Abusing PDFs

My last post was all about how to secure PDF documents. So it’s only fair that I point you to information to undermine that good advice. To be fair and balanced. And leave no good deed unpunished.
Belgian security blogger and hacker extraordinaire Didier Stevens recently posted this entry all about hiding data in PDF files.
My corrupted PDF quip inspired me to program another steganography trick: embed a file in a PDF document and corrupt the reference, thereby effectively making the embedded file invisible to the PDF reader.
Essentially the trick is to manipulate the PDF keyword /EmbeddedFiles which points to the dictionary of embedded files such that it is not recognized by the PDF reader as a valid keyword.
As names defined in the PDF specification are case sensitive, changing the case changes the semantics: /Embeddedfiles has no meaning, and thus the PDF reader ignores it and doesn’t find the embedded file.
And voila! The embedded file is not displayed by the PDF reader.
Of course, once you know the stego trick, it’s easy to recover the embedded file: edit the PDF document with a hex editor and change the case back to /EmbeddedFiles.
But if you want to make it harder to detect, use PDF obfuscation techniques. Or embed the file twice with incremental updates. First version is the file you want to hide, second version is a decoy…
The PDF language offers so many features to hide and obfuscate data!
Thanks Didier for news we can abuse.
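The case-change trick works because a PDF reader silently ignores a name it does not recognise, which is also why a raw byte scan (rather than a structural parse) catches it. The following is an added example and not Didier’s code or anything from his post: it scans a PDF for names that match a spec-defined key case-insensitively but are not spelled the way the spec spells them, and it also resolves the #xx hex escapes that PDF name syntax permits, so a name written as /Embedded#46iles is recognised as /EmbeddedFiles as well. The sample document, the KNOWN_NAMES list and every function name here are constructed for this example.

```python
import re

# Spec-defined dictionary keys worth watching. Constructed list for this
# example; extend it with whatever names matter in your environment.
KNOWN_NAMES = {
    "EmbeddedFiles", "EmbeddedFile", "Filespec", "Names",
    "JavaScript", "OpenAction", "AA", "Launch", "ObjStm", "XFA",
}
_LOOKUP = {name.lower(): name for name in KNOWN_NAMES}

# A PDF name starts with '/' and runs until whitespace or a delimiter character.
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")


def decode_name(raw: bytes) -> str:
    """Resolve #xx hex escapes, e.g. b'Embedded#46iles' -> 'EmbeddedFiles'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def find_disguised_names(pdf: bytes) -> list:
    """Raw byte scan (no object parsing, so an unreferenced or 'corrupted'
    reference still shows up). Returns one record per name that equals a known
    key case-insensitively but is not written exactly as the spec writes it."""
    hits = []
    for m in NAME_RE.finditer(pdf):
        raw = m.group(1)
        decoded = decode_name(raw)
        canonical = _LOOKUP.get(decoded.lower())
        if canonical is None:
            continue
        if decoded != canonical:
            reason = "case"          # reader ignores it: the stego trick itself
        elif b"#" in raw:
            reason = "hex-escaped"   # reader accepts it: obfuscated spelling
        else:
            continue
        hits.append({"offset": m.start(), "written": m.group(0).decode("latin-1"),
                     "canonical": canonical, "reason": reason})
    return hits


# Constructed minimal document: the catalog's /Names tree uses the lower-case
# /Embeddedfiles key, so a reader never finds the attached "secret.txt".
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /Embeddedfiles 4 0 R >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Names [(secret.txt) 5 0 R] >> endobj\n"
    b"5 0 obj << /Type /Filespec /F (secret.txt) /EF << /F 6 0 R >> >> endobj\n"
    b"6 0 obj << /Type /EmbeddedFile /Length 6 >> stream\nhidden\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for hit in find_disguised_names(SAMPLE_PDF):
        print(f"offset {hit['offset']}: {hit['written']} looks like "
              f"/{hit['canonical']} ({hit['reason']})")
```

Because the scan works on raw bytes, it also flags names inside unreferenced objects left behind by an incremental update, which is the second variant Didier mentions; it will not see inside compressed object streams, so inflate those first if you need full coverage.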
Securing PDFs

In a recent article, my favorite electronic evidence blogger, Sharon D. Nelson, Esq., in {ride the lightning} blog writes about how to properly secure a PDF document.
In order to properly secure an Adobe document, John [Simek, Vice President of Sensei Enterprises Inc.] advises a ‘two-step’ test.
The first step is to apply a password to the Adobe document that restricts any changes to the document (a “Change Permissions Password”). The second step is to apply an “Open Document” password. When both of these are applied, the PDF password cracker programs cannot get ‘at’ the flag that controls the editing of the document.
You provide your client with the “Open Document” password but not the “Change Permissions Password”. This way they can view the contents of the document, but they have no ability to edit the document.
Using this dual password method, the software that is used to ‘crack’ the Adobe document password cannot get at the ‘flag’ and therefore cannot be used to break the security of the document (at least at this time).
This is very good advice, and as Sharon points out in a followup post, it will cost you nothing as your PDF generation software is already capable of doing this.
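The “flag” the quoted advice refers to is the /P integer in the document’s /Encrypt dictionary, whose bits spell out which operations (printing, editing, copying and so on) the reader is asked to allow; the two passwords correspond to the /U (user, i.e. “Open Document”) and /O (owner, i.e. “Change Permissions”) entries. As an added example, not from the blog post, Sensei or Adobe, the following script locates that dictionary in a PDF and decodes /P into readable permissions so you can verify what a document actually claims before sending it out. The bit positions come from the PDF 32000-1 permissions table; the sample document and its /O and /U placeholder values are constructed and are not real computed hashes.

```python
import re

# 1-based bit positions of the user access permissions carried in /P
# (PDF 32000-1, Table 22).
PERMISSION_BITS = {
    "print": 3, "modify": 4, "copy": 5, "annotate": 6,
    "fill_forms": 9, "extract_for_accessibility": 10,
    "assemble": 11, "print_high_quality": 12,
}


def decode_permissions(p: int) -> dict:
    """Map the signed 32-bit /P integer to {permission: allowed}."""
    bits = p & 0xFFFFFFFF            # /P is stored signed; look at the bit pattern
    return {name: bool(bits & (1 << (pos - 1))) for name, pos in PERMISSION_BITS.items()}


def _balanced_dict(data: bytes, start: int) -> bytes:
    """Return the << ... >> dictionary that starts at `start`, honouring nesting
    and skipping <hex strings> so their '>' is not mistaken for a closer."""
    depth, i = 0, start
    while i < len(data):
        if data.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif data.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return data[start:i]
        elif data[i:i + 1] == b"<":
            i = data.index(b">", i) + 1
        else:
            i += 1
    raise ValueError("unterminated dictionary")


def inspect_encryption(pdf: bytes):
    """Find the trailer's /Encrypt entry (direct dictionary or indirect reference)
    and summarise the standard security handler settings. None if unencrypted."""
    m = re.search(rb"/Encrypt\s*(?:(\d+)\s+(\d+)\s+R|(?=<<))", pdf)
    if m is None:
        return None
    if m.group(1):  # indirect reference: locate "<num> <gen> obj <<"
        obj = re.search(rb"(?<!\d)" + m.group(1) + rb"\s+" + m.group(2) + rb"\s+obj\s*", pdf)
        if obj is None:
            raise ValueError("/Encrypt object not found")
        start = obj.end()
    else:
        start = m.end()
    body = _balanced_dict(pdf, start)

    def num(key: bytes, default=None):
        found = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
        return int(found.group(1)) if found else default

    filt = re.search(rb"/Filter\s*/(\w+)", body)
    p = num(b"P", -4)                # -4: every permission bit set
    return {
        "filter": filt.group(1).decode() if filt else None,
        "version": num(b"V", 0),
        "revision": num(b"R"),
        "key_bits": num(b"Length", 40),
        "has_owner_entry": re.search(rb"/O\s*[<(]", body) is not None,
        "has_user_entry": re.search(rb"/U\s*[<(]", body) is not None,
        "P": p,
        "permissions": decode_permissions(p),
    }


# Constructed sample: a trailer pointing at a standard-security-handler
# dictionary with every permission withheld. /O and /U are placeholders.
SAMPLE_ENCRYPTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"7 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3904\n"
    b"/O <" + b"00" * 32 + b">\n/U <" + b"11" * 32 + b"> >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 7 0 R /ID [<00112233> <00112233>] >>\n%%EOF\n"
)

if __name__ == "__main__":
    report = inspect_encryption(SAMPLE_ENCRYPTED_PDF)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a document you have just protected: /P should show only the operations you meant to allow, and both /O and /U entries should be present when the two-password procedure was followed.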
Turns out that the folks at Adobe, who know quite a bit about PDF documents, provide a document (in PDF format!) all about securing PDF files. In addition to step-by-step instructions for the processes described in the blog entry mentioned above [in sections entitled "Adding a document password" and "Restricting printing or changes to a document"], it contains the following sections.
Creating a Digital ID – A Digital ID is required whenever you certify or sign a PDF. A digital ID contains your signature information. If you don’t already have a Digital ID, you can obtain one from a third-party signature handler, or you can create a self-signed digital ID.
Sharing certificate information – To verify your digital signature or to enable others to encrypt documents for you, other users need to access your digital ID certificate. If you have created a self-signed digital ID, or if others can’t access your certificate, you can send it to them.
Signing a document – Make sure you have finished making changes to the document.
Creating a certified document – When you create a certified document, you indicate to others that you approve of its content. You can also specify the types of changes permitted for the document to remain certified. Detection of unwanted changes will be provided when the user signs the document. Therefore in order to protect the document, only the changes you wish to allow will be included.
You get confidentiality (when users encrypt using your cert) as well as integrity (if you lock down the document as suggested), and your recipients get non-repudiation (if you digitally sign the document). Nobody gets plausible deniability.
Portrait of the developer as a hacker
Throughout my career as a software engineer and all around code monkey, I have been both denounced and applauded as a “hacker”. In my current position, it is part of my duties to “think like a hacker”. Clearly there is a lot of confusion surrounding the term hacker. Wikipedia has these definitions.
- Hacker (computer security), someone involved in computer security
- Hacker (programmer subculture), a programmer subculture originating in the US academia in the 1960s, which is nowadays mainly notable for the free software/open source movement
- Hacker (hobbyist), an enthusiastic home computer hobbyist
Since the definition of hacker isn’t the actual topic of this post we’ll just leave it at that. What I really wanted to rant write about was inspired by this article by Neil McAllister in his Infoworld Fatal Exception blog entitled Does the ‘hacker ethic’ help or harm today’s developers? wherein he writes the following.
Today the world of programming is arguably even more accessible. Novices might start by working with HTML and JavaScript before moving on to PHP, or maybe by writing Visual Basic macros for their spreadsheets and eventually graduating to full-scale application development. Introductory tools abound, such as Microsoft’s Small Basic, and never in history has more quality application source code been available for students to learn from. Computing may be big business today, but the hacker spirit is still alive and well.
Still, I have to ask: Is that really a good thing? If every modern American schoolchild knows more about PCs and computing than their parents ever could, why does Vineet Nayar, CEO of the Indian IT outsourcing vendor HTC Technologies, claim that most U.S. college grads are “unemployable”? Are Americans really falling behind in technical know-how? Or could it be that in our willingness to embrace the hacker ideal, we’re producing programmers who are unprepared for real-world work?
According to HTC’s Nayar, the American graduates he’s encountered are all obsessed with making big salaries. In countries like India, China, Brazil, and South Africa, on the other hand — where students have no such expectation — grads are much more likely to have devoted themselves to learning such “boring” details as development process, business methodologies such as Six Sigma and ITIL, and understanding a broad range of development tools — things that too often go missing from American graduates’ résumés.
And the problem goes even deeper than that. American-style hackers don’t just make for bad team members; they also make for bad programmers, albeit for reasons new grads seldom anticipate. “Cowboy coders” might be technically proficient, but their code is less likely to be maintainable in the long term, and they’re less likely to conform to organizational development processes and coding standards. As a result, quality assurance — including testing, debugging, code reviews, and refactoring — are likely to suffer.
American software development managers often complain that Indian programmers are too literal-minded, and that they lack the intuition and entrepreneurship characteristic of American programmers. But to listen to Nayar tell it, American programmers have swung the pendulum too far in the other direction. Can it be that we’re too in love with the hacker ideal of the 1980s to produce programmers who are truly prepared for today’s real-life business environment?
Having worked over the years with a number of outsourcing vendors (including HTC) I find Mr. Nayar’s comments quite amusing. Without dismissing his points entirely, it’s kind of hard to read “American graduates are all obsessed with making big salaries. In countries like India, China, Brazil, and South Africa, on the other hand, students have no such expectation” as anything other than “American graduates refuse to be exploited as the peasants they are”. But there are some valid points. Many American, Western European and Australian software developers, particularly recent graduates, are likely to get positions with smaller startup companies. These companies value innovation and speed of delivery above all. In their world there is no long run. Yet. They have to get something dazzling out right now. Therefore those are the things that developers are rewarded for: quickly producing amazing stuff. And the reward is usually that they get to keep working at a cool place. If you aren’t a hacker you’re a slacker in this world.
Now fast forward (or rewind depending on your point of view) to developers in large corporations that have products on the 10+ versions and development processes that have been evolving for 20+ years. You know, the guys that defined Six Sigma and ITIL. It’s a much different world there. Due to heavyweight processes and the burden of history and politics these shops tend to put out higher quality, more conservative products far less often than their smaller, more agile but less stable brethren. “Cowboy coders” don’t do too well in this kind of environment.
But it’s easy to see why Mr. Nayar holds his opinions, given the sort of development projects that are typically outsourced. Smaller companies usually outsource maintenance of that dazzling and rapidly developed (read “quick and dirty”) code. Larger companies usually outsource long term maintenance or conversion of legacy code. Arguably tasks that really shouldn’t be done at all, but almost invariably work that will be discarded as soon as it’s practical. In other words nothing critical or complex.
I’m certainly not implying that the developers who work for the outsourcing vendors are incompetent, it’s just the nature of outsourcing development. Essentially what you have is a contract that states “we will do precisely this coding for precisely that amount of compensation“. It’s the “precisely this coding” part that is the devil’s abode. It has been my experience that outsourcers will do exactly what you specify. No more, no less. If you are even the slightest bit vague or make assumptions about existing knowledge or skills there will be much unpleasantness often leading to project failure. Your project that is. The outsourcer still gets paid.
Another experience I’ve had with off-shore outsourcing induces hilarity with respect to Mr. Nayar’s Utopian view of software development team spirit in emerging markets. I was working for a large corporation that had outsourced the maintenance of a legacy system to an off-shore organization (in Bangalore if you must know) while I was busy working on replacing that system (a system that supported ITIL change management if you must know). I trained six (count ’em – 6) different project leads over the course of six months to do this maintenance because almost as soon as each was trained they took another position with another outsourcing vendor for higher pay. I finally gave up on the outsourcing before anything was ever really accomplished. Other than providing training to some smart folks that allowed them to get better gigs. To paraphrase Kurt Cobain, it certainly smells like team spirit to me.
But back to Neil’s question, Can it be that we’re too in love with the hacker ideal of the 1980s to produce programmers who are truly prepared for today’s real-life business environment?
I would submit that unless you are a hacker you won’t be prepared for today’s real-life business environment. Yes, even in large organizations. Did I mention that I work for a large corporation and that it is precisely this hacker ethic, thinking outside the box, trying to understand how everything works and most importantly how everything can be broken and exploited, that is a large part of my job as Advisory Software Engineer? But it is also true that if you are strictly a hacker, you limit your abilities as a software engineer. Note again that my education is in Electrical Engineering (as opposed to Computer Science) and that I’m certified in ITIL fundamentals (among other things). The point is that this isn’t an either-or proposition. You must be both a competent engineer and a hacker. If you rely strictly on your education to inform your development, you will be doing on-the-job retirement real fast. You need that hacker ethic to drive you to try crazy stuff, stuff that average developers don’t think of. And you will need that hacker ethic to figure out how that new technology really works, as opposed to how it’s advertised to work. Whether you are in Denver, Bangalore, Beijing, Sao Paulo or Cape Town. Then if you work for some doofus like Mr. Nayar, you can always walk across the street and get something better once you get enough experience. On his dime. And how sweet is that.
Last Chance for a Stolen Laptop
I came across this interesting little program that might act as a last resort if your laptop gets stolen. While it is certainly no substitute for full disk encryption, which is what you should really be using to protect your data, I recognize that there are some situations where you cannot use full disk encryption. Like say when your employer refuses to allow you to install something on their hardware that would prevent them from accessing the data thereon. If that’s the case then while you are attempting to drag them into the 21st century you should give Prey a shot.
Prey helps you find your stolen laptop by sending timed reports to your email with a bunch of information of its whereabouts. This includes the general status of the computer, a list of running programs and active connections, fully-detailed network and wifi information, a screenshot of the running desktop and — in case your laptop has an integrated webcam — a picture of the thief. Prey can use a web URL to check if it should generate and send the report, so you have a way of remotely alerting the program whenever your laptop disappears. It can (and should) be run as root so it doesn’t depend on an active user session to run, but only on a successful boot.
You may be thinking “but what’s the point of this program if the guy will probably just format the thing right away?” and you’re completely right. However, experience shows that thieves tend to look in stolen computers for valuable information, so there’s actually a chance you can catch the guy (and there’s even some successful cases!).
The best part about Prey is that it runs on Mac OS/X, Linux and Windows, is Open Source licensed under GNU Public Licence v3.0 and is completely free. As in free speech and free beer. So it won’t cost you a thing to try it out.
But as I mentioned before, if it’s portable it should be encrypted. Period. If your employer is balking turn them on to TrueCrypt, another open source and free multi-platform software package. If they insist on paying then they can get PGP Desktop. In the meantime use something like Prey.
Your Online Shadow
My ghost likes to travel so far in the unknown
My ghost likes to travel so deep into your space
from “Growing Up” by Peter Gabriel
Almost everyone these days has an online persona. A shadow identity or ghost of our physical selves. Not to get too metaphysical, that’s just what happens courtesy of Google when you decide to have a Facebook, LinkedIn or MySpace page or blog or even Twitter, all the while allowing us to reach unimaginably large audiences with our self-generated content. According to Security Bloggers Network member Martin McKeay’s web page counter his Network Security Blog has received over 24000 hits in a single day. The blog has 3221 subscribers through Feedburner. Certainly the average internet user is not nearly as well known, followed or prolific as Martin (aka “Captain Privacy”), but neither are they invisible. Laura Spencer in this article for the FreelanceFolder has this to say about your online shadow.
A couple of times every month I browse on over to Google and search for my own name to see what the results will bring. After I’ve done that, I type in the name of my website and run the search engine again.
Checking your online reputation like this is something that every freelancer should do on a regular basis. I wouldn’t recommend stopping with Google, either. You should also check on Twitter and on other social media sites. While it might seem vain to search for yourself online, it’s actually an important step in protecting your online reputation. If you do business online, then you should not only be checking on but also working to protect and manage your online reputation.
What You Can Learn From Your Online Reputation
Every time you search for your own name on Google or Twitter, you can learn several important things:
- What people are saying about your business. If you have an unhappy customer, it’s possible they won’t express that dissatisfaction to you. Instead, they may blog about their dissatisfaction or comment negatively about your work on other sites. Sometimes, untruths and misinformation are spread about your company online without your knowledge.
- Whether your work is being used without permission. As a freelance writer, my work is often “scraped” by plagiarists and used on other sites without my permission. Many plagiarists are careless about stealing my work — often my name remains with the piece. A quick search can turn up my articles on sites that I never submitted them to.
- Whether someone else is using your personal or business name. As a freelancer, your name and your business name are important. But, are you the only one using your name? With a few quick searches, you can determine who is using your name online. If another individual or business has the same name, how are they using that name? Do they appear to be reputable?
This same advice is particularly applicable to high school or college students who utilize Web 2.0 as a major source of self expression and communication with friends. I saw a documentary about teens and social networking [I can't remember where - I'll post a follow up when I do] wherein a high school girl was bemoaning the insensitivity of her parents who had [gasp!] forced her to reveal her MySpace password. Presumably so they could monitor her activities. The primary complaint with this intrusion into her privacy was that MySpace was a “private place where she and her friends could express themselves freely”. Okay… About all I can say to that is that she had better hope that her parents do a really good job of censorship now or she may have a rude awakening when potential employers, years later after college, discover all that wicked cool [to a teenager] stuff that she posted. And her friends posted. And her ex-friends posted. This could get ugly.
Gina Trapani has this article in Lifehacker all about how you can monitor your online shadow in a fairly automated way.
You already know how well your name Googles affects how strangers and potential employers find and perceive you. Short of Googling yourself every week, how do you keep tabs on your name or your product or company’s Google-ability? Most search engines offer feeds of their results, but compiling them one by one is a time-consuming pain in the tuckus. Using a simple tool called MonitorThis, you can get ego search results from over 22 engines into your newsreader in one shot.
Since Google’s not the only game in town, you might want a more comprehensive look at where your keyword appears on the net, across blogs, photo search sites and more. MonitorThis is a simple web page that can construct a subscription list of search result feeds in one click. MonitorThis includes results from Technorati, MSN News, Flickr, Yahoo and MSN, among others.
What MonitorThis does is construct an OPML file which you can import to your newsreader.
The article includes step-by-step instructions on exactly how you would set this up. Adam Pash in this Lifehacker article has yet another idea for tracking your not-so-elusive online shadow if you are a Twitter user.
In a post-Twitter world, you can also use something like TweetDeck to create a persistent Twitter search to keep track of what’s being said about you online. (For example, we keep a fairly close eye on what people are saying about Lifehacker this way, so that if people are having issues with the site or complaints with a post, we can address them as necessary.)
Remember, the first step is realizing that you have an online shadow and that like Peter Gabriel, your ghost likes to travel so far into the unknown. You can’t control how far it travels, but you can guide it. Or at least find out what trouble it has got itself into on the way.
Canary for your address book

The other day my mom got one of those “send this advice to everyone you know” emails promoting an idea to keep your PC from becoming a spambot. Here is the pertinent text.
As you may know, when/if a worm virus gets into your computer it heads straight for your email address book, and sends itself to everyone in there, thus infecting all your friends and associates.
This trick won’t keep the virus from getting into your computer, but it will stop it from using your address book to spread further, and it will alert you to the fact that the worm has got into your system. Here’s what you do:
First, open your address book and click on ‘new contact,’ just as you would do if you were adding a new friend to your list of email addresses.
In the window where you would type your friend’s first name, type in ‘A’.
For the screen name or email address, type AAAAAAA@AAA.AAA. Now, here’s what you’ve done and why it works:
The name ‘A’ will be placed at the top of your address book as entry #1. This will be where the worm will start in an effort to send itself to all your friends. When it tries to send itself to AAAAAAA@AAA.AAA, it will be undeliverable because of the phony email address you entered. If the first attempt fails (which it will because of the phony address), the worm goes no further and your friends will not be infected. Here’s the second great advantage of this method:
If an email cannot be delivered, you will be notified of this in your In Box almost immediately. Hence, if you ever get an email telling you that an email addressed to AAAAAAA@AAA.AAA could not be delivered, you know right away that you have the worm virus in your system. You can then take steps to get rid of it! Pretty slick huh? If everybody you know does this then you need not ever worry about opening mail from friends.
Now despite the “as you may know” prelude, the bulk of this advice is bogus. Unless of course you happen to have an older Windows box that just happens to get infected by the lamest old script-kiddie virus imaginable. But the emphasized [by me] bit reminded me of some actual good advice in this article entitled Create Canary Accounts In Any Database You Have on the BelSec blog.
The first is to create “canary” accounts. Create accounts that have e-mail addresses, like “something-really-long-xyz-123@gmail.com”. This account is not going to get any spam e-mail. When it does get its first spam, you’ll know that it came from your database. When I create recommendations for clients, this is always one of the first things I suggest. (Likewise, if you are an e-commerce site, you should get dummy credit cards that only exist in your database). This won’t stop you from getting hacked, but it will at least tell you when a hack has happened.
So about now you might be wondering what exactly is a “canary account”. The idea is taken from the old expression “Canary in a coal mine” where allegedly miners kept caged canaries in the mines as an “early warning device.” If the air was bad enough to kill the canary, it would soon be bad enough to kill people. The canaries were more sensitive to the deadly fumes. So their dying would warn the miners to get out. I’m not a miner, but I do have birds (two Cockatiels named Sydney and Walter) so I do know that this is a plausible story. But I digress. So a canary account has one purpose – if it ever gets any email then you know something is wrong. Therefore back in the original message about address book entries, the idea of a bogus entry in the address book that will cause failures and presumably notifications of same is almost but not quite a canary account.
What you should do instead is apply the advice from the BelSec guys and create an actual valid canary email account or alias. The trick is to never, ever use this canary address for anything except detection. In the case where you want to know whether your PC is infected with some kind of worm or virus that propagates via your address book, then you would simply put the canary account address in your address book. If that account ever receives any email, then you know something is amiss. It’s a lot more reliable than hoping you catch bounces from a bogus address.
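As an added example (not from the BelSec article or this post), here is the detection side of a canary account in Python: one canary address per data store, derived from a secret with HMAC so the addresses are unguessable yet reproducible, and a scanner that reads raw mail messages and reports which canary was hit, which tells you which copy of the data leaked. The example goes slightly beyond the quoted advice by tagging each canary with the store it watches; the secret, the store names, example.com and the three sample messages are all constructed for this example.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses


def make_canary(store: str, secret: bytes, domain: str = "example.com") -> str:
    """Derive an unguessable but reproducible canary address for one data store,
    so the mapping can be regenerated from the secret instead of being stored
    next to the data it watches."""
    tag = hmac.new(secret, store.encode(), hashlib.sha256).hexdigest()[:16]
    return f"canary-{tag}@{domain}"


# Constructed for this example: the secret would normally live outside the
# database, and example.com stands in for a domain you control.
SECRET = b"demo-secret-do-not-reuse"
STORES = ["customer CRM export", "newsletter list", "Mom's address book"]
CANARIES = {make_canary(s, SECRET): s for s in STORES}


def canary_hits(raw_messages) -> list:
    """Parse raw RFC 822 messages and report every one addressed to a canary
    in To, Cc or Delivered-To, together with the store that canary watches."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        headers = []
        for field in ("To", "Cc", "Delivered-To"):
            headers.extend(msg.get_all(field, []))
        recipients = {addr.lower() for _, addr in getaddresses(headers) if addr}
        for canary, store in CANARIES.items():
            if canary in recipients:
                hits.append({"store": store, "canary": canary,
                             "from": msg.get("From", ""),
                             "subject": msg.get("Subject", "")})
    return hits


# Constructed mailbox: one normal message, one spam to the CRM canary, and one
# worm-style forward whose Cc list was lifted from the address book.
_CRM = make_canary("customer CRM export", SECRET)
_BOOK = make_canary("Mom's address book", SECRET)
SAMPLE_MAILBOX = [
    "From: friend@example.net\nTo: me@example.com\nSubject: lunch?\n\nStill on for Friday?\n",
    f"From: deals@cheap-pills.invalid\nTo: {_CRM}\nSubject: AMAZING OFFER\n\nbuy now\n",
    "From: me@example.com\nTo: friend@example.net\n"
    f"Cc: Aunt Jo <jo@example.org>, {_BOOK}\nSubject: Fwd: important\n\nopen the attachment\n",
]

if __name__ == "__main__":
    for hit in canary_hits(SAMPLE_MAILBOX):
        print(f"canary for '{hit['store']}' tripped by {hit['from']}: {hit['subject']}")
```

Point the scanner at the canary mailbox (or at a mail log) on a schedule; any hit at all is the signal, and the store name in the hit tells you where to start looking.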
So Mom, the real valid advice here is to create a canary account and put it in your address book. But definitely do not spam everyone in your address book with that bit of wisdom. Instead send a link to this blog entry. I don’t mind the traffic.
Moving on

“à tout le monde, à tous mes amis, je vous aime, je dois partir”
“To everyone, to all my friends, I love you, I must leave”
“A Tout Le Monde” by Dave Mustaine (Megadeth)
Although I’ve always kept my employer anonymous in this blog, a fair number have guessed that in real life I work for none other than Alan Shimel at StillSecure where I’ve been primarily developing the Safe Access NAC product. Until now. Next week I’m starting at a new position with another company. A large enterprise imaging company who will remain anonymous so as not to be compromised by my rants and ramblings here. Don’t worry, Security For All will continue. I’ll just have different security issues to rant about.
But before I leave StillSecure I’d like to acknowledge, and share, what a great experience it’s been to work here. Without a doubt the most brilliant engineers and scientists I have ever encountered, were encountered at StillSecure. It has been a humbling and often intimidating experience for me. Yeah, I know I just used “humbling” and “me” in the same sentence. But it’s true. It’s also been the wildest ride in terms of hard core learning and experience that I’ve ever been on. Like drinking from a fire hose. Every single day. With the result that when I accurately represent my StillSecure work experience on a resume folks assume it’s padded. And I’m not alone. In truth I’m pretty average for talent at StillSecure. To be clear, this move is definitely not due to any problems betwixt myself and StillSecure. On the contrary, working here has opened up new career opportunities for me. One of which was just too good not to take.
So to set the record straight and in homage to one of my favorite TV shows, Mythbusters, I’d like to address some myths and rumors about StillSecure. So without further ado…
Myth: StillSecure is not doing well.
If by “not doing well” you mean growing the business in terms of both revenue and product offerings while keeping costs low and winning prestigious industry awards all during the worst economy since the Great Depression, then I guess you’re right. Seriously though, StillSecure is not only surviving but thriving. And congrats to CEO Rajat Bhargava who is a finalist for the Ernst & Young Entrepreneur Of The Year® 2009 Award for the Rocky Mountain Region.
BUSTED!
Myth: StillSecure is a tiny code monkey sweatshop with Dilbert-esque cubicles in a dark warehouse.
Actually there are no cubicles at StillSecure, rather a “bullpen” arrangement that facilitates agile development. The execs and admins use the same arrangement. Right now I’m sitting at my desk, looking out the window (actually a whole wall of windows) onto the front range of the Colorado Rockies. The StillSecure offices are in Superior, Colorado, located approximately half way between Denver and Boulder on highway 36. On the upper floor above “Old Chicago” [restaurant], “Super Joe” [coffee shop] and “Superior Liquor” [booze]. That just about covers all the major food groups. I’m trying hard to imagine a more beautiful place to work. Sorry, I can’t.
BUSTED!
Myth: McAfee/Symantec/SomeOtherBigSecurityCompany is waiting for StillSecure to tank so they can get the technology at fire sale prices.
If this is true, then like Rudyard Kipling’s Elephant’s child who was waiting for his nose to shrink back to normal after being stretched into a trunk by the Crocodile on the banks of the great grey-green, greasy Limpopo river, they will have to wait a long time. Also they might want to let the senior sales guy, who just had his best quarter ever in Q1, and looks to beat that in Q2 in on the secret. Or they might want to watch their backs.
BUSTED!
Myth: Alan Shimel is now kinder, gentler and less profane than the notorious Alan “I hafta call BS on that” Shimel of the past.
Okay, you got me. This really is a myth. In real life he’s, well, Alan. Don’t try to BS him. But he is kind to many if not most children, dogs and salesmen.
BUSTED!
So there you have it. I’ll end by thanking Alan Shimel and Mitchell Ashley (no longer at StillSecure but still Alan’s co-host of the StillSecure, After All These Years podcast) for hiring me at StillSecure and encouraging me to blog. And all of my colleagues at StillSecure. This experience has been truly outstanding.
So long and thanks for all the fish.
Low tech information disclosure in Boulder
Here’s a data breach in progress story from right here in Colorado. In the People’s Republic of Boulder to be exact. I can say that – I live here. Anyway the Boulder Daily Camera reports it like this.
BOULDER, Colo. — Police have chained up 10 recycling bins outside Boulder’s now-defunct Anderson Kia car dealership after learning that the bins were stuffed with personal information from the dealership’s former customers.
All of the folders contained Social Security numbers, driver’s license information, photos, phone numbers and financial information for Kia customers.
Come on guys. Ever hear of a paper shredder? You might at least have attempted to sell the info or use it yourselves for nefarious purposes. Then we’d know you were crooks. Rather than just morons.
Law School network FAIL
So the other day my future daughter-in-law has this bizarre incident with her email account at the University of Maryland at Baltimore (Go Terps!) School of Law. Seems that she got one of those “time to change your password” messages, so like any tech savvy person who has been indoctrinated (and browbeaten) by me she chooses a good strong password. System seems to take it okay, only it’s obvious several days later, when she isn’t getting any email, that something is wrong. So she calls the IT support guys who determine that the root of the problem is that their email system doesn’t like her new password. Apparently this antique system allows only 8-character passwords with only alphanumeric characters, so clearly her 14-character password of alphanumeric and special characters won’t work. Specifically, the system really can’t deal with the semicolon character she used. Say what??!! Whoa dudes – party like it’s 1990! It gets better.
After recovering from the initial shock she asks them to reset the password and she’ll try to come up with a new one using the standards in place when she was a toddler. Sorry, says the IT support guy, but this will require “code changes” and since this is the weekend, that guy won’t be in until Monday. Eventually they decide to call the mystery email coder in to make the changes that will fix the problem. So four hours later she has a brand spanking new classic, eminently hackable password for her main law school account.
So where do I even start with a debacle of this magnitude? How about with a disclaimer. My son, who as you might guess also goes to UMB law school, tells me that UMB’s network is completely separate from and vastly superior to the law school’s network. So with that out of the way, where in the world did they find a POP server that lame? Coding? Give me a break, I’ll chalk that up to untrained and marginally functional tech support. Given the environment I’d imagine a student work study (read slave labor) gig. As for the 4-hour fix, I’m guessing 3 hours and 45 minutes to get onsite, 5 minutes to reset the password and 10 minutes to write the notification. All in all not a stellar performance.
But herein lies the real problem. Given that this is a law school, all of those pissed off students who will be compromised when their data is lost in the coming breach will be lawyers. I’m thinking that’s a pretty big risk of litigation. Also one can only assume that the overall network, including the law school WiFi net, is as secure and well managed as the email server. Actually I have it on good authority that this is in fact the case. Holy pending lawsuit, Batman!
So let me end this with a plea to the security group that meets at the Barnes and Noble in Inner Harbor to make an attempt to save these jokers from themselves. Unless of course you are sniping that free WiFi. And reading juicy emails from law students.
Keeping those apps updated
On the heels of Microsoft’s last Security Intelligence Report there have been a number of articles like this one on vnunet.com positing that applications rather than the OS (read Microsoft) are the primary culprits for software vulnerabilities.
Research by vulnerability specialist Secunia suggests that third-party applications are increasingly being used by malware writers in preference to using operating system attacks.
The Danish company said that data from its free Personal Software Inspector (PSI) tool showed that there were far more unpatched applications than operating systems among users. Furthermore, application patches were left open to abuse for far longer than operating system patches.
While I’m certainly not convinced that this lets OS vendors – and yes this includes Apple as well as Microsoft – off the hook, it definitely points out a serious problem: how do you keep all of your software patched? Not just the OS. The approach that pretty much all Windows users have grown to accept is to run the updater services that come with each package they install in addition to the OS updater. There are significant problems with this approach. There are frequently clashes between the different vendors’ updater programs, not to mention that they consume system resources and are generally not terribly stable. As if these weren’t bad enough, the bottom line is these updater programs – including OS updaters – only patch security problems as a side effect. Let’s be real here, the primary purpose of update programs is not to make the end user more secure – it’s to cover the vendor’s booty and to grab more booty from the end user by pushing new features, applications and services.
Back when I was building highly available UNIX software, a patch meant “the smallest change possible to fix a specific problem”. If you weren’t seeing that specific problem, then you didn’t install the patch. In addition a patch NEVER, EVER introduced new functionality. Period. Now certainly this led to problems of its own, like an explosion of patches and extremely complex mechanisms for determining which patches should be applied, but it also led to systems that were stable and highly available. Systems that were not shut down or restarted for years. That is certainly not the case nowadays with personal computers. We’ve been convinced – mostly by OS vendors – that we should accept every update they choose to push to us. Without question. In fact the default (recommended) behavior in Windows Vista is to automatically install all updates that Microsoft deems “important”. Stuff like “Microsoft Genuine Advantage Validation Tool” (what user isn’t dying to have this on their machine?). Stuff that reboots your machine – automatically (hey – it’s Windows, we’re totally used to that). And application vendors can be even worse. Who hasn’t ended up with a copy of “Adobe Photoshop Album Starter” on their system with no idea what they would ever use it for. And don’t even get me started on Real. The point is that if what you want is to keep your personal computer secure without additional bloatware, crapware, superfluous features and the instability introduced by same, vendor provided update software will not get you there. Or even near there.
I’m a long time user and huge fan of Secunia PSI. I have it installed on all of my Windows machines because it actually addresses this problem of how to keep your applications and the OS patched. Without having to run multiple update services. Or even Microsoft update. How does it perform this amazing feat? First off, Secunia is primarily a security research company. They make a living by finding and cataloging software vulnerabilities. They also sell a corporate version of their Software Inspector, but in general they have no financial stake in end users buying the latest, greatest versions of any particular software. The Secunia company jewels are the research and associated database of vulnerabilities that they can cross reference to specific updates that will fix those vulnerabilities. Essentially Secunia PSI works like this: it scans your system for software that it knows about (a real scan, not just a registry scan) and looks up those packages in the Secunia database, reporting on vulnerable software it finds. It works on a pull rather than push model (i.e. you pull down their database info, you don’t push your software inventory to them). So rather than having Adobe or Microsoft notify you to download an update just because there is one, PSI will only notify you if there is a known vulnerability in your software and specifically which update will fix it. The best part is that it knows about all of the software installed on your system – not just the most recent version according to “Add Remove Programs”. A PSI scan of my wife’s laptop discovered three (count ‘em – 3) different and vulnerable versions of Apple Quicktime. Apparently several programs had installed their own private version of Quicktime and never registered it. I’ve seen similar situations with Java and Flash.
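The pull-model inspection described above, sketched as an added example (not Secunia’s code): it walks a directory tree, fingerprints every copy of a known product it finds whether or not it was ever registered, and checks each copy against a locally held advisory table. The advisory entries and fix ids are constructed placeholders, and the version is read from an assumed sidecar “.version” file standing in for the PE version resource.

```python
"""Pull-model software inspector (added example, not Secunia's code): walk a
tree, fingerprint every copy of a known product (registered or not) and check
each against a locally held advisory table (constructed data, see below)."""
import os
import tempfile
from dataclasses import dataclass
# Constructed advisory table; fixed_in versions and fix ids are hypothetical.
ADVISORIES = {
    "quicktimeplayer.exe": {"fixed_in": (7, 6, 4), "fix": "HYPOTHETICAL-QT-FIX"},
    "java.exe": {"fixed_in": (1, 6, 0, 15), "fix": "HYPOTHETICAL-JRE-FIX"},
}
@dataclass
class Finding:
    path: str
    version: tuple
    vulnerable: bool
    fix: str  # empty when the copy is already at or above fixed_in
def parse_version(text):
    """'1.6.0_15' -> (1, 6, 0, 15); non-numeric fields are dropped."""
    return tuple(int(p) for p in text.strip().replace("_", ".").split(".") if p.isdigit())
def scan(root):
    """One Finding per copy of a known product under root, sorted by path.
    Version is read from a sidecar '<file>.version' text file, an assumed
    stand-in for the PE version resource a real inspector would parse."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            adv, path = ADVISORIES.get(name.lower()), os.path.join(dirpath, name)
            if adv is None or not os.path.exists(path + ".version"):
                continue  # unknown file, or nothing to fingerprint it with
            with open(path + ".version") as f:
                version = parse_version(f.read())
            vulnerable = version < adv["fixed_in"]
            findings.append(Finding(path, version, vulnerable, adv["fix"] if vulnerable else ""))
    return sorted(findings, key=lambda f: f.path)
def demo():
    """Constructed tree: one patched QuickTime, two private copies bundled by
    other programs (never registered) and a patched JRE. Returns scan(root)."""
    root = tempfile.mkdtemp()
    layout = {"Program Files/QuickTime/QuickTimePlayer.exe": "7.6.4",
              "Program Files/PhotoApp/qt/QuickTimePlayer.exe": "7.5.5",
              "Program Files/VideoTool/QuickTimePlayer.exe": "7.4.1",
              "Program Files/Java/jre6/bin/java.exe": "1.6.0_15"}
    for rel, ver in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()  # the "binary" itself; contents are irrelevant here
        with open(path + ".version", "w") as f:
            f.write(ver)
    return scan(root)
```

Running demo() reports four copies, of which only the two bundled QuickTime copies are flagged, which is exactly the case a registry-only check misses.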
So now I run Secunia PSI on my Windows boxes – real and virtual – instead of a separate updater for every piece of software I own. Now if Secunia would only come out with a Mac version of PSI I’d be a happy camper. Or at least a marginally less snarky camper. So update your Windows systems intelligently. Don’t just be a stooge for the software vendors. Give Secunia PSI a shot. You’ll be glad you did. And your system will be much happier. And more secure.