Is Security Research Always Useful?

Anyone involved in the computer industry likely spends some amount of time reading about the latest security issues in books such as Security for Web Developers. Administrators and developers probably spend more time than many people, but no one can possibly read all the security research available today. There are so many researchers looking for so many bugs in so many places and in so many different ways that even if someone had the time and inclination to read every security article produced, it would be impossible. You’d need to be the speediest reader on the planet (and then some) to even think about scratching the surface. So, you must contemplate the usefulness of all that research—whether it’s actually useful or simply a method for some people to get their name on a piece of paper.

Some of the attacks require physical access to the system. In some cases, you must actually take the system apart to access components in order to perform the security trick. Unless you or your organization is in the habit of allowing perfect strangers physical access to your systems, which might include taking them apart, you must wonder whether the security issue is even worth worrying about. You need to ask why someone would take the time to document a security issue that’s nearly impossible to see, much less perform in a real world environment. More importantly, the moment you see that a security issue requires physical access to the device, you can probably stop reading.

You also find attacks that require special equipment to perform. The article, How encryption keys could be stolen by your lunch, discusses one such attack. In fact, the article contains a picture of the special equipment that you must build to perpetrate the attack. It places said equipment into a piece of pita bread, which adds a fanciful twist to something that is already quite odd and pretty much unworkable given that you must be within 50 cm (19.6 in) from the device you want to attack (assuming that the RF transmission conditions are perfect). Except for the interesting attack vector (using a piece of pita bread), you really have to question why anyone would ever perpetrate this attack given that social engineering and a wealth of other attacks require no special equipment, are highly successful, and work from a much longer distance.

Another example of incredibly weird security research is found in the article, When the good guys are wielding the lasers. I have to admit it’s interesting in a James Bond sort of way, but we’re talking about lasers mounted on drones. This attack at least has the advantage of distance (1 km or 0.6 mi). However, you have to wonder just how the laser was able to get a line of sight with the attack object, a printer in this case. If a device is critical enough that someone separates it from the Internet, it’s also quite likely that the device won’t be sitting in front of a window where someone can use a laser to access it.

A few research pieces become more reasonable by discussing outlandish sorts of hacks that could potentially happen after an initial break-in. The hack discussed in Design flaw in Intel chips opens door to rootkits is one of these sorts of hacks. You can’t perpetrate the hack until after breaking into the system some other way, but the break-in has serious consequences once it occurs. Even so, most hackers won’t take the time because they already have everything needed—the hack is overkill.

The articles that help most provide a shot of reality into the decidedly conspiracy-oriented world of security. For example, Evil conspiracy? Nope, everyday cyber insecurity, discusses a series of events that everyone initially thought pointed to a major cyber attack. It turns out that the events occurred at the same time by coincidence. The article author thoughtfully points out some of the reasons that the conspiracy theories seemed a bit out of place at the outset anyway.

It also helps to know the true sources of potential security issues. For example, the articles, In the security world, the good guys aren’t always good and 5 reasons why newer hires are the company’s biggest data security risk, point out the sources you really do need to consider when creating a security plan. These are the sorts of articles that should attract your attention because they describe a security issue that you really should think about. Likewise, reading articles such as, Software developers aren’t implementing encryption correctly and 4 fatal problems with PKI help you understand why your security measures may not always work as well as anticipated.

The point is that you encounter a lot of information out there that doesn’t help you make your system any more secure. It may be interesting if you have the time to read it, but the tactics truly aren’t practical and no hacker is going to use them. Critical thinking skills are your best asset when building your security knowledge. Let me know about your take on security research at John@JohnMuellerBooks.com.

 

Death of Windows XP? (Part 5)

Windows XP, the operating system that simply refuses to die. The title of this post should tell you that there have been four other posts (actually a lot more than that) on the death of Windows XP. The last post was on 30 May 2014, Death of Windows XP? (Part 4). I promised then that it would be my last post, but that’s before I knew that Windows XP would still command between 10 percent and 15 percent market share—placing it above the Mac’s OS X. In fact, according to some sources, Windows XP has greater market share than Windows 8.1 as well. So it doesn’t surprise me that a few of you are still looking for Windows XP support from me. Unfortunately, I no longer have a Windows XP setup to support you, so I’m not answering Windows XP questions any longer.

Apparently, offering Windows XP support is big business. According to a recent ComputerWorld article, the US Navy is willing to pony up $30.8 million for Microsoft’s continued support of Windows XP. Perhaps I ought to reconsider and offer paid support after all. There are many other organizations that rely on Windows XP and some may shock you. For example, the next time you stop in front of an ATM, consider the fact that 95 percent of them still run Windows XP. In both cases, the vendors are paying Microsoft to continue providing updates to ensure the aging operating system remains secure. However, I’m almost certain that even with security updates, hackers have figured out ways to get past the Windows XP defenses a long time ago. For example, even with fixes in place, it’s quite easy to find headlines such as, “Hackers stole from 100 banks and rigged ATMs to spew cash.”

What worries me more than anything else is that there are a lot of home users out there who haven’t patched their Windows XP installation in a really long time now. Their systems must be hotbeds of viruses, adware, and Trojans. It wouldn’t surprise me to find that every one of them is a zombie spewing out all sorts of garbage. It’s time to put this aging operating system out of its misery. If you have a copy of Windows XP, please don’t contact me about it—get rid of it and get something newer. Let me know your thoughts on ancient operating systems at John@JohnMuellerBooks.com.

 

A Windows Security Alert, Courtesy of Samsung

I’ve gotten used to a whole lot of silly vendor tricks over the years. Just about every vendor I’ve worked with has done something completely idiotic, just to cause the other guy woe. The user always ends up hurt. Readers of Administering Windows Server 2008 Server Core, Microsoft Windows Command Line Administration Instant Reference, and Windows 8 for Dummies Quick Reference need to be aware that according to a ComputerWorld article, Samsung has turned off Windows Update. The worrisome part of all this is that there is apparently an executable to turn the support off, but not another executable to turn support back on. Sites, such as engadget, are recommending you perform a clean install of Windows on your computer to get rid of the problem.

The whole issue seems to revolve around Samsung being worried that Microsoft’s updates will interfere with Samsung’s updates of its software. The result could be that the system won’t work. Phrases, such as “could be” and “might not”, always bother me. Samsung must not have tested the problem fully or they would have had a more positive and straightforward comment to make when asked about the problem. The point is that the user loses. Advice such as telling users they must reinstall Windows from scratch to get rid of the problem sounds just dandy until you figure out that most users can’t perform this task, so they’ll be out extra money getting someone else to do the job or we’ll all face the issues that happen when updates don’t occur. It’s not as if the Internet really requires yet more zombies (computers under hacker control)—we have no lack of them now.

A similar problem occurred not long ago when Lenovo thought it would be a good idea to pre-install the Superfish adware on the computers it put out. Most computer vendors add bloatware to their systems, which really does make it a good idea to perform a clean install when you buy a new system, but purposely adding adware seems a bit deranged to me. Lenovo later apologized and fixed the problem, but the point is that they made the mistake in the first place.

Some of my readers have asked why so many of my books include installation instructions or at least pointers to the installation instructions. The answer is that vendors keep doing things that make me shake my head and wonder just what they were thinking about. When you buy a new system from someone, perform a clean install of the operating system to get rid of the bloatware or have someone else do it for you. If you choose to keep the pre-installed operating system in place, make sure you research any oddities of the installation (such as turning off Windows Update). Otherwise, you might end up with a situation where Windows Update simply doesn’t do the job because someone told it not to. Let me know your thoughts on pre-installed software, bloatware, and vendors who seem completely clueless at John@JohnMuellerBooks.com.


Story Update!

According to a ComputerWorld article, Samsung will end the practice of disabling Windows Update. Of course, one has to wonder why they did it in the first place. If you have one of the systems that disabled Windows Update, a patch will restore the system to perform the required updates.

 

Death of Windows XP? (Part 4)

The last post, Death of Windows XP? (Part 3), was supposed to be the last word on this topic that won’t die, but as usual, it isn’t. The hackers of the world have figured out a new an interesting way of getting around Microsoft’s plan to kill Windows XP. It turns out that you can continue to get updates if you’re willing to use a registry hack to convince Windows Update that your system is a different version of Windows that is almost like Windows XP Service Pack 3, but not quite. You can read the article, How to get security updates for Windows XP until April 2019, to get the required details.

The hack involves making Windows Update believe that you actually own a Point of Sale (POS) system that’s based on Windows XP. The POS version of Windows XP will continue to have support until April of 2019, when it appears that Windows XP will finally have to die unless something else comes along. It’s important to note that you must have Windows XP Service Pack 3 installed. Older versions of Windows XP aren’t able to use the hack successfully.

After reading quite a few articles on the topic and thinking through the way Microsoft has conducted business in the past, I can’t really recommend the registry hack. There are a number of problems with using it that could cause issues with your setup.

 

  • You have no way of knowing whether the updates will provide complete security support for a consumer version of Windows XP.
  • The updates aren’t specifically tested for the version of Windows XP that you’re using, so you could see odd errors pop up.
  • Microsoft could add code that will trash your copy of Windows XP (once it figures out how to do so).


There are probably other reasons not to use the hack, but these are the reasons that come to mind that are most important for my readers. As with most hacks, this one is dangerous and I do have a strong feeling that Microsoft will eventually find a way to make anyone using it sorry they did. The support period for Windows XP has ended unless you have the money to pay for corporate level support—it’s time to move on.

I most definitely won’t provide support to readers who use the hack. There isn’t any way I can create a test system that will cover all of the contingencies so that I could even think about providing you with any support. If you come to me with a book-related issue and have the hack installed, I won’t be able to provide you with any support. This may seem like a hard nosed attitude to take, but there simply isn’t any way I can support you.

 

Death of Windows XP? (Part 3)

Questions continue to come in from readers who are still using Windows XP despite the fact that Microsoft is only marginally supporting it. Yes, it’s the operating system that refuses to die and readers really are confused as to why Microsoft has decided to kill what is obviously a popular operating system. They’re in good company. In fact, some authors, such as John Dvorak, have gone a lot further in their negative comments regarding the demise of Windows XP. The point is that Microsoft is quite determined to force anyone they can into using Windows 8.1, whether it works for them or not. It doesn’t seem to matter that people still have perfectly usable systems that are happily running Windows XP without problem.

My first two posts on this topic, Death of Windows XP? and Death of Windows XP? (Part 2) should have addressed any questions that people reading my books might have. Essentially, I recommend updating to Windows 7 (for business users) or Windows 8.1 (for consumers) when your hardware begins to die of old age or your needs change.

 


I no longer have access to a Windows XP system, so I’m not able to provide support for my old Windows XP books at this point in time. If you have one of my old Windows XP books, you’ll need to use it as is. I haven’t purposely gone out of my way to orphan the books, but the technology is old and I simply don’t have the resources to provide support for these books any longer. In addition, none of my current programming books are designed for Windows XP developers.

In the meantime, you need to ensure that you get security updates. Microsoft has extended a limited level of security support until 14 July 2015 that includes malware signatures and the associated engine. You won’t receive any sort of bug fixes. In order to enhance the security of your environment, you may want to consider these changes to your system:


  • Use a browser that receives regular security upgrades, such as Chrome or Firefox (IE is a bad choice because Microsoft won’t update it).

  • Remove any software that is prone to security problems, such as Java.

  • Rely on an account with limited privileges, rather than use the Administrator account.
  • Update any application software as often as is possible.
  • Keep the number of installed applications as small as is possible.
  • Examine your system (especially your hard drive) for signs of intruders (such as unexplained processes) on a regular basis.

  • Stay offline whenever possible.

These strategies can help you out for a while, but they’re short term solutions. Eventually, you need to go offline permanently (such as when using the system to run older games) or upgrade to something newer. Please let me know whether you have any additional questions about Windows XP and how it affects support for my books at John@JohnMuellerBooks.com.

An Update on the RunAs Command

It has been a while since I wrote the Simulating Users with the RunAs Command post that describes how to use the RunAs command to perform tasks that the user’s account can’t normally perform. (The basics of using the RunAs command appear in both Administering Windows Server 2008 Server Core and Windows Command-Line Administration Instant Reference.) A number of you have written to tell me that there is a problem with using the RunAs command with built-in commands—those that appear as part of CMD.EXE. For example, when you try the following command:

RunAs /User:Administrator “md \Temp”

you are asked for the Administrator password as normal. After you supply the password, you get two error messages:

RUNAS ERROR: Unable to run – md \Temp
2: The system cannot find the file specified.

In fact, you find that built-in commands as a whole won’t work as anticipated. One way to overcome this problem is to place the commands in a batch file and then run the batch file as an administrator. This solution works fine when you plan to execute the command regularly. However, it’s not optimal when you plan to execute the command just once or twice. In this case, you must execute a copy of the command processor and use it to execute the command as shown here:

RunAs /User:Administrator “cmd /c \”md \Temp””

This command looks pretty convoluted, but it’s straightforward if you take it apart a little at a time. At the heart of everything is the md \Temp part of the command. In order to make this a separate command, you must enclose it in double quotes. Remember to escape the double quote that appears withing the command string by using a backslash (as in \”).

To execute the command processor, you simply type cmd. However, you want the command processor to start, execute the command, and then terminate, so you also add the /c command line switch. The command processor string is also enclosed within double quotes to make it appear as a single command to RunAs.

 

Make sure you use forward slashes and backslashes as needed. Using the wrong slash will make the command fail.

The RunAs command can now proceed as you normally use it. In this case, the command only includes the username. You can also include the password, when necessary. Let me know if you find this workaround helpful at John@JohnMuellerBooks.com.

 

Death of Windows XP? (Part 2)

The fact that Windows XP, despite some pretty aggressive attack by Microsoft on its own product, is still alive isn’t in doubt. Of course, there is the matter of support to consider. Microsoft has decided not to provide any more support for Windows XP unless you’re a big company or government organization with immensely deep pockets and have a lot of cash to spend. Stories abound about the Dutch and British governments forking over huge bucks to keep their copies of Windows XP patched. Of course, the IRS is in on it too. (Microsoft begrudgingly decided to provide security updates for Windows XP until 14 July 2015 after a lot of complaining.)

My previous post on this topic, Death of Windows XP?, discussed some of the pros and cons of keeping the aging operating system around. In general, it’s a good idea to update to Windows 7 if you have equipment that can run it. Windows 8 has received a lot of negative press, especially for business needs. After working with it for a while myself, I see it as a good consumer operating system, but not necessarily something a business would want to use. Even with the updates, Windows 8 simply forces the user to work too hard to get things done in a manner that businesses would normally do them.

What surprised me this past week (and it shouldn’t have) is that some larger organizations are taking matters into their own hands. For example, if you’re a Windows XP user in China, you can get updates for your Windows XP installation from Qihoo 360. The point is that it appears that Windows XP will continue to receive patches and security updates even if Microsoft isn’t involved. This process almost reminds me of what happened to IBM when it started to drop the ball on the PC. At one time, everything revolved around IBM, but then the company made some really bad decisions and third parties had an opportunity to take control of the market (which they promptly did).

Whether you believe Windows XP is worth saving or not isn’t the issue. What the whole Windows XP scenario points out is that Microsoft is losing it’s grip on the market, even the desktop market where it once reigned supreme. What are your thoughts about Microsoft’s future? Let me know at John@JohnMuellerBooks.com.

 

Red Herrings

Whenever a new exploit surfaces, such as Heartbleed, and the media focuses all its attention on it, I have to wonder whether the exploit may not be a red herring—a bit of misdirection used to keep our attention focused anywhere other than it should be. It’s true that this exploit is quite terrible. It affects any server running Secure Sockets Layer (SSL) and Transport Layer Security (TSL) software based on OpenSSL, which is actually supposed to protect people engaged in confidential transactions. Supposedly, Windows and OS X servers are immune to the exploit, but these servers often rely on services offered by servers that are affected, so everyone is suspect at this point. It’s my understanding that the exploit is incredibly easy to implement and doesn’t leave any trace once the perpetrator has gone. Fortunately, there are also ways to fix the problem and most sites will likely have it fixed within a couple of days.

The exploit is an eye opener for users who have grown complacent about Internet use over the years. Most of the articles I read about Heartbleed don’t even address the user, but the user is the real loser. It’s the user’s information that is gone forever without a trace and the user who will likely bear the brunt of the financial problems caused by Heartbleed. Even if a company is forced to pay some sort of compensation to the user for the loss of information, the compensation will never fully repay the user for the inconvenience and loss of reputation that such an exploit causes. Unfortunately, the user continues to pay a price long after the exploit is forgotten in the form of lost opportunities and an inability to make use of certain services due to a loss of reputation caused by the exploit.

However, I began this post by talking about red herrings—the misdirection often found in the plot of detective novels. I find it interesting that this bug was introduced in December 2011 and is only now making headlines. This means that Heartbleed was a usable, viable means of grabbing information surreptitiously for over two years. It makes me think that there must be other kinds of exploits of this sort that nefarious individuals are currently using to grab every last bit of information possible about you. All the media attention on this one particular exploit is taking the spotlight off those other exploits. Perhaps Heartbleed has outlived its usefulness and was actually made visible by the hacker community on purpose for the purpose of hiding the true activities of these individuals. Of course, there is no way of knowing.

What all this leads me to believe is that individuals must exercise good judgement when engaging in online activities of any sort. No one will fix your credit report or reputation once ruined and counting on the financial community to make amends simply won’t work. These people are rich for a reason—they know how to hold onto their money (as in, you won’t get any). In addition, software is always going to contain errors because programmers are human, so you must count on future exploits every bit as bad (or potentially worse) than Heartbleed. With this in mind, consider taking these suggestions to moderate your online behavior and make it a little more safe.

 

  • Use strong passwords that are easy to remember so you don’t have to write them down.
  • Change your password relatively often (every month or two works pretty well).
  • Use different passwords on every site you visit.
  • Never engage in transactions of any sort with any organization you don’t know.
  • Rely on a single credit card for financial transactions and never use the credit card for any other purpose (better yet, rely on an online-specific financial aid such as PayPal).
  • Don’t expose more information about yourself than necessary.


There are other ways in which you can protect yourself, but if you follow these few techniques, you can avoid a considerable number of security issues. The point is that Heartbleed is a scary exploit and there are probably a hundred other exploits, just as scary, already in play out there. Someone will always want your information and just handing it over to them seems like a bad idea, so take steps to personally keep your information secure. Let me know your thoughts about security red herrings at John@JohnMuellerBooks.com.

 

Death of Windows XP?

There have been a lot of stories in the trade press about Windows XP as of late. A number of readers have written to ask about the aging operating system because they’re confused by stories from one side that say everyone is sticking with Windows XP and stories from the other that say people are abandoning it. Windows XP is certainly one of the longest lasting and favored operating systems that Microsoft has produced, so it’s not surprising there is so much confusion about it.

Microsoft is certainly putting a lot of effort into getting rid of the aging operating system and for good reason—the code has become hard to maintain. Development decisions that seemed appropriate at the time Windows XP was created have proven not to work out in the long run. Of course, there are monetary reasons for getting rid of Windows XP as well. A company can’t continue to operate if no one buys new product. It must receive a constant influx of funds to stay in business, even a company as large as Microsoft. In short, if you’re Microsoft and you want to stay in business, rather than service what has become an unreliable operating system, you do anything it takes to move people in some other direction.

On the other side of the fence are people are are simply happy with the operating system they have today. The equipment they own is paid for and there isn’t a strong business reason to move to some other platform until said equipment breaks. The reliability of computer equipment is such today that it can last quite a long time without replacement. Theoretically, based on reliability alone, it’s possible that people will continue to use Windows XP for many more years. I have such as system setup to hold my movie database and to play older games I enjoy, but I don’t network it with any other equipment and it definitely doesn’t have access to the Internet.

From many perspectives, reports of the death of Windows XP are likely premature. The latest statistics still place the Windows XP market share above 27 percent. Even when Microsoft’s support goes away on April 8th, many third party vendors will continue to support Windows XP. What Microsoft’s end of support means is that you won’t get any new drivers for new hardware or upgrades to core operating system features. However, you can still get updates to your virus protection and Windows XP will continue to operate with your existing hardware.

For most people, the question of whether to keep Windows XP around hinges around the simple question of whether the operating system still fulfills every need. If this is the case, there really isn’t any reason to succumb to the fear mongering that is taking place and move to something else. However, once your equipment does start to break down or you find that Windows XP doesn’t quite fit the bill any longer, try moving along to something newer.

As to the essential question about the level of Windows XP support I’m willing to provide for my books, it depends on the book. My system no longer has development software on it because developers have moved on to other platforms. So, if you ask me programming questions about Windows XP, I’m not going to be able to help you. To some extent, I can offer a little help with user-level support questions for a few of my older books. However, I won’t be able to cover issues that my support system doesn’t address any longer, such as connecting to a network or the Internet. In sum, even though I can offer you some level of support in many cases, I can’t continue to provide the full support I once did. Let me know about your Windows XP book support questions at John@JohnMuellerBooks.com.

 

Using the Set Command to Your Advantage

Last week I created a post about the Windows path. A number of people wrote me about that post with questions. Yes, you can use the technique for setting the Path environment variable to set any other environment variable. The Windows Environment Variables dialog box works for any environment variable—including those used by language environments such as Java, JavaScript, and Python. Windows doesn’t actually care what sort of environment variable you create using the method that I discuss in that post. The environment variable will appear in every new command prompt window you create for either a single user or all users of a particular system, depending on how you create the environment variable.

A few of you took me to task for not mentioning the Set command. This particular command appears in both Administering Windows Server 2008 Server Core and Windows Command-Line Administration Instant Reference. It’s a useful command because you can temporarily configure a command prompt session to support a new set of settings. When the session is ended, the settings are gone. Only those settings you create as part of Environment Variables window have any permanence. There are other tricks you can use, but using Set for temporary environment variables and the Environment Variables window for permanent environment variables are the two most common approaches.

In order to see the current environment variables you simply type Set and press Enter at the command line. If you add a space and one or more letters, you see just the matching environment variables. For example, type Set U and press Enter to see all of the environment variables that begin with the letter U.

To set an environment variable, you add the name of the variable, an equals sign (=), and the variable value. For example, to set the value of MyVariable to Hello, you type Set MyVariable=Hello and press Enter. To verify that MyVariable does indeed equal Hello, you type Set MyVariable and press Enter. The command prompt will display the value of MyVariable. When you’re done using MyVariable, you can type Set MyVariable= and press Enter. Notice the addition of the equals sign. If you ask for the value of MyVariable again, the command prompt will tell you it doesn’t exist.

Newer versions of the command prompt provide some additional functionality. For example, you might set MyVariable within a batch file and not know what value it should contain when you create the batch file. In this case, you can prompt the user to provide a value using the /P command line switch. For example, if you type Set /P MyVariable=Type a value for my variable: and press Enter, you’ll see a prompt to enter the variable value.

It’s also possible to perform math with Set using the /A command line switch. There is a whole list of standard math notations you can use. Type Set /? and press Enter to see them all. If you write application code at all, you’ll recognize the standard symbols. For example, if you want to increment the value of a variable each time something happens, you can use the += operator. Type Set /A MyVariable+=1 and press Enter to see how this works. The first time you make the call, MyVariable will equal 1. However, on each succeeding call, the value will increment by 1 (for values of 2, 3, and so on).

Environment variables support expansion and you can see this work using the Echo command. For example, if you type Echo %MyVariable%, you see the value of MyVariable.

However, you might not want the entire value of MyVariable. Newer versions of the command prompt support substrings. The variable name is followed by a :~, the beginning position, a comma, and the ending position. For example, if you place Hello World in MyVariable, and then type Echo %MyVariable:~0,5% and press Enter, you see Hello as the output, not Hello World. Adding a negative sign causes the expansion to occur from the end of the string. For example, if you type Echo %MyVariable:~-5% and press Enter, you see World as the output.

The Set command is a valuable addition to both the administrator’s and programmer’s toolkit because it lets you set environment variables temporarily. The Set command figures prominently in batch file processing and also provides configuration options for specific needs. Let me know about your environment variable questions as they pertain to my books at John@JohnMuellerBooks.com.