Is Security Research Always Useful?

Anyone involved in the computer industry likely spends some amount of time reading about the latest security issues in books such as Security for Web Developers. Administrators and developers probably spend more time than many people, but no one can possibly read all the security research available today. There are so many researchers looking for so many bugs in so many places and in so many different ways that even if someone had the time and inclination to read every security article produced, it would be impossible. You’d need to be the speediest reader on the planet (and then some) to even think about scratching the surface. So, you must contemplate the usefulness of all that research—whether it’s actually useful or simply a method for some people to get their name on a piece of paper.

Some of the attacks require physical access to the system. In some cases, you must actually take the system apart to access components in order to perform the security trick. Unless you or your organization is in the habit of allowing perfect strangers physical access to your systems, which might include taking them apart, you must wonder whether the security issue is even worth worrying about. You need to ask why someone would take the time to document a security issue that’s nearly impossible to see, much less perform in a real world environment. More importantly, the moment you see that a security issue requires physical access to the device, you can probably stop reading.

You also find attacks that require special equipment to perform. The article, How encryption keys could be stolen by your lunch, discusses one such attack. In fact, the article contains a picture of the special equipment that you must build to perpetrate the attack. It places said equipment into a piece of pita bread, which adds a fanciful twist to something that is already quite odd and pretty much unworkable given that you must be within 50 cm (19.6 in) from the device you want to attack (assuming that the RF transmission conditions are perfect). Except for the interesting attack vector (using a piece of pita bread), you really have to question why anyone would ever perpetrate this attack given that social engineering and a wealth of other attacks require no special equipment, are highly successful, and work from a much longer distance.

Another example of incredibly weird security research is found in the article, When the good guys are wielding the lasers. I have to admit it’s interesting in a James Bond sort of way, but we’re talking about lasers mounted on drones. This attack at least has the advantage of distance (1 km or 0.6 mi). However, you have to wonder just how the laser was able to get a line of sight with the attack object, a printer in this case. If a device is critical enough that someone separates it from the Internet, it’s also quite likely that the device won’t be sitting in front of a window where someone can use a laser to access it.

A few research pieces become more reasonable by discussing outlandish sorts of hacks that could potentially happen after an initial break-in. The hack discussed in Design flaw in Intel chips opens door to rootkits is one of these sorts of hacks. You can’t perpetrate the hack until after breaking into the system some other way, but the break-in has serious consequences once it occurs. Even so, most hackers won’t take the time because they already have everything needed—the hack is overkill.

The articles that help most provide a shot of reality into the decidedly conspiracy-oriented world of security. For example, Evil conspiracy? Nope, everyday cyber insecurity, discusses a series of events that everyone initially thought pointed to a major cyber attack. It turns out that the events occurred at the same time by coincidence. The article author thoughtfully points out some of the reasons that the conspiracy theories seemed a bit out of place at the outset anyway.

It also helps to know the true sources of potential security issues. For example, the articles, In the security world, the good guys aren’t always good and 5 reasons why newer hires are the company’s biggest data security risk, point out the sources you really do need to consider when creating a security plan. These are the sorts of articles that should attract your attention because they describe a security issue that you really should think about. Likewise, reading articles such as, Software developers aren’t implementing encryption correctly and 4 fatal problems with PKI helps you understand why your security measures may not always work as well as anticipated.

The point is that you encounter a lot of information out there that doesn’t help you make your system any more secure. It may be interesting if you have the time to read it, but the tactics truly aren’t practical and no hacker is going to use them. Critical thinking skills are your best asset when building your security knowledge. Let me know about your take on security research at John@JohnMuellerBooks.com.

 

Security = Scrutiny

There is a myth among administrators and developers that it’s possible to keep a machine free of viruses, adware, Trojans, and other forms of malware simply by disconnecting it from the Internet. I’m showing my age (yet again), but machines were being infected with all sorts of malware long before the Internet became any sort of connectivity solution for any system. At one time it was floppy disks that were the culprit, but all sorts of other avenues of attack present themselves. To dismiss things like evil USB drives that take over systems, even systems not connected to the Internet, is akin to closing your eyes and hoping an opponent doesn’t choose to hit you while you’re not looking. After all, it wouldn’t be fair. However, whoever said that life was fair or that anyone involved in security plays by the rules? If you want to keep your systems free of malware, then you need to be alert and scrutinize them continually.

Let’s look at this issue another way. If you refused to do anything about the burglar rummaging around on the first floor while you listened in your bedroom on the second floor, the police would think you’re pretty odd. More importantly, you’d have a really hard time getting any sort of sympathy or empathy from them. After all, if you just let a burglar take your things while you blithely refuse to acknowledge the burglar’s presence, whose fault is that? (Getting bonked on the back of the head while you are looking is another story.) That’s why you need to monitor your systems, even if they aren’t connected to the Internet. Someone wants to ruin your day and they’re not playing around. Hackers are dead serious about grabbing every bit of usable data on your system and using it to make your life truly terrible. Your misery makes them sublimely happy. Really, take my word for it.

The reason I’m discussing this issue is that I’m still seeing stories like, “Chinese hacker group among first to target networks isolated from Internet.” So, what about all those networks that were hacked before the Internet became a connectivity solution? Hackers have been taking networks down for a considerable time period and it doesn’t take an Internet connection to do it. The story is an interesting one because the technique used demonstrates that hackers don’t have to be particularly good at their profession to break into many networks. It’s also alarming because some of the networks targeted were contractors for the US military.

There is no tool, software, connection method, or secret incantation that can protect your system from determined hackers. I’ve said this in everything I’ve written about security. Yes, you can use a number of tools to make it more difficult to get through and to dissuade someone who truly isn’t all that determined. Unfortunately, no matter how high you make the walls of your server fortress, the hacker can always go just a bit further to climb them. Headlines such as “Advanced Attackers go Undetected for a Median of 229 Days; Only One-Third of Organizations Identify Breaches on Their Own” tell me that most organizations could do more to scrutinize their networks. Everything I read from informed security writers says that you can’t trust anyone or anything when you’re responsible for security, yet organizations continue to ignore that burglar on the first floor.

There is the question of whether it’s possible to detect and handle every threat. The answer is that it isn’t. Truly gifted hackers will blindside you and cause terrifying damage to your systems every time. Monitoring can mitigate the damage and help you recover more quickly, but the fact is that it’s definitely possible to do better. Let me know your thoughts about security at John@JohnMuellerBooks.com.

 

Death of Windows XP? (Part 5)

Windows XP, the operating system that simply refuses to die. The title of this post should tell you that there have been four other posts (actually a lot more than that) on the death of Windows XP. The last post was on 30 May 2014, Death of Windows XP? (Part 4). I promised then that it would be my last post, but that was before I knew that Windows XP would still command between 10 percent and 15 percent market share—placing it above the Mac’s OS X. In fact, according to some sources, Windows XP has greater market share than Windows 8.1 as well. So it doesn’t surprise me that a few of you are still looking for Windows XP support from me. Unfortunately, I no longer have a Windows XP setup to support you, so I’m not answering Windows XP questions any longer.

Apparently, offering Windows XP support is big business. According to a recent ComputerWorld article, the US Navy is willing to pony up $30.8 million for Microsoft’s continued support of Windows XP. Perhaps I ought to reconsider and offer paid support after all. There are many other organizations that rely on Windows XP and some may shock you. For example, the next time you stop in front of an ATM, consider the fact that 95 percent of them still run Windows XP. In both cases, the vendors are paying Microsoft to continue providing updates to ensure the aging operating system remains secure. However, I’m almost certain that even with security updates, hackers figured out ways to get past the Windows XP defenses a long time ago. For example, even with fixes in place, it’s quite easy to find headlines such as, “Hackers stole from 100 banks and rigged ATMs to spew cash.”

What worries me more than anything else is that there are a lot of home users out there who haven’t patched their Windows XP installation in a really long time now. Their systems must be hotbeds of viruses, adware, and Trojans. It wouldn’t surprise me to find that every one of them is a zombie spewing out all sorts of garbage. It’s time to put this aging operating system out of its misery. If you have a copy of Windows XP, please don’t contact me about it—get rid of it and get something newer. Let me know your thoughts on ancient operating systems at John@JohnMuellerBooks.com.

 

A Windows Security Alert, Courtesy of Samsung

I’ve gotten used to a whole lot of silly vendor tricks over the years. Just about every vendor I’ve worked with has done something completely idiotic, just to cause the other guy woe. The user always ends up hurt. Readers of Administering Windows Server 2008 Server Core, Microsoft Windows Command Line Administration Instant Reference, and Windows 8 for Dummies Quick Reference need to be aware that according to a ComputerWorld article, Samsung has turned off Windows Update. The worrisome part of all this is that there is apparently an executable to turn the support off, but not another executable to turn support back on. Sites, such as engadget, are recommending you perform a clean install of Windows on your computer to get rid of the problem.

The whole issue seems to revolve around Samsung being worried that Microsoft’s updates will interfere with Samsung’s updates of its software. The result could be that the system won’t work. Phrases, such as “could be” and “might not”, always bother me. Samsung must not have tested the problem fully or they would have had a more positive and straightforward comment to make when asked about the problem. The point is that the user loses. Advice such as telling users they must reinstall Windows from scratch to get rid of the problem sounds just dandy until you figure out that most users can’t perform this task, so they’ll be out extra money getting someone else to do the job or we’ll all face the issues that happen when updates don’t occur. It’s not as if the Internet really requires yet more zombies (computers under hacker control)—we have no lack of them now.

A similar problem occurred not long ago when Lenovo thought it would be a good idea to pre-install the Superfish adware on the computers it put out. Most computer vendors add bloatware to their systems, which really does make it a good idea to perform a clean install when you buy a new system, but purposely adding adware seems a bit deranged to me. Lenovo later apologized and fixed the problem, but the point is that they made the mistake in the first place.

Some of my readers have asked why so many of my books include installation instructions or at least pointers to the installation instructions. The answer is that vendors keep doing things that make me shake my head and wonder just what they were thinking about. When you buy a new system from someone, perform a clean install of the operating system to get rid of the bloatware or have someone else do it for you. If you choose to keep the pre-installed operating system in place, make sure you research any oddities of the installation (such as turning off Windows Update). Otherwise, you might end up with a situation where Windows Update simply doesn’t do the job because someone told it not to. Let me know your thoughts on pre-installed software, bloatware, and vendors who seem completely clueless at John@JohnMuellerBooks.com.


Story Update!

According to a ComputerWorld article, Samsung will end the practice of disabling Windows Update. Of course, one has to wonder why they did it in the first place. If you have one of the systems that disabled Windows Update, a patch will restore the system to perform the required updates.

 

Avoiding Unwanted Spaces

Some time back, I created the Adding a Location to the Windows Path blog post to help readers make better use of some of my book examples. Adding a location to the path makes it possible for Windows to locate applications with greater ease. However, that post didn’t make it clear that a space in a path would cause problems. For example, a path such as, C:\Windows; C:\Python33 (note the space) won’t work. In order for the path to work, each individual path must be separated from the others with just a semicolon, such as C:\Windows;C:\Python33. If you’ve added a path to your Windows setup and find that Windows can’t locate the applications you want to use, please check for an unwanted space in the path.
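As an added example (not code from the post), here is a small Python checker for the unwanted-space problem just described. It takes the PATH value as a string rather than reading the live environment, so it runs on any platform; SAMPLE_PATH is a constructed value and the function names are my own.

```python
"""Audit a Windows PATH string for stray spaces around its entries."""
from typing import List, Tuple

# Constructed sample PATH: entry 1 has a leading space (the post's
# "C:\Windows; C:\Python33" mistake) and entry 2 has a trailing space.
SAMPLE_PATH = r"C:\Windows; C:\Python33;C:\Program Files\Git\cmd ;C:\Windows\System32"


def split_windows_path(path: str) -> List[str]:
    """Split a PATH value on semicolons without trimming anything.

    Only the semicolon separates entries; a space is not a separator, so a
    stray space simply becomes part of the neighbouring directory name.
    """
    return path.split(";")


def audit_path(path: str) -> List[Tuple[int, str, str]]:
    """Return (index, original_entry, problem) for each suspicious entry.

    Flagged:
      - leading or trailing whitespace on an entry
      - empty entries produced by a doubled or trailing semicolon
    Spaces inside a directory name (C:\\Program Files) are legitimate and
    are not reported.
    """
    problems = []
    for i, entry in enumerate(split_windows_path(path)):
        if entry == "":
            problems.append((i, entry, "empty entry (doubled or trailing semicolon)"))
        elif entry != entry.strip():
            problems.append((i, entry, "leading or trailing whitespace"))
    return problems


def fix_path(path: str) -> str:
    """Rebuild the PATH with every entry stripped and empty entries dropped."""
    entries = [e.strip() for e in split_windows_path(path)]
    return ";".join(e for e in entries if e)


if __name__ == "__main__":
    for index, entry, why in audit_path(SAMPLE_PATH):
        print(f"entry {index}: {entry!r}: {why}")
    print("corrected:", fix_path(SAMPLE_PATH))
```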

The limitation on using spaces in a path makes sense because you also have to restrict their use at the command line. For example, typing Dir /A D (with a space between the A and the D) will produce an error. In order to obtain the correct results, you must type Dir /AD and press Enter. The reason the space causes a problem is that the command processor treats spaces as delimiters, separators between command elements. The space tells the command processor that one element has ended and a new one has started.

Spaces can creep into commands with relative ease. All it takes is a relatively simple tap on the spacebar at the wrong time. In addition, spaces can be hard to spot when you use certain fonts. When working in an editor to create batch files or other permanently stored command forms, always use a monospaced font, such as Courier New, to make spaces easier to spot. The point is to look for unwanted spaces when a command line feature doesn’t work properly and you know you have typed the correct command.

As a reminder from my books, the command line can also be case sensitive in some cases. Make sure you check your commands to ensure they’re formatted correctly. Let me know about your book-specific command line issue at John@JohnMuellerBooks.com.

 

Working at the Command Line

I maintain statistics about each of my books. Lately, I’ve noticed a trend with my command line reference books. More people are sending me e-mail about Microsoft Windows Command Line Administration Instant Reference and Administering Windows Server 2008 Server Core. However, the questions are becoming more diverse and less technical. Rather than the targeted questions about administration needs, I’m getting what I think are probably power user questions as well. People see my blog posts about commands, such as FindStr, and they naturally want to know more.

Someone recently wrote to ask me about what I thought the trends regarding the command line are. Based on my statistics, I would think that administrators are continuing to use the command line and more power users are rediscovering the command line. However, basing an opinion solely on book-related e-mail isn’t always the best idea and it certainly isn’t very scientific. Statistically, the e-mail is probably skewed to some extent because people aren’t speaking in general about their feelings—they have specific questions.

So, today I come to you with a request. Could you either comment to this blog post or send me e-mail about how you use the command line, or whether you use it at all? Microsoft is doing everything it can to move people to PowerShell. You can do quite a lot with PowerShell, including writing scripts that are more robust than those you can write at the command line. In addition, there are sites, such as PowerShell.com, that cater to the needs of the PowerShell user.

Even though it would seem at first like PowerShell is the future and the command line is passé, the command line has the advantage of simplicity and long term stability. In addition, there are still more resources available for the command line than there are for PowerShell. I generally use the command line for all my needs because I simply haven’t had a need for the additional resources that PowerShell provides. Let me know your thoughts about the command line and whether you generally see PowerShell as the required replacement for it at John@JohnMuellerBooks.com.

 

Death of Windows XP? (Part 4)

The last post, Death of Windows XP? (Part 3), was supposed to be the last word on this topic that won’t die, but as usual, it isn’t. The hackers of the world have figured out a new and interesting way of getting around Microsoft’s plan to kill Windows XP. It turns out that you can continue to get updates if you’re willing to use a registry hack to convince Windows Update that your system is a different version of Windows that is almost like Windows XP Service Pack 3, but not quite. You can read the article, How to get security updates for Windows XP until April 2019, to get the required details.

The hack involves making Windows Update believe that you actually own a Point of Sale (POS) system that’s based on Windows XP. The POS version of Windows XP will continue to have support until April of 2019, when it appears that Windows XP will finally have to die unless something else comes along. It’s important to note that you must have Windows XP Service Pack 3 installed. Older versions of Windows XP aren’t able to use the hack successfully.

After reading quite a few articles on the topic and thinking through the way Microsoft has conducted business in the past, I can’t really recommend the registry hack. There are a number of problems with using it that could cause issues with your setup.

  • You have no way of knowing whether the updates will provide complete security support for a consumer version of Windows XP.
  • The updates aren’t specifically tested for the version of Windows XP that you’re using, so you could see odd errors pop up.
  • Microsoft could add code that will trash your copy of Windows XP (once it figures out how to do so).

There are probably other reasons not to use the hack, but these are the reasons that come to mind that are most important for my readers. As with most hacks, this one is dangerous and I do have a strong feeling that Microsoft will eventually find a way to make anyone using it sorry they did. The support period for Windows XP has ended unless you have the money to pay for corporate level support—it’s time to move on.

I most definitely won’t provide support to readers who use the hack. There isn’t any way I can create a test system that will cover all of the contingencies so that I could even think about providing you with any support. If you come to me with a book-related issue and have the hack installed, I won’t be able to provide you with any support. This may seem like a hard-nosed attitude to take, but there simply isn’t any way I can support you.

 

Death of Windows XP? (Part 3)

Questions continue to come in from readers who are still using Windows XP despite the fact that Microsoft is only marginally supporting it. Yes, it’s the operating system that refuses to die and readers really are confused as to why Microsoft has decided to kill what is obviously a popular operating system. They’re in good company. In fact, some authors, such as John Dvorak, have gone a lot further in their negative comments regarding the demise of Windows XP. The point is that Microsoft is quite determined to force anyone they can into using Windows 8.1, whether it works for them or not. It doesn’t seem to matter that people still have perfectly usable systems that are happily running Windows XP without problems.

My first two posts on this topic, Death of Windows XP? and Death of Windows XP? (Part 2) should have addressed any questions that people reading my books might have. Essentially, I recommend updating to Windows 7 (for business users) or Windows 8.1 (for consumers) when your hardware begins to die of old age or your needs change.

I no longer have access to a Windows XP system, so I’m not able to provide support for my old Windows XP books at this point in time. If you have one of my old Windows XP books, you’ll need to use it as is. I haven’t purposely gone out of my way to orphan the books, but the technology is old and I simply don’t have the resources to provide support for these books any longer. In addition, none of my current programming books are designed for Windows XP developers.

In the meantime, you need to ensure that you get security updates. Microsoft has extended a limited level of security support until 14 July 2015 that includes malware signatures and the associated engine. You won’t receive any sort of bug fixes. In order to enhance the security of your environment, you may want to consider these changes to your system:

  • Use a browser that receives regular security upgrades, such as Chrome or Firefox (IE is a bad choice because Microsoft won’t update it).
  • Remove any software that is prone to security problems, such as Java.
  • Rely on an account with limited privileges, rather than use the Administrator account.
  • Update any application software as often as is possible.
  • Keep the number of installed applications as small as is possible.
  • Examine your system (especially your hard drive) for signs of intruders (such as unexplained processes) on a regular basis.
  • Stay offline whenever possible.

These strategies can help you out for a while, but they’re short term solutions. Eventually, you need to go offline permanently (such as when using the system to run older games) or upgrade to something newer. Please let me know whether you have any additional questions about Windows XP and how it affects support for my books at John@JohnMuellerBooks.com.

An Update on the RunAs Command

It has been a while since I wrote the Simulating Users with the RunAs Command post that describes how to use the RunAs command to perform tasks that the user’s account can’t normally perform. (The basics of using the RunAs command appear in both Administering Windows Server 2008 Server Core and Windows Command-Line Administration Instant Reference.) A number of you have written to tell me that there is a problem with using the RunAs command with built-in commands—those that appear as part of CMD.EXE. For example, when you try the following command:

RunAs /User:Administrator "md \Temp"

you are asked for the Administrator password as normal. After you supply the password, you get two error messages:

RUNAS ERROR: Unable to run - md \Temp
2: The system cannot find the file specified.

In fact, you find that built-in commands as a whole won’t work as anticipated. One way to overcome this problem is to place the commands in a batch file and then run the batch file as an administrator. This solution works fine when you plan to execute the command regularly. However, it’s not optimal when you plan to execute the command just once or twice. In this case, you must execute a copy of the command processor and use it to execute the command as shown here:

RunAs /User:Administrator "cmd /c \"md \Temp\""

This command looks pretty convoluted, but it’s straightforward if you take it apart a little at a time. At the heart of everything is the md \Temp part of the command. In order to make this a separate command, you must enclose it in double quotes. Remember to escape each double quote that appears within the command string by using a backslash (as in \").

To execute the command processor, you simply type cmd. However, you want the command processor to start, execute the command, and then terminate, so you also add the /c command line switch. The command processor string is also enclosed within double quotes to make it appear as a single command to RunAs.
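The following is an added example, not code from the post: a Python helper that decides whether a command is a CMD.EXE built-in (and therefore has no executable on disk for RunAs to find) and, if so, wraps it in cmd /c using the quoting pattern shown above. The list of built-ins is a partial one I supplied, and runas_command and batch_wrapper are my own names; the batch_wrapper function produces the post's other workaround, a batch file you can run through RunAs instead.

```python
"""Work out whether RunAs needs the cmd /c wrapper described in the post."""
from typing import List

# Partial list of commands that are internal to CMD.EXE. There is no md.exe
# or dir.exe on disk, which is why RunAs reports "The system cannot find the
# file specified" when asked to run one of them directly.
CMD_INTERNAL_COMMANDS = frozenset({
    "cd", "chdir", "cls", "copy", "del", "dir", "echo", "erase", "md", "mkdir",
    "move", "rd", "ren", "rename", "rmdir", "set", "type",
})


def command_name(command: str) -> str:
    """Return the first whitespace-delimited token, lower-cased (the command name)."""
    parts = command.strip().split(None, 1)
    return parts[0].lower() if parts else ""


def is_cmd_builtin(command: str) -> bool:
    """True when the command line starts with a CMD.EXE internal command."""
    return command_name(command) in CMD_INTERNAL_COMMANDS


def runas_command(user: str, command: str) -> str:
    """Build the RunAs command line that runs `command` as `user`.

    External programs are handed to RunAs as-is inside double quotes.
    Built-ins are wrapped in `cmd /c`, and the quotes around the built-in
    are escaped with backslashes, following the pattern shown in the post.
    """
    if is_cmd_builtin(command):
        program = 'cmd /c \\"' + command + '\\"'
    else:
        program = command
    return f'RunAs /User:{user} "{program}"'


def batch_wrapper(commands: List[str]) -> str:
    """Return the text of a batch file that runs the given commands.

    This is the post's alternative for commands you run regularly: save the
    text as a .bat file and run that file through RunAs instead.
    """
    return "@echo off\r\n" + "".join(c + "\r\n" for c in commands)


if __name__ == "__main__":
    # Constructed sample commands: one built-in, one external executable.
    print(runas_command("Administrator", r"md \Temp"))
    print(runas_command("Administrator", r"notepad.exe C:\Temp\notes.txt"))
```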

Make sure you use forward slashes and backslashes as needed. Using the wrong slash will make the command fail.

The RunAs command can now proceed as you normally use it. In this case, the command only includes the username. You can also include the password, when necessary. Let me know if you find this workaround helpful at John@JohnMuellerBooks.com.

 

Death of Windows XP? (Part 2)

The fact that Windows XP, despite some pretty aggressive attack by Microsoft on its own product, is still alive isn’t in doubt. Of course, there is the matter of support to consider. Microsoft has decided not to provide any more support for Windows XP unless you’re a big company or government organization with immensely deep pockets and have a lot of cash to spend. Stories abound about the Dutch and British governments forking over huge bucks to keep their copies of Windows XP patched. Of course, the IRS is in on it too. (Microsoft begrudgingly decided to provide security updates for Windows XP until 14 July 2015 after a lot of complaining.)

My previous post on this topic, Death of Windows XP?, discussed some of the pros and cons of keeping the aging operating system around. In general, it’s a good idea to update to Windows 7 if you have equipment that can run it. Windows 8 has received a lot of negative press, especially for business needs. After working with it for a while myself, I see it as a good consumer operating system, but not necessarily something a business would want to use. Even with the updates, Windows 8 simply forces the user to work too hard to get things done in a manner that businesses would normally do them.

What surprised me this past week (and it shouldn’t have) is that some larger organizations are taking matters into their own hands. For example, if you’re a Windows XP user in China, you can get updates for your Windows XP installation from Qihoo 360. The point is that it appears that Windows XP will continue to receive patches and security updates even if Microsoft isn’t involved. This process almost reminds me of what happened to IBM when it started to drop the ball on the PC. At one time, everything revolved around IBM, but then the company made some really bad decisions and third parties had an opportunity to take control of the market (which they promptly did).

Whether you believe Windows XP is worth saving or not isn’t the issue. What the whole Windows XP scenario points out is that Microsoft is losing its grip on the market, even the desktop market where it once reigned supreme. What are your thoughts about Microsoft’s future? Let me know at John@JohnMuellerBooks.com.