Do You Listen When They Cry Wolf?

It’s been an interesting couple of weeks in the internet security domain.  First, there was the Heartbleed issue and, over the weekend, information about insecurity with the Microsoft Internet Explorer browser.  As you can imagine, there are millions of installations of Internet Explorer in use.  Of particular interest are those installations still running Windows XP, for which Microsoft has indicated that there will be no updates.

Since the stop of support for Windows XP, I’ve been finding myself morbidly checking out the operating system of people that I have interactions with – in particular vendors who have Point of Sale software that may or may not actually require Windows XP.  I used to ask if they planned to upgrade until I realized that most of the answers were – “no, what’s the problem – my software works”, “too expensive”, “my software needs XP”, “my computer won’t run a newer operating system”, “that would be the boss’ decision”, or “that would be done by our Corporate IT Department”.  In reality, the answers that I got didn’t inform me of much and probably just made me look sillier or nerdier than normal.  I stopped asking but do continue to look.

In my Zite reader, I have entire sections devoted to all the web browsers that I have installed and use regularly.  I like to read about tips, tricks, the latest add-ons to increase productivity and, yes, want to know when there’s a problem that needs addressing.

This morning, the Internet Explorer section was completely full of articles about the security problem.  Probably the most interesting and objective one came from Forbes:

In cases of stories like this, I always try to track back to the developer site to see their reaction, response, and their plans to deal with it.

In this case, Microsoft’s TechNet has it addressed:

You’ve got to be impressed that it’s out in the open and not swept under the rug.  There’s a few woulda, couldas in there but it’s a good read and offers some suggestions for configuring your computer, explains that they’re on it and looking for a fix, probably out of their regular update cycle to handle it.  Given all of the stories about it, it’s probably in their best interest to get a fix done and out the door as soon as possible.

Now, I know about this because I enjoy reading technical stuff.  I know by the looks that I get from others that I’m probably in the minority! 

But, if you’re in the category of just wanting your computer to work, will you even know?  It was on the morning news today but would the general public even know what to do or how to do it?  And, how about those Corporate IT Departments?  Are they informing their clients and giving advice about how to protect things?  I read a Twitter message directed to me last night that Internet Explorer is the only browser they’re allowed to use for their own safety.  What will happen today?

When you fill your car up at a self-serve gas station, there’s always a kill switch to immediately stop the process if it gets out of hand.  Does your computer or vendor have a kill switch that can be used in case of emergencies?

Or, do you care or even listen?  I wonder – does the security world cry wolf too often?

Feel free to share your security thoughts in the comments below. 


7 thoughts on “Do You Listen When They Cry Wolf?”

  1. In education (and possibly enterprise, I don’t know) a lot of organizations use system images or some other “keep everything stable” technology, preventing user updates or automatic updates to software, even in the face of serious vulnerabilities. Flash Player is probably the most dramatically unpatched. That’s a policy/approach that needs to change.

    Chrome and Firefox (maybe others) have bypassed user account control and will automatically update without user intervention or administrative privileges in Windows. That should be the norm, not the exception.

    I try to keep up with major security news and keep my software up to date. Steve Gibson of GRC and Security Now! is one of my primary sources of information, and his explanations of the tech and its security issues are awesome.

  2. Sorry, forgot to respond to your question – security doesn’t cry wolf too often, but sometimes overhypes a few of the myriad problems that exist. Password hygiene can’t be stressed enough, but people treat it like flossing – they know what they *should* do, but it never seems urgent until they need to seek professional help.

  3. I love Brandon’s comparison of our approach to security being like our approach to flossing. I put Heartbleed information on my school blog page, and told my students to change their own info, and tell their parents to do the same. Yesterday, I e-mailed the head of our IT department to ask about strategies, as we run Explorer and must use it as default on our laptops to have some board programs work. Right now, I have to switch over to Chrome as default when I come home. I actually got a reasonable answer from IT, but my problem is that I only got it because I asked, rather than everybody getting that message. If everyone around me has their head in the sand, sometimes I get frustrated being the only one who’s noticed that the sky might be starting to fall (sorry for mixed metaphor).

  4. Interesting story, Lisa. Perhaps it will be thought through and a better message sent. But even then, the recipient has to read it, understand it, and act on it. I would suspect that that may be too big a task for some. I love your sky is falling analogy…but many won’t be concerned until the worst happens to them and then the finger pointing begins. There has to be a nice mix of paranoia and common sense.

  5. Brandon, I’ll echo Lisa’s thoughts about flossing. Talking teeth hygiene and password hygiene in the same post is a new high for this blog! Sadly, computer ownership doesn’t come with a driving license and as we move more and more towards the internet of everything, I think it should. Does this not support the case for computer literacy as a required component of education?

  6. IT people at both my school and the one my wife teaches at warned people about the IE security hole pretty quickly. Fortunately we, at my school, update software pretty regularly. We’re running Windows 7 everywhere for example. Since Microsoft announced a patch for the IE problem today I am hopeful that all the computers at school will be updated soon. We’re on school vacation this week which may make that easier. Microsoft has announced that the patch is available for Windows XP as well which I think was both nice and necessary. My personal systems all have the patch now.

  7. I think that it’s a great example of good will to post the update to IE for Windows XP. As soon as I read the story about the release, I rebooted to Windows and did a Windows Update. I didn’t wait long enough to see if it would get pushed to me. So, hopefully, everything is good until the next incident.
