This week's tip: How Security Problems Happen
As computers and web-based software have become deeply integrated into our daily lives, so has a consciousness of security issues and the vulnerability of digital information. Even in the past few months, a number of high-profile breaches of computer security have been widely reported.
How do attacks happen? Although specifics vary, a surprising number of security breaches come through the same pathways -- just as a large number of residential burglars enter through the front door.
A new report from the SANS Software Security Institute has just been released analyzing the top security vulnerabilities reported during 2006. The report identifies three main programming errors which were responsible for most breaches. Even non-programmers can learn something from this report.
Error 1: Accepting input from users without validating it. If you sell your car to a dealer, he's probably going to pop the hood and make sure the vehicle contains an engine before he writes you a check. In the same way, a web-based application needs to ensure that any data it receives is safe before it uses it. In a simple case, attackers (usually automated software rather than actual human beings) can manipulate an insecure contact form on your website into sending spam. More serious attacks could result in exposing an entire database of customer information to the world.
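To make the contact-form case concrete, here is an added example (written for this tip, not taken from the SANS report or from any particular product) of the kind of check a programmer should put in front of a form that sends e-mail. The field names, length limits and sample inputs are all assumptions chosen for illustration. The point it shows is that a message header built from user input must be a single line of ordinary text: a form that passes raw input into headers can be turned into a spam relay, and refusing anything else closes that door.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example (not from the report or the newsletter): validating the
 * fields of a web contact form before they are handed to a mail-sending
 * routine. Limits and field names are illustrative assumptions. */

#define MAX_NAME_LEN    64
#define MAX_SUBJECT_LEN 120
#define MAX_EMAIL_LEN   254

/* A header field must be non-empty, within its length limit, and contain no
 * control characters. Carriage return and line feed in particular would let a
 * submitter start a new header line of their own choosing, so they are refused
 * along with every other control byte. Non-ASCII text (UTF-8) is allowed. */
bool valid_header_field(const char *s, size_t max_len)
{
    size_t n = strlen(s);
    if (n == 0 || n > max_len)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c == 0x7f)   /* CR, LF, NUL, ESC, DEL, ... */
            return false;
    }
    return true;
}

/* Deliberately simple address check: one '@' that is not the first
 * character, a dot somewhere after it that is neither first nor last, and
 * no whitespace anywhere. It is a sanity check, not a full RFC parser. */
bool valid_email(const char *s)
{
    if (!valid_header_field(s, MAX_EMAIL_LEN))
        return false;
    const char *at = strchr(s, '@');
    if (at == NULL || at == s || strchr(at + 1, '@') != NULL)
        return false;
    const char *dot = strrchr(at + 1, '.');
    if (dot == NULL || dot == at + 1 || dot[1] == '\0')
        return false;
    for (const char *p = s; *p != '\0'; p++)
        if (*p == ' ' || *p == '\t')
            return false;
    return true;
}

/* The three fields a typical contact form collects (assumed layout). */
struct contact_form {
    const char *name;
    const char *email;
    const char *subject;
};

/* True only when every field passed validation; the caller sends mail
 * only on true and otherwise shows the visitor an error. */
bool validate_contact_form(const struct contact_form *f)
{
    return valid_header_field(f->name, MAX_NAME_LEN)
        && valid_email(f->email)
        && valid_header_field(f->subject, MAX_SUBJECT_LEN);
}

#include <stdio.h>
int main(void)
{
    /* Constructed sample submissions: one ordinary, one carrying a line
     * break inside the address field, which the validator rejects. */
    struct contact_form ok  = { "Ada Lovelace", "ada@example.com",
                                "Question about pricing" };
    struct contact_form bad = { "Ada Lovelace", "ada@example.com\r\nX: y",
                                "Question about pricing" };
    printf("ordinary submission accepted: %s\n",
           validate_contact_form(&ok) ? "yes" : "no");
    printf("multi-line address accepted:  %s\n",
           validate_contact_form(&bad) ? "yes" : "no");
    return 0;
}
```

The design choice worth noting is that the validator decides what is allowed (a short, single line of text) rather than trying to list everything that is forbidden; the former stays correct as new tricks appear, the latter does not.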
What can you do? If you're responsible for having a website or application developed, discuss the security implications with your programmers and be sure they have a good understanding of how to handle these issues.
Errors 2 and 3: Buffer and integer overflows. In plain English, a buffer is a bucket of computer memory that's intended to hold a certain amount of information. If an attacker force-feeds more data than expected into a buffer, he can sometimes manipulate the computer into executing additional code. Similar attacks can be made by forcing the value of a number to become larger than the software is equipped to handle. Most of these kinds of attacks occur on system-level software that the average user has little control over.
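For readers who do write code, here is an added example (again written for this tip, not drawn from the report) of the two checks whose absence produces these errors. It is in C because that is the language most system-level software is written in. The message layout, buffer size and sample inputs are assumptions for illustration. The first function refuses to pour more into the bucket than it holds; the second refuses a length a sender declares that is larger than the data actually present; the third refuses a size calculation whose result would wrap around to a small number, which is the integer-overflow case.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not from the report or the newsletter). Each function
 * returns false instead of proceeding when the input does not fit, which
 * is the behaviour a program needs where the report's errors 2 and 3 occur. */

/* Copy a string into a fixed-size buffer only if it fits, terminator
 * included. The unsafe pattern this replaces is an unchecked strcpy. */
bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return false;              /* too big for the bucket: refuse */
    memcpy(dst, src, n + 1);       /* n + 1 <= dst_size, so stays in bounds */
    return true;
}

/* A message as it might arrive from the network (assumed layout): a length
 * the sender declares, followed by however many payload bytes were really
 * received. The declared length is under the sender's control. */
struct message {
    uint32_t declared_len;
    const unsigned char *payload;
    size_t payload_avail;
};

#define RECORD_MAX 256

struct record {
    unsigned char data[RECORD_MAX];
    size_t len;
};

/* Copy the payload into a fixed record. Both checks are needed: the first
 * keeps the copy inside the record, the second keeps the read inside the
 * bytes that were actually received. */
bool read_record(const struct message *m, struct record *r)
{
    if (m->declared_len > RECORD_MAX)
        return false;              /* would overflow the record buffer */
    if (m->declared_len > m->payload_avail)
        return false;              /* would read past the received data */
    memcpy(r->data, m->payload, m->declared_len);
    r->len = m->declared_len;
    return true;
}

/* Compute count * elem_size for an allocation, refusing when the product
 * cannot be represented. Without this check a huge count wraps to a small
 * number, a small block is allocated, and a later loop over the original
 * count writes far past its end. */
bool checked_mul_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

#include <stdio.h>
int main(void)
{
    char name[16];
    printf("copy of short string: %s\n",
           bounded_copy(name, sizeof name, "hello") ? "ok" : "refused");
    printf("copy of long string:  %s\n",
           bounded_copy(name, sizeof name,
                        "this string is longer than sixteen bytes")
               ? "ok" : "refused");

    /* Constructed message whose declared length lies about the payload. */
    unsigned char payload[4] = { 1, 2, 3, 4 };
    struct message lying = { 100000u, payload, sizeof payload };
    struct record rec;
    printf("record with false length: %s\n",
           read_record(&lying, &rec) ? "ok" : "refused");

    size_t bytes;
    printf("size for too many records: %s\n",
           checked_mul_size(SIZE_MAX / 2 + 1, sizeof(struct record), &bytes)
               ? "ok" : "refused");
    return 0;
}
```

Every refusal is reported to the caller rather than silently truncated, so the program can log the bad input and drop it; a quietly shortened copy would hide the very event an administrator wants to know about.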
What can you do? Immediately apply software patches as soon as they're released. Don't ignore that Windows Update icon that says you have updates to install. Install antivirus software and keep it up to date.
These measures will not make your software invulnerable to attack. Even well-designed programs can fall prey to a determined attacker, just as a well-secured home may be burglarized. But you should still lock the front door.