Showing posts with label Windows. Show all posts
Showing posts with label Windows. Show all posts

Thursday, February 11, 2016

Cyber Security for ordinary businesses

In this day and age, every thing your company does is on the company computers somewhere.  Email is forever.  First off, you need to identify the things that you need to keep secret from hackers and competitors.  Start with personnel records.  Those must be secret to keep competitors from pirating your best people.  Pay and salary is particularly sensitive because when that gets out, everyone in your company gets bad feelings about everyone who make more than they do.  And it points headhunters toward your less well paid people.  Production information; mechanical drawings, electrical schematics, parts lists, software source code, test procedures, recipes and formulas.  With this stuff someone can set up to make your product and compete with you.  That's legal in places like China.  At the very least they can make a good guess at your cost of production.  Sales and marketing; your customer lists and customer contact information.  If the competition gets to your customers and wins them over, you are hurting.  Email; there is bound to be damaging information in someone's email.
    To keep the hackers out, first consider keeping stuff OFF the hard drives.  Back it up to CD-ROM and keep the CD's in a locked room.  There is a lot of old stuff on hard drive that you don't use today, but could do a lot of damage in the wrong hands.  If the stuff is really valuable, now is the time to establish an off site backup location.
    Set up a secure network.  This is a small number of computers, kept in locked rooms,  and NOT connected to the general company network or the public internet, or the public phone network.  By not connected we means NO wires or wireless connections to anywhere.  Don't rely on "firewalls", some of them have caught fire in the past.  Snip off the wires going to the USB sockets to prevent Flash drive virus invasion.  Remove all floppy drives to prevent invasion by merely inserting a boot floppy in the "A:" drive. Keep all your sensitive stuff on the secure network.  When you do Engineering Change Orders, pull the master drawing off the secure network, give it to the engineer, and have him return the updated version to the secure network.
   Now we come to training your personnel.  Start with email.  Make sure everyone understands that email lasts forever, and will be used against you in court, and by hackers.  Tell them to never put anything in email that they would not post on the bulletin board at the local super market.  If the matter is sensitive, handle it face to face or over the phone.  And delete old emails after 30 days.
   You want to run an anti virus scan once a week on every computer in the company.  Virii can do the damnedest things, just ask the Iranians about Stuxnet.  Commercial virus scan programs are pretty good, and they get better every week.  Keep your anti virus updated.  Even if you have a deal that permits IT to run the virus scans remotely, you still want everyone to understand how important they are.
   All your creative people want to keep their stuff on their machines, just in case.  Encourage them to encrypt it, and/or back it up to CD and keep it  in a locked drawer.  And make sure the latest version is stored on the secure network as well as on their private hard drives. 
   Consider getting rid of Windows company wide.  It can be done.  Linux works, and isn't too difficult for your people to learn.  Windows is totally, but totally, insecure.  Anything stored on a Windows computer is vulnerable to small children, let alone adult hackers.

Tuesday, February 9, 2016

Obama does an Op-Ed in the WSJ

Nice big half a page with am illustration Op Ed piece.  "Protecting US Innovation From Cyberthreats". Sound great.  Only trouble is, the Op-Ed contains zilch about protecting anything.  Lotta nice empty words, typical Obama speak, but nothing of substance.  He does promise to spend money,  $19 billion on the "Cyber Security National Action Plan" what ever that might be.  And another $3 billion on federal IT.  And a new bureaucrat,  the Chief Information Security Officer, salary unspecified.  And another unfunded effort to "build a corps of cyber professionals" to "push best practices at every level".   And a new "cyber security Center of Excellence".  And a new "bipartisan Commission on Enhancing National Cybersecurity".
   Does anyone really think adding more bureaucrats, more funding, and more bureaucracy is gonna keep the hackers out?
   The real situation is this.  Any computer connected to the public internet or the public phone system is vulnerable to invasion and plundering.  Windows computers are ten time more  vulnerable than any other sort of computer.  We must never store valuable information on computers connected to the public internet.  And we should never store valuable information on any sort of Windows computer. They are like Swiss cheese, full of holes.  If we made this nation wide policy we would be a helova lot more secure than we are now.
   Obama doesn't understand any of this.  In fact I doubt that Obama knows how to boot up his laptop. 

Friday, June 5, 2015

Hacking US computers.

The TV newsies have been making a big deal of the big hack of  the federal Office of Personnel Management, where the personnel records, security clearances, performance reports, salaries, contact information, social security numbers, everything, of 4 million civil service workers were stolen. 
   Wanna bet the records were stolen off Windows systems?  Thank you Bill Gates for your continuing contributions to American security. 

Thursday, June 4, 2015

Shepherd Smith was trashing XP yesterday

Fox News commentator Shepherd Smith said that use of the old Windows XP operating system by the IRS led to the recent break in and identity theft on millions of taxpayers.
   I don't agree.  Windows XP is test tested, and Microsoft has been patching it for some12-15 years.  That's enough patches to plug many holes.  The newer Windows are fatter, slower, and flakier than well proven XP. 
   The real problem at IRS is the use of Windows in any form.  Windows is like Swiss cheese, full of holes that let hostiles in, and it's so big that no one understands it.  The IRS ought to be running some form of Unix  (Linux is a good one) which is infinitely more secure than any flavor of Windows. 

Friday, March 20, 2015

Market place winners and losers

Loser: Windows.  Only 56% of the hits on my blog were from Windows machines.  Used to be Windows had 90+% market share.  Runner up Linux!  29%.  Hard to believe.  Linux works good but the multiple suppliers haven't convinced the market that all Linux programs will run on all flavors of Linux.  The rest of the hits were  from various cell phone OS like Android.

Winner:  Firefox.  Top browser, 57% of hits here. Beat out Chrome. Internet Exploder way down at 11%.  This after some net buzz about how Firefox was all washed up. 

Sunday, July 20, 2014

Cyber Security according to the Economist

The Economist ran a 10 page special suppliment on cyber security, mostly hand wringing about how little security we have.
   They have a point there.  Most computers run Windows and Windows is like swiss cheese, full of holes.  Any Windows computer on the internet can be hacked, from the net, and quickly.  Bill Gates has hung all our dirty laundry out to dry in the sunlight, where anyone can see it.
  For instance, those electronic medical records that Obama stuck us with.  They are all visible on the net to any competent hacker.  For instance, when you apply for a job, HR can access your medical records and put the kibosh on hiring you if they see you as a high cost patient on the company medical plan.  And there is nothing you can do about it,  your doctor puts your medical records on the computer whether you like it or not, and there you are, hung out to dry.  Note: Don't tell your doctor about suicidal feelings, mental problems, anything that might be used against you, either at trial or at a hiring decision.
  Things you can do.  Use good passwords.  Avoid passwords found in dictionaries, they have all been cracked.  Passwords like sunlight, tornado, U.S.Grant, hunter, rapids, bulldozer are all precracked.  Use long passwords, longer is better.  Use mixed case (some caps, some lower case) and digits.  For instance Torino69 is stronger than just plain torino.   ByTheRocketsRedGlare is stronger than usemgr.
   The experts will tell you to use different passwords for each thing (account) that you log into.  Good advice, but tough to follow.  No way can I remember and keep straight 20 odd passwords for the 20 odd accounts I own. I do use strong passwords and that's about it. 
  Avoid Windows.  Use Linux, or Mac or even MS-DOS.  By the way, there is a market opening here, for an OS as user friendly as Windows without Windows uncounted security holes. 
   Never click on an email attachment. Even on email from a well known friend.  The friend's machine may have been hacked, and the hackers  always take away the address book.  Attachments, ESPECIALLY .doc and .xls (Word and Excel files) can contain hostile code that infects your machine with all sorts of horrible stuff.
   Keep your machine off the internet as much as you can.  Powering down takes it off the net, and saves electricity.  Powering down at night might save you a nasty virus or invasion by a botnet.
  Run an antivirus program at least once a month. 
  Don't let anyone stick strange thumb drives in your machine.  They can contain virii or worse that will infect you machine within seconds of plugging the thumb drive into a USB port. 
  

Thursday, December 26, 2013

Rootkit.bout.cidox.b

Nasty virus.  Lovable daughter, who is up for Christmas, was web surfing on my machine. One website she surfed thru infected my trusty Compaq 1750 NX
.  It's nasty.  It slows down the boot, slows down loading programs, slows down the internet, freezes the mouse, and crashes the whole machine erratically. 
   It's a rootkit, which means it hacks out a piece of hard disk to live on that is not part of the Windows file system.  This means that Windows, and Windows tools like Explorer cannot even see it on disk, even if you knew where to look. 
   I tried Anti Malware Bytes (that crashed before it finished) Spybot Search and Destroy, Microsoft's Malicious Software Removal Tool,  and Regclean without any luck.  But Kaspersky's TDSSKiller nailed it, or at least crippled it a lot.  Trusty Compaq is now running mostly normal, although there are moments of sluggishness that make me think the damn thing is still active. 
   Damn Microsoft for making Windows so vulnerable.  Damn virus writers.  Writing a virus ought to be a felony punishable by stoning to death in the public square.
  

Thursday, September 5, 2013

Firefox and Internet Explorer tie.

The two rival browsers are neck and neck with 31 % of page views here.  Chrome is coming on strong with 20 %.   Windows is still the dominant operating system, followed by Linux (12%) and Macintosh at 6%. 

Thursday, May 30, 2013

Microsoft, cyber espionage enabler

The TV news has been full of stories about hostile Chinese hackers stealing plans, programming, codes, and whatever for things like the F-35 jet fighter, anti-ballistic missiles, and the rest of the advanced US weapons systems.
   This would not be possible EXCEPT for Microsoft Windows.  Microsoft has deliberately perforated Windows with back door loop holes that make breaking into a Windows machine child's play.  For instance Autorun, a "feature" that loads and runs any program off of flashdrives.  Stick a flashdrive in a USB port and that machine is totally yours.  Stuxnet spread via autorun and so did the Bertlesmann - Sony rootkit of 2005.  No user cares much about autorun, but the Microsofties love it and have kept modifying it and making it more powerful and more difficult to turn off.
  For instance "remote job entry"  which by its very name tells you it is a back door.  Lord help the security minded owner who turns off "remote job entry",  Windows won't reboot without it.  Don't ask me how I know this. 
   For instance, Internet Exploder, which will download and run malicious code off websites, infecting your machine for merely visiting a hostile website.  Web browsers should NEVER download or run anything off the web unless the user specifically clicks on something.
  For instance allowing executable programming to be hidden inside of Office documents.  And furthermore allowing Internet Exploder to pass these infected documents directly to Office to be run by just clicking on them.
   There are lots more.  Windows is so big, so complicated, and so flaky that no one understands the whole thing.
   But as long as we run Windows, we make everything  available to our enemies.

Sunday, June 10, 2012

Windows Services Fax Services to Protected Storage

BTW.  Sorry about the format.  This data was originally a spreadsheet.  Converting it to something acceptable to blogger was only partly successful.


Fax Service
The name says it all. Fax sending works in Man
Man.
File Replication
Keeps Files updated between multiple file servers
Nohave
File Server For Macintosh
The name says it all.
Nohave
FTP Publishing Service
Sends files to clients
Nohave
Gateway for Netware
Support for obsolete networking protocol
Nohave
Human Interface Dev. Access
USB keyboards/Mice/Etc
Nohave
Help And Support
Used for Help&Support center.  Not system critical and can be disabled.
Nohave
IIS Admin Service
Modify workings of Internet Info Service (IIS)
Nohave
IMAPI CD-burning COM Service
Drag&Drop CD burn
Nohave
Indexing Service
Supports fast file finding at expense of slow boot.
Worthless Resource Hog. Use Add/Remove Programs to kill Indexing everywhere.
disabled
Internet Authentication Service
Pass word checker for remote clients
Nohave
Internet Connection Sharing
Small home network sharing of a single internet connection (dialup. DSL, cable modem)
Nohave
Intersite Messaging
Sends mail from server to server
Nohave
Ipsec Services
Special Internet Security not widely used. Not system critical and can be safely disabled.
Nohave
IPSec Policy Agent
Internet Security>
Man.
Kerboros Key Dist. Center
Enables user logon via kerborous
Nohave
License Logging Service
Logs Client access as Licensed or Pirate
Nohave
Logical Disc Manager
Reports new drive installation. Needed for USB storage devices. Otherwise can be disabled.
auto
 Logical disc Manager Admin Services
?
Man.
Message queueing
? Needed for Com+ WMI, MSMG

Messenger Service
Spam gateway
disable
Net Logon
Processes net logons
disable
Net Meeting Remote Desktop  Share
Supports MS net meeting. Bad security hole
disable
Network Connections
Supports dialup and tcpip connections
auto
Network DDE
Dynamic Data Exchange
disable
Network DDE DSDM
Supports Network DDE
disable
Network Location Awareness
Provides services the computers that share your internet connection (ICS)
 If not using ICS on a home network it may be disabled.
Nohave
Network Nets Transfer Protocol NNTP
Be a usenet news server
disable
NTLM Security Support Provider
Enables user logon via NTLM
disable
Online Presentation Broadcast
Real Time PowerPoint over the networkl
Nohave
Performance logs and alerts
Collects performace data from other computers
disable
Plug & Play
Loads hardware drivers. System critical. Do not disable.
auto
Universal plug7Play Host
Device host detect and Upnp support

Print Server for Macintosh
The name says it all.
Nohave
Print Spooler
background printing
auto
Process Control Service
?

Protected Storage
Secure storage for cryto keys? System critical do not diable.
auto

Saturday, June 9, 2012

Tweaking Windows Services.

Services are little programs that Windows runs behind your back.  Some are necessary, many are not.  All of them steal valuable RAM and CPU time.  You can see just what Services are slowing your machine from the Start Menu.  Do Start ->Settings->Control Panel->Administrative Tools->Services.  Services has an icon of meshed gearwheels.
    The services application gives you the name, a brief spiel, "started" and the startup type.  "Started" should be self explanatory.  Startup type "Auto" means load and start this service at boot time, slowing your boot and committing memory to the service even if you never use it.  Beware.  Service Remote Procedure Call (RPC) MUST be set to auto all the time.  Without RPC on auto Windows will fail to boot and the only recovery is to reinstall Windows from CD ROM.  Don't mess with RPC, it bites.
   Startup type "Manual" means Windows will load and start the service only when some program tries to use the service.  Load and start is so fast that putting services to manual doesn't slow anything down.  Setting things to manual makes the machine boot faster.
    Startup type "Disabled" means never load and run the service no matter what.  A number of services are security holes or spam gateways and should be disabled.

    I am posting the service settings that work on my machine (Blackbox), which runs Windows XP Media Center (XP with some add ons to make/fake it into being a digital video recorder).  It's a single machine home machine running by itself (no networking to other machines).   Since the number of services is vast, the service list is long and I'll post it in pieces.
   I was able to get my boot time down to 45 seconds and make Blackbox perceptibly livelier with these service settings.  I thought I'd pass them on.

Tweaking Windows Services Alerter to Fast User Switching




Dstarr Blackbox



Alerter
Transmits alerts for display by Messenger Services. Spam gateway.
disable
App. Layer Gateway Service
Supports Internet Connection Sharing.  Obsolete.  We use routers now to put multiple computers on one Internet wire.
Man.
Application Management
Install applications off the LAN.  Corp IT might want this, but I don’t.
Man.
Ati Hot Key Poller
Net rumor says that is a hot key grabber from ATI who makes my video hardware. I never use hotkeys
Man.
ARSVC
Media Ctr always ready stuff. Arservice.exe. Keeps hardware alive even after you power it down.
Man.
automatic Updates
Visits MS website looking for Windows Patches
Man.
Background Intel. Xfer Service
Network files xfer in background for Winupdate
Man.
Boot Info. Negotiation Layer BINL
Install Windows over LAN
Nohave
Certificate Services
X.509 Certificates?
Nohave
ClipBook
Allows other computers to see the clipboard. I ought to make it “disabled”.
Man.
Cluster Service
?
Nohave
COM+ Event System
auto Distribution of Com Events
Man.
Com+ System Applications
Same as above
Man.
Computer Browser
Finds other computers to place into Network Neighhood.  Needed for 2 computer LAN?
Man.
Crypto Services
Cypto support to auto update, WinMediaPlay&PNP
Nohave
Dcom Server Process Launch
Required for RPC. Do not disable
Nohave
DHCP Client
Obtains dynamic IP address from ISP or router. Needed for all networking
auto
DHCP Server
Furnishes dynanic IP addresses to clients
Nohave
Distributed File System DFS
Network File shares
Nohave
Distributed Link Tracking Client
Keeps track of location of files shared over the network
Man.
Distributed Link Tracking Server
Provides information to clients to keep track of shared files/
Nohave
Distributed Transaction Coordinator
Supports Com+ Msg Queueing, SQL file sharing over the network
Man.
DNS Client
Needed to convert www.names into IP numbers
Man.
DNS Server
Converts Domain Names into IP addresses for clients
Nohave
Error Reporting Service
Report errors back to Microsoft in Redmond
Nohave
Event Log
Logs Windows errors to disk. System critical cannot be disabled
auto
Fast User Switch Compatability
Allows login as new user w/o reboot.  I wouldn’t use it even if I had it. 
Nohave

Sunday, December 23, 2007

The many panes of Windows, Pt 4, The Registry

In the beginning was a frill. Windows 95 "enriched the user interface" by permitting every file to display a custom file icon, something that Windows 3.1 did not support. For Explorer to paint the file icons, it needs to find each icon on disk, and suck it up to the screen. It was decided to create a fast, ram resident database to hold all the needed file pointers. Such a data base, dubbed "the registry" was troublesome to create, so it was generalized to support any program's need to remember things while running. For instance, Windows programs want to remember the size and position of their window (full screen or something less), what files they had open, and what options the users had set, and where the home directory was. Provisions were made to hold patches to the code, and user authorizations, and to start programs.
The major attraction of using the registry is copy protection. The application's install program writes the needed keys into the registry. The program checks for the presence of these keys in the registry as evidence that the program hasn't been pirated. You cannot get MS Office to run on another machine by the simple trick of copying all the MS Office files to the other computer.
The copied program will note the absence of registry keys and refuse to run. Writing the needed keys into the registry by hand is theoretically possible, but in practice it is just too hard. Presto, instant copy protect for programs. The utility of this copy protection became obvious to every programmer and every Windows application uses it now.
Downside. Every program or virus running on the machine can change the registry, and the changes stick, making the damage permanent. The registry is very powerful, it can run anything on the hard drive, alter the code in any program, and change many important windows defaults, such as the default web site web browsers visit upon startup. Coding errors in ordinary applications can do things to the registry that break windows, windows applications , drivers and hardware. The S32EVNT1.dll bug was caused by a faulty registry key. The opportunities for malware to damage the system thru registry modifications are enormous. The registry is one humungous security hole waiting for a place to bite.
And we are stuck with it forever. Changing the powers of the registry would break many programs. For good commercial reasons Microsoft works hard to make each new version of windows run last year's programs, so the registry security hole is with us forever.