I recertified my GIAC certification in Securing Windows this week. According to the certification description, GIAC Certified Windows System Administrators (GCWNs) have the knowledge, skills and abilities to secure and audit Windows systems, including add-on services such as Internet Information Server and Certificate Services.
Archive for August 2004
Somewhere Steve Gibson is smiling
Nmap, the widely used scanning tool, does not work under XP SP2. Of course there are those that will say that Nmap has never worked under Windows, that it's a bastardized port of a good UNIX tool. They may be right, but it was a good scanner.
On a Microsoft XP SP beta newsgroup the following was posted:
“We have removed support for TCP sends over RAW sockets in SP2.
We surveyed applications and found the only apps using this on XP were
people writing attack tools. ”
Fyodor has posted that since he has a port for Windows 95 he can do it without raw sockets, but he's working on other things right now.
Gibson’s press campaign to gain notoriety, um I mean warn people about the HORROR of Raw Sockets in XP has finally borne fruit, and support for TCP raw sockets has been removed by Microsoft. In June 2001 Gibson warned that complete Internet meltdown was imminent if Windows XP were allowed to exist with raw sockets. Gibson is right, zombie attacks are dangerous. But I don't mean 0wn3d Windows XP boxes, I mean an army of zombie followers who uncritically click on a “tell Microsoft to remove raw sockets” link.
So we can all breathe a huge sigh of relief. The scourge of TCP raw sockets has been lifted. Of course Gibson must have publicity, so I guess he'd say that step was worthless without removing UDP raw socket support as well.
Whether or not the raw socket “problem” is solved really isn't the point. Raw sockets never were a problem if ISPs performed proper egress filtering. Removal of raw socket support from one operating system is insignificant when other operating systems support it.
I liked this post over at MSDN (a user, not an employee):
You’re damned if you do and damned if you don’t. That’s what you get for being successful.
Notably, however, support for sends over raw sockets has been removed in SP2. There is absolutely nothing to stop a third party library such as WinPCap being installed to regain this ability, except running as a non-admin.
Steve Gibson is happy. However, has anything really been gained? No. Which only goes to indicate that MSFT were better off ignoring his advice in the first place.
The Paris Hilton DoS
I was going through the outbound viruses last night. Most were false positives on ESPN or CNN web pages that were pasted into an email message (the scanner didn't like the JavaScript). But one was called Exploit/BigEmail. That sounded kind of interesting. First I did a search to look for AV vendors with a virus named that. It sounded to me like the vendor was stopping large messages to avoid denial of service attacks.
Extending Group Policy
Group Policy is the Swiss Army knife of the Windows Security Administrator. But what about when you want to change a registry setting and it isn’t a preconfigured option in Group Policy? That was my task over the past few weeks.
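The usual answer to that question is a custom Administrative Template (.adm file), which teaches the Group Policy editor about a registry value it does not already know. The template below is an added example and not the author's own file or setting; it uses the real Explorer value NoDriveTypeAutoRun (a bitmask of drive types on which Autorun is suppressed) as its illustration, and the file name custom.adm and the string names are assumptions. The stock "Turn off Autoplay" policy writes the same value with a fixed pair of choices; a custom template lets you choose the mask yourself.

```text
; custom.adm -- added example of a custom Administrative Template (not from the post).
; Load it with Administrative Templates -> Add/Remove Templates in gpedit.msc or the
; Group Policy Object Editor. Lines starting with ";" are comments.

CLASS MACHINE

CATEGORY !!CustomSecurity
  POLICY !!NoDriveTypeAutoRunPolicy
    #if version >= 4
      SUPPORTED !!Supported_XP
    #endif
    EXPLAIN !!NoDriveTypeAutoRunPolicy_Help
    ; This key is under the approved policy hive, so the editor shows it by default.
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    PART !!NoDriveTypeAutoRunPart DROPDOWNLIST REQUIRED
      VALUENAME "NoDriveTypeAutoRun"
      ITEMLIST
        NAME !!AllDrives       VALUE NUMERIC 255 DEFAULT
        NAME !!RemovableAndCD  VALUE NUMERIC 181
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY

[strings]
CustomSecurity="Custom Security Settings (added example)"
NoDriveTypeAutoRunPolicy="Suppress Autorun by drive type"
NoDriveTypeAutoRunPolicy_Help="Writes NoDriveTypeAutoRun under the Explorer policy key. 255 (0xFF) suppresses Autorun on every drive type; 181 (0xB5) adds removable and CD-ROM drives to the Windows XP default of 145 (0x91). Setting the policy to Disabled removes the value so the system default applies again."
Supported_XP="At least Windows XP Professional"
NoDriveTypeAutoRunPart="Drive types on which Autorun is suppressed:"
AllDrives="All drive types (0xFF)"
RemovableAndCD="Removable drives and CD-ROM in addition to the default (0xB5)"
```

Two things to check before rolling a template like this out. First, keep KEYNAME under one of the approved policy keys (Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies, in either hive); a value written anywhere else is treated as a preference, is hidden by the editor's "Show Policies Only" filter, and is not removed when the GPO stops applying, so it tattoos the registry. Second, the application that reads the value has to honour the policy location; NoDriveTypeAutoRun under the Explorer policy key does, which is why it was chosen here.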
AOL Instant Mayhem
iDefense announced today a vulnerability in AOL Instant Messenger. It seems there is a buffer overflow in the Away Message feature which at best will cause a denial of service condition and at worst will allow an attacker to run code of their choice.
Since AIM hooks the browser, allowing the user to use aim:// commands like http:// commands, this is exploitable by links you might follow and by remote websites.
When an IT department loses control of its computers, often the first sign is personal-use IM clients showing up. Many companies don't have the fortitude to fight that battle. Now as a result there is the potential for a network worm exploiting this vulnerability.
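The browser hook the post describes is an ordinary URL protocol handler: a key under HKEY_CLASSES_ROOT named after the scheme, carrying a "URL Protocol" marker value and a shell\open\command subkey with the program that receives the whole URL. The script below is an added inventory check, not something from the post or from AOL; it lists every scheme registered this way on the machine it runs on so an administrator can see which third-party clients a web page can reach by a link. The function name Get-UrlProtocolHandler is an assumption.

```powershell
# Added example: enumerate URL protocol handlers registered on this machine.
# Not from the original post. Requires PowerShell on Windows; read-only.
function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param()

    # HKCR merges HKLM\Software\Classes and HKCU\Software\Classes, so per-user
    # registrations (which a non-admin can create) are included in the listing.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'URL Protocol' } |
        ForEach-Object {
            $scheme  = $_.PSChildName
            $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$scheme\shell\open\command"
            $command = $null
            if (Test-Path -LiteralPath $cmdKey) {
                # The default value holds the command line; "%1" is replaced
                # with the full URL, which is what the handler then has to parse.
                $command = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
            }
            [pscustomobject]@{
                Scheme  = $scheme
                Command = $command
            }
        }
}

# Typical use: list everything, then review any scheme that is not one of the
# expected built-ins (http, https, ftp, mailto, file) and decide whether the
# client behind it should be reachable from a web page at all.
Get-UrlProtocolHandler | Sort-Object Scheme | Format-Table -AutoSize
```

Removing the scheme key, or the shell\open\command subkey under it, stops the browser from launching that client for links of that scheme; the client usually recreates the registration on its next start, so the lasting fix is removing the unapproved client rather than just its handler.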
Everything Old is New Again?
Over at Slashdot, they have an article on a new form of wireless hijacking.
They've written an applet to sniff wireless traffic and replace specified responses with their own content. So when you pull down a website it is replaced by something else.
In theory it's similar to a man-in-the-middle attack, but it's more interesting because it is grabbed out of the air.
Their writeup is here. I’d highly suggest not following the links to images or videos on that site.
CSI/FBI Computer Crime Survey Results
The 2004 CSI/FBI Computer Crime Survey results are available. You can download them at www.gocsi.com or bypass the registration here.
You can find papers on the misuse of computer security statistics over at attrition.org. I recommend Julie Ryan's article.
Too often people cite material that backs up their beliefs, ignore the rest and that passes for corporate scholarship. For example, people know that Mi2g’s virus damage estimates are a bunch of crap, but they cite them anyway because it can get them more money come budget time.
Just remember, 83% of all statistics are made up.
Spybot Search and Destroy
Spybot Search and Destroy has gained legitimate accolades as an anti-spyware tool. Some people have tried to take advantage of that by pretending to be Spybot but offering a different product and charging for it (Spybot S&D is free).
Make sure that your friends and family are getting the real deal from Patrick Kolla at http://security.kolla.de/ or www.safer-networking.org (same site). The software is also available from tucows and download.com. Don't fall for fakes.
FCC rules on text message spam
The FCC has issued a ruling on text message spam. It requires that cell phone and pager service providers provide the FCC with a list of domains used exclusively for text messaging. The FCC will ban spam to these domains. However, with written or oral permission a company will be allowed to send these messages.
One thing that is odd is that this does not include SMS messages, those text messages sent directly to the phone rather than via an email address. The FCC says that autodialers are already banned for this purpose, thus new rules are not necessary.
Another thing that is a bit funny is that it's the opposite of CAN-SPAM. In the CAN-SPAM act the default is to allow spam until you opt out. In this ruling, the default for mobile spam is to not permit spam until you opt in. Of course in the United States there is often a charge per message (or at least a charge per message over a base amount) for text and SMS messages. This is a much more tangible cost to the consumer for spam than occurs with telemarketing or email spam.
I do kind of wish that the FCC had looked at Bluejacking as well. It will not be long before you are walking down the street and your phone gets a message with an offer of 25 cents off at the Starbucks you just walked past. That sort of thing needs to be stopped before it gets started.