Maximum PC

For Goodness’ Sake, Apply Your System Updates

WE (SHOULD) ALL KNOW BY NOW that system updates are important. If you don’t keep your system updated, your data could be compromised. And that sucks for you. When an enterprise doesn’t run a system update, it can compromise millions of people’s data. That

Alex Campbell is a Linux geek who enjoys learning about computer security.

It happened again: There’s been another breach of security that leaves the personal information and Social Security numbers of US citizens exposed. I’ve seen this once before with the Office of Personnel Management hack a couple years ago. This time, however, the scale of the breach dwarfs all others. I also noticed that the affected organization was using open-source software. What?

One thing open-source and Linux users like to say is that the OS and software are more secure than proprietary software. This is true for one big reason: A volunteer programmer is free to experiment and contribute any code in order to fix bugs or add new features. Any open-source code that is found to have a vulnerability can be fixed by anyone with the interest and skill to do so. Generally speaking, security holes are fixed as soon as they are found. When the SambaCry vulnerability was discovered, patches were available within a day or two.

There are downsides, though. Vulnerabilities (also called “vulns”) can be reported in public mailing lists or bug trackers. While it’s great for developers to have easy access to the information they need to patch the code, it also makes the vuln public knowledge. Furthermore, patch notes often have details about what type of vulnerability the patch fixes. At that point, running unpatched software is like living in an old circular saw blade warehouse that’s been marked seismically unsafe in a city such as Tokyo or San Francisco. When something goes wrong, you can’t say someone didn’t warn you.

As for the Equifax hack, a vuln in Apache Struts (CVE-2017-5638) was posted by the National Institute of Standards and Technology (NIST) on March 10. (The notice describes a vulnerability that would allow a remote attacker to upload a file and execute arbitrary code.) The Struts team released a patch that mitigated CVE-2017-5638 on March 7. Equifax issued a statement on September 7 saying it detected an intrusion as early as May. I’ll let you do the math.

Besides a sudden interest in how credit freezes work, what you should take away from this as an end user is that updating software matters. After all, Equifax isn’t alone. There are countless blogs running old versions of WordPress or WordPress plugins that are compromised every day. There’s also a lot of angst about the Internet of Things: Many IoT devices don’t have an update mechanism for users to keep those devices patched. There’s a legitimate fear that a botnet of smart LED bulbs could bring down critical infrastructure.

Sure, we love to moan about Windows 10 updates, but they keep you safe. Likewise, running Linux without regular updates only offers a false sense of security. Running updates manually once per week is a good habit to get into. And since running an update often only takes one or two console commands, it’s not exactly a burden. If you’re running programs compiled from source, be aware that your package manager won’t update those programs, and updates are your responsibility. If you’re running an Internet-facing web server or NAS at home, keeping your systems updated is even more crucial.

When you do find yourself updating your system, remember that any of the programs listed in the update, left unpatched, could be a potential weak point; it only takes one application to compromise a system. With the growing complexity of computer systems, there will always be security holes. But if you update your system regularly, you can plug those holes as soon as they become apparent.

It is believed Equifax was using an outdated version of Apache Struts.
