It seems quite surprising to me to learn about this. After all, didn’t Firefox try to market itself as the safer, more secure alternative to browse the web than Microsoft Internet Explorer? Furthermore, considering that hackers tend to focus their exploit efforts on the most popular web browser for maximum impact, and Microsoft Internet Explorer still takes top place in the browser market share, you wouldn’t expect Firefox to take the number one spot for being most vulnerable.

But according to the Web Application Security Trend Report (Q1-Q2 2009) by Cenzic, the numbers do show Firefox taking the lead with vulnerability to 44% of 3100 exploits tracked. Microsoft Internet Explorer came in at 15%. Safari scored surprisingly badly too at 35%, but this was explained by the new inclusion of iPhone and iPod Touch web browsers under the category of Safari in this report. (In the previous report for Q3-Q4 2008, Safari came in at 8%, Firefox at 39% and Microsoft Internet Explorer at 43%).)

Now, I’d be thinking twice when Firefox says it’s the safest way to surf the web. I don’t know where Safari stands when the numbers for iPhones and iPod Touches are omitted, but it does seem ironical to be telling users now that Microsoft Internet Explorer is probably the way to go if you care about your security.

Related posts:

1. Balloting for Your Browser European PC users are going to have to make a...
2. First Chrome, Now Stainless The browsers war is heating up again. It’s not Internet...
3. The New Safari Apple recently released a new version of their Safari...

There’re plenty of software updates this week. First up was for Snow Leopard which is updated to Mac OS X 10.6.2, which contains quite a number of fixes (58, apparently) including an important one that involves data loss. Then, the Safari web browser itself, whose updates are distributed separately from Mac OS X, was updated to version 4.0.4. It fixes some security vulnerabilities, and improves performance and stability. Finally, there is also the update to Microsoft Office 2008 for Mac with version 12.2.3, which fixes stability and security issues.

That’s all happened in just half a week. It could have been worse, had it been some other operating system, and it’s not really all that bothersome if you consider that many of the updates happen automatically. “Automatically”, however, could typically be any time in a one week window, since automatic checks are often configured to happen at weekly intervals. Furthermore, that’s all assuming that you are using your computer and it is connected to the Internet at reasonable broadband speeds.

It’s just one computer, or just one device. Yet there are so many updates to talk about. Sometimes I’d think life would be so much easier had all the software been sufficiently tightly integrated so that users just need to know of one update. Perhaps moving all the apps to the web (or the “Internet”) will make this easier. You’d still need some basic operating system, a web browser, and device drivers to take care of, but I suppose this would be much easier to manage.

Update (13 Nov 2009): To add to the update week is WordPress 2.8.6, released today.

Related posts:

1. Long Wait for Nokia Phone Software Updates The Nokia N97 software v12.0.024 became available on 18 Aug...
2. Mac OS X vs Windows Updates Versioning Apple posts updates to their Mac OS X operating system...
3. Software Upgrade Disables Functionality Software upgrading is one of those common chores that many...

This was another guest lecture I attended this week. It’s the boss of the company who engaged Jackie Chan to fight virii for its TV commercial we’ve been seeing on our TV screens. Yes, Eugene Kaspersky. The title of his talk? Check it out in the photo on left. Eugene shared his vision for a secure Internet. He’s idealistic. But I suppose visions can be idealistic. Unfortunately, the steps to achieve that vision were also unrealistic. But then again, I suppose it is alright to dream. Like how Jackie Chan can fight virii.

I think I’m too pragmatic. I think about how difficult all this will be. Realistically, will we ever have a secure Internet? We may build better defenses, the bad guys will develop better attacks. Can we ever have an Internet police? Can we ever ever have an Internet passport? I had expected a lecture on concrete steps we can take towards better security on the Internet. These ideas are too distant.

Maybe I’m a bit to sarcastic. Where is Kaspersky in Gartner’s magic quadrant?

Related posts:

1. Fighting With Microsoft Word It’s amazing how difficult it can be to use Microsoft...
2. SecurityVision 2009 Lacks Security Vision In the past week, I attended an IDC conference SecurityVision...
3. Keeping WordPress Secure A hot topic going around in WordPress circles now is...

A hot topic going around in WordPress circles now is a worm making its rounds hijacking vulnerable WordPress installations, and how just a little effort on the part of administrators could have saved the trouble of cleaning up after the worm. This is the inevitable problem with IT security. No matter how hard developers try to make a software safe and secure, easy to update, and respond quickly to new emerging threats, it is never enough for some users. Someone, many people in fact, will fall prey to the exploits.

I’m actually pretty impressed with how easy it is to keep a WordPress installation secure. WordPress started out like any other web application, but over time it has improved itself so much that you could, starting first with online upgrade of plugins, now upgrade the entire core of WordPress online. No need SSH or shell access to your WordPress installation. Everything is done simply through the web-based administrative interface of WordPress itself.

This is really a whole lot easier than WordPress peers. I also run a Drupal site, and I can tell you upgrading Drupal is really very painful. At least, the official Drupal upgrading steps are painful, if there is any unofficial shortcut to simplify it, I don’t know about it.

I could not have asked for anything simpler for WordPress.

Now, I ask myself what could be simpler. I suppose some WordPress administrators are perhaps looking for “automatic updates”. You know, like how Windows could automatic check for updates, download and install those updates. This would certainly be a neat feature, although of course many other WordPress administrators (myself included) would be hesitant about my WordPress installation automatically upgrading itself without my knowledge.

Hackers are not going to go away. I think if there are any WordPress administrators, or indeed any type of system administrators, who don’t want to be bothered with the details of IT security, they would be better off buying a service from someone else.

Related posts:

1. Urgent Security Update to Wordpress Yes it keeps us busy even during the festive season....
2. Urgent WordPress Security Update Security updates keeps us busy during festive holidays again. The...
3. WordPress Wins Best CMS Award I was somewhat surprised to learn that WordPress won the...

This would be my first visit to Nanyang Polytechnic. I was there for the SCADA Security and Controls event organized by (ISC)² and AiSP. The venue was pretty nice. I think I would have loved my JC to have been like this. The polytechnic seems to be quite serious about the H1N1 precautionary controls, with smart card readers, infra camera scanners, automatic sticker dispensers, etc. The seminar itself, however, was a little disappointing.

Who do you think would be attracted to an event titled “SCADA Security and Controls”? It would have to be people who know enough of SCADA to understand that it presents security risks to infrastructure. That is precisely why people like me wanted to attend, to find out what mitigation steps we can take, what others are doing, what new developments are happening, etc.

It turns out that the speakers were mostly stating the obvious. The obvious things that we all already know. The necessary steps to improved security that are so generic that they really apply to any environment, nothing even remotely SCADA specific. I’m quite surprised by the lack of substance. Can you imagine trying to teach IT security professionals the fundamentals of patch management, network partitioning, etc.

I suddenly realized I could label myself an expert in SCADA security. I don’t really need to know anything about SCADA. I just need common sense. Can someone pay me to fly all over the world to tell people the obvious?

Related posts:

1. SecurityVision 2009 Lacks Security Vision In the past week, I attended an IDC conference SecurityVision...
2. IT Security Carnival This week is IT Security Week at NUS, and so...
3. Caring For End-Users’ Security In the past, most companies don’t care. They do sell...

In the past week, I attended an IDC conference SecurityVision 2009. Something quite strange was said during the opening address which kind of surprised me. The speaker was admitting to having a virus on her computer which she could not get rid off. Her “IT people” were unsuccessful either. But it was okay, because (so she explains) the computer did not do anything dangerous except causing some annoyances on her display. What kind of IT security are you trying to teach people?

How can it be that a virus cannot be gotten rid off? How can anyone be so certain, particularly since one clearly doesn’t understand it enough to get rid of it, that the virus was not doing anything fishy in the background? If this is the kind of messages we get from an IT security conference, how can we expect the lay-person to understand IT security any better? This is truly alarming.

All the “IT experts” say IT security is important. Personally, I feel it is important too. But it is quite disappointing to see IT people treat the topic so lightly. Particularly, in an IT security event.

Related posts:

1. SCADA Security Talk This would be my first visit to Nanyang Polytechnic. I...
2. Taking Security for Granted The case of Jemaah Islamiyah leader Mas Selamat’s escape...
3. Caring For End-Users’ Security In the past, most companies don’t care. They do sell...

In the past, most companies don’t care. They do sell products with security features, but the features are turned off by default because they usually make the product more difficult to setup and use, and customers may get turned off by the complexity of getting the product to work. Fortunately, some companies are now trying to make security easy. They are putting some extra effort to take care of their customers’ interests.

One area has got to do with wireless network security. Wireless broadband routers are so prevalent nowadays. The biggest security risks with these products is with the wireless network access. Anyone in the nearby vicinity can connect to the wireless network and get direct access into your home network, as if they were plugged in with a cable to your broadband router. There have been many security enhancements to the wireless network technology: WEP, WPA, WPA2, etc.

But in the past, few manufacturers bother to turn them on, because it was difficult to explain to customers what needs to be done to setup their computer. If a product was difficult to setup, customers are going to “condemn” the product as “not-working”.

Sometimes, “setup wizard” programs make the security configuration easy. But it is even easier to not have to run the wizard. So again, it ends up that end-users don’t bother with it. What does it take to get the security awareness message across?

Well, the Linksys WRT610N I bought recently had a sticker pasted across all its ethernet ports. You can’t plug in a UTP cable until you’ve peel off the sticker. What’s written on the sticker?

WARNING: If left unsecured, your wireless network may be accessible by unauthorized users. Follow the instructions in the installation Wizard to secure your wireless network. See User Guide for additional information.

That’s really good.

Related posts:

1. SCADA Security Talk This would be my first visit to Nanyang Polytechnic. I...
2. How an IT Engineer Fixed His Home PC The symptoms: No beep, no video. Sounds bad. What happened...
3. SecurityVision 2009 Lacks Security Vision In the past week, I attended an IDC conference SecurityVision...

This week is IT Security Week at NUS, and so they have an IT Security Carnival held at the Forum. They have been running this for some years now, and I must commend the organizers for their excellent work all around. In my opinion, this is one of the more successful and meaningful event, and I’m not saying that just because IT security is one of my pet areas too.

On the one hand, the carnival is not unlike the many bazaars organized by the various student groups. But unlike the other bazaars, this one has a distinct theme and purpose, and the activities are aligned with the goals of the event. Okay, so what if Latin ballroom dancing has nothing to do with IT security, but it does serve to add another dimension to the event and draw in crowds. (It clearly did quite well filling the near empty floor left by the Deputy President’s opening address just prior to it.) There is a balance between activities that are designed to bring about increased IT security awareness, and others that simply add fun to the carnival atmosphere.

I think this is something sorely lacking in many student run bazaars that, in my opinion, have become strictly commercial affairs. I don’t understand why the university seems to be condoning such activities. If it were up to me, I’d charge commercial rental rates and demand profit-sharing.

Another peeve I have is with Munchie Monkey. This is a student-run cafe that serves Italian fare. They are helped out or supported by Spageddies. On the surface, it seems like a very nice arrangement. The students can learn a lot about operating a real business, everything from working the tables, collecting money, marketing, etc. Even if the food or service were to be slightly below standard, I’d still be quite supportive. But wait… they are closed for the long school vacation. Hmm. I think they are forgetting one lesson: You cannot simply close your business for a long vacation. In the real world, you’d still have to pay various overheads.

I may sound nasty expecting students to forgo their holidays to work. But hey, I’m not saying everyone has to work. They can work out some kind of rotation amongst themselves right? Maybe reduce the opening hours even? But not to simply shut down for the vacation! Working does involve some commitment and sacrifices.

Related posts:

1. SecurityVision 2009 Lacks Security Vision In the past week, I attended an IDC conference SecurityVision...
2. SCADA Security Talk This would be my first visit to Nanyang Polytechnic. I...
3. National University of Shopping What do students at NUS do? Shop of course. Why,...

Security updates keeps us busy during festive holidays again. The last one with WordPress 2.3.2 kept us occupied prior to the 2008 New Year. Today, the new WordPress 2.3.3 release happens just prior to the Lunar New Year. The major focus of this security release is to fix a flaw in the XML-RPC implementation. Other XML-RPC problems were also plugged in the previous WordPress release. Holidays or not… you should try to upgrade ASAP! More details on 2.3.3 here.

Related posts:

1. Urgent Security Update to Wordpress Yes it keeps us busy even during the festive season....
2. WordPress 2.5.1 Security Update WordPress 2.5.1 was just released yesterday to fix one very...
3. WordPress 2.6.5 Security Update WordPress has been updated to version 2.6.5, which fixes one...

When ZDNet reports Boeing 787 at risk of in-flight hacking, you start to worry about how your personal safety can sometimes be threatened by hackers. I wonder what was Boeing thinking about when they connected passenger Internet and entertainment networks to their on-board flight systems network. Professionals in the IT security circles already know how systems and applications must be designed with security from the start, how they need to be reviewed and audited, etc. I certainly hope aircraft manufacturers apply these principles in designing and building aircraft too!

Nowadays, so many things are driven by computers and networks. It is inevitable that IT security becomes a fundamental concern in any product or service. Already we hear horror stories about how terrorists in the Internet age can seize control of utility grids, telecommunication infrastructure, etc. Hopefully we don’t have to learn any lessons the painful way.

Not too long ago, while sitting in a Boeing 747 waiting to depart Changi Airport, I was reminded how dependent aircrafts have become on computers. To cut a long story short, the pilots could not get the fuel intake valve to open, and as a result, they still hadn’t taken in a single drop of jet fuel even when all passengers were already seated and ready for departure! (I am surprised there was no way to mechanically open it manually!)

The captain explained with some embarrassment that they were going to try the equivalent of “rebooting” the aircraft (yes, he really used the word “reboot”). It entailed shutting off power to the entire aircraft to power-cycle all the flight systems. We were asked to remain calm as the cabin became totally quiet and all the lights shut off (except for emergency lights that still worked). The flight eventually departed 3 hours later after a computer board was replaced.

How worrying it would be had a “reboot” been required mid flight!

It is also quite worrying how we are not able to build reliable and dependable computer systems. We have heard about trains colliding due to computer problems, telephone network crashing due to software errors, power grids shutting down due to computers… all these happening without terrorists playing a part. Can you imagine IT savvy terrorists helping to create chaos?

Related posts:

1. Caring For End-Users’ Security In the past, most companies don’t care. They do sell...
2. Blogging From 10363m High   I was quite wary of taking this direct non-stop...
3. Hawaii Day Zero As with most air travel to any distant destination, the...