In 2003, Dan Geer called the combination of Microsoft’s market dominance and the flimsy security of its products a threat to national security.
Today, he’s calling the security holes in consumer routers a threat to critical infrastructure.
These two things are related in more ways than being utterances from the same person. These routers were designed to protect flimsy PCs from the horrors lurking on the Internet. In 2003, they were arguably adequate. But since 2003, Microsoft operating systems have improved dramatically from a security standpoint while routers have stood still. Many of them are still running on the same outdated Linux kernels and userspaces, just on newer, faster hardware. These routers are now less secure than the computers they are supposed to protect. This isn’t a knock on Linux; Linux has improved in the last 11 years too, but router makers generally haven’t incorporated those improvements. So these routers are easy to attack, easy to use to build botnets, and the user will never be the wiser since they keep the devices until they break. The only good news here is that many of them break after a year or two, and that’s supposed to be bad news.
Sadly, these problems are all solvable.
I’m catching up on reading. Next on my reading list is The Cuckoo’s Egg, Clifford Stoll’s memoir of chasing down a computer hacker in the late 1980s. In it, he describes a very different world, ruled by mainframes and minicomputers, where Unix was something special, IBM still made PCs, but desktop PCs and Macintoshes only received occasional mention, and academia and the military owned the Internet, almost literally. And, oh, by the way, the Cold War was still raging.
The remarkable thing about this book is that it’s an approachable spy thriller, written in 1989, that explains computer security to an audience that had never seen or heard of the Internet. You don’t have to be a security professional to appreciate it, though it’s a classic in the computer security world–many people read it in the late 1980s and early 1990s and decided to get into the field.
If there’s a theme I’ve heard over and over again this year, it’s that it’s time to pay attention to security in embedded devices like routers, other network equipment, televisions, and the other devices around us. This is the soft underbelly, and frankly, it’s probably a time bomb.
The astonishing thing is that we’re now protecting our computers with devices that have bigger security holes than our computers do.
Did you know Adobe released three Flash updates this month? And that every last one of them was absolutely, positively necessary? (At the time. They’re cumulative.) Seriously, you need a computer to keep track of all this stuff.
Secunia PSI is a free program that keeps track of these updates and pulls them down and installs them for you. I’ve written about it before, but not in any depth. I downloaded it to a machine that didn’t have it, and it scanned my system, found four out-of-date programs–it knows about 3,000 pieces of software–and updated three of the four without me doing anything at all. It’s dead simple. Download it, install it, accept the defaults, and let it run. If you can’t get by without the four horsemen of the security apocalypse (QuickTime, Flash, Acrobat, and Java), at least Secunia PSI will ensure you’re running the least insecure–I’m not calling any of those security nightmares any word that would suggest they’re good–version of each.
If you’re running Windows, go download it and install it, please. It’s not a substitute for antivirus software, but it’s a tool that can close the security holes that antivirus software can’t protect you against. Really, you probably need both.
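To show what a tool like this actually does under the hood, here is an added example (it is not from the original post and is not Secunia PSI’s code): read the installed-program inventory, compare each version against a known-good minimum, and report what is behind. The minimum-version table and the sample inventory are constructed placeholders, not real advisory data; on Windows the script reads the real inventory from the Uninstall registry keys, elsewhere it falls back to the sample.

```python
"""Flag installed software that is older than a known-good minimum version.

Added example, not part of the original post and not Secunia PSI's code.
MINIMUM_VERSIONS and SAMPLE_INVENTORY are constructed placeholders; a real
checker would pull minimums from a current advisory feed and, on Windows,
use the inventory that read_windows_inventory() returns.
"""
import re
import sys

# Hypothetical minimum-version table keyed by display-name prefix.
# These numbers are placeholders, not current vendor releases.
MINIMUM_VERSIONS = {
    "Adobe Flash Player": "11.6.602.171",
    "Adobe Reader": "11.0.2",
    "Java": "7.0.150",
    "QuickTime": "7.7.3",
}

# Constructed inventory standing in for a registry scan: (DisplayName, DisplayVersion).
SAMPLE_INVENTORY = [
    ("Adobe Flash Player 11 ActiveX", "11.6.602.168"),
    ("Adobe Reader XI", "11.0.2"),
    ("Java 7 Update 13", "7.0.130"),
    ("QuickTime", "7.7.3"),
    ("Notepad++", "6.3"),
]


def parse_version(text):
    """Turn '11.6.602.168' or '7.0.130' into a tuple of ints.
    Only the numeric fields count; letters and separators are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_older(installed, minimum):
    """True if installed < minimum, comparing field by field.
    The shorter tuple is padded with zeros so '1.2' equals '1.2.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_outdated(inventory, minimums=MINIMUM_VERSIONS):
    """Return [(name, installed, minimum)] for every program below its minimum.
    Programs with no entry in the table are not reported."""
    results = []
    for name, version in inventory:
        for prefix, minimum in minimums.items():
            if name.startswith(prefix) and is_older(version, minimum):
                results.append((name, version, minimum))
                break
    return results


def read_windows_inventory():
    """On Windows, read DisplayName/DisplayVersion from the Uninstall keys
    (native and 32-bit-on-64-bit views). Returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    paths = [
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    ]
    found = []
    for path in paths:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        for i in range(winreg.QueryInfoKey(root)[0]):
            try:
                sub = winreg.OpenKey(root, winreg.EnumKey(root, i))
                name, _ = winreg.QueryValueEx(sub, "DisplayName")
                version, _ = winreg.QueryValueEx(sub, "DisplayVersion")
                found.append((name, version))
            except OSError:
                continue  # entries without a name/version are not programs we can check
    return found


if __name__ == "__main__":
    inventory = read_windows_inventory() or SAMPLE_INVENTORY
    for name, have, need in find_outdated(inventory):
        print(f"OUTDATED: {name} {have} < {need}")
```

The version comparison is the part people get wrong by hand: 11.6.602.168 is older than 11.6.602.171 even though a string comparison of the last field would not necessarily tell you so, and "7.0.130" versus "7.0.150" is the Java Update 13 versus Update 15 difference that the vendor’s marketing name hides. The minimum table is the only thing that has to be kept current, which is exactly what a tool like Secunia PSI does for you.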
Mozilla quietly released Firefox 19 this week. Its biggest selling point is a built-in PDF viewer (as Google Chrome has), which makes me more comfortable than having Acrobat Reader installed–Mozilla is generally faster at fixing security holes than Adobe. Besides that, the built-in reader is fast. No waiting for Acrobat to launch. Short documents like IRS form 1040 display very quickly, though it wasn’t so crazy about me throwing the 237-page NIST 800-53 (if you’d like some light reading) at it. I closed the tab and revisited it, and it loaded the second time.
So this is an update you want. You may be wise to wait a day or two for it to stabilize (Firefox 18 was rapidly updated to 18.0.1 and 18.0.2 after its release), but being able to ditch Acrobat Reader (or leave it installed but only use it when absolutely necessary) definitely is appealing. Update it this weekend, maybe.
This week Cnet interviewed Phil Lapsley, the author of Exploding the Phone, a book about the early history of phone phreaking.
Phone phreaking is absolutely fair game for the CISSP exam. I couldn’t tell you anymore how many phone phreaking questions I had to answer, but let me just say I’m glad I’d read those pages in the CBK about phone phreaking.
I’m a security professional by trade, with two certifications. I’m not responsible for defending your computer networks, but I want your networks to be secure. There’s a really simple reason for that. If your computer and your network are secure, then they aren’t attacking mine. Or anyone else’s.
Several fellow subscribers to a train-related interest group that I like got hacked recently, and have been sending out spam messages. They’ve received a lot of advice in the hours since. Some of it has been good, and some not as good. So I tried to think of some things that people could do in about 30 minutes to keep the crooks at bay.
Incidentally, the computer crooks won’t be going away. Computer crime happens because the criminals can make more money doing that than doing something legal. The only way to make it stop is to make it too hard, so that getting a real job becomes more profitable. You won’t solve that problem in 30 minutes, but if we all take that single step down that road, we’ll make the world that much safer. So, with that, let’s roll up our sleeves.
Last week, Symantec issued a surprising report stating that religious web sites are more likely to harbor malware than sites that offer dirty pictures and videos.
I’m pretty sure there’s a reasonable explanation.
Microsoft is making its updates to IE only available for Windows XP.
To which I say, what about all of those servers out there? Surely they include Server 2003 in this. But that’s a problem. Upgrading to Server 2003 isn’t always an option. Some applications only run on Windows NT 4.0, or on Windows 2000.
Unfortunately, sometimes you have to have a web browser installed on a server to get updates, either from your vendor or from MS. Windows Update, of course, only works with Internet Explorer.
An even better option is just to run as few servers on Windows as possible, since they insist on installing unnecessary and potentially exploitable software on servers–Windows Media Player and DirectX are other glaring examples of this–but I seem to hold the minority opinion on that. Maybe now that they wilfully and deliberately install security holes on servers and refuse to patch them unless you run the very newest versions, that will change.
But I’m not holding my breath.
Seeing as this used to be my big topic, I would be remiss if I didn’t mention that it’s now possible to remove Internet Explorer, Windows Media Player, and other components from Windows 2000 and XP using software from litepc.com.
I haven’t tested it, so I don’t know how much difference it makes, performance-wise. It made a large difference in Windows 98–removing IE caused system speedups of anywhere from 10 to 25 percent, which is more than you gain by upgrading your CPU a speed grade or two. This was mostly due to two factors: reduced memory consumption and inefficiencies in the FAT/FAT32 file systems. It’s been known for about 20 years that FAT performance starts to degrade dramatically once you have more than 100 files in a program or operating system’s subdirectory (Microsoft even said as much in the DOS 5.0 manual).
Since most people run XP and 2000 with NTFS, and since systems with half a gig of memory or more are becoming commonplace, I don’t know if removing IE will make as much difference in this day and age. It certainly makes sense from a security standpoint though–rip out IE, Media Player and Outlook Express and replace them with third-party apps, and you’ve just eliminated most of the programs whose security holes affect desktop PCs. It comes at the expense of compatibility though. Some programs utilize Outlook Express and IE components–although some programs will install the missing DLLs.
But for special-purpose PCs, or other PCs that aren’t running any software that uses those programs, or PCs that are strapped for disk space, it makes sense to give it a shot.