Unprotected computing practices

The news that many medical computing systems are infected with malware doesn’t surprise those working in the field

A US study finding malware is rampant on medical equipment shouldn’t come as a surprise to those running industrial computer systems in their businesses.

It’s notoriously difficult to update medical equipment or other sensitive systems as a security patch could have unintended consequences. Unlike patches for a home or business computer, these patches have to be thoroughly tested beyond the precautions vendors take.

So it isn’t surprising that these systems aren’t kept up to date, although some equipment suppliers are more tardy than they should be in updating the servers they supply.

A few years ago I came across CCTV systems running on the original version of Windows 2000 which were hopelessly compromised. This is an unacceptable situation for the customer and was more the result of vendor carelessness than any concern that customers could be affected by these unsecured machines.

Not having the latest software patches creates a weakness in any computer device as the most common way viruses find their way onto networks is through systems not being updated – Australia’s Defence Signals Directorate rates unpatched systems as being the number one cause of corporate security breaches.

This is what caught out the Iranian nuclear program with the Stuxnet worm as the Siemens SCADA devices used by the Iranians were running older, unpatched versions of Windows. The designers of Stuxnet took advantage of a number of known weaknesses in the software and were able to damage the equipment being controlled by the systems.

Obviously systems should be patched wherever they can be and there’s no excuse for not patching most office and home computers. It’s also worthwhile carrying out a number of other security steps to ensure an infected computer can’t damage your network or catch a virus through your Internet connection.

The survey looking at these medical systems is a good wake up call to all of us that we need to take computer security seriously in our businesses.

Posting without permissions

Facebook’s groups feature can be dangerous if you don’t check before adding people.

A client of mine once had an angry worker scream at him when she found out he’d posted photographs of all his staff on the company’s website.

“My ex is a psycho, he doesn’t know where I live or work. If he finds this, he might come around here and kill us all,” she cried.

The photos went down immediately and Kevin made sure he got explicit consent before he posted any details of his staff onto the website.

It was a valuable lesson on why you shouldn’t just post people’s details online without first asking them. We all have reasons why we’d like to keep certain facts out of the public light.

A Texan gay choir’s organiser posting the details of members onto Facebook is another reminder of why it’s a bad idea to put someone else’s details online without asking them first.

For two members of the Queer Chorus at the University of Texas, having their sexual orientation pasted on their Facebook feeds caused terrible damage with their families and it should serve as a lesson to every manager, business owner or community group leader that this stuff matters.

One of the worrying features with Facebook is how other people can add you to groups without your permission – almost certainly a recipe for misunderstanding and mischief.

What’s even more unforgivable with Facebook’s conduct is that the privacy settings for those groups override an individual’s own privacy settings.

One of the victims told the Wall Street Journal of when her father saw the status update: “I have him hidden from my updates, but he saw this,” she said. “He saw it.”

So even though both the individuals had chosen to lock their profiles away from public view, Facebook and the organiser of the group decided they knew better.

We shouldn’t let the administrator of the Facebook group off the hook for this lapse; Christopher Acosta decided to make the group open and public. “I was so gung-ho about the chorus being unashamedly loud and proud,” he’s quoted as saying.

That’s nice when you have a tolerant family and you’re from a liberal community but for others that ‘transparency’ can lead to damaging family relations for years, if not lifetimes. In some communities the consequences could be far worse.

“I do take some responsibility,” says Mr Acosta. Which is a nice way of accepting you might have screwed somebody’s life up by doing something you didn’t understand.

Ultimately responsibility lies with the person who presses the button which causes the email or status post to be published. In this case Christopher Acosta was responsible.

To be fair to Mr Acosta, the ability to add people to Facebook groups without their permission is deeply flawed, as is the way those groups’ settings override an individual’s privacy preferences.

Facebook have to understand there are real life consequences to ‘transparency’ which can ruin careers and even cost the lives of people. The damage to families and communities can be immense.

Coming from a secure upper middle class white background, Mark Zuckerberg probably doesn’t quite understand the risks his company’s policies pose to people in vulnerable situations. Hopefully some of his older and wiser advisers will explain why ‘transparency’ and ‘openness’ are not always a good idea.

Securing your online passwords

On ABC Sydney we look at how you can make your passwords more secure

Every Internet user has to struggle with the burden of passwords as we’re expected to remember dozens of log in details for various websites and computer networks.

As we’re seeing though, passwords aren’t that effective with universities and private companies being hacked on a regular basis. The problem is so bad banks are considering moving to fingerprints to replace PIN and password logins.

Even if passwords are going to become irrelevant as we move to biometric logins like fingerprints and iris scans they aren’t going away quickly, so how do we protect our important online accounts?

Use different passwords

One of the key ways to protect yourself is not to use the same passwords for every site. Some critical sites, like your online banking and email, need protecting with strong passwords while others like social media sites don’t require such tough security.

As we’ve seen with various security breaches, most notably the continual Sony hacks of 2011 and the deeply embarrassing Stratfor leaks, even the strongest passwords are useless if some dill leaves them on an unprotected server.

Use strong passwords

For the sites that matter, make sure the passwords are strong. You’ll find how to make memorable, easy to use and strong passwords on the Netsmarts site.

You don’t need to use strong passwords on every site; for some websites that require registration for access, you might want to fall back on the much maligned “password” or “12345” for those publications.

Change default passwords

Most of the hacks on university and corporate networks happen because the default passwords on servers aren’t changed. This was also how News International workers broke into British mobile phone message banks. When you get a new phone or tablet computer, make sure you change the basic passwords that have come with the device and any associated service.

Update your systems

One of the biggest vulnerabilities for home and business computer systems is unpatched systems. Malicious websites, viruses and various tricks use known weaknesses in computer systems to bypass security measures. This applies to Apple Mac users as well.

Consider two factor authentication

Two factor authentication involves having double security; this could be a password linked to an SMS or a special one-off code. Services like Gmail offer this, as do many corporate networks and banks.

Be careful linking social media services

A bigger risk than hackers is phishing where someone tricks you into giving away your password. This has become very common in hijacking social media accounts.

If you’ve linked various social media services together then one being compromised can mean bad guys have access to all of your accounts, so be cautious about what applications you allow to connect with your Facebook page or Twitter account.

For businesses

Cyber security is critical for business. It’s been estimated that one in six companies who’ve been compromised will fail as a result of the breach, and a credit card lapse can be expensive as well as embarrassing.

The Australian government’s Defence Signals Directorate has an excellent guide to securing computer networks. The DSD’s research shows that just following four basic rules will prevent 85% of attacks.

We should also keep in mind no security system is perfect. Just as your car doors or home can be broken into by a determined thief, the same is also true with computer networks; a skilled operator with enough time and resources can beat even the toughest cyber security regime.

ABC Nightlife Computers: The state of tech

July’s ABC Nightlife tech looks at viruses, online frauds, security and social media

Join Paul and Tony Delroy to look at some of the trends and events that are affecting how you use phones, computers and internet in your home or business.

A lot’s happened in the tech world over the last few weeks – Facebook has gone from the web’s golden business to being shunned, new tablet computers have been launched and we’ve had a virus threaten to knock people off the Internet.

If you missed the show, you can listen to it online through the Nightlife website. Some of the topics we looked at included:

  • So what was the DNS Changer Trojan? Did the FBI really take over a criminal computer network?
  • Could a virus really damage computers and bring the Internet to a halt?
  • Is it true the US, Israel and North Korea are using viruses to attack other countries’ computers?
  • Should we worry about viruses on smartphones and tablet computers?
  • What about virus hoaxes? There’s a good one going around about Facebook at the moment.
  • Both Microsoft and Google have launched new tablet computers, will they knock off the iPad?
  • Microsoft’s tablet is going to run the new Windows 8 operating system, how does that look?
  • Facebook seems to have gone from hero to zero since they launched on the stock market. What happened?
  • There’s been some pretty serious Facebook privacy changes recently, what should people watch out for?
  • Microsoft have had some big security updates this week, what are they?

For the Microsoft updates we mentioned, the major security updates can be downloaded from the Windows Update page or the Automatic Updates in Windows Vista and 7.

Windows 7 and Vista users should also disable the desktop widget feature; Microsoft have two Fix it tools available for download and users should run both.

Listeners’ questions included the following problems:

Alternatives to Outlook Express

George was looking at upgrading to a new version of Windows that doesn’t have Outlook Express included but still wants a computer based email client rather than trusting a cloud service.

Some of the alternatives include;

Antivirus programs

Margaret asked about antivirus options for Macs. There are a couple of free antivirus programs designed for the Apple Mac.

For Windows users, the easiest free anti-virus to use is Microsoft Security Essentials.

Microsoft Silverlight on Android

Accessing Microsoft Silverlight based services like NineMSN on Google Android devices can be a problem as Jason found.

Unfortunately at this stage there’s no clear solution for playing Silverlight sites on Android devices as Moonlight, the open source Silverlight player has been abandoned.

Next Nightlife spot

Our next Nightlife tech spot will be on August 6 and we’ll decide the topics closer to the dates. Watch the website for details over the next few weeks.

Dealing with the DNS Changer Trojan

On Monday computers infected with the DNS Changer Trojan will stop surfing the net. Make sure you aren’t infected.

On Monday, thousands of computers around the world will be cut off the web as the servers behind the DNS Changer Trojan Horse are shut down.

The DNS Changer did exactly what the name says – it changed a computer’s Domain Name Service (DNS) settings so that all web traffic went through servers belonging to the virus writers.

Eventually the writers were caught and the computers were seized. To avoid disruption the servers were left running, but they will be shut down on Monday.

On Monday, those computers still infected won’t be able to surf the net until the problem is fixed.

How Do I Know I’m infected?

As part of the shutdown, the DNS Changer Working Group was set up. Their site has a detection tool that will tell you if your computer is infected.
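Because the Trojan works by changing a computer’s DNS settings, the same question can be answered by looking at which DNS servers the machine is configured to use. The Python script below is an added example, not part of the original post or the Working Group’s tool; it audits resolv.conf-style settings, and both the rogue ranges (documentation placeholders) and the expected resolvers are assumptions to replace with real values.

```python
import ipaddress
import os

# Placeholder networks (RFC 5737 documentation ranges), constructed for this
# example. They are NOT the real DNS Changer ranges; substitute the list
# published by the DNS Changer Working Group.
ROGUE_RANGES = [ipaddress.ip_network(n)
                for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Assumption: the resolvers this machine is supposed to use (router and ISP).
EXPECTED = {ipaddress.ip_address(a) for a in ("192.168.1.1", "192.0.2.53")}

# Constructed sample input, not taken from a real machine.
SAMPLE = """\
# generated by the network manager
nameserver 192.168.1.1
nameserver 198.51.100.77   # falls inside a placeholder rogue range
nameserver 192.0.2.200
"""


def parse_nameservers(resolv_text):
    """Return the servers named on 'nameserver' lines of resolv.conf-style text.

    Valid entries come back as ipaddress objects; malformed ones are kept as
    plain strings so the audit can report them instead of hiding them.
    """
    servers = []
    for raw in resolv_text.splitlines():
        # Drop comments (resolv.conf accepts both '#' and ';').
        line = raw.split("#", 1)[0].split(";", 1)[0]
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                servers.append(fields[1])
    return servers


def audit(resolv_text):
    """Map each configured DNS server to 'rogue', 'ok', 'unexpected' or 'unparseable'."""
    findings = {}
    for server in parse_nameservers(resolv_text):
        if isinstance(server, str):
            verdict = "unparseable"
        elif any(server in net for net in ROGUE_RANGES):
            verdict = "rogue"        # traffic would go via a listed rogue server
        elif server in EXPECTED:
            verdict = "ok"
        else:
            verdict = "unexpected"   # not known bad, but nobody chose it: check
        findings[str(server)] = verdict
    return findings


if __name__ == "__main__":
    path = "/etc/resolv.conf"
    if os.path.exists(path):
        with open(path) as handle:
            text = handle.read()
    else:
        text = SAMPLE
    for server, verdict in audit(text).items():
        print(f"{server:<20} {verdict}")
```

An “unexpected” result is not proof of infection; it means the machine is using a DNS server nobody chose on purpose, which is worth investigating.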

How can I fix the problem?

The easiest fix is with the Microsoft Malware Scanner which will check your computer for the DNS Changer virus along with other malware. If the scanner detects a problem it will remove the virus. IT Queries also have instructions on Removing A Trojan.

To prevent further infections, it’s necessary to install an up to date antivirus. A good free one is the Microsoft Security Essentials tool.

The DNS Changer Trojan was very effective malware and it illustrates why computer users need to be careful of where they go on the mean streets of the Internet.

702 Sydney Mornings Technology

On this show we look at how to avoid malware and protect your digital legacy

On 702 Sydney Mornings this month with Linda Mottram, we’re looking at the continued story of the Flame and Stuxnet worms along with some trickery from the North Koreans who tried to shut down South Korea’s Incheon International Airport with a computer virus.

To help you avoid being infected, there’s a detailed description on the Netsmarts website of how to set up your computer.

We’re also looking at protecting your digital legacy in an era when social media services like LinkedIn and Facebook can keep your memory alive long after your passing.

Join us on 702 Sydney from shortly after 9.30am. We’ll probably take some calls on 1300 222 702 and we’d like to hear your views, comments or questions.

Taxing the Internet laggards

Should users of old software pay more?

Online retailer Ruslan Kogan is never short of a good stunt to promote his business. His latest, a tax on users of Internet Explorer 7, has given him worldwide attention.

Ruslan touches on a real problem for web designers, e-commerce shopkeepers and the online community in general – that Microsoft’s older versions of their Internet Explorer web browsers don’t conform with standards.

This means IE6 and 7 don’t display pages the way other browsers do, meaning designers have to spend extra time catering for the people who won’t move to new versions.

Those who insist on using the older versions of Internet Explorer are also taking a risk as these products are far less secure than the newer editions.

It’s in everybody’s interests to have the latest browsers and security patches, so both Windows and Mac users should be making sure they have the latest updates on their computers.

Even with the latest updates, it’s worthwhile using a different web browser to the one that comes with the system. That’s why Opera, Mozilla Firefox or Google Chrome are the better options for web browsers.

Ruslan Kogan’s right in forcing users to move onto modern software; it’s a media stunt that might do some good.

Security and convenience

Good security is always inconvenient. We have to learn to live with it.

“Your security advice is too difficult, I don’t want to log in when I start my computer or have to mess around when I have to install new software,” a lady told me on the weekend.

Security is always inconvenient. It would be far more convenient if car doors weren’t locked and starting them was a matter of flicking a switch.

Of course we know if that was the case, most cars would be stolen within hours of buying them.

We accept the inconvenience of car keys because we know the cost of having a vehicle stolen is way higher than the occasional frantic search for lost car keys.

Right now we don’t value our data, computers or smartphones the same way.

This is changing and as we start using our phones as electronic wallets we’ll start valuing our passwords and online security more than our car keys.

 

Security and cloud computing

Understanding risks with online computing is the best way to manage it.

Last Friday cloud accounting service Saasu ran their Cloud Conference looking at the business benefits of online computing and business automation.

Among the topics discussed was the security of cloud computing with Stilgherrian giving an excellent overview of the state of information security.

Stil’s message is clear; online security is everyone’s problem – if the bad guys want to target you for whatever reason they will.

As a business owner, it’s essential to take basic precautions. This is something I’ve covered before and something Stil raises in his presentation by pointing out that Australia’s Defence Signals Directorate lists 35 mitigation strategies based on the security breaches they examined in 2010.

Of those thirty-five, the top five would prevent 85% of security breaches. The top one – keeping your applications up to date – would avoid almost every PC malware attack along with Apple Mac’s Flashback worm.

In answering my question about how Saasu and other cloud computing users can protect their system, Stil also raised a good point about using virtual machines for web browsing and even purchasing a computer just for business accounting and banking use so the services can’t be compromised.

Related to this topic is an ongoing discussion on the Reddit forums between posters claiming to be malware writers and botnet operators.

While it’s risky to trust everything you read on Reddit, the tips are worthwhile, particularly the advice to “disable addons in your browser and only activate the ones you need.”

By reducing the number of programs running on your computer or the add ons in your web browser, you lessen the risk of being infected. Again this would have protected the victims of the Flashback worm.

The security of our systems is our own responsibility, just like our home and office security.

Cloud computing is no different to other computing – the basics of information security, or #infosec, are the same regardless of whether you’re using software on your computer or the cloud.

Used responsibly, cloud computing is no less or more secure than any other computer or smartphone use. We shouldn’t underestimate the risks, or get hysterical about the threats.

Malware’s third party path

How to take care in a changing world of cybercrime.

One of the few constants with computer security is that threats are constantly evolving.

Malware – malicious software like computer viruses, worms or Trojan horses – is the most common security threat ordinary home or business technology users will encounter on their PC, laptop or smartphone.

During the big computer virus epidemic of the early 2000s the main targets were Windows 98 or XP machines running Internet Explorer as these were so easy to infect.

Today, it’s harder to infect Windows systems and the malware writers have become more sophisticated in the tools and methods they use to catch victims.

Right now, we’re seeing the malware writers focusing on weaknesses in third party software such as Java, Flash and Microsoft Office.

Mac users have been affected by the Flashback worm which used flaws in the Java computer program and now Adobe have released an emergency update to their Flash application to fill a security hole that could affect all operating systems.

Along with being more sophisticated in their methods, today’s malware writers are also more organised with real criminal objectives as opposed to the earlier generations that were derided as “script kiddies”.

So there are real risks in not taking basic steps to protect your computer system.

Have the latest updates

When your system asks you if you want to install updates, do so. Both Macs and PCs have an automatic update function which you should enable and pay attention to.

Individual software packages like Java, Flash and Microsoft Office have their own update reminders which you should also pay attention to.

Sometimes, though, the malware writers distribute fake updates to fool people into installing their software, so if you are suspicious about an update, check online to see if you have the latest version.

Run computers in Restricted User mode

One of the big weaknesses for all systems is the tendency to run as an Administrator. In older Windows systems this gives almost complete control over the system and it can still create problems in newer systems as well as with Mac or Linux systems.

Every user should run as a Restricted User and this can be set up in the Windows Control Panel or Mac Preferences.

Have an antivirus

While the antivirus industry loves flogging overpriced and overfeatured software that generally slows your computer down as much as it protects the system, it’s still worthwhile having.

For Windows users, the free Microsoft Security Essentials is fine for most users. For Mac users, the free ClamAV or Sophos Anti-Virus for Mac are good choices.

Use a third party browser

Generally using the built in web browsers – Internet Explorer in Windows and Safari on the Mac – tends to amplify security risks. So use a third party browser like Firefox, Google Chrome or Opera.

Be careful

Malware writers, like all crooks and conmen, try to exploit human weaknesses so their tricks often appeal to our greed, fear or lust.

Try to avoid websites offering pirated software, movies, music or pornography and never click on emails or pop up adverts that claim you’ve won the lottery or been infected with a virus.

Cybercrime is real and growing although we should keep the threat in perspective and not fall for the hysterical headlines we often see in the media.

The risks are going to continue to evolve as the crooks move onto trying to exploit weaknesses in smartphones, social media platforms and cloud computing services.

Despite this, most people won’t be affected by malware or other computer crime if they are careful. Just don’t count on being lucky.

Are we prepared to embrace risk?

The world is a dangerous place, can governments protect us?

It’s safe to say the Transportation Security Administration – the TSA – is one of America’s most reviled organisations.

So it’s notable when a former TSA director publicly describes the system the agency administers as “broken” as Kip Hawley did in the Wall Street Journal on the weekend.

“More than a decade after 9/11, it is a national embarrassment that our airport security system remains so hopelessly bureaucratic and disconnected from the people whom it is meant to protect. Preventing terrorist attacks on air travel demands flexibility and the constant reassessment of threats. It also demands strong public support, which the current system has plainly failed to achieve.”

The underlying question in Kip’s article is “are Americans prepared to accept risk?” The indications are that they aren’t.

One of the conceits of the late twentieth century was that we could engineer risk out of our society; insurance, collateral debt obligations, regulations and technology would ensure we and our assets were safe and comfortable from the world’s ravages.

If everything else failed, help was just an emergency phone call away. Usually that help was government funded.

An overriding lesson from the events of September 11, 2001 and subsequent terrorist attacks in London and Bali is that these risks are real and evolving.

The creation of the TSA, along with the millions of new laws and billions of security related spending in the US and the rest of the world – much of it, one suspects, misguided – was to create the myth that the government is eliminating the risk of terrorist attacks.

It’s understandable that governments would do this – the modern media loves blame so it’s a no win situation that politicians and public servants find themselves in.

Should a terrorist smuggle plastic explosive onto a plane disguised as baby food then the government will be vilified and careers destroyed.

Yet we’re indignant that mothers with babies are harassed about the harmless supplies they are carrying with them.

It’s a no-win.

This is not an American problem; in Australia we see the same thing with the public vilification of a group of dam engineers blamed for not holding back the massive floods that inundated Brisbane at the end of 2010.

While we should be critical of governments in the post 9/11 era as almost every administration – regardless of their claimed ideology – saw it as an opportunity to extend their powers and spending, we are really the problem.

Today’s society refuses to accept risk; the risk that bad people will do bad things to us, the risk that storms will batter our homes or the risk that we will do our dough on what we were told was a safe investment.

So we demand “the gummint orta do summint”. And the government does.

The sad thing is the risk doesn’t go away. Risk is like toothpaste, squeeze the tube in one place and it oozes out somewhere else.

While Kip Hawley is right that we need to change how we evaluate and respond to risk, his argument assumes that we are prepared to accept that Bad Things Happen regardless of what governments do. It’s dubious that we’re prepared to do that.

Ending the era of Mac complacency

Does the Flashback bug end the Mac’s virus free status?

The news that the Flashback Trojan has infected an estimated 600,000 Apple Mac computers has been greeted with joy by the dozens of industry experts who have predicted a virus holocaust for smug Mac users for nearly a decade.

The Flashback malware – the earlier versions could be described as a computer Trojan Horse while the later editions are more like a computer worm – is a real risk to Mac users and it’s important to take this risk seriously.

The Netsmarts business site looks at how Mac and Windows users can protect themselves from Flashback and its variants.

One of the key things in the advice is to make sure anybody using the computer has limited rights; as a Managed User on the Mac and as a Limited User in Windows. This dramatically reduces the opportunity for bad things to happen while online.

I’ve discussed previously why user privileges are one of the reasons the Mac has historically been less prone to virus infections than its Windows cousins.

Microsoft made the decision in the 1990s not to tighten Windows’ security settings and their customers paid the price for the next decade. This was compounded by some poor implementations of various technologies in Microsoft Windows.

This isn’t to say the Mac, or any other computer system, doesn’t have security bugs. Every operating system does and it’s a conceit of everybody immersed in new technologies, from cloud computing back to horse drawn chariots, to believe their products are magically infallible.

Part of the crowing from the security experts and charlatans who’ve been desperately predicting a “Macapocalypse” for nearly a decade overlooks this.

Even with the proven problem of the Flashback virus, it’s unlikely we’ll see a deluge of malware like that of the early 2000s simply because Mac OS X, Windows 7 and all the other mobile and computer operating systems don’t have the structural flaws that Windows 98, ME and early versions of XP had.

Much of the Mac versus PC argument in security is irrelevant anyway; the main game for scammers and malware writers has moved to social media services like Facebook and this is where computer users need to be very careful.

However, the stereotype of the “Smug Mac” user was true; one caller to my radio show claimed he didn’t have a problem with spam because he had a Mac. Nothing could convince him that email spam wasn’t related to the type of computer you used.

To be fair to Apple they never made the claim their computers were invulnerable to malware, apart from the odd dig at Microsoft. Their users did it for them.

That type of smug Mac user is the one who does need a wake up call. For the industry, though, it’s business as usual, although some will be feeling a little smug that their hysterical predictions of the last decade came true in a small way last week.