By Bill Hely
"How Safe is Your Success" is
a series of eight articles that address different aspects of a universal
problem, one that is of particular importance to those who do business
on-line. Most Internet users are at least aware there are dangers "out
there", but few appreciate the real extent of those dangers, the possible
(even likely) consequences, or the best, most practical and least expensive
means of countering them. This series is intended to at least provide some
useful awareness of the situation.
Part 2 – Shoring Up Your Browser
In Part 1 of this series I gave
you some "homework" reading. If you followed up on that recommendation
you have already had a glimpse of some of the things we'll discuss in this
part. If you didn't do so back then, I urge you to read that article before
continuing:
http://hackersnightmare.com/FreeContent/Browser_Wars.pdf
Now, there simply isn’t the
space available here to get into the specifics of the various browser brands
and versions so, where specifics are at all necessary, I'm going to restrict
this article to Microsoft's Internet Explorer. Despite the inroads made
by competitors such as Mozilla Firefox, Internet Explorer is still the
choice (even if by default) of 90% of the worlds Internet-using population.
No matter whose survey figures you choose to believe, it's somewhere around
that number. Even so, while the fine detail may differ, the general warnings
and recommendations herein apply to all browser brands.
As computer programs become
more and more complex, the likelihood of errors somewhere in the thousands
– even millions – of lines of programming code becomes so high as to be
almost guaranteed. Obviously it is thus essential that there be some way
to correct any errors that may be discovered after the program has been
released. The method of doing so is referred to as "applying patches and/or
updates". Broadly speaking, we can say that patches fix "broken things",
while updates add new functionality. In either case it is usually a simple
process of downloading a small corrective file and running it to apply
the fix/update to the main browser program.
Unfortunately, if they think
about it at all, millions of browser users the world over take the position
"if it works, why mess with it?". Their browser gets them around the Internet
and that's all they want of it. But they are giving no thought to what
is happening behind the scenes; to what advantage is being taken of the
"broken things" they haven't bothered to patch.
A great example of the dangers
of such complacency can be found in a short article from USA Today that
is actually more to do with firewalls (which we will look at in Part 7
of this series). I urge you to read this article now, paying particular
attention to the fact that the malicious exploits mentioned were all targeted
at, and made possible by, known flaws in Internet Explorer – flaws for
which a patch was available but had not been applied. Please do read this
article before continuing:
http://hackersnightmare.com/FreeContent/Other/HoneyPots.pdf
Patches were available to
plug the holes that were exploited by the MS Blaster and Sasser worms (as
described in the above article) even before those attacks took place. It
was the sheer number of unpatched Internet Explorer installations globally
that allowed those very costly and near-catastrophic attacks to take place
at all. Instead of going off with a bang that was heard around the world
and echoed in all the mainstream media, they should have resulted in nothing
more than a fizzle.
Internet users who don't
patch their Windows Operating System and browser regularly are doomed to
get infected. If you have an always-on broadband connection, then make
that a guarantee. The really insidious thing about all this is that you
often will not even know that someone or some thing has squirreled away
inside your computers. Only if you are lucky will you be alerted by "strange
things" happening or some sort of obvious problem. But be aware an infection
can be more akin to a slow cancer – invisible but "deadly" to your safety,
your security and possibly to your bank account. Your files can be altered
and your precious data browsed by strangers without your knowing anything
about it.
For the private individual
on a home PC it is an unnecessary risk, and far from "relatively harmless".
In my eBook The Hacker’s Nightmare™ I include a contribution from a retired
FBI Special Agent who tells just how little information is needed to steal
someone's identity. There is enough such information on just about any
home PC.
For a business it's just
plain crazy to ignore these threats, and possibly even criminally negligent.
In many countries the holder of data about others is legally responsible
for the safety of that data. If you store information about customers,
suppliers, employees, patients, etc. data carelessness could leave you
exposed to enormous legal and financial penalties. Exacerbating the danger
further is the fact that often management is legally responsible for the
actions of employees, so the onus is on business operators to take all
necessary steps to ensure data security. Oh, and complaining that you are
only a small business, a sole operator or just work from home is very unlikely
to garner much sympathy when the letter of the law is applied.
By itself, regularly patching
and updating your browser, operating system and other major software applications
will not give you 100% protection. But it is a very necessary component
of a sensible and thorough defense-in-depth strategy.
With specific regard to the
browser, you'll find numerous articles on the web explaining that you must
make all sorts of modifications to Internet Explorer's configuration settings
to further enhance it's security. If you have never done so, click on Internet
Explorer's "Tools" menu item, then select "Internet Options" from the list.
Have a look through the various Tabs and options with which you are presented
(just look, don't touch!). Do you really want to get involved with all
that complexity? There are options and custom settings for this and that,
zones, advanced privacy settings and so on. An inappropriate selection
or a clash of options can make things worse instead of better — so don't
experiment! It is much better and much safer all round to use the afore-mentioned
defense-in-depth strategies to protect the browser and much else besides.
Exactly how you implement
regular, scheduled patching and updating depends on several factors such
as Windows and browser versions. You can find all the necessary information
and instructions at the Microsoft website and in the various Help files
that accompany Windows and browser. A much better option would be to consult
"Chapter 15: Patches, Updates and Service Packs" and "Chapter 16: Microsoft's
Patch & Update Services" from The Hacker’s Nightmare™. Those chapters
are designed to provide all the details and instructions in one place and
in a logical, jargon-free and easy to follow manner, with the added bonus
of having ready access to all the strategies and tutorials in the rest
of the book to really implement solid defense-in-depth protection.
However you go about it,
there's one thing you must be clearly aware of: probably sooner than later
complacency will cost you – perhaps very dearly. Keeping your Operating
System and your browser patched right up-to-date is NOT optional.
-------------------------
Bill Hely is a technologist,
consultant and author living in Brisbane, Australia. For most of the last
two decades his professional focus has been on advising and supporting
small business operators in Information Technology and Office Productivity
issues — and rescuing them when they didn't heed his advice the first time
around. He is the author of several books on technology for the business
operator, including the Bible of Internet and computer security "The
Hacker's Nightmare". For more information on this must-read tutorial
and reference visit: http://HackersNightmare.com
|
