Archive for July 2004

July 2004 Microsoft Security Bulletins

Business Newsletters not big spam source

Arial Software performed an audit of the email subscription practices of over 1000 companies. http://www.arialsoftware.com/whitepapers/SpamAudit2004.pdf
What they found in their study is that signing up for a newsletter from a reputable business doesn’t get you onto any spammer lists. However, even big name companies have problems in unsubscribe requests and don’t follow what Arial feels is a best practice of double opt-in. (They dont describe double opt-in that I saw, but I assume that is where you subscribe via webform and are sent a url via email that you must click on. Then they send you another confirmation that you are really in.)

XP SP2 RTM Delayed

News.com is reporting that the long anticipated service pack 2 for Windows XP will be released to the manufacturers in August.
The service pack contains new security features that system administrators await with a mix of hope and dread. Hope that systems will be more secure by default and less likely to contribute as virus spreaders. Dread because of the fears that legacy products won't work well with the changes.

Why I stopped worrying and learned to love autoupdates

Remember when we were able to take the time to try out virus definition updates before deploying them to the company? That sure helped avoid unpleasant interactions with company software. At the very least we’d wait a bit and let some other poor sap experience the mayhem at HIS company that comes with a bad virus update.
Over time, that began to be an indefensible position. Too often the enemy would be at the gate before we'd even receive a virus update. The second the definition was available it had to be deployed just to stop the damage. It's funny how best practice shifts over time. Yesterday virus defs were considered carefully before deployment and today we're begging for anything, even beta defs.
Besides the need to get the new defs out to meet an immediate threat, we also found that the virus def quality had greatly improved and some fears were no longer applicable.
The same thing is occurring now with patching (operating system and programs). I won't bore you by rehashing the mean time to exploit. We all know the time between release of a patch and a public exploit is shrinking. Even today we all sit and wait for Tuesday and the 7 patches that are coming. Hopefully this will help with the Internet Explorer mayhem. How long is it prudent to wait before deploying the patch when people are actively having their browser exploited? Auto-updating is here for patches as well. Let's hope that in time we can apply these OS and software patches with the same level of assurance we apply the anti-virus patches (virus definition updates).

Developing an Employee Usage Policy Part 2

My professor posted the following guidelines for creating/evaluating an employee use policy.
Email and Internet Usage Policy
Implementation of sound, well-written policies helps manage risk by defining acceptable and unacceptable forms of behavior and educating employees as to the organization’s expectations concerning their behavior. Organizations can and should expect their employees to act ethically and the organization, as well as its employees, should expect to be accountable to society for their actions. On the positive side, good policies
encourage ethical behavior, and discourage criminal behavior,
encourage polite and civil communication,
encourage individual integrity and honesty,
encourage respect for others and their property,
protect the organization’s information infrastructure from danger, and
the risk of lawsuits.
Good policies also
discourage copyright infringement, software piracy, and plagiarism,
discourage slander, libel, defamation, and mendacity, and
discourage profanity, obscenity, pornography, and waste.
(See Kinnaman, D., Critiquing acceptable use policies. http://www.io.com/~kinnaman/aupessay.html)


Did They Read It? Part 2

Back on May 23rd, I wrote a short article on the controversy surrounding “Did They Read It”, a program that adds a webbug to your email so you know that it was read, and how many times it was read.
At the time I predicted that Congress would soon have a law forbidding webbugs. Well, it's not Congress, but according to this article at BroadbandReports.com the French have announced that under French law it is already illegal for a French citizen to use didtheyreadit.com.
I'd go see if DidTheyReadIt.com has a response, but Websense doesn't let me access that website. Websense has them in the spyware category.
I can't help but feel that people who get this sense of violation when they read about didtheyreadit are unaware of webbugs and how they are likely used in all the html newsletters and promotional material that you already get. This just makes the technology available to the average user.
If you want to remain in control of your email, you need to make sure you're reading in a "text only" mode. Or run a personal firewall that will disallow or prompt outbound http attempts from your mail client. I imagine that Outlook 2003's default of not loading images on mail from external people would help also.

Greylisting

My personal ISP has started using Greylisting as a method to combat spam.
What is Greylisting?
Greylisting says that until proven otherwise we're not going to trust an inbound mail connection. It takes the envelope from, the envelope to and the source IP address and forms a tuple. If it has previously let that combination through, then it will whitelist it in. But for most mail it will give a temporary failure message. Real mail servers will try again at a preset time. Spammers won't. Even if spammers catch on to this game and reattempt delivery, the mail server can be set to not accept the new attempt for delivery for a default time period (20 minutes). This really throws a monkey wrench into the amount of mail the spammer can send. If the spammer is using a mail sender that will retry, perhaps by that point in time he would be blacklisted due to input from other antispam sources.
Thus far I am very happy about this on my “vanity” domain name. Not sure if it would be good for business use. Some mail servers do not correctly retry after a transient error. (In my opinion non-RFC compliant mail servers should fix their stuff). Also in business use where a retry interval might be 4 hours minimum, it could really slow delivery. The auto-generating whitelist and manually generated whitelists for business partners would really help that. It remembers which tuple combinations “reattempted” delivery and adds them to a temporary whitelist. The greylisting server I use also adds people I sent mail TO to my whitelist.
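To make the mechanism concrete, here is a small greylisting decision routine written for this post (constructed illustration, not the ISP's software). It forms the (envelope-from, envelope-to, client IP) tuple, returns a temporary failure on first contact and on retries inside the 20-minute window, auto-whitelists tuples that retry correctly, and honours a manual partner whitelist plus the "people I sent mail TO" rule. Timestamps are passed in explicitly so the behaviour is deterministic.

```python
from dataclasses import dataclass, field

DELAY_SECONDS = 20 * 60  # minimum wait before a retry is accepted (the post's default)

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylister:
    """Greylisting state for one receiving mail server (constructed example)."""
    delay: int = DELAY_SECONDS
    first_seen: dict = field(default_factory=dict)     # tuple -> time of first attempt
    whitelist: set = field(default_factory=set)         # tuples that retried correctly
    trusted_senders: set = field(default_factory=set)   # manual partner list + people we mailed

    def note_outbound(self, recipient: str) -> None:
        """Auto-whitelist addresses we sent mail TO, as the post's server does."""
        self.trusted_senders.add(recipient.lower())

    def add_partner(self, sender: str) -> None:
        """Manually whitelist a business partner's sending address."""
        self.trusted_senders.add(sender.lower())

    def check(self, mail_from: str, rcpt_to: str, client_ip: str, now: float) -> str:
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        key = (mail_from.lower(), rcpt_to.lower(), client_ip)
        if mail_from.lower() in self.trusted_senders or key in self.whitelist:
            return ACCEPT
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now        # first contact: defer and remember the tuple
            return TEMP_FAIL
        if now - seen < self.delay:
            return TEMP_FAIL                  # retried too early: still deferred
        self.whitelist.add(key)               # a real MTA waited it out: let it through
        del self.first_seen[key]
        return ACCEPT
```

Note that a retry from a different source IP is a new tuple and is deferred again, which is exactly why senders that rotate through many hosts (or never retry at all) get stuck.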
I can see problems caused by things like SPF and ways around it. Greylisting has some interesting potential.
Check out the following links for more info. I certainly can't say everything about greylisting in a brief blog entry. I'm just trying to introduce a cool concept.
www.greylisting.org
http://projects.puremagic.com/greylisting/

George Gardiner – News Flash

George Gardiner weighs in with a news flash. Not all blacklists are equal. I think the rest of us figured that out a few years ago. But George is a lawyer, so we'll give him a few years to catch up. He's still blustering about his right to be heard being hurt by these blacklisters. How there should be clear steps to exonerate his IP address. Apparently he can't deal with each IP address only having one strike.
The point he doesn’t address in this article is why he is sending mail directly from his IP address. As I wrote earlier this week. I think that is a terrible idea. If his mail is so professional and so important, perhaps he should be sending it to a mailserver that can be trusted to attempt delivery.
Many people just flat out don't want mail from dynamic IP blocks. Stopping that mail slows down the spammers quite a bit. Many ISPs are already on board with this concept. They no longer allow their customers to send mail out directly. These ISPs include Cox, Bellsouth, Earthlink, Mindspring, Verizon, Mediaone, and MSN.
I wonder who the intended audience is over at vnunet if this sort of article is actually informative. “Black-lists can backfire.” Thanks for the newsflash.
Right next to this article is a job posting for a Sysadmin with a Security Specialty in the Cayman Islands. Pay is $47k-58k. Unfortunately applications were due by June 23rd. I thought that was kind of funny. Out of date advice regarding blacklists and out of date job posting information. All available at vnunet.com.

ActiveX Security Change Released by Microsoft

Microsoft today released a configuration change that addresses the recent malicious attack against IE known as Download.Ject.
This configuration change disables an ActiveX control known as adodb.stream. Disallowing this functionality prevents an attacker from placing malicious code on a PC hard drive and will prevent the Download.Ject attack. It can be downloaded from www.microsoft.com/downloads/details.aspx?FamilyId=4D056748-C538-46F6-B7C8-2FBFD0D237E3&displaylang=en
In addition, KB article 870669, provides information to implement this change manually: http://support.microsoft.com/default.aspx?kbid=870669.
This change has the potential to affect legitimate apps that use ADODB.Stream functionality. The KB article does show how to roll back the change if you find that it affects your corporate applications.
For more information on the Download.Ject attack: http://www.microsoft.com/downloadject.

Comcast’s smtp disconnects ineffective

Back on May 24th I wrote about Comcast's plan to combat spam originating on its network. Comcast reported that they planned to terminate the ability of some users to send mail out via port 25. Unlike Cox Communications, who turned off port 25 for all customers, forcing them to use Cox's SMTP server, Comcast only did this to users who appeared to be being used to send high amounts of spam.
News.com reports that spam from Comcast has dropped 35 percent since that time.
The news.com article played it evenly, but I felt that Comcast was trying to trumpet this as a great victory. To my way of thinking that it only dropped 35% shows that targeted disconnects are effective or aren’t being done aggressively enough. Comcast should just do what the other major providers have done already. Cut off port 25 to all. That will stop 100% of the Comcast spam, not just 35% of it. If they want to be nice, they can then turn 25 back on for the people who really need it.
As a disclaimer, my ability to send mail outbound not using Cox's server has been cut off by Cox. At the time, I didn't like it. But now, I think it's just good internet citizenship. Too many trojaned home systems are spewing forth spam. It's got to stop.