Monday, June 18, 2007

Recent Security Events

It has been a while since I last wrote a blog entry, so I'll summarize some recent events:

* It was revealed that the TJX / Marshalls hack involving over 45 million credit card numbers occurred because they were using WEP, a protocol that the security community has known to be broken since 2001 (see page 219 of my book, and Slashdot for more info). Don't forget to get credit monitoring if you have ever shopped at a TJ Maxx or Marshalls department store! A group of banks has organized a class-action lawsuit against TJX, the criminals have gone on million-dollar shopping sprees, and the FTC investigation is in progress.

* In Bruce Schneier's May CRYPTO-GRAM, he asked whether or not we should have a security industry. While this might sound odd at first, if hardware and software products were designed correctly (securely), we perhaps wouldn't need additional hardware and software to secure our systems, nor an industry that produces such additional hardware and software. Applying his argument to programmers, writing secure code could be part of every programmer's job, and in some hopefully not-too-far future we shouldn't need so many "software security" experts. The goal would be, as per Bruce's suggestion, to "make IT products and services naturally secure out of the box." Of course, we may still need a few specialists to advance the "state-of-the-art," but largely I'd love to see safety and security be a regular part of every software engineer's job. "Foundations of Security: What Every Programmer Needs To Know" contributes to moving the world in that direction by making security part of every programmer's job.

* I helped co-author and publish a paper entitled "The Anatomy of Clickbot.A." (The paper is mentioned on Google's Blog and also got some press coverage.) It is a good read if you want to learn more about botnets.