Stop Using Software Built in Russia

The war in Ukraine that broke out in late February 2022 forces me to tell you to shut down, uninstall, and replace any software built in Russia that is on any computer you control. I am not the only one saying this. The caution applies especially to anti-virus and malware utilities and Virtual Private Network (VPN) tools.

Anti-virus and malware tools must have access to everything on a computer and they are remotely updated almost every day, which makes them dangerous if they are subject to unscrupulous interference. Virtual Private Networks are used to make network traffic harder to snoop on and more secure. They can be dangerous because their manufacturer may have access to all your network traffic. Most apps only access their own network traffic.

If you are sympathetic to the plight of Ukraine, getting rid of Russian software is a way to place your own economic sanction on the invaders. Giving up Russian vodka and caviar is another way.

If you don’t care about Ukraine, you still have another critical reason to act.

You must understand that your computing systems depend on the honesty and integrity of the manufacturers of the software running on your computer. Vulnerabilities, security weaknesses, are discovered in software from reputable software houses all the time. Most of these are mistakes, but some are software features, functionality that makes us want to buy software. But some of these features give manufacturers extraordinary power over systems.

This is not all bad. Software design frequently trades off between security and efficiency or convenience. A classic book on software design, Design Patterns, describes building blocks for designing reusable software modules, including patterns for making data and processes accessible throughout a system. These accessibility building blocks make a system more efficient, but less secure because a tiny breach can open up an entire system. The security of well-designed systems depends on the integrity and care taken by their manufacturers to strike the right balance. A careless or unscrupulous manufacturer can release scandalously insecure applications that the market will lap up, until the disastrous insecurity is discovered and a crisis ensues.

For example, a password reset provision in an application is a great convenience, and nearly a requirement for any commercial product. Yet password reset is a gaping security hole when the wrong hands are able to invite unauthorized actors into a system by changing passwords. Remote access for support is another required feature for most systems that becomes a weapon when a criminal uses it to take over.

Backdoors—routes into an application known only to developers—used to be common. Backdoors are now considered extremely bad practice, but some developers still use them to save time during development. But the last few weeks before release are often the most hectic of the entire software development cycle. Unless management insists, removing backdoors can be neglected by busy developers working long hours. The software user’s only protection from secret backdoor access is the integrity and honesty of the software manufacturer.

This is why I continually tell folks to be careful about what they install on their computers. Only install apps from reputable vendors. Don’t just assume a vendor is reputable; actively check them out.

Some, perhaps most, Russian software companies are honest and do not intend to exploit their customers. However, all businesses operating in Russia are subject to coercion by their government. That’s the way business now works in that country. If the Russian government wants a backdoor into an application, they can compel a Russian company to put one in. Since the war in Ukraine started, the pressures can only have increased.

Doing business in Russia differs from business in western countries like the United States, Canada, and the European Union. Government and private abuses do occur here, but we have a free press, whistleblower protection, and a tradition of following laws that are scrutinized by the public and changed when enough people oppose them. Maybe not fast enough, often enough, or exactly the way each of us might agree with, but the public eventually is heard in western governments.

With the Ukraine war, public oversight and rule of law in Russia has disappeared. You may argue that it was never present, but your computer is still in jeopardy if you are running Russia-built software. Your home computer could conceivably become an instrument in a cyberattack on western or Ukrainian infrastructure. Compromised home computers have played roles in criminal attempts to shut down servers by overwhelming them with traffic.

I don’t like blacklists and I will not publish a Russia blacklist here. I urge everyone to add checking for Russian involvement as part of their due diligence for installing software on their computer. As much as I admire Chinese traditional culture, I have also added the People’s Republic of China to my due diligence list. North Korea goes without saying, but I’ve never seen a North Korean software product.

For example, Kaspersky Internet Security is a popular and powerful anti-virus tool. Run a Google Search on “Kaspersky Internet Security Russia” and see dozens of items on the dangers of Kaspersky. Wikipedia has a “Software companies of Russia” page. These provide useful hints.

Ultimately, in this age of misinformation, you have to rely on research and judgement.

I am a cautious person by nature and do a lot of research. Along with reading software reviews, I go to the website of software houses I suspect and check their corporate pages.

Is their stock publicly traded? I tend to be less suspicious of companies traded on the Nasdaq or New York stock exchanges. The Securities and Exchange Commission (SEC) and the Federal Trade Commission help keep them honest, although foreign investment is allowed. Privately held corporations and those on foreign exchanges get more scrutiny from me.

Where is their company headquarters? Where do their officers and members of their board of directors live? Where are their development labs? Most large software companies now have labs all over the world, but a company with most of their developers in Russia attracts my suspicion. Check their jobs listing. Where are they recruiting? What does the trade press say about the company?

Triangulate multiple sources. The fact-checker’s rule of thumb is that any point not supported by three independent sources requires more examination. Be extra cautious when a piece “just sounds right.” That may be your preconceived bias speaking to you, a frequent source of bad decisions.

When my suspicions are aroused, I must have a good reason to install or continue to use the company’s software on my systems.

Be careful, folks.

A note of thanks to my friend from the Whatcom County Library System, Neil McKay, for edits and useful comments.

Malware On Apple

Toto, I’ve a feeling we’re not in Kansas anymore

Mac fans and Apple marketing used to say Macs were immune to computer viruses. That was never entirely true, but it was mostly true. Users of Apple products really had fewer virus and malware issues.

But the landscape has evolved. Apple security incidents have gradually increased. In early February this year, 2022, the Microsoft 365 Defender Threat Intelligence Team, Microsoft’s crack computer security group, posted an analysis of a Mac trojan, malicious software that looks innocent. The malware is surprisingly sophisticated. As it has spread in the wild, it has continually grown more malicious. This report on the Mac trojan signals the new world of Apple security.

Don’t be naïve. Everything in tech is touched by marketing. Microsoft fired this shot to convince system administrators that connecting Apple devices to Microsoft server systems can make Apples safer. You can take that claim for whatever a competitor’s claim is ever worth. The report is reliable, but it goes down best with a grain of salt.

Apple has left the farm in Kansas. It’s time to take Apple viruses and malware seriously.

History and Relationship with the Past

From the late 1980s on, Apple equipment was strong in niches like education and graphic design, but Microsoft was orders of magnitude more popular in typical homes and businesses, mostly because tons of Windows compatible software ran on cheap generic PCs from competing hardware manufacturers like Lenovo, Dell, and HP.

Apple focuses on user-friendly, high-end, premium products. They released the first commercial graphical all-in-one computer, the Macintosh, and followed it up with a string of top-shelf innovative products like the iPod, iPhone, and iPad as they continually improved their line of premium desktop and laptop computers. This winning strategy eventually made them the most profitable company on earth.

Microsoft, on the other hand, has striven for a wide variety and high volume of useful products on competitive generic hardware. Clearly not a losing strategy: they became the second most profitable company on earth.

Security Through Obscurity

For years, choosing quality over quantity indirectly improved Apple’s reputation for security. Until recently, breaking into an Apple product was not an attractive project for most hackers.

Breaking into a computer system is easier than it ought to be, but it still requires time, effort, and risk. Given a choice between developing a technique for penetrating a Microsoft Windows system and an Apple system, hackers regularly chose Microsoft because the large Microsoft user base increased the chance of finding a juicy victim.

Security types call this “security by obscurity.” However, avoiding attention to avoid attack no longer helps once the victim has attracted an attacker’s attention.

In the last decade, Apple’s enormous success has blown away its obscurity. Now hackers see juicy Apple targets and are out to snag them.

Unix Roots

Microsoft has cleaned up its act considerably in the last decade, but early on, they had a dismissive attitude toward security. Windows developers and their predecessor DOS developers assumed that a personal computer was a standalone appliance like a toaster or a steam iron.

Securing a standalone PC meant locking the door to the office, chaining PCs to desks, and locking their cases. In those days, a physical hard drive was thought more valuable than the data it contained.

Microsoft took a long time to recognize that a PC connected to a network requires a different kind of security.

Meanwhile, the rising tide of hackers grew into a dark industry devoted to raping and pillaging Windows installations. Eventually, Microsoft realized they had to do something, and they have, but they’ve played a lot of catch-up.

Apple developers may have been slightly more aware of the dangers, but their “security by obscurity” cloak obscured impending threats.

Even so, Apple made a sound engineering decision a few years ago: instead of continuing to develop their proprietary standalone operating system, they adopted a variant of Unix, the open-source operating system long favored by academic, engineering, and enterprise developers. The popular open-source operating system, Linux, is also a Unix variant.

Disclosure: I am a dyed-in-the-wool and unreconstructed Unix programmer.

Unlike Windows, whose roots are in stand-alone PCs, Unix was designed for multiuser computers, and, more significantly, heavily used in colleges and universities as a teaching tool. AT&T developed Unix and then offered it as a royalty-free product to educational institutions for a small administrative fee. In those days, almost all software included source code. Universities were not allowed to distribute the source code or their work built on Unix, but they retained rights. Consequently, Unix was widely adopted by university computer science departments. This was a boon to Unix security.

I was one of the computer rats who hung out in the Western Washington University computer center in the middle of the night studying Unix and trying to break into the university multiuser system. We weren’t criminals, just inquisitive and rambunctious college students. While Windows and DOS basked in single user isolation, my cohort in university computer science programs all over the world pored over source code and beat the hell out of Unix. We learned a lot, and our archenemies, the sys admins, often other students, also learned. The upshot was Unix security systems, both code and administrative practices, were scrutinized and hardened.

When Apple made the momentous decision to replace their proprietary operating system, they became the beneficiary of all the prodding and testing my friends did in the 1980s and 90s. By adopting Unix, Apple acquired an operating system that had security pounded into its foundations—a much better position than the Windows security features bolted onto a gradually hardening insecure foundation.

So. Yes. Apple products are inherently more secure than Windows. But not much. And possibly not any longer. Microsoft, by no means a cluster of idiots, has worked hard to secure their products.

Keep in mind that secure is always a relative statement. When a professional says a system is secure, it’s a form of bluster that braces their self-confidence. A system may be more secure than others, but it’s only harder to break, not unbreakable.

Apple’s operating system is harder to hack into than older versions of Windows, but Windows today is orders of magnitude more secure than Windows of a few years ago. At the same time, Apple’s sharp engineers have only recently stepped into the target zone. They have their own catch-up game to play.

Scope

The Mac trojan Microsoft reported on began as a basic data theft exploit in late 2020. Apparently, the exploit begins like most hacking ventures: with an email that tricks an insider into letting a miscreant in. The exploit became more sophisticated over time. When the malware was first installed, it only transmitted basic system information to a master server. Over the next year, new capabilities were gradually added to the basic exploit and the malicious bot (the trojan acting as a robot under hacker remote control) started downloading installable applications.

Macs have mechanisms for preventing installation of untrusted software. The bot gained the capability to circumvent the protection. Then it began collecting and exporting more information and running code with root privilege, which is the highest level of privilege in a Unix system. For self-defense, the bot began removing and renaming the files it installed to thwart antimalware utilities that search for characteristic files to detect malware. It also started injecting ads into webpages.

I’m not going further into the details of the Mac trojan. Go to the Microsoft site, or take a look at this list of macOS malware.

Counter Moves

I recommend that all Apple users begin to follow the basic rules of computer hygiene if they don’t already. Follow them carefully and the chances that you will run into trouble will shrink drastically. These are the rules I follow for myself. The last time I was hacked, knock on wood, I was running Windows XP.

The Rules

One

Don’t be tricked into trouble. Most victims of online attacks were, at some point, tricked in a non-technical way with the skills of a con artist, not computer skills or knowledge. For example, some clever hacker impersonates your boss on the phone and asks you to email a list of employee usernames and passwords to an odd address. Clearly a dangerous request. Check it out before you comply.

Or someone claiming to be your favorite niece calls from Waco asking you to give her access to your Amazon account because she’s in a jam. Or you get a phone call from Apple asking for your account password. Don’t get rooked by liars and imposters.

These cons are called “social engineering.” Their intent is to trick you into opening the door to a hacker.

Two

Avoid dodgy websites. You know which sites. The ones that appeal to base instincts or offer something too good to be true. Super gadgets for $19.99. Unbelievable cures that doctors keep secret for fear of losing patients. Inside financial tips. Salacious celebrity pics.

Click on one of those kinds of websites and you can lose more than your time and money; you could also infect your computer with nasty malware that will hurt for months to come if the infection is not promptly detected and removed.

Three

Be careful with downloads and installs. The simplest and most effective way to compromise your computer, laptop, tablet, or phone is to install an application that promises to entertain or perform useful work, but also opens your device to exploitation. During an install, your computer is a patient on the operating table whose heart is in the hands of a surgeon. If the surgeon is a crook, your computer is defenseless.

To protect yourself, get your apps from reputable sources. The Apple, Microsoft, and Google app stores vet the applications they offer. That’s a big help, but they are not perfect. Some nastiness gets through. Before you install, check the reviews and the reputation of the developer on the network. Avoid being the first to install a new app. Always download from secure (HTTPS) sites.

Get your hardware drivers directly from your operating system and device manufacturer sites. If you can’t avoid a third-party site, research it thoroughly. I often go to Tom’s Hardware for driver information.

Four

Scan regularly for malware. Apple now has malware scanning (antivirus) built in. In addition, third-party anti-malware tools are available for Apple. Almost all are effective when used properly.

Anti-malware tools are fiercely competitive, and the malware landscape changes daily. The tool that is the best today may be second rate tomorrow and best again next week. The brand of tool is not as important as regular updates and frequent scans.

Choose a malware scanner with a solid reputation. These scanners are uniquely well-positioned to mess with your device and steal data. Choose a well-reviewed scanner from a reliable source. Some popular scanners have been accused of questionable practices.

When you have chosen a scanner you trust, accept updates and run scans often.

Five

Keep your operating system and apps patched. Hackers are always looking for new vulnerabilities. They find the holes and exploit them quickly. The industry battles hackers continually with patches that stop up the holes in defenses. Turn away the invaders before they get in.

Automatic updates may be annoying, but the benefits outweigh the trouble. Sign up for automatic maintenance from reputable sources whenever you can. Automatic updates occasionally mess up, but that happens less as the sources get better at patching, and a botched patch is usually far less damaging than a successful attack.

Six

Use strong passwords. Password cracking is more sophisticated today than when the old rules were written. Long (sixteen characters or more) random passwords are still difficult to crack, but hackers have ways of cracking commonly used passwords. Any single word that appears in any dictionary, any common sequence of characters (like ‘123456789’ or ‘qwerty’) is a breeze. I like memorable nonsense phrases like ‘MyPetRockSaysHi!’.

A password manager utility that generates long random passwords is useful. Never duplicate a password. Some of the worst breaches in recent years have been based on duplicated passwords.

Current opinion is now that changing passwords frequently is counterproductive because it leads to weaker and duplicated passwords. A strong password that has never been revealed or compromised does not ever need to be changed.

Multi-factor authentication (MFA) is now common. Use it in addition to a password. Multi-factor authentication is harder to hack than the strongest password. For example, sites and devices that request a fingerprint or a face scan after entering a correct password are safer than a password alone because the chances that a hacker can get both are low.

The strongest multi-factor systems use an app-generated token, like a 5-character code, or require a special USB device (key) that you have to plug in. Critical accounts, such as your bank or your brokerage account, should always use multi-factor authentication.

The Future

More secure platforms are possible in the future because the many platforms of today were naively designed without much thought to the potential for abuse.

Bitter experience has burned off the naiveté. Computer security will always be a challenge because computing systems are maddeningly complex. Developers and designers will never be able to foresee every security flaw.

In the early days of our current computing platforms, software developers did not think much about security. The goal was to build a network to interconnect systems and make them reachable, not put up barriers to access. In retrospect, that was jaw-droppingly naive. The hackers of today still take advantage of that naiveté.

Fortunately, the industry is wiser now. With new attitudes, improvement is possible.


I must credit my Whatcom County Library System friend, Neil McKay and computer communications expert, Steve Stroh, for their substantial help.

Burning Down the Internet

A Friday (10 Dec 21) headline in Wired magazine reads ‘The Internet Is on Fire’. That got a lot of attention and drove me to research the log4j vulnerability, as it is called.

The Damage

The situation is bad, very bad, but the computer network is probably not in quite as dire straits as the attention-getting headlines and news items imply.

The defect is in a popular open-source library that is used in enterprise applications, the computer programs that support large businesses and government agencies. Log4j is one of the most frequently downloaded open-source modules. The module has even migrated off-planet and is running on Mars. A patched version was posted 10 Dec 21 and was already downloaded over 630,000 times four days later. The vulnerability clearly has the development community’s attention.

The defect is also easy to exploit. I daresay that an experienced enterprise developer could code up a successful exploit in less than an hour. Just messing a system up might only take minutes. The first exploits in the wild were on gaming platforms, no doubt by script kiddies.

The ease of attack and seriousness of the compromise have sent hackers on a mad hunt over the network, seeking vulnerable systems.

Home Computers

In general, home computer users should not worry.

The vulnerability may affect individuals, most likely because a remote commercial service an individual uses was attacked or a work-related application was damaged. All an individual can do is wait for the pros to fix the issues. But these issues are on network servers, not home computers.

An attack on a home computer is possible, but not likely. The vulnerability can only affect home computers that have Java (plain Java, not JavaScript) installed. A few user-level programs require Java to be installed, but the vast majority don’t. If you have Java installed, you are probably savvy enough to realize you have it, because installing and keeping Java updated is usually annoying. Check your installed Java programs for the log4j modules, or uninstall Java and forgo some applications until the fire is out.

The fix will be to the application, rather than the Java installation. Be sure to have auto-update turned on to get fixes as they are developed. If you don’t know how to check module dependencies, contact me in the comments. Enterprise scripts that check for log4j are difficult to write, but spotting log4j on a home system is much easier. Although it’s not hard, it’s too technical to discuss here. If you are a Java programmer, you probably would not have much trouble creating your own patch from the publicly available patched log4j.

Some damage will certainly occur, but, after all those downloads of the patched version, the vulnerability is already much harder to exploit today than it was last Thursday before it was reported. As fixes go, this one is fairly easy and quick, which will turn the vulnerability into history soon, although the ubiquity of the module in enterprise systems means a lot of work will have to be done quickly.

How the Vulnerability Works

Log4j is a logging utility. All serious computer programs use some form of logging to record what the program does while it is running. I’ve looked over the programmer’s manual for log4j and some code examples. It’s a nice package: powerful, efficient, and looks easy to work with. A little too powerful for its own good, but I can see why it’s used everywhere.

Enterprise applications are usually widely distributed these days, which means they are made of many separate programs running on different computers distributed through an organization. In addition, most enterprise applications communicate with many other applications in the enterprise and some outside the enterprise.

An example of the power of these complex systems is Amazon’s success in selling such a wide range of products to so many people using so many different warehouses and shipping methods. Keeping all the accounts straight and delivering as predicted most of the time while facing pandemic supply chain disruption is a gargantuan task that requires a huge number of interrelated programs running on millions of networked computers.

When a system like Amazon’s malfunctions, the costs become millions in minutes.

These systems are extremely complex and can be devilish to keep running properly. Large systems change constantly. Equipment is added and replaced. Software is added, upgraded, or replaced. Network configurations change as facilities go on and offline. There is no “if it ain’t broke, don’t fix it” because everything breaks that is not fixed before the next change breaks it.

One way of managing system-breaking change is to place a sort of map of the system in various places and design applications to consult the map to determine how they should connect with other applications. When a change occurs, the maps are updated, perhaps automatically, and the rest of the system changes to accommodate the change, making the system more resilient and reliable.

Unfortunately, this can also be dangerous. A log that can report the real-time configuration of the system makes proactive reconfiguration and troubleshooting much easier. The log4j developers added this in 2013. But if hackers can get a finger into the map mechanism, they can do great damage.

The feature behind the log4j vulnerability is powerful, but it also opened a wide-open door to hacking. I can easily imagine excited and giddy log4j developers neglecting to consider the dangerous consequences of their neat feature. I won’t go into the details of the mechanism, but the vulnerability can trick applications into importing malicious code from a bogus server controlled by hackers instead of a legitimate repository. When executed, bogus code can eventually hand control to the hackers.

The Fix

Fixes are available. The 10 Dec patched version of log4j ends the problem. A change to the configuration of log4j will also fix it, although the reconfigured old version of log4j probably does not work as well as the patched version. A quick change to network firewalls can block the problem also, although not all network firewalls have the capability. Unfortunately, deep packet inspection firewall rules that will stop the log4j vulnerability have a reputation for compromising performance. However, short term instant fixes are often a godsend in crises like this one.
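The post says spotting log4j on a home system is easy but too technical to cover, and that the fix is the patched module or removing the feature. The script below is an added example, not code from the post: it walks a directory for Java archives, reads the log4j-core version from the Maven pom.properties that log4j-core JARs carry (an assumption about standard packaging), and reports whether the lookup class that the mitigations remove is still inside, looking one level into nested JARs because applications often bundle log4j in their own WAR or fat JAR. The sample archives it builds are constructed for the demo; the version strings in them are placeholders, not real log4j releases.

```python
"""Added example: find Java archives on a machine and report which still carry
log4j's JNDI lookup class. Not code from the original post; the entry names
below assume standard log4j-core Maven packaging."""
import io
import os
import tempfile
import zipfile

# Entry names inside log4j-core JARs (assumption: standard Maven packaging).
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def log4j_version(zf):
    """Read the log4j-core version from its pom.properties, or None if absent."""
    try:
        text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_zip(zf):
    """Return (version, jndi_present) for an open archive, descending one level
    into nested .jar entries, because WARs and fat JARs bundle log4j-core."""
    names = zf.namelist()
    version = log4j_version(zf)
    present = JNDI_LOOKUP_ENTRY in names
    for name in names:
        if not name.endswith(".jar"):
            continue
        try:
            inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
        except zipfile.BadZipFile:
            continue  # not a real archive; ignore it
        with inner:
            version = version or log4j_version(inner)
            present = present or JNDI_LOOKUP_ENTRY in inner.namelist()
    return version, present


def find_log4j_archives(root):
    """Walk root and report every archive that contains log4j-core, with its
    recorded version and whether JndiLookup.class is still inside."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with zipfile.ZipFile(path) as zf:
                    version, present = scan_zip(zf)
            except zipfile.BadZipFile:
                continue
            if version is not None or present:
                findings.append({"path": path, "version": version,
                                 "jndi_lookup_present": present})
    return findings


def build_sample_tree(root):
    """Constructed sample data (not real artifacts): an old-style log4j-core
    JAR still carrying JndiLookup, a patched-style one without it, a WAR that
    nests the old one, and an unrelated JAR that must not be reported."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)

    def make_jar(version, with_jndi):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPERTIES, f"version={version}\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")  # dummy bytes
        return buf.getvalue()

    old = make_jar("0.0-sample-unpatched", True)   # placeholder version strings
    new = make_jar("0.0-sample-patched", False)
    with open(os.path.join(lib, "log4j-core-old-sample.jar"), "wb") as f:
        f.write(old)
    with open(os.path.join(lib, "log4j-core-new-sample.jar"), "wb") as f:
        f.write(new)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-old-sample.jar", old)
    with zipfile.ZipFile(os.path.join(lib, "other.jar"), "w") as other:
        other.writestr("com/example/Hello.class", b"")


def demo():
    """Build the constructed tree in a temp dir, scan it, and return
    (basename, version, jndi_present) tuples sorted by name."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = find_log4j_archives(root)
    return sorted((os.path.basename(f["path"]), f["version"],
                   f["jndi_lookup_present"]) for f in found)


if __name__ == "__main__":
    for name, version, present in demo():
        status = "STILL HAS JndiLookup" if present else "lookup class absent"
        print(f"{name}: log4j-core {version}: {status}")
```

Point find_log4j_archives at a real application directory to check your own machine; an archive reported with the lookup class present is one to update to the patched module.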

The Prognosis

As I said beginning this post, the log4j vulnerability is bad. However, I am heartened by the vigor of the reaction in the development community. The problem was found, reported promptly, and fixes generated in days, not weeks or months. The industry is maturing and becoming more responsible.

Frustrate Phone Hackers

The NSA’s mobile device best practices contain the easiest and best tip for cellphone cybersafety I have heard in years. I’m surprised I had not thought of mentioning it. I regularly tell folks to turn off their computers when they are not using them because it discourages hackers. The same applies to cellphones.

The NSA suggests powering down once a week. I say, more often is better if you can swing it.

Here’s why. Everyone, including criminal hackers, likes a regular work week and hates to waste effort. Just like the rest of us, criminals want a regular, productive five-day, nine-to-five work week. When law enforcement tries to discover the source of a hack, they often identify the time zone of the hacker by looking at file and event dates and times. They know when hackers in China, for one example, like to start and end their day, even when they knock off for lunch.

Now, suppose some ordinary nine-to-five criminal has succeeded in pwning (taking over) your computer or cellphone. They come back from their borsch, pelmeni, and sour cream, raring to resume stripping you bare. They discover your computer has disappeared. Nasty words follow in foreign languages. Do you suppose they will wait patiently for you to power up? Not a chance. Most likely, after having lost a morning’s work getting ready to knock you over, they will not make the same mistake twice. They will move on to easier pickings. If you are lucky, your unreliable habits will annoy the hackers to the point that they throw you on their private “do not hack list.”

Recent trends in hacking make shutting down and restarting even more desirable. For decades, anti-virus and malware tools have relied on file signatures for detecting attacks. The tools scan computer file systems for files with characteristics (names, sizes, time stamps, and embedded sequences of characters) that signify infection. Having identified an infection, the tool moves or removes files and takes other steps to kill the infection.

Hackers know all about the way these tools work and they have responded with more subtle ways of infecting computers. Most of these involve avoiding detectable file changes by injecting nasty stuff into memory—the high-speed short-term information storage that disappears when a computer is rebooted.

And there you have it: power down a computer or phone with that kind of infection and the infection is gone. All that lovely hacking work destroyed. What a shame. Not.

I have regular irregular habits. I have a tablet in our living room that I use occasionally. I regularly shut it off when I’m not using it. Some days, it’s up all day and until late at night. Other days, it’s never up. I have several computers in my office. When the witching hour arrives and I decide to turn in for the night, I power them off. My last act of the day is to shut down and restart my phone. Midnight on the U.S. west coast is 10am in Moscow, a location where a lot of hacking goes on.

The next day, I power up the computers in my office as needed. On days I spend working in the yard or running errands, they may be up only for an hour or two. The point is to include irregularity for hackers into your regular habits.

I’ll end this post with a few other good habits for using smart cellphones:

  • Enable automatic updates whenever possible. Operating system and app vendors discover security vulnerabilities and fix them all the time. Let them help you be safe.
  • Going through the Google, Apple, and Microsoft app stores decreases vulnerability, but does not guarantee that an app will be safe. Frequently installed and favorably reviewed apps are the safest. If you must go outside the app store walled garden, be very, very careful.
  • Minimize the number of apps you have installed. If you don’t use an app, remove it. Every app you have installed is a potential security vulnerability. If you don’t use it, why let an app increase the possibility that you will be hacked?
  • Secure your phone. Entering a PIN is a pain, but leaving your unsecured phone next to a coffee shop cream pitcher or among the half-inch copper elbow fittings at Home Depot could be the prelude to a disaster. I have concerns with biometrics like facial and fingerprint scans, but they are better than nothing if you can’t be bothered with anything more secure. Some phones will unlock automatically at certain locations, like home and work. Consider using that feature.

Periodically restarting your phone is the simplest step you can take. Do it. Wait a day or two. Do it again.