How Safe is Your Success? Part 2 of 8

Jan 16
00:37

2005

Bill Hely

Bill Hely

  • Share this article on Facebook
  • Share this article on Twitter
  • Share this article on Linkedin

"How Safe is Your Success" is a series of eight ... Each article ... a ... aspect of a ... problem which is of ... ... to those who do business on-line. Most Inte

mediaimage

"How Safe is Your Success" is a series of eight articles. Each article addresses a different aspect of a universal problem which is of particular importance to those who do business on-line. Most Internet users are at least aware there are dangers "out there",How Safe is Your Success? Part 2 of 8 Articles but few appreciate the real extent of those dangers, the possible (even likely) consequences, or the best, most practical and least expensive means of countering them. This series is intended to at least provide some useful awareness of the situation.

-------------------------

Part 2 – Shoring Up Your Browser

In Part 1 of this series I gave you some "homework" reading. If you followed up on that recommendation you have already had a glimpse of some of the things we'll discuss in this part. If you didn't do so back then, I urge you to read that article before continuing:
http://hackersnightmare.com/FreeContent/Browser_Wars.pdf

Now, there simply isn’t the space available here to get into the specifics of the various browser brands and versions so, where specifics are at all necessary, I'm going to restrict this article to Microsoft's Internet Explorer. Despite the inroads made by competitors such as Mozilla Firefox, Internet Explorer is still the choice (even if by default) of 90% of the worlds Internet-using population. No matter whose survey figures you choose to believe, it's somewhere around that number. Even so, while the fine detail may differ, the general warnings and recommendations herein apply to all browser brands.

As computer programs become more and more complex, the likelihood of errors somewhere in the thousands – even millions – of lines of programming code becomes so high as to be almost guaranteed. Obviously it is thus essential that there be some way to correct any errors that may be discovered after the program has been released. The method of doing so is referred to as "applying patches and/or updates". Broadly speaking, we can say that patches fix "broken things", while updates add new functionality. In either case it is usually a simple process of downloading a small corrective file and running it to apply the fix/update to the main browser program.

Unfortunately, if they think about it at all, millions of browser users the world over take the position "if it works, why mess with it?". Their browser gets them around the Internet and that's all they want of it. But they are giving no thought to what is happening behind the scenes; to what advantage is being taken of the "broken things" they haven't bothered to patch.

A great example of the dangers of such complacency can be found in a short article from USA Today that is actually more to do with firewalls (which we will look at in Part 7 of this series). I urge you to read this article now, paying particular attention to the fact that the malicious exploits mentioned were all targeted at, and made possible by, known flaws in Internet Explorer – flaws for which a patch was available but had not been applied. Please do read this article before continuing:
http://hackersnightmare.com/FreeContent/Other/HoneyPots.pdf

Patches were available to plug the holes that were exploited by the MS Blaster and Sasser worms (as described in the above article) even before those attacks took place. It was the sheer number of unpatched Internet Explorer installations globally that allowed those very costly and near-catastrophic attacks to take place at all. Instead of going off with a bang that was heard around the world and echoed in all the mainstream media, they should have resulted in nothing more than a fizzle.

Internet users who don't patch their Windows Operating System and browser regularly are doomed to get infected. If you have an always-on broadband connection, then make that a guarantee. The really insidious thing about all this is that you often will not even know that someone or some thing has squirreled away inside your computers. Only if you are lucky will you be alerted by "strange things" happening or some sort of obvious problem. But be aware an infection can be more akin to a slow cancer – invisible but "deadly" to your safety, your security and possibly to your bank account. Your files can be altered and your precious data browsed by strangers without your knowing anything about it.

For the private individual on a home PC it is an unnecessary risk, and far from "relatively harmless". In my eBook The Hacker’s Nightmare™ I include a contribution from a retired FBI Special Agent who tells just how little information is needed to steal someone's identity. There is enough such information on just about any home PC.

For a business it's just plain crazy to ignore these threats, and possibly even criminally negligent. In many countries the holder of data about others is legally responsible for the safety of that data. If you store information about customers, suppliers, employees, patients, etc. data carelessness could leave you exposed to enormous legal and financial penalties. Exacerbating the danger further is the fact that often management is legally responsible for the actions of employees, so the onus is on business operators to take all necessary steps to ensure data security. Oh, and complaining that you are only a small business, a sole operator or just work from home is very unlikely to garner much sympathy when the letter of the law is applied.

By itself, regularly patching and updating your browser, operating system and other major software applications will not give you 100% protection. But it is a very necessary component of a sensible and thorough defense-in-depth strategy.

With specific regard to the browser, you'll find numerous articles on the web explaining that you must make all sorts of modifications to Internet Explorer's configuration settings to further enhance it's security. If you have never done so, click on Internet Explorer's "Tools" menu item, then select "Internet Options" from the list. Have a look through the various Tabs and options with which you are presented (just look, don't touch!). Do you really want to get involved with all that complexity? There are options and custom settings for this and that, zones, advanced privacy settings and so on. An inappropriate selection or a clash of options can make things worse instead of better — so don't experiment! It is much better and much safer all round to use the afore-mentioned defense-in-depth strategies to protect the browser and much else besides.

Exactly how you implement regular, scheduled patching and updating depends on several factors such as Windows and browser versions. You can find all the necessary information and instructions at the Microsoft website and in the various Help files that accompany Windows and browser. A much better option would be to consult "Chapter 15: Patches, Updates and Service Packs" and "Chapter 16: Microsoft's Patch & Update Services" from The Hacker’s Nightmare™. Those chapters are designed to provide all the details and instructions in one place and in a logical, jargon-free and easy to follow manner, with the added bonus of having ready access to all the strategies and tutorials in the rest of the book to really implement solid defense-in-depth protection.

However you go about it, there's one thing you must be clearly aware of: probably sooner than later complacency will cost you – perhaps very dearly. Keeping your Operating System and your browser patched right up-to-date is NOT optional.

-------------------------