RE: Why Easy To Use Software Is Putting You At Risk



Craig,

Let me clarify: when I said "Developers can add verification code before
they send code to libraries", I was implying that if a developer is using a
routine which has certain limitations (such as a routine taking source and
destination buffers & a copy length where the length cannot exceed the
destination buffer length) they can build in parameter verification before
calling the routine if they're not sure what will happen.

The verification code need not be at every routine call; it may be higher up
the call chain. The only variables within systems can be considered input;
it can be input as the result of a database query, a query to another device
or system, or data fed in by a user. Verification can take place at these
points of input to make sure the data is valid for the entire call chain.

Whilst source code scanners are useful for simple logic errors, I fully
agree that compilers introduce a level of uncertainty which makes source
code testing not sufficient (memories of an assembler that "optimized" out
some placeholder strings designed to be modified by another part of the
proprietary OS I was involved in writing come to mind; what fun that was
;)).

Black box testing can be used to eliminate many of the variables you
mention. If you run your tests against the compiled form of the
application, on the hardware you are going to deploy to, your tests (if
complete) will show up any hardware, OS, or compiler introduced problems as
issues. They may not pinpoint where the problem is, but they should show the
application is not behaving as it should.

I accept that very little is perfect and will last forever without a
problem, but in IT at the moment we seem to have problems getting things to
be problem free in a known environment out of the box, which is a long way
short of other disciplines.

Al.

-----Original Message-----
From: Craig Wright [mailto:cwright@xxxxxxxxxxxxx]
Sent: 24 February 2006 05:06
To: support@xxxxxxxxxxxxxxxxxx; dave kleiman; Darren W Miller
Cc: defendingthenet; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Why Easy To Use Software Is Putting You At Risk



Why the following is wrong "Developers can add verification code before they
send code to libraries"


The assumption is made that all libraries may be mathematically checked for
completeness and accuracy. Taking the assumption of perfect hardware aside
(i.e. forget Intel Pentium errors). Assuming that all compilers have been
created and mathematically proven (as none have been as yet - I would love
you to prove this point wrong - honestly I have been looking for one since
the 80's and I am still looking for one).

Assuming the perfect world for all other components (which is not the case).

Code is compiled by higher level languages to another form. To do this it
uses a parser. The idea (and this is I know simplified immensely) is to take
the high level language and create a context-free grammar (CFG). CFGs are
similar to, though more complex than, finite automata and trickier to
construct.

CFGs have an issue in that complex algorithms (i.e. code) create ambiguity.
Ambiguity results as there are generally several ways to create the same
string from a grammar. Such strings have several different parse trees and
thus several different meanings.


In some instances the result may be undesirable for certain applications
where a given programme should have a unique interpretation. When a grammar
generates some string ambiguously it is known that the grammar is ambiguous.

An example includes the following grammar;
<EXPR> -> <EXPR> + <EXPR> | <EXPR> x <EXPR> | (<EXPR>) | a

The grammar prior to this expresses the string "a+axa" ambiguously. It leads
to multiple parse trees. (check if you like).

We could in theory have all code developed along the lines of a Chomsky
normal form (look this up yourself if unsure). The issue is the cost. The
process involved with the computational analysis from all stages of the code
would have the resultant effect that we would still be coding at similar
levels to the 70's now (if even this far is doubtful).


The finite automata called pushdown automata are nondeterministic finite
automata with the addition of a stack. The context free grammar required to
either push or pop the symbol in the stack is computationally infeasible
without creating ambiguity.

I have not even got to the Church-Turing thesis and Alan Turing's model,
but I will jump ahead and let you read this off line.


A basis in determining decidable language needs to follow. Then we get on to
Turing-recognisable languages. Some of the issues here are the
computational insolvability of what you are proposing. Please see the
"Halting problem" for proof of this claim.

If you believe that these issues are decidable and determinate, please have
a look at the "Post Correspondence Problem" or PCP. Solve this and you WILL
be famous. There is mathematical proof in pure maths that a PCP is
undecidable. So if you do manage this feat you also take down the pillars of
science and maths at the same time. Good luck.

Finally you have to look at PSPACE completeness and EXPTIME in respect to
their effects in space complexity.


The simple answer is that the "let all code be good" argument is flawed. I
do agree that there are FAR too many unbounded buffers and race conditions
in code and there is little excuse for this. At the same time it is not
possible to completely remove error (at best) or ambiguity. Yes Microsoft
has something to answer for, but Linux is just as bad at the moment.


Here finishes lecture 1 on the theory of computation ;)

Regards
Craig


[1] Post, E. L., A variant of a recursively unsolvable problem, Bull. of the
Am. Math. Soc., 52, 1946.

[2] Ehrenfeucht, A., Karhumaki, J. and Rozenberg, G., The (generalized) Post
correspondence problem with lists consisting of two words is decidable,
Theoret. Comput. Sci., 21, 2, 1982.

[3] Halava, V., Harju, T. and Hirvensalo, M., Binary (Generalized) Post
Correspondence Problem, TUCS Technical Report No. 357, August 2000.

[4] Matiyasevich, Y. and Senizergues, G., Decision problems for semi-Thue
systems with a few rules, Proceedings, 11th Annual IEEE Symposium on Logic
in Computer Science, 1996.
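The ambiguity Craig points to in the grammar above can be checked mechanically rather than by hand. The following is an added example (not code from Craig's message or from any project in the thread): it counts the distinct parse trees a string has under exactly that grammar, EXPR -> EXPR + EXPR | EXPR x EXPR | ( EXPR ) | a, by trying every production at every position. A count greater than 1 is a concrete demonstration that the string is derived ambiguously. The function names and the sample strings are chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread: count the parse trees a string
 * has under the grammar Craig gives,
 *     EXPR -> EXPR + EXPR | EXPR x EXPR | ( EXPR ) | a
 * A string with more than one parse tree is derived ambiguously.  The
 * function names are hypothetical, chosen for this example. */

/* Number of distinct parse trees deriving s[lo..hi) from EXPR
 * (0 when that substring is not an EXPR at all). */
static unsigned long trees(const char *s, int lo, int hi)
{
    unsigned long n = 0;
    int k;

    if (hi - lo <= 0)
        return 0;
    if (hi - lo == 1)                                   /* EXPR -> a */
        return s[lo] == 'a' ? 1 : 0;
    if (hi - lo >= 3 && s[lo] == '(' && s[hi - 1] == ')')
        n += trees(s, lo + 1, hi - 1);                  /* EXPR -> ( EXPR ) */
    for (k = lo + 1; k < hi - 1; k++)                   /* EXPR -> EXPR op EXPR */
        if (s[k] == '+' || s[k] == 'x')
            n += trees(s, lo, k) * trees(s, k + 1, hi);
    return n;
}

/* Parse-tree count for a whole string; a result above 1 means ambiguous. */
unsigned long parse_tree_count(const char *s)
{
    return trees(s, 0, (int)strlen(s));
}

int main(void)
{
    /* Constructed sample strings; "a+axa" is the one from Craig's message. */
    const char *samples[] = { "a", "a+axa", "(a+a)xa", "a+(axa)", "a+axa+a" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s %lu parse tree(s)\n", samples[i],
               parse_tree_count(samples[i]));
    return 0;
}
```

For "a+axa" the two trees found are the ones a reader would draw by hand, a+(axa) and (a+a)xa, and the parenthesised forms each have exactly one. The count grows like the Catalan numbers with the number of operators (five trees for "a+axa+a"), so this brute-force walk is only for short strings; the usual way to remove the ambiguity is to split the grammar into precedence levels (one nonterminal for sums, one for products, one for atoms) so that every string has a single tree.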



-----Original Message-----
From: Al Sutton [mailto:asutton@xxxxxxxxxxxxxxxxxx]

Sent: 24 February 2006 8:33
To: Craig Wright; 'dave kleiman'; 'Darren W Miller'
Cc: 'defendingthenet'
Subject: RE: Why Easy To Use Software Is Putting You At Risk

Hi,

I too am very open to being proven wrong, but as a scientist I need solid
proof which involves cold hard facts, not statements such as "I can't go
into all the details for various reasons.".

I've been involved in many development projects, and at the end of the day
if a product ships with bugs from a library then it's the developer who is
responsible for their choice of libraries. The attitudes Darren describes
are typical in development; the "If it ain't in my code it ain't my problem"
is one of the most fundamental problems of current development mentality.
How many architects do you know that would design for the side of a hill
without making sure the hill could support their design, or design an
extension to a house without ensuring the house was sound? The same is true
of code: if you're writing software you need to make sure your libraries
support it securely; if not, then you're not doing your job. Developers can
add verification code before they send code to libraries, and if they have
concerns about a library this is what they should be doing (after all, why
rewrite a string copy routine when you just need to check that the length of
your copy is less than the length of your destination buffer?).

My view is that the original paper was FUD, intended or not; that's how it
appeared, that's how it read, and if it walks like a chicken and clucks like
a chicken people are going to call it a chicken.

Al.
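Al's point in this message and in his follow-up at the top of the thread is the same: check the copy length against the destination before calling the copy routine, and where possible do the check once at the point where the data enters rather than at every call. The block below is an added example in C (not code from Al or from any project in the thread) showing both: a copy wrapper that refuses an oversized copy instead of overflowing, and an input-boundary validator that rejects over-long data so that everything further down the call chain can rely on the bound. NAME_MAX_LEN, copy_fits, bounded_copy and validate_name are hypothetical names, and the two input strings are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread: the parameter verification Al
 * describes, done as (a) a check at the point where untrusted input enters
 * and (b) a copy wrapper that refuses rather than overflowing when a caller
 * skips that check.  NAME_MAX_LEN, copy_fits, bounded_copy and
 * validate_name are hypothetical names chosen for this example. */

#define NAME_MAX_LEN 16      /* longest name the rest of the call chain accepts */

/* The check made before calling the copy routine: len bytes plus a NUL
 * terminator must fit in a destination of dst_size bytes. */
int copy_fits(size_t dst_size, size_t len)
{
    return dst_size > 0 && len < dst_size;
}

/* Bounded copy: copies len bytes from src into dst and NUL-terminates,
 * but only if they fit.  Returns bytes copied, or -1 if the call is refused. */
long bounded_copy(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (dst == NULL || src == NULL || !copy_fits(dst_size, len))
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (long)len;
}

/* Length of s, scanning at most limit bytes (like POSIX strnlen, spelled
 * out here so the example stays plain ISO C). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Validation higher up the call chain: check a user-supplied name once at
 * the input boundary so every routine below it can assume a sane length.
 * Returns 1 and stores the length if acceptable, 0 otherwise. */
int validate_name(const char *name, size_t *out_len)
{
    size_t n;
    if (name == NULL)
        return 0;
    n = bounded_len(name, NAME_MAX_LEN + 1);   /* never scan past the limit */
    if (n == 0 || n > NAME_MAX_LEN)
        return 0;
    *out_len = n;
    return 1;
}

int main(void)
{
    char buf[NAME_MAX_LEN + 1];
    const char *good = "alice";                          /* constructed inputs */
    const char *bad  = "this-name-is-much-too-long-for-the-buffer";
    size_t n;

    if (validate_name(good, &n) && bounded_copy(buf, sizeof buf, good, n) >= 0)
        printf("accepted at input boundary: \"%s\"\n", buf);

    if (!validate_name(bad, &n))
        printf("rejected at input boundary (longer than %d bytes)\n",
               NAME_MAX_LEN);

    /* A caller that forgot validate_name() is still stopped by the wrapper. */
    printf("wrapper refuses oversized copy: %ld\n",
           bounded_copy(buf, sizeof buf, bad, strlen(bad)));
    return 0;
}
```

The wrapper returns a value the caller must look at; a copy that silently truncates would hide the same bug the check is meant to catch. Keeping the limit in one place (NAME_MAX_LEN) is what lets the single check at the input boundary stand in for checks at every call below it.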


-----Original Message-----
From: Craig Wright [mailto:cwright@xxxxxxxxxxxxx]
Sent: 23 February 2006 21:10
To: dave kleiman; Darren W Miller
Cc: Al Sutton; defendingthenet
Subject: RE: Why Easy To Use Software Is Putting You At Risk



Hello,

Dave stated; "Craig.. And be gentle Craig will pick apart opinions and bring
back factual information without batting an eye."

True and I am always open to being proved wrong. The thing is that I have to
be PROVED Wrong. Opinion and anecdotal evidence is not proof. Validated
points and correctly collected statistical data are.

As much as many people find this difficult to believe (even my wife) I enjoy
being proved wrong. It is both a learning opportunity for myself and a
demonstration that others are engaging in serious peer review processes
outside of academe.

In the past 20 years I have performed close to 5,000 engagements. At the
moment I am conducting one of the largest vulnerability and risk assessments
ever conducted in Australia in association with the Attorney General's CNVA
programme.

The first issue to address is yes you found a vulnerability and it was
exploitable. What is the risk? The impact threat vectors and other analysis
factors need to be considered. Vulnerabilities do not matter by themselves.
They create a risk potential. When you understand this you will both serve
your clients more effectively and also add value in a manner they will
understand. You need to sell to management. They understand finance and
risk. Vulnerabilities are FUD. They do not help.

As for engineering something not to fail. This is where I have an issue with
people who think they are engineers. Engineering is the process of building
something to a set specification. An example is giving a 95% Confidence
Interval of a 5 year expected life. It involves the analysis and design of
hazard functions and survival processes.

Regards,
Craig

PS this is about as nice as I get unless people actually seek to open their
minds and learn.


-----Original Message-----
From: dave kleiman [mailto:dave@xxxxxxxxxxxxxxx]

Sent: 23 February 2006 4:25
To: 'Darren W Miller'
Cc: Craig Wright; 'Al Sutton'; 'defendingthenet'
Subject: RE: Why Easy To Use Software Is Putting You At Risk

Darren,

I am going to explain this to you, since you are new here on this forum, or
at least I have only seen one or two of your posts go by recently. I am not
the forum moderator, nor do I have any influence over the posts that make
the forum.

First, I wanted to give you a friendly heads-up, because you are throwing
"articles" out to this forum and they are your opinion.

Secondly, I am a nice guy :), maybe you are taking this personally, but you
need to read through the archives, this is what we do here: debate!!


"""I don't have the time to keep this discussion (if that I what we are
actually having) going for an infinite amount of time""" You posted this to
a Security Discussion board, that is what we do here.

Do not get me wrong, you have the right to post almost anything you want
pertaining to security, but if you throw your opinion out here, expect to
have to defend it, and back it by fact. Because it is going to get torn up
by the professionals.

I have seen threads (that is what you started, a thread) go for 20-30 days.
See "Forensic/Cyber Crime Investigator" in the archives, it went from
mid-Jan until Feb 15th, and I thought Craig was going to kill me on that
one, but that is how this forum goes, you make a statement, expect educated
well-informed/experienced responses, a lot of them you will not agree with,
but will not be able to tap dance away from.

Craig.. And be gentle, Craig will pick apart opinions and bring back factual
information without batting an eye. He and I have gone toe-to-toe on many a
subject on this and other discussion forums.

Darren, I know you are used to posting articles at CastleCops where the home
user is the basic audience and nobody is retorting, but when you step into
this arena you will see some serious professionals in varying fields and
they will not let misinformation slide. You of course do not have to respond
to the responses, but expect even heavier discussion when you post and
disappear.

By the way if you were to post this at a higher level forum such as
pen-test, they would eat your below write-up for breakfast. But since you
left it off post, I did the same....however I know Craig loves pen-testing
so he may not.




Dave



-----Original Message-----
From: Darren W Miller [mailto:Darren.Miller@xxxxxxxxxxxxx]

Sent: Wednesday, February 22, 2006 20:06
To: Craig Wright; dave kleiman
Cc: Darren W Miller
Subject: RE: Why Easy To Use Software Is Putting You At Risk



Gentlemen,

I don't have the time to keep this discussion (if that is what we are
actually having) going for an infinite amount of time. But let me give you
a couple of high-level examples of what I am talking about here. The key
word is high-level, I can't go into all the details for various reasons.

In the last 3 months I have performed 5 assessments. Phase I of these
assessments involved penetration testing of external public facing systems.
Out of the 5, we achieved total systems penetration / compromise of 4. All
4 of these systems were web based services. All 4 of these systems were
compromised by exploiting "custom" code or modules. During post-assessment
meetings the developers (who were independents) were present. When they
were shown what modules were used to achieve the compromise every one of
them blamed it on other external modules they used (or re-usable code /
modules), and that they had no idea these bugs existed. They further
explained that some of the source code, at least the ones they had access
to, were so extensive and complex that they probably would never have found
the bugs. One gentleman even stated that it was not up to him to make sure
code developed by others is secure even if he is using that code. That did
not go over well in the meeting, trust me.

As far as "engineering something not to fail", I don't even think that is
possible at this point in time. Or ever will be. Quite frankly, if someone
were to tell me that a particular system, any system, was fail-proof, I'd
say that they were off the wall. Let me just include a couple of bullet
point items that may fall into this category of "complex systems" and
security:

1) Compromise of internal network systems using Citrix as an entry point.
End users thought that the Citrix remote desktop profiles were secure
because of how they were set up but never realized that flaws in something
as simple (or complex) as MS-Word would allow an isolated compromise to lead
to additional systems compromise.

2) System A interacts with System B which interacts with System C. End users
are aware, to an extent, about the flaws in systems A & B and their
interaction, but not aware of much regarding System C. In fact, they were
not even aware there was a System C. That interaction with System C resulted
in a security breach. In this case, complex systems interacting with other
complex systems, some of which were unknowns, leading to security breaches.

3) IT department decides to increase the overall security of authentication
methods so increases complexity rules and other related items such as
aging.... However, they have poor auditing measures internally and have no
idea that there are 150 user accounts for people who no longer work for the
company. Even though authentication measures / procedures have been changed
on the system, these particular accounts will not have them applied until
the next time they are used. Several of these accounts are compromised
because they don't meet even basic complexity rules for passwords. However,
the end user thought that the system would take care of this and force all
accounts to abide by the same rules immediately. Did not happen.

Here is the bottom line. Either I did a really poor job at trying to get my
message across in a high-level way, or I am just being totally
misunderstood. I would suggest it's a little of both based on this dialogue.

Note: One final point. I would rather you not make the statement that I am
using FUD as a selling tool. The fact is that is not true and is not my
intention. If either of you knew me personally you would know that. I would
never, and have never, made that kind of assumption without knowing for
sure. Quite frankly, I'm not sure I would make that kind of statement about
anyone, even if I knew for sure that is what they were all about.

Regards,

Darren W. Miller

-----Original Message-----
From: Craig Wright [mailto:cwright@xxxxxxxxxxxxx]
Sent: Wednesday, February 22, 2006 5:41 PM
To: dave kleiman; security-basics@xxxxxxxxxxxxxxxxx
Cc: Darren W Miller; defendingthenet
Subject: RE: Why Easy To Use Software Is Putting You At Risk






Hello

Here I have to state that I agree 100% and categorically with Dave.

FUD - Fear Uncertainty and Doubt - is a common tool used by vendors to sell
security. It is also one of the greatest threats to security today.

It makes people inured to security in the long run (i.e. cry wolf) and in
the short term results in a lot of technical solutions that generally fail
to address the issue.

NASA uses hazard and survivability models to determine risk. They do not
engineer to not fail - they just reduce the probability of an incident. What
needs to be remembered is that a 1 in a million occurrence happens all the
time in the real world. Even a 1 in a billion occurrence will happen daily
somewhere in the world. Welcome to the world of risk.

So as to the original post, how would complex software make you less risk
prone?

Regards,
Craig

-----Original Message-----
From: dave kleiman [mailto:dave@xxxxxxxxxxxxxxx]
Sent: 23 February 2006 2:23
To: security-basics@xxxxxxxxxxxxxxxxx
Cc: Darren.Miller@xxxxxxxxxxxxxxxxxxx; 'defendingthenet'
Subject: RE: Why Easy To Use Software Is Putting You At Risk

Inline....

-----Original Message-----
From: defendingthenet [mailto:mlapidus@xxxxxxxx]
Sent: 20 February 2006 14:35
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Why Easy To Use Software Is Putting You At Risk

Title
-----
Why Easy To Use Software Is Putting You At Risk

Can Easy To Use Software Also Be Secure
----------------------------
Anyone who has been working with computers for a long time will have
noticed that mainstream operating systems and applications have become
easier to use over the years (supposedly). Tasks that used to be complex
procedures and required experienced professionals to do can now be done at
the push of a button. For instance, setting up an Active Directory domain in
Windows 2000 or higher can now be done by a wizard leading even the most
novice technical person to believe they can "securely" set up the operating
environment.

Where does it claim that it is "securely" setting up AD in the wizard?

This is actually quite far from the truth. Half the time this procedure
fails because DNS does not configure properly or security permissions are
relaxed because the end user cannot perform a specific function.

Sounds like you have had this problem a few times, maybe you should not use
the wizard, or attempt AD setups.

Do you understand how to "securely" set up AD? For your comments here, I
would say no.

Instead of using the "sky is falling routine" suggest how to do these
things securely instead of saying "look how terrible this is".

If It's Easy To Develop, Is It Also Secure
--------------------------------------------------
One of the reasons why operating systems and applications "appear" to be
easier to work with than they used to is developers have created procedures
and reusable objects to take care of all the complex tasks for you.

Are you referring to shared code? In case you do not know what that is, it
is code that is shared by apps for the same routines.

For instance, back in the old days when I started as a developer using
assembly language and c/c++, I had to write pretty much all the code myself.

Are you suggesting your code was more secure back in the "old" days, when
security was not a concern in coding?

Now everything is visually driven, with millions of lines of code already
written for you. All you have to do is create the framework for your
application and the development environment and compiler adds all the other
complex stuff for you. Who wrote this other code? How can you be sure it is
secure? Basically, you have no idea and there is no easy way to answer this
question.

Secure Environments Don't Exist Well With Complexity
----------------------------
The reality is it may look easier on the surface but the complexity of the
backend software can be incredible. And guess what, secure environments do
not coexist well with complexity. This is one of the reasons there are so
many opportunities for hackers, viruses, and malware to attack your
computers. How many bugs are in the Microsoft Operating System? I can almost
guarantee that no one really knows for sure, not even Microsoft developers.
However, I can tell you that there are thousands, if not hundreds of
thousands of bugs, holes, and security weaknesses in mainstream systems and
applications just waiting to be uncovered and maliciously exploited.

How Reliable and Secure are Complex Systems?
----------------------------------------------------------
Let's draw a comparison between the world of software and security with
that of the space program. Scientists at NASA have known for years that the
space shuttle is one of the most complex systems in the world. With miles of
wiring, incredible mechanical functions, millions of lines of operating
system and application code, and failsafe systems to protect failsafe
systems, and even more failsafe systems to protect other systems. Systems
like the space shuttle need to perform consistently, cost effectively, and
have high Mean-Time-Between-Failure (MTBF).

*All in all the space shuttle has a good record.*

One thing it is not though is cost effective and consistent. Every time
there is a launch different issues crop up that cause delays. In a few
circumstances, even the most basic components of this complex system, like
"O" rings, have sadly resulted in a fatal outcome. Why are things like this
missed? Are they just not on the radar screen because all the other
complexities of the system demand so much attention? There are a million
different variables I'm sure. The fact is, NASA scientists know they need to
work on developing less complex systems to achieve their objectives.

Ok, now you have stepped out of bounds. First of all I love NASA and have
the utmost respect for them and all the astronauts who have braved the
frontier. However, the record of the shuttle is 110+ scrubbed launches. That
is more than the number of launches. You can do the math for the rest, but
it does not add up to a good record; you might have to use one of those
"complex systems" though to run calc.

So you're saying a more simplistic system would create a better record;
maybe they should try flying the Kitty Hawk to the moon.

I am just going to stop here and say Hogwash.

My advice to you is stop selling fear and your opinion, and start selling
solutions to problems. Next time tell us how to fix your proposed problems.

Respectfully,

______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE

www.SecurityBreachResponse.com

This same principle of reducing complexity to increase security and
performance, and decrease failures, really does apply to the world of
computers and networking. Every time I hear associates of mine talk about
incredibly complex systems they design for clients and how hard they were to
implement I cringe. How in the world are people supposed to cost effectively
and reliably manage such things? In some cases it's almost impossible. Just
ask any organization how many versions or different brands of intrusion
detection systems they have been through. Ask them how many times they have
had infections by virus and malware because of poorly developed software or
applications. Or, if they have ever had a breach in security because the
developer of a specific system was driven by ease of use and inadvertently
put in place a piece of helpful code that was also helpful to a hacker.

Can I Write A Document Without A Potential Security Problem Please
-----------------------------------------------
Just a few days ago I was thinking about something as simple as Microsoft
Word. I use MS-Word all the time, every day in fact. Do you know how
powerful this application really is? Microsoft Word can do all kinds of
complex tasks like math, algorithms, graphing, trend analysis, crazy font
and graphic effects, link to external data including databases, and execute
web based functions.

Do you know what I use it for? To write documents. Nothing crazy or complex,
at least most of the time. Wouldn't it be interesting if, when you first
installed or configured Microsoft Word, there was an option for installing
only a bare bones version of the core product. I mean, really stripped down
so there was not much to it. You can do this to a degree, but all the shared
application components are still there. Almost every computer I have
compromised during security assessments has had MS-Word installed on it. I
can't tell you how many times I have used this application's ability to do
all kinds of complex tasks to compromise the system and other systems
further. We'll leave the details of this for another article though.

Conclusion
----------
Here's the bottom line. The more complex systems get, typically in the name
of ease of use for end users, the more the opportunity for failure,
compromise, and infection increases. There are ways of making things easy to
use, perform well, and provide a wide variety of function and still decrease
complexity and maintain security. It just takes a little longer to develop
and more thought of security. You might think that a large part of the blame
for complex insecure software should fall on the shoulders of the
developers. But the reality is it is us, the end users and consumers, that
are partially to blame. We want software that is bigger, faster, can do just
about everything, and we want it fast. We don't have time to wait for it to
be developed in a secure manner, do we?

You may reprint or publish this article free of charge as long as the
bylines are included.

Original URL (The Web version of the article)
------------
http://www.defendingthenet.com/NewsLetters/WhyEasyToUseSoftwareIsPuttingYouAtRisk.htm

About The Author
----------------
Darren Miller is an Information Security Consultant with over seventeen
years experience. He has written many technology & security articles, some
of which have been published in nationally circulated magazines &
periodicals. If you would like to contact Darren you can e-mail him at
Darren.Miller@xxxxxxxxxxxxxxxxxxxx If you would like to know more about
computer security please visit us at http://www.defendingthenet.com.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential.
If you are not the intended recipient, you must not use or disclose the
information. If you have received this email in error, please inform us
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the
email and destroy any printed copy.

Any views expressed in this message are those of the individual sender. You
may not rely on this message as advice unless it has been electronically
signed by a Partner of BDO or it is subsequently confirmed by letter or fax
signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its
attachments due to viruses, interference, interception, corruption or
unauthorised access.