Saturday, September 06, 2008

Security Flaws in Chrome

The techies (myself included) really jumped on Google's new browser, Chrome, as soon as it came out. However, maybe we should have waited for versions two or three. I say this due to the new security flaw (a buffer overflow) discovered in Chrome's "Save As" feature. Researchers at the anti-virus company Kaspersky discovered a bug in Chrome's rendering engine, WebKit. The security flaw becomes apparent when Java is installed. Since almost all end-user systems have some form of Java installed, this basically means that just about everyone with Chrome is vulnerable. My rating... I would initially give Google 3 Samurai stars for meticulously studying security before release, but I have to take one back since this discovery. Bottom line... until Google comes out with a fix, don't use the Save As feature unless you are on a trusted site.


UPDATE Sep 5 night GMT+3

I just read a more accurate story from ZDNet. Apparently, this wasn't the first security bug in Chrome. Not only that, Google has removed the link to download it from their main Google splash page! That's a testament to the seriousness of the problem.
The ZDNet blog can be followed below.

Google Chrome vulnerabilities starting to pile up by ZDNet's Ryan Naraine -- [ UPDATE: See below for Google’s official response to these issues ] Security vulnerabilities in the new Google Chrome browser are beginning to pile up. Following our coverage of the carpet bombing combo threat and denial-of-service crashes, several readers have sent pointers to Chrome exploit code floating around the Web: First up is an automatic file download [...]

Friday, September 05, 2008

Security Experts Highlighted in Regional Newspaper

We're finally starting to form a Chapter in Dhahran of ISACA (previously known as the Information Systems Audit and Control Association). Below you will find a clip from an article from the Arab News.

New ISACA Chapter for Eastern Province
Molouk Y. Ba-Isa I Arab News — ALKHOBAR: The first organizational meeting of the ISACA Dhahran Chapter-in-Formation was hosted recently by Saudi Aramco. ISACA has a membership over 75,000 strong worldwide. Members live and work in more than 160 countries and cover a variety of professional IT-related positions — to name just a few, Information Security (IS) auditor, consultant, educator, IS security professional, regulator, chief information officer and internal auditor. Some are new to the field, others are at middle management levels and still others are in the most senior ranks. They work in nearly all industry categories, including financial and banking, public accounting, government and the public sector, utilities and manufacturing. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

...

Tuesday, September 02, 2008

Juniper STRM Faces Technical Challenges in EMEA


by Tech Samurai, June 24, 2008

(Riyadh) - Although the Q1 Labs QRadar (Juniper Security Threat and Risk Management - STRM) tool looks promising from a vision perspective, there are several items that, if not in the confirmed road map for delivery in Q408 or Q109, may cause issues on some major tenders that its OEM partners (including Juniper) may have in the Middle East in 2008. The appliance-based STRM provides a visionary approach to forensics and security event and incident management. However, some of its most glaring technical shortcomings, combined with a finicky EMEA market, make its short-term revenue prospects in the Middle East questionable.

Functional Issues
Reading logs in real-time from a remote file system - The Q1 vision seemed to be focused in the wrong direction to have missed the need to read log files from a local or remote file system. Only network-only environments expect the log source to be exclusively syslog, whereas most enterprise applications write logs to disk. All major SIEM players support this.
Manually opening and adding items to an investigation case - It is really odd that Q1/Juniper doesn't have the ability to manually create investigation cases. Many of the challengers don't provide the ability to create cases automatically. But it appears that Q1 Labs' STRM might be the only serious SIEM tool on the market that does not provide manual incident creation ability.

Product Support
Fully functional CITRIX Server and gateway log processor - EMEA customers rely heavily on CITRIX and, if not supported by Q408, EMEA customers would have a hard time justifying a purchase of STRM.
Fully functional SAP log processor - Several major and influential enterprises in EMEA rely heavily on SAP and, if not supported by Q408, EMEA customers would have a hard time justifying a purchase of STRM.

Copyright (C) 2008 Tech Samurai.

Friday, March 14, 2008

There's value in Preparing Presentations

For the past week, I've been absolutely swamped with preparing a presentation on SAP Network Interface Security Controls. Although I find the subject quite exciting... it really isn't that exciting to other people. So that was my challenge.... I admit, I played the Ninja role when it came down to it. Although I had approached developing the skills of managing SAProuter and developing SAP architectures with admirable Samurai prowess, developing the presentation was just a get-in-and-get-out exercise.
However, it was good for me. I started developing the presentation only last week, knowing that I'd have to present in front of 100+ security professionals this past Wednesday. I was too busy with operational problems and investigations over the last 4 weeks... so the non-critical things got the least priority. But with only 6 days to actually work, I pulled it off! I believe I did a good job too. I made a boring topic somewhat lively. The cool thing was that I was able to tie the previous three presentations delivered at this security forum into my own. The audience seemed to appreciate this. Not only was the presentation well received, I hope that it will help me in my career. I hope to deliver another similar presentation at the RSA Conference in October.

Thus... all in all, developing the presentation itself was a valuable experience and delivering it was actually fun. I'll wait to see how it turns out from a career perspective though.