Bugs! resources

Given enough eyeballs all bugs are shallow

General information on Bugs!, software engineering, quality assurance and testing

Thoroughly recommended: Testing Computer Software by Cem Kaner, Jack Falk and Hung Quoc Nguyen is one of our all-time favorite computer books. As you might be able to tell from the cover shot, our 1993 Second Edition is well thumbed and slightly dog-eared but still has enormous practical value to this day. Better than that, it’s an entertaining read on an otherwise rather dry and (dare we say it) boring subject. This classic tome has been republished and reprinted by Wiley - grab yourself a copy while you still can (~$53 from Amazon) ... and protect the cover. Alternatively, try Cem Kaner’s 2003 book Lessons Learned in Software Testing.

Worth a good look: Build Security In is a website devoted to helping programmers develop secure code. It is a DHS and SEI initiative, meaning both funding and a solid pedigree.

Microsoft is changing Office to improve users’ ability to control access to documents etc. (digital rights management). Unfortunately, it appears that the Word functionality to password-protect document edits can be bypassed by editing the document file with a hex editor. “(When) you use the Password to Modify feature, the feature is functioning as intended even when a user with malicious intent bypasses the feature,” the technical support document explained. “The behavior occurs because the feature was never designed to protect your document or file from a user with malicious intent.” This is surely one of the most blatant “It’s not a bug, it’s a feature” cop-outs we’ve ever seen!

‘It’s the things that you don’t test that go wrong’ is a lesson from this story about NASA’s Huygens lander. “We have a technical term for what went wrong here,” John Zarnecki of Britain’s Open University explained. “It’s called a cock-up.” The ground team didn’t have the budget to complete testing of the communications systems before the probe was launched, relying on simpler in-flight tests later. An engineer’s nagging doubts led him to insist on not just testing Cassini’s radio receiver with a simple carrier, but simulating the data modulation as well. His hunch paid off with the discovery of a subtle problem caused by Doppler shift differences between the carrier and the modulation. [Hinson tip: watch out for a future film of this remarkable story, no doubt starring Tom Hanks or Harrison Ford ...]

Curious how to report Microsoft bugs? Try this site.

Testing is of course just one means of dealing with Bugs! but don’t forget the distinction between Quality Assurance (meaning building and implementing structured and managed production processes so as to improve the quality of the product, also known as Right First Time or Continuous Improvement) and Quality Control (meaning testing and identifying defective products, removing them from the production line before they reach customers, also known as Break Fix mentality). ‘Right first time’ makes just as much sense for software as for hardware.

Simson Garfinkel summarized some of the worst bug-related incidents stretching back several decades.  Bruce Tognazzini collects details on well-known bugs. Read about 50 well-known bugs.

“I believe in bugs (I truly believe in bugs)” - a song by Ivor Cutler - is one of several bug-related tracks listed at artofthemix.org and “The Bug” is a novel by Ellen Ullman. Arthropologists presumably study bugs as in arthropods (a.k.a. creepy crawlies).

NIST Special Publication 800-64 explains Security Considerations in the Information System Development Life Cycle. SP 800-42 is a Guideline on Network Security Testing.

Security-relevant Bugs! & vulnerability management

Recommended resource: Secunia.com is arguably the official reference site for security vulnerabilities. Should you need persuading that bugs are a serious security issue, just take a peek at Secunia or the Open Source Vulnerabilities Database and count the number of vulnerabilities announced in a day (pick a day, any day).


Recommended resource: Hacking Exposed - Network Security Secrets & Solutions by Stuart McClure et al. is another useful book on the subject of Bugs!, with a particular emphasis on bugs that cause security vulnerabilities. Please visit our hacking links page for more information. (~$33 from Amazon)

According to a research project reported in Network World, “Vendors are making mistakes when they write programs for Windows”. The project identified security vulnerabilities in mainstream Windows programs such as AOL Instant Messaging. 

NIST’s National Vulnerability Database reports an average of 8 new security vulnerabilities every day, with over 12,000 already listed. It’s not difficult to see that keeping track of new vulnerabilities, assessing whether they are relevant, testing and applying patches to all relevant systems is no trivial matter for the average corporation. Any organization that lacks adequate IT resources must surely struggle.

Special Publication 800-40 on Creating a patch and vulnerability management system is yet another outstanding document from NIST. It recommends creation of a Patch and Vulnerability Management Group, use of automated update facilities and tools (with due care given the associated risks), standardized IT platforms and quality assurance techniques to improve the patching processes.

Patching

Users of Oracle systems should double-check that the patches they think they have applied have in fact been successfully applied. Inconsistencies in the internal inventory of Oracle programs maintained by an Oracle installation, for example, may result in relevant patches being missed. Given the number of patches released by Oracle, this is a serious concern.

Oracle released over eighty critical patches in January 2006, setting tongues wagging in information security circles. One commentator provided, tongue-in-cheek, a template for Oracle’s next press release that might well have been useful when the software giant released a hundred more patches in October of the same year. Beneath the humor, though, runs an undercurrent of discontent at the company’s tardy response to notified vulnerabilities and the rather blatant marketing spin accompanying the company’s January announcement, just like so many before. Oracle, in turn, ’fessed up to their bug-fixing shortcomings, but whether the situation will ever be properly resolved remains in doubt. Other software vendors (yes, IsecT included!) face similar challenges.

A honeypot system running unpatched XP Home was compromised within ~15 minutes of web connection.  Get your patching processes up to scratch or face trying to explain to your stakeholders why you suffered avoidable information security incidents ...

Microsoft’s Security Program Manager Chris Budd explained Ten Principles of Microsoft Patch Management.  Chris clearly knows what he is talking about since Microsoft is rather well practiced at the fine art of patching ...

Kaseya, Patchlink Update, Ecora and Marimba are just some of the patch management products that help corporations apply relevant security patches consistently throughout their IT estates [we have no experience of any of them, do not endorse them and have no opinion about their suitability for your requirements!]

The third issue of IN(SECURE), The Digital Security Magazine, carries an article on security vulnerabilities, exploits and patches.

Microsoft’s HoneyMonkeys project is using XP PCs with various levels of patching to search for malicious download sites. If an original unpatched XP PC is affected by malware on visiting a website, an XP SP1 machine is sent to the same site to see whether the SP1 patch fixed the vulnerability. If that fails, an SP2 machine is tried, and so on up to the most recent fully-patched version of XP. If the latest version is still vulnerable, they are presumably facing a ‘zero day’ exploit, worth further examination. The project confirms the importance of maintaining version currency to minimize the level of known vulnerabilities.

Microsoft Update is Microsoft’s consolidated Windows and Office automated patching system. Previously, users had to check and update Windows and Office separately. The software also checks for driver updates (for some installed drivers, if not all).

Winpatch is a collection of scripts and utilities for patching Windows systems. Essentially, they check the registry to see whether patches have been applied and if not they apply them.

HFnetChk Pro from Shavlik is a commercial product for checking Windows security, including patch status. A cut-down version of HFnetChk is available for free from Microsoft (Microsoft Baseline Security Analyzer).

Nicholas Weaver, a researcher at Berkeley, published a paper on Warhol Worms (referring to their ‘15 minutes of fame’) in 2002 and early in 2003, along came SQL Slammer, right on cue. Reaching its peak multiplication rate just 3 minutes from release, Slammer was an amazingly efficient infection. “Companies deemed bastions of security--such giants as Bank of America, American Express and Microsoft, under its year-old Trustworthy Computing initiative--found their internal networks deluged with data from the Slammer attack.”

Origin of the term “bug”

Recommended reading: The first documented use of the term “bug” is ascribed to an entry in a machine log for the Mark II Univac in 1947. According to a story recounted by Rear Admiral Grace Hopper and noted in her lab notebook, a 2-inch moth was found to have crawled into the electromechanical computer system and expired under a relay that actuated, thus affecting the operation of the system. Grace Hopper inspired a whole generation of IT folk and gave us this insightful comment: “Some day, on the corporate balance sheet, there will be an entry which reads, ‘Information’; for in most cases the information is more valuable than the hardware which processes it.”

Poor quality telegraph operators were apparently known as bugs around the start of the 20th century.  The mechanical semi-automated telegraph senders sold by Vibroplex and others to make it easier to send accurate Morse code quickly are still known affectionately as bugs. It is conceivable that this contributed to the use of bugs meaning errors. Yet another possibility is suggested by the phrase “Don’t bug me”, in other words don’t bother or annoy me, implying that bugs are annoyances.

Covert surveillance (bugging)

Worried about your cellphone being used to bug you? Or worried you might be paranoid for even considering it? Read about the practical limitations on covert bugging using cellphones and the telltale signs if your phone really is being used as a bug.

Hardware bugs, as in covert transmitters designed to broadcast conversations or video, are available over the counter from retailers in some countries, and under the counter or over the web elsewhere.  For example, a cellphone that doubles as a bug (“spy phone”) was on sale over the Web for just $1,800 (curiously the original URL no longer works ...).

In the case of mobile phones with digital cameras, no PC connection is required: the user can simply photograph secret diagrams, designs and machine tools. This is an update on the old trick of leaving a standard mobile phone on the table in the negotiating room while the owner goes to the bathroom, having surreptitiously phoned a colleague or answerphone to record the conversation. It is technically possible (though probably illegal) to jam or disable mobile phones using radio transmissions, but procedural controls are generally cheaper and easier.

The IEEE ratified standard 802.3af for providing power over Ethernet cabling. If 802.3af is widely adopted and the facility is built into LAN equipment by default, covert LAN bugging devices (as well as legitimate LAN devices!) will no longer need to rely on battery power or be located near a mains power source ...

If you think covert video surveillance only happens in James Bond movies, discover the pros and cons of various miniature cameras along with the techniques used to conceal them and detect them.


Related NoticeBored links collections

Secure software development, change management, integrity, incidents, confidentiality, general information security


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.


Copyright © 2008 IsecT Ltd.