Wednesday, September 17, 2025

Security Now

It is Tuesday evening.  I am listening to Security Now.  If you are not, I recommend that you do so.  

Security Now features Steve Gibson, the provider of the personal pen test, ShieldsUP!, and the author of the storage integrity program, SpinRite.  

I find myself passing over reports of problems, vulnerabilities, attacks and breaches.  I simply wait for Steve's weekly informed analysis.  Now, I admit it, I am both old and lazy.  If I applied what remains of my intellect, I might be able to distill from the media, perhaps, as much as ninety percent of what Steve does.  After all, what I lack in intellect, I make up for in experience. Still, it turns out to be much more efficient for me to wait for Steve's articulate analysis, than to do the work myself.  

Security Now is a weekly two-hour podcast on the security and privacy issues of the week.  They pride themselves on being available everywhere in every format.  While I simply rely upon my YouTube subscription, you can expect to find it in your favorite place and format.  

I hope that you find the weekly two hours to be as valuable, efficient, not to say entertaining, as I do.  



  

Wednesday, September 10, 2025

iPadOS 26

The geeks have been militating to make iPadOS more like Mac OS, Android, or even like Windows.  This frightened me.  I take comfort from the fact that with iOS I am more than a click away from contaminating my system.  I take comfort from the fact that one can recommend iOS for children and people born before 1980.

As beta releases of iPadOS 26 have become available, there have been reviews saying that the iPad is "ready for laptop duty," you "can finally ditch your mac," and "the iPad is a full-on computer now."  

Thank God!  All the hype to the contrary notwithstanding, one still "cannot change the core system or application code of iPadOS 26 directly through the user interface. Apple's operating systems, including iPadOS, are designed as a 'walled garden' for security and stability. This prevents users from altering the compiled code, which is what the system and apps actually run on."  That from Apple; I could have saved myself a lot of angst if I had asked Apple in the first place.


Yes, the screen in 26 is much more like that of the Mac.  The windowing and multi-tasking are more like that of the Mac.  The file system is more capable.  There is a task bar with drop-down menus.   One can copy and paste from one app to another, indeed from one device to another.  One takes comfort in the fact that Apple first figures out how to do a feature or a function safely before adding it to the system.  


But the iPad is still an application-only computer.  It still uses purpose-built apps, nearly two million of them in the store.  It is still a closed system.  Program code is still hidden.  It is a system in which one can enjoy, in safety, most, but not quite all, of the benefits of the general purpose computer on which it is built.  Rest easy, Steve Jobs.


 


Monday, September 1, 2025

Attack Surface Management

Thanks to our colleague, Ben Carr, for the idea and the title of this post.  I wrote most of what follows in response to a post of his on LinkedIn.

The attack surface of the typical enterprise includes all the users as well as all the other resources.

I think about the desktop where most of the vulnerabilities are in system code, system code that dwarfs the applications.

I think about all the applications that are on that system that are rarely if ever used.  

I think about the orphan data and servers.

I think about the excess privileges that permit entire enterprises to be compromised starting with one user who clicks on bait in an e-mail or on a web page that he visits out of curiosity.  


So, one way to manage the attack surface is to reduce it.

  • Remove unused user IDs.  Reverify and reauthorize users at least annually.  
  • Remove unused or rarely used applications or services.
  • Install only what you really need.
  • Prefer purpose-built apps to general and flexible facilities (e.g., browsers, spread-sheets, word processors).
  • Hide systems, applications, services, and sensitive data behind firewalls and end-to-end application-layer encryption.
  • Employ restrictive access control (i.e., least privilege, zero-trust, "white-list") at all layers.
  • Scan and patch only what is left (i.e., that which can be seen by potentially hostile people and processes).
  • Other.
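
As an added illustration of the first few items in the list (this is example code written for this page, not something from the original post), the sketch below turns an account and application inventory into a reduction worklist: unused IDs to remove, active IDs overdue for annual reverification, privileges granted but never exercised, and applications nobody uses. The inventory, the field names, and the 90-day idle window are assumptions of the example; only the annual reverification interval comes from the list.

```python
from datetime import date, timedelta

# Assumptions of this example: the 90-day idle window and the field names are
# illustrative; "at least annually" (365 days) comes from the list above.
IDLE_AFTER = timedelta(days=90)
REVERIFY_EVERY = timedelta(days=365)

# Constructed sample inventory, not real data.
ACCOUNTS = [
    {"id": "asmith", "last_login": date(2025, 8, 28), "reauthorized": date(2025, 3, 1),
     "granted": {"mail", "ledger-read"}, "used": {"mail", "ledger-read"}},
    {"id": "bjones", "last_login": date(2024, 11, 2), "reauthorized": date(2024, 6, 15),
     "granted": {"mail"}, "used": set()},
    {"id": "svc-report", "last_login": None, "reauthorized": date(2023, 1, 10),
     "granted": {"ledger-read", "domain-admin"}, "used": set()},
    {"id": "cdoe", "last_login": date(2025, 8, 30), "reauthorized": date(2024, 7, 4),
     "granted": {"mail", "ledger-read", "ledger-write", "domain-admin"},
     "used": {"mail", "ledger-read"}},
]
APPLICATIONS = [
    {"name": "ledger-client", "last_used": date(2025, 8, 29)},
    {"name": "legacy-ftp", "last_used": date(2024, 2, 14)},
    {"name": "pdf-toolkit", "last_used": None},
]

def is_stale(last_seen, today, window):
    """True when something was never seen, or not seen within the window."""
    return last_seen is None or today - last_seen > window

def review(accounts, applications, today):
    """Build a reduction worklist: IDs to remove, IDs to reverify,
    privileges granted but unused on active IDs, and applications to remove."""
    report = {"remove_ids": [], "reverify_ids": [], "excess_privileges": {}, "remove_apps": []}
    for acct in accounts:
        if is_stale(acct["last_login"], today, IDLE_AFTER):
            report["remove_ids"].append(acct["id"])    # unused ID: remove, do not reverify
            continue
        if is_stale(acct["reauthorized"], today, REVERIFY_EVERY):
            report["reverify_ids"].append(acct["id"])  # active, but authorization is over a year old
        unused = sorted(acct["granted"] - acct["used"])
        if unused:
            report["excess_privileges"][acct["id"]] = unused
    report["remove_apps"] = [a["name"] for a in applications
                             if is_stale(a["last_used"], today, IDLE_AFTER)]
    return report

if __name__ == "__main__":
    for action, items in review(ACCOUNTS, APPLICATIONS, date(2025, 9, 1)).items():
        print(action, items)
```

Unused IDs are reported for removal only, since reverifying or trimming the privileges of an account that should not exist adds nothing.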