Showing posts with label safety.

Monday, November 1, 2010

Some governments around the world, frightened by the interception of two bombs directed to the United States, decided to introduce stricter security measures for air transportation. To my sincere disappointment, the decisions made illustrate the complete helplessness and lack of "security thinking" of those at the top.

In particular, the following additional measures were put in place:

As a precaution Britain said it was banning air passengers from taking large toner cartridges onto planes as hand luggage, while Nigeria said it would improve the scanning of cargo bound for the United States.

Okay, the terrorists will never be able to bring bombs on board inside toner cartridges anymore. They have nothing to do but use laptops, smartphones, pocket radios, Kens and Barbies and electric guitars for this purpose. The terrorists originating from Nigeria will just buy two tickets, from Nigeria to, say, Moldova (to bypass improved cargo scanning), and, further, from Moldova right to the United States.

Germany said it had suspended passenger flights from Yemen, and was considering expanding a cargo flight ban to other unnamed countries.

Wow. If Moldova won't accept flights from Nigeria, I know the country to use instead ;).

Britain said it was also banning all air freight sent from Somalia, adding to a ban on Yemen cargo flights imposed at the weekend.

Just another shot at the sky.

All the above cases share the same problem. There are a number of holes in the fence through which the attackers can reach the ranch. Having caught the attackers red-handed getting through one of those holes, the government patches it... but does not consider the other holes, even though they are pretty close to the patched one. Banning cartridges from hand luggage, as well as rejecting flights from Yemen and Somalia, will change nothing. There is nothing that stops terrorists from simply using hand luggage items of another kind and different countries to reach their goals. This is so obvious that I tend to think that either the governments have nothing with which to oppose the terrorists, or... well, never mind.

Thanks to cracksinthepavement.com for the picture.

Friday, June 25, 2010

Big Red Brother (and his buddy) are Watching You

What would you say about software that silently installs another piece of software from a third-party vendor on your computer, which, in turn, collects information regarding your computer's security features (the presence and version of firewall, anti-virus software etc.) and requires an Internet connection (!) to be available?

The software is called the Adobe Flash Player extension for Firefox; the silently installed third-party tool is McAfee Security Scan Plus. That's it -- having installed a minor extension to a browser, you get a system-wide trojan curious piece of software installed on your PC.

Leaving aside the moral and legislative aspects of such a scheme (and please don't say it's just business -- similar schemes were neglected even by Russian gangsters in the 1990s), I just wish to warn you to be careful with these. Nobody knows exactly what information the installed tool collects and sends out, nor what the purpose of collecting such information is.

Tuesday, April 8, 2008

Intro

Good evening,

My name is Innokentiy Ivanov, and I am the manager of the EldoS SecureBlackbox product – a comprehensive library of security-related software components. For six years we have helped thousands of our customers all over the world to successfully integrate security features into their software products.

Unfortunately, in our work we have faced quite an unpleasant fact. It turned out that the heads of many companies and individual software projects have a rather superficial understanding of data protection and information security problems. In particular, they suppose that adding third-party security components is enough to make their product secure. They delegate the task of implementing security features to ordinary programmers, in the belief that this task is no more complex than any other basic subtask of the project. They are wrong. Integrating security features into a project requires a good understanding of this task and a certain level of skill in the information security field. The developer responsible for adding security to the project should clearly understand exactly which security problems he has to solve, and which ways of solving them are the optimal ones. If the person responsible for security in your project does not have such skills, you may end up with only the illusion of security.

The purpose of this blog is to consider the most typical mistakes and misconceptions related to the integration of security features into software products. I hope it will be useful to the managers of products containing security modules, as well as to the developers responsible for implementing those modules in a robust and safe way.

So, let's start building a safe and secure world.