Posts Tagged ‘Mozilla’

Technology companies dominate most trusted for privacy list

Tuesday, January 29th, 2013

Technology companies claimed half the slots on Ponemon Institute’s annual top 10 list of the most trusted companies for privacy. Hewlett-Packard ranked second, Amazon third, IBM fourth, eBay ninth and Intuit tenth.

American Express (AMEX) continued to reign as the most trusted company among the 217 organizations rated.

New tech entries on Ponemon’s top 20 most trusted list included Microsoft at 17 and Mozilla at 20.

In addition to ranking the most trusted companies, the Ponemon study reported that only 41 percent of consumers feel they have control over their personal information, down from 45 percent last year and from 56 percent in 2006.

Identity theft a top concern

The survey also noted that identity theft is a top area of concern among consumers: 59 percent of respondents said that fear of identity theft was a major factor in diminished brand trust, while 50 percent said notice of a data breach was a factor.

That could give impetus to the changes in U.S. immigration law proposed by a bipartisan group of Senators this week, although its identity card idea is already meeting with opposition from some.

The Ponemon rankings were derived from a survey of more than 100,000 adult-aged consumers who were asked to name up to five companies they believe to be the most trusted for protecting the privacy of their personal information.

Consumer responses were gathered over a 15-week period concluding in December 2012 and resulted in a final sample of 6,704 respondents who, on average, provided 5.4 discernible company ratings that represent 25 different industries.

More than 70 Web firms ask Congress to reassess IP stance

Tuesday, February 7th, 2012

More than 70 Web firms urged the U.S. Congress to step back, take a breath and reassess its approach to crafting new intellectual property laws.

The firms, including Mozilla, WordPress, Reddit, Startup Weekend, Cheezburger Network, O’Reilly Media and Twitpic, say that “[we] align ourselves with the more than 14 million Americans who joined us in opposition to the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA). Together we participated in the largest online protest in American history (currently estimated at more than 115,000 websites) because we believe these bills would have been harmful to free speech, innovation, cyber security, and job creation.”

It adds, “Now is the time for Congress to take a breath, step back, and approach the issues from a fresh perspective.”

Perhaps the key point the firms make is that, “Finally, any future debates concerning intellectual property law in regards to the Internet must avoid taking a narrow, single-industry perspective.”

The SOPA and PIPA bills came on the heels of powerful lobbying efforts by the movie and music industries to stop piracy. The bills were widely seen as over-reaching and full of potential for abuse that could compromise the Internet.

A massive online reaction by Web companies, the social media sphere and freedom of information advocates halted progress of the bills, at least temporarily.

Full letter.

 

Firefox losing the browser wars to Google’s Chrome

Friday, September 30th, 2011

By Allan Maurer

Google’s Chrome browser is poised to grab the number 2 browser rank from Mozilla’s Firefox, and I’m not surprised.

Do you use Mozilla’s Firefox browser or Chrome? I switched to Firefox from Microsoft’s Internet Explorer years ago, because at the time Firefox was faster and its add-ons made lots of online tasks quicker and easier. Now, however, I find Firefox seems to have bloated to the point where it has as many, if not more, problems than Explorer.

Not infrequently, when trying to reopen it, Firefox delivers that “Firefox is still running” message that more often than not requires restarting a computer. It is certainly slower than Chrome and will just freeze up for a second or two at times for no obvious reason.

I still like its add-ons, and changing browsers can be a pain once they’re set up to suit me – particularly if you work online as I do.

Chrome may overtake Firefox by December

Apparently, I’m not the only one doing more of my work (and play) via Chrome rather than Firefox (though I still haven’t switched entirely, despite considering it). StatCounter, the Irish firm that tracks browser use, shows that Chrome is on track to surpass Firefox by December.

In the first week of September (2011), Chrome boasted a 23.6 percent share of the browser market, while Firefox had 26.8 percent. Internet Explorer, for all its faults still the dominant browser (and, according to recent tests, the most secure, h’mmm), had 41.7 percent. Now that Explorer has adopted many of the best features of both Firefox and Chrome, it may be time to give it another try. Is it still suffering from the bloat that slowed it down and caused browser crashes?

Still, Chrome is gaining users so quickly, it wouldn’t be surprising to see it overtake IE. It gained eight percentage points since January, up 50 percent.

Firefox and IE both dropped 4 percentage points in the same period – obviously losing them to Chrome.

If these trends continue unabated, Chrome will pass Firefox by December.

So just what the heck happened to Firefox, anyway?

Even going by the different numbers measured by Net Applications, which pegs Firefox at a 22.6 percent share and Chrome at 17.8 percent, the pace of Chrome gains means it would bypass Firefox by mid-2012. Net Applications figures include the massive Chinese market.

So just what the heck happened to Firefox, anyway? Among other things, it seems to update every week or so, generally disabling a handful of incompatible add-ons every time (including a security plug-in). Lately, it will just stop loading new sites while I’m working. Earlier this week I had to grab the urls and move them to Chrome when it did that.

A Google search showed that others were having similar problems. Chrome, on the other hand, updates silently and without causing any troubles – so far.

At our recent Digital East conference in Tysons Corner, VA, one app development expert noted what should be obvious: software products have to work well, and if they don’t, people find something else – fast.

I’m not crazy about everything in Chrome. I’m used to finding the new tab button on the right, not the left, and I haven’t mastered all its eccentricities yet, although I will in short order if I finally make Firefox (or Explorer) my secondary browser and use Chrome as my primary one. I just hope they don’t, over time, junk it up to the point where its advantages disappear as they have with Firefox.

Bug Bounties: It’s a matter of business risk

Friday, January 14th, 2011

By David J. Maloney

Controversy has sprung up around the concept of bug bounties recently, most notably when Barracuda Networks announced its Bug Bounty program and joined the ranks of companies like Google and Mozilla. The practice involves offering monetary rewards to security researchers who privately disclose vulnerabilities back to the vendor.

The researcher is paid according to the severity of the security vulnerability disclosed. There seems to be some contention that, while this was okay for Google and Mozilla, a security vendor such as Barracuda has no business doing such a thing. Rather than steep ourselves in that controversy, let us take a look at the practice of the Bug Bounty itself.

What it isn’t

To begin our analysis of these bug bounty programs, we will identify what they are not. First and foremost, a bug bounty program is not a replacement for a proper Security Development Lifecycle (SDL). The SDL is a fairly recent development, pushed heavily by Microsoft to address the development practice shortcomings that resulted in so many security vulnerabilities in the past.

An SDL builds security concerns into every phase of the System Development Life Cycle (SDLC). This means security should be considered and discussed everywhere from the Requirements phase all the way to the Sustainment or Servicing phase. For more information on the Security Development Lifecycle, I would suggest consulting some of Microsoft’s writings on the subject (e.g., www.microsoft.com/security/sdl/ ). They have freely available materials on MSDN, as well as books on the subject.

The Bug Bounty concept is also not new or revolutionary. Mozilla and Google have been running such programs for many years. In fact, Netscape initiated its “Bugs Bounty” program in 1995 (see: web.archive.org/web/19970501041756/www101.netscape.com/newsref/pr/newsrelease48.html).

In addition, security company TippingPoint began its Zero Day Initiative (ZDI) in 2005 (see: www.informationweek.com/news/windows/security/showArticle.jhtml?articleID=192300822) .

ZDI paid researchers to disclose vulnerabilities responsibly through its third-party vulnerability brokerage, to foster and encourage responsible disclosure and to control the flow of vulnerability information. On an even simpler and more benign note, public bug trackers have existed on the Internet for a long time. While they did not reward disclosers in a monetary sense, they often credited those who found bugs in software, and they kept bug finders and researchers involved in the process of improving it.

Bug bounties are not a source of increased risk from Black Hat or malicious hackers. If you are a major software company or vendor such as Google, Microsoft, Mozilla, etc, you are already a target. Malicious hackers are already chewing away at your products looking for any weakness they can exploit. Some of them will sell these vulnerabilities on the black market, others will write malware, or carry out attacks on your customers based on these discoveries.

Addressing the issue proactively

These people are already making money by discovering these vulnerabilities and not disclosing them to you. By offering a monetary reward for responsible disclosure, you are not somehow inciting them to target you more. What you are doing is incentivizing legitimate security researchers to focus their efforts on your products and to take a responsible disclosure approach. In theory, this makes it more likely that a legitimate researcher will discover the same flaws as the malicious hackers and report them to you, the vendor.

This gives you an opportunity to address the issue proactively and to shorten the window during which those flaws can be exploited against your customers. The idea that being more open and transparent exposes you to greater risk is nothing more than the old “security through obscurity” argument. Anyone who still espouses that philosophy has failed to learn some very important lessons of the past 20 years.

Finally, bug bounties are not right for every company. Information Security is not just about finding vulnerabilities and technical flaws. At its heart, Information Security is Business Security.

Business Security centers on the concept of Risk Management. When deciding whether a bug bounty program is right for your company, you need to evaluate the risk. This involves, among other things, a cost/benefit analysis. What is the potential cost of running such a program?

Cost of not running such a program?

What is the potential cost of not running such a program? What is the benefit that is derived from this program? The answers to these questions are different for every company. In addition to the risk analysis for the company as a whole, these decisions apply on a more granular level. You must make decisions on what products are to be included in this program.

The cost/benefit equation will be different for a system designed to store or transmit sensitive data than for one that performs a trivial maintenance task. These answers are not always obvious at the vendor level, though, which is why a Bug Bounty program is far from a magic bullet. Many other things need to be in place.

An SDL should be a top priority if it is not already in place. A relationship needs to be maintained with your customers so that you understand how your product is being used. Your customers may also have IT Security teams that perform internal assessments.

You should have channels open to these customers to allow them to easily report any findings back to you, as well as a process for working with them to assure their concerns are addressed. In short, a Bug Bounty program is not a magic solution to the security dilemma.

Look for part Two: What it is, Monday.

David J. Maloney is a professional Security Engineer and Penetration Tester. He also acts as an independent security researcher in his spare time. He is a founding member of Hackerspace Charlotte and writes a small security blog at http://cosine-security.blogspot.com

There is a bounty on your applications

Tuesday, November 30th, 2010

By Anthony Haywood, CTO, Idappcom

In the last year a number of organisations have offered rewards, or ‘bounty’ programs, for discovering and reporting bugs in applications. Mozilla currently offers up to $3,000 for critical or high-severity bugs, Google pays out $1,337 for flaws in its software, and Deutsche Post is currently sifting through applications from ‘ethical’ hackers to approve teams who will go head to head and compete for its Security Cup in October. The winning team can hold aloft the trophy if they find vulnerabilities in its new online secure messaging service – that’s comforting to current users. So, are these incentives the best way to make sure your applications are secure?

At Idappcom, we’d argue that these sorts of schemes are nothing short of a publicity stunt and, in fact, can be potentially dangerous to an end user’s security.

One concern is that inviting hackers to trawl all over a new application prior to its launch simply grants them more time to interrogate it and identify weaknesses, which they may decide are more valuable if kept to themselves. Once the first big announcement is made detailing who has purchased the application, and where and when the product is to go live, the hacker can use this insight to breach the system and steal the corporate jewels.

A further worry is that, while on the surface it may seem that these companies are being open and honest, if a serious security flaw were identified would they raise the alarm and warn people? It’s my belief that they’d fix it quietly, release a patch and hope no-one hears about it. The hacker would happily claim the reward, promise a vow of silence and then ‘sell’ the details on the black market leaving any user, while the patch is being developed or if they fail to install the update, with a great big security void in their defences just waiting to be exploited.

Sometimes it’s not even a flaw in the software that causes problems. If an attack is launched against the application, causing it to fail and reboot, then this denial of service (DoS) attack can be just as costly to your organisation as if the application were breached and data stolen.

A final word of warning: even if the application isn’t hacked today, it doesn’t mean that tomorrow someone won’t be able to breach it. Windows Vista is one such example. Microsoft originally hailed it as the most secure operating system it had ever made, and we all know what happened next.

A proactive approach to security

IT is never infallible, and for this reason penetration testing is often heralded as the hero of the hour. That said, technology has moved on and, while still valid in certain circumstances, historical penetration testing techniques are often limited in their effectiveness. Let me explain – a traditional test is executed from outside the network perimeter, with the tester seeking applications to attack.

However, as these assaults all come from a single IP address, intelligent security software will recognise the behaviour because the source IP doesn’t change. Within the first two or three attempts the source address is blacklisted or firewalled, and all subsequent traffic is immaterial because everything from that address is seen and treated as malicious.

An intelligent proactive approach to security

There isn’t one single piece of advice that is the answer to all your prayers. Instead you need two measures, and both need to be conducted simultaneously if your network is to perform in perfect harmony:

Application testing, combined with intrusion detection

The reason I advocate application testing is that if a public-facing application is compromised, the financial impact to the organisation could potentially be fatal. There are technologies available that can test your device or application with a barrage of millions upon millions of iterations, using different broken or mutated protocols and techniques, in an effort to crash the system.

If a hacker were to do this, and caused it to fall over or reboot, this denial of service could be at best embarrassing but at worst detrimental to your organisation.
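The “barrage of millions of iterations using broken or mutated protocols” described above is, in practice, mutation-based fuzzing. What follows is an added example, not Idappcom’s technology or any code from the original post, that shows the idea against a constructed two-level record format: one parser trusts the count and length fields it is given, the other validates every declared value against the real message size. The wire format, both parsers, the mutation operators, the seed messages and the iteration count are all assumptions made for illustration; two thousand iterations is far short of millions, but enough to surface the failure mode.

```python
import random
import struct

# Constructed example. The record format, both parsers and the mutation
# strategy are assumptions for illustration, not any product's code.
#
# Wire format assumed here:
#   2-byte big-endian record count, then per record:
#   1-byte type, 2-byte big-endian payload length, payload bytes.


class MalformedMessage(Exception):
    """A controlled rejection of bad input. Raising this is correct behaviour;
    any other exception escaping a parser counts as a crash."""


def encode(records):
    """Serialise [(type, payload), ...] into the assumed wire format."""
    body = b"".join(struct.pack(">BH", rtype, len(payload)) + payload
                    for rtype, payload in records)
    return struct.pack(">H", len(records)) + body


def parse_unchecked(data):
    """Trusts every declared count and length, as a naive implementation would."""
    count = struct.unpack(">H", data[:2])[0]
    pos, records = 2, []
    for _ in range(count):
        rtype = data[pos]                                         # IndexError if count lies
        length = struct.unpack(">H", data[pos + 1:pos + 3])[0]   # struct.error if truncated
        records.append((rtype, data[pos + 3:pos + 3 + length]))
        pos += 3 + length
    return records


def parse_checked(data):
    """Same format, but every declared value is checked against the real size."""
    if len(data) < 2:
        raise MalformedMessage("short header")
    count = struct.unpack(">H", data[:2])[0]
    pos, records = 2, []
    for _ in range(count):
        if pos + 3 > len(data):
            raise MalformedMessage("truncated record header")
        rtype = data[pos]
        length = struct.unpack(">H", data[pos + 1:pos + 3])[0]
        if pos + 3 + length > len(data):
            raise MalformedMessage("declared length exceeds message")
        records.append((rtype, data[pos + 3:pos + 3 + length]))
        pos += 3 + length
    if pos != len(data):
        raise MalformedMessage("trailing bytes")
    return records


def mutate(data, rng):
    """One random mutation: bit flip, boundary byte, truncation or junk insertion."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif choice == 2 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)


def fuzz(parser, seeds, iterations=2000, seed=1):
    """Returns {exception name: first input that triggered it}; empty means no crash."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(seeds), rng)
        try:
            parser(sample)
        except MalformedMessage:
            continue                          # rejected cleanly, not a crash
        except Exception as exc:              # anything else is the failure we hunt for
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


# Constructed seed messages: one well-formed two-record message, one empty record.
SEEDS = [encode([(1, b"hello"), (2, b"world")]), encode([(7, b"")])]


def compare_parsers():
    """Fuzz both parsers with the same seeds; only the unchecked one should crash."""
    return fuzz(parse_unchecked, SEEDS), fuzz(parse_checked, SEEDS)


if __name__ == "__main__":
    unchecked, checked = compare_parsers()
    print("unchecked parser crashes:", sorted(unchecked))
    print("checked parser crashes:", sorted(checked))
```

The checked parser is the shape of the fix the fuzzer is pointing at: a declared count or length that the buffer cannot actually satisfy is rejected before it is used, which is also what stops the over-sized count from turning into the reboot-inducing denial of service described above.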

Intrusion detection capable of spotting zero-day exploits must be deployed, and then audited and tested to verify the recognition and response capabilities of your corporate security defences. This substantiates not only that the network security is deployed and configured correctly, but that it is capable of protecting the application you are about to make live, or have already launched, whatever service it supports – email, a web service, anything.

The device looks for characteristics in behaviour to determine whether an incoming request to the product or service is likely to be good and valid, or indicative of malicious behaviour. This provides not only reassurance, but all-important proof, that the network security is capable of identifying and mitigating the latest threats and security evasion techniques.
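Two of the behaviours described in this post, the blacklisting of a single source address after its first few probes and the per-request judgement of whether a request “looks” malicious, combine naturally in one detector. The following is an added example, not Idappcom’s product or any code from the original post: each request is scored on characteristics of its path, user agent and response code, the scores are accumulated per source address over a sliding window, and a source is blocked once its total crosses a threshold. The log format, the signal weights, the threshold and window, and the log lines themselves are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote

# Assumed "combined" access-log layout (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Per-request characteristics that suggest probing rather than use.
# Weights are illustrative choices, not values taken from any product.
PATH_SIGNALS = [
    (re.compile(r"\.\./"), 3, "path traversal"),
    (re.compile(r"(?i)union\s+select|'\s*or\s+1=1"), 4, "SQL injection marker"),
    (re.compile(r"(?i)/etc/passwd|cmd\.exe|/wp-admin/"), 2, "well-known probe target"),
]
SCANNER_UA = re.compile(r"(?i)nikto|sqlmap|nmap|masscan")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    req["status"] = int(req["status"])
    req["path"] = unquote(req["path"])   # decode first so %27 and ' are matched alike
    return req


def score_request(req):
    """Points and reasons for a single request, independent of any history."""
    points, reasons = 0, []
    for pattern, weight, label in PATH_SIGNALS:
        if pattern.search(req["path"]):
            points += weight
            reasons.append(label)
    if SCANNER_UA.search(req["ua"]):
        points += 2
        reasons.append("scanner user agent")
    if req["status"] in (401, 403, 404):
        points += 1                       # a lone 404 is harmless; a stream of them is not
        reasons.append("error response")
    return points, reasons


class SourceTracker:
    """Accumulates per-source points over a sliding window and blocks the
    source once the total reaches block_at."""

    def __init__(self, block_at=8, window_seconds=60):
        self.block_at = block_at
        self.window_seconds = window_seconds
        self.history = defaultdict(deque)   # ip -> deque of (timestamp, points)
        self.blocked = {}                    # ip -> reasons behind the decision

    def observe(self, req):
        ip, now = req["ip"], req["ts"]
        if ip in self.blocked:
            return "blocked"                 # already blacklisted; later traffic is ignored
        points, reasons = score_request(req)
        window = self.history[ip]
        window.append((now, points))
        while (now - window[0][0]).total_seconds() > self.window_seconds:
            window.popleft()                 # forget events older than the window
        if sum(p for _, p in window) >= self.block_at:
            self.blocked[ip] = reasons
            return "block"
        return "allow"


def run_detection(lines, **tracker_args):
    """Feed log lines through a tracker; returns {ip: [decision per request]}."""
    tracker = SourceTracker(**tracker_args)
    decisions = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is not None:
            decisions[req["ip"]].append(tracker.observe(req))
    return dict(decisions)


# Constructed sample log: a normal visitor, a scanner that announces itself,
# and a quieter directory brute-forcer whose only tell is the rate of 404s.
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Nov/2010:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Nov/2010:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 210 "-" "Nikto/2.1.5"',
    '198.51.100.7 - - [30/Nov/2010:10:00:03 +0000] "GET /logo.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Nov/2010:10:00:04 +0000] "GET /../../etc/passwd HTTP/1.1" 404 210 "-" "Nikto/2.1.5"',
    '203.0.113.9 - - [30/Nov/2010:10:00:05 +0000] "GET /login.php?u=admin%27%20or%201=1-- HTTP/1.1" 500 0 "-" "Nikto/2.1.5"',
] + [
    f'192.0.2.5 - - [30/Nov/2010:10:01:{i:02d} +0000] "GET /backup{i}.zip HTTP/1.1" 404 0 "-" "Mozilla/5.0"'
    for i in range(8)
]

if __name__ == "__main__":
    for ip, verdicts in run_detection(SAMPLE_LOG).items():
        print(ip, verdicts)
```

With these weights the self-announcing scanner is blocked on its second request and everything it sends afterwards is discarded, which is exactly why a test run from one static address tells you little about the application behind the filter; the quieter brute-forcer is caught by the sliding-window total alone, while the ordinary visitor’s single 404 never comes close to the threshold.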

While we wait with bated breath to see who will lift Deutsche Post’s Security Cup, we mustn’t lose sight of our own challenges. My best advice is that, instead of waiting for the outcome and relying on others to keep you informed of vulnerabilities in your applications, you regularly inspect your defences to make sure they’re standing strong with no chinks. If you don’t, the bounty may as well be on your head.

Anthony Haywood’s computing history began during the first computer revolution in the early 1980s, writing programs for the Sinclair ZX80 and the Texas Instruments TI99/4A. During the early 1990s Haywood worked for Microsoft in a cluster four team supporting their emerging products. Shortly after the release of Windows 95, Haywood was invited to join NetManage, a highly successful Silicon Valley based company providing internet technologies, which led to his joining Internet Security Systems (ISS).

Leaving ISS in 2002, Haywood founded his first network security company, Blade Software, pioneering the development of the ground-breaking “stack-less” network security assessment and auditing technology. It was this technology that became the foundation for the company’s IDS and Firewall Informer products, winning the coveted Secure Computing “Pick of Product” award two years running, with a full five-star rating in every category.

In 2004, Haywood founded his second network security company, Karalon. It was during this time that Haywood developed a new network-based security auditing and assessment technology. In 2009 he joined Idappcom Ltd. Haywood is currently the Chief Technology Officer of the company and is guiding its future development of advanced network-based security auditing and testing technologies.