Google Updates Chrome Browser

Google has released a new version, 9.0.597.107, of its Chrome Web browser, for all platforms (Mac OS X, Windows, and Linux).    This update fixes 19 identified security vulnerabilities.  More details are in the Release Announcement on the Chrome Releases blog.  WIndows users can obtain the new version via the built-in update mechanism (Help / About Google Chrome). Linux users should be able to get the new version using standard package update tools (e.g., apt-get, synaptic).

Because of the security content of this update, I recommend that you install it as soon as you conveniently can.

Does Your Company Leak?

Probably it does.   The most recent issue of The Economist has a briefing article on the new challenges involved in keeping corporate information secure.  As we saw in the WikiLeaks affair, the economics of leaking data have shifted a great deal in favor of the leaker.  Information that, in an age of paper records, would have taken days or hours to photocopy, and a truck to move around, now can leave the building on a USB drive the size of a pack of chewing gum.

Companies these days are also generating a lot more data, much of it in a form that is difficult to track.  (The research firm IDC estimates that, by 2020, the amount of data created each year by companies will increase to ~35 zettabytes.   One zettabyte  is 10²¹ bytes.)  When computers were first used in business, they typically dealt with structured data in databases.  In addition to whatever physical security the system might have had, the average worker probably had no idea how to access the data on an ad hoc basis.  Today, sensitive information is in E-mails, spreadsheets, word processing documents, and even calendar entries.   Even some very sensitive data gets there, not necessarily due to malice or even carelessness, but because people want to work with the data, and naturally prefer the tools that are familiar.  In addition, many employees, particularly the younger ones, are very familiar with consumer digital gadgets, like the iPhone, and want to use them for work.

As I’ve noted before,  the traditional security model of a defensive perimeter separating the “inside” network from the outside world is getting badly frayed.  Security vendors are offering several types of new tools to help firms manage their confidential data.

One is the content management system.  This works something like the layered classification used by the military, assigning levels of confidentiality to different bits of data, and specifying who can access them.   This approach has two significant drawbacks:.  First, it is difficult even to identify, much less classify, all the potentially sensitive unstructured data in the firm.  Second, it is major challenge to define access levels so that employees have all they need to do their jobs, but not more.

Another type of system is called data loss prevention.  This attempts to look at all data that is (potentially) leaving the firm, and block sensitive material.  Such a system might, for example, block Social Security numbers or credit card details.  It may be of some value in preventing employees from doing thoughtlessly stupid things, but it is a very weak reed against a malicious attempt.  Suppose the Social Security number is expressed in words?  or in Russian words?  The fundamental problem here is very similar to that encountered in some early attempts, a couple of decades back, to detect and block computer viruses.  Some techniques attempted to establish a class of “safe” material (for example, plain ASCII text).  The developers quickly discovered that there was really no good way to define what was safe, if the player on the other side was sufficiently malicious and clever.  More recently, we have seen work that shows how malware can be coded to resemble ordinary language.

A third type of system is based on network forensics, although a better term might be anomaly detection.  This attempts to take note of unusual behavior by applications or users (for example, someone downloading 250,000 diplomatic cables from SIPRNet).  When used by network administrators who know what they’re doing and paying attention, this type of tool probably has the best potential.

But there are other forces at work, too.  Many businesses are getting very involved in what are sometimes called “systems of engagement”, to facilitate and streamline the firm’s interactions with customers, suppliers, and the world at large.  (Think, for example, of the number of firms that invite you to become their “fan” on Facebook.)  This means that the push for security can only go so far.

Trying to prevent leaks by employees or to fight off hackers only helps so much. Powerful forces are pushing companies to become more transparent. Technology is turning the firm, long a safe box for information, into something more like a sieve, unable to contain all its data. Furthermore, transparency can bring huge benefits. “The end result will be more openness,” predicts Bruce Schneier, a data-security guru.

In the end, companies will have to decide how open they want to be, and try to devise systems and processes to go so far, but not farther.

Firefox 4 Beta 12 Released

The folks at Mozilla have released the latest beta version, 4.0b12, of the Firefox 4 browser.  This updated beta fixes more than 600 bugs; the developers also claim to have fixed the memory leaks that plagued earlier betas.  (So far, my limited testing does seem to show a definite improvement there.)   The new beta also fixes one very common complaint.   In earlier betas, hovering the mouse over a link displayed the link in the location/address bar (where you would type in a URL); however, the display was grayed out, and so dim  that I didn’t even notice it the first two or three times I used the beta version.  Now, the link is displayed at the bottom left corner of the browser window, close to its previous position in the status bar.  This is a useful change; I always try to encourage people to look at the link before they click on it.

This is still pre-release software, so I don’t recommend using it for critical applications, although it is stable enough to use for ordinary browsing.   You may experience difficulties with some add-ons; please report these, using the built-in feedback tool, to make things better for everyone.  Full details of the changes and new features are in the Release Notes ; installation binaries for all platforms (Linux, Mac OS X, and Windows), in numerous human languages, can be downloaded here.

New BITS from Intel

Intel has announced the availability of a new BIOS Implementation Test Suite (or BITS), a bootable environment that runs before the loading  of an operating system (such as Linux or Windows), and allows testing of a machine’s BIOS and its initialization of Intel processors and hardware.

BITS can verify your BIOS against many Intel recommendations.  In addition, BITS includes Intel’s official reference code as provided to BIOS, which you can use to override your BIOS’s hardware initialization with a known-good configuration, and then boot an OS.

BITS is, essentially, a modified GRUB2 boot loader, which adds many commands to probe and manipulate the hardware configuration.

The current version of BITS focuses primarily on CPU configuration and power management. BITS supplies general tests and functionality for all Intel x86 platforms, as well as additional specific support for Intel® processors based on the microarchitecture code name Nehalem and newer, which includes Intel Core i7, i5, and i3 desktop and mobile processors, and corresponding Intel Xeon server processors.

It can be installed to a bootable USB drive; instructions for setting it up are contained in the package, which can be downloaded here (ZIP’d archive).  Source code is included.

 

Turing’s Patterns in Nature

The “Wired Science” blog at the Wired site has an interesting small slideshow of images related to the mathematician Alan Turing’s only paper on biology.  The paper, “The Chemical Basis of Morphogenesis” [PDF], was published in 1952, in the Philosophical Transactions of the Royal Society. Series B, and shows how patterns, such as spots, stripes, and spirals, can be generated from a uniform initial state by a reduction-diffusion process.  As Turing was careful to say (from the abstract), the paper did not propose any new biological mechanisms, but suggested how the process of development might account for the variety seen in nature.

The purpose of this paper is to discuss a possible mechanism by which the genes of a zygote may determine the anatomical structure of the resulting organism. The theory does not make any new hypotheses; it merely suggests that certain well-known physical laws are sufficient to account for many of the facts.

Although I have read a good deal of Turing”s work in computer science (as we now call it), I had not run across this paper before.  It is a great example of the originality of Turing’s work.

 

Windows 7 SP1 Glitches

In a not entirely surprising development, the folks at the SANS Internet Storm Center are getting a number of reports of problems with Service Pack 1 for Windows 7 and Windows Server 2008 Release 2.  The most common problem areas are:

– Whitelisting / Blacklisting: Whitelisting software may not have checksums yet to verify all the files that are modified by the service pack. Same for anti-virus: Some anti virus products monitor system files for changes and may sound an alert or block the installation of SP 1

– Firewalls: Third party firewalls may find that some of the low level hooks they use have changed.

– Disk Encryption: In particular full disk encryption that modifies the boot process may find that some of the changes it did are undone by the SP install

– Custom hardware: If you are using drivers other then those that are included in Windows 7 (or 2008 R2), be careful.

There is more detail in the SANS article, and at this Microsoft TechNet page.