Microsoft came out with a new edition of its Security Intelligence Report today, saying that company data shows that Windows XP machines are much more likely to be infected in encounters with malicious software on the Internet. Windows XP machines were six times more likely to be infected than machines running Windows 8, the latest version of Microsoft’s operating system, the company said. The Security Intelligence Report (or SIR) is a unique window into the malicious activity online, given Microsoft’s massive footprint of more than 1 billion systems running versions of the Windows operating system, and the detailed data it collects from them through its automatic update patching- and malware removal features. This is the 15th such report Microsoft has issued. The company used the latest report to hammer home a message about the need for Windows XP users to move off that system to a newer version of the […]
Patching
Zombies Gone, Problems Persist With Emergency Alert System
More than six months after hacked Emergency Alert System (EAS) hardware allowed a phony warning about a zombie uprising to air in several U.S. states, a security consulting company is warning that serious issues persist in software from Monroe Electronics, whose equipment was compromised in the earlier attack. Software updates issued by Monroe to fix security problems with earlier versions of its software have introduced serious, new issues that could once again allow EAS devices to be compromised by a remote hacker, according to a post by Mike Davis, a researcher at the security firm IOActive on Thursday. Patches issued by Monroe Electronics, the Lyndonville, New York firm that is a leading supplier of EAS hardware, do not adequately address problems raised by Davis and others earlier this year, including the use of “bad and predictable” login credentials. Further inspection by Davis turned up other problems that were either missed […]
Google Will Use Cash To Clean Up Open Source
The widespread use of vulnerable or buggy third party code is serious problem facing public and private sector organizations, alike. Just this week, for example, The Wall Street Journal reported that an independent audit of Healthcare.gov, the star-crossed Federal Government website that is the primary health exchange in more than 30 states, is choking on poorly integrated or extraneous code that “served no purpose they could identify.” But what happens when the third-party code in question is open source code? Things get more complex. For one thing: open source is the salt and pepper of the software world: a common ingredient in applications of all sorts. And, as security researchers have noted: many of the so-called “smart devices” that are populating the physical world run variants of Linux, the open source operating system. But because those source code repositories are managed cooperatively and collectively by volunteers, security often takes a […]
Software Safety Should Be Treated Just Like Food Safety. Discuss.
It’s easy to agree with statements like “the food we buy in supermarkets should be safe to eat.” After all, who wants go to bat for shoddy growers pushing contaminated lettuce, or distributors sending out botulinum-laced fish and meats? But what about software safety? Suffice it to say that if people ate software applications instead of, say, cinnamon rolls, they’d be dropping like flies. That’s because the code that powers those applications is often riddled with potentially dangerous insecurities. Unlike the food industry, however, there have been only fitful efforts by government and industry to address what everyone recognizes is a widespread problem. I’ve written elsewhere about the relative lack of a “safety culture” in the software industry compared with industries like civil aviation or even food. (Remember: most of the food recalls and alerts that are issued today are voluntary.) But there’s also a decades-long track record of the government taking […]
Security Of “Things” Increasingly The Stuff Of Headlines
It looks as if the mainstream media is waking to the security implications of the “Internet of Things,” in the wake of recent demonstrations at the Black Hat and DEFCON conferences that highlight vulnerabilities in everything from home automation systems to automobiles to toilets. Stories in The New York Times and other major news outlets in the last week have highlighted concerns about “the cyber crime of things” as Christopher Mims, writing in The Atlantic, called it. Insecure, Internet connected devices ranging from surveillance cameras to home heating and cooling systems could leave consumers vulnerable to remote attacks and spying. The stories come after hacks to non-traditional computing platforms stole most of the headlines from this year’s Black Hat and DEFCON shows in Las Vegas. A compromise of a Toyota Prius hybrid by researchers Charlie Miller of Twitter and Chris Valasek of IOActive was featured prominently in stories by Forbes and […]
