Secure IT Foundation

Posts Tagged ‘Computer Security War

‘Defence in depth’. That is what the commercial security world calls having multiple layers of security to protect you in case one fails.

Simply put, your home computer needs to have multiple layers of defences including an up to date browser like Firefox, have Anti Virus software that works, run Windows Update every month and update all your applications at least weekly, as a minimum. Sounds like hard work, no one interested in your computer? Don’t be a muppet!

If your computer is hacked then you could be storing child porn, terrorist training material, or your computer could be used to send spam. Assuming that you never entered any personal or financial information, else that would have been stolen as well, the worst case scenario is that your home gets raided as part of the war on terror and computers seized…

No one can guarantee perfect Internet computer security unless you unplug the Internet.

A recent hacking contest showed that ALL major browsers on the Internet can have security issues including Safari on Macs, iPhones, Windows 7,  and both Internet Explorer 8 and Firefox on any computer. So next time you click on a link sent to you, visit dubious websites, or download a file from the Internet, be sure of your defences and make sure they are deep!

SecurityBrad

Advertisements

Unlike the default settings in Windows, Linux users have to enter the administrative password before they can install new software. Recently a popular variant of Linux called Fedora introduced a change to alter the security model of Fedora to no longer require the administrative password before installing new software.

On paper it seems sensible, Fedora users could only install applications using the equivalent of ‘Add and Remove Programs / Software’ in Windows, from a list of approved titles. To ensure only approved software is installed, these approved items have a digital signature to prove they have not been altered before they are installed.

Seems reasonable so far, so why is it a problem for the Linux security model? It is a matter of trust. If you have administrative password to an operating system then it is assumed that you will only install software you trust. If you don’t have administrative password or equivalent permissions granted to you by someone who does, then it is assumed you won’t have the administrator’s trust to install new software.

What Fedora did was to move the trust from administrators only, to allowing any user to trust third party software implicitly. Suddenly the only security control to protect an unprivileged user, was the process of getting software added to the Fedora software collection, to get a digital signature.

Windows users may be lost at this point because you are mostly used to a world where you have full control of your operating system. The outcome was that Fedora reverted back to the typical Linux security model due to public pressure. What this shows is that the correct security model for operating systems is not to allow the user to install software without entering the admin password to grant your trust to the software provider. It works for OSX, UNIX, LINUX etc and it can work in Windows XP / Vista / 7.

So why doesn’t Windows come with this security feature as a default, you may ask? One to ask Microsoft…

SecurityBrad

There hasn’t been a major operating system update for some time then two come along together. Both Apple Mac’s Snow Leopard and Microsoft’s Windows 7 are available, so both PC and Mac users have to decide if they upgrade.

We have covered the correct decision process you should use when deciding if you should buy a new computer to get Windows 7 previously. The verdict was if your current secure computer is working fine with XP or Vista, then there is little benefit for the home user apart from eye candy. If your computer is slow now then adding 7 will not change much, software is no substitute for having fast hardware. Mac’s have an advantage here in that the hardware is known by Apple, and they will know the benefits of software changes better than Microsoft whose user could have a near infinite combination of hardware.

From testing and research though, neither operating system could be called ‘secure out the box’. Macs have the advantage of using non admin users on a daily basis, a practice that Windows 7 does not yet enforce, but can do perfectly well. Malware is mostly a Windows problem but Macs have their own malware these days, and the inclusion of very basic malware detection in Snow Leopard shows that it will only get worse according to Apple.

Both have fully functioning firewalls, and the default services offered over a network are mostly a sensible choice for either OS. However it is not all good. Both do suffer from default browsers with known security issues. Years ago the problem with PCs was their accessibility over a network to viruses and worms, but this vulnerability has been mostly closed.

The risk comes these days from the moment the home computer user starts to use their computer! You open a web page loaded with malware and your brand new operating system can be compromised. Even if both Snow Leopard and Windows 7 are using non admin users, poor security practice by the user can allow malware to run. There is nothing any operating system can do if the user enters the administrative password and installs an application which contains malware. The new malware detection in Snow Leopard only stops a couple of known viruses, so the virus writers will modify them not to be detected. Then begins the Mac Anti Virus arms race as seen with Windows.

Overall both operating systems offer a default level of security. Macs do offer a higher level of security out the box, but it still is far from a truly secured compared to the Secure Computer Standard. Windows 7 has a much higher security level than Windows XP out the box, but again it still is far from a truly secured compared to the Secure Computer Standard. Both 7 and Snow Leopard offer better user experiences than previous versions, so Mac users will upgrade and 7 will be adopted through people updating their hardware over time. The Secure IT Foundation’s conclusion is that Windows 7 and Snow Leopard are both not secure out the box, and both offer little in the way of user education.

Wouldn’t it be nice if you had to watch a safety video before you used the new operating system. Works well to give all air passengers a minimum level of safety knowledge for flight, perhaps its time computers came with a safety manual. Until then you can always read the Home Computer Policy

SB

Security is an odd concept. You cannot hold it or touch it but is controls and impacts your life daily. Cameras, monitoring and big brother like states all exist to achieve one aim, to control human behaviour. Do this, don’t do that, warnings, penalties. All there to control your behaviour, for the benefit of society. Problem is there is little apparent benefit for you if you comply, apart from not
being penalised.

In reality, governments usually do have good intentions and impose controls for your own benefit. Cameras do help solve crimes, monitoring of the Internet does stop terrorist actions and child abuse. Warnings are given because someone has ignored an obvious danger before, penalties so your inappropriate behaviour has a real impact in your life, where it hurts – in your bank balance!

The reason why security is a good thing is poorly explained though. It gets lost in the sea of negativity with the focus on extra costs and not what it might help prevent, so it is perceived as a bad thing. As the rewards for security are always that bad events did not happen to you, you will only see the rewards if you can picture the impact of the bad event that did not happen.

So in terms of home computers, the bad events usually are the computer gets hacked, your information stolen and used to make criminals money at your expense. Possibly your secrets could be made public to the world. Think about the real consequences about these events, and this is your reward every time they do not occur. The Risk Profile Questionnaire helps you consider what may be a threat, only you can put a value on these threats, as it is about your life. Security is in the mind, as only you can see the rewards for adopting a secure approach to home computing and only you can implement it.

So get your mind used to idea that security can be a good thing, read the Home Computer Policy and educate yourself and others.

SB

It is still busy times for computer security. If you were not aware, Microsoft, omitted in this month’s STOM day a security fix for a networking issue that has been fixed in final version of Windows 7, but leaves Vista users vulnerable. It is known as SMB2 and you can read more about it on The Register.

As we have said before, with new security issues being reported daily but fixes released days / weeks / years later, we are still on the losing side of the computer security war. The bad guys can release exploits to take control of a computer before security professionals can apply updates. If the world’s security strategy depended purely on applying updates, then you would have to say we have lost completely. In this weeks major issue, both the good and bad guys are working on an exploit for the issue, but what is really needed is Microsoft to release the fix to Vista users asap. Even more frustrating is the knowledge Microsoft have a fix!

Our attackers have speed, flexibility and an understanding of human behaviour e.g. greed, on their side. Us defenders have a hard time stopping the attackers, our defences are mostly reactive strategies like patching, Anti Virus signatures and Intrusion Detection Systems in the corporate world.

While these strategies do give some protection, the best defence is a strong offence. We should be focusing on strength by ‘defence in depth’ and ‘least privilege’, and offence from security awareness and a ‘no by default’ approach. The Secure IT Foundation is committed to increasing security awareness and to make ‘no’ the default response from the user. In combination with manufacturers applying a home computer standard like ours, then we can start to have a stronger offence in the war on computer security.

We may have lost another battle for home computer security, but there is hope and if everybody works toward a single goal of a secure home computer then we can still win the war. Some Dunkirk spirit is needed, else we may as well surrender now and go back to pen and paper!

SB



  • Coldwind: Couldn't agree more. I downloaded a piece of software just now, disabled the 'toolbar' 'offer' (which fortunately for me has become a reflex); but co
  • ModemJunki: I only discovered this today - I had updated the firmware to the latest out of habit, and I could STILL access my TrendNet cams on the local network w
  • PrentOS – a Simple Secure Computer « Secure IT Foundation: [...] September 2010 we said it was time for a brand new start to computing, well it is starting to take shape… [...]

Categories