The PHP Cult

Shamelessly promoting PHP, Myself, and my services

A study in Social Engineering

There’s a really good paper that won the first annual Security Best Practices competition held by FIRST (www.first.org) and the CERT Coordination Center. The paper is from Taiwan and shows a very interesting methodology of study and, more importantly, a means of educating the human. As the paper says: “Social engineering concentrates on the weakest link of the computer security chain, which is also the most essential part of the security component: human.” You owe it to yourself to read it, and to try to implement something educational within your organization. Your security patches will have no effect against a good social engineer.

  • 1 Comment
  • Filed under: php, security, web
  • Basically, if you need a job, or hate your current job, and have time to commit, and if you’re a professional, or just disciplined and care about every little thing you do.. or if you just want to work with me.. :

    Geneva Data, an Internet Security company, is looking for a PHP developer to work on a unique project in San Antonio, Texas.
    We’re open to full-time, part-time, contract, consulting or project work. We just want the most innovative local PHP programmer available (with experience).

    “Experience” means you can show us proof of your work … whether you have been in the workforce for 6 months or 60 years.

    “Innovative” means that you’ve never encountered a problem that you couldn’t solve. We appreciate individuals who experiment with new technologies on personal projects. Creativity is a plus with us.

    • MySQL and/or Linux proficiency is a further plus.

    • Experience with Internet Security is a HUGE plus (you know how to use tcpdump etc).

    • Local (San Antonio) or in-state (Texas) candidates preferred.

    So, if this sounds interesting to you, please contact me: vid at phpcult dot com.

  • 0 Comments
  • Filed under: mysql, php, security
  • Secure is, as Secure does.

    BlogSecurity brings up an interesting point about blogs and security. As vulnerabilities are found, patches are issued, but how does one educate the end user about these patches? I recently found an old site of mine, which I had put up to test a shared hosting provider, defaced. The reason? A vulnerable version of WordPress. I was able to patch the hole and fix the problem relatively easily, but what about Joe Blogger? He’s more passionate about politics than about the blogging tool he uses; more than likely he doesn’t even log in to the administrative interface, but uses a third-party app to post to the blog. How do we let this person know that he’s vulnerable? Operating systems have some version of “software update”. Desktop applications have a way of checking for “newer versions”, which can then help you decide whether you want to upgrade or not, but web-based software normally doesn’t have anything like this.

    SugarCRM seems to be the only thing that can check for a newer version of itself and then try to patch itself. So.. should non-technical people be forced to use a hosted/managed service? (This is a dumb question.. please don’t answer it).. or should there be a standard way of letting package users know about updates?

    Example: WordPress.

    Every time you post, when WP hits Ping-O-Matic, it should also hit Automattic and do a version check. Automattic should ping back with one of three answers: your version is

    a: current

    b: old

    c: Critically vulnerable

    Based on these responses, the user is notified via email for answer b. For answer c, WordPress goes into read-only mode: no new posts, no comments, until the user acknowledges the threat and does something about it.

    To make it extra annoying, we allow the user to say “OK, I’m aware of the bug, but I want to post anyway”, but right after that post we go back to read-only mode. So the user can continue to use the software, but we now have a web version of the shareware nag screen. I’m not sure how well this will work, or if it’s even a good idea.

    It would be impossible to implement this idea on the already insecure installs out there, so it would address the needs of the future but not the existing vulnerable installations. I don’t think this alone will solve the problem; it may even create a new one, until we figure out a sane way of doing this..

    So.. I guess I’ll ask you guys what you think.. I have no clue, I’m going to go back to my corner now..:)

  • 2 Comments
  • Filed under: php, security
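    Here is the check-and-lock policy from that post sketched out in PHP. This is an added example written for this page, not WordPress or Automattic code: the update endpoint URL, the JSON reply shape and the three status words are assumptions, and the blog state is an in-memory array where a real install would use the options table. Two things the post leaves implicit are made explicit here: a reply that can’t be fetched or parsed is treated as “old” (the owner gets mailed but is not locked out by a flaky network), and the one-post override unlocks publishing only, never comments.

```php
<?php
// Added example, not part of the original post. The endpoint, the reply
// format {"status": "..."} and the status words are assumptions.
declare(strict_types=1);

const STATUS_CURRENT  = 'current';   // answer a
const STATUS_OLD      = 'old';       // answer b
const STATUS_CRITICAL = 'critical';  // answer c

/**
 * Ask the (hypothetical) update service about $installedVersion.
 * $fetch is injected so the example runs offline; in production it would
 * be an HTTPS GET. Anything that is not a recognised reply maps to "old":
 * the owner is warned, but a network hiccup can never lock the blog.
 */
function checkVersion(string $installedVersion, callable $fetch): string
{
    $url   = 'https://updates.example.invalid/check?v=' . rawurlencode($installedVersion);
    $raw   = $fetch($url);
    $reply = is_string($raw) ? json_decode($raw, true) : null;
    $status = $reply['status'] ?? null;

    return in_array($status, [STATUS_CURRENT, STATUS_OLD, STATUS_CRITICAL], true)
        ? $status
        : STATUS_OLD;
}

/** Apply the service's verdict to the persisted blog state. */
function applyStatus(array $state, string $status): array
{
    $state['status']           = $status;
    $state['one_post_allowed'] = false;
    switch ($status) {
        case STATUS_CURRENT:
            $state['read_only']    = false;
            $state['notify_email'] = false;
            break;
        case STATUS_OLD:
            $state['read_only']    = false;
            $state['notify_email'] = true;   // answer b: just mail the owner
            break;
        case STATUS_CRITICAL:
            $state['read_only']    = true;   // answer c: no posts, no comments
            $state['notify_email'] = true;
            break;
    }
    return $state;
}

/** "OK, I'm aware of the bug, but I want to post anyway": unlocks one post. */
function acknowledgeThreat(array $state): array
{
    if ($state['status'] === STATUS_CRITICAL) {
        $state['one_post_allowed'] = true;
    }
    return $state;
}

/**
 * Gate in front of the publish action. Returns [allowed, newState].
 * After the single permitted post the blog drops straight back to
 * read-only, which is the "nag screen" behaviour the post describes.
 */
function tryPublish(array $state): array
{
    if (!$state['read_only']) {
        return [true, $state];
    }
    if (!empty($state['one_post_allowed'])) {
        $state['one_post_allowed'] = false;  // consumed; locked again
        return [true, $state];
    }
    return [false, $state];
}

/** Comments have no override: they stay closed while the install is critical. */
function commentsAllowed(array $state): bool
{
    return !$state['read_only'];
}

// Constructed walk-through with a fake fetcher that answers "critical".
$fakeFetch = fn(string $url): string => json_encode(['status' => 'critical']);
$state     = ['status' => STATUS_CURRENT, 'read_only' => false, 'notify_email' => false];

$state = applyStatus($state, checkVersion('2.0.1', $fakeFetch));
[$first, $state]  = tryPublish($state);   // false: blog is read-only
$state = acknowledgeThreat($state);
[$second, $state] = tryPublish($state);   // true: the one acknowledged post
[$third, $state]  = tryPublish($state);   // false: locked again
var_dump($first, $second, $third, commentsAllowed($state));
```

    One caveat the post doesn’t mention: the verdict only means something if the reply is authenticated (TLS to the update host at minimum, or a signed reply). An unauthenticated check can be downgraded from “critical” to “current” by anyone on the path, and, the other way round, a forged “critical” would lock blogs into read-only mode.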