Spotting a security charlatan

The tell tale signs of technology and web falsehoods

Google’s Open Source Programs Manager, Chris DiBona recently pointed out how IT security industry charlatans keep making false claims to push the sales of their software products and consulting services.

“If you read an analyst report about ‘viruses’ infecting ios, android or rim,” says Chris, “you now know that analyst firm is not honest and is staffed with charlatans. There is probably an exception, but extraordinary claims need extraordinary evidence.”

Sadly, the computer press tends to accept these extraordinary claims at face value and allows the charlatans to repeat their snake oil pitches without subjecting them to critical analysis.

Fortunately for those who care about the security of their home and business IT systems, there are ways to spot the charlatans and their dodgy wares.

The Big Target theory

When you read a claim that the Windows malware epidemic of the early 2000s was due to Microsoft being a big target, as opposed to the tiny market shares of Apple and Linux, you can be sure they are the words of someone who is at best clueless and is selling a dubious product.

This theory is nonsense, as I’ve explained previously, and anyone who genuinely believes it has no experience in dealing with the poorly secured operating systems that were Windows 98, Me and the early versions of XP.

If you are confronted by somebody making this claim, ask them: now that smartphones are outselling desktop computers, where is the widespread malware promised for mobile systems? It doesn’t exist, for exactly the reasons Chris gives in his Google+ post.

Real Soon Now

The other key indicator is the “real soon now” claims – that a virus is about to burst onto the scene that will rub the smile off the face of smug Mac and Linux users.

Invariably the hysterical headlines are backed up with claims, almost always taken from a vendor’s press release, that a security company’s researchers have identified a threat that is about to exploit wilfully clueless users.

Daring Fireball’s John Gruber has done an excellent job of dismantling this rubbish in his classic post “Wolf”.

His post was provoked by the ‘news’ that a wave of Apple malware was on its way. That was six months ago and we’re still waiting. John tracked similar stories back to 2004, none of which came to fruition.

The modern snake oil men have an advantage in that tech journalists are desperate for page views and in many media organisations they no longer have the resources to critically analyse PR claims.

Sadly there are real security issues that home and business users need to be aware of. Of course, much of the solution for this doesn’t sell dubious antivirus or expensive consulting services.

In some respects, the proliferation of these stories is a reflection of the decline of the mainstream media business model.

As more ‘news’ stories become lightly rewritten PR spin, the less seriously readers take those outlets, and once trusted journals of record become little better than online gossip rags.

Important issues, like information security, deserve more than repeating the lies of those who profit from fear, uncertainty and doubt.

Avoiding industrial nightmares

How we can harden our computer networks from hacking attacks

The Iranian nuclear program is crippled by a virus that infects their control systems while a hacker claims a Texas waterworks can be accessed with a three word password.

Any technology can be vulnerable to the bad guys – obscure systems like office CCTV networks and home automation services can be as vulnerable as the big, high profile infrastructure targets.

While there are good reasons to connect our systems to the web, we need to ensure our networks are secure, and there’s a range of things we can do to protect ourselves.

Does this need to be connected?

Not everything needs an Internet or network connection; if there’s no reason for a device or network to be connected, then simply don’t plug it in.

Keep in mind, though, that threats don’t just come through the web: neither the Iranian malware attack nor the Wikileaks data breach was due to hackers or Internet attacks.

Get a firewall

No server or industrial system should be connected directly to the public Internet; an additional layer of security will protect systems from unwanted visitors.

All Internet traffic should go through a firewall that is configured to only allow certain traffic through. If the router or firewall can be configured to support a Virtual Private Network (VPN), then that’s an added layer of security.

Disable unnecessary features

The fewer things you have running, the fewer opportunities there are for clever or determined hackers to find weaknesses.

Shut down unnecessary services running on systems – Windows servers are notorious for running superfluous features – and close Internet ports that aren’t required for normal running of your network.

Patch your systems

Computer systems are constantly being updated as new security problems and flaws are found.

Unpatched computers are a gift to malicious hackers and all systems should be current with the latest security and feature updates.

This is a lesson the Iranians learned with the Stuxnet worm that was almost certainly introduced through an unpatched system – probably one running an early version of Windows XP or even 98 – which was vulnerable to known security problems.

Have strong passwords

Passwords are a key part of a security policy; they have to be strong and robust while being different from those you use for social media and cloud computing services.

It’s also important not to share passwords, and to restrict key login details and administrator privileges to those who require them for their work.
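The five steps above can be turned into a repeatable check. What follows is an added example, not code from the original post: a small Python audit that runs over a constructed host inventory (the host name, services, firewall rules, patch date and passwords are all made up) and reports where the checklist is not met. The same host is shown twice, once as it might arrive from a vendor and once after the checklist has been applied, so the weak and the corrected configuration sit side by side.

```python
"""Audit a host against the hardening checklist above.

Added example, not code from the original post. HOST_WEAK, HOST_HARDENED,
the allow-lists and the dates are constructed sample data.
"""
from datetime import date

# Constructed inventory of a badly set-up supervisory PC.
HOST_WEAK = {
    "name": "plc-supervisor-01",          # hypothetical host
    "internet_facing": True,              # plugged straight into the public Internet
    "listening": [                        # (protocol, port, service), as a netstat listing would show
        ("tcp", 22, "sshd"),
        ("tcp", 80, "httpd"),
        ("tcp", 445, "smb"),
        ("tcp", 3389, "rdp"),
        ("udp", 161, "snmpd"),
        ("tcp", 9100, "print-spooler"),
    ],
    "firewall": {
        "default": "allow",               # inbound default policy
        "allow_from_internet": [("tcp", 22), ("tcp", 3389)],
    },
    "patches": {"last_applied": date(2009, 10, 14)},
    "passwords": {"admin": "plant123", "operator": "Summer2011!"},
    "reused_elsewhere": ["Summer2011!"],  # also used on a social-media account
}

# The same host after the checklist has been applied.
HOST_HARDENED = {
    "name": "plc-supervisor-01",
    "internet_facing": False,             # behind the firewall, reachable over the VPN
    "listening": [("tcp", 22, "sshd"), ("tcp", 80, "httpd")],
    "firewall": {"default": "deny", "allow_from_internet": [("tcp", 80)]},
    "patches": {"last_applied": date(2011, 11, 20)},
    "passwords": {"admin": "kettle-orbit-granite-42", "operator": "lamp-river-pocket-77"},
    "reused_elsewhere": [],
}

REQUIRED_SERVICES = {"sshd", "httpd"}     # what this role genuinely needs
PUBLIC_PORTS = {("tcp", 80)}              # the only inbound traffic the Internet may send
MAX_PATCH_AGE_DAYS = 30
MIN_PASSWORD_LENGTH = 12
AUDIT_DATE = date(2011, 12, 1)            # constructed "today" for the patch-age check


def audit_host(host, today):
    """Return a list of (severity, finding) tuples; an empty list means the host passes."""
    findings = []

    # Does this need to be connected? / Get a firewall
    if host["internet_facing"]:
        findings.append(("high", "connected directly to the public Internet; place it behind a firewall"))
    fw = host["firewall"]
    if fw["default"] != "deny":
        findings.append(("high", f"firewall default policy is '{fw['default']}'; make it 'deny' with explicit allows"))
    for proto, port in fw["allow_from_internet"]:
        if (proto, port) not in PUBLIC_PORTS:
            findings.append(("high", f"inbound {proto}/{port} is open to the Internet; restrict it to the VPN"))

    # Disable unnecessary features
    for proto, port, service in host["listening"]:
        if service not in REQUIRED_SERVICES:
            findings.append(("medium", f"unneeded service {service} listening on {proto}/{port}; shut it down"))

    # Patch your systems
    age_days = (today - host["patches"]["last_applied"]).days
    if age_days > MAX_PATCH_AGE_DAYS:
        findings.append(("high", f"last patch applied {age_days} days ago; bring the system current"))

    # Have strong passwords
    reused = set(host["reused_elsewhere"])
    for account, password in host["passwords"].items():
        if len(password) < MIN_PASSWORD_LENGTH:
            findings.append(("high", f"account {account}: password shorter than {MIN_PASSWORD_LENGTH} characters"))
        if password in reused:
            findings.append(("high", f"account {account}: password is reused on another service"))

    return findings


if __name__ == "__main__":
    for label, host in (("weak", HOST_WEAK), ("hardened", HOST_HARDENED)):
        results = audit_host(host, AUDIT_DATE)
        print(f"{label}: {len(results)} findings")
        for severity, finding in results:
            print(f"  [{severity}] {finding}")
```

Run as-is, the weak inventory produces twelve findings and the hardened one none. The allow-lists are the part to adapt to a real site: the point of the exercise is that every listening service and every inbound rule has to be justified against what the system is actually for.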

With online services like social media, cloud computing and other web tools becoming a part of business and home life, we have to take the security of our systems seriously. Hardening them against threats is a good place to start.

The digital inheritance

Our online possessions are valuable and now matter.

Our digital footprint – what appears about us online in websites and social media services – is becoming more important as we’re judged by what people find out about us on the web.

As what we store on the web grows in importance, so does the need to plan for what happens to that data when we pass away. “Generation Cloud”, a survey in the UK by hosting company Rackspace and the University of London, looked at how Britons were dealing with these issues.

Information left online can cause problems as social media sites will send suggestions and reminders which can distress others if the suggested contact has passed away.

Equally, a web site or Facebook page could even serve as a memorial. The final blog post of Derek K. Miller is a particularly touching memorial.

Whether to create a “digital tombstone”, to remove inappropriate posts or just to access your digital personal effects like email or photos stored on a cloud service, your loved ones will need your passwords.

In the Generation Cloud survey, 11% of the participants planned to leave their online account details and passwords in their wills, and half considered that some of their ‘treasured possessions’ were stored online.

Once again we’re finding our online data has real value that’s worth passing down. It’s another reason to guard your data safely and not give it away lightly.

What businesses should learn from Wikileaks

Cablegate forces us to question computer security and the stability of the Internet

The Wikileaks Cablegate affair has been entertaining us now for two weeks as we see diplomats and politicians around the world squirming with embarrassment as we learn what US diplomats really think about the foreign powers they deal with.

Both the leak of the cables and the treatment of Wikileaks and its founder, Julian Assange, by various Internet companies raise some important questions about the Internet, cloud computing and office security in the digital era.

Security

It’s believed the source of the leaked cables is Private First Class Bradley Manning, who is alleged to be responsible for leaking the Iraq tapes released by Wikileaks earlier this year.

The lesson is: don’t give junior staff unrestricted access to your data. Access to important information such as bank account details, staff salaries and other matters best kept confidential needs to be protected.

You can stop data leaving the building by locking USB ports, CDs and DVDs through either software or hardware settings on your computers; ask your IT support about this, but keep in mind that locking down systems may affect some of your staff’s productivity.

Locking down the physical media, though, doesn’t stop data being sent across the Internet, and access logs may only tell you this has happened after the fact. So it’s important to review your organisation’s acceptable use policy. Check with your lawyers and HR specialists that your staff are aware of the consequences of accessing company data without permission.
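Access logs do at least let you see unusual volumes of access, even if only afterwards. The following is an added example, not part of the original column: a Python check that reads constructed access-log lines (the log layout, user names, role baselines and events are all made up) and flags any account that touches far more distinct documents in one window than its role normally would.

```python
"""Flag bulk document access from an access log after the fact.

Added example, not from the original column. The log format, the user
names, the role baselines and the events below are all constructed.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Documents a role is expected to touch in a normal eight-hour shift (constructed).
ROLE_BASELINE = {"clerk": 20, "analyst": 200}


def make_sample_log():
    """Constructed log lines: '<iso timestamp> <user> <role> <action> <document id>'."""
    lines = []
    start = datetime(2010, 11, 28, 9, 0, 0)
    # clerk01: five documents across the morning, ordinary work
    for i in range(5):
        t = start + timedelta(minutes=30 * i)
        lines.append(f"{t.isoformat()} clerk01 clerk read DOC-{i:04d}")
    # analyst02: 150 documents over the shift, a legitimate review for that role
    for i in range(150):
        t = start + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} analyst02 analyst read DOC-{1000 + i:04d}")
    # clerk07: 400 distinct documents in 40 minutes, far outside a clerk's baseline
    for i in range(400):
        t = start + timedelta(seconds=6 * i)
        lines.append(f"{t.isoformat()} clerk07 clerk read DOC-{2000 + i:04d}")
    return lines


def bulk_access(lines, window=timedelta(hours=8), multiplier=5):
    """Return {user: peak distinct documents} for users whose distinct-document count
    inside any sliding window of the given length exceeds multiplier x role baseline."""
    by_user = defaultdict(list)
    for line in lines:
        ts, user, role, _action, doc = line.split()
        by_user[user].append((datetime.fromisoformat(ts), role, doc))

    flagged = {}
    for user, events in by_user.items():
        events.sort()
        threshold = ROLE_BASELINE[events[0][1]] * multiplier
        recent = deque()            # (timestamp, doc) pairs inside the window
        in_window = Counter()       # how many times each doc appears inside the window
        peak = 0
        for ts, _role, doc in events:
            recent.append((ts, doc))
            in_window[doc] += 1
            # drop events that have fallen out of the window; the current event keeps it non-empty
            while ts - recent[0][0] > window:
                _old_ts, old_doc = recent.popleft()
                in_window[old_doc] -= 1
                if in_window[old_doc] == 0:
                    del in_window[old_doc]
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for user, count in bulk_access(make_sample_log()).items():
        print(f"{user}: {count} distinct documents inside one window, review this account")
```

The baselines and the multiplier are deliberately generous so that a legitimate reviewer working through a large batch is not flagged; the analyst in the sample reads 150 documents and stays under the threshold, while the clerk pulling 400 in 40 minutes does not. Shrinking the window changes what counts as a burst, which is why it is a parameter.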

Incidentally, the idea that Pfc Manning was just one US Army staffer of thousands who were able to access these cables raises the suspicion that the information Wikileaks is now releasing was long ago delivered to the desks of interested parties in London, Moscow, Tel Aviv, Beijing and cave hideouts in remote mountain ranges.

Don’t rely on one platform

Wikileaks found itself hounded from various web hosting and payment providers. As we’ve discussed previously, relying on other people’s services to deliver your product raises a number of risks. Make sure you have alternatives should one of your service providers fail and never allow an external supplier to become your single point of failure.

Concerns about the cloud

This column has been an unabashed fan of cloud computing, but the Wikileaks saga shows the cloud is not necessarily secure or trustworthy. Not only is there the risk of a PFC Manning working at the data center compromising your passwords or data, but the arbitrary shutdown of Wikileaks’ services is a stark lesson in relying on another company’s Terms of Service.

Within most terms of service are clauses that allow the provider to shut down your service if you are accused of breaking the law or straying outside of the providers’ definition of acceptable use. As we saw with Amazon’s treatment of Wikileaks, you can be cut off at any time and without notice.

Amazon’s shutting down of Wikileaks is a pivotal point in the development of cloud services. Trust is essential to moving your operations to the cloud, and Amazon’s actions show that much of that trust may be misplaced.

Should you be considering moving to the cloud, you’ll need to ensure your data and services are being backed up locally and not held hostage to the arbitrary actions of your business partner.

Don’t put your misgivings in writing

So your business partner is a control freak? Great but don’t put it in writing.

Be careful of gossip and big noting

One interesting aspect of Wikileaks to date is how senior politicians like gossip and showing how worldly they are to US diplomats.

That’s great, but it probably isn’t a good idea to tell your best friend they should consider beating up your most important customer. As mentioned earlier, this little gem was probably on the polished desks of the Chinese Politburo long before the cables found their way to Wikileaks.

Resist the temptation to gossip, remember your grandmother’s line about not saying anything if you can’t say something nice.

Ultimately what Wikileaks shows us is that all digital communications are capable of being copied and endlessly distributed. In a digital economy, the assumption has to be that everything you do is likely to become public, and you should conduct your business as if you will be exposed on Wikileaks or the six o’clock news.

Wikileaks is a lesson on transparency; we are entering an era of accountability, and the easiest way to deal with this is to be more honest and open. That’s the big lesson for us in our business and home lives.

Other peoples’ platforms

The risks in the privately owned web range from obscure terms of service to arbitrary payment problems. This is why you need to control as much of your business’ online presence as possible.

“We have successfully established an online business, but we have run into problems with eBay (indefinite suspension – unfairly I might add)” wrote Ralph*, an old client.

“We are pretty desperate, as this is now our sole business and we are now without an income.”

The Privately Owned Web

Ralph’s problem is typical of thousands of businesses that rely on one Internet service. Some months back we looked at “Nipplegate”, the story of a Sydney jeweller who had her Facebook page closed down because of her anatomically correct dolls.

All of these services are privately owned with their own terms and conditions along with their own corporate objectives. If you choose to use their product, you have to follow their rules – just like a shopping mall management can order you off their premises because they don’t like the colour of your socks.

The most glaring example of this is Wikileaks, where Amazon, Paypal, Mastercard and Visa all threw the whistleblower site off their services for allegedly breaching their terms of service in various obscure ways.

The Terms of Service Trap

A business’ Terms of Service usually feature clauses wide enough to catch even the most honest and diligent business. This is by design, as it gives management an excuse to throw off anyone who makes their lives difficult, which is exactly what has happened with Wikileaks.

While Ralph’s problem is nothing like the scale of Julian Assange’s, all of these stories illustrate the dangers of relying on one service for your livelihood. Should that service change the way it operates, then any business that relies on that could be broke in hours, as many businesses that rely on Google search results have found.

Most of the Internet is not a public space, almost all of it is privately run along similar lines to that shopping mall or a walled estate.

Ralph and Julian Assange have shown us the limitations and risks of the privately operated web. As citizens and business owners we have to understand that these corporations’ objectives are not always the same as ours, and make judgements on how we live with the risk of finding ourselves in breach of a Terms of Service in our business or personal lives.

We’re still in relatively early days of the net and all of us are still learning. One lesson is clear though, we can’t allow our livelihoods to be held hostage by a small number of big technology companies. Make sure you have alternatives to your online channels.

*Ralph is not his real name

The strange story of the Stuxnet worm

A virus crippling the Iranian nuclear program could affect your business

The tale of the virus infecting Iran’s nuclear program is one of the fascinating stories of the computer world.

Whoever wrote the Stuxnet worm did a spectacular job in bringing together a number of security problems and then using two weak links — unpatched Windows servers and poorly designed programmable logic controller software — to create a mighty mess in the target organisation.

The scary thing with a rootkit like Stuxnet is that once it has got into the system, you can never be sure whether you’ve properly got rid of it.

What’s worse, this program will be writing to the Programmable Logic Controllers the infected computers supervise, so plant operators will never know exactly what changes might have been carried out on the devices essential to a plant’s operations and safety.

Damaging Iranian nuclear plants

A report on the Make The World A Better Place website over the weekend indicates the Stuxnet worm may have damaged the Iranian nuclear reactor program.

The story behind the Stuxnet worm is remarkable. It appears this little beast is a sophisticated act of sabotage that uses a number of weaknesses in computer systems, as detailed by Computer World in their “Stuxnet Worm Hits Industrial Systems” and “Is Stuxnet the Best Malware Ever?” articles.

The risk of unpatched systems

One of the things that leaps out is how servers running unpatched systems are an important part of the infection process. The Stuxnet worm partly relies on a security hole that was patched by Microsoft two years ago so obviously the Iranian servers were running an unpatched, older version of Windows.

This is fairly common in the automation industries. I’ve personally seen outdated, unpatched Windows servers running CCTV, security, home automation and dispatch systems. They are in that state because the equipment vendors have supplied the equipment and then failed to maintain it.

These companies deserve real criticism for using off the shelf, commercial software to run mission critical systems it was never designed for.

Commercial programs like the various Windows, Mac and other mass market operating systems are designed for general use; they come with a whole range of services and features that industrial control systems don’t need. In fact, the Stuxnet worm uses one of those services, the print spooler, to give itself control of the system.

Securing industrial systems

These industrial systems require far more basic and secure control programs, a cheap option would be a customised Linux version with all the unnecessary features stripped out. In the case of Siemens, the providers of the PLCs supplied to the Iranian government, it’s disappointing such a big organisation couldn’t build its own software to control these systems.

Business owners, and anyone who has computer controlled equipment on the premises, need to ask their suppliers some hard questions about how secure supplied computer equipment is in this age of networked services and Internet worms.

Protecting yourself from the Conficker worm

Nearly a year after it was identified, the Conficker computer worm continues to plague Windows users, infecting systems controlling everything from fighter planes to bus lane fines. We look at how to protect your computers from this threat.

The problem has become so great that a consortium of vendors has set up the Conficker Working Group to deal with the malware’s spread, and Microsoft are offering a $250,000 reward for the identity of the writer.

It’s not a problem that should be understated – the worm’s main use appears to be as a controller of botnets, networks of remote controlled computers used to launch attacks on other systems or to hide the tracks of scammers and password thieves.

Update your systems

Given the risks and embarrassment of being infected, avoiding this worm and others like it should be a priority for your business. First of all your Windows computers should have the latest updates as Conficker relies on some old security bugs that Microsoft patched last October.

Run an anti-virus

Naturally, you should be running an up to date anti-virus. Most widely used AV programs will do the job, including Open Source detectors like Clam AV and freeware programs.

Note though that the licences for freeware programs like AVG and Avast! are specifically for home use only. If you are running those on your office system, respect the developer’s right to make a living and buy a commercial licence, they are actually cheaper and more reliable than many of the better known brand names.

Restrict your users

Finally, make sure your users log on in Limited User mode. The reason why Windows computers are more prone to viruses than their Mac and Linux cousins is that most users run their Microsoft systems in the powerful Administrator mode, which is the equivalent of leaving your car doors unlocked all night.

I’ve some instructions on setting up Limited User Profiles for Windows XP systems on the PC Rescue website. If you have an office with a Windows 2003 or 2008 server, your IT department or consultant will be able to do this through the network, which is a lot more secure way of doing things.

Be warned that some programs won’t work unless they run in Administrator mode. If you find this is a problem then you should consider replacing that software as the vendor has shown they are either incompetent or are prepared to put their customers at risk to save a few dollars.
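A quick way to see how far an office is from the Limited User rule is to list who sits in the local Administrators group and which programs insist on it. The following is an added example, not code from the original post or from PC Rescue: a Python script that parses constructed output in the shape of `net localgroup Administrators` (the dashed separator and the closing “The command completed successfully.” line are the assumptions the parser relies on), compares the members against a constructed list of daily-use accounts, and lists the constructed programs that refuse to run as a Limited User.

```python
"""Review who runs as Administrator and which programs demand it.

Added example, not from the original post. The command output, the user
lists and the program table are constructed; the parser assumes the
output has a dashed separator before the member names and ends with
"The command completed successfully."
"""

NET_LOCALGROUP_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
itsupport
jsmith
reception
The command completed successfully.
"""

# Accounts people log on with every day (constructed); these should be Limited Users.
DAILY_USERS = {"jsmith", "reception", "accounts"}

# Installed programs and whether they refuse to run as a Limited User (constructed).
PROGRAMS = {
    "Payroll Pro 4": True,
    "Office suite": False,
    "Label printer utility": True,
}


def parse_members(text):
    """Pull the member names out of net localgroup style output."""
    members, collecting = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---"):
            collecting = True
            continue
        if line.startswith("The command completed"):
            break
        if collecting and line:
            members.append(line)
    return members


def review_privileges(net_output, daily_users, programs):
    """Return (daily-use accounts to demote to Limited User, programs that demand Administrator)."""
    admins = set(parse_members(net_output))
    demote = sorted(admins & daily_users)
    replace = sorted(name for name, needs_admin in programs.items() if needs_admin)
    return demote, replace


if __name__ == "__main__":
    demote, replace = review_privileges(NET_LOCALGROUP_OUTPUT, DAILY_USERS, PROGRAMS)
    print("daily-use accounts still in Administrators:", ", ".join(demote) or "none")
    print("programs that insist on Administrator:", ", ".join(replace) or "none")
```

The two lists map directly onto the advice above: the first is the set of accounts to move to Limited User profiles, the second is the set of vendors to have a conversation with.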

Either way, you don’t need suppliers that have no respect for their customers.

Your computers are too important to your business and shouldn’t be exposed to these sorts of embarrassing and expensive risks. Get your IT people to make sure the office systems are locked down properly.
