Keeping those apps updated

On the heels of Microsoft’s last Security Intelligence Report there have been a number of articles like this one on positing that applications rather than the OS (read Microsoft) are the primary culprits for software vulnerabilities.

Research by vulnerability specialist Secunia suggests that third-party applications are increasingly being used by malware writers in preference to using operating system attacks.

The Danish company said that data from its free Personal Software Inspector (PSI) tool showed that there were far more unpatched applications than operating systems among users. Furthermore, application patches were left open to abuse for far longer than operating system patches.

While I’m certainly not convinced that this lets OS vendors – and yes this includes Apple as well as Microsoft – off the hook, it definitely points out a serious problem: how do you keep all of your software patched. Not just the OS. The approach that pretty much all Windows users have grown to accept is to run the updater services that come with each package they install in addition to the OS updater. There are significant problems with this approach. There are frequently clashes between the different vendors updater programs, not to mention that they consume system resources and are generally not terribly stable. As if these weren’t bad enough, the bottom line is these updater programs – including OS updaters – only patch security problems as a side effect. Let’s be real here, the primary purpose of update programs is not to make the end user more secure – it’s to cover the vendor’s booty and to grab  more booty from the end user by pushing new features, applications and services.

Back when I was building highly available UNIX software, a patch meant “the smallest change possible to fix a specific problem“. If you weren’t seeing that specific problem, then you didn’t install the patch. In addition a patch NEVER, EVER introduced new functionality. Period. Now certainly this led to problems of it’s own like an explosion of patches and extremely complex mechanisms for determining which patches should be applied, but it also led to systems that were stable and highly available. Systems that were not shutdown or restarted for years. That is certainly not the case nowadays with personal computers. We’ve been convinced – mostly by OS vendors – that we should accept every update they choose to push to us. Without question. In fact the default (recommended) behavior in Windows Vista is to automatically install all updates that Microsoft deems “important”. Stuff like “Microsoft Genuine Advantage Validation Tool” (what user isn’t dying to have this on their machine?)  Stuff that reboots your machine – automatically (hey – it’s Windows we’re totally used to that). And application vendors can be even worse. Who hasn’t ended up with a copy of “Adobe Photoshop Album Starter” on their system with no idea what they would ever use it for. And don’t even get me started on Real. The point is that if what you want is to keep your personal computer secure without additional bloatware, crapware, superfluous features and the instability introduced by same, vendor provided update software will not get you there. Or even near there.

I’m a long time user and huge fan of Secunia PSI. I have it installed on all of my Windows machines because it actually addresses this problem of how to keep your applications and the OS patched. Without having to run multiple update services. Or even Microsoft update. How does it perform this amazing feat? First off, Secunia is primarily a security research company. They make a living by finding and cataloging software vulnerabilities. They also sell a corporate version of their Software Inspector, but in general they have no financial stake in end users buying the latest, greatest versions of any particular software. The Secunia company jewels are the research and associated database of vulnerabilities that they can cross reference to specific updates that will fix those vulnerabilities. Essentially Secunia PSI works like this: it scans your system for software that it knows about (a real scan, not just a registry scan) and looks up those packages in the Secunia database, reporting on vulnerable software it finds. It works on a pull rather than push model (i.e. you pull down their database info, you don’t push your software inventory to them). So rather than having Adobe or Microsoft notify you to download an update just because there is one, PSI will only notify you if there is a known vulnerability in your software and specifically which update will fix it. The best part is that it knows about all of the software installed on your system – not just the most recent version according to “Add Remove Programs”. A PSI scan of my wife’s laptop discovered three (count ’em – 3) different and vulnerable versions of Apple Quicktime. Apparently several programs had installed their own private version of Quicktime and never registered it. I’ve seen similar situations with Java and Flash.

So now I run Secunia PSI on my Windows boxes – real and virtual – instead of a separate updater for every peice of software I own. Now if Secunia would only come out with a Mac version of PSI I’d be a happy camper. Or at least a marginally less snarky camper. So update your Windows systems intelligently. Don’t just be a stooge for the software vendors. Give Secunia PSI a shot. You’ll be glad you did. And your system will be much happier. And more secure.

Security ideas for your mom part 2

Let’s recap shall we?

Mom wants to get online to read email, surf the web and Google stuff that you don’t even want to know about. We’ve already presented 4 ideas – which essentially boil down to 2 themes:

  • Use Common Sense
  • Know how to use your stuff

Okay, now we’re ready to get serious and specific about helping mom manage the risks of her internet behavior. So let’s look a little closer at each of the things mom wants to do:

Send and receive email – This will clearly require an email client, but what else? Well, let’s assume that mom wants to check out pictures of you and your significant other frolicking in the surf on your last vacation. And of course there’s Uncle Edgar who sends out those swell PowerPoint presentations and Aunt Thelma who sends MP3s of the latest hymns (at least that’s what mom says they are). So far all of this  can be handled by any personal computer (and most cell phones) running any OS with either built in or free add on software.

Email risks fall into 2 categories, cyberfraud (e.g. phishing scams) and attachment-borne malware (e.g. worms or trojans embedded in attachments). While there are virus scanners that can scan your email for malware attachments, these will never sufficiently mitigate the threat without a judicious application of the first 4 ideas. Unfortunately almost all cyberfraud is undetectable by virus scanners, simply because there is nothing wrong with the email format or data itself. The fraudster relies on the recipient to actually take action to fall into the trap. So the only way to mitigate a cyberfraud threat is by using the first 4 ideas. While there are “anti-phishing” mechanisms built into most browsers and some email clients these days, they are useless if you don’t understand them and they are certainly not foolproof.

Surf the web – This is going to require a web browser. Again, any personal computer and most cell phones will come with a web browser sufficient to the task. While the actual choice of browser is mostly a personal taste kind of deal (if there is a choice – which there may not be on a cell phone) some browsers definitely have better security features than others (more on that later).

Web surfing risks include cyberfraud (note that email cyberfraud will almost always utilize some web-based component like a malicious web site that the email links to), downloaded malware (e.g. a trojan embedded in a file you download), malformed images (pictures that are designed with intentional flaws to crash the browser – or worse), malicious active content (all those cute dancing hamsters are really little programs that can actually do worse than just annoy you), leakage of personally identifiable information (e.g. some web sites will collect personal information from you in exchange for some goodie – and then sell it to spammers or phishers) and privacy invasion (e.g. tracking your surfing habits using third-party cookies). The right choice of web browser software and associated “plugins” will go a long way toward mitigating these threats, but again you must apply ideas 1 – 4 to achieve a decent level of threat mitigation. It should be noted that your web surfing habits have a dramatic impact on the risk you incur. Specifically if you intend to visit adult (porn) or warez (pirated software) sites your risk is increased exponentially. Whereas reputable sites like legitimate shopping sites or wikipedia are relatively low risk, a trip to the typical warez site can almost guarantee several of the above threats being real and present. So the moral of this story is don’t even think about stealing software or surfing for porn unless you really know what you are doing and take extreme measures well beyond the scope of what I’m going to tell you about in these posts.

Using search engines – Usually all you need is a browser for this, but almost invariably search engines like Google are way more than just search engines. Google, for example, is an entire suite of web services. They have portals, email, calendar, instant messaging, contacts, office tools and a whole lot more. And they are not alone. Yahoo has similar offerings as does AOL (to some extent). And each and every one of those bad boys wants to install some kind of browser toolbar and desktop application on mom’s computer. My advice is (again see the first 4 ideas) decide on single search provider and use only what you need. Otherwise you will subject yourself to a cornucopia of conflicting crapware. Trust me, it bites wind and mom won’t like it.

Search engine risks include all of the web surfing risks listed above (well Duh! search engines raison d’être is to allow you to surf lots of places really fast). But in addition there is a search engine specific risk of search engine gaming (e.g. a porn site will intentionally embed words like “angels” or “family values” into pages just so the search engines will direct you there when you search for those words). Luckily if you are a firm adherent to the first 4 ideas, this can usually be minimized to simply an annoyance. Also most modern search engines do a pretty good job of filtering out gamed results.

Throughout this post it may seem that (in addition to not adding anything tangible to our list of ideas) I’ve been using the terms risk and threat interchangeably. Just so there’s no confusion let’s go right to the definition of the relationship between them:

Risk management is a structured approach to managing uncertainty related to a threat.

This seems like a logical place to break so we’ll pause here for station identification and finish this up in another post.

Security ideas for your mom part 1

So here’s the scenario:

Your mom wants to get a PC so she can get email, check out those internets and use the google. She’s heard about all the nasty stuff out there like in those commercials with the little old lady speaking with the voice of a biker. So she knows it’s a dangerous world out there on the internets and knows she must get some of that security to protect her. Of course she calls you, since you use that stuff all the time at work. Oh … and she thinks those “I’m a Mac, I’m a PC” commercials are really cute and that a Mac would be great because it doesn’t get any of those nasty viruses.

Sound familiar? Thought so. So what do you tell her? How about, “Gee mom, sounds like what you really need is a good cell phone, not a computer” or “Sure, get a Mac and then you can be stylish while getting pwned“. Problem is, you like your mom and want to help her make the right choice. Other problem is that you also like your significant other and really don’t want to commit to a full-time tech support gig.

What you’ve just encountered is the fundamental problem in personal computer security. For years Bill and Steve have been telling us that a personal computer is an appliance, just like a television or a toaster. That certainly sells lots of PCs and Macs but the problem is that, well, it’s balderdash. Hogwash. Crapola. When you purchase your first computer you discover this right away. Ahh, but not to worry – Uncle Bill (actually Uncle Steve now) has you covered. They’ll automatically push out fixes (to stuff they built wrong!) to keep you safe and secure. Okay… But wait! There’s more! There are many companies out there just dying to help you be more safe and secure who can’t wait to get their hands on your money. So before you know it that spiffy new computer you bought runs like a bloated turtle and you get to pony up annual payments for that privilege. And are you really safe and secure? Maybe. Possibly. Who knows?

So let’s go back to the original question: what is security in this context? What are the risks that your mom will face online and how does she manage them? Can you really “buy security” (or lease it per current business models) to manage these risks? Hang on there, Hoss! You just listen to Uncle Joe before you turn over any of mom’s hard-won dinero. Here is the Joe’s official in order list of security ideas for your mom.

Security Ideas for Mom

  1. Think. Don’t be an idiot. The vast majority of cyber incidents that result in actual damage could have been prevented by a simple smell test. This covers a lot of territory, but basically it comes down to this – use common sense. Obvious stuff like, don’t open email attachments you weren’t expecting or can’t identify. Or if something pops up you don’t understand – find out what it is before you click on it. My friend, a computer novice, recently upgraded to get online. He had all of the stuff you are supposed to have including anti-virus software from a leading vendor (think yellow box). So he gets this browser pop-up while he’s surfing that says “Your computer is infected with a virus!!! Press this button to remove it and make your system safe!!!” So he does. And it does heinous things to his computer, including disabling his spiffy yellow AV. DOH! It’s time to put that PC out of it’s misery and start over. This ugliness could have been prevented had my friend, an otherwise intelligent person, just thought about it for a moment and asked himself one simple question: “does this seem fishy?” (the smell test!). But isn’t that a little harsh? I mean we already established that he’s a computer novice. No, actually, it’s a dandy segue into the next point.
  2. Learn how to use your hardware and software. Or stated in the reverse, don’t use something you don’t understand. What I’m not suggesting here is that mom should become a hacker just so she can check email. Look at it this way: I don’t understand the complete operation of the stability control system in my Honda, but I do know that when the “TPS (Tire Pressure Sensor)” light comes on that I better check and adjust the tire pressure, and if the light doesn’t go off when I’ve done that I should take it in to my local Honda dealer. (Honda – here is an excellent sponsorship opportunity). The point is that you don’t need to be an expert, you just need to know basically how the system works and what it’s trying to tell you. In the example of my friend of #1, Had he known what to expect from his AV software when it encountered a virus, he wouldn’t have been fooled by the phony. If you don’t understand what a program does, then you almost certainly don’t need it. But wait – what about all that stuff that comes with mom’s new computer? Isn’t the point of that to take care of everything so that she doesn’t have to know anything about computers? In a word, NO! The purpose of that stuff – which is mostly crapware – is to sell you more stuff you don’t need. You think the company who manufactured your computer has your best interest at heart? See #1. And once again another dandy segue into the next point.
  3. It’s your computer. You don’t have to run anything you don’t want. Mom needs to show that machine who’s boss – Yeah who’s your mama! The point here is that just because your computer came with XYZ security suite (one month trial!) and your internet service provider gives you ABC security suite (the “lite” version – but for a fee you can get the real version!) you don’t have to use either. Remember – who’s your mama! If you really want to use a security suite then do a little research (see #2) and check out the many excellent free and open source packages. Chances are you can get out of this without parting with more of your dough. But more to the point, choose your computer wisely in the first place. Most folks walk into their local electronics superstore and expect the friendly sales staff to educate them about what they should buy. Duh – see #1. Why not, instead, make the idea of computer as appliance your goal? Lets take this from the top: Mom wants to a. get email, b. surf the web, c. search for information (as translated from the earlier mom-speak). My iPhone does all that and much more. In fact my iPhone does way too much for what mom needs, so she shouldn’t spend the money. My son has a modestly priced smart phone that does everything mom needs. Both phones are totally cool and pretty easy to use and you can turn off stuff you don’t need. And both are quite a bit more like an appliance than your average PC. The idea here is that you should get something that does what you need and only what you need. Also, forget the idea that you should “buy something that you can grow with”. Balderdash. Hogwash. Crapola. Whatever you buy today is going to be landfill fodder in 5 years (actually 3 years if you depreciate it with the IRS). There is no rule that says you must be able to read email, surf the web, chat with your friends, edit photographs, make music and produce movies all on the same device. Despite what the commercials say. See #1. In fact, let me assure you as a semi-serious electronic music producer, I definitely do not want my studio machine to be surfing the web. Remember – who’s your mama! Yeah I have multiple machines. One to do email and internet-related stuff and, well, lots of others to do other stuff (I admit it – I’m a geek). But my email and internet box is old (like 8 years old!) and cheap and it does it’s one job really well. Just like a toaster. Don’t be afraid to look into a mini laptop. These babies are small, cheap and will do everything mom needs. So on to the next idea (which is really a corollary to #1). Sorry lame segue this time.
  4. Your friends are clueless. Sad but true. When mom starts getting email she will no doubt have friends and relatives who think that chain letters really do bring good luck and/or prosperity and everyone they know should be alerted to the latest (to them) internet jokes and inspirational (why are angels supposed to be inspirational?) ravings. These well meaning folks will grab onto an internet hoax or urban legend and spam every one they have ever known with it. Some of these will turn out to be phishing scams, or “manual malware” (e.g. “to defeat this evil virus that no AV software can detect remove the KERNEL.SYS file“). Bottom line is, mom should seriously suspect any content she receives from these lovable – but clueless – folks. Especially when they state “you must see this adorable …” – no you must not. But just in case mom refuses to believe that Aunt Helen would ever send her something nasty. I know this guy in Nigeria who really needs to get a bunch of money out of the country and he’s willing to cut someone in if they’ll help him.

So before this post gets (even more) out of hand, notice that these first – and most important – four ideas have nothing to do with which anti virus software is best, or whether Macs are more secure than PCs. They are about common sense. Which isn’t all that common. I’ll actually get into addressing specific risks when “Security ideas for your mom” continues in another post.