Blog: Practical Reflections on Computer Security
If You Change, So Will They - Logical? November 11, 2009
To pick up where we left off in the last blog (below), the discussion was about the claim 'if you change to Mac or Linux, the crooks will only do the same'.
Inherent in this claim is the supposition that either or both of the non-Windows systems will grow enough in market share to become attractive to the 'bad guys'.
Is that possible, or likely? How does one determine how likely it may be?
Since "anything is possible", it is theoretically possible for either Linux or Mac OS X to gain enough market share to become attractive as a target for those who write malware.
How plausible is this, though? And how much of a change would this take? Would Linux and/or Mac OS X need to be 25% of the total computers on the 'net, or would it take more?
Even assessing current market share, that is, determining how many of the computers on the internet are Macs, how many are machines running Linux, and how many are PCs running Windows, is difficult. (For the sake of this discussion, by the way, I'll only consider desktop computers, not servers.)
Accurate market share numbers are a challenge because there are different ways to calculate it. Gartner and IDC use similar methods, i.e. the number of computers sold. NetApplications and GlobalStats track operating systems used to visit websites.
For instance, in this most recent quarter, IDC shows Apple with slightly less than 10% in the U.S., and Gartner pretty much concurs.
However, worldwide, Apple doesn't make the top five vendors, and, by IDC's numbers, the fifth-place global vendor, Toshiba, has a 5.2% market share. That would make it likely that, even if Apple is number six, its worldwide market share is less than 5%.
Gartner and IDC don't track Linux on the desktop, however. Accurate numbers are very tough, maybe impossible, to determine, because most computers running the Linux operating system on the desktop were sold with Windows installed. Here the best way to determine numbers may be here, and here. Both show Linux at under 1%, and Mac OS X at 5.27% and 3.92% respectively at the time of this writing.
The trend has been up for both alternate OSs, but is it up enough to indicate that either of these choices could make an attractive target for those who write malware? Is this likely to change anytime soon? If an OS has to have 25% of the computers on the internet to make it financially worthwhile for a 'black hat' to write code for it, Apple would have to have five times the market share it has now. Five times.
Linux would have to have twenty-five times the market share it has now.
Is this really plausible?
I certainly don't think so, not in the foreseeable future.
From a business perspective, to make your business less of a target, choose well and choose intelligently, especially as to which OS you use for online banking.
Why 'It's No Use' is a Myth November 4, 2009
"If you change to Linux or Mac OS X for banking, the crooks will only do the same."
This is the 'It's no use.' argument. If you switch to Mac or Linux, the crooks will only find ways into those systems, so the argument goes.
Taken to the extreme, we might as well not lock our doors, use firewalls, or do anything at all to prevent 'black hats' or criminals of any kind from robbing us.
But let's take a closer look at the logic here. Notice first, that this argument doesn't factor in the issue of 'time'. Even if it were true that the crooks would be in hot pursuit of your data, how much time would it take them to write the code, get into your system, and make all other adjustments, in a new OS? And what exactly would give them the incentive to go to all this extra effort, when there are still many potential 'marks' out there, using Windows?
Can 'the bad guys' make adjustments instantly, or might it take them months, or a few years? If it takes a few years, that's a few years where you can worry less about this type of crime.
Second, there is a presupposition that the crooks have devoted their efforts to Windows, because, and only because it is the most prevalent OS.
There may be some truth to that. Since Windows is the most widely used operating system, it is both the OS with which most crackers are familiar, and the OS that will offer the most opportunity for successful crimes. There are simply more computers out there running Windows, so there are more potential victims for a crook to pilfer.
As an aside, there are advocates of both Linux and Mac OS X who claim that their operating systems are inherently more secure than Windows. For now, though, I'll not delve into that topic.
From a purely practical, business point of view, here is a different perspective.
Is it practical, even smart, to lock the doors to your place of business? Do you have security cameras installed? If so, have you installed them because the cameras and locks act as a deterrent?
The smart business will use whatever tactics make business sense, to avoid being robbed. If that means using a Linux CD or using a Mac to do online banking, as recommended by Washington Post's Brian Krebs, and The Register, maybe that's not such a bad idea.
But let's examine this further. How much does it cost to use a Linux CD for online banking? Macs are supposed to be expensive, aren't they?
A Linux CD is free, except for the time and trouble it takes to implement the system. A new Mac Mini can be purchased for $599 and that's all you really need for online banking. A used Mac can be even less.
How do you know which of these would best suit your business? Determine what expertise you have on staff. Is there anyone who knows Linux or Mac OS X? Assess how much time and trouble is involved in either, or both, of these alternatives. These measures are very much like installing better locks, or security cameras. In both cases the question is, will doing this make your business more secure? What are the costs, in money and time?
For the time being, I'd agree with others that making either of these moves would indeed reduce the chances of becoming a victim to bank fraud, and perhaps other crimes too, such as theft of your customer records, etc.
There's another line of thought, though, in the claim that 'the cybercrooks will only start using Linux or Mac OS X if you, and other businesses, switch to those operating systems'. Inherent in this claim is the supposition that either or both of the non-Windows systems will grow enough in market share to become attractive to the 'bad guys'.
We'll look at that claim in the next blog post.
More on Crimes, How to Protect Your Business November 2, 2009
Brian Krebs of the Washington Post continues to do a yeoman's job, reporting and investigating the crimes of bank fraud that are being perpetrated against small and medium-sized businesses.
He has learned from the FBI that at least $40 million has been stolen, and most of these crimes were committed during late 2008 and during 2009.
How can you avoid being a victim? In addition to the recommendations I made in my Oct. 22 blog, take a look at the chart in Mr. Krebs's blog, which lists information on victims of this type of fraud.
Once you've gathered this information, here are a few more safeguards.
• Remind your people *not* to open any emails that look at all suspicious, and, of course, don't click on a link inside an email. Instead, open your browser and navigate to the link yourself, by retyping the link. Don't copy it.
• Use Firefox as a browser, wherever possible - and keep it updated. Firefox has recently made extra efforts, beyond any other browser, to ensure security.
• While the safest option may be to do banking on a Mac or a PC running Linux, at the very least use a dedicated machine. In other words use this machine for your banking only - no email accounts, or other web surfing at all. Use it just for banking.
• Make sure your banking PC/Mac is used at your place of business, or another safe network - don't take it to an open, public network.
• Note that, of the victimized companies, those who bank with very small institutions, where employees know their customers, were most likely to recover potential losses.
• Since many banks have a policy that requires 48 hour or even 24 hour notification of any unauthorized transfers, once you know your bank's policies, have someone check each day or every other day and act immediately on any suspicious transactions.
The basic strategy is to stay informed, and then act accordingly to protect your business.
Stay safe out there!
Hold the Presses October 22, 2009
Hold the presses - something really important has changed. Washington Post security blogger Brian Krebs is now recommending that small and medium sized businesses no longer use Windows for financial transactions.
And here's another source with a similar view - I highly recommend reading the whole article, it's not long.
Why are people making such a radical recommendation? First, there have been quite a number of businesses and government entities that have been scammed out of hundreds of thousands of dollars. All of these cases, at least so far, have exploited vulnerabilities on Windows.
One of the most publicized cases is Bullitt County, KY.
Here are a few others:
• Downeast Energy, $150,000, September 2009
• Ferma Corp, $447,000, July 2009
• Unique Industrial Product Co., $1,200,000, April 2009
So far, there have not been any reports of businesses who use Linux or Mac OS X for financial transactions having been scammed. The vulnerabilities that have been exploited do not apply to these other operating systems.
My counsel is that businesses should read about these cases - it should take you less than an hour, and then evaluate your own situation.
Consider these questions/recommendations:
1) How similar are your setup and your financial practices to these companies?
2) It's likely a smart move to have a conversation with your bank - what are their practices in situations like this? Many of the affected companies simply had no way to recover the funds lost.
3) Would it make sense to investigate insurance policies for this kind of situation? Perhaps consulting your financial advisors, and/or insurance agent would be in order.
4) Another possibility is to upgrade to Windows 7 on PCs that are used for financial transactions. However, some vulnerabilities have already been discovered in Windows 7.
5) Do you have people on staff that already have knowledge of Mac OS X or Linux? Might it be worth having one or both of these operating systems available? Might you want to train someone on your staff for these alternate systems, so that you can be more flexible?
And, finally, note that Brian Krebs has posted good instructions on how to use a Linux CD, which is free.
Also, in spite of the reputed high cost, a new Mac Mini can be purchased for $599. Such a machine is easily able to do any e-banking a company may need, and one can run Windows on it, too. Just do the banking from OS X.
More to come, as we track this story, and consider other business solutions.
Strategy - Beginnings October 19, 2009
Let's get more strategic about the computer security challenges facing small and medium-sized businesses. The goal is to make your business as safe as possible while interfering with your day-to-day operations as little as possible.
Great goal. How do you get there?
The first step is to know the basics. Here's one source, 'Tips for Safe Computing'. (More on basics to come in future blog entries.)
The next step is to stay up to date on what real dangers exist. You have a good idea of the security level of the locks on your place of business - and whether or not you need an alarm system. You know this partially because you have a sense of your neighborhood, and you know how safe it is or isn't.
One of the goals of Security Reality Check is to help business owners and operators have that same level of comfort with respect to their computer security.
To achieve this, a business owner needs to know as much about what's going on that could threaten the business as s/he knows about how likely it is for someone to rob, or break into, the physical business.
Recently, a neighborhood association mail list informed us, here in San Jose, CA., that mail boxes had been broken into, at condo developments across the street from us. A few weeks later, when checking the mail, I noticed mail on the ground - when I went to pick it up, I saw that the back of the mail box - which accesses eight mailboxes, was wide open. Anyone could get my neighbor's mail. I reported this to USPS, and the manager of our condo association. And took note of the potential threat. As a result, if I'm expecting any checks in the mail, I'll be quick to get to the mailbox, in addition to being more alert - that is, I'll pay more attention to our mailboxes.
What do you know about businesses who have systems like yours? Have there been any exploits? How well protected are your colleagues? Are there practices they're using that could benefit you?
Of the threats you hear about, which are real? Which could affect you, and which ones are just theoretical, or worse, alarmist?
(For example, a 'real' threat is one that has a solid chance of impacting you. If the threats out there pertain to Windows XP, and you've upgraded to Windows 7 or use Linux, then you'll know you don't have an issue - at least this time.)
The answers you come up with for yourself will be most valuable. I'll be adding more on these topics, in future blog entries.
Business Person's Lament October 14, 2009
Along with all the benefits of the 'net, and connectivity, 'the bad guys' also now have the ability to steal money and information from private citizens and businesses. And they're getting better and better at it.
Being in business, though, almost always means we're very very busy. How much time and effort, and money, does it make sense to put into the security issue - when there's so much else that needs attention?
Still, as detailed by Brian Krebs, at the Washington Post, some of the recent stories are concerning, to put it mildly. For instance, a business is robbed of $447,000, and another company lost $1.2 million, etc. This story was published in September, 2009.
What does a prudent business person do? How does one protect him/herself?
These and related topics will be covered in this blog - stay tuned!