Is obsolete the new secure?
I recently read an article in Defense Systems Magazine that toyed with the idea of using what most would consider obsolete technology as a “security” measure. In this case they were specifically talking about the use of 8-inch (yes, you read that right) floppy disks that hold about 1 to 1.2 megabytes of data.
They make a convincing case for it as well. How many attackers could write a malicious program à la Stuxnet that fits in that little storage, let alone still have the equipment to write it to such a disk?
Along this same vein, there are advocates of using old, “retired” operating systems as a security measure. Think about it: how many attackers are going to develop and use exploits for Windows NT 4.0 or Windows 95? What about long-unsupported Solaris releases? The cost-to-benefit ratio or, in business terms, return on investment (ROI) is almost nil because so few viable targets exist.
Now, looking at things realistically, companies by and large are not going to rely on aging, unsupported technologies for normal day-to-day business. Given that reality, they continually update to the latest version of whatever platform they use.
Yet hiding in a dark corner somewhere they might just have an old box running some specialized system that they “forgot” about or are simply “afraid” to touch. This is often true of Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. These are the systems that run everything from the robot that built your car, to the computer that drives a Computer Numerical Control (CNC) machine making parts, to the units that control the water and electrical systems at your utility companies. Companies really tend to hate updating these systems, regardless of how old they are, not only because of the cost involved but because they control critical pieces of the company’s process or infrastructure.
There are several big drawbacks to using obsolescence as a security measure. The first is that when a vulnerability is found, there is no vendor patch coming and no practical way to fix it; it is out there and can be exploited at any time. The second is attrition of technical experts with skills in the outdated software. Right now you can find plenty of IT folks with current Windows XP skills if you are still using it after the XPocalypse a few months ago. Go back a few more years and try finding someone still in the industry with working knowledge of Windows NT 3.51, which was released nearly 20 years ago and stopped being supported more than a decade ago. The final issue is physical: the hardware these obsolete systems run on. Finding compatible hardware for these old programs becomes harder and more expensive as time goes on. The same goes for the physical media needed for repair and reinstallation if it is ever required. How well is that 8-inch floppy going to hold up over time?
While obsolescence might work as a security measure for a while, in the long run the deck is stacked against it as a viable solution to an ever-persistent problem.
The Death of Windows XP… XPocalypse
On the 8th of April 2014, Microsoft effectively “pulled the plug” on its decade-plus-old operating system, Windows XP. What this means for end users is fairly simple: their Windows XP computers will not stop running, but any security issues identified in the operating system from now on will not be fixed by a patch from Microsoft.
Why does this matter? As recently as February 2014, NetMarketShare data showed Windows XP still accounting for between a quarter and a third of the computer systems running worldwide. That means up to one-third of the world’s computers are no longer receiving security patches!
Outside of the home user who just surfs the web and types Word documents, there are thousands of businesses that still run XP as part of their end-user environment and network infrastructure. Infrastructure is the key word; we are talking about things like ATMs, medical devices and equipment, standalone kiosk systems, building security systems and Industrial Control Systems.
That last one might have you stumped a bit; don’t worry, many in the IT field don’t have a good understanding of what they are or how they affect the IT industry. Industrial Control Systems include SCADA (supervisory control and data acquisition) systems, distributed control systems (DCS) and programmable logic controllers (PLC). These are the systems that control your utilities and amusement rides and run many industrial processing plants. Historically these systems have had what would be considered very poor patch compliance, since they are often deemed “critical systems” and might get patched as infrequently as once a year, if at all.
Up until now, a malicious hacker had to get into a system first to find out whether it was patched and which exploits would work. Since the end of life for Windows XP, it becomes the wild, wild west for these critical systems: when a vulnerability is discovered, you know that every system running Windows XP is not only vulnerable now but will stay vulnerable until it is replaced or isolated.
You might be wondering how likely an attack against an Industrial Control System really is. They are more likely than you would guess! The most famous attack against these types of systems was the infamous “Stuxnet” attack on Iran’s nuclear centrifuges, which ruined about one fifth of them. In 2013 a researcher at Trend Micro used a “honeypot” simulating an Industrial Control System for a water pump facility in rural Missouri. This phantom system was attacked 17 times over a four-month period; 12 of those attacks were deemed “serious,” with attack sources in China, Laos, Russia and Palestine.
This is a major issue. So much so that the United Kingdom recently paid about $9.1 million (roughly £5.5 million) to extend support for Windows XP until July 2015. The Dutch government also purchased an extended support contract for its upwards of 4,000 civil servants still using Windows XP. Recent reports indicate that even US government agencies have shelled out millions for extended support, most notably the Internal Revenue Service.
Even with extended support agreements, at $200 a system per year there is only so long that it is financially responsible to keep paying, especially when new computers with the latest operating system can be bought for under $400. It will take an aggressive operating system migration and computer replacement plan to root out all those hidden systems before the risk is mitigated.
Continuing Education and the IT Workforce
Recently at my place of employment there has been much ado about “Continuing Education” for professional IT workers, specifically when it comes to certifications. Many of the grumblings I hear go something like this:
– I don’t know why I need to do this; I know how to do my job!
– I passed the exam, why do I have to do more “stuff”?
– This is just a racket of the certification company.
The list could go on, but you get the gist of what I have heard. I can understand the frustration of having to find the time not only to do the continuing education but also to document it properly with both your employer and the certification body.
Let’s look at why Continuing Education is important:
1. IT is always changing. What you learned even as recently as a year ago can be completely out of date and superseded today.
2. Standards. Continuing Education is required by accreditation bodies such as the American National Standards Institute (ANSI) and the International Organization for Standardization (ISO) for the certification programs they accredit. Why do these organizations require it? Simple: it ensures that certified professionals keep up with the latest changes in the field.
3. Would you really want someone who was certified in 1995 and has no evidence of being current with the technology in use now? Continuing Education is how currency is demonstrated. The same process is used in a myriad of fields outside IT; notable examples of careers with Continuing Education requirements are medical professionals, teachers, lawyers, engineers and architects.
4. Continuing Education sets you apart from your peers! It can introduce you to new technologies that will make doing your job as an IT professional easier, faster or better.
5. It helps the business bottom line. While you might be away from the work center to get the training, you are bringing back skills that can reduce the cost of running your IT center, or finding new software or procedures that make your business processes more efficient and cost effective.
6. Even the most rigorous certification’s Continuing Education requirement works out to just under 4 hours a month, and most are about 1 hour. Most certifications run on a three-year recertification cycle requiring anywhere from 20 to 120 credits/units of Continuing Education in that time. While 120 may seem daunting, broken down into a monthly quota it is not only “doable” but completely realistic.
7. Certifications with Continuing Education requirements mean higher salaries! Yes, they have annual maintenance fees that can run up to $100 a year per certification, but the certifications are often gateways to higher pay. Data shows that holding a current certification can raise your pay by $5,000, and higher-level certifications like the CISSP can increase your salary by as much as 10-15%!
Here is a sampling of common certifications and the average salaries reported for them, as published by Global Knowledge and TechRepublic in 2010:
CCNA – Cisco Certified Network Associate … $79,695
MCP – MS Certified Professional … $74,438
MCSE – MS Certified Systems Engineer … $86,454
MCSA – MS Certified System Administrator … $76,337
CompTIA – Network+ … $70,902
CompTIA – A+ … $68,631
CompTIA – Security+ … $76,844
CISSP – Cert Info Sys Security Professional … $99,928
CCNP – Cisco Certified Network Professional … $89,864
VMware Certified Professional … $91,271
MCITP – MS Certified IT Professional … $82,044
CCDA – Cisco Certified Design Associate … $93,953
MCDST – MS Certified Desktop Support Technician … $70,197
8. It is a condition of employment. While many IT professionals may have opted to keep their “for life” certifications, it is becoming more and more common for employers to require certifications that carry Continuing Education requirements, whether to meet their own compliance standards or because they value having someone who is constantly abreast of the latest IT trends.
While Continuing Education can be painful if not properly managed, the benefits far outweigh the drawbacks when the two are weighed objectively.
DEFCON 318!
The first DEFCON 318 group meeting will be December 12th at 6:00PM @ Noble Savage in downtown Shreveport. Come check it out.
Online Privacy: Is it real?
Online privacy, to a large degree, is a myth we tell ourselves exists to ease our minds about the various things we do and put into the ether of the beast called the Internet.
The largest problem with the Internet and the concept of privacy is how the Internet works. As an individual, you have little to no control over the routers and switches your data will traverse as it makes its way from your computer, tablet or smartphone to its destination. Combine that with the way email handles “headers” and that “anonymous” email account is not as anonymous as you would think: every mail server that handles a message prepends its own Received header, so the chain of servers and the connecting IP address travel with the message.
Take for example the recent resignation of the Director of the Central Intelligence Agency. He appeared to have been covering his tracks with the deft hand of a true CIA “spook.” The two individuals involved shared a single anonymous email account and never actually sent messages to each other, instead leaving them in the “drafts” folder for the other to read when they logged in. With no emails between them to trace, that does not leave much for a would-be snoop to work with. In this case, one of the individuals sending an email from that account brought down the house of cards. A threatening email was sent from the shared account and subsequently reported to the authorities. From that email and the IP addresses in its headers, investigators tied the account to a group of other email accounts used from the same IP address, and to the other IP addresses that had accessed the anonymous account. From that point it was fairly easy to determine the real people behind it.
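As an added example (not from the original post), here is how that kind of trace works on the Received headers themselves. The messages, hostnames and addresses below are constructed; the IPs come from the RFC 5737 documentation ranges and stand in for public addresses. The code walks each message's Received chain in travel order, skips the provider's own internal hops, and then groups accounts by the address they were really used from, which is exactly the correlation step that links a “throwaway” identity to a real one.

```python
"""Trace an e-mail back through its Received: headers and group accounts by origin IP.

Added example, not from the original post. All messages, hosts and addresses
below are constructed; the IPs are RFC 5737 documentation addresses.
"""
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Hops from these ranges are the provider's own plumbing and say nothing about the sender.
INTERNAL = [ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def received_chain(raw):
    """Received: hops in travel order (origin first); each relay prepends its own, so reverse."""
    hops = message_from_string(raw).get_all("Received") or []
    return [re.sub(r"\s+", " ", h).strip() for h in reversed(hops)]


def hop_ip(hop):
    """Client IP of one 'from <client> by <relay>' hop, or None if only internal addresses appear."""
    client_part = hop.split(" by ", 1)[0]
    for match in IPV4.finditer(client_part):
        try:
            ip = ip_address(match.group(1))
        except ValueError:            # e.g. a queue id that happened to look like an address
            continue
        if not any(ip in net for net in INTERNAL):
            return str(ip)
    return None


def originating_ip(raw):
    """First routable client address in the chain: where the message entered the mail system."""
    for hop in received_chain(raw):
        ip = hop_ip(hop)
        if ip:
            return ip
    return None


def correlate_accounts(messages):
    """{origin IP: {accounts}} over a set of messages; a shared IP links 'separate' identities."""
    by_ip = {}
    for account, raw in messages.items():
        ip = originating_ip(raw)
        if ip:
            by_ip.setdefault(ip, set()).add(account)
    return by_ip


def _sample(sender, client_ip):
    """Constructed message: `sender` logged in from `client_ip` and the provider relayed it on."""
    return (
        "Received: from mail.example.net (mail.example.net [203.0.113.7])\n"
        "\tby mx.example.org with ESMTP id 1a2b3c; Tue, 13 Nov 2012 09:14:02 -0500\n"
        f"Received: from [{client_ip}] (unknown [{client_ip}])\n"
        "\tby mail.example.net (Postfix) with ESMTPSA; Tue, 13 Nov 2012 09:13:55 -0500\n"
        "Received: from localhost (localhost [127.0.0.1])\n"
        "\tby mail.example.net (Postfix) with ESMTP; Tue, 13 Nov 2012 09:13:54 -0500\n"
        f"From: {sender}\nTo: someone@example.org\nSubject: hello\n\nbody\n"
    )


SAMPLES = {  # two "unrelated" accounts used from the same address, plus one that was not
    "throwaway@example.net": _sample("throwaway@example.net", "198.51.100.23"),
    "realname@example.net": _sample("realname@example.net", "198.51.100.23"),
    "bystander@example.net": _sample("bystander@example.net", "198.51.100.77"),
}

if __name__ == "__main__":
    for ip, accounts in correlate_accounts(SAMPLES).items():
        print(ip, sorted(accounts))
```

Two caveats a practitioner would add: Received headers below the first relay you trust can be forged by the sender, so only the hops added by servers you trust count as evidence, and webmail providers differ in whether they record the browser's address in the headers at all. The correlation still works from the provider's side, which is where the investigators in the story got their data.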
Keep in mind, one of the people involved was the Director of the CIA. This was the man in charge of one of the largest spy organizations in the world, with top-notch encryption at his fingertips, and he was undone by a single email. If the Director of the CIA can have his private email traced back to him, what do you think your odds are?
This leads back to the new adage of “don’t put anything on the internet that you wouldn’t want your Grandmother to see,” for once something is out in the ether, there is no way to take it back.
This extends to digital photographs as well. Most modern digital cameras and smartphones embed “metadata” (Exif tags) in the image files they produce, recording things like the make and model of the camera and, if location services are on, the GPS coordinates of where the picture was taken. That makes it pretty easy for someone to take that “anonymous” adult photo with no face in it and track it back to your house.
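As an added example (not from the original post), here is what that embedded metadata looks like on the wire and how little it takes to read it or strip it. The JPEG is constructed in code (just the markers a metadata reader looks at, no picture data), and the camera name and coordinates are made up. The reader handles both TIFF byte orders, since real cameras vary on that.

```python
"""Write, read and strip the Exif block of a JPEG using only the standard library.
Added example, not from the original post; the JPEG, camera and GPS fix are constructed."""
import struct

ASCII, LONG, RATIONAL = 2, 4, 5                  # TIFF field types used here
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}       # bytes per element, by field type
MAKE, MODEL, GPS_IFD = 0x010F, 0x0110, 0x8825    # IFD0 tags
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4          # GPS sub-IFD tags

def _ifd(entries, base):
    """Serialize (tag, type, count, payload) entries as a little-endian IFD at TIFF offset base."""
    table_len = 2 + 12 * len(entries) + 4
    table, overflow = struct.pack("<H", len(entries)), b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:                    # small values sit inside the 12-byte entry
            table += struct.pack("<HHI", tag, typ, count) + payload.ljust(4, b"\0")
        else:                                    # larger ones go after the table, by offset
            table += struct.pack("<HHII", tag, typ, count, base + table_len + len(overflow))
            overflow += payload
    return table + b"\0\0\0\0" + overflow        # zero "next IFD" pointer, then the overflow

def _dms(deg):
    """Degrees as three RATIONALs (deg/1, min/1, sec*100/100), the layout cameras use."""
    d, m = int(deg), int((deg - int(deg)) * 60)
    return struct.pack("<6I", d, 1, m, 1, round(((deg - d) * 60 - m) * 6000), 100)

def build_exif_jpeg(make, model, lat, lon):
    """Constructed JPEG: SOI, one APP1/Exif segment (make, model, GPS fix), EOI."""
    gps = _ifd([(LAT_REF, ASCII, 2, b"N\0" if lat >= 0 else b"S\0"),
                (LAT, RATIONAL, 3, _dms(abs(lat))),
                (LON_REF, ASCII, 2, b"E\0" if lon >= 0 else b"W\0"),
                (LON, RATIONAL, 3, _dms(abs(lon)))], base=8)
    ifd0 = _ifd([(MAKE, ASCII, len(make) + 1, make.encode() + b"\0"),
                 (MODEL, ASCII, len(model) + 1, model.encode() + b"\0"),
                 (GPS_IFD, LONG, 1, struct.pack("<I", 8))], base=8 + len(gps))
    tiff = b"II*\0" + struct.pack("<I", 8 + len(gps)) + gps + ifd0   # GPS IFD first, IFD0 after
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment ahead of the scan data."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):               # EOI or start of scan: no more metadata
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _parse_ifd(tiff, off, endian):
    """Decode one IFD into {tag: value}: ASCII -> str, RATIONAL -> [float], LONG -> int."""
    fields = {}
    for i in range(struct.unpack_from(endian + "H", tiff, off)[0]):
        tag, typ, count, raw = struct.unpack_from(endian + "HHI4s", tiff, off + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 1) * count
        if size <= 4:
            data = raw[:size]
        else:
            ptr = struct.unpack(endian + "I", raw)[0]
            data = tiff[ptr:ptr + size]
        if typ == ASCII:
            fields[tag] = data.rstrip(b"\0").decode("ascii", "replace")
        elif typ == RATIONAL:
            v = struct.unpack(endian + "%dI" % (2 * count), data)
            fields[tag] = [v[j] / v[j + 1] for j in range(0, len(v), 2)]
        elif typ == LONG:
            fields[tag] = struct.unpack(endian + "I", data)[0]
    return fields

def read_metadata(jpeg):
    """{'make', 'model', 'lat', 'lon'} from the Exif block, or None if the file has none."""
    tiff = None
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            tiff = jpeg[start + 10:end]
            break
    if tiff is None:
        return None
    endian = "<" if tiff[:2] == b"II" else ">"   # real files come in either byte order
    ifd0 = _parse_ifd(tiff, struct.unpack_from(endian + "I", tiff, 4)[0], endian)
    info = {"make": ifd0.get(MAKE), "model": ifd0.get(MODEL), "lat": None, "lon": None}
    if GPS_IFD in ifd0:
        gps = _parse_ifd(tiff, ifd0[GPS_IFD], endian)
        to_deg = lambda dms, ref: (-1 if ref in ("S", "W") else 1) * (dms[0] + dms[1] / 60 + dms[2] / 3600)
        info["lat"], info["lon"] = to_deg(gps[LAT], gps[LAT_REF]), to_deg(gps[LON], gps[LON_REF])
    return info

def strip_exif(jpeg):
    """Copy the file without any APP1 segment; the picture itself (from SOS on) is untouched."""
    out, tail = jpeg[:2], 2
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1:
            out += jpeg[start:end]
        tail = end
    return out + jpeg[tail:]
```

Running `read_metadata(build_exif_jpeg("ExampleCam", "Mk2", 32.5, -93.75))` returns the make, model and the signed decimal coordinates, and `read_metadata(strip_exif(...))` returns None. Note that `strip_exif` drops every APP1 segment, which also removes XMP; a fuller tool would handle APP13/IPTC as well, since that block can carry location text of its own.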
Can you have privacy on the Internet? That really depends on what you mean by “privacy.” Absolute, 100%, unbreakable privacy is never going to happen unless you have a computer that you never turn on, never connect to anything, and keep locked in an armored room that only you can access after destroying the only key, etc., etc. Can you have reasonable assurance that your data will not end up in the wrong hands? Yes, by using appropriate levels of encryption, strong passwords or better yet passphrases, avoiding public WiFi and, most of all, not putting anything on the Internet that you would not want someone else to see. The key in all things security is defense in depth and not being the low-hanging fruit for an attacker to seize on and exploit.
Startup Weekend Shreveport-Bossier
Have you ever considered starting your own business but didn’t really know where to start? My friends over at the Shreveport-Bossier Cohab have the solution! This month (Oct 26-28, 2012) they are hosting a 54-hour “Startup Weekend” event, and they will take you through the process.
From their page:
“All Startup Weekend events follow the same basic model: anyone is welcome to pitch their startup idea and receive feedback from their peers. Teams organically form around the top ideas (as determined by popular vote) and then it’s a 54 hour frenzy of business model creation, coding, designing, and market validation. The weekends culminate with presentations in front of local entrepreneurial leaders with another opportunity for critical feedback.”
Sign Up: HERE