Friday, October 30, 2015

Cyber Security Law, just passed Senate

After the horrible hacks lately the Congresscritters have decided to DO SOMETHING.  It is unclear just what they are doing, the newsies haven't talked much about it, but it sounds like a deal to allow companies and the government to cooperate, share information about hacks and attacks without fear of prosecution for collaboration and price fixing.  We now have a House version and a Senate version in need of "reconciliation" (quick rewrite to make them both the same) and Obama says he will sign it.
   I suppose it's worthy, although I'd like to know what it really says, how many pages, and what damaging little clauses got tucked into the darker corners. 
   It isn't what we need.
   We need to close the gaping holes in Windows that allow any hacker, even grade school hackers, to take over Windows computers, remotely from the Internet, and suck everything off them.  Microsoft deliberately created these vulnerabilities with the idea of increasing sales.  We need somebody or some organization to publicize these gaping holes and create public pressure on Microsoft to close them.
   Number one gaping hole is a Windows feature (bug?) called autorun.  Autorun has been causing trouble since Windows 95.  Autorun makes music CDs inserted in the drive start to play, automatically, hands off, no keystrokes or mouse clicks needed.  That part isn't too dangerous, but the dark side of Autorun loads and starts any code found on the CD.  When USB and flash drives came along, autorun was extended to load and run any code found on a flash drive.  Just insert a flash drive into a USB port, and zap, the machine is infected.  Autorun spread the Stuxnet virus in Iran.  Agents merely tossed a few flash drives into the parking lots at Iranian nuclear facilities.  Iranian workers saw them, picked them up, took them into work, plugged them into their computers, and Zap Bang, the Stuxnet virus started blowing up Iranian centrifuges.  Set the Iranian nuclear program back a year or more.
   Number 2 gaping hole is the Basic interpreters built into all the Microsoft Office products.  Basic is a full-powered computer language.  Malicious Basic programs can be inserted into Office documents (Word .doc and Excel .xls files) and Word or Excel will execute them.  Worse, if you click on such an Office document attached to an email, Windows starts up Word or Excel and passes the attachment in.  Bam, you are infected.
   Until we force Microsoft to close these two gaping security holes, we will continue to get hacked.  These aren't the only holes in Windows, but they are the worst ones that I know of.  And Microsoft can close them, in an afternoon.  All Microsoft needs is some incentive to pull up its socks. 
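
   The autorun behavior described above is driven by an autorun.inf file in the root of the CD or flash drive. The following is an added example, not part of the original post: a small Python check that reads a drive's autorun.inf and lists the entries naming something to execute. The sample file contents and the names viewer.exe and readme.htm are constructed for illustration.

```python
import os

# Keys in the [autorun] section that point Windows at something to execute.
EXEC_KEYS = ("open", "shellexecute")

def risky_autorun_entries(text):
    """Return (key, value) pairs from the [autorun] section that name a command."""
    findings = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # other sections and junk padding lines are skipped
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command adds a right-click menu entry that runs a program
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append((key, value))
    return findings

def scan_media_root(root):
    """Check a mounted drive's root folder; the file name is case-insensitive."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), encoding="latin-1") as fh:
                return risky_autorun_entries(fh.read())
    return []

# Constructed sample, not taken from real media.
SAMPLE = """\
; constructed sample
[AutoRun]
icon=setup.ico
label=Holiday Photos
OPEN = viewer.exe /silent
zzzz junk padding line
shell\\browse\\command=viewer.exe
shellexecute=readme.htm

[Content]
MusicFiles=false
"""

if __name__ == "__main__":
    for key, value in risky_autorun_entries(SAMPLE):
        print(f"autorun.inf would launch: {key} -> {value}")
```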
