• Some Windows XP Users Can't Afford To Upgrade

I just read a post on Slashdot:

    During a recent trip to an eye doctor, I noticed that she was still using Windows XP. After I suggested that she might need to upgrade soon, she said she couldn't because she couldn't afford the $10,000 fee involved with the specialty medical software that has been upgraded for Windows 7. Software written for medical professionals is not like mass market software. They have a limited market and can't make back their money in volume because there isn't the volume for an eye doctor's database product like there is for Office or Quicken. With many expecting Microsoft's upcoming end-of-support for XP to cause a security nightmare of unsupported Windows devices in the wild, it seems a good time to ask how many users may fall into the category of wanting an upgrade, but being priced out by expensive but necessary third-party software. More importantly, can anything be done about it?

Let me briefly give you some insight into a discussion I had a few years ago: I was in touch with a regulator for medical devices, as I wanted to understand their approach to patch management for embedded software. The reason behind my ask was that I had talked to hospitals in this country and the CIOs all told me that they are not allowed to patch/upgrade because they would violate the accreditation of the device. So, when I talked to the regulator, they told me that they require only a proper risk management process by the vendor of the device (not an effective one, just a process) and from there on they do not want to act. They told me that the hospitals need to increase pressure on the vendors to keep software updated and that the vendor does not have the incentive.

This is one of the key scenarios that scares me about the Windows XP end of life: machines which cannot be upgraded for legal reasons or because of economic pressure, as described above.

    Roger

  • Microsoft Account: Enable Two-Step Verification

We could even talk about two-factor authentication, in my opinion. The idea is that whenever you log on from an untrusted PC, you will be asked to use a second factor (or step). In my case, which I show below, I use the Authenticator app on my phone, which is similar to an RSA SecurID.

    How to set it up? Fairly easy:

Log on to your Microsoft Account (formerly Live ID) at https://account.live.com.

    There you have all your account settings. Go to your Security Info:

    And choose Set up two-step verification, which will guide you through the wizard:

    Once you are done, get back to your Security Info and choose Authenticator App:

    In the meantime, download the Authenticator App to your phone as in the next screen you can pair them:

Done! Enjoy the additional layer of security :)

    Roger

  • Internet Accessible SCADA Systems

This is a fairly scary view of the world… Freie Universität Freiburg mapped the Internet-accessible SCADA systems. Have a look for yourself: https://www.scadacs.org/projects.html

    Roger

  • Cyber Espionage and Targeted Attacks

This morning I read an article on InfoWorld: Why you should care about cyber espionage, which – to me – is a strange question. First of all, most companies have to protect some sort of intellectual property. It is nothing new, even on the Internet, that state-driven espionage targets not only state secrets but industry as well. Therefore cyber espionage is in no way different from any other espionage. Did you care about losing your intellectual property 20 years ago? Then you had better care about it today as well.

Secondly, looking at the targeted attacks companies have suffered, they are by no means limited to state-owned infrastructure. They hit private-sector companies as well as public-sector organizations.

Should you care about protecting your intellectual property? For sure!

    Should you defend against targeted attacks? What a question. If you are concerned about this, I recently blogged about a paper we published: Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.

So, there should be no separation – just protect your infrastructure and make sure you care about classical network hygiene (as described in the paper above). This is the best first step to happiness :)

    Roger

  • The Challenge of Patch Management

Depending on where I travel and which customers I talk to, patch management is still the number 1 issue coming up. Not only is deploying the updates a challenge – much worse, there is still an awareness issue in a lot of markets. People know that they should patch but too often do not do it – and if they do, well, there is no real process attached to it. Additionally, one of the issues I often raise publicly is that a lot of companies still focus on Microsoft products "only". I basically like it when they keep "our" part of the infrastructure current, but there is a lot more…

We all know that the basis for any security in any infrastructure is to stay current – often not only on patches but on software versions as well. I guess we all agree on that. But it gets worse. What about firmware and BIOS? How will we be able to keep them current? What do we do with protocols that are flawed and need a major migration?

The reason why I bring this up is that I read three articles this morning, all going in this direction:

And there are a lot of similar challenges. How do we handle such updates? How do we even find them? We have seen a lot of these issues recently in hardware and even in goods which have computers embedded – like cars.

This is still a very, very manual thing, and I currently have no idea how to address such challenges besides having a good inventory and an understanding of the business processes, so that you can do a proper risk assessment and then run a process for handling the security updates. What would be needed from your point of view?

My real fear is that we will see attacks moving down the stack more broadly. If you can control the routers in a target's environment, well, this would definitely be an interesting thing.

    Roger