
Is this "security threat" real?

Fattony&jwoolward

Tx for your input. My sentiments exactly ..

Nothing is fully secure, and running old OSs or saying macOS or Linux are more secure is a senseless discussion. Be aware of what you are doing, choose a sensible solution and get on with it.

> Considering that perhaps 75% of NSA/GCHQ programmers are on Facebook and 100.0000000% of them are on Linkedin

Most definitely not true! The core programmer/mathematician part of those organisations takes security VERY seriously. Clearly the out-sourced sysadmins don’t…

Social engineering attacks are scary. There is little that can be done about them – taken to the extreme almost anyone can be tricked (if they can be identified).

This interesting (and extremely accessible) paper has just come out – the author is advocating a more “common sense” (my words) approach to security worries. Is MOSSAD interested in your data? No? Then stop worrying and get on with life.

Last Edited by jwoolard at 06 Jan 11:12
EGEO

I have to say, that really makes me laugh…

Considering that perhaps 75% of NSA/GCHQ programmers are on Facebook and 100.0000000% of them are on Linkedin

My email server deletes all emails from linkedin.com…

Administrator
Shoreham EGKA, United Kingdom

RSA were compromised by malicious Excel files
How were they sneaked in?

RSA were compromised by targeting specific individuals via their LinkedIn and/or Facebook accounts IIRC. After the attack RSA closed access to these sites for their employees, but had to open up LinkedIn again if my memory serves me right. They are quite open about the attack; they held a good seminar about it at a security conference 2 years ago which ended with a discussion regarding social media.

Last Edited by martin-esmi at 06 Jan 10:23

With UPnP, for example, it’s entirely possible for your PC to be accessible from the Internet despite being behind a NATing firewall.

That is indeed true, which is why I would never use a UPnP router – they allow any old app to open a port in the router, which is outrageous. You may as well turn off the firewall, google for the word sex and click on every link that comes up, and click on every link in every email you get.

People frequently use laptops away from home (especially pilots). If you connect that laptop to a network that is not under your control (e.g. a hotel wireless network), it’s then open to attack from other systems on that network.

I wonder how likely that is. On most wifi access points you can configure whether clients should be able to see each other. Obviously, in any commercial setting, this will be OFF, otherwise there will be havoc. I recall when Virgin Media first connected a load of people up on some fibre broadband, your Network Neighbourhood showed the whole street.

As you say, anyone who owns a wifi network can see “everything” and could mount attacks, which is presumably where the Windows firewall should help – assuming (a) you don’t have silly open ports on it (especially RDP with a null password) and (b) the attacker is not exploiting some hole whereby merely presenting malformed packets to the external LAN interface of the computer enables him to run code of his choice without having the login credentials. Windows had such back doors (usually caused by a lack of buffer overflow checks) but surely they must have been plugged in WinXP by now, after 10-12 years?

It is however a fair point, which is why I prefer to use 3G over wifi if there is no cost or required-performance issue; the 3G network is much less likely to be compromised than some hotel’s wifi router. But I always use a VPN for anything sensitive, anyway.

How often do you have to download seemingly innocuous files from the Internet? PDFs, Word files, even JPGs and other image files have all been used to exploit systems.

I think that comes back to clicking on any URL you see, without care. I think the usable life of any PC thus used is going to be measured in weeks if not days. But I would regard that as mostly application-specific. Windows (I mean M$ code) would not normally open the files – unless you have, say, Explorer showing thumbnails for any JPEGs. It is a back door in the JPEG, PDF, etc. display app which somebody would be exploiting.

Also most of these files are viewed with apps which are continually updated, or can be. For example most people use Adobe to open PDFs. Adobe updates that all the time. Word is an issue, for sure, but I would not open a Word file from somebody I didn’t know. (I also would not send one to somebody because that just drives the poor sod to have to spend money on the latest version of M$ Word. Always use PDF if possible.)

But my point is that none of the above is connected with winXP no longer being patched.

RSA were compromised by malicious Excel files

How were they sneaked in?

You can usually do social engineering, e.g. if you see DSCNxxxx JPEGs on some website, these come from a Nikon camera. Then you can usually get the EXIF data to get the camera model. Then you do a WHOIS lookup on the domain and get the owner’s name. You then do a bit of googling to get his email address. Or you email the webmaster, etc. You then send him an email with a forged From: header which looks like it is from Nikon, pointing to a URL containing a firmware upgrade for his actual camera. To most people this will be credible enough and they will fall for it… Nowadays most pics online are from phones and contain the GPS data also, so knowing the whole address right down to the house number you can do an even more convincing email.

Last Edited by Peter at 06 Jan 10:17
Administrator
Shoreham EGKA, United Kingdom
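The Exif reconnaissance described in the post above, as an added example that is not part of the thread: where the camera make/model and GPS fix live inside a JPEG's APP1 segment, how to read them, and how to strip the segment before a picture goes online. The JPEG is constructed inline (headers only, no image data) and its camera and coordinates are invented, so it runs offline; point `extract_exif()` at real file bytes to see what a photo gives away.

```python
"""Added example (not from the thread): read and strip Exif make/model/GPS.
The sample JPEG is constructed below; nothing here comes from a real photo."""
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}      # bytes per Exif field type
TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def _ifd(entries, start):
    """Serialise one IFD at TIFF-relative offset `start`. entries are
    (tag, type, count, payload); payloads over 4 bytes go after the table."""
    data_off = start + 2 + 12 * len(entries) + 4
    table, blob = struct.pack(">H", len(entries)), b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:                           # value stored inline
            table += struct.pack(">HHI", tag, typ, count) + payload.ljust(4, b"\0")
        else:                                           # value stored by offset
            table += struct.pack(">HHII", tag, typ, count, data_off + len(blob))
            blob += payload
    return table + struct.pack(">I", 0) + blob          # 0 = no next IFD


def _rationals(*v):
    return struct.pack(">" + "I" * len(v), *v)          # (numerator, denominator) pairs


def build_sample_jpeg():
    """Constructed JPEG: SOI, one Exif APP1 segment, EOI. Values are made up."""
    gps = _ifd([(GPS_LAT_REF, 2, 2, b"N\0"),
                (GPS_LAT, 5, 3, _rationals(50, 1, 50, 1, 72, 10)),    # 50 deg 50' 7.2" N
                (GPS_LON_REF, 2, 2, b"W\0"),
                (GPS_LON, 5, 3, _rationals(0, 1, 17, 1, 384, 10))], 8)  # 0 deg 17' 38.4" W
    ifd0_off = 8 + len(gps)                             # GPS IFD first, IFD0 after it
    ifd0 = _ifd([(TAG_MAKE, 2, 18, b"NIKON CORPORATION\0"),
                 (TAG_MODEL, 2, 12, b"NIKON D7000\0"),
                 (TAG_GPS_IFD, 4, 1, struct.pack(">I", 8))], ifd0_off)
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off) + gps + ifd0
    payload = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each header segment before the scan data."""
    pos = 2                                             # skip SOI
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD8, 0xD9, 0xDA) or pos + 4 > len(jpeg):   # SOI/EOI/SOS: stop
            return
        length, = struct.unpack_from(">H", jpeg, pos + 2)
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, off, e):
    """Return {tag: (type, count, raw bytes)} for the IFD at `off`; e is '>' or '<'."""
    n, = struct.unpack_from(e + "H", tiff, off)
    out = {}
    for i in range(n):
        ent = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, ent)
        field, size = tiff[ent + 8: ent + 12], TYPE_SIZE.get(typ, 1) * count
        if size <= 4:
            out[tag] = (typ, count, field[:size])
        else:
            ptr, = struct.unpack(e + "I", field)
            out[tag] = (typ, count, tiff[ptr: ptr + size])
    return out


def _ascii(ifd, tag):
    ent = ifd.get(tag)
    return ent[2].rstrip(b"\0").decode("ascii", "replace") if ent else None


def _dms(ifd, tag, ref_tag, e):
    """Three RATIONALs (deg, min, sec) plus an N/S/E/W ref -> signed decimal degrees."""
    ent, ref = ifd.get(tag), _ascii(ifd, ref_tag)
    if not ent or ent[0] != 5 or ent[1] != 3:
        return None
    d, m, s = (num / den for num, den in struct.iter_unpack(e + "II", ent[2]))
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def extract_exif(jpeg):
    """Make, Model and GPS position from the first Exif APP1 segment, if any."""
    info = {"make": None, "model": None, "lat": None, "lon": None}
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4: start + 10] != b"Exif\0\0":
            continue
        tiff = jpeg[start + 10: end]
        e = ">" if tiff[:2] == b"MM" else "<"             # byte order mark
        ifd0_off, = struct.unpack_from(e + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, ifd0_off, e)
        info["make"], info["model"] = _ascii(ifd0, TAG_MAKE), _ascii(ifd0, TAG_MODEL)
        if TAG_GPS_IFD in ifd0:
            gps_off, = struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])
            gps = _read_ifd(tiff, gps_off, e)
            info["lat"] = _dms(gps, GPS_LAT, GPS_LAT_REF, e)
            info["lon"] = _dms(gps, GPS_LON, GPS_LON_REF, e)
        break
    return info


def strip_exif(jpeg):
    """The same JPEG with every Exif APP1 segment cut out; pixel data untouched."""
    out, last = bytearray(), 0
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4: start + 10] == b"Exif\0\0":
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)
```

`strip_exif()` is what a publishing pipeline should run on uploads: it removes the whole APP1 block rather than editing individual tags, so maker notes and thumbnails (which can carry a second copy of the position) go with it.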

NAT is not a security measure per se. It was designed to allow “private” IP addresses (i.e. RFC 1918 addresses) to be used on an internal network but still allow traffic to be routed to the Internet. It’s the firewall that does the security enforcement. Sure, your RFC 1918 address isn’t directly accessible from the Internet but, in order to “talk” to the Internet, you need a RIPE address. That will be reachable from the Internet. It’s then down to how your router/firewall handles traffic that is directed toward that RIPE address. With UPnP, for example, it’s entirely possible for your PC to be accessible from the Internet despite being behind a NATing firewall. Also, it’s not unfeasible that your home router/firewall has exploitable security weaknesses in it. When was the last time people updated the firmware on their home router/firewall? Most people don’t even realise their router/firewall runs software, let alone the fact you can update it.

But let’s assume you have all that under control. Don’t forget that a lot of the PCs we’re talking about will be laptops. People frequently use laptops away from home (especially pilots). If you connect that laptop to a network that is not under your control (e.g. a hotel wireless network), it’s then open to attack from other systems on that network. They don’t even need to be directed attacks – it could be an indiscriminate worm that keeps polling for targets. A decent host-based firewall would minimise this risk but it won’t be foolproof.

Peter is correct about most compromises coming from the browser and email client. But let’s not forget about file format attacks. How often do you have to download seemingly innocuous files from the Internet? PDFs, Word files, even JPGs and other image files have all been used to exploit systems. If you’re sensible about using an unsupported operating system you can minimise the risks by using browsers and email clients that are still supported. But the biggest problem will be if (when?) someone discovers a weakness in a built-in OS file parsing mechanism, like an image file. MS won’t supply a patch for XP and then every PC that downloads files like that from the Internet will be exploitable. If we’re talking image files, that means EVERY PC. Antivirus is worthwhile but it’s an arms race. New malware won’t be detected until a signature is developed and that signature is downloaded by your antivirus.

RSA were compromised by malicious Excel files and they’re a security company that are most notable for their two-factor authentication tokens. If they can get compromised, anyone can. That said, if you’re pretty clued-up and careful you can make yourself a much harder target. I don’t run antivirus because it cripples your machine but I do make sure I’m very careful about what sites I browse, what files I open or download and what I connect my laptop to.

Fairoaks, United Kingdom
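The UPnP point made in the two posts above (a LAN application opening an Internet-facing port through a NATing router), as an added example that is not part of the thread: the discovery message, the `AddPortMapping` request an application sends to the router's WANIPConnection service, and how to walk the router's mapping table and flag entries that expose an administrative service. Only messages are built and parsed here; nothing is sent, the router reply is a constructed sample, and the list of risky ports is this example's own choice.

```python
"""Added example (not from the thread): UPnP IGD port-mapping messages and a
check over the mappings a router holds. No network traffic; the reply below
is constructed to match the shape of a real WANIPConnection response."""
import xml.etree.ElementTree as ET

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Step 1: discovery. Sent over UDP to multicast 239.255.255.250:1900; the router
# answers with a LOCATION: URL for its device description, which names the
# control URL for the service below.
SSDP_MSEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                'MAN: "ssdp:discover"\r\nMX: 2\r\n' + f"ST: {WANIP}\r\n\r\n")


def soap_request(action, args):
    """Step 2: HTTP headers and SOAP body for one WANIPConnection action.
    IGD v1 has no authentication, so this POST is the entire exchange."""
    body = "".join(f"<New{k}>{v}</New{k}>" for k, v in args.items())
    xml = ('<?xml version="1.0"?>'
           '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
           's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
           f'<s:Body><u:{action} xmlns:u="{WANIP}">{body}</u:{action}>'
           '</s:Body></s:Envelope>')
    headers = {"SOAPAction": f'"{WANIP}#{action}"',
               "Content-Type": 'text/xml; charset="utf-8"'}
    return headers, xml


def add_port_mapping(external_port, internal_host, internal_port,
                     protocol="TCP", description="example"):
    """What any LAN process sends to become reachable from the Internet."""
    return soap_request("AddPortMapping", {
        "RemoteHost": "", "ExternalPort": external_port, "Protocol": protocol,
        "InternalPort": internal_port, "InternalClient": internal_host,
        "Enabled": 1, "PortMappingDescription": description, "LeaseDuration": 0})


def get_mapping_entry(index):
    """Walk the table with index 0, 1, 2 ... until the router returns a SOAP fault."""
    return soap_request("GetGenericPortMappingEntry", {"PortMappingIndex": index})


def parse_mapping_reply(xml):
    """Flatten a GetGenericPortMappingEntryResponse into {field: value}."""
    root = ET.fromstring(xml)
    return {el.tag: (el.text or "") for el in root.iter() if el.tag.startswith("New")}


# Ports this example treats as administrative (SMB, RPC, RDP, VNC, SSH, telnet).
RISKY_PORTS = {135, 139, 445, 3389, 5900, 22, 23}


def risky_mappings(entries):
    """Enabled mappings that hand an Internet-facing port to a risky service."""
    return [e for e in entries
            if e.get("NewEnabled") == "1" and int(e["NewInternalPort"]) in RISKY_PORTS]


# Constructed sample reply: a mapping that exposes a LAN PC's RDP port.
SAMPLE_REPLY = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><u:GetGenericPortMappingEntryResponse '
    f'xmlns:u="{WANIP}">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>3389</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>3389</NewInternalPort>'
    '<NewInternalClient>192.168.1.10</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>Remote Desktop</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)
```

To run this against a real router you would send `SSDP_MSEARCH` as a UDP datagram, fetch the description document at the `LOCATION:` URL in the answer, and POST each `soap_request()` body with its headers to the service's control URL; a SOAP fault from `get_mapping_entry()` marks the end of the table. The fix the post above argues for is simply to turn the IGD service off in the router.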

NAT has nothing to do with security anymore. It is so easy to bypass that it is best compared with a paper wall.

Can you explain how exactly one can penetrate NAT?

I am not talking about somehow sneaking some executable code to somebody inside – that will work for every organisation where people have internet access.

Last Edited by Peter at 05 Jan 08:30
Administrator
Shoreham EGKA, United Kingdom

This whole discussion is a bit in line with the state of the technology of GA with its dinosaur engines.

The whole discussion about security is a bit of a hoax. Not that the threat is not real, but the prescribed methods are all inadequate, plus if you really want to create a secure environment you will need to get to a point where you have actually created a nice bunker, which will be secure but will not let you do the things you wanted to do in the first place, like communicating with the outside world and/or being mobile.

There is no such thing as a secure OS, whether it is any kind of Windows, Linux or macOS. The simple fact is that the more we use it, with more and more programs, the more vulnerable you become.

The most secure version of any OS is generally the latest OS with all the latest security patches and fixes installed. This in itself already poses a big threat, as most people will not keep up with installing the latest continuously.

NAT has nothing to do with security anymore. It is so easy to bypass that it is best compared with a paper wall. A good firewall will help but is still insufficient, because if the traffic is legal it still does not look at what the traffic is intending to do, and it is exactly this that makes it so vulnerable. A good Intrusion Prevention System will help you a great deal further.

What is good? I let everybody judge that for themselves, as there are too many people who claim to know it all. When we get to this point in a discussion I usually ask people to take out their keyring. Usually you will have a bunch of cheap keys and one or two 3-star keys. And that is exactly what you can do: choose 3-star solutions. Higher usually does not make any sense as it becomes progressively more expensive or harder to use. In my IT company we have chosen to sell SonicWall as it is a good UTM firewall targeted at our typical 10-500 seat workspace with a good price tag attached to it. Gartner says Fortigate and SonicWall are the top players in the UTM segment.

But what happens when you leave the confines of your corporate firewall? There are no truly good solutions, because all the software solutions work on the basis of closing every hole both ways… But if you want to work then you will need to start opening up, and this decision is then left to a user who usually does not know about this kind of stuff.

So what is security? It is a difficult discussion with no solution other than be sensible:

- make sure you have the latest installed with all the proper patches and fixes and the correct settings.
- make sure you have good backups
- be careful with very confidential stuff and never open anything you do not trust.

As for the cloud: embrace it, but do it sensibly. Dropbox or the MS equivalent SkyDrive (or SkyDrive Pro for companies) make a device very flexible. Nowadays installing a new device and getting all the information on it is easy: open box, run through setup, install Office 2013 (which nowadays is very quick), attach to your mailbox and install your SkyDrive or Dropbox, and 90% of your system is up and running (I wish Jeppesen would also work like this).

Please be aware that Dropbox or SkyDrive is a syncing mechanism. It is not a backup. If you delete a folder, even by accident, you will delete it on all systems.

I definitely think the threat is real, perhaps more so for organizations/businesses than home users based on the damage it might do. Today’s malware doesn’t intend to cause the same amount of direct damage as 5-10 years ago; today it’s all about stealing information or using your computer to attack other people/organizations.

The threats today rarely exploit network-based services; the last big one was Downadup/Conficker IIRC. So as you mention Peter, most computers are protected from these attacks from the Internet by routers/firewalls. For corporations/organizations it would have to infect by other means, such as USB sticks or downloaded applications that contain the virus/malware, and then spread internally on the network where the security often is lower.

Instead, malware and other harmful applications exploit known vulnerabilities via email or malicious websites, and they will probably be even more successful when XP goes end of life. Since the exploits rely on OS weaknesses it might not matter if the user switches from IE to Chrome/FF or Outlook to Thunderbird, but together with a cocktail of the recent Adobe exploits or Java exploits all it takes is for the user to view the wrong PDF or visit the wrong website. Since the XP OS exploits will never be patched it must be pretty near nirvana for these people.

Relying on antivirus software often gives a false sense of security. It might not discover the exploit in time, or the attacker might use an advanced form of obfuscated code which the antivirus software doesn’t recognize. And we all know that there will be lots of PCs with non-updated versions of Adobe Flash/Reader and Java for years to come.

XP, though of course it was originally as draughty as the gates of hell, must be fairly secure after so many years of security patching.

The industry has come up with far better ways to secure the OS and its applications since the launch of XP. If the underlying security features of the OS are weak it is much easier to develop exploits for user-space applications.

Last Edited by martin-esmi at 27 Dec 22:04
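The OS-level protections the post above refers to are ones a Windows binary has to opt into, and the opt-in is visible in its PE header. As an added example that is not part of the thread, the check below reads the DllCharacteristics field of a PE optional header and reports whether the image asks for DEP (NX) and ASLR; the PE images it is run on here are constructed inline (headers only, no code), so it runs offline, and the flag names are the standard IMAGE_DLLCHARACTERISTICS_* bits. The XP-specific point is that ASLR did not exist before Vista, so a binary's ASLR flag buys nothing on an XP machine whatever the binary asks for.

```python
"""Added example (not from the thread): which exploit mitigations a Windows
PE image opts into, read from DllCharacteristics. Sample images are
constructed below; pass real EXE/DLL bytes to pe_mitigations() to audit them."""
import struct

DLL_FLAGS = {                     # IMAGE_DLLCHARACTERISTICS_* bits
    "high_entropy_va": 0x0020,    # 64-bit ASLR
    "dynamic_base":    0x0040,    # ASLR (Vista and later; XP has no ASLR)
    "nx_compat":       0x0100,    # DEP / NX
    "no_seh":          0x0400,    # image uses no structured exception handlers
    "guard_cf":        0x4000,    # Control Flow Guard
}


def pe_mitigations(image):
    """Return {flag_name: bool} plus 'pe32plus' for a PE image held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):               # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    dll_chars, = struct.unpack_from("<H", image, opt + 70)
    flags = {name: bool(dll_chars & bit) for name, bit in DLL_FLAGS.items()}
    flags["pe32plus"] = magic == 0x20B
    return flags


def missing_mitigations(flags):
    """Opt-in protections the image does not ask for. On an OS without the
    feature (ASLR on XP) the ones it does ask for are no help either."""
    wanted = ["nx_compat", "dynamic_base"]
    if flags["pe32plus"]:
        wanted.append("high_entropy_va")
    return [name for name in wanted if not flags[name]]


def build_sample_pe(dll_characteristics, pe32plus=False):
    """Constructed PE header: DOS stub, PE signature, COFF header and an
    optional header with only Magic and DllCharacteristics filled in."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,   # Machine
                       1, 0, 0, 0, opt_size, 0x0102)               # ..., SizeOfOptionalHeader, Characteristics
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * 68
    opt += struct.pack("<H", dll_characteristics) + b"\0" * (opt_size - 72)
    return dos + b"PE\0\0" + coff + opt
```

A build that links with `/NXCOMPAT /DYNAMICBASE` sets 0x0140 in this field; older third-party software that has never been relinked typically reports both as missing, which is the "easier to develop exploits" situation the post describes.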

It might be true that some hackers might get excited about the lack of security support for XP. However, so long as firewall or antivirus manufacturers keep supplying definition updates for their software on XP, I don’t think the regular home or small business network has much need to really worry.

Where I work we have tens of thousands of XP machines and it’s been a right PITA to evaluate the hundreds of known applications, drivers, patches and so on for compatibility with Win7. There is professional software that helps with this of course, but it’s a gamble. Then there is all the application deployment testing and UAT, and training and so on that goes with an OS upgrade. M$ has to draw the line somewhere though, and there has been plenty of warning, so I guess they are forcing our hand to upgrade, which contributes to their revenues too :-)
