Showing posts with label autorun. Show all posts
Showing posts with label autorun. Show all posts

Friday, October 30, 2015

Cyber Security Law, just passed Senate

After the horrible hacks lately the Congresscritters have decided to DO SOMETHING.  It is unclear just what they are doing, the newsies haven't talked much about it, but it sounds like a deal to allow companies and the government to cooperate, share information about hacks and attacks with out fear of prosecution for collaboration and price fixing.  We now have a House version, and a Senate version in need of "reconciliation" (quick rewrite to make them both the same) and Obama says he will sign it. 
   I suppose it's worthy, although I'd like to know what it really says, how many pages, and what damaging little clauses got tucked into the darker corners. 
   It isn't what we need.
   We need to close the gaping holes in Windows that allow any hacker, even grade school hackers, to take over Windows computers, remotely from the Internet, and suck every thing off them.  Microsoft deliberately created these vulnerabilities with the idea of increasing sales.  We need somebody or some organization to publicize these gaping holes and create public pressure on Microsoft to close them.
   Number one gaping hole is a Windows feature (bug?) called autorun.  Autorun has been causing trouble since Windows 95.  Autorun makes music CD's inserted in the drive start to play, automatically, hands off, no keystrokes or mouse clicks needed.  That part isn't too dangerous, but the dark side of Autorun loads and starts any code found on the CD.  When USB and flashdrives came along, autorun was extended to load and run any code found on a flash drive.  Just insert a flashdrive into a USB port, and zap, the machine is infected.  Autorun spread the Stuxnet virus in Iran.  Agents merely tossed a few flashdrives into the parking lots at Iranian nuclear facilities.  Iranian workers saw them, picked them up, took them into work, plugged them into their computers, and Zap Bang, the Stuxnet virus started blowing up Iranian centrifuges.  Set the Iranian nuclear program back a year or more. 
  Number 2 gaping hole is the Basic interpreters built into all the Micosoft Office products.  Basic is a full powered computer language.  Malicious Basic programs can be inserted into Office documents (Word .doc and Excel .xls files) and Word or Excel will execute them.  Worse, if you click on such an Office document attached to an email, Windows starts up Word or Excel and passes the attachment in.  Bam you are infected.
   Until we force Microsoft to close these two gaping security holes, we will continue to get hacked.  These aren't the only holes in Windows, but they are the worst ones that I know of.  And Microsoft can close them, in an afternoon.  All Microsoft needs is some incentive to pull up its socks. 

Wednesday, March 6, 2013


Op Ed in today's Wall St Journal calling for new federal laws to harden up cybersecurity.  Author is a Texas Republican congressman on the Homeland Security Committee.  He talks about the risks, which are real.  Then he wants new laws.  Just what he wants to make law is less clear.  He mentions "necessary liability protections" and "streamlining processes" which don't mean much to me.  I am suspicious of "necessary liability protection".  Fear of tort lawyers suing the company down to its socks is a good motivator to tighten up security. 
   In the real world what cyber security means is the computer administrators all across the private and public sectors tightening up on passwords, disallowing login from the public internet, and paying real bucks to buy private lines to remote sites rather than passing everything over the wide open public internet.
  It means Microsoft has to close the gaping holes in Windows security.  Right now you can plug a CD or a flashdrive into a Windows computer and Windows will automatically and secretly load and execute what ever malware is on that media.  This is how the hard hitting Stuxnet worm was loaded onto Iranian computers.  Flash drives with Stuxnet in them were scattered about the parking lot and sharp eyed employees walking from their cars picked them up and took them into work.  There are dozens of other holes in Windows, it's like Swiss cheese.  Any high school kid can break into Windows  without working up a sweat.