Some tips for a safer Windows experience

Here are some simple tips to help you secure your Windows PC.

The checklist

  • Ensure that Windows Update is enabled and set to check for, and apply, updates daily.
  • Ensure that you have the campus AV solution (Symantec) installed. Other AV products are theoretically acceptable, but may well not be licensed for professional use (e.g. AVG Free).
  • Log on using a ‘normal’ user account – use a separate one for administrator access.
  • Avoid the ‘unholy trinity’ of often-exploited software – Java, Flash, and Adobe Reader – see below. Uninstall these from your PC.
  • Avoid Internet Explorer when possible – even Microsoft is moving past it!
  • Consider an update to Windows 10 if your software supports it; if not, try installing the Microsoft EMET toolkit – see below.
  • Accept that even if you do all of the above things will go wrong, and ensure you have suitable backups.

The Unholy Trinity

The “unholy trinity” are three commonly installed, and often exploited, bits of software. Removing these from your computer reduces the number of ways your machine can be exploited.
  • Java is often installed for no good reason, and even when it is needed the automatic update process is unsatisfactory, leaving older versions installed. If you don’t know that you need Java, remove it. If something important breaks then it’s easy to reinstall. Note that the commonly used ImageJ does not require a separate Java install – it has its own private copy.
  • Flash is possibly the most exploited software ever installed on a PC. In each of the last three months there have been urgent updates needed to address bugs which were being exploited in the wild. Not all of these were web-based either – exploits have been spread using Flash applets embedded in Word files. The only safe approach with Flash is not to install it. If there is a Flash site which you must use then Google Chrome with a suitable Flash-blocking extension is a tolerable workaround, but not perfect.
  • Adobe Reader is not the only program which can read PDF files, but it is the most exploited one. Matters are made worse by the web browser plugin which is part of the default install, which allows PDFs embedded in web pages to open automatically. This has been used to spread malware in the past. Alternative PDF readers include Foxit and SumatraPDF. If you must use Reader for certain documents (e.g. encrypted files such as Inter-Library Loans) then don’t use it as your default PDF viewer and disable the web plugin. Also make sure that you are running the current version, as the default installation on the PCs we buy is typically several versions out of date.

Windows 10 and EMET

While Windows 7 is still getting security patches from Microsoft, it is an OS from 2009, and the state of the art in computer security has moved on since then. Windows 10 has many new features which help secure your PC, mitigating the effects of malware. Unless your software absolutely cannot work under Windows 10 then I suggest planning a migration sooner rather than later. Windows 10 seems quite happy on hardware which supports Windows 7.

If you are obliged to keep running Windows 7 (or 8) then you should strongly consider installing Microsoft EMET (Enhanced Mitigation Experience Toolkit) which adds extra security layers that have proven effective in blocking some types of malware. In the default install it toughens up Office and Internet Explorer with no additional work needed.

If you only have one or two bits of software which won’t work in Windows 10 you may want to consider running them in a virtual machine. The School has a membership in the VMWare Academic Program which provides free copies of VMWare products to staff and students for teaching and research.

Web browsers

Even Microsoft has moved away from Internet Explorer, with their new Edge browser in Windows 10, though it’s still under heavy development and not really ready for prime time. As Edge is not even available for earlier versions of Windows I suggest installing either Chrome or Firefox and using them as your main browser. Both support a range of extensions such as advert blockers (e.g. Adblock or AdBlock Plus) and Flash blockers (e.g. Flashblock, FlashControl) which can help protect you from malicious applets and compromised advert servers.

More info

It’s OK not to understand everything written above; what’s not OK is to do nothing. If you don’t know, ask someone who does, like one of the school computer support staff.

You can find more information about campus computer security on the Information Services Data Security site – though you should ignore the suggestion about installing Adobe Reader! For more general computer security information Krebs on Security is an excellent starting point.

SSH into kelvin2.qub.ac.uk

Kelvin2 is the new QUB HPC system – access is typically via SSH, but if you’re using a Unix (Linux/OS X) terminal client then you may see an error message along these lines:

$ ssh 1234567@kelvin.qub.ac.uk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for kelvin2.qub.ac.uk has changed,
and the key for the corresponding IP address 143.117.27.22
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:pHx9AoPvrR9cXC5nBZerkrq/A4mUTeugPYgWbImGnko.
Please contact your system administrator.

which is all very scary and unsettling. However it’s not actually anything to worry about.

Kelvin2 has four head nodes, so kelvin2.qub.ac.uk resolves to four different IP addresses (and virtual machines) – this is presumably for redundancy so if one machine fails the others are still available. That is great for availability, but each head node has its own host key and there is no telling which one you will be pointed to at any given time, so from OpenSSH’s point of view the key for kelvin2.qub.ac.uk keeps changing – which is exactly the pattern it treats as a possible man-in-the-middle attack.

The workaround is to pre-populate the file ~/.ssh/known_hosts with the expected public keys, as shown below – each line pairs the hostname with one of the four IP addresses, so both the hostname and the IP address check pass whichever head node you land on. These are very long single lines and the text box below will probably scroll to the right. Make sure to paste these into your known_hosts file as long lines, with no wrapping.

kelvin2.qub.ac.uk,143.117.27.21 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAHWMgZWOmETQjmych3RrxMyVcQgtVa1ndkrFbUpiFiP7aiZoVAcacyoGImJWMjKCU+ihkTtREXDz4EDDrMEce4=
kelvin2.qub.ac.uk,143.117.27.20 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLNqmr6N1XCVdDlkvnI+qxO8QMPsyYPk3zd/CmgKDdgDgdn7rCpJRR3qBuiRjTM0Ok/GWzYk/h8Axaba0CVpv30=
kelvin2.qub.ac.uk,143.117.27.22 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNQm41eL7A0QoTt9nwMz6gPZxw1L0i379r6f8lNQczoSQuLG9yp1M6ei7S0L6VwquBRkIMdmHzF4HtXmt33wy4k=
kelvin2.qub.ac.uk,143.117.27.19 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH1T8XlKSmbuHOn0eEIVHfrvzYDBm0G6i2ansLID5XKtedN3OoxU/PqL6glR9pHhN5TinVgOsYYjX+YxlULwoxs=
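The warning is only harmless because the four keys are known in advance, so the check worth doing after pasting is to confirm that the lines survived the paste intact and that the fingerprint ssh printed in the warning really belongs to one of them (it is the same SHA256 fingerprint that ssh-keygen -lf ~/.ssh/known_hosts would show). The script below is an added example, not part of the original post and not a QUB tool: it embeds a constructed copy of the four lines above, parses them the way known_hosts is laid out (comma-separated names, key type, base64 blob), rejects lines that were wrapped or mangled, and computes each key’s OpenSSH-style fingerprint so it can be compared with the one in the warning. The function names (parse_known_hosts, fingerprint, entries_for, find_fingerprint) are this example’s own.

```python
import base64
import hashlib
import struct

# Constructed copy of the four known_hosts lines from the post above, in the
# "hostname,ip keytype base64blob" layout that OpenSSH expects.
KNOWN_HOSTS_TEXT = """\
kelvin2.qub.ac.uk,143.117.27.21 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAHWMgZWOmETQjmych3RrxMyVcQgtVa1ndkrFbUpiFiP7aiZoVAcacyoGImJWMjKCU+ihkTtREXDz4EDDrMEce4=
kelvin2.qub.ac.uk,143.117.27.20 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLNqmr6N1XCVdDlkvnI+qxO8QMPsyYPk3zd/CmgKDdgDgdn7rCpJRR3qBuiRjTM0Ok/GWzYk/h8Axaba0CVpv30=
kelvin2.qub.ac.uk,143.117.27.22 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNQm41eL7A0QoTt9nwMz6gPZxw1L0i379r6f8lNQczoSQuLG9yp1M6ei7S0L6VwquBRkIMdmHzF4HtXmt33wy4k=
kelvin2.qub.ac.uk,143.117.27.19 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH1T8XlKSmbuHOn0eEIVHfrvzYDBm0G6i2ansLID5XKtedN3OoxU/PqL6glR9pHhN5TinVgOsYYjX+YxlULwoxs=
"""

# The fingerprint printed in the ssh warning quoted above.
WARNING_FINGERPRINT = "SHA256:pHx9AoPvrR9cXC5nBZerkrq/A4mUTeugPYgWbImGnko"


def parse_known_hosts(text):
    """Parse known_hosts lines into dicts with 'names', 'keytype' and 'blob'.

    Raises ValueError for a line that does not have the expected three fields
    or whose key blob is not clean base64 (the usual result of a wrapped paste).
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'hosts keytype key', got {len(fields)} field(s)")
        names, keytype, b64 = fields[0].split(","), fields[1], fields[2]
        try:
            # validate=True refuses anything outside the base64 alphabet
            blob = base64.b64decode(b64, validate=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: key is not valid base64 ({exc})") from None
        # The wire-format blob begins with a length-prefixed copy of the key type;
        # it must agree with the declared type or the line has been spliced badly.
        (inner_len,) = struct.unpack(">I", blob[:4])
        inner_type = blob[4:4 + inner_len].decode("ascii", errors="replace")
        if inner_type != keytype:
            raise ValueError(f"line {lineno}: declared {keytype} but blob contains {inner_type!r}")
        entries.append({"names": names, "keytype": keytype, "blob": blob})
    return entries


def fingerprint(blob):
    """OpenSSH SHA256 fingerprint: base64 of the digest with the '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def entries_for(entries, name):
    """Entries that will be consulted when ssh connects to this hostname or IP."""
    return [e for e in entries if name in e["names"]]


def find_fingerprint(entries, fp):
    """Return the entry whose key has fingerprint fp, or None if no key matches."""
    for entry in entries:
        if fingerprint(entry["blob"]) == fp:
            return entry
    return None


if __name__ == "__main__":
    entries = parse_known_hosts(KNOWN_HOSTS_TEXT)
    for entry in entries:
        print(",".join(entry["names"]), entry["keytype"], fingerprint(entry["blob"]))
    hit = find_fingerprint(entries, WARNING_FINGERPRINT)
    print("warning fingerprint belongs to:", ",".join(hit["names"]) if hit else "none of the four keys")
```

If the fingerprint from a warning matches none of the published keys, that is the case in which the warning deserves attention: do not add the new key, and ask the HPC administrators to confirm the host keys through a channel other than the SSH session itself.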


Security patches

At the end of last week a disturbing security issue was acknowledged in iOS and OS X Mavericks – the effect was that SSL certificates were not properly authenticated, so people were vulnerable to man-in-the-middle attacks. The flaw affected iOS6, iOS7, and OS X 10.9 Mavericks; third party testing suggested OS X 10.8 Mountain Lion and earlier OS X releases were fine.

Patches were released last week for iOS6 and iOS7, though the iOS6 update only worked on devices which were not capable of running iOS7 – this was enough to make me update my iPhone and iPad to iOS7, which I had resisted on grounds of taste to this point (aside – iOS7 ain’t so bad after all).

Today (Tuesday) Apple released OS X Mavericks 10.9.2, which includes fixes for the problem along with a lot of other issues – while it’s good to have the fix, it’s unfortunate that it’s rolled in with the general system update. Nonetheless Mavericks users should update as soon as possible (after making proper backups).

Interestingly Apple also released updates for Lion (10.7) and Mountain Lion (10.8) to address the SSL issue and other bugs which had already been fixed in Mavericks. The ongoing lack of fixes for these bugs is something I wrote about before and was what led me (and others) to assume that the Lions had been abandoned in favour of Mavericks. Of course, as soon as I finish rolling Mavericks out to a number of people Apple issues the long-awaited security patch… Thanks guys.

There are also updates for Safari to address various security bugs, but notably there is nothing for OS X 10.6 (Snow Leopard), apparently confirming earlier suspicions that Apple no longer supports 10.6; a definitive statement would be useful but clearly isn’t going to happen. Anyway, if you’re still using Snow Leopard on a machine which you can update to Mavericks (or Mountain Lion) you should do so; if the Mac won’t support Lion and later then I’m afraid it’s time for a new Mac, right now.

Anyway, after all this patching you might assume that you’re safe. Sorry. Now there’s evidence of a flaw in iOS7 which allows a malicious app to monitor keystrokes. So far this is a proof of concept only – there’s no evidence this is being exploited in the wild, but the PoC app did get published in the App Store, so malicious apps may already be out there. Yay. One assumes there will be another iOS patch very soon.

I’m reminded of the quip about thermodynamics – you can’t win; you can’t break even; you can’t even quit the game.

Lest Windows users start to feel smug, it turns out that the EMET hardening toolkit on Windows can be bypassed, and Microsoft also rolled out a patch for flaws in Windows Update which has to be applied outside of Windows Update, so probably most people will never even hear about it…

Finally, there are urgent updates for Flash (what else is new?) which once more illustrates the importance of limiting your Flash use as much as possible through the use of Click-to-run extensions, even if you only have Flash via Google Chrome.

Mac security updates

This article, while mostly click-baiting troll fodder, does raise a reasonable point.

The release notes for OS X Mavericks list a large number of security issues which are resolved in 10.9 only. A month on from the release of Mavericks no equivalent updates have been posted for Snow Leopard, Lion, or Mountain Lion. Absent official comment from Apple it seems that since the update to Mavericks is free, that’s your security patch.

Given the problems that come with any major system update this seems an utterly unreasonable approach, especially for cases where we’re dealing with complex third-party software which needs to be validated on each update. It’s bad enough that new Macs can never have older versions of the OS installed on them, but this is affecting machines which are currently running properly and now one has to choose between security and application stability. I’m at a loss to suggest the less bad option. Various applications require new versions to work on Mavericks, and not all of these updates are free.

This also absolutely reinforces my relief that I am no longer using OS X Server for anything apart from an illustration of why Linux or even Windows is a better server OS…

Windows XP end-of-support

As of April 8 2014 Microsoft will terminate all support for Windows XP – this means there will be no further security updates issued regardless of the severity of the problem. In effect this means that all machines running Windows XP must be upgraded to Windows 7/8, or replaced, before this date.

If you have a Windows XP system which you currently use to your satisfaction you will likely be unhappy with this news, but there are sound reasons for taking action. Many security issues which are found in more modern variants of Windows actually affect XP too; hackers will analyse the patches for modern Windows systems to identify the issue and test it against XP – if they find an exploit it will never be fixed on XP. While running AV software may help in the short term, sooner or later it’s likely there will be issues which cannot be avoided. As JANET rules require that any machine attached to the QUB network has up to date security software and a fully patched OS, we simply cannot have XP machines attached to the campus network once support ends.

Even if your machine does not connect to the network (e.g. one used for instrument control) you will still have to upgrade sooner or later. If you use USB keys to transfer data from a standalone machine it can still be infected with viruses transferred on the stick itself, and without a network connection it can’t have up-to-date AV software which might block these.

Aside from the security issues, if you have a system which requires XP for some reason then you are already at significant risk, since modern systems may well not support running XP. As/when the machine breaks it may be impossible to repair/replace it, forcing you to update in an uncontrolled manner. If you have software which only works on XP then you need to plan to either upgrade to a more recent version or migrate to another package if there is no update available. Virtual machines may help in a pinch, but are still subject to security issues.

If you are running Windows XP at the moment you should urgently speak with your computer support officer to begin planning your migration. Within Physics we will be trying to identify XP systems by walking around offices and labs, but that is solely so we know what may need to be removed from the network come April!

In many cases the best option will be to obtain a new machine, though with more recent machines it may be possible to install Windows 7. Since direct upgrades from XP to Windows 7 are potentially problematic, in most cases clean installs will be required, with subsequent reinstallation of other software, which will not be that different to migrating to a new machine.

Please do not interpret this as persecution of Windows users – the requirement for machines to have up-to-date operating systems and software applies to all platforms, from Macs to Linux to Unix. All Macs should be running at least OS X 10.6 or later, for example. Windows XP simply currently has wider use around Queen’s, and more hackers interested in exploiting those systems.

Update – those contemplating an update from XP to Win7 should probably review this guide from Microsoft.

Happy Halloween

Here’s a little Halloween computer story which is quite possibly real and most definitely concerning.

Add in another story involving Adobe incompetence.

I have a pretty poor opinion of Adobe software. Flash and Reader are two of the worst security problems on any computer, and my honest advice is not to install either.

These days there are few things one really needs Reader for. Macs, Windows 8, and Linux systems all come with perfectly competent PDF reader applications; under Windows 7 there is the well regarded Foxit reader which is free and has a better track record. The only times I have ever needed Adobe Reader are

  • reading encrypted PDFs used for inter-library loans
  • printing some Royal Mail prepaid mail envelopes

so I tend to think that most people are fine without it. If you must install Reader, make sure it’s not the default PDF reader and stop it from installing its web browser plugin. On the Mac this is a tedious manual process – you have to manually remove it from /Library/Internet Plug-ins/ after each update. Another reason to avoid it!

Flash is known as a security disaster, and hopefully its failure on mobile devices will lead to its eventual demise. However for the moment it’s still out there and at times necessary. My preferred solution for some time was to use Safari as my default browser, with no Flash plugin installed, and have Google Chrome as the backup browser. Chrome has its own internal Flash install which is sandboxed and auto-updates. Even then I would use a plugin blocking extension so that Flash objects would only work when clicked on.

Newer versions of Safari on the Mac now have more granular control on which websites can use plugins, so combined with the ClickToPlugin Safari extension a Safari-only option is more tolerable. Under OS X Mavericks Safari also sandboxes Flash, which will help, but is not a universal panacea as sandboxes can be broken too.

In case you’re wondering why I’m so paranoid, a common infection vector for malware is the insertion of exploit code in either Flash objects, or even tiny PDFs, embedded in web pages. These can affect perfectly legitimate sites too – either the site is hacked, or a third party advert or content service the site uses is compromised; either way you could end up with these malicious objects running when you visit a web page. Hence it’s best to minimise the attack ‘surface area’ as much as possible!

In a future post I’ll talk about some more security matters, including passwords. Meanwhile, as they used to say on Hill Street, Let’s be careful out there.