Archive for August 2006
More comments on the transition from IMLogic IMManager to Symantec IMManager
Symantec IMManager (IMLogic) support slipped further this month. They implemented further changes to integrate the IMLogic purchase with their existing support framework.
The knowledge base was merged into Symantec’s existing knowledge base. Before, it was possible to sort the responses by relevancy, date modified, and how many customers used an answer. It was also easier to restrict the search results by version and product.
It is no longer possible to enter tickets via email.
Creating a ticket online has migrated to a new system, and I have not been provided with a password.
Calling support is now as annoying for IMLogic as it is for the antivirus product.
It was easy to communicate with IMLogic. I am afraid that this has been lost in the Symantec purchase.
More on MS06-042
SANS mentions the MS06-042 problem that I spoke of here. They are reporting that Internet Explorer crashes when accessing some websites while using WINXPSP1 or Windows 2000. They mention Peoplesoft web applications in particular.
A hotfix is now available at http://support.microsoft.com/kb/923762/en-us
Perils of Encryption
Today’s SANSBITES email has a blurb on the Department of Transportation laptop that went missing while holding data on 133,000 Floridians. Apparently the data was originally encrypted, then later it wasn’t.
John Pescatore of Gartner comments, “Who knows what really went on, but rushing out encryption of stored data without thinking through all the issues (like indexing and archiving, just to name two common problems) often results in self inflicted wounds or the encryption being disabled.”
That sounds familiar. After OMB M-06-16 required encryption, many government agencies have been running around implementing ill-considered encryption plans.
I have been trying to hold off this groundswell for encryption until we can implement it correctly using a Certificate Authority. Now suddenly we’ve uncovered a major problem. The backup software only allows you to restore encrypted files to yourself. If you lose your computer, and get the administrator to restore the files to a new computer, the backup software will not allow restoration of encrypted files. This is a huge problem. You can protect your important data with encryption, but don’t plan on getting it back in case of disaster. We’re pressuring the vendor to change this behavior.
Lanman hash shoe drops
Regular readers might recall last month we finally disabled storage of the lanman hash in our Windows domain. It was about time, too.
This week, I ran SAMInside and found that I couldn’t crack any passwords for accounts where only the NTLM hash was stored. Dictionary attacks and brute force take a lot longer than rainbow tables. That wasn’t the shoe that dropped though; that was expected and good.
I heard that our Accounts Payable check-cutting computer is running Windows 95. After we disabled the lanman hash storage, and they changed their password, suddenly these users weren’t able to log into the domain at this computer. (Windows 9x requires the AD services client to be able to log into the domain when lanman hash storage is disabled.) I of course thought that was pretty freaking hilarious. I have a feeling though that it will make it harder for us to get approval to push through other security tweaks.
I’m glad it broke the computer. Now we know that something critical is relying on Windows 95 and we can rectify the situation. Sure it caused some people to run around like chickens with their heads cut off, but in the long run things will be better off.
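As an added example (not code from the original post), here is a PowerShell check an admin can run to confirm the state described above before and after the change. It reads two real Lsa policy values: NoLMHash (1 means the LM hash is no longer stored, taking effect at each account's next password change) and LmCompatibilityLevel (0 to 5; 4 and 5 refuse LM authentication on the wire). The function and parameter names are my own, and the Windows 9x reminder restates the caveat from the post.

```powershell
# Added example, not the post's own code. Reports whether LM hash storage is
# disabled on this machine and what LM/NTLM compatibility level is enforced.
function Get-LmHashPolicy {
    [CmdletBinding()]
    param(
        # Registry path is a parameter only so the function can be pointed at a
        # loaded offline hive; the default is the live local system.
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    $lsa = Get-ItemProperty -Path $LsaPath -ErrorAction Stop

    # A missing value means "not configured": the OS default applies
    # (pre-Vista systems keep storing the LM hash unless NoLMHash is 1).
    $noLmHash = if ($null -ne $lsa.NoLMHash) { [int]$lsa.NoLMHash } else { $null }
    $compat   = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { $null }

    $findings = New-Object System.Collections.Generic.List[string]

    if ($noLmHash -eq 1) {
        $findings.Add('LM hash storage disabled; existing LM hashes remain until each account changes its password.')
    } else {
        $findings.Add('LM hash storage still enabled (NoLMHash is 0 or not set); stored LM hashes are exposed to rainbow-table attacks.')
    }

    if ($null -eq $compat -or $compat -lt 4) {
        $findings.Add('LmCompatibilityLevel below 4: LM authentication is still accepted on the wire.')
    }

    # Legacy clients: Windows 9x needs the Active Directory client extensions
    # once LM hashes are gone, so flag it for the admin to verify before rollout.
    $findings.Add('Verify Windows 9x clients have the Active Directory client installed before rollout.')

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        NoLMHash              = $noLmHash
        LmCompatibilityLevel  = $compat
        LmHashStorageDisabled = ($noLmHash -eq 1)
        Findings              = $findings.ToArray()
    }
}

# Usage: run in an elevated PowerShell session on a domain controller or workstation.
Get-LmHashPolicy | Format-List
```

Running it on each domain controller after the Group Policy change shows whether NoLMHash actually applied, and the password-change note explains why the Accounts Payable users only hit the problem once their passwords were rotated.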
Bill’s Security Blog
I just saw that one of my former classmates has taken up blogging since we graduated with our Masters Degree in Information Security. The address is here. I hassled him into getting the rss feed link onto the main page, because that’s how I follow all these sites.
Check it out.
ISC Tip of the day: surviving patching
As part of its August “advice-a-day” series, ISC offered some tips on surviving the monthly patch releases. The advice is somewhat contradictory, but at least for once they present a spectrum of suggestions for dealing with a problem rather than pretending there is only one way.
- Patch now – if there is any pain from patching it will be less than the pain from getting hit by a virus before getting patched.
- Deploy to a representative group, monitor, deploy to wider group. But still the total time-frame needs to be quick.
- Patch critical services, and laptops which are more vulnerable.
- Deploy to a representative group, monitor, deploy to wider group. Taking 4-6 weeks to get it done.
It seems like their advice is lacking in preventative steps. I suppose steps such as “use a personal firewall” or “login as a limited rights user” only work for specific types of attack. Seriously, the best way to address the patch cycle isn’t to run faster. It’s to get off the exercise wheel altogether. Virtual Patching may be the answer. That is where you use a HIPS product to prevent the client from being vulnerable to the attack in the first place. Products like CSA, McAfee HIPS, ISS, and Third Brigade should be closely examined. I’d be interested in hearing from anyone with one of these products. Do you agree that the need to patch is less once HIPS is deployed? Or have you found that not to be the case?
MS06-042 Issue on Windows 2000
I first saw this over at myitforum and verified it in my own testing. After applying MS06-042 to a Windows 2000 sp4 computer, I am unable to go to www.theregister.co.uk using IE6sp1. IE crashes and offers to send a report to Microsoft.
I’ve checked over the known issues and caveats, and I don’t see the problem listed clearly there. It could be that TheReg needs to clean up their code a bit. I also called my TAM, who hasn’t heard of that being a known issue (other than the caveats regarding ActiveX and Java). The Register is a major tech news site, so I’m expecting to hear more about this.
This could be interesting because 35-40% of my enterprise has Windows 2000. How many sites could potentially have similar problems? What’s odd is that the front page of www.theregister.com doesn’t have this issue; it’s only when I click on links which then call the mothersite that a problem occurs. I think it’s something in their advertising.
UPDATE – My TAM has recommended disabling HTTP 1.1 as a workaround. I wasn’t able to reproduce the problem today, so I didn’t try that. I have heard that the problem is with sites using compression and that an update will be out this week.
Third Party Device Drivers?
Should Microsoft Update Patch Third Party Device Drivers? Alan Paller says yes.
Would the patches be deployable through SMS SUS Security Updates or ITMU? I’m not sure they could do that before the next SMS update. If it’s only available through Microsoft Update, that doesn’t do me a lot of good.
I’m not sure why Alan thinks that Microsoft should patch everything on the system. Perhaps they should update drivers that came on their own Windows distribution CD, but in most cases the drivers are installed by the OEM, not Microsoft. It’s like asking Microsoft to provide patches for Winamp.
It’s already incredibly difficult for them to fully q/a their own patches. Imagine trying to q/a third party device drivers. I think the emphasis should be on using SMS to make it easier to deploy these third party apps. The SMS 2003 R2 CAB system that Flash 9 is taking advantage of is probably the right direction.
A Few Good Metrics
Here’s a link to a CSO article from last year providing some Information Security metrics. Good stuff.
Intel Proset Wireless Hack
By now, you’ve read about the vulnerability in the Intel Wireless Drivers. If you haven’t, make sure you read this, and then check with your vendor for their version of the Intel update.
What I found funny was that Johnny Cache who presented a similar (or the same) vulnerability on a Macbook is quoted as saying,
The likelihood that you’ll encounter this particular exploit is small. “You have to have some economic gain,” said Cache in an interview after the event. Right now, there’s little gain in hacking into an individual laptop at short range.
There are just so many things wrong with that statement. I wonder if he would have said the same things about the Symbian OS phone attacks, or bluetooth address book harvesting. Short range attacks are fairly likely to be attempted at conferences, airports, and other large gatherings of geeks. Has he forgotten so quickly that some attacks are done just because it can be done? Money doesn’t have to be the prime motivating factor. Of course I can think of many examples where money could be gained by using this exploit. It’s a new spin on war driving: war automated hacking! Or worse yet, it’s industrial espionage. You roll up in my parking lot and install a bot through this wifi driver attack. You’re now a privileged computer on my network.
I think this weekend I’m going to go watch the video of the hack (I think sunbelt has it linked), and then check on the Dell and Toshiba driver situations. I think my tablet is using a vulnerable wireless driver.