Archive for October 2005
November ISSA-NOVA Meeting Details
This month's meeting of the Northern Virginia chapter of ISSA is at Oracle's Reston campus on Thursday, November 18th at 6:00 pm. The guest speaker is Dr. Steven Crocker, a long-time leader in the Internet community, speaking on the upcoming rollout of the new DNS Security Protocol. As usual, the meeting is free and open to all security professionals. Doors open at 5:30 for food and networking.
That sounds pretty interesting. It's tough to get away during the semester. Right now it looks like I have a project due the next day.
Using Senderbase
If you don't use Senderbase to keep an eye on your outgoing mail volumes, you probably should. You can go to Senderbase and search by IP, hostname, or domain name to see how mail volume has averaged over the past day and the past 30 days. For example, you might notice that a system that is not supposed to be sending mail shows up with a lot of mail being sent. If you saw something like that, you would want to check into it further.
Of course Senderbase only reports on mail that it sees. A full-blown NIDS would be a better choice, but you have to make do sometimes. The blacklist lookup at Senderbase is fine, but I prefer the one over at www.dnsstuff.com.
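The check described above (a host that should not be sending mail suddenly shows volume, or an approved relay's daily volume jumps well above its 30-day average) can be done locally from your own perimeter logs rather than waiting for an external view. The following is an added example, not code from the original post or from Senderbase; the log format, the list of approved relays, and the sample records are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Hypothetical list of hosts that are supposed to relay mail for the site.
ALLOWED_MTAS = {"10.1.1.25", "10.1.1.30"}
TODAY = date(2005, 10, 27)

# Matches one constructed firewall/flow record, e.g.
#   2005-10-27T09:00:00 src=10.1.5.77 dst=198.51.100.9 dport=25 proto=tcp
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ src=(\S+) dst=\S+ dport=(\d+)")


def parse_smtp_connections(text):
    """Count outbound TCP/25 connections per source IP per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "25":
            continue  # not a mail connection (or unparseable); ignore it
        counts[m.group(2)][date.fromisoformat(m.group(1))] += 1
    return counts


def find_suspicious(counts, today, allowed, window=30, ratio=5.0, min_today=10):
    """Flag hosts that should not send mail at all, and approved relays whose
    volume today exceeds `ratio` times their average over the previous `window` days."""
    findings = []
    start = today - timedelta(days=window)
    for ip, per_day in counts.items():
        todays = per_day.get(today, 0)
        history = sum(n for d, n in per_day.items() if start <= d < today)
        avg = history / window  # days with no mail count as zero
        if ip not in allowed:
            if todays > 0:
                findings.append({"ip": ip, "reason": "not an approved mail relay",
                                 "today": todays, "avg": avg})
        elif todays >= min_today and todays > ratio * avg:
            findings.append({"ip": ip, "reason": "volume spike",
                             "today": todays, "avg": avg})
    return findings


def constructed_log(today=TODAY):
    """Constructed sample: two approved relays with steady history, one of which
    spikes today, and a workstation that starts sending mail today."""
    lines = []
    for i in range(30, 0, -1):
        d = today - timedelta(days=i)
        lines += [f"{d}T08:00:00 src=10.1.1.25 dst=203.0.113.5 dport=25 proto=tcp"] * 20
        lines += [f"{d}T08:30:00 src=10.1.1.30 dst=203.0.113.5 dport=25 proto=tcp"] * 2
    lines += [f"{today}T09:00:00 src=10.1.1.25 dst=203.0.113.5 dport=25 proto=tcp"] * 22
    lines += [f"{today}T09:10:00 src=10.1.1.30 dst=203.0.113.5 dport=25 proto=tcp"] * 30
    lines += [f"{today}T09:20:00 src=10.1.5.77 dst=198.51.100.9 dport=25 proto=tcp"] * 40
    lines += [f"{today}T09:21:00 src=10.1.5.77 dst=198.51.100.9 dport=80 proto=tcp"]  # web, ignored
    return "\n".join(lines)


if __name__ == "__main__":
    counts = parse_smtp_connections(constructed_log())
    for f in find_suspicious(counts, TODAY, ALLOWED_MTAS):
        print(f"{f['ip']}: {f['reason']} (today={f['today']}, 30-day avg={f['avg']:.1f})")
```

On the constructed data this reports the workstation 10.1.5.77 (40 connections today, no history) and the relay 10.1.1.30 (30 today against an average of 2), while 10.1.1.25 at 22 versus an average of 20 stays quiet. The `min_today` floor keeps a relay that went from one message to six from being reported as a spike.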
Rights Management Services
Microsoft seems to be pushing the Rights Management Services (RMS) lately. They pushed it at a meeting I was at between my management and Microsoft. Reports from the MVP conference make it sound like it was pushed there as well.
RMS is a service on Windows 2003. With Office 2003 you can use RMS to restrict what people can do with your documents. In one way it's better than encryption because it isn't an all-or-nothing proposition. Yet Microsoft is careful to make no claims about the security of RMS, despite its use of AES encryption.
For us it sounds like an internal-only solution. External users would need to have a .net account and web access to our RMS server. Telling people to get a Hotmail account so they can read our documents really is a nutty idea. Of course, if the partner company also had an RMS server we could federate the two. But then we have a really tight inbound firewall policy that probably wouldn't allow that.
While it would be nice to have the ability to set a "do not forward" in an Outlook message that is actually meaningful, I'm not sure it's really worth it. I'll be looking at RMS more over the next few months as time allows.
IM Virus part 2
Symantec responded to my virus submission, reporting that they are calling it spybot.worm, and the virus defs are in the latest rapid release defs. The response took long enough that I think it wasn't an autoreply. If it's the autoreply, I know it's not something new. I tried the rapid release defs on my own computer and then set xdbdown to download rapid release defs.
I also downloaded the file (img0099.com) and ran it on a VMware machine. Of course good viruses know when they are in a virtual environment and don't do everything. I also didn't set up a fake network connection, so I don't know what network downloads it may have tried. I'm tempted to try that, but I don't want to hose my real computer.
It did a lot of registry lookups. The main thing is that it creates c:\winnt\system32\express.exe and starts it from the HKCU Run key and the HKLM Run and RunServices keys. That file is also detected by the rapid release defs. The file is set as hidden and system, so you may need to drop to a command prompt and run attrib -h -s express.exe (in the system32 directory) before you can delete it.
The rapid release virus definitions I am using from Symantec are 10/26/2005 rev25.
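The persistence points named above (the HKCU and HKLM Run keys and HKLM RunServices) are exactly the entries worth comparing against a known-clean baseline during cleanup. The following is an added example, not code from the post or from Symantec: it parses a `.reg` export of those keys and reports any value name the baseline does not list. The baseline contents and the sample export are constructed for the example; the express.exe path is the one the post reports.

```python
import re

# Registry locations the post names as the worm's persistence points (the
# registry compares key and value names case-insensitively, so everything is lowercased).
AUTOSTART_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

# Hypothetical baseline taken from a known-clean machine: key -> value names
# expected there. Anything else under an autostart key is reported.
BASELINE = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run": {"ctfmon.exe"},
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": {"synchronization manager"},
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices": set(),
}

# Constructed sample of what `reg export` of these keys might look like on the
# infected machine; only the express.exe path comes from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"express"="C:\\winnt\\system32\\express.exe"

[HKEY_CURRENT_USER\Software\Constructed\Settings]
"Theme"="blue"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"express"="C:\\winnt\\system32\\express.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"express"="C:\\winnt\\system32\\express.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with .reg escaping: a backslash escapes the following character.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg string escaping: each backslash-escaped character stands for itself.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, value_data) for every string value in a .reg export.
    Only REG_SZ lines (the form Run entries take) are handled; hex/dword lines are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def unknown_autostarts(text, baseline):
    """Return autostart entries absent from the baseline, as (key, name, data) tuples."""
    return [(key, name, data)
            for key, name, data in parse_reg_export(text)
            if key in AUTOSTART_KEYS and name.lower() not in baseline.get(key, set())]


if __name__ == "__main__":
    for key, name, data in unknown_autostarts(SAMPLE_REG, BASELINE):
        print(f"{key}\n    {name} = {data}")
```

On the sample this reports the three `express` entries and nothing else; the `Theme` value is ignored because its key is not an autostart location. File attributes are not recorded in the registry, so the hidden/system flag on the dropped file still has to be cleared with the attrib step the post describes.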
IM virus
I had some users passing around an IM virus today. I’m still trying to get a handle on what virus it was to make cleaning it easier.
The users sent "YAY!! http;//home.earthlink.net/~lzingelmann/IMG0099.com" to each other. I downloaded img0099.com and submitted it to Symantec (haven't heard back yet) as well as VirusTotal. VirusTotal showed a few heuristic detections and one detection as a Kelvir variant.
I see over at Harry's blog that there is a new IM virus out today called virkel. That's really not good. It does more than attempt to spread: it tries to download other updates and act as a bot. I tried to be the nice guy and let the user take the laptop home with them instead of taking it from them (with the caution that they not log into AIM). What a bad choice that was.
I'm still waiting on a useful IM security writeup. I may have to run this in a VM environment just to see what it does if the antivirus industry doesn't get off their collective butts.
The funny part about this is some of the people who got infected were part of my Facetime evaluation. The version of Facetime that I am running did nothing to help this other than create a log trail for later cleanup.
IE Blog lists HTTPS Improvements in IE7 beta 2
Get the shovel. It looks like SSL 2 is done. On the heels of Firefox's announcement a few months ago that they were removing support for SSL 2, it will now be disabled by default in IE 7 beta 2. SSL 2.0 has many inherent weaknesses, such as allowing a man-in-the-middle (MITM) to downgrade your connection to a more breakable cipher.
Another change is the default behavior when dealing with bad certificates. In the past you've all seen the dialog box everyone says yes to. This will now take you to a redirect page that explains the problem in more detail. Should you choose to continue, the address bar turns red to highlight that you are doing something unsafe. I suppose this is a good compromise. A lot of vendors use self-signed certificates that will trip this, since I never access the site using the URL they expect (for example, I use the FQDN while they put only the host name in the certificate).
Also, the warning about a mix of https and http content on a page will change so that you are now prompted via the Information Bar.
More information is at the IEBlog site.
Kerio drops desktop firewall
I saw over at news.com that Kerio is dropping their personal firewall product because they are unable to compete with the bundled offerings of their competitors. McAfee, Symantec, and Zone Labs all bundle their personal firewall with other products, making them more enticing. Doesn't Microsoft get fined and sued for activity like this? I think Kerio has overlooked a new profit center for their company: suing the people who put out better products. Hey, it's worked for Sun and Real.
Cisco NAC extended to switches by November
http://news.com.com/Cisco+extends+NAC+security+to+switches/2100-7355_3-5898169.html?part=rss&tag=5898169&subj=news
I have an assignment in
I have an assignment in school to model a mutual authentication protocol using CSP. So, to get some boilerplate about CSP for my intro, I went over to Wikipedia and searched for CSP. My result:
CSP is an abbreviation that can be interpreted as one of the following:
Communicating Sequential Processes
Certified Safety Professional
Compulsive skin picking or chronic skin picking
Chicken Slayer Productions
Concentrating Solar Power (Technology)
Um, I think I want the first one. lol

