
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Being Secure is Not Easy

Building a system that is secure is a difficult prospect, but it is something that most people would assume about the Space Shuttle, modern fighter aircraft, and nuclear power plants - that they are secure systems.

Well, they aren't.

Even though it operates probably the most tested, reviewed, bug-free and analysed code base in existence, the Space Shuttle was only recently discovered to have a unique roll-over bug that would lead to an unknown condition if the Shuttle was in flight over New Year's Eve - New Year's Day.

Even though the ultra-modern fighters are only just entering service, a flight of F-22 fighters were forced to turn back to Hawaii after their flight computers exhibited chaotic behaviour after crossing the International Date Line.

Even though nuclear power plants are supposed to have their control systems isolated from external network influences (one solid SCADA design principle that should be applied), a US nuclear plant was manually shut down after two water pumps failed following an unknown spike of network traffic. While it was assumed that a faulty controller on another piece of equipment was at fault, the operators cannot rule out external traffic influences (i.e. they don't know where it came from).

These incidents are excellent examples of the problem surrounding secure software development: with the improvement of development tools, developers are producing bigger and better disasters, a concept being promoted by Professor Ross Anderson from the University of Cambridge in the UK. Professor Anderson also believes that security engineers need to know how things fail, and to study history to learn from past mistakes (just like licensed engineers do).

While the above cases provide three excellent examples of unexpected failures, it appears that 'security' companies can have problems of their own that still have not been addressed even after many months of notification.

McAfee Labs have picked up on some of the problems associated with VeriSign's assurance Seal that appears on many websites to indicate that VeriSign has validated the identity of that particular website (alongside the SSL certificate).

These are just a subset of the problems that Sûnnet Beskerming reported to VeriSign in December 2005. Those problems included not only that sites could put a seal on their main pages that pointed to any other validated site record, but also that it is possible to completely fake the record being pointed at.

This can easily be achieved by setting up a fake page to look like the VeriSign record, but it can also be done using VeriSign's own results.

20 May 2007
