Bad Security Can Be Fatal

If you want to know just how bad it can be when software suppliers get their security wrong, look no further than this advisory from the FDA.

There appears to be a remote exploit against medical drug infusion pumps, potentially allowing an attacker to change the drug dosage. While there are no reports of any actual attacks using this exploit, it could obviously have extremely serious consequences. It’s the Hospira Symbiq Infusion System, so you don’t need to worry (this time) unless you or your hospital use one of those devices.

It seems to be the result of schoolboy security errors. The advisory recommends closing the FTP and Telnet ports. Networked medical devices should under no circumstances be programmed to accept FTP or Telnet connections. They also advise changing the default passwords — the device should not function until the default password has been changed. Such mistakes may be forgivable on some networked devices, but not on medical devices.

Basic Security 1: Keep Your Operating System Updated

This is the first in a series of posts on things that everyone should be doing to improve their security. These are the things that are so important that there’s no real room for debate about whether they’re worth doing or not in your situation — just do them.

The single most important thing you can do to improve your security is to keep your operating system (OS) updated. New vulnerabilities are being found all the time that can compromise your data, or let an attacker take complete control of your machine, and software suppliers are usually pretty quick at issuing fixes for these vulnerabilities (except for Android devices). But the fixes will do you no good unless you install them, or even better allow them to be installed automatically. We’ll talk about upgrading standalone web browsers, email clients and other critical software in a future post.

Many people are nervous about applying software updates because it feels like a security risk to do so. It’s true that you should be careful what software you allow to run on your machine, and you should be cautious if a window suddenly pops up saying “Run this to upgrade your software”, but it’s far, far safer to keep your software upgraded than it is not to. Just make sure that you download the update from the software company’s website or using the operating system’s built-in update facility, and don’t do it while you’re on a public wifi network.

Check your OS version

The first step with your operating system is to make sure that it’s new enough that the supplier is still supporting it with security patches. If not, then you need to upgrade right now to a supported version. If your hardware is too old to run a newer version, then I’m afraid it’s junk, at least if it’s a computer. You need new hardware. If it’s a computer, it will be at least five years old, and probably older, so you’ll have had your money’s worth out of it. If it’s a smart phone or tablet, those are newer devices with shorter lifespans, and you may have to live with a faster upgrade cycle. But their operating systems tend to be more secure, and you may be able to get by for a while on an older version. I’ll attempt to tell you below when that’s not the case.

So, you need to determine what version of the operating system you’re currently running on any device you have that creates or accesses your personal information — that will generally be any computer, smartphone or tablet that you own. If you don’t know what version of your operating system you have, search online for “check Windows version” (or OS X, iOS, Android, or whatever your operating system is), and follow the link.

Windows XP (and earlier versions such as Windows 2000, Windows 98 and Windows 95) is no longer supported. “Extended support” for Windows Vista (which includes security fixes) expires on April 11 2017, so if you’re a Vista user, you will need to have upgraded by that date. Windows 7 and higher are all good until at least 2020. Windows 10 has just been released, and is a free upgrade for users of Windows 7, 8 or 8.1, but not Vista or XP. However, note that the free upgrade will only be available for a year from the launch date.

Apple do not publish support expiry dates like Microsoft do, but they are currently supporting OS X 10.8 (Mountain Lion), 10.9 (Mavericks), 10.10 (Yosemite) and the forthcoming 10.11 (El Capitan). If you’re still using 10.8, it’s likely that support will end soon, and you should be thinking about upgrading. Almost any Mac that runs 10.8 will also run all newer versions up to and including 10.11. Apple’s OS upgrades are generally free.

iOS 8 is the only iOS version still supported, and it won’t run on the iPhone 4 or older, the first generation iPad, or the 4th generation or older of the iPod Touch. The forthcoming iOS 9 should run on anything that will run iOS 8. iOS is secure enough that you may be able to get away with running an unsupported version for a while, but keep an eye on announcements of critical vulnerabilities if you do so.

Android is much less standardised than iOS, and phone manufacturers are not always good about providing upgrades for phones that are no longer sold. Only Android versions 4.4 (“KitKat”) and 5.0 (“Lollipop”) or newer are still supported. With the announcement of the Stagefright vulnerability, you have a difficult choice to make if you’re on an Android version between 2.2 and 5.1 (especially if it’s before 4.1) and you can’t get a fix from your handset manufacturer.

Check for OS updates

Having worked out what version of your operating system you have, it’s time to check for updates. It’s worth doing so even if it’s no longer supported, or if you plan to upgrade to a newer version, since it will improve your security more quickly and may make the upgrade process go more smoothly.

If you don’t know how to check for updates, search online for “update Windows Vista” or “update Android 4.1” or whatever the name and version of your operating system are. Then follow the instructions that you find. You may find that you’re updating some other software as well, besides the OS, and that’s fine — there are very few situations in which updating your software will reduce your security. I would advise enabling automatic updates to make sure that you stay updated in future — pretty well all modern operating systems have that feature.

Keep An Eye On It

Security is a process, not a check-list that you can complete once and be finished with it. You should periodically check that your OS is remaining up-to-date, and is still supported by the supplier. At the current product lifecycles, you should be looking to update your version of Windows at least every five years, OS X every two years, and iOS or Android every year. That’s it for operating systems. Next time, we’ll look at the other software running on your computer, tablet or phone.

Update your BIOS

Well, here’s a fun one. Your BIOS is the small computer built into your main computer that handles things like the boot sequence, and everything else that happens before you’ve loaded your operating system. And in many cases an attacker with access to your machine can write their own code to it simply by having your machine go to sleep and then waking it up again.

This is not a remote exploit, and it’s unlikely to actually affect you unless you’re being explicitly targeted. But you should update your BIOS with a fixed version, if your machine is affected. If you’re on OS X then just keeping up-to-date with your OS updates will do the trick, but on Windows you’ll need to get an update from your computer’s manufacturer, not from Microsoft. So far only some Apple and Dell machines are known to be affected.

Windows 10 Will Share Your Wifi With Your Contacts

The Register points out that by default Windows 10 will upload an encrypted version of your wifi password to Microsoft and anyone in your contacts will be able to use your wifi. Now, that’s a nice feature and lots of people might find it useful — but it should really be opt-in rather than opt-out, even though that would drastically reduce the take-up. Windows Phone has apparently been doing this for some time, but no one has noticed, because no one actually uses Windows Phone.

By default, your Outlook.com and Skype contacts will be able to use your wifi, assuming they’re also using Windows 10. If you opt in, then so will your Facebook friends.

The feature is called Wi-Fi Sense, and it’s relatively hard to opt-out — you have to change the name of your wifi network to have “_optout” on the end. I think I’d rather opt out by not installing Windows 10, and not giving my wifi password to anyone who is running Windows 10.

Even worse, it’s not just your network that’s shared (Windows doesn’t know which network is yours, after all); it’s any password-protected wifi network you connect to. So you’re potentially sharing the passwords of your employer, friends and family, not just your own password.

Edited: It appears that The Register is being needlessly alarmist. It’s hardly the first time, and I should have checked more thoroughly.

Ars Technica has a more sensible version of the story. Wi-Fi Sense is opt-in in Windows 10, and you have to opt in for each network. However, you should still be careful — for example, Gmail adds everyone you email to your address book, so if you sync your Gmail address book with your Outlook.com contacts, then everyone you’ve ever emailed will be able to use any wifi network that you’ve chosen to share. And certainly don’t share your employer’s wifi network.

Welcome

Information security is one of the biggest issues of our time, affecting both individuals and society as a whole. It seems like every day there’s another news story about websites being hacked or critical software vulnerabilities. As more of our lives and our infrastructure go online, things will only get worse.

And yet most of us are being asked to make decisions, both individually about our own security and collectively about society as a whole, that we’re not equipped to make. Security is about trade-offs, and you can’t choose the balance between usability and security, or between cost and security, unless you understand the implications of your choices. On this blog, I hope to provide enough information that my readers can make better-informed decisions.

And it’s called Opinionated Information Security for a reason. I don’t take a neutral point-of-view, as supposedly found in Wikipedia articles. I have opinions, and I plan to share them. I hope that I will give you enough information that you can have opinions of your own, whether or not they’re the same as mine.

I’m a Mac OS X and iOS user myself, and will inevitably be better-informed on those operating systems than on Windows or Android. But I’ll try to include the basics for all consumer operating systems. If you’re using Linux, or any other Unix variant (except OS X, iOS and Android) then I’ll assume you have a higher degree of technical knowledge.

Stagefright Android Vulnerability

This looks like a bad one. An attacker can execute their own code on many Android phones simply by sending an MMS message, and in some cases you don’t even have to view the message to be infected. And the whole Android software update ecosystem is a complete mess, so very many phones will never get patched for it. At the time of writing it seems like there are almost no fixes available from handset suppliers, although the vulnerability was discovered and reported (by Joshua Drake at Zimperium zLabs) in April.

There’s not much you can do about it other than waiting for your supplier to release a fix. It’s worth changing the settings in apps like Messenger and Hangouts that can receive MMS messages so that they don’t “automatically receive MMS messages”. If your Android version uses Messenger for SMS messages, you can block messages from people you don’t know, but of course that could block messages that you want to receive.

If you’re on an old handset — and that may mean only a few months old — you may never get a fix. I would certainly avoid opening messages that you’re not expecting from anyone you don’t know, but it seems that may not be enough on at least some phones — the bug is much harder to exploit on Android versions 4.1 and later, so they’re potentially less affected. If your Android version is so old that it’s 2.1 or earlier, then you’re not affected at all.

It’s this kind of thing that frankly makes me question whether anyone should be buying an Android phone, except for a Nexus or another phone made by Google themselves. The manufacturers don’t regard themselves as software companies, and so don’t pay enough attention to software issues and getting updates out to users, especially users on handsets that aren’t being manufactured any more.

More later, when we have clearer details of exactly who is affected and how bad it is.

Edited to add: Here is the original blog post announcing the vulnerability.