Enough With the Security FUD

One of my biggest complaints with the security industry in general is that it seems to thrive on FUD. I find it particularly frustrating, because there actually is a lot of really important information there. Unfortunately, to find it you usually have to dig through layers of junk.

It pisses me off that someone like me, who is generally knowledgeable about such things although by no means an expert, can frequently find articles that are either completely wrong or very misleading. While this is merely annoying for me, the reality is that most people just lack the knowledge about computers and security to understand that oftentimes the information they are getting is just crap.

I was particularly annoyed by a recent article in ZDNet. Basically, a Windows XP machine was set up on an unsecured wireless network and a security expert demonstrated a hack that downloaded some information from the compromised computer's My Documents folder. It took about 11 minutes.

Getting onto the unsecured wireless network, pinging possible IP addresses of other computers on the network, finding Andy’s unpatched computer, scanning open ports for vulnerabilities, using the attack tool to build an exploit, and using the malware to get into the XP command shell took six minutes.

Frightening, yes. Surprising, no. The important part of the article is the fact that the compromised computer was running with SP1 and no protection whatsoever:

[They] connected a machine running Windows XP with Service Pack 1 to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware software…

This article isn’t really news at all. It simply demonstrates that if you put a default Windows XP SP1 install on a network, it is likely to get hacked (and fast). In fact, the “unsecured wireless network” part of this article is completely irrelevant. Granted, it may make hacking easier, but the fact remains: a default install of Windows XP SP1 will get hacked.

So, yes, everybody, if you do not have SP2 on your Windows XP install, get it now. If you don’t have it because you pirated Windows, buy a fraking copy, or at least start using some free Linux OS (like Ubuntu).

I suppose there is no harm in reiterating the point that everybody, regardless of operating system, should be upgrading their service packs. I do, however, take issue with the sensationalist tone of the article. Using FUD to increase page views or sell software doesn’t help anyone. This article could have just as easily been written about hacks for XP SP2 or Vista with patches installed. The hack probably would have taken a lot longer and needed a lot of things to line up perfectly, but that’s not to say it can’t be done. At least that type of article might have been newsworthy or even helpful. Even John Dvorak knows this article is crap.


