Secunia provides a free Personal Software Inspector (PSI) tool that checks the software and plugins on your system to make sure that they are up-to-date. I’ve used this tool on several systems this week and it works really well. If you’re not already using another software product that does this type of check, I highly suggest that you give PSI a try.
After spending three hours yesterday watching the Google I/O 2010 keynote addresses, I was pretty upbeat about Google and Android. I was really impressed with the innovation and the execution of ideas. Unfortunately, all of that was overshadowed when I learned about the latest Android spyware discovery presented at Black Hat. Story here.
From a development standpoint, Android’s open platform is a good thing. It allows developers to do some amazing things with the technology and bring some very impressive applications into the mobile marketplace. But as many of us know, it’s also an open invitation for hackers to “have their way” with the phone and the user community’s information.
I had an epiphany in 2001 that changed my life forever – computer security is essentially worthless. The organization that I worked for at the time spent hundreds of thousands of dollars on traditional security measures (firewalls, network intrusion detection systems, vulnerability scanners and anti-virus software) and not only didn’t they stop hackers from penetrating the organization’s defenses, they didn’t help detect the hackers either. To someone trying to secure over 10,000 systems, this revelation was quite disheartening.
After several years of intense research on computer security and hacking, I started to realize that I can’t help organizations make their networks and systems secure. I can help organizations implement security, identify known vulnerabilities and find compromised systems, but I resigned myself to the fact that any attempts to create a completely secure environment are futile. What I discovered, is that the technology and security paradigms that people rely on to protect themselves are only effective against amateur hackers – not professional and Top Tier hackers.
Fast forward to today. Devices, information and credentials are being compromised more than ever – and the situation is just getting worse. Computer security is still essentially worthless. But why?! Security experts have continuously advocated security measures, policies, patches, anti-virus, vulnerability scans and password best practices. They have also continuously advocated training, increased system and network monitoring, and better incident response. With all of this good advice, why is hacking still a problem after all these years? Isn’t anyone listening?
When I gave Dan a copy of my book, I wasn’t expecting a review. I know he is very busy keeping us all informed about security and attending conferences, both online and in person, so I was pleasantly surprised when I received his email that he wrote a review. Dan is a very knowledgeable guy, so his feedback is priceless.
There is an interesting article over at NPR that a shortage of Cyberwarriors threatens U.S. security. The article states that James Gosler, a veteran cybersecurity specialist who has worked at the CIA, the National Security Agency and the Energy Department, “… estimates there are now only 1,000 people in the entire United States with the sophisticated skills needed for the most demanding cyberdefense tasks. To meet the computer security needs of U.S. government agencies and large corporations, he says, a force of 20,000 to 30,000 similarly skilled specialists is needed.”
Who are these 1,000 people and what exactly are these most demanding cyberdefense tasks?
When the computer industry decided to release operating systems with an open software architecture, they really didn’t have hackers in mind. All the industry was thinking about was functionality, some basic security to keep “honest people honest” and how an open software architecture would allow others to take the technology to new levels. Unfortunately, what the computer industry didn’t realize, is that hackers would take advantage of this open software architecture as well.
As someone who has spent many years chasing down hackers that can avoid detection by conventional security measures, I see the eFuse technology as a good thing. (Read stories about the eFuse controversy here and here.) If a hacker obtains physical access to a phone and replaces the operating, how is the owner going to know that it contains a keylogger, information gatherer and covert means to send the information to the hacker? Is everyone so tech savvy that they can tell the difference between the real Android operating system and one that has been altered? I don’t think so.
For the second day in a row, I’ve had to listen to a sob story about home computer malware infections. Both situations were completely avoidable.
In the first story, a woman’s husband let his friend use their computer while she wasn’t home. His friend visited several porn sites and the computer got infected with pop-up porn ads. She doesn’t know how the system got infected, but after doing a complete malware scan, the computer identified and removed three pieces of malware.
In the second story, a man let his cousin use his computer while his cousin was staying with him for a week. The cousin visited several porn sites and fell victim to some type of fake anti-virus software that completely trashed the computer. The man is going to spend the weekend backing up his data and completely reinstalling everything on his computer.
If you’re going to allow your friends and relatives to use your computer, you really need to lay down the law as to what they can do and where they can go on the Internet. If they want to check their email and social media sites, that’s fine, but they should not be opening email attachments, downloading software, codecs or plug-ins – and definitely not visiting any porn sites. If you’re lucky, they won’t pick up any undetectable malware that will rear it’s ugly head in the days that follow.
If you want your friends and relatives to be able to do “whatever” on your computer, the best thing to do is setup a virtual machine like VMware Player (free) or VMware Workstation for them to use instead of your regular desktop environment. While a separate log in account for your regular desktop might seem like a good idea, it won’t do any good against malware that is able to obtain administrator permissions via some type of exploit or buffer overflow.
Your friends and relatives are probably very nice people, but when it comes to computer security, you may end up finding out the hard way that they are your worst enemy.