Why you should wipe the hard drive on any computer you dispose of. Particularly if you’re trying to rip someone off on ebay.
http://www.amirtofangsazan.blogspot.com/
Archive for May 2006
Life’s Lessons: Wipe your hard drive before disposing of it
Symantec Patches Remote Exploit in SAV part 4
I don't see it reflected on their public bulletin yet (give it some time), but the ftp site now has updates for 10.0.2.2000 and 10.0.2.2001 that patch them up to 10.0.2.2002.
ftp://ftp.symantec.com/public/english_us_canada/products/symantec_antivirus/symantec_antivirus_corp/10.0/updates/
These patches keep trickling out. If you are running an earlier build of SAV 10 than is currently patched, keep waiting; I'd expect it out in the next couple of days.
ISC is reporting that the exploitation occurs through the management port that is opened on managed SAV clients. I haven't seen a source for that. If your personal firewall policy is really granular, for example allowing only the parent server to talk to that port and no one else, then you may be in good shape.
If Marc had simply informed the manufacturer of the problem, and told no one else, we’d be in about the same shape as we are now. Their version of responsible disclosure does little to allow people using this product to protect themselves other than hope for fast patching. That isn’t always feasible in an enterprise environment. I suspect most people are working on patching flash and quicktime still, that is if they bother to patch applications at all.
Symantec Patches Remote Exploit in SAV part 3
SANS ISC is reporting that
Some have reported that the patching process is not trivial, and can be difficult to roll out in some environments.
What exactly does this mean? In the not so distant past, patching Symantec has meant testing and rolling out an entirely new version of the product. If you know anything about mst files, this is much simpler. I guess some people are expecting this to be deployable through LiveUpdate. Not sure where they'd pick up that expectation. Deployment of this patch will require a reboot, but if you used an enterprise-ready method of deploying SAV in the first place, deploying a patch isn't that difficult. The biggest problem I expect is the user revolt that requiring another reboot will cause.
Symantec patches remote exploit in SAV part2
Here's the breakdown for those like me who know version numbers better than this MR/MP/PP versioning system.
For SAV Corporate Edition the following versions have patches available.
Unpatched -> patched
10.0.2.2010 -> 10.0.2.2011
10.0.2.2020 -> 10.0.2.2021
10.1.0.394 -> 10.1.0.396
10.1.0.400 -> 10.1.0.401
Surprisingly, Symantec has not patched the initial release of SAV, 10.0.2.2000. I don't know if a patch is coming for them or not. Apparently 10.0.2.2001 users need to upgrade to 10.0.2.2010 or 10.0.2.2020 first. Basically it's applying one mst file for the initial update and then another mst file for the point patch (they can be combined in one command such as msiexec /p "patch1;patch2"). I guess that is easier than doing a full upgrade to 10.1, although that would at least get some new features.
Additional patches for localized and platform-specific builds (does that mean 64-bit?) have an ETA of Tuesday. I find that approach interesting because Microsoft chooses not to favor its English-speaking customers, preferring to patch all systems at the same time.
Myitforum.com mailing list migration
If you take part in the mailing lists over at myitforum, you need to resubscribe. They've moved to a new server and are not migrating subscriptions. If you're not subscribed, you're missing some great discussion.
http://myitforum.com/cs2/blogs/myitforum/archive/2006/05/27/20658.aspx
Oracle CSO Opens Mouth, Inserts Foot
As reported by news.com, Oracle CSO Mary Ann Davidson got near a microphone and began pontificating on the state of security.
First she blamed the "culture of patching", saying that software people need to think in terms of safety, security and reliability instead. The commenters at news.com reacted the same way I did. Perhaps she needs to start in her own house first. Critical Oracle vulnerabilities seem to be routine, yet the communication about the contents of the patches is spotty.
Next she pulled out the security analogy comparing bridge building with software security. I've written before specifically about the bridge analogy here and again just last week here.
Next Davidson gives away her political affiliation by advocating government regulation. 'Cause it's worked so well in other areas. Sigh. Innovation dies with regulation. Costs skyrocket. Look at what HIPAA, SOX, GLB, and FISMA have done. Better security through paperwork.
Symantec Patches remote exploit in SAV
Symantec has released patches for Symantec AntiVirus. The files are on their ftp site, but the support site isn't updated yet.
It looks like, since I'm running 10.0.2.2001, I'm going to have to apply the 2020 build mst file (MR2, MP2) before I can apply this fix.
I guess I have to learn a bit about mst files. I think I should be able to chain the two files together, but I'm not sure of the exact syntax to use when pushing that out with SMS.
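The two-step route described in part 2 (rollup first, then the point fix) and the chaining question raised here can be checked by script before anything is pushed out. The following is an added example and is not Symantec's tooling or the author's own; the step table is constructed from the build numbers quoted in part 2 (the later part 4 post adds a direct 10.0.2.2002 patch for the 2000/2001 builds, which would be one more row), the .msp file names and the share path are placeholders, and it relies on the documented msiexec behaviour that /p accepts several patch files separated by semicolons.

```python
"""Work out which Symantec AntiVirus 10 patch steps a host still needs and
build the single msiexec command that chains them.

Added example, not Symantec's or the post author's tooling. The step table is
constructed from the build numbers quoted in the post; the .msp file names and
the share path are placeholders.
"""
import re

# Constructed from the post: installed build -> (patch file placeholder, build after it).
# 10.0.2.2001 first takes the MR2/MP2 rollup to 10.0.2.2020, then the point fix.
PATCH_STEPS = {
    (10, 0, 2, 2001): ("SAV10_MR2_MP2_rollup.msp", (10, 0, 2, 2020)),
    (10, 0, 2, 2010): ("SAV10_0_2_2011_fix.msp", (10, 0, 2, 2011)),
    (10, 0, 2, 2020): ("SAV10_0_2_2021_fix.msp", (10, 0, 2, 2021)),
    (10, 1, 0, 394): ("SAV10_1_0_396_fix.msp", (10, 1, 0, 396)),
    (10, 1, 0, 400): ("SAV10_1_0_401_fix.msp", (10, 1, 0, 401)),
}

# Builds that carry the fix: the right-hand side of the post's "unpatched -> patched" list.
FIXED_BUILDS = {(10, 0, 2, 2011), (10, 0, 2, 2021), (10, 1, 0, 396), (10, 1, 0, 401)}


def parse_build(text):
    """'10.0.2.2001' -> (10, 0, 2, 2001); rejects anything that is not four integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in m.groups())


def patch_chain(installed):
    """Return the ordered list of patch files a host on `installed` needs.

    [] means the build already carries the fix. None means the table has no
    route for it (as the post says of 10.0.2.2000 at the time of part 2), so
    the host needs a full upgrade rather than a patch push.
    """
    build = parse_build(installed)
    chain = []
    seen = set()
    while build not in FIXED_BUILDS:
        if build not in PATCH_STEPS or build in seen:
            return None
        seen.add(build)
        msp, build = PATCH_STEPS[build]
        chain.append(msp)
    return chain


def msiexec_command(patches, patch_dir=r"\\server\share\sav"):
    """Build one msiexec line applying all patches in a single transaction.

    /p takes several .msp files separated by semicolons, in order; /qn keeps
    the push silent and /norestart leaves the reboot to be scheduled separately.
    """
    if not patches:
        raise ValueError("nothing to apply")
    joined = ";".join(f"{patch_dir}\\{p}" for p in patches)
    return f'msiexec /p "{joined}" /qn /norestart'


if __name__ == "__main__":
    for version in ("10.0.2.2001", "10.1.0.400", "10.1.0.396", "10.0.2.2000"):
        chain = patch_chain(version)
        if chain is None:
            print(f"{version}: no patch route listed, full upgrade needed")
        elif not chain:
            print(f"{version}: already fixed")
        else:
            print(f"{version}: {msiexec_command(chain)}")
```

Because the walk stops only at a build in FIXED_BUILDS, an inventory report of installed versions run through patch_chain gives three clean buckets (already fixed, patchable with this command, needs full upgrade), which is the split an SMS collection query would be built on.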
Secunia: Another Awstats vulnerability
There is a vulnerability in awstats allowing the configuration file to be changed.
http://secunia.com/advisories/20164/
eEye Reports Critical Vulnerability in SAV
eEye is reporting that
a remotely exploitable vulnerability exists within the Symantec Antivirus program. This flaw does not require any end user interaction for exploitation and can compromise affected systems, allowing for the execution of malicious code with SYSTEM level access.
This is reported in SCS 3 and SAV 10. Currently it is not known if they have tested earlier versions or not.
Something Foreign
So I had one of the oddest experiences I’ve had at work for a really long time.
I had a vendor coming in to do a pitch on their product. Originally they were going to do this online as a web demo, but they realized they'd be in town so they might as well come by and do it in person. A couple months ago I got yelled at by security for bringing a foreign national by for a meeting without filling out some paperwork first. In that instance they let the person upstairs for the meeting. I wanted to do it right this time, so I looked on the company intranet for the proper procedures and found the Foreign National Visitor Form. It pretty much has 5 things: their name, their nationality, their company, my signature and my director's signature. I turned the form in to security and asked if that was everything they needed. They responded that it was. I also provided date of visit and purpose of visit, although there is not a place on the form for that.
My meeting was about 4 business days later. On the morning of the meeting, I got a phone call telling me they would have to have their passports xeroxed. First of all, it does not seem like a good practice to have people xeroxing identification papers. Second of all, it's the morning of the meeting. It's too late to contact them and ask them to bring a passport. I had told them to bring ID such as a driver's license. At least one of the people works locally and of course only brought a Virginia driver's license.
So security has a freaking cow because they don't have the correct identification. I was told they would not let them upstairs. To that I asked if I could use a conference room on the first floor: since outsiders are allowed in the cafeteria on the first floor, could I use a conference room on the first floor that is not in the secured area? Security responded that the conference room is in a controlled area. I asked how it could be in a controlled area when there is not a locked door separating it from the "public" areas of the building. They responded that I could meet in the cafeteria. The cafeteria is certainly a great place to meet with a vendor. I wonder if I could set up a projector and a screen in there. I'm seriously thinking about next time just hooking their computer up to the plasma screen in the lobby and using that for our meeting. I asked to speak with their Director in the hopes that he would allow us to meet in the conference room on the first floor, which is in a non-secured portion of the building. That is when things began to get interesting.
Rather than listen to my concerns about the Foreign National Visitor process, or my experience in getting foreign nationals into the building in the past, the Director cut me off and repeatedly said I was not within policy. He would not answer my questions as to why I was not informed of a passport requirement before the morning of the meeting when I had turned in my visitation form the previous week. This Facilities Director basically called me a liar by denying events that I have experienced (having foreign nationals visit without this hassle); he then made up policy that is not recorded on the company intranet, and basically belittled me. Somehow he managed to do all this while making sure to only say things about how he wanted to help. It was a thing of beauty how he was able to humiliate me while at the same time verbally maintaining his desire to help. He put the cherry on top by sending out an email to me about how much he wanted to help. He certainly knows how to play the game of politics. If only he actually desired to help people with the same ardor. For people like this, power is their aphrodisiac, and the wielding of it better than any sex they can have. The satisfaction that comes from crushing power games is still there even when wielded against people many pay grades below. This is a man to be pitied, for he is nothing if not a Dilbert cartoon character.
I understand that, given the nature of the facility, we have requirements regarding foreign nationals. But policies need to make sense. I'm just trying to talk to a couple of vendors, not make a huge production number of it.
I still don't know exactly what a foreign national is. Is it a non-U.S. citizen? What if they have permanent residency or a work permit here? I guess I could have learned something if the Facilities Director didn't have such a huge attitude problem. So now I'm supposed to attend a reeducation session with security. That was the trade-off for getting my vendors into the building. Right. I don't think so. I can't wait to see what happens next. Will they lock out my badge (again)? Will they "write me up"? Will they try to yank my clearance (if I have one; you aren't supposed to admit to having such)? Or perhaps they will merely slow-walk the renewal process for it.
I thought about putting this in my personal blog. It would have less potential to cause trouble. I keep that one under password protection. But this issue directly relates to what we do in security. Make the security irrational and people are going to resist it. If you respond by protecting your sandbox and lashing out, as this Director did in his passive-aggressive way, you will find your kingdom despised. Sooner or later the important things you are trying to do will be trivialized, marginalized and ignored. Piss off enough people and you'll be on the outside looking in.