Web Security, A Lot More Complicated Than It Seems

I recently finished writing Security for Web Developers. During the months that I worked on the book, I became aware of a serious problem in the reporting, handling, and supposed fixes for the problem of web security—everyone seems intent on making things fast and easy. Depending on the source, you also see a fair amount of finger pointing at play. Sources put the blame on just one or two entities in most cases. Unfortunately, the picture is far more complex than simply applying a bandage to one or two potential security problem sources. I started understanding the problem when I wrote HTML5 Programming with JavaScript for Dummies and CSS3 for Dummies, but it wasn’t until I wrote this book that I began to understand the true enormity of the problem. It isn’t just one or two or three sources—it’s all the sources combined. In this latest book I explore a lot of different sources of security problems and provide advice on how to overcome these issues to some extent.

  • Users
  • Application Developers
  • Third Party Library, API, and Microservice Providers
  • Administrators and Other IT Staff
  • Product Distributors
  • Data Service Providers

Many other groups appear in the book as well. The more I dug, the more I found that just fixing one problem or educating one group wouldn’t solve anything. Hackers look for easy ways to gain access to applications and the current system provides them with plenty of opportunities. The current strategy of responding to just one potential threat will continue to fail simply because the hacker will move on to another threat. Unless an organization is willing to take a holistic approach to security, hackers will continue to enjoy overwhelming success without a whole lot of work. In writing Security for Web Developers, I attempted to provide a broader view of the security picture so that development teams that include all of the stakeholders involved in an application effort can finally work together to resolve the security issues in their individual areas of expertise (including users who are susceptible to too many kinds of attack to mention).

A reader recently asked me whether the strategies in my book will prevent attacks, which is a loaded question and one that is hard to answer. My view of security is that a determined hacker will always gain entrance to your system, so you must remain vigilant at all times. If someone wants your data, they’ll gain access, but if you’re equally vigilant, you can keep the damage to a minimum. For that matter, you might be able to prevent any real damage. However, you need to realize that no security measure you take is going to succeed all the time.

What my book does is help make your system less appealing. In other words, if a hacker is just looking for a system to invade and not specifically your system, then making your system less appealing will see the hacker move to other systems. Like anyone else, a hacker seeks to minimize effort and maximize gain. Making your system less appealing by employing a holistic security approach will increase the effort the hacker must employ and make it less likely that the hacker will continue probing.

Unless you really want to see your organization’s name join the victim list in the trade press, you really do need to employ security across an organization, which means vetting software fully, educating users, having appropriate policies in place, reviewing software before placing it in production, and so on. Using just one or two measures simply won’t work. Let me know if you have questions regarding my upcoming book at John@JohnMuellerBooks.com.

 

Security = Scrutiny

There is a myth among administrators and developers that it’s possible to keep a machine free of viruses, adware, Trojans, and other forms of malware simply by disconnecting it from the Internet. I’m showing my age (yet again), but machines were being infected with all sorts of malware long before the Internet became any sort of connectivity solution for any system. At one time it was floppy disks that were the culprit, but all sorts of other avenues of attack present themselves. To dismiss things like evil USB drives that take over systems, even systems not connected to the Internet, is akin to closing your eyes and hoping an opponent doesn’t choose to hit you while you’re not looking. After all, it wouldn’t be fair. However, whoever said that life was fair or that anyone involved in security plays by the rules? If you want to keep your systems free of malware, then you need to be alert and scrutinize them continually.

Let’s look at this issue another way. If you refused to do anything about the burglar rummaging around on the first floor while you listened in your bedroom on the second floor, the police would think you’re pretty odd. More importantly, you’d have a really hard time getting any sort of sympathy or empathy from them. After all, if you just let a burglar take your things while you blithely refuse to acknowledge the burglar’s presence, whose fault is that? (Getting bonked on the back of the head while you are looking is another story.) That’s why you need to monitor your systems, even if they aren’t connected to the Internet. Someone wants to ruin your day and they’re not playing around. Hackers are dead serious about grabbing every bit of usable data on your system and using it to make your life truly terrible. Your misery makes them sublimely happy. Really, take my word for it.

The reason I’m discussing this issue is that I’m still seeing stories like, “Chinese hacker group among first to target networks isolated from Internet.” So, what about all those networks that were hacked before the Internet became a connectivity solution? Hackers have been taking networks down for a considerable time period and it doesn’t take an Internet connection to do it. The story is an interesting one because the technique used demonstrates that hackers don’t have to be particularly good at their profession to break into many networks. It’s also alarming because some of the networks targeted were contractors for the US military.

There is no tool, software, connection method, or secret incantation that can protect your system from determined hackers. I’ve said this in every writing about security. Yes, you can use a number of tools to make it more difficult to get through and to dissuade someone who truly isn’t all that determined. Unfortunately, no matter how high you make the walls of your server fortress, the hacker can always go just a bit further to climb them. Headlines such as “Advanced Attackers go Undetected for a Median of 229 Days; Only One-Third of Organizations Identify Breaches on Their Own” tell me that most organizations could do more to scrutinize their networks. Every writing I read about informed security says that you can’t trust anyone or anything when you’re responsible for security, yet organizations continue to ignore that burglar on the first floor.

There is the question of whether it’s possible to detect and handle every threat. The answer is that it isn’t. Truly gifted hackers will blindside you and cause terrifying damage to your systems every time. Monitoring can mitigate the damage and help you recover more quickly, but the fact is that it’s definitely possible to do better. Let me know your thoughts about security at John@JohnMuellerBooks.com.

 

Java 7 Patches and Future

It’s always important to keep your software updated with the latest patches. This is especially true with Java because so many hackers target even the smallest weaknesses. According to a recent ComputerWorld article, Java 7 has reached the end of its public life for updates. You need to upgrade to Java 8 in order to continue receiving free updates from Oracle. The rapid pace of updates that vendors rely on now is made necessary by hackers who apparently create malware updates even faster. Even at the fast release pace that Oracle is using, the malware just keeps rolling out. In other words, as a developer you need to exercise proactive coding to keep security risks at bay, in addition to relying on Oracle and other vendors for help.

A number of people have asked me about updates to Java eLearning Kit for Dummies. As far as I know, the publisher currently doesn’t have plans for an update. Of course, that could change at some point. Until the next update, however, the examples I’ve tested with Java 8 work fine on a Windows system. I’ll be performing additional testing on both OS X and Linux. However, I don’t have quite the number of people testing the book code as I had when I wrote it. If anyone does encounter a problem with the code, I’d greatly appreciate hearing about it at John@JohnMuellerBooks.com. I can’t guarantee that I’ll be able to fix absolutely every issue, but I’ll try to find workarounds and publish them on the blog for you.

As always, please don’t send me your personal code—I only work with book-specific code. Using the downloadable source is always the best way to get the most you can from a book. I’ve also created the Using My Coding Books Effectively post to help you get the most from my books. It’s important to me that you get the most you can from my books.

 

Considering Our Future Cyber War

It’s not if a cyber war will happen, but when. Precisely what form such a war will take depends on the perpetrators and their goals. I’ve spent quite a bit of time discussing the relative insecurity of the Supervisory Control and Data Acquisition (SCADA) systems out there. However, I’m only assuming that SCADA is going to be targeted at some point because it’s such low hanging fruit and no one seems to have any interest at all in securing it. Plus, the attack would be of the sort that we’d have a hard time defending against (and possibly identifying at first as the hospitals fill with victims of some mysterious problem).

I recently read an article by John Dvorak entitled, “What if Facebook Is Hacked Next?” John makes some excellent points, but probably doesn’t go far enough. Why would an attacker stop with just Facebook? Why not attack all of the sources of social media out there, including places like LinkedIn and Twitter? The confusion created by the loss of all social media would be amazing. It could easily act as a smokescreen for some other activity even more devastating than the loss of data. While everyone is scrambling to fix their social media issues, someone could work in the background to do something truly horrible.

Actually, the attacker might not even have to do anything other than disrupt all online activities. Think about the number of jobs lost, the hit to online commerce, and the other problems that such an attack would cause. Perhaps these people are simply waiting until more brick and mortar stores close so that people no longer have local resources to help in such an emergency. For example, think about the problems that the loss of online stores would cause for IT professionals who maintain huge networks of computer systems. The potential for truly terrifying results is amazing.

A cyber war is coming. Just when it will arrive is the topic of much speculation, but my feeling is that it’ll come sometime soon. What sorts of security measures do you have in place? Have you done anything else to prepare? Let me know about your thoughts on cyber war at John@JohnMuellerBooks.com.