Archive | Security

Security is not a feature; it’s a process. Notes on issues, patches and essays on security.

Boston Globe publishes a quarter million credit cards

“Credit and bank card numbers of as many as 240,000 Boston Globe and Worcester Telegram & Gazette subscribers were inadvertently distributed with bundles of T&G newspapers on Sunday, officials of the newspapers said today.”

Follow the link to read how clever they were…

Freedom to Connect

Joho the Blog blogs Isenseuss: “Here’s the talk David Isenberg gave at O’Reilly eTel. It is, rather amazingly, a disquisition about freedom to connect, done in the style of Dr. Seuss.” …

Here’s the first stanza, to encourage you to read on…

When Ed Whitacre, the head of AT&T, says,
“They’re not going to use my pipes for free”
he’s not talking about Them, he’s talking about Me.
He’s talking about Us, it should be plain to see.

Fortune 500 may be liable for millions of postcards…

Now here’s a silly headline: OSNews purports that Linux Users May Be Violating Sarbanes-Oxley. A brief read of the article will tell you that a corporation is likely violating its obligations to its shareholders if it is failing to audit, track, monitor and closely examine the copyright, license and patent requirements of ALL of the products they use. There may be just as much liability from the shareware, freeware, postcardware and every-ware installed willy-nilly inside a company. Developers, consultants, IT personnel and users are notorious for bringing in a little utility from home on floppy, USB tab or download and spreading it around the office. It may be that the Fortune 500 is liable for thousands of postcards for EditPad as well.

The solution is to follow the law, even one as obnoxious as SOX (and complain to your legislator if this is burdensome), with an audit and a compliance plan. The inflammatory headline that “Linux users are bringing chaos to the world” is just insulting. Any company using software needs to do its best to ensure it is not violating copyrights, patents or licenses. No news here, move along.

Mac updates today

New Mac patches: my iMac greeted me with a slew of patches today: QuickTime, iTunes, iPod and Mac OS X. The security patch readme includes:

The 10.4.4 Update delivers overall improved reliability and compatibility for Mac OS X v10.4 and is recommended for all users.
It includes fixes for:

  • SMB/CIFS and NFS network file services
  • Bluetooth wireless access
  • Core Graphics, Core Audio, Core Image, RAW camera support, including updated ATI and NVIDIA graphics drivers
  • Spotlight indexing and searching
  • AppleScript, iChat, DVD Player, and Safari applications
  • Dashboard widgets: Calendar and Stocks
  • Software Update and Sync Services
  • compatibility with USB and FireWire devices and third party applications
  • previous standalone security updates

“For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n302810 … For detailed information on Security Updates, please visit this website: http://www.info.apple.com/kbnum/n61798.”

Get patching!

Microsoft Patch Tuesday, January 2006

Despite having shipped it last week, Microsoft also lists MS06-001, the WMF flaw, as one of the three Critical, remote-code-execution patches that make up the January 2006 Microsoft security bulletin. As is typical, the patches affect every supported version from Windows 2000 on up; earlier versions of Windows get a link which seems to say “you’re on your own.” Here are the patches:

MS06-001 – Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)

MS06-002 – Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)

MS06-003 – Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)

So, Microsoft graphics, Microsoft Fonts, Microsoft Office and Microsoft Outlook all have serious flaws. Get patching!

It is the second week of 2006.

‘Numbers of flaws’ is a flawed measure of security

Garrett Fitzgerald blogs Apples and Oranges: “In a recent post, Craig Berntson trumpets about a recent CERT report that ‘proves’ that Windows is more secure than Linux. What he doesn’t mention is that the ‘Linux/Unix’ list lumps together the Linux kernel, Mac OSX, HPUX, SCO Unixware, and others. So, when comparing 1 OS against 6 or more OSs, the 1 OS comes out ahead. What a surprise.”

Over at Groklaw, the poster does a fine job of pointing out the problems with just quoting the gross numbers from this survey. It would be far better to identify how many security flaws led to major exploits and what the cleanup cost. Trivial items are counted one-for-one with items that cost millions to clean up, and exploits are listed multiple times (on both Windows and non-Windows platforms).

Bottom line: security is a process, not a feature. Millions more computers were turned into spam-sending zombies, and not just because they are running a more commonly-available operating system. They were exploited because the OS runs as an administrator with the rights to alter anything on the machine. Only one OS manufacturer shipped software that has that fatal flaw.

Microsoft ships WMF patch early!

Bravo to Microsoft for shipping the WMF patch early, rather than waiting an additional five days to ship on their regularly scheduled Patch Tuesday. Many security experts were very concerned about this flaw.

Users of Windows 2000, XP and 2003 should update immediately. Users of previous versions of Windows should stop using IE until Microsoft ships a patch.

The actual MS06-001 Security Bulletin is a bit confusing. It lists “Maximum Severity Rating: Critical” but in the FAQ seems to indicate that they are not shipping a version for Win9x/ME:

“Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) — Review the FAQ section of this bulletin for details about these operating systems….”

In the FAQ: “How does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?”

“For these versions of Windows, Microsoft will only release security updates for critical security issues.”

Okay, I’m confused. Critical or not? Supported or not?

Latest Sober worm due to launch at midnight tonight

Computerworld News catalogs A Sober Primer: The worm from A to Z. “With the Sober worm set to launch new attacks at midnight tonight, here’s an A-to-Z guide to identifying the worm’s many iterations for the past two years.” The linked article talks about the latest incarnation, due to launch at midnight tonight. You may want to turn your Windows PC off tonight, just in case. Check that your virus scanner is up to date, that your firewall is enabled (both incoming and outgoing, not the one-way Windows XP firewall), and that your malware detectors are up to date and have scanned your machine recently.

It probably won’t affect anything more than usual, but you ought to check to make sure you’ve got charged batteries for the cellphone, the PDA, the flashlight. A full tank of gas in case you need to drive off to a client first thing, and the Windows ATM isn’t working. Filling the bathtub with water will let you flush the toilet if the water pressure goes. Perhaps you should review your Emergency Preparedness Checklist, just in case. Sleep tight. Don’t let the bedbugs bite.

Trustworthy Computing. Ain’t it grand?

Wisconsin passes verifiable voting law

Slashdot post: Wisconsin Requires Open Source, Verifiable Voting. AdamBLang writes “Previously covered on Slashdot, Wisconsin Governor Jim Doyle today signed legislation that “will require the software of touch-screen voting machines used in elections to be open-source. Municipalities that use electronic voting machines are responsible for providing to the public, on request, the code used.” Madison’s Capital Times reports “the bill requires that if a municipality uses an electronic voting system that consists of a voting machine, the machine must generate a complete paper ballot showing all votes cast by each elector that is visually verifiable by the elector before he or she leaves the machine.””

Bravo! Kudos to Wisconsin! The electronic voting industry has been asking “Trust Us!” for much too long. Voting is far too important to trust a black-box, unverifiable, unauditable system. Full transparency is not an option, it’s required.


This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.