Re: Attackers Exploit Animate Cursor Flaw

[Neil Cherry <njc@xxxxxxxxxxx>]

In comp.home.automation, you wrote:
> "Marc_F_Hult" <MFHult@xxxxxxxxxxxxxxxxxxxxx> wrote in message
>
>> On Fri, 30 Mar 2007 19:21:39 -0400, "Robert Green"
>>
>> >Attackers Exploit Unpatched Explorer Flaw
>
><stuff snipped>
>
>> IMO, HA and a smart home ought to be helpful in smart risk assessment and
>> effective risk reduction, and real-time loss mitigation (think sprinklers
>> and their cyber equivalents) -- not feeding paranoia.

> With more and more emphasis on HA, alarm and even HT systems being "internet
> enabled" security issues are going to require careful consideration.  It
> appears that the cursor exploit is being considered as rather serious among
> security experts.  It's unfortunate that not one poster here has indicated
> an interest (or perhaps a willingness) to engage in discussions about how to
> secure the HA to internet interface as best as possible.  Perhaps we need to
> sort that sociological issue out before any technological or educational
> interaction can proceed.

I don't know if I can add anything useful to the conversation but I
have a few points that may be of interest. I know a number of
engineers who refuse to secure their home systems. One recent revealed
that his home PC was so full of spyware that it failed to boot. He
went to a local electronics retailer for advice on how to fix the
problem (cha-ching, sale made). Another has a wireless system where he
only uses WEP because it's 'good enough' (WEP can be cracked in about
a minute). In the lab, at work, a vendor failed to inform us that
their tool actually ran Embedded Windows and we had a nice case of
spyware that kept re-infecting the lab servers. What a nightmare to
find that one, and to get fixed! Modern printers (as well as other
Internet ready appliances) are now running embedded Windows, how do
you go about finding out and getting that fixed. Two years ago it was
demonstrated that a Cisco router could be infected, used to run remote
code and turned into a zombie machine. I'm also pretty sure there are
various Linux embedded devices that have their fair share of problems.
These complexities are enough to drive the engineering staff to drink.
The average user can't even begin to comprehend what this all means or
how to properly deal with it. Remember they pretty much want
plug-n-play.

If you're concerned with securing the access to the HA env. from
outside the home this isn't too difficult. You've got VPN or ssh
tunnels that can easily solve those kinds of problems. With the
appropriate home route/firewall that can easily be established.

The main problem with security is that it generally an after thought.
Users only care about it when it interferes with the usage of the
system (either by making it difficult to use or by fixing it after the
fact). Vendors are more concerned with getting the system usable so
they can get it out the door (they can always fix it later).

Right now I'm can only take comfort in know that my system is more
secure than that of my neighbors' systems. It's like when riding a
bicycle by a loose dog. You don't have to be the fastest rider just
don't be the slowest rider.

--
Linux Home Automation         Neil Cherry       ncherry@xxxxxxxxxxx
http://www.linuxha.com/                         Main site
http://linuxha.blogspot.com/                    My HA Blog
Author of:    	Linux Smart Homes For Dummies