Sunday Jul 24, 2011

CVSS Worksheet

Common Vulnerability Scoring System (CVSS) is commonly used to rate security vulnerabilities. It helps system administrators prioritize response to security holes. Oracle provides CVSS ratings and base scores for most vulnerability fix announcements. You can calculate the score for a vulnerability using NIST CVSSv2 calculator. To use the calculator one must be familiar with CVSS v2.0 guide.

Here is an attempt to provide a simple, intuitive and illustrated worksheet to calculate CVSS v2 base score:

You can access the standalone CVSSv2 Worksheet here.

Monday Jul 28, 2008

Notes from the 20th FIRST conference in Vancouver

I was at 20th FIRST Conference Vancouver last month. Forum of Incident Response and Security Teams is a community of folks who work behind the scenes to keep the world running - from people securing your banks to people protecting your national infrastructure. Here are pointers to some of the interesting topics from the conference:
  • Fast Flux networks Fast Flux nets are where compromised computers are used to temporarily host malware.

  • A talk on "Applied Security Visualization" demoed state of art of network visualizations and tools. There is a live CD project called DAVIX which aggregates the tools.

  • An interesting demo was of "RFID hacking" - where Adam Laurie demonstrated duplicating company badges and electronic passports with gadgets that cost less than $100. He could take his scanner near a passport with RFID (aka E-passport) and display holder's information including passport photo

  • A Keynote presentation from former security chief of OLPC (One Laptop per child) talked about features of OLPC as something as a great advancement in security - for eg. the ability that only a open dialog box can open files! (BTW, that sounds very similar to what we call in the UNIX setuid - that only password command can change passwords)

  • A presentation about Mozilla development process talked about how testing is done: they are always running enormous number of test suites against the latest tree. They don't rely on the developers to do the testing for changes.

  • Honey spiders - that crawl spam and phishing sites in search of malware and execute or analyze them.

  • Atanai Sousa showed how a phishing malware operated in Brazil, giving insight into how the spyware and malware have an upper hand in capturing your bank passwords weather you type them or use any other practically useless mechanisms invented to circumvent keyboard spys.

Overall it was good listening to stories direct from people in the battleground, to get an understanding of real world problems and threats they face. It also gave a good opportunity to meet product security folks other companies and CERT folks from around the world - many whom we communicate over email daily.

Monday Jun 04, 2007

Desktop Two dot Oh

After listening to Prof. John Maeda recently, I had a look at his laws of Simplicity. As I had noted earlier in the story of OpenGrok, it is difficult to make things simple. Maeda's work provides a set of tools achieve simplicity in a more methodical way.

These laws are generic and I can see how they can make a difference to day-to-day things. I am interested in using them for software. Also because principles of Security intersect with Simplicity. Since simple things are considered more secure than complex things.

My eyes then turned towards the Gnome JDS desktop I was using and that seemed like a good subject to experiment with laws of Simplicity. At first each window has three boxes to represent itself! One on desktop as the window itself, again on the window list in bottom panel and again in workspace switcher. That lends to first law of reduction. There is also the "launch" main menu, that could be reduced too, since there are hundreds of applications and 90% of the time I only use few applications: terminal, browser, mail client...

That raises a question, do we really need a 200 megabyte desktop that comes with 100 tiny applications? or just a browser kiosk that can also run one or two other applications... I would call that Desktop 2.0, just like network is the computer, browser is becoming the desktop.

sayings of an hearer


« April 2014