Death by Connected Device

The title for this post is dramatic on purpose. In my book, Accessibility for Everybody: Understanding the Section 508 Accessibility Requirements, I describe all sorts of useful technologies for making the lives of those with special needs better. In fact, this particular book has received so much attention that I’ve expanded its coverage significantly by devoting forty (and counting) posts to it. Implanted devices will continue to be a part of our lives and their use will only increase, which is why articles such as Cyber crime: First online murder will happen by end of year, warns US firm, have me more than a little concerned. We’re all in line for a major wake-up call at some point if something isn’t done to secure the Supervisory Control and Data Acquisition (SCADA) systems we all rely on to connect devices to the Internet today. The hardware, software, and other functionality required to make everything happen is encapsulated in a technology known as the Internet of Things (IoT). Soon, everyone will know about IoT, but few people will know or understand the underlying SCADA systems that go with it.

The part of the articles that I’ve read so far that intrigues me most is that politicians and others in the know have been disconnecting themselves from the Internet. Note the mention of Dick Cheney disconnecting himself from the wireless part of his implanted device in the aforementioned article. If the devices and their connections were secured, our former vice president wouldn’t be quite so worried. Unfortunately, the rest of us probably won’t be quite so lucky unless we refuse to have the devices implanted at all (which would seem to be a self-defeating stance to take). I’ve actually been discussing this issue for quite some time now. The latest significant treatment of the topic appears in my An Update On Special Needs Device Hacking post. I’ve also broached the topic in Determining When Technology Hurts. The point is that this issue isn’t new, but we certainly haven’t done anything about it.

Will it actually require a slew of front page news stories depicting people assassinated through their implanted devices for someone to get the idea that there are really awful people out there who would like to kill someone (anyone) with impunity? It seems to be the case. So, now we’re seeing stories about the event actually taking place sometime soon. Even if we don’t see someone killed, I can see a situation where people have money extorted from them by hackers who have gained illegal access to their implanted devices.

I’m all for the advancement of technology that has significant potential to help people. I’ve written more than a few posts on the topic. Helping people to walk, see, hear, touch, and have generally better lives is a great idea in my book. However, the time is long past for securing these devices in a meaningful way so that only those who really need access will actually get it. Just why there hasn’t been any legislation regarding this need is beyond me. Our politicians are obviously aware of the problem and have done the work required to protect themselves, but they don’t seem to be in much of a hurry to protect their constituents.

Given what I’ve seen in the past, I’m sure the medical community won’t be in any hurry to secure these devices because security has been a legislated requirement in the past. With this in mind, what do you feel needs to happen with these devices to make them a better deal for those who need them? Let me know your thoughts about the lack of security for implanted devices and devices connected to IoT in general at [email protected].

 

Death of Windows XP? (Part 4)

The last post, Death of Windows XP? (Part 3), was supposed to be the last word on this topic that won’t die, but as usual, it isn’t. The hackers of the world have figured out a new and interesting way of getting around Microsoft’s plan to kill Windows XP. It turns out that you can continue to get updates if you’re willing to use a registry hack to convince Windows Update that your system is a different version of Windows that is almost like Windows XP Service Pack 3, but not quite. You can read the article, How to get security updates for Windows XP until April 2019, to get the required details.

The hack involves making Windows Update believe that you actually own a Point of Sale (POS) system that’s based on Windows XP. The POS version of Windows XP will continue to have support until April of 2019, when it appears that Windows XP will finally have to die unless something else comes along. It’s important to note that you must have Windows XP Service Pack 3 installed. Older versions of Windows XP aren’t able to use the hack successfully.

After reading quite a few articles on the topic and thinking through the way Microsoft has conducted business in the past, I can’t really recommend the registry hack. There are a number of problems with using it that could cause issues with your setup.

 

  • You have no way of knowing whether the updates will provide complete security support for a consumer version of Windows XP.
  • The updates aren’t specifically tested for the version of Windows XP that you’re using, so you could see odd errors pop up.
  • Microsoft could add code that will trash your copy of Windows XP (once it figures out how to do so).


There are probably other reasons not to use the hack, but these are the reasons that come to mind that are most important for my readers. As with most hacks, this one is dangerous and I do have a strong feeling that Microsoft will eventually find a way to make anyone using it sorry they did. The support period for Windows XP has ended unless you have the money to pay for corporate-level support. It’s time to move on.

I most definitely won’t provide support to readers who use the hack. There isn’t any way I can create a test system that will cover all of the contingencies so that I could even think about providing you with any support. If you come to me with a book-related issue and have the hack installed, I won’t be able to provide you with any support. This may seem like a hard-nosed attitude to take, but there simply isn’t any way I can support you.

 

Death of Windows XP? (Part 3)

Questions continue to come in from readers who are still using Windows XP despite the fact that Microsoft is only marginally supporting it. Yes, it’s the operating system that refuses to die and readers really are confused as to why Microsoft has decided to kill what is obviously a popular operating system. They’re in good company. In fact, some authors, such as John Dvorak, have gone a lot further in their negative comments regarding the demise of Windows XP. The point is that Microsoft is quite determined to force anyone they can into using Windows 8.1, whether it works for them or not. It doesn’t seem to matter that people still have perfectly usable systems that are happily running Windows XP without problem.

My first two posts on this topic, Death of Windows XP? and Death of Windows XP? (Part 2) should have addressed any questions that people reading my books might have. Essentially, I recommend updating to Windows 7 (for business users) or Windows 8.1 (for consumers) when your hardware begins to die of old age or your needs change.

 


I no longer have access to a Windows XP system, so I’m not able to provide support for my old Windows XP books at this point in time. If you have one of my old Windows XP books, you’ll need to use it as is. I haven’t purposely gone out of my way to orphan the books, but the technology is old and I simply don’t have the resources to provide support for these books any longer. In addition, none of my current programming books are designed for Windows XP developers.

In the meantime, you need to ensure that you get security updates. Microsoft has extended a limited level of security support until 14 July 2015 that includes malware signatures and the associated engine. You won’t receive any sort of bug fixes. In order to enhance the security of your environment, you may want to consider these changes to your system:


  • Use a browser that receives regular security upgrades, such as Chrome or Firefox (IE is a bad choice because Microsoft won’t update it).
  • Remove any software that is prone to security problems, such as Java.
  • Rely on an account with limited privileges, rather than use the Administrator account.
  • Update any application software as often as is possible.
  • Keep the number of installed applications as small as is possible.
  • Examine your system (especially your hard drive) for signs of intruders (such as unexplained processes) on a regular basis.
  • Stay offline whenever possible.

These strategies can help you out for a while, but they’re short term solutions. Eventually, you need to go offline permanently (such as when using the system to run older games) or upgrade to something newer. Please let me know whether you have any additional questions about Windows XP and how it affects support for my books at [email protected].

Red Herrings

Whenever a new exploit surfaces, such as Heartbleed, and the media focuses all its attention on it, I have to wonder whether the exploit may not be a red herring—a bit of misdirection used to keep our attention focused anywhere other than it should be. It’s true that this exploit is quite terrible. It affects any server running Secure Sockets Layer (SSL) and Transport Layer Security (TLS) software based on OpenSSL, which is actually supposed to protect people engaged in confidential transactions. Supposedly, Windows and OS X servers are immune to the exploit, but these servers often rely on services offered by servers that are affected, so everyone is suspect at this point. It’s my understanding that the exploit is incredibly easy to implement and doesn’t leave any trace once the perpetrator has gone. Fortunately, there are also ways to fix the problem and most sites will likely have it fixed within a couple of days.

The exploit is an eye opener for users who have grown complacent about Internet use over the years. Most of the articles I read about Heartbleed don’t even address the user, but the user is the real loser. It’s the user’s information that is gone forever without a trace and the user who will likely bear the brunt of the financial problems caused by Heartbleed. Even if a company is forced to pay some sort of compensation to the user for the loss of information, the compensation will never fully repay the user for the inconvenience and loss of reputation that such an exploit causes. Unfortunately, the user continues to pay a price long after the exploit is forgotten in the form of lost opportunities and an inability to make use of certain services due to a loss of reputation caused by the exploit.

However, I began this post by talking about red herrings—the misdirection often found in the plot of detective novels. I find it interesting that this bug was introduced in December 2011 and is only now making headlines. This means that Heartbleed was a usable, viable means of grabbing information surreptitiously for over two years. It makes me think that there must be other kinds of exploits of this sort that nefarious individuals are currently using to grab every last bit of information possible about you. All the media attention on this one particular exploit is taking the spotlight off those other exploits. Perhaps Heartbleed has outlived its usefulness and was actually made visible by the hacker community on purpose for the purpose of hiding the true activities of these individuals. Of course, there is no way of knowing.

What all this leads me to believe is that individuals must exercise good judgement when engaging in online activities of any sort. No one will fix your credit report or reputation once ruined and counting on the financial community to make amends simply won’t work. These people are rich for a reason—they know how to hold onto their money (as in, you won’t get any). In addition, software is always going to contain errors because programmers are human, so you must count on future exploits every bit as bad (or potentially worse) than Heartbleed. With this in mind, consider taking these suggestions to moderate your online behavior and make it a little more safe.

 

  • Use strong passwords that are easy to remember so you don’t have to write them down.
  • Change your password relatively often (every month or two works pretty well).
  • Use different passwords on every site you visit.
  • Never engage in transactions of any sort with any organization you don’t know.
  • Rely on a single credit card for financial transactions and never use the credit card for any other purpose (better yet, rely on an online-specific financial aid such as PayPal).
  • Don’t expose more information about yourself than necessary.


There are other ways in which you can protect yourself, but if you follow these few techniques, you can avoid a considerable number of security issues. The point is that Heartbleed is a scary exploit and there are probably a hundred other exploits, just as scary, already in play out there. Someone will always want your information and just handing it over to them seems like a bad idea, so take steps to personally keep your information secure. Let me know your thoughts about security red herrings at [email protected].

 

Your Security is an Illusion

I receive a number of queries about security from administrators and users every month, and many of these questions have links to all sorts of security issues that have occurred recently, everything from National Security Agency (NSA) spying to the Target security breach (incidentally, a number of other businesses have been attacked in the same manner). The fact of the matter is that books such as Administering Windows Server 2008 Server Core, Microsoft Windows Command Line Administration Instant Reference, and Windows 8 for Dummies Quick Reference have been telling you all along that security is a matter of vigilance: software will never do the job alone. Even so, readers keep sending requests for some sort of magic bullet that will allay all their fears and make the task of security automatic.

Maintaining a reasonably secure system is a matter of observing personal, data, and system-wide best practices, something that SeedboxCo.net could help with if you’re unsure about how to go about it. Many other authors have listed these best practices in the past, but here are some of the techniques that people fail to use most often:

  • Use complex passwords that are easy to remember so you don’t need to write them down. Consider using a passphrase whenever possible.
  • Change your password reasonably often and don’t rely on the same set of passwords all the time.
  • Keep your passwords secret so that no one else can abuse them.
  • Encrypt your data.
  • Perform local data backups regularly.
  • Ensure your applications remain updated with the latest security fixes.
  • Update your system as needed to ensure it provides a full set of modern security features.
  • Install security applications that check the incoming and outgoing flow of data, and block anything that looks remotely dangerous.
  • Check your system regularly for any files, folders, software, or other items that look out of place.


This list doesn’t even include some of the common user foibles, such as opening e-mail from parties they don’t know. In addition, none of these techniques are automated. You have to perform them manually in order to get the benefits they provide. Yes, it’s true that some of the techniques are automated once you start them, but you still have to start them. For example, installing security software will automatically monitor the data flow on your system, but you still have to install the security software manually.

Even with all of these security measures in place, someone who is truly determined can break into your system. You should simply count on it happening at some point, even if you’re incredibly careful. When a security breach does occur, you need to have a contingency plan in place.

Any good contingency plan will include a method of evaluating the damage caused by the security breach. You need to know just what was compromised and what the fallout of the compromise will be. Make sure that you are open and honest with your customers at this time as failure to do so can lead to other consequences. Silencing employees who speak out is even worse – you don’t want to juggle a legal fight with a whistleblower lawyer at the same time as cleaning up a data breach – so remain open to conversation at this time. Even individuals experience fallout from security breaches, such as identity theft. Once the damage is evaluated, you need a method for fixing the problems it has caused. In some cases, you may actually have to format the drive and start from scratch, which is where that data backup is going to become critical.

There is no magic bullet when it comes to security. Over the years I’ve searched, in vain, for a magic bullet and it isn’t even possible to conceive of one. Therefore, it’s the user and administrator who are best prepared for the eventuality of spying and security breaches that are in the best position to handle it later. Let me know your thoughts on security at [email protected].

The Myth of the Unbreakable Password

Complete books have been written about the topic of security and the correct way to create passwords. Each expert claims that if you only adhere to the conventions that he or she sets forth, that your computer will be safe. Let me say up front that the unbreakable password is a myth. Yes, you need to come up with something a lot better than “Secret” or your birthday, but be assured that any password you use is breakable. In fact, in the real world, what you’re striving to do is create a password that takes longer to break—realizing that anyone who really wants access to your system will gain it. Computer hardware has become so powerful that seemingly unbreakable cryptography is quite vulnerable today.

Many security experts want you to use completely undecipherable passwords such as @f*/L12-X]. If you can’t come up with a good password of your own, PCTools actually provides a generator to create one for you. If you’re unsure about the safety of your password, you can have it checked to determine how long it would take to crack. (Unfortunately, the number you get isn’t completely realistic because computer technology for cracking passwords improves all the time, as does the capability of the hardware used to crack it.) Of course, it would be absolutely impossible to remember such a password, so anyone having such a password is going to write it down. All someone has to do is pose as a janitor and pick up all the yellow stickies that have the password printed on them (or write them down as they pass through to avoid suspicion). For that matter, social engineering attacks can often yield passwords through a phone call in a few minutes.

Because truly secure passwords are the stuff of science fiction, other experts have come up with the passphrase. A passphrase such as “My yellow car is gr8!” theoretically has a long crack time and is easy to remember. Unfortunately, recent advances in cracking technology seem to make passphrases a bad bet too. It seems that the crackers now use grammar as part of their strategy to figure out your password. They use applications to figure out the most common words that would come in a sequence of words.

The advice today is to use unrelated words separated by special characters—something I have advocated in any book I write that contains information about security. A password like “Elephant*Green?H3llo” is infinitely easier to remember than @f*/L12-X], but still quite secure. Even so, if someone is determined, they can combine a dictionary attack with some brute force techniques and discover your password in a reasonable amount of time—assuming you don’t simply give it to them as part of a social engineering attack.
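The trade-off described above can be put into rough numbers. The following is an added example, not part of the original post: it compares the naive brute-force search space of the two sample passwords with the much smaller space a dictionary-plus-mangling search would cover. The wordlist size, variants per word, guessing rate, and the tiny `SAMPLE_WORDS` set are all constructed assumptions.

```python
import math
import re
import string

# Constructed parameters for illustration; none of these figures come from the post.
WORDLIST_SIZE = 20_000                    # assumed size of the attacker's dictionary
VARIANTS_PER_WORD = 16                    # assumed capitalisation/digit-swap variants per word
SEPARATOR_POOL = len(string.punctuation)  # 32 printable ASCII symbols
GUESSES_PER_SECOND = 1e10                 # assumed offline guessing rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Tiny constructed stand-in for a real dictionary, just large enough for the samples.
SAMPLE_WORDS = {"elephant", "green", "hello", "yellow", "car"}

# Common digit-for-letter swaps that a word-mangling rule would undo.
UNSWAP = str.maketrans("013457", "oieast")


def charset_size(password):
    """Size of the character pool a blind brute-force search has to cover."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    size = sum(len(pool) for pool in pools if any(c in pool for c in password))
    if size == 0:
        raise ValueError("password contains no printable ASCII characters")
    return size


def brute_force_bits(password):
    """Bits of search space if every character is guessed independently."""
    return len(password) * math.log2(charset_size(password))


def hybrid_bits(password):
    """Bits of search space for a words-plus-separators guesser.

    Returns None when the password is not built from dictionary words
    joined by single symbols, because the model does not apply to it.
    """
    words = re.split(r"[^A-Za-z0-9]", password)
    separators = re.findall(r"[^A-Za-z0-9]", password)
    normalised = [w.lower().translate(UNSWAP) for w in words]
    if not all(w in SAMPLE_WORDS for w in normalised):
        return None
    per_word = math.log2(WORDLIST_SIZE * VARIANTS_PER_WORD)
    per_separator = math.log2(SEPARATOR_POOL)
    return len(words) * per_word + len(separators) * per_separator


def effective_bits(password):
    """Strength against whichever of the two searches is cheaper."""
    brute = brute_force_bits(password)
    hybrid = hybrid_bits(password)
    return brute if hybrid is None else min(brute, hybrid)


def average_crack_years(bits, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password: half the search space at `rate`."""
    return 2 ** (bits - 1) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("@f*/L12-X]", "Elephant*Green?H3llo"):
        print(f"{pw!r}: brute force {brute_force_bits(pw):.1f} bits, "
              f"effective {effective_bits(pw):.1f} bits, "
              f"about {average_crack_years(effective_bits(pw)):.0f} years on average")
```

Under these assumptions the three-word password looks twice as strong as the random one to a blind brute-force estimate, yet lands at roughly the same effective strength once the guesser works from words, so adding a fourth unrelated word does more than adding symbols.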

There are technologies that promise to make it harder for crackers to gain entry to a system, but they’re usually complicated. For example, you can add a retina (iris) scanner or thumbprint reader to improve security, but that means an additional purchase, specialized software, training, and other costly changes to your setup. Security cards are another option, but again, you have additional costs to consider and the use of a security card is open to social engineering attacks (unlike a person’s thumb or retina, which are firmly attached). Most organizations still rely on passwords or passphrases in the interest of saving money, so creating usable, easily remembered passwords that truly are safe should be the focus of administrators whenever possible.

One new method of securing systems does appear in Windows 8. In this case, the system displays a picture when you start it up and you use gestures to circle or otherwise identify pictorial elements in place of typing a password. There are some experts who are already saying the feature is easily cracked. It seems as if the technique would be unwieldy with a mouse and it has already been said that most people aren’t buying touch screens to use with Windows 8 (see my Some Interesting Windows 8 Information post for details), so this security feature may be a non-starter for most organizations.

Passwords and passphrases won’t likely go away soon, so the best approach for most users and administrators is to create a system where passwords are complex, easily remembered (and therefore, not written down), and changed relatively often. The combination of these three elements should make your PC safer from crackers. However, the best security is vigilance. Check your system for intrusion often. Rest assured, someone who really wants to get in will do so and without too much effort. Let me know your thoughts about passwords at [email protected].

 

Virus Scares and Hoaxes Galore

It seems as if the holiday season can bring out the worst in some people for whatever reason; I have never figured out why. My inbox is sometimes packed with e-mail from concerned readers about this hoax or that virus. I read about viruses and hoaxes galore online as well. It seems as if there is an upsurge every year in the number, variety, and severity of these complete wastes of time. In my book, the people who perpetuate these sorts of things are either ill-informed or simply sad. If all of the energy that goes into creating these scares would go instead into some productive use, I can’t even begin to imagine the benefit to mankind as a whole. Instead, we have readers running about like Chicken Little exclaiming that the sky is falling. Of course, if a pandemic actually were to happen in the future, we would have to worry about what information was true and what wasn’t. This could cause a lot of confusion, especially if we had to make a tough decision during a global crisis. I hope the government would take the lead in tackling any misinformation, or at least produce an official US list of open states should we find ourselves in a lockdown. We want to be able to trust what we hear, read, and see. If we can’t do that, it will cause a lot of issues and maybe even cost lives.

John Dvorak ran an article in his blog the other day entitled, “Did You Fall for the Facebook Hoax?” I’m not too thrilled about some of the language he used, but the information he provides is right on the mark. You can probably sum it up as, “Anything that sounds too good, weird, or evil to be true, probably isn’t.” Of course, most of us want to be sure that something really is a hoax, so it pays to check out Hoax Busters, VMyths, or Snopes.com, just to be certain. These sites track all of the current myths and hoaxes out there, so you can see the basis for that hoax that arrived in your e-mail this afternoon. The point is that hoaxes aren’t real and you shouldn’t believe them, even a little.

When it comes to viruses, you can be sure that the Internet is plagued with them. Tomorrow I fully expect to see an article about the next major virus that will take down the Internet after emptying every bank in the world of funds. Yes, civilization will cease to exist with the next virus created by the cracker (a black hat hacker who uses his/her skills for ill, rather than good) who works only at midnight in a darkened room above a garage.

The fact is that viruses are real, but crackers often attack the least prepared Web surfers just as any other thief attacks the unsuspecting person on the street. There are enough people who are ill prepared to work on the Internet that crackers really don’t have to worry about creating a truly devastating virus that will invade every network on the planet. For one thing, it’s a waste of the cracker’s time; for another, most viruses have a relatively short active life before someone comes along with a fix that prevents them from spreading. Crackers know this, so they create viruses that work well enough for the time they expect the virus to be active, and then the cracker moves on to something else.

In general, a computer system can be invaded by a virus at any time, just as you can get a cold at any time. You tend to catch colds when your bodily defenses are down. The same holds true for your computer. When you let your computer defenses down, it has a better chance of getting a virus. However, even with the best defenses, there is a small chance you could still get a virus, but being prepared significantly reduces the risks. Here are five things you can do to ensure you’re prepared for a virus attack.

  1. Keep your virus protection updated.
  2. Install all of the required patches for your operating system and applications.
  3. Don’t open an e-mail from someone you don’t know, no matter how tempting the message might be (remember Pandora’s Box).
  4. Don’t go to sites you don’t trust.
  5. Keep your browser locked down so that it doesn’t automatically execute code when you visit a site. This means setting your browser to disable both JavaScript and Java support. Most browsers have an exception list you can create for sites you trust, so these sites will continue to work as they always have.


When you follow these five guidelines, you have a very good chance of avoiding viruses on your computer. The next time you see an e-mail message containing a hoax or trying to get you excited about the latest virus that will take down the Internet, consider the fact that these sorts of messages have been going around the Internet for quite a long time now and we have yet to see a major Internet down time. Let me know your thoughts about viruses and hoaxes at [email protected].

Social Networking Traps

I recently read an article on ComputerWorld entitled, “‘Girls Around Me’ shows a dark side of social networks.” It isn’t the first time that FourSquare and Facebook have gotten press for their lack of respect for user privacy and it won’t be the last. Even the social network I use, LinkedIn, has received more than a few black eyes in the privacy arena. Any time you engage in any sort of social network, everything that you upload is going to be treated as someone’s personal data source. You have no choice about it. Absolutely everything you upload, from your name and picture, to the last time you updated the list of things you’re interested in, will be used by someone for some purpose other than the one you envisioned—count on it!

Yes, these social networks help you maintain your relationships with friends and they do provide a means of creating professional networks with others. However, if you think that these companies are running these social networking sites out of the goodness of their hearts, think again. These companies run these sites to obtain any personal information about you that they can. The information is used to generate demographics, to spam your inbox with e-mail you never wanted, and to keep outsiders informed about your activities. If you engage in any sort of social networking, someone is spying on you and they’re doing it with the blessing of the company that hosts your page. In short, if you don’t want someone misusing a piece of your information, keep it to yourself because these organizations have no self-control in misusing your information.

What does surprise me is that anyone thinks that this old news is even worth printing. Do people not understand that the naked pictures they posted of themselves at an illegal party will have long lasting effects? If you think that there is any help coming from the government, think again. In the US, at least, there isn’t any chance whatsoever that the government will take a stand on employers and others probing every dark secret you’ve ever posted. Lest you think that you can take a stand and simply not allow access to your information, think again. People have gotten fired for refusing to share their secrets. Anything you post also lasts forever, like some sort of terrifying tattoo that you can’t scrub clean. I’ve used special search engines like the Wayback Machine to dig up material that the author was certain was scrubbed from the Internet forever. Get used to the idea that once you upload a picture, make a statement, or do something else weird on the Internet, the material is going to last forever whether you want it to or not and someone is going to dig it up to embarrass (or harass) you at the most inconvenient moment.

I’ve used social networking professionally. It helps me make contacts with other professionals so that I can get consulting or editing jobs. With this in mind, I keep my posts professional. I try not to post anything I think could be embarrassing later. Obviously, I’ve made mistakes, just like everyone does, but nothing of a gross nature. Still, these little errors have crept up in the past when talking with others. It begins innocently enough…but you said, “So and So” on your LinkedIn page. Didn’t you really mean that? As much as a misstatement makes me shuffle in my seat, I can only imagine the terror of someone finding a picture that was supposed to be viewed by friends alone.

The short version of all this is that you need to use social networking carefully. Share only what you want people to see forever. Write your posts and save them as drafts—let them sit a day or two before you actually publish them. Don’t think that your Web site or blog are safe either; both are often used as weapons against their authors by unscrupulous people. It’s a new world out there. Social networking has made it possible for more people to find out more information about you faster than ever before. The life you ruin could be your own! Let me know your viewpoint on social networking and privacy at [email protected].

 

Understanding the Relative Insecurity of SCADA Systems

It wasn’t long ago that I wrote about how Supervisory Control and Data Acquisition (SCADA) systems affect those with special needs in Security and the Special Needs Person. I then posted an update on that original message in An Update On Special Needs Device Hacking. In both cases, I decried the lack of security for SCADA systems that affect those with special needs. I realize that only a truly nasty person would turn off someone’s insulin pump in order to kill them, but our world is unfortunately filled with some pretty nasty people.

One person (who shall remain nameless) wrote to tell me that it was fine that I was worried about special needs people, but that he wasn’t worried about it because these problems don’t affect him. Well, let’s say that you truly are superhuman and will never once need to use any sort of special needs device in your entire life (statistically, you’d really need to be superhuman or die early). Let’s put the whole SCADA issue in another light. Let’s look at your car.

Your car contains SCADA systems. Those ads you see for turning your car on, opening the windows, flashing the lights, and so on using a cell phone are really telling you about the SCADA systems in your car. If you can access your car using a cell phone, someone else can do the same thing. All they need to do is break the security, which someone has already conveniently done for them. CNET News recently ran an article about how an expert hacker had broken into a car.

Imagine now that you’re on an off-ramp. There are cars crowding you on both sides. A crook uses his cell phone to turn off your car engine and unlock the doors. Bam, you’re suddenly in a world of hurt because the car manufacturer thought it would be a neat idea to let you control your car using a cell phone. I have to wonder why such control is even necessary. Does it even serve a useful purpose? If so, why can’t it be secured better?

Of course, not everyone drives. So, let’s look at another SCADA issue. A recent InfoWorld article states bluntly that our water system is already under attack by hackers. Sure, the hackers are only kicking the tires of their new toy for now, but how long do you think they’ll wait to do something truly terrifying to your water supply? The experts have been warning about this sort of attack for quite some time, but everyone ignored them as being sensationalists. The sad thing is that the experts probably didn’t scream loud enough this time.

Someone out there is probably thinking that the bad guys can overcome physical security too. You’re right, of course. Someone can remove a padlock, jimmy a car, and overcome physical security in all sorts of other ways. The point is that the bad guy has to be in physical contact with the object to overcome it when you’re using physical security. In addition, if you’re nearby, a physical security system often buys you enough time to call the police or obtain help in some other way. The remote control nature of SCADA systems makes it possible for someone to break into the system and do something nasty with it long before you’re even aware of the intruder.

SCADA systems make a modern world possible by allowing remote control of many of the devices that we need to live. I can fully understand how a utility would need to monitor and control a system from a remote location, and how such control actually makes the system safer. However, it’s time that we realize that these systems are dangerous in the wrong hands and that we need to do something about them before a major accident occurs. Here are some ways to make SCADA systems better:

  • The SCADA systems we do need should be secured better.
  • All SCADA systems should be restricted to wired connections only and those wired connections should be on a private, secure, network.
  • Researchers should be advised not to research break-ins for hackers to use (and then publish them for the whole world to see).
  • Our society also needs to seriously consider where SCADA systems can be removed.

Remote control is a two-edged sword and you can bet the bad guys have no compunction about playing dirty—count on them not following the rules. If there is a way for you to access something, the bad guys will find a way to access it too. Let me know what you think about the threat of SCADA system break-ins at [email protected].

Security Implications of the AT Command

I read the security post provided by Roger Grimes with interest this morning because I’ve always felt that the Task Scheduler is just another entry point for viruses and the like on any system. As he mentions, it’s an avenue that many administrators fail to check because they don’t really think about it. As Roger points out, there are three ways to add new entries, but this post focuses on the oldest of the three, the AT command.

Before you can interact with the Task Scheduler, you must have its service started. This is a given on Vista and Windows 7, where Windows relies heavily on the Task Scheduler. However, you’ll want to read my Interacting with the Task Scheduler Service for details about this service. It’s important to have the service set up correctly in order to work with it error free.

The AT command is the oldest way of working with the Task Scheduler. At one time you could access it from the command prompt even if you weren’t an administrator. This meant that any virus or other piece of nasty software could cause woe without notice on your part. However, if you try to use the AT command at a normal command prompt in Windows 7, you’ll receive an Access Denied error message, which is at least a start in the right direction.

To use the AT command to create a new entry, you must provide a time and command as a minimum. For example, if you type AT 15:00 "Dir C:\" and press Enter, you’ll create a new task that starts at 3:00 p.m. on the current day. You’ll receive a numeric identifier for the task. The entry also shows up in the Task Scheduler console (found in the Administrative Tools folder of the Control Panel) as At plus the identifier, such as At1, as shown here.

[Screenshot: TaskSchedulerEntries01]

If you want to list the jobs created by the AT command, you type AT and press Enter. The AT command only lists those jobs that it creates—you won’t see any jobs created using other Task Scheduler techniques.

Likewise, to delete jobs using the AT command, you provide the identifier you received when you created the job along with the /Delete command line switch. For example, if the identifier for the task you created earlier in this post is 1, then you’d type AT 1 /Delete and press Enter. In this case, the AT command doesn’t provide any output. In order to verify that the job is actually gone, you must type AT and press Enter. Here’s what the command output from this session looks like.

[Screenshot: TaskSchedulerEntries02]

The true power of AT lies in remote access. For example, if you have an Administrator command line open, have a server named WinServer on your network, and possess administrator privileges on that server, you can type AT \\WinServer 15:00 "Dir C:\" and press Enter to create a command that starts at 3:00 p.m. (local time) on WinServer. It’s important to realize that the command will execute when it’s 3:00 p.m. on the server, not 3:00 p.m. on your system. You can likewise list and delete remote entries using the same commands you’d use for local entries. Again, the Task Scheduler console will display these entries, but only on the host machine (so you’d need to access that system remotely to see it from your local computer).

Windows 7 does make it harder to use the AT command, but not impossible. If an outsider should gain access to an account with administrator privileges, it wouldn’t take long for a virus to add all sorts of nasty commands to every machine on the network. As Roger comments in his post, administrators need to exercise vigilance in order to catch potential security issues such as this one. Let me know if you have any questions at [email protected].
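One way to put that vigilance into practice, as an added example that is not part of the original post or of Roger Grimes's article: a Python check that picks AT-created jobs out of `schtasks /query /fo csv /v` output collected from several machines, using the At-plus-identifier naming described above. The sample rows, the host WIN7-PC04, the English column names and the allowlist are constructed assumptions.

```python
import csv
import io
import re

# AT-created jobs show up in Task Scheduler as "At" plus the numeric identifier (At1, At2, ...).
AT_TASK = re.compile(r"^\\?At(\d+)$", re.IGNORECASE)

# Constructed sample: trimmed `schtasks /query /fo csv /v` output gathered from two hosts.
# Column names assume an English-language Windows installation.
SAMPLE = r'''"HostName","TaskName","Run As User","Task To Run"
"WINSERVER","\At1","NT AUTHORITY\SYSTEM","Dir C:\"
"WINSERVER","\AtlasBackup","CORP\svc-backup","C:\Tools\backup.cmd"
"HostName","TaskName","Run As User","Task To Run"
"WIN7-PC04","\At12","NT AUTHORITY\SYSTEM","cmd /c C:\Temp\job.bat"
"WIN7-PC04","\At12","NT AUTHORITY\SYSTEM","cmd /c C:\Temp\job.bat"
'''


def find_at_jobs(schtasks_csv):
    """Return (host, job_id, run_as, command) for each AT-created task, in input order."""
    seen, hits = set(), []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = (row.get("TaskName") or "").strip()
        match = AT_TASK.match(name)
        if not match:
            continue  # also skips header rows repeated in concatenated output
        host = (row.get("HostName") or "").strip().upper()
        key = (host, int(match.group(1)))
        if key in seen:
            continue  # the same job listed on more than one row
        seen.add(key)
        hits.append((host, key[1], row.get("Run As User") or "", row.get("Task To Run") or ""))
    return hits


def unapproved(hits, approved):
    """Keep the jobs whose (host, command) pair is not on the reviewed allowlist."""
    return [h for h in hits if (h[0], h[3]) not in approved]


if __name__ == "__main__":
    jobs = find_at_jobs(SAMPLE)
    # Hypothetical allowlist: the test job from the post is the only one reviewed.
    for host, job_id, run_as, command in unapproved(jobs, {("WINSERVER", "Dir C:\\")}):
        print(f"{host}: At{job_id} runs {command!r} as {run_as}")
```

Because the Task Scheduler console shows AT entries only on the host machine, feeding this check with output gathered from every host (schtasks accepts /s for a remote computer) gives one place to review them.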