggest that open source (and typically free) software is best because since the source code is available, people can look for bugs and fix them, resulting is bug free software.

The reality is not quite so simple.

While this statement is technically true, it is not true in practice.  Time and time again we run into very popular open source software with bugs – software like Open SSL which is installed on millions of computers.

That also does not mean that open source software is bad or overly buggy. It just means that it is software and all software needs to be validated.

AND, it also means that even if software is tested, it is not bug free.

OK, with that preamble, what are we dealing with today?

Google has an internal hacking team called Project Zero and they try to hack all kinds of software – including but not limited to Google’s own software.  This week team member Andrey Konovalov was playing with the USB drivers in the Linux kernel.

When someone mentions the words BUG and KERNEL in the same sentence, it should get your attention.  The kernel is the most privileged and most sensitive part of any operating system.

Andrey identified 14 bugs in the USB drivers that have been assigned bug ID numbers so far.  He has also requested another 7 numbers for additional vulnerabilities that he has identified.  On top of this, he says there are probably another 20 that have not been fully researched yet.  That puts the number of likely bugs in a very sensitive part of the Linux OS at around 40.

And remember, this is just in one part of the operating system.

So the next time someone tells you that open source means bug free, you can pull out a copy of this post.

Also, it is important to remember that Linux is an INCREDIBLY popular piece of open source software, used by hundreds of millions of people (It is the core of all Android phones).  If it is not bug free, is it reasonable to think that some other piece of open source software used by 10s of people IS bug free?  I don’t think so.

So, like with everything else, Caveat Emptor is appropriate response.

Information for this post came from Bleeping Computer and The Register.

Facebooktwitterredditlinkedinmailby feather

What Do You Get for $7.55 Billion?

This year the TSA’s performance is better than last year.

Last year, it has been reported, TSA checkpoints failed to detect contraband 95% of the time.

That means for $7+ billion, TSA agents only stopped 5% of the stuff that was not supposed to be allowed on board.

This year, according to reports, the number is in the neighborhood of 80% failure, meaning that the bad guys have a 4 out 5 chance of getting contraband on board.

That makes me feel safer, for sure.

The briefing, before the House Committee on Homeland Security, was classified. I think the bad guys understand that their odds are good in getting stuff through the checkpoints.  The reason the hearing was classified, no doubt, is they probably discussed what types of things were least likely to be detected and techniques that they used.

This year, instead of using specially trained red teams during the test, they used secretaries and clerks.  You would think that might improve the odds of getting caught, but apparently not.

Rep. Mike Rogers told TSA administrator David Pekoske that “this agency that you run is badly broken”.

That would qualify as an understatement.

Of course, none of this is news to those of us in security.

Going back to when Mary Schiavo was the Inspector General of the Department of Transportation, corruption, fraud, incompetence and abuse in the DoT was being exposed.  Schiavo had over 150 convictions during her 6 years as IG.

TSA “red teams” have been trying to sneak stuff through checkpoints for 15 years.  In 2015, the TSA screeners failed in 67 out of 70 tests, according to leaked reports.

This years is a tad bit better, but still, the odds of getting contraband through – including guns and explosives – is insanely high.

It might also be useful to understand that the so-called “9/11” security fee that is added to every airplane ticket has been mostly diverted to other purposes and is not used to pay for or improve security or buy new screening devices.

Because the 9/11 fee is being diverted to items like building the border wall, security at airports is being degraded.  DHS Viper teams that use dogs to secure transportation facilities are being cut from 31 teams to 8 teams, for example.

I think I am going to drive on my next trip – it might be safer.

Information for this post came from ABC.

Facebooktwitterredditlinkedinmailby feather

PwC Study Shows Firms NOT Prepared for Cyber Attacks

Despite the constant news reports of cyber breaches, PwC says that business leaders are not taking this to heart, which means that your data is still at risk.

Price Waterhouse Coopers surveyed 9,500 executives in 122 countries and came up with the following –

  • 44% – almost half  – say that their firms have not created an overall cyber security strategy.
  • 54% – more than half – do not have an incident response program.  This means that they likely will look a lot like Equifax after their breach – a bit of a pinball in a pinball game as they bounced from one screw-up to another.
  • 48% have no employee awareness training.  This stat is amazing.  Given that people are at the root of most breaches and the affordability, even for small companies of cyber security training, that almost half of the companies do not train their employees is unbelievable.
  • 39% are very confident in their cyber attack attribution capabilities.
  • 40% say that an attack against their automation and robotics would disrupt operations and 39% say it would result in the loss of company or sensitive data.
  • 32% say an attack would produce a decline in product quality
  • 29% say an attack would result in a damage to physical property
  • 22% are concerned about harm to human life.  While this seems alarming, we have seen this when an attack takes out infrastructure.
  • Only 44% – less than half – say that their boards actively participate in their overall security strategy;  the rest still think it is an IT problem.
  • For consumers, more think that their email will be hacked (45%) than a flight will be cancelled (36%).
  • And, last (there are more in the report) 10% think that their information is secure.

What is your response to these questions?  Are you and your company ready for an attack?



Information for this post came from Mediapost.

Facebooktwitterredditlinkedinmailby feather

Trump Organization Hacked 4 Years Ago (And Didn’t Know It)

Reports are coming out that the Trump organization suffered a hack, Bigly, as the President would say, around four years ago and, we assume, did not know about it until a week ago.  The only alternative explanation is that they did know about and chose to let the hacker stay inside their network for four years.  Either explanation is problematic.

What happened?  The heart of any Internet based corporate world is DNS or the Domain Name System.   DNS is where you define every web site in the organization and all of the parameters of those sites.  If a hacker controls your DNS he or she can shut down access to your web servers or point them to a different place (such as to porn sites as we have seen in the past).

Apparently, based on reports shown to the media, hackers took over the Trump organization’s DNS and added hundreds of sub-domains under a variety of Trump domains.

These roughly 250 sub-domains were all hosted in Russia.  The Mother Jones article below provides a link to a list of those domains.

These domains were pointing to one of 17 IP addresses owned by the Petersburg Internet Network, known for hosting a lot of cyber criminals.

Two weeks ago a researcher came to Mother Jones with this information;  The anti virus firm Kaspersky (who has been in the news lately) said that many of those sub-domains were, in fact, serving up malware.  Last week a researcher tweeted about it.

Trump said that the domains were not CURRENTLY serving up malware (which appears to be true) and they have no association with those sub domains.  If that is true, then the only reasonable explanation is that they were hacked and didn’t know it.

I am sure there will be more about this in the news.

Information for this post came from Mother Jones.

Facebooktwitterredditlinkedinmailby feather

Trouble in Paradise

A couple of weeks ago I wrote about yet another breach at a law firm.  This time the firm was Appleby, a law firm based in Bermuda and home to the rich and famous – especially those that are looking for tax shelters and the similar.  Most of these tax shelters are legal but the optics of using them are terrible.  For many of the rich and famous, they don’t want the NOT rich and famous to know what they are doing.

So imagine what happens to a law firm (or any firm) that caters to those people who is hacked and threatened with disclosure.  They likely have some unhappy soon-to-be-ex-clients.

Well at least some of the 13 million plus hacked documents are now public and it paints an unflattering picture.  Likely legal, but very unflattering.

The hack is being called the Paradise Papers.  In sheer size, it is the number two breach, only surpassed by the Panama papers hack in 2016, which revealed 2.6 terabytes of data.  The Paradise Papers hack revealed 1.4 terabytes of data.

Among what was disclosed is:

  • Millions of Pounds from the Queen of England’s private estate has been invested in a Cayman Islands fund which makes questionable investments.
  • Extensive offshore dealings by Donald Trump’s cabinet members, advisors and donors, including substantial payments from a firm co-owned by Vladimir Putin’s son-in-law to the shipping group of US commerce secretary Wilbur Ross.
  • How Twitter and Facebook received hundreds of millions of dollars in investment that can be traced back to Russia.
  • The tax avoiding Cayman Islands Trust managed by the Canadian Prime Minister Justin Trudeau’s chief moneyman.
  • A previously unknown $450m offshore trust that has sheltered the wealth of Lord Ashcroft.
  • Aggressive tax avoidance by companies like Nike and Apple.

And on and on.

As I said, I assume that most of this is legal, but as people like President Trump and Prime Minister Theresa May have been talking about closing tax loopholes, the optics of this could not happen at a worse time.

According to reports, this does not appear to be state sponsored; just a hacker out to do a little “social justice”.

The message is that any business that stores sensitive information (and apparently the information stolen goes back 70 years) probably ought to look at how you are protecting it and improve that security – unless you want to be the next P papers – Pentagon Papers, Panama Papers, Paradise Papers ……..

I assume that there will be a large exodus of clients from this firm.

Information for this post came from The Guardian.


Facebooktwitterredditlinkedinmailby feather

NY Introduces Tough New Cyber Security Bill

New York already has one of the toughest cyber security regulations in the country, but it only applies to financial services firms like banks, mortgage companies and investment advisors.

After the Equifax breach, New York Governor Andrew Cuomo proposed that they add credit reporting agencies to the list of companies covered by the New York regulation called DFS 500.

This week New York Attorney General Eric Schneiderman proposed tough new legislation that would increase the coverage of New York law to all companies who handle non-public information of New York residents.  Schneiderman says that the update is needed.

The Stop Hacks and Improve Electronic Data SecuritY or SHIELD Act was introduced in both legislative houses.

Schneiderman said that his office received notice of 1,300 breaches in 2016, a SIXTY PERCENT INCREASE over the previous year.

Some business officials wondered how it would be enforced on out of state companies, but a similar requirement currently exists in a number of other states.

The law has modest penalties – up to $5,000 per violations or $20 per failed notification, up to $250,000.  Compare this to the new data privacy law in Europe which allows for fines of 20 MILLION Euros or more.

For small businesses of less than 50  employees and some other requirements would only have to implement security appropriate for the size of the company and the risk.

The law also says that companies that obtain independent certification of their security practices and achieve high marks would be immune from enforcement actions.  This is a great incentive to conduct annual cyber risk assessments.

The Business Council of New York State, a trade group of over 2,000 businesses said that businesses are not bad actors and are interested in protecting their customer’s data.   If that is true, they should be conducting an annual independent third party risk assessment anyway and if their program comes away with high marks, they have immunity.  So, if the do protect their customer’s data effectively, they have nothing to worry about from this bill, even if they do get breached.

Schneiderman has a reputation of being tough on companies that get breached and hackers who breach companies, so this new bill is not unexpected.

Information for this post came from

The text of the bill can be found here.

Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed