Thursday, May 1, 2014

Security 101 - How Important Is It to Update Your Devices?

Article 1 of 3

In this multipart series, I will examine the various aspects of what we call "security" in the Digital Age, and how we can protect ourselves from the exploits of others.

The Lessons

MacRumors recently reported that the adoption of iOS 7 has reached 87%.  That is 87% of all Apple devices connected to iTunes - not just the eligible devices new enough to be compatible with 7.  If we are talking just devices that have iOS 7 on them, it approaches close to 100%.  That is a monumental accomplishment if you stop for more than 2 seconds to consider.  Android, as Apple, Inc. is proud to point out, is a smattering of device models and manufacturers, all running various versions of the operating system, with around 10% of the market updating to the latest OS major release - let alone security patches.  This is a monumental flop, as I will point out below.  I am opening this post with a discussion of mobile devices, but let's back up a bit.  What lessons have "we" mobile device junkies learned from computers?

I think it fair to state that we as a society have learned the following lessons.  As individuals, how you understand and apply these lessons are of great importance to you.  It's up to you - learn from someone else's mistakes, or learn from your own.  The latter is more costly.
  1. If people can find a way of exploiting a computer, they will; whether for monetary gain, political ambitions, or merely just for the fun of disrupting other people's lives.
  2. Every computer depends on Humans to develop the Operating System that gives it its security, and on the Humans who use it to implement that security.  If someone "makes a mistake" or fails to identify and close a loophole, it will be there to exploit.
  3. Now that computers are connected to the Internet, the ability to and ease of downloading malicious software (a.k.a. malware) has increased exponentially.  Add to that, the fact that computing has reached every corner of the world, and billions of people have computers at their disposal - people with all kinds of morals, agendas, and abilities.  Multiply the sum of the above by the fact that instructional information (of all types - both helpful and harmful) is available on the Internet on any topic, including hacking and vulnerabilities.
  4. Now, let's define what a "computer" is.  This is an electronic device, with processing, memory (typically operating RAM and storage flash/disk memory), that has input and output, and runs a set of software called an Operating System that allows people to interact with it, and run application software.  With this basic definition, that broad brush includes:  Laptop/Notebook computers, Desktop computers, Rack servers, Any mobile phone ever produced, Any tablet, Any Television produced within the last - at least 10 years, your cable set-top box, any other set-top box (Chromecast, Roku, Apple TV, etc.), most alarm clocks (think iHome), any automotive vehicle produced in, say, the past 20 years...the list goes on.  Today, it is almost anything that requires electricity.  My Blendtec blender has a digital readout and buttons - and may be one of the few devices that is on the borderline because it has only physical I/O (buttons and display), and no Internet connectivity - yet!
  5. The more you follow patterns, and the simpler those patterns are, the easier it is for someone to hack you.  More specifically, if you use say 5 different passwords for all the hundreds of web sites and software you use, and those passwords are always 8 characters, have an upper-case first letter, and a number at the end, and replace certain letters with certain numbers - voila, that's a simple pattern.  If you use the same password for Google ID, Apple ID, Hertz, Avis, Marriott, Delta, Southwest, American Express, and your bank - well, you get the picture.  Once someone has one password, they have all your passwords!
  6. A simple name/password system is the easiest to hack.  Once you add more factors, it becomes very difficult for people to hack.

So, what are the implications of these lessons?  If you have a computer, someone either has or will develop a virus (or malware to be more general) for it, or be able to hack into it.  Why?  Because the systems are developed by Humans and therefore inherently hackable.   These hackers will try to make money off it, they will try to attack you for political gain (think Syrian Electronic Army, think NSA), or just because they can and they have the time and the need to feel excited at seeing the mayhem they created in other peoples' lives.

What are the takeaways from these lessons?  With PC's, we have gotten accustomed to the following security measures:
  • Regular security updates from the OS manufacturer (Microsoft, Apple, Ubuntu, Google, etc.)
  • Antivirus software that identifies and prevents attacks
  • Firewalls to prevent active attacks from the Internet
  • Spyware and Adware protection that does the same as Antivirus software against malware that tries to do some not-so-nice but not necessarily catastrophic things to us
In the Post-PC world of today, where the vast majority of devices on the Internet are NOT PC's, have these lessons transferred?  No!  We are all vulnerable, but not helpless.

And, more importantly, what can you do to protect yourself from this?

From Desktop to Mobile

From the definition of computers you can extrapolate the applicability to your mobile devices (note: not just "my" definition, but "the" because bottom line, that is what a computer is - and all devices under that huge genre are susceptible to the faults pointed out here).  Why the emphasis on mobile?
  1. The growth rate of mobile market has far outstripped the growth of the PC market.
  2. Mobile devices are inherently "personal" across cultures.  As such, we interact with them as if they are our own, personal spheres of computing - much more so than a PC.  However, these "personal" computers are definitely interconnected via many technologies, and always (or most always) "online." Also, it seems we are more willing to install apps and put data on/through them that either we may not on a PC, or is more convenient to deal with than a PC.
  3. Other than, to a limited degree Apple, the PC lessons have NOT translated to mobile devices.  What antivirus software are you running on your mobile device?  Yeah, I thought so.
    1. I say Apple to a limited degree, because if you go through iTunes to install software, they at least vet the apps.  If you have not jailbroken your device, the OS at least sandboxes each app to limit its ability to conduct malicious activities.  Windows, Android - forget it.  Blackberry?  Too small to even consider.

To Update...Or Not To Update

So, on PC's what dos Update do?  When OS manufacturers identify these security flaws, they let you update your system with their fixes through the Update mechanism.  If you don't use it, then your device remains vulnerable to those ways of causing you harm.  If you don't educate yourself on how to update your device - well, then that's on you.  When you get a car, you have to learn about getting fluid changes (not just oil), tire pressure, battery replacement, and so on.  If not, guess what?  Same thing with your computing world.  Except in this case, it isn't just the parts grinding on each other and wearing them out - it is someone out there intentionally trying to mess you up, and going after you via the Internet, Bluetooth, etc.

If you have a way to turn automatic updates on, do so.  If not, make sure you check - on a weekly or monthly basis at the very least.  Should you update?  AS SOON AS IT COMES OUT.

Why Apple?

While many people love to hate Apple, again you have to think about what it is they have accomplished.  When they put out a product, they don't just put it out there - they offer a complete, "soup to nuts" solution. When an update is available on iOS mobile devices, each device will receive a notification.  Critical updates will actually interrupt the user using the device, and prompt them to install the update.

When I use the cliche "soup to nuts," I do mean that Apple has considered and handles each and every aspect of a device - from the developer network it needs to develop third-party apps to make it successful - to the end consumer and all aspects of delivery, support, training, and service - to all points in between in the supply chain.  They are not fragmented - they are organized, move forward with a plan and determination, and operate with integrity.

Updates do not occur in the same way on Android.  Indeed, since Android is an open OS (meaning Google gave it out to the public for free), many manufacturers have modified it to their own purposes to put their own competitive "flavor" on it.  This makes updates from Google even more iffy, because they could cause unforeseen issues on certain manufacturers or models if applied.

I don't know for sure, but I would guess that Windows Mobile updates the same as Windows.  My whole problem with Windows, though, is that Microsoft developed it.  Microsoft is the king of marketing and making money from products, but not the king of reliability and delivering what consumers really want.  Historically they have convinced everyone that they are the only game in town, but that is crumbling around them because they totally missed the large growth Mobile market and are scrambling to catch up.  Meanwhile, the plethora of security exploits on Windows are well-known, ubiquitous, and persistent.  The recent fiasco discovered in Internet Explorer affects releases 6 through 11 - practically every version of Internet Explorer in use today (see Microsoft bulletin MS14-021).  And Internet Explorer is core to Windows, so if you just install some other browser, you are still not replacing core functionality with the new browser - embedded IE built into Windows and other Microsoft products propagate the inherent security flaws that make the system unstable and insecure.

If anyone has experience with Ubuntu on mobile devices, I would love to know how that fares.  I assume updates are delivered via the Software Centre, but are they pushed automatically (or push notifications so you can pull them)?

No comments:

Post a Comment