Archive for July 2006
ISC: Outshare or Die
Johannes Ullrich has a piece in the SANS Internet Storm Center Diary that I’m sure will provoke much discussion. Entitled “Out-Share or Die”, Ullrich posits that Information Security professionals must learn to collaborate and share information in order to protect their environment from the attackers. There are many parts of this article, some I agree with and some I don’t. In this post I comment on a single sentence that sparked some thought.
Ullrich quotes Clausewitz’s book “On War” as saying “Defense is the stronger form of waging war”. Not having read Clausewitz, I have no idea if this is in context or not. But I can ask, is this truly analogous to Information Security? A war can be prevented by having a strong military and a demonstrated willingness to use it. How does that translate to information security? The Cold War was won with a peace through strength plan implemented by Ronald Reagan. The missile race initiated the concept of mutually assured destruction. How does that translate to information security? Intrusion Defense Systems, Firewalls and Anti-virus do not strike fear in the hearts of hackers the way the Strategic Defense Initiative struck fear in the hearts of America’s enemies.
Ignoring the thrill-seekers, today’s computer attackers are more like the Russian Mafia. (Wait, in many cases today’s attackers are the Russian Mafia.) They are like terrorists. They have time and resources to keep prodding until they find an opening. They only have to win once; defense has to win every time. A strong defense deters rational people who are afraid of reprisal. In the world of computer attacks a strong defense is necessary, but bringing these people to justice will do more to deter. This role belongs to law enforcement and potentially to the military if it can be proved that a nation-state initiated a computer attack on our interests.
Third Brigade Seminar
I went to a seminar put on by Third Brigade on Thursday. It was a good summary regarding the need for HIPS (Host-Based Intrusion Prevention Software). I also got some hands-on lab time with their product.
I agree with them that their product is lightweight, and takes less time to deploy than other products like CSA or McAfee HIPS. I am concerned about whether it will work in our environment. Or I should say, in a heterogeneous environment where everyone is a local admin I wonder if any HIPS work. Our users already don’t like the limited changes they are allowed by the current personal firewall. This product won’t allow them to whitelist anything in the packet filter, but still allows them to disable it completely. And of course ultimately, I want a HIPS product to protect against zero day attacks. It is my opinion that this product can’t do that. I expect to be doing an eval install in a couple of months so that is something I’ll be verifying.
HIPS products have a high pain potential, and are thus likely to turn into shelfware. That is something I don’t think would happen with the Third Brigade product. I think this product would improve our level of protection and give us much greater reporting than what we see now.
SAV Scanning and SMTP over SSL
I was having problems sending email through my ISP earlier this week. The error message I was receiving from Outlook Express was
> Your server has unexpectedly terminated the connection. Possible causes for
> this include server problems, network problems, or a long period of
> inactivity. Account: mail.example.com, Server:
> ‘smtp.example.com’, Protocol: SMTP, Port: 587, Secure(SSL): Yes,
> Error Number: 0x800CCC0F
This mail account requires username and password in order to send mail. To protect against sniffing, I prefer to encrypt my authentication traffic in IMAP and SMTP. To narrow down the issue, I disabled SSL and found that I was able to send email successfully. Next I attempted to send a message with SSL while connected to a different network. This time I got a different error with a link to a Symantec Knowledgebase article.
“An encrypted email connection has been detected. Please see help for more information on how to transmit encrypted email.”
It turns out, that Symantec says:
If your Internet service provider uses the SSL in email protocol, you might have problems sending email messages. In this case, you might need to disable Symantec AntiVirus email scanning.
In order to be able to send email and use SMTP over SSL, I had to disable the Internet Email scanning within Symantec Antivirus. This is still secure because the file system real-time protection will still scan any file attachment. Message bodies will no longer be scanned, and the message will be scanned at attachment open/save rather than when the email message is opened. For years Symantec didn’t even have an Internet Email scanner in their corporate product, so I don’t think disabling it is a huge risk.
The Case of Port 110 and 25
About a month ago, my manager asked me for some help in interpreting the results from a scan she had run using Foundstone Superscan. She is in a security course as part of her Master’s degree at GW. The scan results strangely showed port 110 and 25 open. This didn’t make any sense to me. These ports shouldn’t be open on an end user’s desktop or laptop. I used SuperScan on my own desktop and laptop and obtained the same result. I tried to verify the results with Nmap but it kind of bombed out on me. Next, I looked at the most recent STAT results and saw that it too was seeing those ports open. Multiple scanners agreed the ports were open, but I couldn’t determine why.
I tried to connect to the ports manually using telnet and netcat but no banner was displayed. It looked to me like I was not able to connect to the port. This remained a mystery unsolved until this week. I was at a HIPS seminar put on by Third Brigade and I read the readme for their product. It reported that Norton Antivirus will cause 110 and 25 to appear to be open because of the way it proxies those connections so it can scan Internet Email. I can’t find confirmation in the Symantec Knowledge Base, but I have found confirmation through a writeup from GFI.
Shouldn’t Symantec only be proxying outbound requests? This internet mail scanner plugin is intended to be only on end user computers. By answering requests from external scanners, they are opening the computer to any vulnerability in their SMTP and POP scanning service. Defense in depth would use a personal firewall to block such access.
This SMTP scanner seems to be more trouble than it’s worth. We’ve had issues sending email to some mail servers with it enabled. I’m going to post later about my experience with SMTP over SSL and this scanner. The computer will be protected by the File System Real Time Protection. This Internet Mail protection does little but preserve a clean inbox.
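The symptom in this post and in the SMTP-over-SSL post above is the same from the network side: a scanning proxy accepts the TCP connection on 25 or 110 (so port scanners report it open) but never sends the greeting a real mail server would, so telnet and netcat show nothing. The probe below is an added example, not code from the original posts, from Symantec or from Third Brigade. It tells the three cases apart (closed, accepted-but-silent, greeting received) and, for an offline run, starts two constructed listeners on 127.0.0.1 that stand in for the proxy and for a mail server; the host, port and banner values are assumptions.

```python
"""Distinguish 'silent' listeners (accept the TCP connection, send nothing)
from real mail services (send a greeting) and from closed ports.

Added example. The listeners started by start_listener() are constructed
stand-ins for an AV mail-scanning proxy and a mail server; they are not
any vendor's code.
"""
import socket
import threading

# Ports an email scanner typically proxies; 587 is the submission port
# from the Outlook Express error in the SSL post.
MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP", 587: "submission"}


def probe_port(host, port, timeout=2.0):
    """Connect to host:port and wait for a greeting.

    Returns (state, banner) where state is one of:
      'closed' - connection refused or no answer at all
      'silent' - connection accepted but no greeting before the timeout
                 (what a scanning proxy looks like to a port scanner)
      'banner' - a greeting arrived; banner holds its first line
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
            except socket.timeout:
                return ("silent", "")
            if not data:
                return ("silent", "")
            first = data.decode("ascii", "replace").splitlines()[0].strip()
            return ("banner", first)
    except OSError:
        # ConnectionRefusedError and socket.timeout are both OSError subclasses
        return ("closed", "")


def scan_mail_ports(host, ports=MAIL_PORTS, timeout=2.0):
    """Probe each mail port; a silent listener is flagged as worth a look
    (a scanner proxy, or inbound access a personal firewall should block)."""
    report = {}
    for port, name in ports.items():
        state, banner = probe_port(host, port, timeout)
        report[port] = {"service": name, "state": state, "banner": banner,
                        "suspicious": state == "silent"}
    return report


def start_listener(banner=None, hold_seconds=5.0):
    """Start a throwaway listener on 127.0.0.1 (constructed test fixture).

    banner=None models the scanning proxy: accept, then wait for the client
    to speak first. A bytes banner models a mail server that greets.
    Returns the port number it is listening on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if banner is not None:
                    conn.sendall(banner)
                else:
                    conn.settimeout(hold_seconds)
                    try:
                        conn.recv(1)   # wait silently; the client gives up first
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Pick a port nothing is listening on (constructed 'closed' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    proxy_like = start_listener()
    server_like = start_listener(b"220 mail.example.test ESMTP ready\r\n")
    for port, label in ((proxy_like, "proxy-like"),
                        (server_like, "mail-server-like"),
                        (free_port(), "closed")):
        print(port, label, probe_port("127.0.0.1", port, timeout=1.0))
```

Run against the machine's own address from a second host to see what a scanner sees; if 25 or 110 come back "silent" there, the proxy is answering external connections and the personal-firewall rule the post asks for is the fix, since the scanner only needs to intercept outbound mail.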
Upgrading Symantec IM Manager
I spent most of my Saturday upgrading Symantec (IMLogic) IMManager. We have two servers running that, one acts as a proxy for public IM traffic and the other looks at LCS traffic. Prior to implementing IMManager we had a track record that once a month a user would get their computer infected through IM and then spread it to their contacts inside and outside the company.
The upgrade process wasn’t the smoothest thing I’ve experienced. I didn’t follow their advice to try it in a lab environment first. I felt like it would take me more time to set up the lab environment and even then it wouldn’t prove that I could upgrade production successfully, only that I could upgrade the lab successfully. I decided it would take about the same amount of time to fix whatever problem occurred on the production machine.
I backed up the database to allow for a fall back position, I reviewed the release notes and all available documentation and jumped in. Symantec provides a lot of information in the documentation, the release notes, and in knowledge base articles, so I was able to create a decent upgrade plan.
I received an error on my update indicating “an error has occurred in the installation of the IM Manager. Description: Failed to install the IM protocols engine. Would you like IM Manager setup to continue.” There was a support article with a few things to try. (missing dll, Windows Installer not started, and you’re just screwed). None of those suggestions were relevant. I’m wondering now if the problem was a failure to stop the upgrade service as they recommended.
To resolve the problem, I had to uninstall by hand. There is a knowledge base article for this, but it’s pretty obvious what to do. Delete the install directory. In the registry, remove the uninstall key and the service keys. I then installed 9 from scratch. Since I had a SQL database on another server, the configuration was preserved.
I am still missing support for Yahoo Messenger 8 (they are working on that for a future release), and I had a weird problem where I had to reboot to get the server to listen for AIM traffic, but other than that I’m pretty happy. Hopefully it will continue to work on Monday when the users come back.
IMManager is integrated with Microsoft (Sybari) Antigen for IM to provide antivirus scanning. I upgraded that a minor build number as well. The only new development there is to allow encrypted LCS traffic and also support LCS 2005 sp1.
U Fairfax Access
I was checking out the University of Fairfax website again tonight to see if they’ve received any accreditation that would make it more likely that my company would pay for the courses.
I thought it was kind of funny that an Information Security program isn’t using SSL to protect the username and password credentials when logging into webmail or the online classroom.
Cisco 871 router
I’ve been considering purchasing a Cisco 871 router for a while. It looks like it has the ability to do inbound VPNs and also IDS. Cost has been the main thing holding me back. The second consideration is that I have a wireless mesh implemented using Linksys and third party firmware. I’m not sure how this router would fit in. Recently, I’ve been thinking about setting up a system to run SNORT and placing it on a hub between the cable modem and my router. By doing that I gain the IDS fun that I want, and don’t have to worry about screwing up my existing router implementation.
George Ou blogged about the 871 today. I didn’t see too much of interest in what he wrote today, but I’d like to see his future articles as he writes more about its general use and less about its feature list.
I think the 871 is a good SOHO device for when a “hacked” Linksys would not be acceptable.
That Just Hurts
Reviewing my RSS feeds this morning, I see that Jesper Johansson has announced his resignation from Microsoft. He is going to a security position at Amazon.
Jesper has been a primary source for me in determining the best way to secure my Windows network. The book “Protect Your Windows Network From Perimeter to Data” by Jesper and Steve Riley is the first thing I turn to, followed by Microsoft’s Windows 2003 Security Guide (which he had a hand in), and then I look at Steve Fossen’s SANS course material.
Microsoft is losing a great resource. Although I’ve never even met Jesper, I feel like I’m losing a valued colleague.
CA accuses F-Secure of Mobile Malware FUD
http://news.zdnet.co.uk/communications/3ggprs/0,39020339,39279551,00.htm
“A spat has erupted between the two security services companies following CA’s accusation that antivirus vendor F-Secure was overplaying the threat of mobile malware.”
Amazing, I actually agree with CA about something.