Archive for October 2004

AP: Users invite spyware trouble

Pretty nice article in the AP today about spyware: "Users Often Invite Spyware Trouble."

Spam Software Creator Connected to Sobig

Over the weekend a document connecting a Russian writer of spam software with the Sobig virus appeared on the Internet.
This document is further evidence of virus writers with a for-profit bent. Viruses open SMTP proxies that are then used by spammers.

WhenU Certified Spyware Safe by Aluria

I read over at the Spyware Warrior Blog that Aluria has certified WhenU as “spyware safe.” Aluria is an antispyware company with a fat contract from AOL to provide its customers with software. WhenU is best known as an adware program. AFAIK, WhenU is generally installed by users who know they are getting ad-supported software.
Adware is a pain, but if you don't like it and can choose to uninstall it, and it uninstalls cleanly, I just don't see what the problem is.
Adware and spyware are two different things.

Don’t Fallback to FUD

According to SC Magazine, FUD (Fear, Uncertainty, Doubt) is still a prime persuasive technique used by IT pros when talking to senior management.
In an unscientific survey of 150 network and security administrators, 49% admitted to pushing the IT Security Booga Booga factor rather than pushing facts.
It is much easier to talk about what might happen using worst-case scenarios than to collect facts and statistics. It's easy to be a purveyor of FUD. All you need to do is be imaginative and create an apocalyptic scenario to back up what you want to do. Then when the scenario doesn’t occur, it must be because you saved the day. The problem with this is that sooner or later people catch on.
ROI is the language of the boardroom. While it's not always possible to show the ROI of buying antivirus or SecurID without talking about the problems that will occur if it is not purchased, your prime sales pitch shouldn’t be fear.

Why I use Internet Explorer

Back in June, The Register screamed that US-CERT recommends not using Internet Explorer. Why, in the face of a never-ending cycle of patches, would someone continue to use Microsoft Internet Explorer? Here’s what I’ve been able to put together.
1. Business Use Case
Internet Explorer is the best browser for use with our intranet, which uses SharePoint, and for our future use of Microsoft Project. Alternative browsers do not have the same feature-rich experience when dealing with SharePoint and OWA. Additionally, Integrated Windows Authentication would not be available with other browsers.
2. Ease of updates
Currently, updates for Internet Explorer are performed using the SMS SUS FP. It's rather easy. Operating system patches and Internet Explorer patches can be done at one time. Third-party browsers often require an install of a new version rather than a patch.
3. Vulnerabilities in alternative browsers are increasing in occurrence and severity.
4. User Education
Switching browsers doesn’t address the true problem, the educated user.
5. Usability
Internet Explorer, as the dominant browser, works on most sites.
6. Manageability
Internet Explorer is enterprise ready. It can be configured via Group Policy. How will you centrally manage a third-party browser?
7. Support
Who supports the third-party browser? We would go from being Microsoft Premier customers to relying on newsgroups for help.

Win98 More Secure? Don't think so.

I was standing in line for lunch at the company cafeteria when someone commented to me that their Windows 98 system was more secure than their Windows 2000 system because it required less patching at Windows Update.
I’m not all that sure that the number of patches is really a reliable metric for the security of a computer. Windows 98 was not designed with security in mind. There is just so much that you can do with it security-wise. There is one patch for Windows 98. It comes on a CD labeled Windows XP. I’m not sure if Windows 98 is even supported anymore.

Trojans Send Message

I was pretty surprised to click on the title “trojans send message” and receive an article which said “Top-ranked Southern California makes a statement with a dominating 45-7 victory over fifteenth-ranked Arizona State on Saturday. by AP on 10/16/2004 10:18 PM”
What?! Took me a second to realize this article has nothing to do with internet security.

Don't Go to My PC

A couple of weeks back, I was driving over to Taco Bell listening to the Kim Komando show (crappy tech show on the radio aimed at the masses) when I heard a commercial for gotomypc.com. That reminded me that I needed to check if that was being used in my company. Gotomypc is a web-based remote access solution that allows you to access your computer remotely using them as a proxy. Your remote computer runs client software that connects to the proxy as well. And so when you log in with your password, you can connect into your desktop. This is pretty slick, but also against our security policy. The corporate VPN with SecurID or a digital certificate is the only allowed method of remote access.
When I got back to work, I installed an eval copy of gotomypc.com (you have to provide a credit card number even for the eval). I found that I was able to connect to that computer from outside the firewall. The next step was to look at who else might be using it. There are two ways to do this. One is to look at the firewall log and see who is going to poll.gotomypc.com on 80, 443, or 8200. The other is to use SMS or similar software to check for the presence of g2svc.exe.
Your company can contact gotomypc to register for free and block these types of connections, or block poll.gotomypc.com. Unfortunately, if they change the IP of that server, you’ll be vulnerable; you just won't know it. So it would be better to register with them. I suppose you could write a script that verifies the resolution of the name so you are notified when the change occurs. It's also a good idea, if anyone was using the product, to talk with them and explain why the corporate VPN solution must be used. Otherwise they may find another hole through the firewall using even less secure methods.
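The firewall-log check and the name-resolution watch described above can be combined, shown here as an added example that is not the author's script. The log line format, the baseline address and every IP below are constructed placeholders from documentation ranges; only the host name and ports come from the post.

```python
import socket

HOST = "poll.gotomypc.com"       # name from the post
WATCH_PORTS = {80, 443, 8200}    # ports from the post

def resolve(host):
    """Return the set of IPv4 addresses the name resolves to right now."""
    infos = socket.getaddrinfo(host, None, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def resolution_drift(baseline, current):
    """Compare the addresses the block rule was built from with a fresh lookup."""
    return {"added": sorted(current - baseline),
            "removed": sorted(baseline - current)}

def find_clients(log_lines, server_ips, ports=WATCH_PORTS):
    """Map internal source IP -> number of allowed connections to the polling server."""
    hits = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) != 8:
            continue  # not in the assumed format: date time action proto src dst sport dport
        _date, _time, action, proto, src, dst, _sport, dport = fields
        if (action == "ALLOW" and proto == "TCP" and dst in server_ips
                and dport.isdigit() and int(dport) in ports):
            hits[src] = hits.get(src, 0) + 1
    return hits

# Constructed sample data: replace BASELINE with the addresses your rule was built from.
BASELINE = {"203.0.113.10"}
SAMPLE_LOG = [
    "2004-10-18 09:12:01 ALLOW TCP 10.1.4.23 203.0.113.10 1432 8200",
    "2004-10-18 09:12:07 ALLOW TCP 10.1.4.23 203.0.113.10 1433 443",
    "2004-10-18 09:13:40 ALLOW TCP 10.1.7.88 198.51.100.7 2210 80",
    "2004-10-18 09:14:02 DENY TCP 10.1.9.5 203.0.113.10 3011 8200",
    "2004-10-18 09:15:30 ALLOW TCP 10.1.2.14 203.0.113.10 1501 25",
    "2004-10-18 09:16:11 ALLOW TCP 10.1.6.40 203.0.113.77 1777 8200",
]

if __name__ == "__main__":
    try:
        current = resolve(HOST)
    except socket.gaierror:
        current = set(BASELINE)  # lookup failed; fall back to the known addresses
    drift = resolution_drift(BASELINE, current)
    if drift["added"] or drift["removed"]:
        print("resolution changed, review the block rule:", drift)
    print(find_clients(SAMPLE_LOG, BASELINE | current))
```

Scanning the sample log against the stale baseline misses 10.1.6.40, which is the gap an IP change opens when the block rule is built from addresses rather than kept in step with the name.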

October Information Security Mag Articles

The October issue of Information Security Mag came this week and has some interesting articles.


  • Help – a test of 5 antivirus vendors' tech support prowess
  • Power Grid – a look at self-defending networks. Is it just marketing hype? A question not answered by the article.
  • Beware Spyware – No new ground covered, but a good article.

OneMoreTalk

Ran across a cool article over at cybercrime.gov. It originally appeared in Newsweek last year. In it, the author comments about rites of passage in growing up. Huge effort in training is put into driver's ed. There are sex ed classes. But when it comes to computer security, many parents never have “the talk” with their kids.
It's the same at work. Many employees have never been given “the talk.” They think they are too old to be lectured about online safety. So instead they play fast and loose with their privacy, giving their email address to every Tom, Dick and Harry who has a bag of seed to trade. They download all sorts of unknown games, leaving the computer infested with God knows what.
Before you have to take their computer down to the clinic for a shot, give your kids, give your employees THAT talk about safe computing.