Security = Scrutiny

This is an update of a post that originally appeared on July 22, 2015.

There is a myth among administrators and developers that it’s possible to keep a machine free of viruses, adware, Trojans, and other forms of malware simply by disconnecting it from the Internet. I was reminded of this bias while writing Machine Learning Security Principles because some of the exploits I cover involve air-gapped PCs. I’m showing my age (yet again), but machines were being infected with all sorts of malware long before the Internet became a connectivity solution for anything. At one time floppy disks were the culprit, but plenty of other avenues of attack present themselves. Dismissing things like evil USB drives that take over systems, even systems not connected to the Internet, is akin to closing your eyes and hoping an opponent won’t hit you while you’re not looking. After all, it wouldn’t be fair. To make matters worse, instructions for creating an evil USB drive are easy to find online. Whoever said that life was fair, or that anyone involved in security plays by the rules? If you want to keep your systems free of malware, you need to be alert and scrutinize them continually.
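One concrete form that scrutiny can take on a machine that is "safe" because it is off the network is a periodic review of which removable storage devices have ever been attached to it, together with a check that AutoRun is switched off. The following PowerShell script is an added example for this post; it is not code from the original article or from any vendor. It reads the standard Windows USBSTOR enumeration keys and the NoDriveTypeAutoRun policy value; the report layout and the pass/fail wording are this example's own choices.

```powershell
# Added example (not part of the original post): inventory of USB mass-storage
# devices Windows has enumerated on this machine, plus an AutoRun policy check.
# Run from an elevated PowerShell prompt on the machine being reviewed.

function Get-UsbStorageHistory {
    # Windows keeps one key per USB mass-storage device class under USBSTOR,
    # with one subkey per device instance (usually the device serial number).
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path -Path $usbstor)) { return @() }

    foreach ($deviceClass in Get-ChildItem -Path $usbstor) {
        foreach ($instance in Get-ChildItem -Path $deviceClass.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath
            [pscustomobject]@{
                DeviceClass  = $deviceClass.PSChildName   # e.g. Disk&Ven_...&Prod_...&Rev_...
                SerialNumber = $instance.PSChildName
                FriendlyName = $props.FriendlyName        # may be empty for some devices
            }
        }
    }
}

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun = 0xFF (255) disables AutoRun for every drive type.
    # The machine-wide policy key is checked first, then the current user's.
    $policyPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($path in $policyPaths) {
        $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($value -eq 255) { return $true }
    }
    return $false
}

# Report: anything in this list that nobody recognizes deserves a question.
$history = @(Get-UsbStorageHistory)
Write-Host ("{0} USB storage device instance(s) recorded on this machine:" -f $history.Count)
$history | Format-Table -Property DeviceClass, SerialNumber, FriendlyName -AutoSize

if (Test-AutoRunDisabled) {
    Write-Host 'AutoRun policy: disabled for all drive types (NoDriveTypeAutoRun = 0xFF).'
} else {
    Write-Warning 'AutoRun policy is not set to 0xFF; consider disabling AutoRun for all drive types.'
}
```

The USBSTOR keys only tell you that a device was enumerated at some point, not when or what was read from it, so treat the output as a starting point for questions ("whose drive is this?") rather than as proof of compromise. Comparing the list against a copy saved at the previous review is a cheap way to spot new arrivals.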

Let’s look at this issue another way. If you refused to do anything about the burglar rummaging around on the first floor while you listened from your bedroom on the second floor, the police would think you’re pretty odd. The first thing they’ll ask is why you don’t have an alarm system installed in your home. Or, if you do have one, wouldn’t it have been a good idea to set it in the first place, so that more people would have been notified about the break-in? In addition to alarm systems, some homeowners have external security cameras installed around their homes. Those can at least provide a good image of the burglar. However, it’s still important to do something to actually stop the burglar. Whatever you do, you can’t just stand back and do nothing. More importantly, you’d have a really hard time getting any sort of sympathy from the police. After all, if you just let a burglar take your things while you blithely refuse to acknowledge the burglar’s presence, whose fault is that? (Getting bonked on the back of the head while you are looking is another story.) That’s why you need to monitor your systems, even if they aren’t connected to the Internet. Someone wants to ruin your day and they’re not playing around. Hackers are dead serious about grabbing every bit of usable data on your system and using it to make your life truly terrible. Your misery makes them sublimely happy. Really, take my word for it.

The reason I’m discussing this issue is that I’m still seeing stories like Chinese Hackers Target Air-Gapped Military Networks. So, what about all those networks that were hacked before the Internet became a connectivity solution? Hackers have been taking networks down for a considerable time, and it doesn’t take an Internet connection to do it. The story is interesting because the technique used demonstrates that hackers don’t have to be particularly good at their profession to break into many networks. It’s also alarming because some of the networks targeted belonged to contractors for the US military.

There is no tool, software, connection method, or secret incantation that can protect your system from determined hackers. I’ve said this in everything I’ve written about security. Yes, you can use a number of tools to make it more difficult to get through and to dissuade someone who isn’t all that determined. Unfortunately, no matter how high you make the walls of your server fortress, the hacker can always go just a bit further to climb them. Sites like America’s Data Held Hostage (a site that specializes in ransomware) tell me that most organizations could do more to scrutinize their networks. Everything I read from informed security writers says that you can’t trust anyone or anything when you’re responsible for security, yet organizations continue to ignore that burglar on the first floor.

There is the question of whether it’s possible to detect and handle every threat. The answer is that it isn’t. Truly gifted hackers will blindside you and can cause terrifying damage to your systems every time. Monitoring can mitigate the damage and help you recover more quickly, and the fact is that most organizations could definitely do better. Let me know your thoughts about security at [email protected].

A Windows Security Alert, Courtesy of Samsung

I’ve gotten used to a whole lot of silly vendor tricks over the years. Just about every vendor I’ve worked with has done something completely idiotic, just to cause the other guy woe. The user always ends up hurt. Readers of Administering Windows Server 2008 Server Core, Microsoft Windows Command Line Administration Instant Reference, and Windows 8 for Dummies Quick Reference need to be aware that, according to a ComputerWorld article, Samsung has turned off Windows Update on its computers. The worrisome part of all this is that there is apparently an executable that turns Windows Update off, but no corresponding executable to turn it back on. Sites such as Engadget recommend performing a clean install of Windows on your computer to get rid of the problem.

The whole issue seems to revolve around Samsung being worried that Microsoft’s updates will interfere with Samsung’s updates of its own software. The result could be that the system won’t work. Phrases such as “could be” and “might not” always bother me. Samsung must not have tested the problem fully, or they would have had a more positive and straightforward comment to make when asked about it. The point is that the user loses. Advice such as telling users they must reinstall Windows from scratch to get rid of the problem sounds just dandy until you figure out that most users can’t perform this task, so they’ll be out extra money getting someone else to do the job, or we’ll all face the issues that happen when updates don’t occur. It’s not as if the Internet really requires yet more zombies (computers under hacker control)—we have no lack of them now.

A similar problem occurred not long ago when Lenovo thought it would be a good idea to pre-install the Superfish adware on the computers it shipped. Most computer vendors add bloatware to their systems, which really does make it a good idea to perform a clean install when you buy a new system, but purposely adding adware seems a bit deranged to me. Lenovo later apologized and fixed the problem, but the point is that they made the mistake in the first place.

Some of my readers have asked why so many of my books include installation instructions, or at least pointers to the installation instructions. The answer is that vendors keep doing things that make me shake my head and wonder just what they were thinking. When you buy a new system from someone, perform a clean install of the operating system to get rid of the bloatware, or have someone else do it for you. If you choose to keep the pre-installed operating system in place, make sure you research any oddities of the installation (such as Windows Update being turned off). Otherwise, you might end up with a situation where Windows Update simply doesn’t do its job because someone told it not to. Let me know your thoughts on pre-installed software, bloatware, and vendors who seem completely clueless at [email protected].
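"Research any oddities of the installation" is easier with a script that asks Windows directly whether updating has been switched off. The PowerShell below is an added example for this post, not code from the original article, from Samsung, or from Microsoft. It checks the three places a vendor or policy tool would normally use to stop updates: the start mode of the Windows Update service (wuauserv), the NoAutoUpdate policy value, and a WUServer redirection to a non-Microsoft update server. The service and registry names are the standard Windows ones; the way findings are collected and reported is this example's own design.

```powershell
# Added example (not part of the original post): report whether Windows Update
# has been switched off on this machine. Run from an elevated PowerShell prompt.

function Get-WindowsUpdateStatus {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The Windows Update service must exist and must not be set to Disabled.
    #    Win32_Service.StartMode is one of Auto, Manual, Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'" -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings.Add('Windows Update service (wuauserv) not found')
    } elseif ($svc.StartMode -eq 'Disabled') {
        $findings.Add('Windows Update service (wuauserv) start mode is Disabled')
    }

    # 2. Policy value that turns automatic updating off outright.
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAutoUpdate = (Get-ItemProperty -Path $au -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    if ($noAutoUpdate -eq 1) {
        $findings.Add("NoAutoUpdate = 1 under $au (automatic updates disabled by policy)")
    }

    # 3. Policy value that points the client at an internal update server. Normal in a
    #    managed domain, but worth a question on a home PC that should talk to Microsoft.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wuServer = (Get-ItemProperty -Path $wu -Name WUServer -ErrorAction SilentlyContinue).WUServer
    if ($wuServer) {
        $findings.Add("Updates redirected to WUServer = $wuServer")
    }

    [pscustomobject]@{
        ServiceStartMode = if ($svc) { $svc.StartMode } else { 'missing' }
        Findings         = $findings
        Healthy          = ($findings.Count -eq 0)
    }
}

$status = Get-WindowsUpdateStatus
if ($status.Healthy) {
    Write-Host ('Windows Update appears enabled (service start mode: {0}, no blocking policy).' -f $status.ServiceStartMode)
} else {
    Write-Warning 'Windows Update looks switched off or redirected:'
    $status.Findings | ForEach-Object { Write-Warning "  $_" }
}
```

Because the script reports findings rather than changing anything, it is safe to run on a freshly unboxed machine before deciding whether to keep the vendor image. If it flags the service as Disabled on a PC you did not configure that way, that is exactly the kind of vendor oddity worth tracking down before assuming the machine is being patched.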


Story Update!

According to a ComputerWorld article, Samsung will end the practice of disabling Windows Update. Of course, one has to wonder why they did it in the first place. If you have one of the systems on which Windows Update was disabled, a patch will restore the system’s ability to perform the required updates.