Showing posts with label Windows. Show all posts

Friday, July 14, 2017

A Federal Department of Cyber Security?

An Op-Ed in Wednesday's Wall Street Journal calls for creation of one. The writers want to consolidate some 11 existing cyber security agencies into one new cabinet-level department, like we did creating the Homeland Security Dept some 15 years ago. Sounds cool. I wonder what such a new bureaucracy would do, other than draw their pay. The writers, by the way, both work for Sullivan and Cromwell, a law firm doing cyber security work. They probably figure that a big cyber security department could write bigger contracts than 11 smaller ones.
  There are probably 300 million computers in the country, pretty much all of 'em running Windows, the world's most vulnerable operating system. Some fraction of these (1/10th? 1/4? maybe even 1/2?) have critical data: voter registration, credit card data, phone bills, driver registrations, title deeds, stock ownership, bank accounts, and more. Destruction or even just tampering with any of this stuff would cause all sorts of havoc. Not to forget national security stuff: codes, ciphers, location and numbers of nuclear weapons, plans for warplanes, operational orders, size and strength of the armed forces, war plans, effectiveness of weapons, and more. And finally there is control of things like the electric power grid, nuclear power plants, the phone network, the Internet, even city traffic lights. Putting out the lights, even just fouling up the NYC traffic lights, would be very very expensive.
  Keeping all this stuff secure is low level work: the system administrator of each of however many million computers has to insist on strong user passwords, disable the passwords of employees leaving the outfit, do weekly backups, keep each machine up to date on Microsoft patches, keep critical machines in locked rooms, insist on periodic password changes, search for and eradicate malware, and insist that only one firewall machine be on the public internet, with all the rest going thru the firewall machine to get to the net. It's the unsung efforts of a vast number of low level workers that keep us as secure as we are. I don't see how a high level cyber security department would help out here.
   Users, commercial, military, and state, ought to come together and pressure Microsoft to close the many gaping holes in Windows security.  Microsoft ought to disable autorun (we spread Stuxnet on the Iranians via autorun).  Microsoft ought to remove the Basic language interpreters inside Word, Excel, and probably other stuff.  The Basic capability is never used by real users, and allows damaging malware to be hidden inside harmless looking documents, sent as e-mail attachments to infect victim computers.  And there are dozens of other Windows loopholes that anyone versed in Windows internals can tell you about.  Concerted pressure from all users might shape the Microsofties up.  
   As for the controlling of things, electric power generators, transformers, trains, rolling mills, air traffic, etc., one simple rule will do a lot of good. Never pass control or monitoring signals over the public internet or the public telephone network. Run your own dedicated line, preferably fiber optic, preferably on your own poles. Make it so hackers would have to climb a pole and tap a line to gain control. Fiber optic is much harder to tap than traditional copper pairs.
   We have a huge army of under-employed lawyers in this country. Tell the affected companies that we will sic those lawyers on them should their equipment fail because some hacker gained control over the internet. Keep it off the internet and we will be much safer.

Thursday, February 11, 2016

Cyber Security for ordinary businesses

In this day and age, everything your company does is on the company computers somewhere. Email is forever. First off, you need to identify the things that you need to keep secret from hackers and competitors. Start with personnel records. Those must be secret to keep competitors from pirating your best people. Pay and salary is particularly sensitive because when that gets out, everyone in your company gets bad feelings about everyone who makes more than they do. And it points headhunters toward your less well paid people. Production information: mechanical drawings, electrical schematics, parts lists, software source code, test procedures, recipes and formulas. With this stuff someone can set up to make your product and compete with you. That's legal in places like China. At the very least they can make a good guess at your cost of production. Sales and marketing: your customer lists and customer contact information. If the competition gets to your customers and wins them over, you are hurting. Email: there is bound to be damaging information in someone's email.
    To keep the hackers out, first consider keeping stuff OFF the hard drives. Back it up to CD-ROM and keep the CDs in a locked room. There is a lot of old stuff on hard drives that you don't use today, but that could do a lot of damage in the wrong hands. If the stuff is really valuable, now is the time to establish an off-site backup location.
    Set up a secure network. This is a small number of computers, kept in locked rooms, and NOT connected to the general company network or the public internet, or the public phone network. By not connected we mean NO wires or wireless connections to anywhere. Don't rely on "firewalls", some of them have caught fire in the past. Snip off the wires going to the USB sockets to prevent flash drive virus invasion. Remove all floppy drives to prevent invasion by merely inserting a boot floppy in the "A:" drive. Keep all your sensitive stuff on the secure network. When you do Engineering Change Orders, pull the master drawing off the secure network, give it to the engineer, and have him return the updated version to the secure network.
   Now we come to training your personnel.  Start with email.  Make sure everyone understands that email lasts forever, and will be used against you in court, and by hackers.  Tell them to never put anything in email that they would not post on the bulletin board at the local super market.  If the matter is sensitive, handle it face to face or over the phone.  And delete old emails after 30 days.
   You want to run an anti virus scan once a week on every computer in the company.  Virii can do the damnedest things, just ask the Iranians about Stuxnet.  Commercial virus scan programs are pretty good, and they get better every week.  Keep your anti virus updated.  Even if you have a deal that permits IT to run the virus scans remotely, you still want everyone to understand how important they are.
   All your creative people want to keep their stuff on their machines, just in case.  Encourage them to encrypt it, and/or back it up to CD and keep it  in a locked drawer.  And make sure the latest version is stored on the secure network as well as on their private hard drives. 
   Consider getting rid of Windows company wide.  It can be done.  Linux works, and isn't too difficult for your people to learn.  Windows is totally, but totally, insecure.  Anything stored on a Windows computer is vulnerable to small children, let alone adult hackers.

Tuesday, February 9, 2016

Obama does an Op-Ed in the WSJ

Nice big half-a-page Op-Ed piece with an illustration. "Protecting US Innovation From Cyberthreats". Sounds great. Only trouble is, the Op-Ed contains zilch about protecting anything. Lotta nice empty words, typical Obama speak, but nothing of substance. He does promise to spend money, $19 billion on the "Cyber Security National Action Plan", whatever that might be. And another $3 billion on federal IT. And a new bureaucrat, the Chief Information Security Officer, salary unspecified. And another unfunded effort to "build a corps of cyber professionals" to "push best practices at every level". And a new "cyber security Center of Excellence". And a new "bipartisan Commission on Enhancing National Cybersecurity".
   Does anyone really think adding more bureaucrats, more funding, and more bureaucracy is gonna keep the hackers out?
   The real situation is this. Any computer connected to the public internet or the public phone system is vulnerable to invasion and plundering. Windows computers are ten times more vulnerable than any other sort of computer. We must never store valuable information on computers connected to the public internet. And we should never store valuable information on any sort of Windows computer. They are like Swiss cheese, full of holes. If we made this nationwide policy we would be a helluva lot more secure than we are now.
   Obama doesn't understand any of this.  In fact I doubt that Obama knows how to boot up his laptop. 

Friday, June 5, 2015

Hacking US computers.

The TV newsies have been making a big deal of the big hack of  the federal Office of Personnel Management, where the personnel records, security clearances, performance reports, salaries, contact information, social security numbers, everything, of 4 million civil service workers were stolen. 
   Wanna bet the records were stolen off Windows systems?  Thank you Bill Gates for your continuing contributions to American security. 

Thursday, June 4, 2015

Shepherd Smith was trashing XP yesterday

Fox News commentator Shepherd Smith said that use of the old Windows XP operating system by the IRS led to the recent break in and identity theft on millions of taxpayers.
   I don't agree. Windows XP is time tested, and Microsoft has been patching it for some 12-15 years. That's enough patches to plug many holes. The newer Windows are fatter, slower, and flakier than well proven XP.
   The real problem at IRS is the use of Windows in any form.  Windows is like Swiss cheese, full of holes that let hostiles in, and it's so big that no one understands it.  The IRS ought to be running some form of Unix  (Linux is a good one) which is infinitely more secure than any flavor of Windows. 

Friday, March 20, 2015

Market place winners and losers

Loser: Windows. Only 56% of the hits on my blog were from Windows machines. Used to be Windows had 90+% market share. Runner up: Linux! 29%. Hard to believe. Linux works well, but the multiple suppliers haven't convinced the market that all Linux programs will run on all flavors of Linux. The rest of the hits were from various cell phone OSes like Android.

Winner:  Firefox.  Top browser, 57% of hits here. Beat out Chrome. Internet Exploder way down at 11%.  This after some net buzz about how Firefox was all washed up. 

Sunday, July 20, 2014

Cyber Security according to the Economist

The Economist ran a 10 page special supplement on cyber security, mostly hand wringing about how little security we have.
   They have a point there. Most computers run Windows and Windows is like Swiss cheese, full of holes. Any Windows computer on the internet can be hacked, from the net, and quickly. Bill Gates has hung all our dirty laundry out to dry in the sunlight, where anyone can see it.
  For instance, those electronic medical records that Obama stuck us with.  They are all visible on the net to any competent hacker.  For instance, when you apply for a job, HR can access your medical records and put the kibosh on hiring you if they see you as a high cost patient on the company medical plan.  And there is nothing you can do about it,  your doctor puts your medical records on the computer whether you like it or not, and there you are, hung out to dry.  Note: Don't tell your doctor about suicidal feelings, mental problems, anything that might be used against you, either at trial or at a hiring decision.
  Things you can do.  Use good passwords.  Avoid passwords found in dictionaries, they have all been cracked.  Passwords like sunlight, tornado, U.S.Grant, hunter, rapids, bulldozer are all precracked.  Use long passwords, longer is better.  Use mixed case (some caps, some lower case) and digits.  For instance Torino69 is stronger than just plain torino.   ByTheRocketsRedGlare is stronger than usemgr.
   The experts will tell you to use different passwords for each thing (account) that you log into.  Good advice, but tough to follow.  No way can I remember and keep straight 20 odd passwords for the 20 odd accounts I own. I do use strong passwords and that's about it. 
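As an added example (not from the original post), here is a Windows PowerShell function that applies the password rules above to a candidate password. The word list is a constructed stand-in for a real cracking dictionary, the 12-character threshold is my own choice (the post only says longer is better), and it goes one step past the post by treating a dictionary word with digits tacked on, like Torino69, as still weak, since cracking tools try such suffixes as a matter of course.

```powershell
# Added example, not the post's code. Checks a password against the post's advice:
# avoid dictionary words, use length, mix character classes.
# $PreCracked is a constructed stand-in for a real cracking dictionary.
$PreCracked = @('sunlight', 'tornado', 'hunter', 'rapids', 'bulldozer', 'torino', 'password', 'usemgr')

function Test-PasswordStrength {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [string[]]$Dictionary = $PreCracked,
        [int]$MinLength = 12    # assumed threshold; the post only says longer is better
    )
    $lower = $Password.ToLower()
    # Strip leading/trailing digits so "Torino69" is still recognized as "torino" plus a suffix.
    $core = $lower -replace '^\d+|\d+$', ''
    $problems = @()

    if ($Password.Length -lt $MinLength) {
        $problems += "only $($Password.Length) characters; longer is better"
    }
    if ($Dictionary -contains $lower) {
        $problems += 'is a dictionary word, already cracked'
    }
    elseif ($core -ne '' -and $Dictionary -contains $core) {
        $problems += 'is a dictionary word plus digits; crackers try that too'
    }

    # Count character classes present: lower, upper, digit, other. -cmatch is case-sensitive.
    $classes = 0
    foreach ($re in '[a-z]', '[A-Z]', '\d', '[^A-Za-z0-9]') {
        if ($Password -cmatch $re) { $classes++ }
    }
    if ($classes -lt 3) {
        $problems += "uses only $classes character class(es); mix case and digits"
    }

    New-Object PSObject -Property @{
        Password   = $Password
        Classes    = $classes
        Problems   = $problems
        Acceptable = ($problems.Count -eq 0)
    }
}

# The post's own examples: torino fails every test, Torino69 fails fewer, the long
# mixed-case phrase fails only on character classes.
'torino', 'Torino69', 'ByTheRocketsRedGlare', 'U.S.Grant' |
    ForEach-Object { Test-PasswordStrength -Password $_ } |
    Format-Table Password, Classes, Acceptable, Problems -AutoSize
```

The function returns an object rather than printing, so the same check can be dropped into a script that vets new passwords before they are accepted.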
  Avoid Windows. Use Linux, or Mac, or even MS-DOS. By the way, there is a market opening here, for an OS as user friendly as Windows without Windows' uncounted security holes.
   Never click on an email attachment. Even on email from a well known friend.  The friend's machine may have been hacked, and the hackers  always take away the address book.  Attachments, ESPECIALLY .doc and .xls (Word and Excel files) can contain hostile code that infects your machine with all sorts of horrible stuff.
   Keep your machine off the internet as much as you can.  Powering down takes it off the net, and saves electricity.  Powering down at night might save you a nasty virus or invasion by a botnet.
  Run an antivirus program at least once a month. 
  Don't let anyone stick strange thumb drives in your machine. They can contain virii or worse that will infect your machine within seconds of plugging the thumb drive into a USB port.
  

Thursday, December 26, 2013

Rootkit.bout.cidox.b

Nasty virus. Lovable daughter, who is up for Christmas, was web surfing on my machine. One website she surfed thru infected my trusty Compaq 1750 NX. It's nasty. It slows down the boot, slows down loading programs, slows down the internet, freezes the mouse, and crashes the whole machine erratically.
   It's a rootkit, which means it hacks out a piece of hard disk to live on that is not part of the Windows file system.  This means that Windows, and Windows tools like Explorer cannot even see it on disk, even if you knew where to look. 
   I tried Malwarebytes Anti-Malware (that crashed before it finished), Spybot Search and Destroy, Microsoft's Malicious Software Removal Tool, and Regclean, without any luck. But Kaspersky's TDSSKiller nailed it, or at least crippled it a lot. Trusty Compaq is now running mostly normal, although there are moments of sluggishness that make me think the damn thing is still active.
   Damn Microsoft for making Windows so vulnerable.  Damn virus writers.  Writing a virus ought to be a felony punishable by stoning to death in the public square.
  

Thursday, September 5, 2013

Firefox and Internet Explorer tie.

The two rival browsers are neck and neck with 31% of page views here. Chrome is coming on strong with 20%. Windows is still the dominant operating system, followed by Linux (12%) and Macintosh at 6%.

Thursday, May 30, 2013

Microsoft, cyber espionage enabler

The TV news has been full of stories about hostile Chinese hackers stealing plans, programming, codes, and whatever for things like the F-35 jet fighter, anti-ballistic missiles, and the rest of the advanced US weapons systems.
   This would not be possible EXCEPT for Microsoft Windows. Microsoft has deliberately perforated Windows with back door loopholes that make breaking into a Windows machine child's play. For instance Autorun, a "feature" that loads and runs any program off of flash drives. Stick a flash drive in a USB port and that machine is totally yours. Stuxnet spread via autorun and so did the Bertelsmann-Sony rootkit of 2005. No user cares much about autorun, but the Microsofties love it and have kept modifying it and making it more powerful and more difficult to turn off.
  For instance "remote job entry"  which by its very name tells you it is a back door.  Lord help the security minded owner who turns off "remote job entry",  Windows won't reboot without it.  Don't ask me how I know this. 
   For instance, Internet Exploder, which will download and run malicious code off websites, infecting your machine for merely visiting a hostile website.  Web browsers should NEVER download or run anything off the web unless the user specifically clicks on something.
  For instance allowing executable programming to be hidden inside of Office documents.  And furthermore allowing Internet Exploder to pass these infected documents directly to Office to be run by just clicking on them.
   There are lots more.  Windows is so big, so complicated, and so flaky that no one understands the whole thing.
   But as long as we run Windows, we make everything  available to our enemies.

Sunday, June 10, 2012

Windows Services Fax Services to Protected Storage

BTW.  Sorry about the format.  This data was originally a spreadsheet.  Converting it to something acceptable to blogger was only partly successful.


Setting column: auto, Man. (manual) or disable; Nohave means the service is not installed on Blackbox.

Service | Description | Setting
Fax Service | The name says it all. Fax sending works in Man. | Man.
File Replication | Keeps files updated between multiple file servers | Nohave
File Server For Macintosh | The name says it all. | Nohave
FTP Publishing Service | Sends files to clients | Nohave
Gateway for Netware | Support for obsolete networking protocol | Nohave
Human Interface Dev. Access | USB keyboards/mice/etc. | Nohave
Help And Support | Used for Help & Support center. Not system critical and can be disabled. | Nohave
IIS Admin Service | Modify workings of Internet Information Services (IIS) | Nohave
IMAPI CD-Burning COM Service | Drag & drop CD burn | Nohave
Indexing Service | Supports fast file finding at expense of slow boot. Worthless resource hog. Use Add/Remove Programs to kill Indexing everywhere. | disabled
Internet Authentication Service | Password checker for remote clients | Nohave
Internet Connection Sharing | Small home network sharing of a single internet connection (dialup, DSL, cable modem) | Nohave
Intersite Messaging | Sends mail from server to server | Nohave
IPsec Services | Special internet security not widely used. Not system critical and can be safely disabled. | Nohave
IPSec Policy Agent | Internet security | Man.
Kerberos Key Dist. Center | Enables user logon via Kerberos | Nohave
License Logging Service | Logs client access as licensed or pirate | Nohave
Logical Disk Manager | Reports new drive installation. Needed for USB storage devices. Otherwise can be disabled. | auto
Logical Disk Manager Admin Service | ? | Man.
Message Queuing | ? Needed for COM+, WMI, MSMQ | (none given)
Messenger Service | Spam gateway | disable
Net Logon | Processes net logons | disable
NetMeeting Remote Desktop Sharing | Supports MS NetMeeting. Bad security hole | disable
Network Connections | Supports dialup and TCP/IP connections | auto
Network DDE | Dynamic Data Exchange | disable
Network DDE DSDM | Supports Network DDE | disable
Network Location Awareness | Provides services to the computers that share your internet connection (ICS). If not using ICS on a home network it may be disabled. | Nohave
Network News Transfer Protocol (NNTP) | Be a Usenet news server | disable
NTLM Security Support Provider | Enables user logon via NTLM | disable
Online Presentation Broadcast | Real-time PowerPoint over the network | Nohave
Performance Logs and Alerts | Collects performance data from other computers | disable
Plug and Play | Loads hardware drivers. System critical. Do not disable. | auto
Universal Plug and Play Host | Device host detect and UPnP support | (none given)
Print Server for Macintosh | The name says it all. | Nohave
Print Spooler | Background printing | auto
Process Control Service | ? | (none given)
Protected Storage | Secure storage for crypto keys? System critical, do not disable. | auto

Saturday, June 9, 2012

Tweaking Windows Services.

Services are little programs that Windows runs behind your back. Some are necessary, many are not. All of them steal valuable RAM and CPU time. You can see just what Services are slowing your machine from the Start Menu. Do Start -> Settings -> Control Panel -> Administrative Tools -> Services. Services has an icon of meshed gearwheels.
    The Services application gives you the name, a brief spiel, "started", and the startup type. "Started" should be self explanatory. Startup type "Auto" means load and start this service at boot time, slowing your boot and committing memory to the service even if you never use it. Beware. The Remote Procedure Call (RPC) service MUST be set to auto all the time. Without RPC on auto Windows will fail to boot and the only recovery is to reinstall Windows from CD-ROM. Don't mess with RPC, it bites.
   Startup type "Manual" means Windows will load and start the service only when some program tries to use the service.  Load and start is so fast that putting services to manual doesn't slow anything down.  Setting things to manual makes the machine boot faster.
    Startup type "Disabled" means never load and run the service no matter what.  A number of services are security holes or spam gateways and should be disabled.

    I am posting the service settings that work on my machine (Blackbox), which runs Windows XP Media Center (XP with some add-ons to make/fake it into being a digital video recorder). It's a single home machine running by itself (no networking to other machines). Since the number of services is vast, the service list is long and I'll post it in pieces.
   I was able to get my boot time down to 45 seconds and make Blackbox perceptibly livelier with these service settings.  I thought I'd pass them on.

Tweaking Windows Services Alerter to Fast User Switching




Dstarr's settings for Blackbox. Setting column: auto, Man. (manual) or disable; Nohave means the service is not installed on Blackbox.

Service | Description | Blackbox setting
Alerter | Transmits alerts for display by Messenger Service. Spam gateway. | disable
App. Layer Gateway Service | Supports Internet Connection Sharing. Obsolete. We use routers now to put multiple computers on one internet wire. | Man.
Application Management | Install applications off the LAN. Corp IT might want this, but I don't. | Man.
ATI Hot Key Poller | Net rumor says that is a hot key grabber from ATI, who makes my video hardware. I never use hotkeys. | Man.
ARSVC | Media Center Always Ready stuff (arservice.exe). Keeps hardware alive even after you power it down. | Man.
Automatic Updates | Visits MS website looking for Windows patches | Man.
Background Intel. Xfer Service | Network file transfer in background for Windows Update | Man.
Boot Info. Negotiation Layer (BINL) | Install Windows over LAN | Nohave
Certificate Services | X.509 certificates? | Nohave
ClipBook | Allows other computers to see the clipboard. I ought to make it "disabled". | Man.
Cluster Service | ? | Nohave
COM+ Event System | Auto distribution of COM events | Man.
COM+ System Application | Same as above | Man.
Computer Browser | Finds other computers to place into Network Neighborhood. Needed for 2 computer LAN? | Man.
Crypto Services | Crypto support for auto update, Windows Media Player & PnP | Nohave
DCOM Server Process Launcher | Required for RPC. Do not disable | Nohave
DHCP Client | Obtains dynamic IP address from ISP or router. Needed for all networking | auto
DHCP Server | Furnishes dynamic IP addresses to clients | Nohave
Distributed File System (DFS) | Network file shares | Nohave
Distributed Link Tracking Client | Keeps track of location of files shared over the network | Man.
Distributed Link Tracking Server | Provides information to clients to keep track of shared files. | Nohave
Distributed Transaction Coordinator | Supports COM+, Message Queuing, SQL file sharing over the network | Man.
DNS Client | Needed to convert www names into IP numbers | Man.
DNS Server | Converts domain names into IP addresses for clients | Nohave
Error Reporting Service | Reports errors back to Microsoft in Redmond | Nohave
Event Log | Logs Windows errors to disk. System critical, cannot be disabled | auto
Fast User Switching Compatibility | Allows login as new user w/o reboot. I wouldn't use it even if I had it. | Nohave
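As an added example (not from the original posts), the following Windows PowerShell script audits the startup type of services named in the two posts above against the settings the posts give, and can apply them while refusing to touch RPC, which the post says must stay on auto. It assumes Windows PowerShell 2.0 through 5.1 (Get-WmiObject is not in PowerShell 7), an administrator console for the apply step, and the display-name wildcard patterns are my own, since the posts abbreviate some service names.

```powershell
# Added example, not the posts' code. Compares Win32_Service StartMode values
# (Auto, Manual, Disabled, Boot, System) against the settings the posts recommend.
# Keys are DisplayName wildcard patterns (assumed to match the XP display names).
$Wanted = @{
    'Alerter'                        = 'Disabled'   # spam gateway
    'Messenger'                      = 'Disabled'   # spam gateway
    'NetMeeting Remote Desktop*'     = 'Disabled'   # "bad security hole"
    'Network DDE*'                   = 'Disabled'   # matches Network DDE and Network DDE DSDM
    'Net Logon'                      = 'Disabled'
    'NTLM Security Support Provider' = 'Disabled'
    'Indexing Service'               = 'Disabled'   # "worthless resource hog"
    'Remote Procedure Call (RPC)'    = 'Auto'       # MUST stay auto or Windows won't boot
    'Event Log'                      = 'Auto'
    'Plug and Play'                  = 'Auto'
    'Print Spooler'                  = 'Auto'
    'DHCP Client'                    = 'Auto'
    'Protected Storage'              = 'Auto'
    'Automatic Updates'              = 'Manual'
    'DNS Client'                     = 'Manual'
    'ClipBook'                       = 'Manual'
    'Computer Browser'               = 'Manual'
}

function Get-ServiceDrift {
    # Returns one row per service: what it is set to now versus what the posts want.
    param([hashtable]$Desired = $Wanted)
    $services = Get-WmiObject -Class Win32_Service
    foreach ($pattern in $Desired.Keys) {
        $found = @($services | Where-Object { $_.DisplayName -like $pattern })
        if ($found.Count -eq 0) {
            # The posts' "Nohave": this service is not installed on this machine.
            New-Object PSObject -Property @{
                Name = $null; Service = $pattern; Current = 'Nohave'; Wanted = $Desired[$pattern]; Drift = $false
            }
            continue
        }
        foreach ($svc in $found) {
            New-Object PSObject -Property @{
                Name    = $svc.Name            # short name, needed by Set-Service
                Service = $svc.DisplayName
                Current = $svc.StartMode
                Wanted  = $Desired[$pattern]
                Drift   = ($svc.StartMode -ne $Desired[$pattern])
            }
        }
    }
}

function Set-ServiceStartupFromList {
    # Dry run by default; -Apply actually changes startup types. Never touches RPC.
    param([hashtable]$Desired = $Wanted, [switch]$Apply)
    $toStartupType = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }
    foreach ($row in (Get-ServiceDrift -Desired $Desired | Where-Object { $_.Drift })) {
        if ($row.Service -like 'Remote Procedure Call*') {
            Write-Warning "$($row.Service) is $($row.Current), not Auto. Fix it by hand, carefully; this script will not touch it."
            continue
        }
        $mode = $toStartupType[$row.Wanted]
        if ($Apply) {
            Set-Service -Name $row.Name -StartupType $mode
        } else {
            "Would set '$($row.Service)' from $($row.Current) to $mode"
        }
    }
}

# Usage: review first, then apply from an administrator console.
Get-ServiceDrift | Sort-Object Drift -Descending | Format-Table Service, Current, Wanted, Drift -AutoSize
# Set-ServiceStartupFromList -Apply
```

The dry-run default is deliberate: the post warns that one wrong setting (RPC) means reinstalling Windows, so the script reports first and changes only when asked.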

Sunday, December 23, 2007

The many panes of Windows, Pt 4, The Registry

In the beginning was a frill. Windows 95 "enriched the user interface" by permitting every file to display a custom file icon, something that Windows 3.1 did not support. For Explorer to paint the file icons, it needs to find each icon on disk and suck it up to the screen. It was decided to create a fast, RAM-resident database to hold all the needed file pointers. Such a database, dubbed "the registry", was troublesome to create, so it was generalized to support any program's need to remember things while running. For instance, Windows programs want to remember the size and position of their window (full screen or something less), what files they had open, what options the users had set, and where the home directory was. Provisions were made to hold patches to the code, and user authorizations, and to start programs.
The major attraction of using the registry is copy protection. The application's install program writes the needed keys into the registry. The program checks for the presence of these keys in the registry as evidence that the program hasn't been pirated. You cannot get MS Office to run on another machine by the simple trick of copying all the MS Office files to the other computer.
The copied program will note the absence of registry keys and refuse to run. Writing the needed keys into the registry by hand is theoretically possible, but in practice it is just too hard. Presto, instant copy protect for programs. The utility of this copy protection became obvious to every programmer and every Windows application uses it now.
Downside. Every program or virus running on the machine can change the registry, and the changes stick, making the damage permanent. The registry is very powerful: it can run anything on the hard drive, alter the code in any program, and change many important Windows defaults, such as the default web site web browsers visit upon startup. Coding errors in ordinary applications can do things to the registry that break Windows, Windows applications, drivers and hardware. The S32EVNT1.dll bug was caused by a faulty registry key. The opportunities for malware to damage the system thru registry modifications are enormous. The registry is one humongous security hole waiting for a place to bite.
And we are stuck with it forever. Changing the powers of the registry would break many programs. For good commercial reasons Microsoft works hard to make each new version of Windows run last year's programs, so the registry security hole is with us forever.
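As an added example (not from the original post), the registry's Run and RunOnce keys are one of the places it "starts programs" from, so a change there is exactly the kind of sticking damage the post describes. This Windows PowerShell script snapshots those keys and reports entries added, removed or changed since the snapshot. The key paths are the standard ones; the baseline file location is an assumption.

```powershell
# Added example, not the post's code. Snapshots the registry's logon autostart entries
# and reports what changed, so a program a virus or installer added there can be spotted.
# Assumes Windows PowerShell; HKLM keys are readable by a normal user, HKCU is the current user's.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds about the key itself; these are not values stored in it.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RegistryAutostart {
    # One row per registry value: which key, the value name, and the command Windows will run.
    param([string[]]$Keys = $RunKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
            }
        }
    }
}

function Compare-RegistryAutostart {
    # -SaveBaseline records today's entries; without it, reports differences from the baseline.
    param(
        [string]$BaselinePath = "$env:USERPROFILE\autostart-baseline.xml",   # assumed location
        [switch]$SaveBaseline
    )
    $current = @(Get-RegistryAutostart)
    if ($SaveBaseline) {
        $current | Export-Clixml -Path $BaselinePath
        return
    }
    $baseline = @(Import-Clixml -Path $BaselinePath)
    # "=>" marks an entry present now but not in the baseline: something new runs at logon.
    # "<=" marks an entry that was in the baseline and is gone or whose command changed.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Key, Name, Command
}

# First run records what is there today; later runs report additions and removals.
# Compare-RegistryAutostart -SaveBaseline
# Compare-RegistryAutostart | Format-Table SideIndicator, Name, Command -AutoSize
```

A changed command line shows up as a pair of rows (the old one "<=", the new one "=>"), which is the case to look at first: the entry name is familiar but what it launches is not.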