All these protection tools are nice. But ultimately, what’s most important is that the operating environment is secure, and that users are properly educated about IT security. I really don’t know how helpful this Google Safe Browsing really is. But quite clearly warnings about invalid SSL certificates are often routinely ignored by users. People want to visit their website. They don’t want to care about the technical hinderances.

Back to HardwareZone. I didn’t go find out where the malware is. I imagined it is probably something snuck in by a bad guy through a forum posting. In practice, these things are getting increasingly more troublesome to handle because of the interactivity of the web we use today. However, Google Safe Browsing Diagnostics say the problem is with sites.hardwarezone.com. A cursory glance just shows it mostly hosting advertisements, CSS files, images, etc. I wonder, what could be wrong with the site.

Related posts:

1. First Chrome, Now Stainless The browsers war is heating up again. It’s not Internet...
2. A Tale of Two Nexus S Phones I was quite intrigued to learn that the Nexus S...
3. Is Google or Yahoo More Popular? I’ve started running some web analytics on my web access...

Okay, I know, computer viruses are indeed rampant and everywhere. But if it is on your own computer, you don’t just give up and surrender, do you? I’m talking about IT professionals here.

Some time ago I was stunned by the remarks of the keynote speaker of a security conference, who apparently was resigned to sharing her notebook with a virus. It is just so bizarre that an IT security professional would say such a thing, and more so in an IT security conference.

So what happened? Well, to safeguard the anonymity of the person, system and circumstances involved (it’s a security system too, after all), let’s just say: System administrator didn’t actually consider the virus infection to be a significant event that had to be dealt with urgently. In fact, the said system administrator was, like the above keynote speaker, resigned to living with the virus.

I think we have a serious problem. Not that I don’t know already.

Related posts:

1. SecurityVision 2009 Lacks Security Vision In the past week, I attended an IDC conference SecurityVision...
2. Software Updates Week There’re plenty of software updates this week. First up was...
3. Caring For End-Users’ Security In the past, most companies don’t care. They do sell...

Some people think IT security is like real world physical security. You can design and construct a building, then sort out details like the locks, the doors, and the perimeter fencing later. When you take this idea to build application systems, the idea is that you can figure out authentication, access controls and firewalls later. Unfortunately, things aren’t so simple.

The truth is that things aren’t so straight forward in the physical world either. It’s just that with the physical world, the flaws can be seen more obviously, so if you think more deeply, you can appreciate new angles that need to be tackled and deal with the risks as needed. For example, people understand that there can be threats like bombs, gate-crashing vehicles, fire, floods, etc, and if these need to be dealt with, they will do so. Obviously, some of these issues need to be thought out during the design phases of the building project.

With application systems, the threats are not seen, and they are not properly appreciated. You can tell people about them, but many will still not give the entire matter of IT security due attention.

The worst of it is when people know a little, but think they know “enough”, will do something in-between to address the risks, then live in the false sense of security that all threats have been sufficiently neutralized. Knowing “a little” is often more dangerous than not knowing at all.

Security needs to be addressed holistically. You’ve probably heard the saying that the chain is only as strong as the weakest link. There is no point in fortifying a single component in the chain. If you make the front door of your house so difficult to break into, the burglar would just climb in through the window.

Another thing that I hear from time to time is about security through obscurity. In this day and age, some IT people still believe in this. It’s funny that I’m doing my reservist now, and it has something to do with security too. The army is very much a firm believer in security through secrecy. It doesn’t work. But the people who run it thinks it does. Oh well, maybe they really do know better, but things are just being implemented wrongly.

The 911 incident is probably about one of the most tech-savvy terrorist attacks to date. It’s not IT, no doubt. But they’ve moved on from making bombs to flying big planes. Just think what might be possible had terrorists turned to IT security vulnerabilities. I still cannot believe that one of the big take-home messages from a SCADA security talk I attended was to keep your Windows patches up-to-date.

Related posts:

1. SecurityVision 2009 Lacks Security Vision In the past week, I attended an IDC conference SecurityVision...
2. SCADA Security Talk This would be my first visit to Nanyang Polytechnic. I...
3. Caring For End-Users’ Security In the past, most companies don’t care. They do sell...

But according to the Web Application Security Trend Report (Q1-Q2 2009) by Cenzic, the numbers do show Firefox taking the lead with vulnerability to 44% of 3100 exploits tracked. Microsoft Internet Explorer came in at 15%. Safari scored surprisingly badly too at 35%, but this was explained by the new inclusion of iPhone and iPod Touch web browsers under the category of Safari in this report. (In the previous report for Q3-Q4 2008, Safari came in at 8%, Firefox at 39% and Microsoft Internet Explorer at 43%).)

Now, I’d be thinking twice when Firefox says it’s the safest way to surf the web. I don’t know where Safari stands when the numbers for iPhones and iPod Touches are omitted, but it does seem ironical to be telling users now that Microsoft Internet Explorer is probably the way to go if you care about your security.

Related posts:

1. Balloting for Your Browser European PC users are going to have to make a...
2. Browser Wars The browser wars are heating up. As some of you...
3. The New Safari Apple recently released a new version of their Safari browser,...

That’s all happened in just half a week. It could have been worse, had it been some other operating system, and it’s not really all that bothersome if you consider that many of the updates happen automatically. “Automatically”, however, could typically be any time in a one week window, since automatic checks are often configured to happen at weekly intervals. Furthermore, that’s all assuming that you are using your computer and it is connected to the Internet at reasonable broadband speeds.

It’s just one computer, or just one device. Yet there are so many updates to talk about. Sometimes I’d think life would be so much easier had all the software been sufficiently tightly integrated so that users just need to know of one update. Perhaps moving all the apps to the web (or the “Internet”) will make this easier. You’d still need some basic operating system, a web browser, and device drivers to take care of, but I suppose this would be much easier to manage.

Update (13 Nov 2009): To add to the update week is WordPress 2.8.6, released today.

Related posts:

1. Long Wait for Nokia Phone Software Updates The Nokia N97 software v12.0.024 became available on 18 Aug...
2. Nokia Phone Software Updates Nokia phones, just like other phones, contain software (or sometimes...
3. Mac OS X vs Windows Updates Versioning Apple posts updates to their Mac OS X operating system...

I think I’m too pragmatic. I think about how difficult all this will be. Realistically, will we ever have a secure Internet? We may build better defenses, the bad guys will develop better attacks. Can we ever have an Internet police? Can we ever ever have an Internet passport? I had expected a lecture on concrete steps we can take towards better security on the Internet. These ideas are too distant.

Maybe I’m a bit to sarcastic. Where is Kaspersky in Gartner’s magic quadrant?

Related posts:

1. SecurityVision 2009 Lacks Security Vision In the past week, I attended an IDC conference SecurityVision...
2. Fighting With Microsoft Word It’s amazing how difficult it can be to use Microsoft...
3. Keeping WordPress Secure A hot topic going around in WordPress circles now is...

I’m actually pretty impressed with how easy it is to keep a WordPress installation secure. WordPress started out like any other web application, but over time it has improved itself so much that you could, starting first with online upgrade of plugins, now upgrade the entire core of WordPress online. No need SSH or shell access to your WordPress installation. Everything is done simply through the web-based administrative interface of WordPress itself.

This is really a whole lot easier than WordPress peers. I also run a Drupal site, and I can tell you upgrading Drupal is really very painful. At least, the official Drupal upgrading steps are painful, if there is any unofficial shortcut to simplify it, I don’t know about it.

I could not have asked for anything simpler for WordPress.

Now, I ask myself what could be simpler. I suppose some WordPress administrators are perhaps looking for “automatic updates”. You know, like how Windows could automatic check for updates, download and install those updates. This would certainly be a neat feature, although of course many other WordPress administrators (myself included) would be hesitant about my WordPress installation automatically upgrading itself without my knowledge.

Hackers are not going to go away. I think if there are any WordPress administrators, or indeed any type of system administrators, who don’t want to be bothered with the details of IT security, they would be better off buying a service from someone else.

Related posts:

1. Urgent WordPress Security Update Security updates keeps us busy during festive holidays again. The...
2. Urgent Security Update to WordPress Yes it keeps us busy even during the festive season....
3. Preparing Simplicity for WordPress 2.7 WordPress version 2.7 beta 2 was released yesterday, with the...

Who do you think would be attracted to an event titled “SCADA Security and Controls”? It would have to be people who know enough of SCADA to understand that it presents security risks to infrastructure. That is precisely why people like me wanted to attend, to find out what mitigation steps we can take, what others are doing, what new developments are happening, etc.

It turns out that the speakers were mostly stating the obvious. The obvious things that we all already know. The necessary steps to improved security that are so generic that they really apply to any environment, nothing even remotely SCADA specific. I’m quite surprised by the lack of substance. Can you imagine trying to teach IT security professionals the fundamentals of patch management, network partitioning, etc.

I suddenly realized I could label myself an expert in SCADA security. I don’t really need to know anything about SCADA. I just need common sense. Can someone pay me to fly all over the world to tell people the obvious?

Related posts:

1. Security Cannot Be Slapped On Many people are still not getting it. IT security has...
2. SecurityVision 2009 Lacks Security Vision In the past week, I attended an IDC conference SecurityVision...
3. IT Security Carnival This week is IT Security Week at NUS, and so...

How can it be that a virus cannot be gotten rid off? How can anyone be so certain, particularly since one clearly doesn’t understand it enough to get rid of it, that the virus was not doing anything fishy in the background? If this is the kind of messages we get from an IT security conference, how can we expect the lay-person to understand IT security any better? This is truly alarming.

All the “IT experts” say IT security is important. Personally, I feel it is important too. But it is quite disappointing to see IT people treat the topic so lightly. Particularly, in an IT security event.

Related posts:

1. Security Cannot Be Slapped On Many people are still not getting it. IT security has...
2. SCADA Security Talk This would be my first visit to Nanyang Polytechnic. I...
3. PCs and Viruses Sometimes, I think we’re doomed. Our IT, our cyberspace, they...

One area has got to do with wireless network security. Wireless broadband routers are so prevalent nowadays. The biggest security risks with these products is with the wireless network access. Anyone in the nearby vicinity can connect to the wireless network and get direct access into your home network, as if they were plugged in with a cable to your broadband router. There have been many security enhancements to the wireless network technology: WEP, WPA, WPA2, etc.

But in the past, few manufacturers bother to turn them on, because it was difficult to explain to customers what needs to be done to setup their computer. If a product was difficult to setup, customers are going to “condemn” the product as “not-working”.

Sometimes, “setup wizard” programs make the security configuration easy. But it is even easier to not have to run the wizard. So again, it ends up that end-users don’t bother with it. What does it take to get the security awareness message across?

Well, the Linksys WRT610N I bought recently had a sticker pasted across all its ethernet ports. You can’t plug in a UTP cable until you’ve peel off the sticker. What’s written on the sticker?

WARNING: If left unsecured, your wireless network may be accessible by unauthorized users. Follow the instructions in the installation Wizard to secure your wireless network. See User Guide for additional information.

That’s really good.

Related posts:

1. Security Cannot Be Slapped On Many people are still not getting it. IT security has...
2. SCADA Security Talk This would be my first visit to Nanyang Polytechnic. I...
3. SecurityVision 2009 Lacks Security Vision In the past week, I attended an IDC conference SecurityVision...