      Default, Dear Brutus, Is in Ourselves

      By
      Peter Coffee
      -
      January 5, 2007

        Reading through the updates on the latest PDF-related security flaw, I found one key observation about the pathway to exploits with full access to local file systems. Quoting CTO Jeremiah Grossman at White Hat Security, a CNET story noted that

“For an attack to work, a malicious link has to point to an existing PDF file on the Web or on the target system. PDFs are abundant on the Net and finding one on a local system also isn’t hard: a sample PDF file comes with Acrobat Reader and is installed in a predictable location on PCs. [emphasis mine]”

        Again and again, attackers find their job made much easier than it ought to be by the plethora of junk–sample scripts, sample data, administrative tools, whatever–that applications install in predictable locations on people’s machines. We once saw one of our own international eWEEK “OpenHack” challenges won, at the last minute, by an attacker who was too tired to look up the default admin ID and password to an entry point he’d found on the system–and who just tried the most likely string, something <sarcasm>obscure</sarcasm> like “admin” I think it was–and got in.

        For some time, it’s been part of my product review strategy to change every single default value when installing things, intending to expose any unknowingly hard-coded directory paths or other values that ought to be subject to user control. Now, that’s not just a matter of being deliberately severe with a product: It’s a matter of making life more difficult for attackers, so that naive attack strategies don’t find you to be a soft target.
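The install-time habit described above, change every default and see what breaks, can be turned into a check that runs after deployment: compare what the vendor shipped against what is actually configured and flag anything still sitting at its factory value. The script below is an added example for this column, not code from eWEEK or from any product; it assumes a hypothetical INI-style application whose shipped defaults and deployed configuration are constructed here inline, and it treats an unchanged credential or an absent key (which silently falls back to the built-in default) as a critical finding.

```python
import configparser
from dataclasses import dataclass

# Vendor-shipped defaults for a hypothetical product (constructed for this
# example; not the defaults of any real application).
SHIPPED_DEFAULTS = """
[server]
listen_port = 8080
data_dir = /opt/app/data
samples_dir = /opt/app/samples

[admin]
user = admin
password = admin
"""

# A deployed configuration where the installer changed some values but not
# all of them (constructed).
DEPLOYED_EXAMPLE = """
[server]
listen_port = 9443
data_dir = /opt/app/data

[admin]
user = admin
password = correct-horse-battery-staple
"""

# A deployment where every shipped default was changed (constructed).
HARDENED_EXAMPLE = """
[server]
listen_port = 9443
data_dir = /srv/app-data
samples_dir = /nonexistent

[admin]
user = ops-x7
password = correct-horse-battery-staple
"""

# Keys whose default value is a credential; leaving these alone is the
# "admin/admin" case the column describes.
SECRET_KEYS = {"password", "passwd", "secret", "token", "api_key"}


@dataclass
class Finding:
    section: str
    key: str
    shipped_value: str
    severity: str  # "critical" or "warning"
    reason: str


def _parse(text: str) -> configparser.ConfigParser:
    # interpolation=None so a literal '%' in a value is not treated as a template.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _severity(section: str, key: str) -> str:
    # Anything under [admin] or any credential-like key is critical; an
    # unchanged path or port is a warning (it still makes the target predictable).
    return "critical" if key in SECRET_KEYS or section == "admin" else "warning"


def unchanged_defaults(shipped_text: str, deployed_text: str) -> list[Finding]:
    """Return every shipped default that the deployed config did not override."""
    shipped = _parse(shipped_text)
    deployed = _parse(deployed_text)
    findings: list[Finding] = []
    for section in shipped.sections():
        for key, default in shipped.items(section):
            if not deployed.has_option(section, key):
                findings.append(Finding(section, key, default, _severity(section, key),
                                        "key absent; program will use built-in default"))
            elif deployed.get(section, key) == default:
                findings.append(Finding(section, key, default, _severity(section, key),
                                        "value identical to shipped default"))
    return findings


def has_critical(findings: list[Finding]) -> bool:
    return any(f.severity == "critical" for f in findings)


if __name__ == "__main__":
    for f in unchanged_defaults(SHIPPED_DEFAULTS, DEPLOYED_EXAMPLE):
        print(f"{f.severity.upper():8} [{f.section}] {f.key} = {f.shipped_value!r} ({f.reason})")
```

Run against the constructed deployment it reports the unchanged data directory, the missing samples directory (which falls back to the shipped path) and the untouched admin user name; the hardened deployment produces no findings. The same comparison works for a real product once its shipped configuration file is used as the first input.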

        Address Space Layout Randomization in Microsoft’s Vista applies the same idea of making life more difficult for the bad guys at the lowest level of the machine, but it takes deliberate effort to do the same at higher levels as well. If we fail, as Shakespeare might have said, “default is not in our stars, but in ourselves.”

        Peter Coffee
        Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.