How do you know my password?

I don’t plan to mention every security-related thing I see on TV, but this one made me chuckle.

On The Finder, a new show on Fox, Michael Clarke Duncan’s character finds another character logged into the computer as him. He asks in his booming voice, “How do you know my password?”

The answer: “You say it to yourself as you type it in.”

I’ve caught myself doing that a few times. The worst is when the password is a phrase from a song.

ProxyClient, Error 400 and MS12-006

This is just a case of bad timing.

Back in August, BlueCoat implemented some changes to the BlueCoat WebFilter. It introduced some new categories and renamed some other categories. On the ProxySG, no change was necessary for the renamed categories. However, for ProxyClient (the client-side install that provides protection when off the corporate network), you needed to manually update the config.

Unfortunately for us, no one bothered to update that config. While reviewing some BlueCoat best practices, I double-checked our existing settings and found that we still had the old categories selected in ProxyClient. I made the required changes and saved them to the server. On my client, I ran the updater and got an error back: “Received status 400 from server”. I received the same error testing directly from my browser.

When I opened a case with support, they directed me to a Technical Alert, “ProxyClient Installation is Failing with HTTP 400 response from server”. I’d seen that before running into this problem, but hadn’t read it since I wasn’t installing ProxyClient, and I didn’t remember the error 400 tie-in. It turns out the problem occurs when making the SSL connection from the client to the server to pick up the configuration. This is true of a new install or an updated configuration.

The cause of the problem is MS12-006. Since this update contains SSL fixes for the BEAST vulnerability, I’m going to have to ignore BlueCoat’s suggested workaround of uninstalling the Microsoft security update. I’m not sure whether this can be fixed with a new ProxyClient version or if I’ll be waiting for a ProxySG release, which would involve much more testing.

DreamHost Database Intrusion

“Prevention is ideal but detection is a must.”

That was my immediate reaction to DreamHost announcing it had detected an intrusion. I love that.

How many companies would even notice before all their customers were calling asking why they were owned?

How many companies would refuse to talk about security incidents or blame the customer?

How many would take the PR hit to preëmptively perform password resets immediately instead of waiting until the investigation was complete? A week or a month from now we could learn that the passwords weren’t taken, but in an abundance of caution action is taken now to prevent damage.

Maybe I’ve drunk the Kool-Aid, but I think DreamHost did the right things, based on the reports I’ve seen.

Masked Scheduler Blog Now with Gadgets & Electronics

MaskedScheduler.blogspot.com was once the abandoned blog of a Fox exec who would write about past successes and current failures.  It was great reading.   For whatever reason, the Masked Scheduler decided to confine his prose to Twitter’s 140 characters and the blog wasn’t used anymore.

Fast forward to today, and I find my RSS reader suddenly has a ton of posts from the Masked Scheduler blog. Instead of TV commentary, I find spammy gadget/electronics posts. I’m guessing it is trying to take advantage of the link love the former blog enjoyed.

When you decide to terminate a social media account, whether a blog or Twitter, you should consider taking down the content but holding on to the name. This is particularly true for free sites. You’ve built a brand, and you have thousands of inbound links. According to Google Reader there are 200 of us on Reader who got this unintended content because the Masked Scheduler apparently deleted the account and it became available for reuse after a period. I’m guessing here based on the archive.org crawl from last year showing the account is gone, so it doesn’t appear to be a compromised account. It’s just the case of a username being abandoned and picked up by someone else.

Google Page Layout Algorithm Change

This isn’t an SEO blog, but I see Google has announced a change to their algorithm. This change is designed to punish websites that have so many ads at the top of the page that you are forced to scroll down to see content.

It reminded me of the default theme in WordPress. The top image on many screen resolutions wastes so much space that you have to scroll down to see anything. Probably not who they are targeting.

WordPress Default Database Prefix

One of the recommended security measures for WordPress is to change the default database prefix. When you use the default setting, your table names are predictable, which makes SQL injection attacks easier to carry out. The easy way to avoid this is to change the prefix before installing WordPress for the first time. If you forget to do this, you can either do it manually with vi, sftp, and phpMyAdmin or you can use a plugin to make the changes. I went the manual way. I followed instructions from digwp, but I also double-checked those instructions with several other sites.
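The manual prefix change walked through above, as an added example that is not the author’s or digwp’s procedure: it runs against an in-memory SQLite stand-in for the MySQL database (the statements are noted where MySQL differs), uses the constructed prefix `x7q_`, and covers the two things a plain table rename misses, the option and usermeta keys that embed the prefix and the fact that `_` is a wildcard in `LIKE`.

```python
import sqlite3

OLD, NEW = "wp_", "x7q_"   # x7q_ is a constructed example prefix, not a recommendation

# The eleven core tables a WordPress 3.x install creates; plugin tables would go here too.
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "terms", "term_relationships", "term_taxonomy", "usermeta", "users"]

def build_fixture():
    """Constructed stand-in for a fresh install, using in-memory SQLite instead of MySQL."""
    conn = sqlite3.connect(":memory:")
    for t in CORE_TABLES:
        conn.execute(f"CREATE TABLE {OLD}{t} (id INTEGER PRIMARY KEY, option_name TEXT, meta_key TEXT)")
    # These two tables also carry the prefix inside row values, which a table rename never touches.
    conn.executemany(f"INSERT INTO {OLD}options (option_name) VALUES (?)",
                     [("siteurl",), (f"{OLD}user_roles",)])
    conn.executemany(f"INSERT INTO {OLD}usermeta (meta_key) VALUES (?)",
                     [(f"{OLD}capabilities",), (f"{OLD}user_level",),
                      ("wpseo_title",),   # "wp" + one char: a naive LIKE 'wp_%' would rewrite it
                      ("nickname",)])
    return conn

def escaped_like(prefix):
    """LIKE treats '_' as a one-character wildcard, so the prefix must be escaped."""
    return prefix.replace("_", r"\_") + "%"

def change_prefix(conn, old=OLD, new=NEW):
    """Rename the tables, then the option/meta keys that embed the prefix."""
    for t in CORE_TABLES:
        conn.execute(f"ALTER TABLE {old}{t} RENAME TO {new}{t}")   # MySQL: RENAME TABLE old TO new
    skip = len(old) + 1                                             # substr() is 1-indexed
    for table, col in ((f"{new}options", "option_name"), (f"{new}usermeta", "meta_key")):
        conn.execute(f"UPDATE {table} SET {col} = ? || substr({col}, ?) "
                     f"WHERE {col} LIKE ? ESCAPE '\\'", (new, skip, escaped_like(old)))
    conn.commit()
    # wp-config.php's $table_prefix must be set to the same value before the site is used again.

def leftovers(conn, old=OLD, new=NEW):
    """Verification: table names or keys still carrying the old prefix (should be empty)."""
    pat = escaped_like(old)
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name LIKE ? ESCAPE '\\'", (pat,))]
    keys = [r[0] for r in conn.execute(
        f"SELECT option_name FROM {new}options WHERE option_name LIKE ? ESCAPE '\\' "
        f"UNION ALL SELECT meta_key FROM {new}usermeta WHERE meta_key LIKE ? ESCAPE '\\'", (pat, pat))]
    return tables + keys
```

Run `leftovers()` after the change; a non-empty list means a table or key was missed and the site will log users out or report missing tables.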

This post largely exists as a test post to verify posting, at least, still works.   If you see anything else broken, please let me know.

I use Incapsula to protect the site.   SQL Injection protection is included in their free protections.   Nevertheless, I finally decided the risk was worth the limited reward.

Does Anybody Really Know What Time it is

Does anybody really care (about time)?

This Chicago song came to mind for today’s blog post about NTP.

I was walking down the street one day... OK, I’ll stop. I was reviewing my firewall logs and noticed systems going to external services for NTP.

It is best practice (and company policy) for all systems to use the same time source. It is very difficult to match up logs from different systems when they may have different times.

It turns out there were two problems at play. The first is default configurations. People setting up specific equipment didn’t update NTP, or assumed that because it was set on one system it would replicate to the other appliances that were part of that “group”. The other thing that happened was that an issue with the internal NTP server caused the Unix admin to point his servers elsewhere for time.

Your internal NTP server needs to be rock solid.

Another item that still needs to be addressed here is secondary NTP. People are going to the same primary NTP server and then using whatever was the default on the device as the backup NTP. Yeah, not such a good idea.
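The firewall-log review described in this post, as an added example rather than the author’s own tooling: it reads constructed key=value firewall lines, treats every UDP/123 flow as an NTP query, and reports per host which destinations are the approved internal servers (assumed addresses) and which are not, including the “good primary, vendor-default secondary” pattern described above.

```python
from collections import defaultdict

# Constructed firewall log lines in a generic key=value format, not the author's real logs.
SAMPLE_LOG = """\
2012-01-19T02:14:07 fw1 action=allow proto=udp src=10.1.4.22 dst=10.1.1.5 dport=123
2012-01-19T02:14:09 fw1 action=allow proto=udp src=10.1.4.37 dst=192.0.2.10 dport=123
2012-01-19T02:14:11 fw1 action=allow proto=tcp src=10.1.4.37 dst=198.51.100.7 dport=443
2012-01-19T02:14:12 fw1 action=allow proto=udp src=10.1.7.8 dst=10.1.1.5 dport=123
2012-01-19T02:14:15 fw1 action=allow proto=udp src=10.1.7.8 dst=203.0.113.99 dport=123
2012-01-19T02:14:20 fw1 action=allow proto=udp src=10.1.4.22 dst=10.1.1.6 dport=123
2012-01-19T02:14:22 fw1 action=deny  proto=udp src=10.1.9.3 dst=192.0.2.10 dport=123
"""

# The sanctioned internal time sources; assumed addresses for this example.
APPROVED_NTP = {"10.1.1.5", "10.1.1.6"}

def parse(line):
    """Return the key=value fields of one log line as a dict (timestamp and device dropped)."""
    return dict(f.split("=", 1) for f in line.split()[2:] if "=" in f)

def ntp_report(log_text, approved=APPROVED_NTP):
    """Per source host: which NTP servers it queried, split into approved and unapproved.

    Every UDP/123 flow counts, including denied ones: a blocked query still means the
    host is configured to look for time somewhere it should not."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = parse(line)
        if f.get("proto") == "udp" and f.get("dport") == "123":
            seen[f["src"]].add(f["dst"])
    return {host: {"approved": sorted(dsts & approved), "unapproved": sorted(dsts - approved)}
            for host, dsts in seen.items()}

def misconfigured(report):
    """Hosts that used at least one unapproved time source, e.g. a vendor default left in place."""
    return sorted(h for h, r in report.items() if r["unapproved"])

def single_sourced(report):
    """Hosts seen using fewer than two approved servers: candidates for a missing secondary."""
    return sorted(h for h, r in report.items() if len(r["approved"]) < 2)

if __name__ == "__main__":
    rep = ntp_report(SAMPLE_LOG)
    for host in misconfigured(rep):
        print(f"{host} -> unapproved NTP: {', '.join(rep[host]['unapproved'])}")
```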

Symantec Source Code Stolen

Source code for Symantec Endpoint Protection 11 and Symantec Antivirus 10 has been stolen. According to speculation in news reports, the source code had been provided to the Indian government and was compromised from their servers. Security companies often provide source code in order to be able to sell software in a country; I suppose the governments are worried about NSA backdoors. This hack highlights the problems with loaning out your source code.

Symantec downplayed the severity of the report, saying SAV 10 is no longer sold (end of support in July 2012) and SEP 11 is 4-5 years old.

Even if the source code was from an earlier version, I am confident the source code doesn’t change that much within a major build. Symantec Endpoint Protection 11 may have initially been released 4 or 5 years ago (can that be right?) but it is still the main version in use today. Its successor, SEP 12.1, was only released in July, and most people would wait before deployment.

I was a bit surprised by some of the reactions to this disclosure. Rob Rachwald of Imperva says there is “not much hackers could learn from it” because they already analyze antimalware products. The Atlantic Wire quotes Bruce Schneier as saying it isn’t a big deal.

I think it is a big deal. Antivirus products do have vulnerabilities. Antivirus products are widely deployed, and often it is possible to find out what a particular company is using. Isn’t code analysis easier than trying to black-box test or reverse engineer the code? Depending on how diligent Symantec has been, I think this could lead to more security updates for Endpoint Protection.

Chris Parden, Symantec spokesman, says they are developing a remediation process for enterprise customers still using affected products.

Scanning External Drives on Connection

Over on Symantec Connect (the Symantec support forum), I frequently see people ask about the ability to automatically scan a removable drive when it is connected to a system.   They also submit it as an “idea”.   The Idea section is where you can make product suggestions that users can discuss and vote up or down.

I often wonder where this idea comes from, because it seems like a particularly bad one. It seems like someone decided that was the only way to solve the problem of USB-based malware like Conficker. That isn’t the case, and it can be very inconvenient.

If I connect a 1 GB drive to the system, do I really want to wait while Symantec Endpoint Protection scans the full drive? I don’t think so. Endpoint Protection can disable autorun, solving 80% of the malware problem, and real-time scanning will still scan files as they are actually used.

Like most bad ideas, this requirement comes from hardening guides and auditors. I was reading the Critical Security Controls and found the following:

Quick wins: Organizations should configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.

As I said, I think a full drive scan is completely unwarranted.   Do any other antimalware products have this capability?

WordPress 3.3.1 Released

If you haven’t logged into your WordPress today, this is news to you. Version 3.3.1 has been released to fix an XSS vulnerability.

According to ThreatPost, this is only a vulnerability if you installed WordPress by browsing to the IP address. Most installs are hosted, and you would browse to the site’s FQDN to install. These systems aren’t vulnerable.

The update also fixed 15 bugs.   So review the release notes and determine if you need to update.   Or just do it.