Tuesday, October 28, 2008

Wired: Don’t pull the plug on computer security

Recent University of California-Berkeley data suggests that somewhere between 95 percent and 98 percent of all business records are originally electronic records produced and stored on personal computers and similar devices, and thus vulnerable to prying.

That statistic, along with concerns about hacking, identity theft, our heavy reliance upon the Internet and the daily bombardment of computer viruses, spyware, and other sneaky malicious software, should scare you about the security of your data. If you’re not a little paranoid about this, then perhaps you’re not being sufficiently careful.

The problem with electronic data security is that it’s usually either too little or too much. Striking the right balance between ease of use and Fort-Knox style security is difficult, particularly with wireless networks and broadband Internet connections. Here are some examples that I’ve run across recently.

Setting up a secure wireless network that authorized users can actually access without difficulty is often frustrating and time-consuming, which is one reason that a lot of wireless network users do not implement whatever security their hardware allows. While having lunch in Anchorage one day, I casually commented to an unknown nearby notebook computer user that I didn’t realize the restaurant had installed an Internet hot spot, only to be told that a nearby business’s wireless network was freely accessible to anyone. That’s far too insecure but very common. It’s also one major reason why I will not use a wireless network connection where business or other confidential data might be silently compromised. The other reason is wireless networking is very slow compared to the sort of fast hard-wired Ethernet connections that are now standard equipment.

A few years ago, I spoke about computer security at the American Bar Association’s annual technology conference in Chicago, placing a $20 bill on the podium and challenging audience members to see whether they could connect to my notebook computer. It took some of the audience members less than three minutes to do so, even though there were no nearby Internet “hot spots.” Most people don’t realize that the wireless connections of a Windows XP computer can silently make direct ad hoc connections to other unsecured XP computers, such that a stranger can read your files and write to them without your knowledge.

Indeed, in my own experiments, I’ve seen how a third party computer can even use XP’s network bridging feature to surreptitiously connect from one notebook computer’s wireless card to another wireless-equipped computer, and then use that rogue wireless connection to further connect to a business’ theoretically more secure hard-wired network.

Later that day, while waiting at O’Hare Airport for a flight back to Alaska, I startled a group of traveling Airborne soldiers by simply turning on my notebook computer, watching as it detected and connected to powered-up notebook computers being carried down the concourse. These people, of course, had not implemented even the rudimentary wireless network security available a few years ago.

Personally, I physically turn off all electrical power to my notebook computer’s wireless connection. That’s probably secure enough. By the way, Blue Tooth devices may be even less secure.

Microsoft announced the other day that it was automatically pushing a critical security correction to the tens of millions of Windows XP systems. Generally, when Microsoft automatically installs a security update on the average user’s computer, no questions are asked.

In this case, there should have been. The security release seems to cripple many existing anti-virus programs, which in turn prevent Microsoft’s own e-mail and Internet Explorer programs from even connecting to the Internet. That’s too secure. Thousands of users were affected, myself included.

After a number of phone calls to technical support and a fair bit of experimentation, I found that attempting to simply update security software either failed to solve the problem or became totally impractical because the glitch prevented any contact with the vendor’s Web site in the first place. The only reliable solution I found was to totally uninstall the Internet anti-virus and security program (not very secure there!), go directly to the vendor’s Web site, download the most recent anti-virus program version, and then completely reinstall and reactivate the anti-virus and Internet security software, a time-consuming and irritating exercise, assuming you can even find your old software license key and activation codes.

Not being able to access the Internet is probably the ultimate in network security, but that’s carrying matters rather too far.

Local attorney Joseph Kashi received his bachelor’s and master’s degrees from MIT and has been writing and lecturing about technology throughout the U.S. since 1990 for American Bar Association, Alaska Bar Association and private publications. He also owned a computer store in Soldotna between 1990 and 2000.


Anonymous said...

I recently came accross your blog and have been reading along. I thought I would leave my first comment. I dont know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.



Blogger said...

Did you think about trading with the most recommended Bitcoin exchange service - YoBit.