NextGov
Tech Insider
What's happening in the federal IT community

The Hacker Economy (1)
By Bruce McConnell  |  Friday, April 18, 2008 |  9:29 AM

Last week at the RSA Security Conference, several interesting workshops explored aspects of criminal hacking. One of them, conducted by Charlie Miller, examined the incentives for finding and disclosing vulnerabilities in enterprise software.

Imagine you are a Romanian software engineer with time on your hands, and you are able to find an unpatched vulnerability in an enterprise software program. The good news is that you can sell the information about the vulnerability for several times your monthly salary.

The bad news, for almost everyone else, is that the black market will pay far more than either of the two legitimate buyers. Neither the software's manufacturer nor vulnerability-purchase programs such as iDefense and TippingPoint, which buy vulnerabilities and package them so that corporate computer security departments can test for them, will pay as much.

TippingPoint's Zero Day Initiative tries to push vendors to patch their software through transparency. One of its pages, Upcoming Advisories, lists known but unpatched vulnerabilities in major vendors' products: the vendors have been notified but have not yet issued a patch.

A recent look showed 34 "high severity" vulnerabilities that had been pending, on average, for more than eight months after TippingPoint notified the vendors. Obviously, there is room for improvement. We'll talk more about why vendors are slow in a later post.

Comments

Good article!

What I find even more disconcerting and worrisome is that government agencies and their contractors are particularly slow to implement known fixes to security vulnerabilities. ICANN is one good example, as is my own home state, Texas. (I can provide examples if requested.) Yet there are solutions to the vulnerabilities this article listed as the 34 "high severity" vulnerabilities that government agencies are exposing us all to. One has to wonder why this lack of proper responsibility continues, and has for years now...

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@ix.netcom.com
My Phone: 214-244-4827

Jeffrey A. Williams  | Tuesday, April 22, 2008 |  10:02 AM