
Chapter 4. Keeping Your Operating System And Application Software Secure

At a Glance

This chapter investigates techniques you can use to reduce the chances that your operating system and applications software are vulnerable to security breaches.

Introduction

Principle 1: Computers run programs.

Principle 2: Programs have bugs.

Principle 1 is obvious. Given that people write programs and people are not perfect, Principle 2 is expected. It is not clear, however, why there are so many security-related bugs. Problems such as buffer overflows (see definitions in Addendum 3) are easy to avoid; nevertheless, they seem to be involved in almost half of all known security bugs.

Commercial Software

How does it normally work?

Several years ago, when you bought PC-type software, that was it; no updates were available until you bought the next version. Now most software is updated regularly, particularly for security problems. For some software such as operating systems, “regularly” means almost daily.[25] For most products, there is no charge for updates.

[25] In October 2003, following a severe security problem in Microsoft Windows, Microsoft decided that it was unreasonable and unrealistic to have users apply patches weekly, and that in the future, they would only issue monthly updates unless a problem was severe and urgent.

Many companies that offer commercial software also provide some updates to address bugs in general, and security vulnerabilities in particular. In the case of larger vendors, you can go to the corporate web site, click on a “support” or “downloads” tab and find any available fixes for their products.

Typically, when you go to a software supplier’s web site, you identify what software packages and versions you have and they will list what updates are available. In some cases, it is completely clear what updates are relevant for your computer; in other cases the choices are less obvious. Once you have decided what updates you need, you download them onto your computer. The next step is to apply the update. Depending on the software, this may mean running the program that you have just downloaded or following the steps outlined in the accompanying documentation or instructions. In some cases, once the update is downloaded, it will install itself automatically.

In recent years, there have been three new trends:

1. For complex programs such as Microsoft Windows, Microsoft provides software via their web site (“Windows Update”). An applet inspects your computer and gives you a list of updates that apply to your system. You can then download and install these updates as described above.

2. The update that you find and install as described is not really the actual update, but a program that will, while it is running, download and install the actual update. So, for instance, you might find that there is a major update to one of your programs. When you look at it you will see that it is only 500,000 bytes – really small for a software update. In fact, this is just the program that will download the real upgrade and install it – the real upgrade consisting of perhaps 30,000,000 bytes.

3. Some programs have built-in functions that will dynamically check to see if updates are available and may even install them (with your permission).

These capabilities were designed to make your life easier. In all cases, the task of selecting exactly what updates you need (a complex task for operating systems and certain applications) is completed for you by the programs.

The developing country conundrum

As you can see, many of these processes are designed to run online and typically involve downloading many megabytes of updates. That works well if you have a high-speed connection to the Internet (greater than 1 megabyte per second), or a dialup connection where you can remain connected for several hours. In developing countries, however, this is often not the case. There are two alternatives to address this problem:

1. Don’t update your system and applications.

2. Have someone else download the update and provide detailed instructions for how to install it. The update can be distributed on CD or via a local area network, if there is one.

The first alternative is not acceptable given the rise in security risks. So, the only reasonable alternative is to work cooperatively to download and share the updates.

There are several vehicles for doing this:

  • If an organization owns multiple machines, a local technical support person should take responsibility for downloading updates and installing them or making them available to others.
  • Computer clubs or other groups could download updates and make them available to their members.
  • For individual users, Internet Service Providers (ISPs) could offer a service whereby they get the updates for popular products and common operating systems and distribute them locally. This could also reduce the ISP’s requirement for international bandwidth, reducing their costs.
  • Computer stores that sell the machines can make the updates available to their customers.
  • During a flurry of computer worm vulnerabilities in 2003, Microsoft began distributing some updates on CDs locally in various countries. Perhaps this practice will be continued.

The last three types of software update distribution are not prevalent, but given the increased need to keep software up to date, they may become a sensible commercial strategy for ISPs and vendors in the developing world. Although this will be a welcome support strategy for users, they will need to ensure that the source of these local updates is reliable and trustworthy. If they are not reliable and trustworthy, they could become a way to distribute Trojans and viruses.
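One concrete way for a local distributor or recipient to check that a CD or LAN copy is the vendor's genuine update, as an added example that is not from this book: compare each package's SHA-256 digest against a checksum manifest obtained separately from the vendor (not from the same CD or share). The file names, manifest layout and sample bytes below are constructed for illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an update package's bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse 'digest  filename' lines (the layout sha256sum prints) into a dict."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_updates(manifest_text: str, packages: dict) -> dict:
    """Compare locally obtained packages against the vendor's manifest.

    Returns a filename -> verdict map. Only packages marked 'ok' should be
    installed; any other verdict means the local copy is not the vendor's file.
    """
    expected = parse_manifest(manifest_text)
    verdicts = {}
    for name, data in packages.items():
        if name not in expected:
            verdicts[name] = "not in vendor manifest"   # extra "goodie" on the CD
        elif sha256_hex(data) != expected[name]:
            verdicts[name] = "checksum mismatch"        # altered or corrupted file
        else:
            verdicts[name] = "ok"
    for name in expected:                                # vendor file the CD lacks
        verdicts.setdefault(name, "missing from local copy")
    return verdicts


# Constructed sample data: the genuine packages as the vendor ships them.
GENUINE = {"os-patch-q4.exe": b"genuine patch bytes",
           "office-sp1.exe": b"genuine service pack"}
# Simulates the manifest the vendor publishes beside its downloads.
VENDOR_MANIFEST = "\n".join(f"{sha256_hex(d)}  {n}" for n, d in GENUINE.items())
# What arrived on a locally distributed CD: one file altered, one unexpected extra.
LOCAL_COPY = {"os-patch-q4.exe": b"genuine patch bytes",
              "office-sp1.exe": b"genuine service pack plus an extra payload",
              "bonus-tools.exe": b"unexpected extra"}

if __name__ == "__main__":
    for name, verdict in verify_updates(VENDOR_MANIFEST, LOCAL_COPY).items():
        print(f"{name}: {verdict}")
```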

Should you install updates as soon as they are available?

This has been a debate among computer professionals for decades. The two arguments are:

Pro: If you install updates immediately, you protect yourself from failures that are already known. In the case of security-related updates, you will protect yourself from penetrations and exposures that the original system allowed.

Con: Anytime programmers write code, they can make mistakes or break some other part of the program. This applies to updates as well as to the original programs, so there is a chance that the update will introduce new problems that are unrelated to the problems it is designed to fix.

The problem of attackers and criminals using security flaws to penetrate systems and alter or destroy data has changed the scope of the problem. Once a security flaw is announced, even if the announcement comes with a patch, attackers will immediately create viruses and other tools to exploit the problem. Those who do not implement security fixes quickly may be compromised.

Today’s conventional wisdom:

  • Novice users and those who use their computers for non-critical tasks should apply all updates soon after they are available. The risk of introducing new problems through the updates is lower than the risk of having a seriously out-of-date machine.
  • Sophisticated users and technical administrative staff should install security-related updates immediately, but they can defer larger overall upgrades that may have multiple functional changes in them. Delaying for a few weeks or months may allow more adventurous users to install the upgrades, discover the problems, and report them, giving the manufacturer an opportunity to fix the flaws before you install the overall upgrade on your system.

If your computers are used for business applications, it is always a good policy to test all changes and new software on an identical, but non-critical computer before applying them to your production machines. You can never tell when a change will stop an existing application from working properly.

Non-traditional and non-commercial software

The previous discussion focused mainly on commercial offerings including operating systems and major applications that are common to many computing environments. How does the situation change with other types of software?

Shareware and small-supplier commercial software

There is a vast amount of software that is offered for free, or for a modest cost. The level of support offered by suppliers varies enormously. In general, upgrades are offered periodically, either for free or for a small fee. These programs do not tend to have security exposures, so their upgrades are aimed at fixing non-security flaws or adding functionality; as such they are beyond the focus of this book. However, some freeware applications, such as firewalls and virus checkers, do fall in our domain and will be discussed later in this book.

If you use programs that have clear security implications, make sure you understand what the supplier’s upgrade policy is. You do not want to be in a position where you are using security-sensitive software and the upgrade support suddenly disappears or you cannot afford to buy it. Deploying software such as a virus checker that is not regularly (daily or weekly) updated may be more dangerous than not using one at all, because if you use it, you may be working under a false sense of security.

Open Source software

Open Source software that is in active development tends to be well supported. In some cases, there may be fee-based services available for upgrades and support, even though the original software was free. Red Hat’s version of Linux, which is available both for free and through commercial vendors, is a good example. Organizations that desire a higher level of technical support may find it worthwhile to purchase the package or at least the services to support it.[26] It is important to note that, as with some free software, if you decide to use the software at no charge and without paid support, the period for which security fixes are available may be quite short. Therefore, if you select unsupported software for your operating system or other critical sub-systems, you may need to upgrade to new versions very often (perhaps as often as every six months).

[26] See selected links on Linux and other Open Source projects in the Annex on Electronic Resources.

The update processes for Open Source products tend to be more difficult than those for Windows, but are in line with other Unix products and the installation procedures for the original Open Source products. There are Open Source Windows-based products that distribute binaries and use simple installers as well.

As with Windows-type systems, updates and patches for large Open Source systems are sizable themselves. It is important to identify local sources of these updates to reduce Internet download times for individual users.

One final issue related to Open Source software is worth some discussion. There is an ongoing debate between advocates of Open Source and advocates of traditional proprietary software regarding which product is more secure.

Proprietary software advocates say:

  • since the source is available for Open Source products, attackers can easily analyze the code and locate all of the flaws which they can exploit;
  • since a large number of people in different locations and without organizational ties may be working on a given Open Source product, standards may be lax and the uneven integration of the various components may cause security vulnerabilities;
  • since the people working on proprietary products are paid by the manufacturer, they follow instructions and the quality is uniform (and high);
  • since no single authority is responsible for some Open Source products, security could be ignored if it does not happen to be important to any of the individual developers.

Open Source advocates say:

  • since so many people are working on the source, problems tend to be recognized by the “good guys” and fixed quickly;
  • the people working on proprietary products may generate uniform quality code, but it may not be secure if the manufacturer does not value security highly;
  • with proprietary programs, you are at the mercy of the manufacturer to fix problems, and that may cause long delays.

In fact, each of these arguments has some validity to it. There is no way to ensure that either proprietary or Open Source software is secure or that problems will be discovered and fixed in a timely manner. In both types of software, there are examples of exemplary behavior and of careless behavior on the part of their respective designers and support organizations.

Pirated Software

Neither the authors nor the publisher of this book advocate software piracy, but it would be foolish to pretend that it does not exist. Software piracy is a problem throughout the world, but it is particularly relevant in countries where the relative cost of legitimate software compared to wages far exceeds that in developed countries and where local laws and law enforcement make punishment highly unlikely.

Aside from the potential for legal liability due to violating the product owner’s property rights, there are two issues related to security and pirated software that must be addressed. Neither is very common, but both are possible.

1) It is possible that pirated software may not be updateable, or that an update may stop it from working.

2) Some pirated software includes other “goodies” that you may not have expected. These can include backdoors, keyboard loggers or other malicious software.


Copyright © 2003 The International Bank for Reconstruction and Development / The World Bank
