Archive for April 2006

Symantec Tries Its Hand at SMTP Zero-Day Protection

Protection against the zero-day attack has become a buzzword in anti-malware software marketing. It's an important thing to have. You can't run a business while waiting multiple days for virus definitions to be released covering the latest attack.

Symantec Mail Security for SMTP 5.0 is a new email gateway solution that attempts to provide such protection. It combines Brightmail antispam technology with Symantec antivirus and content filtering.
http://www.securitypipeline.com/185303122?CID=rssfeed_pl_scp

One key new feature is zero-day protection against threats, which uses information on emerging exploits gathered from Symantec’s network of more than 3 million e-mail addresses. When a suspicious e-mail arrives at the server, this feature can be configured to automatically strip off and quarantine the attachment until a virus definition is released, or simply delete the message, said Caccia.
Many vendors are attempting to enable zero-day threat protection by adding multiple virus engines in order to maximize detection, but that doesn't offer the same level of protection as Symantec's new offering, said Tom MacArthur, principal of Storbase, a solution provider in Waltham, Mass.
“Although you get some incremental benefit from the [former] approach, it is always better if you can catch viruses early on,” MacArthur said.

Hopefully there will be a bake-off between this product and those that use multiple engines. It will be interesting to hear more about this approach. I wonder if it is using technology similar to the Real Time Threat Protection Service they just bought when they purchased IMlogic.

Neither approach is going to get 100% of the viruses. They are each vulnerable to targeted attacks. Message Labs, on the other hand, uses a heuristic scanner (Skeptic) in addition to three scan engines. Even targeted attacks will have a difficult time penetrating this defense.

Did you know…

Did you know that Microsoft Update and Windows Update are not the same thing?
I knew that Microsoft was providing Office updates outside of going to officeupdate.microsoft.com, but I didn't know why I wasn't seeing those updates at windowsupdate.microsoft.com. I typically select Tools > Windows Update from within Internet Explorer. Turns out there is an update.microsoft.com, which must be where I had gotten updates for Microsoft products, not just Windows. A tip of the keyboard to F-Secure and Sunbelt for writing about that this week, and thus reminding me.

Terminal Services Mis-configured

I'm not sure if I've posted about this or not. During March and into April we had a pen-testing project at school. At the beginning of the semester we had a project to configure our server (Windows 2003 or Red Hat Enterprise AS 4). Next we had to perform reconnaissance on our classmates and a collection of cannon-fodder servers set up by the instructor. This led into the pen-testing assignment.
Going into the assignment, my main concern was not getting hacked and not embarrassing myself. It actually turned out better than that. I didn't get hacked, and I was able to hack more servers than anyone else in the class.
What differentiated my results from those of my classmates was a series of application attacks. The foundation for these attacks was laid when Terminal Services was installed. You see, Terminal Services asks at install whether you want high security or application compatibility. If you select application compatibility, then any terminal server user has modify rights to c:\program files\* and some important registry keys. The administrators of those servers should have looked at the terminal server settings and changed it to high security, or looked at the file ACLs and removed the unnecessary permissions.
Although my "guest" account only had user rights, because I was a terminal server user I was able to modify some key files. Luall.exe is Symantec LiveUpdate. When a scheduled LiveUpdate runs, it runs with SYSTEM permissions. By replacing luall.exe with my own version of the file, I was able to escalate my rights and own multiple servers.
This is another case of application compatibility mode causing security trouble. Of course this is not the preferred configuration for Terminal Services, so hopefully this isn't an exposure that you have on your own servers. If you have Terminal Services, even just in remote administration mode, make sure that you check your security level. Otherwise a Terminal Server User is just an admin who hasn't promoted himself yet.
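Here is the check I would run on a terminal server to find that exposure before an attacker does. It is an added example, not code from the original post or from Microsoft or Symantec: it reads the Terminal Services permission-compatibility setting and then walks Program Files looking for executables that low-privilege identities (including the Terminal Server User group) can overwrite, which is exactly the condition the luall.exe replacement relied on. The registry value name and location (TSUserEnabled, 1 = relaxed, 0 = full security) are my assumption about how Terminal Services Configuration stores the setting; verify it on your own build. The list of "low privilege" identities and the choice of extensions are also mine. Requires PowerShell 3.0 or later and an elevated session.

```powershell
# Added example: audit a Windows terminal server for the "application compatibility"
# (relaxed permission) exposure. Not from the original post.
# ASSUMPTION: Terminal Services Configuration stores "Permission Compatibility" as
# the DWORD TSUserEnabled under the key below (1 = Relaxed Security, 0 = Full Security).

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tsUserEnabled = (Get-ItemProperty -Path $tsKey -Name TSUserEnabled -ErrorAction SilentlyContinue).TSUserEnabled
if ($tsUserEnabled -eq 1) {
    Write-Warning "Permission Compatibility is 'Relaxed Security' (TSUserEnabled=1). Terminal server users get write access under Program Files."
} else {
    Write-Host "Permission Compatibility reads as 'Full Security' (TSUserEnabled=$tsUserEnabled)."
}

# Identities that should never hold write rights on executables under Program Files.
# (My list; extend it with any local groups your terminal server users belong to.)
$lowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE',
    'NT AUTHORITY\Terminal Server User'   # S-1-5-13, the group added in relaxed mode
)

# Any of these rights lets a user replace the file. The two raw bits are
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which Get-Acl sometimes
# reports numerically instead of as named FileSystemRights values.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
             0x40000000 -bor 0x10000000

function Find-LowPrivWritableExecutables {
    param(
        [string]$Root = 'C:\Program Files',
        [string[]]$Extensions = @('.exe', '.dll', '.bat', '.cmd', '.vbs')
    )
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file = $_
            try { $acl = Get-Acl -Path $file.FullName -ErrorAction Stop } catch { return }
            foreach ($rule in $acl.Access) {
                if ($rule.AccessControlType -ne 'Allow') { continue }
                if ($lowPrivIdentities -notcontains $rule.IdentityReference.Value) { continue }
                if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
                # One finding per (file, identity) pair that can overwrite the binary.
                [pscustomobject]@{
                    Path      = $file.FullName
                    Identity  = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
}

# Scan both Program Files roots; on a 32-bit 2003 box the second simply does not exist.
$findings = @('C:\Program Files', 'C:\Program Files (x86)') |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Find-LowPrivWritableExecutables -Root $_ }

if ($findings) {
    Write-Warning ("{0} executable(s) are writable by low-privilege identities:" -f @($findings).Count)
    $findings | Sort-Object Path | Format-Table -AutoSize
} else {
    Write-Host "No executables under Program Files are writable by low-privilege identities."
}
```

Anything the scan reports that is launched by a scheduled task or a service running as SYSTEM (the LiveUpdate case above) is a straight privilege escalation path and should be fixed first. Switch the terminal server to Full Security, then remove the offending ACEs (with icacls or Set-Acl) rather than only flipping the registry value, because files that were already granted write access keep those ACLs until someone takes them away.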

InfosecMag Article: The Maginot Network

M. W. Meyer and Eric Sager write in the April 2006 issue of Information Security Magazine (free subscription required) about the Maginot Network. They compare our current network firewall defenses to the Maginot Line of defense built by the French. Sure, it's fortified, but you can just drive around it and attack the soft inside.
The authors advise hardening the endpoints first and using perimeter security as a secondary tactic. Instead of a self-defending network, we need self-defending clients. They argue that the primary means of protection should be HIPS, client firewalls, encryption, forensic agents and client hardening. There is also a need for communication between your devices in case of attack.

InfosecMag User Education Point Counterpoint

In the April 2006 Information Security Mag (free subscription required) Marcus Ranum and Bruce Schneier have a Faceoff on User Education. Actually they don't have much of a faceoff, since they both agree that security education has not helped.
Ranum, “Security practitioners have shouted themselves hoarse trying to educate users. But has it helped? Obviously, no: Phishing scams are still raking in money, viruses are still spreading, and countless users continue to use their cat’s name as a password for their online bank account. In fact, it looks like the situation is getting worse rather than better.”
Schneier, “I’ve met users, and they’re not fluent in security. They might be fluent in spreadsheets, eBay, or sending jokes over e-mail, but they’re not technologists, let alone security people. Of course, they’re making all sorts of security mistakes. I too have tried educating users, and I agree that it’s largely futile.”
You'd think they'd have a counterpoint from one of the security awareness companies.

Compliance Drives I.T. Spending

A recent Information Week article reports that compliance drives I.T. spending, not the threat of malware. What causes this?
Perhaps it's that criminal and civil penalties grab the attention of the head of the company more than pleas from the I.T. department.
Perhaps it's that, in order to be compliant, expensive audits are often required that set the I.T. budget on its ear.
Perhaps the new regulations require a more holistic view of the business and security that is more meaningful, whereas the threat of security intrusions (and actual security intrusions) is treated on more of a case-by-case basis. The solution for malware is seen as technology, thus it's an I.T. department problem. Compliance, on the other hand, is a full-company need, leading to more money.

Article: Trend Micro data revealed due to virus

http://www.networkworld.com/news/2006/040306-trend-micro-data-revealed.html
My favorite portion of the article: "an employee, who is no longer with Trend Micro".
A Trend Micro employee puts company reports on his home computer. He doesn't run antivirus on his home computer. But he does run a P2P program on the computer. Then the employee goes for the idiot trifecta and gets infected with a virus. The virus shares out the entire hard drive, and the Trend Micro reports including company data are shared on Japan's most popular P2P network. Good work.
Do we even need to stop and think about the lessons to be learned here, or are they so obvious it's hard to miss them...

April Security Patches from Microsoft

Microsoft has released advance notification that they will be releasing five security bulletins on April 11, 2006. The highest severity rating for these issues is Critical.
- One bulletin for Microsoft Office and Microsoft Windows. The highest severity rating for this issue is Moderate.
- Four bulletins for Microsoft Windows. The highest severity rating for these is Critical.
Further details about these issues are not currently available.

Hwaldron on public betas for MS security patches

hwaldron comments on whether or not Microsoft should have a public beta for security patches.

Symantec IMlogic 8 is out, or is it?

This week I keep seeing reports in the media that IMlogic 8 is out. Yet when I log into my IMManager download site, I don't see any new versions. Oh well, I'm pretty busy and don't know what I'm missing anyway. Actually, since I use Sybari with their product, I would need to wait for a Sybari green light that they will support the newer version.
[update] I found another article that says "slated for release before the end of the month." Not sure why the hoopla now... I have seen version 8 articles in the tech support knowledge base for a couple of weeks now, so I've known this is coming. The article goes on to mention support for Google Talk.