Archive for October 2006

Just change the grading system

The Department of the Interior wants a new grading system. The Government as a whole got a D+ on their report card, so rather than improve they blame the grading policy and dismiss it as being check-box oriented.

Certainly, FISMA is a big paper chase, but at the end of the day security is improved and risks are accepted or mitigated if people take it seriously. The problem comes in when System Administrators bunker down to protect their turf and management goes to Tom Davis to get FISMA changed rather than focusing on improving the security program.

Agency CIO Tipton noted that his agency did not score well on the most recent report card but said Interior’s cybersecurity has never been stronger…”We look at FISMA and I noted that we fended off four billion probes, scans, attacks last year without any significant breaches.”

You fended off four billion probes. That sounds awfully impressive to the casual listener. It sounds like a number a CIO would use if he were trying to prove that all that money spent on security is actually worth it. Does that number prove defense in depth or does it prove you have a firewall?

Of course it's not hard for the Department of the Interior’s cybersecurity to have never been stronger. Look at 2004 when a Judge forced them off the Internet for 4 months due to their Information Security bungling.

Scansafe versus MessageLabs in the HTTP Security Arena

Mondaq.com has an article on the Scansafe v. MessageLabs lawsuit. The website requires free registration.
MessageLabs was under an agreement to rebrand Scansafe’s HTTP security as their own. After about a year of that, MessageLabs decided to take it in house, giving two months notice.
I’ve had great fun in my HTTP Security project as I’ve dealt with both vendors, and am fully aware of the back story. I would guess that the vast majority of MessageLabs customers have never heard of Scansafe.
Scansafe sued alleging the contract requires longer notice than a two month notice, and also that MessageLabs in creating their in house version is living off the ScanSafe good name.
I agree with the Judge in this case. It's kind of hard to be accused of misappropriating someone else’s goodwill when you are licensing their software to use under your own name. You are authorized to appropriate the goodness of their software as your own. The problem comes in when the new in-house version is called version 2.0. They say that implies it's based on the original software.
So now MessageLabs is required to tell prospective customers that the Web Security is not based on Scansafe. Apparently they are free to then tell the users horror stories about Scansafe’s product and why MessageLabs had to bring it in house to do it right.

Spam image technique

John Graham-Cumming blogs on a new animated gif technique spammers have used to thwart OCRing. His entry a day earlier is interesting also.

Email Message Size Limit

We received a notice from our email provider that the new default maximum message size will be 50 MB. The previous default was no published limit.
That reminded me of the Paris Hilton divx file story, but I see I already blogged about that in 2004.
We’ve had various mail size limits through the years. In 2002, I found the firewall admin had used the SMTP secure server to set the maximum size to 16 Mb.
Although the mail provider is changing the default, we are still free to set our own limit (even a ridiculously high limit). So we’re taking a look at the email logs to see what has been sent lately. There is a report that a Lotus Notes administrator sent a 500 Mb file. Clearly a quota needs to be set to avoid denial of service attacks. However, we have a preference to keep the environment as open as possible. I’d suspect that a limit of 100 Mb will be set, maybe 50 Mb if I’m lucky.
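As an added example (not the author's own script), here is a small Python check of the kind the post describes: it parses constructed Postfix-style queue log lines and reports which recent messages a 50 MB or 100 MB limit would have rejected. The log format, hostnames and addresses are assumptions.

```python
import re

# Constructed sample of Postfix-style qmgr log lines (not real data).
# Sizes are in bytes; the 500 MB outlier mirrors the Notes transfer in the post.
SAMPLE_LOG = """\
Oct 12 09:01:14 mx1 postfix/qmgr[2231]: 4F2A1B: from=<alice@example.test>, size=18432, nrcpt=1 (queue active)
Oct 12 09:03:52 mx1 postfix/qmgr[2231]: 4F2A2C: from=<bob@example.test>, size=9437184, nrcpt=2 (queue active)
Oct 12 10:15:07 mx1 postfix/qmgr[2231]: 4F2A3D: from=<notes@example.test>, size=524288000, nrcpt=1 (queue active)
Oct 12 11:20:41 mx1 postfix/qmgr[2231]: 4F2A4E: from=<carol@example.test>, size=62914560, nrcpt=1 (queue active)
Oct 12 11:22:09 mx1 postfix/smtpd[2240]: connect from client.example.test[192.0.2.10]
"""

MB = 1024 * 1024
# Only qmgr "queue active" lines carry the envelope sender and size.
SIZE_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+)")


def parse_sizes(log_text):
    """Return (sender, size_in_bytes) for every queued message in the log."""
    found = []
    for line in log_text.splitlines():
        m = SIZE_RE.search(line)
        if m:
            found.append((m.group("sender"), int(m.group("size"))))
    return found


def over_limit(messages, limit_mb):
    """Messages that a maximum message size of limit_mb would have rejected."""
    return [(s, size) for s, size in messages if size > limit_mb * MB]


def limit_report(messages, candidate_limits_mb):
    """For each candidate limit, count how many recent messages would be blocked."""
    return {lim: len(over_limit(messages, lim)) for lim in candidate_limits_mb}


if __name__ == "__main__":
    msgs = parse_sizes(SAMPLE_LOG)
    for lim, n in limit_report(msgs, (50, 100)).items():
        print(f"{lim} MB limit would reject {n} of {len(msgs)} messages")
```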

Adobe Reader Updating

I got to thinking tonight about which desktop software we should be looking to update next. Adobe Reader seems to have a number of hits in my vulnerability scanner results, so I was thinking that might be a good option.
A quick inventory shows that we’ve got a full spectrum of Adobe Reader installed. I even found some version 3 installed. Now how does that happen?
First I checked out appdeploy.com where I got some tips about install switches and disabling the Yahoo search bar. I was also reminded of the Tuner for Adobe.
Next, I went to Adobe and read their article on deploying Adobe Acrobat with SMS. I also watched a 50 minute session on using the Tuner to customize Adobe Reader and Acrobat Professional.
Lastly, I stopped by myitforum.com and did a search on the front page, and in the sms mailing list. I forgot to search the forum and the blogs there.
What I’ve found is that I should be able to remove Reader 6 automatically while installing 7.0.8 because it also uses the Windows Installer technology. However, for removing version 3-5, I’m on my own. Fortunately, I found some helpful command lines. I think I’ll create an SMS Installer package to remove the earlier versions.
Some of my computers have Adobe Reader and Professional installed. That may make things interesting. I’m also concerned because we tend to move the Adobe Reader icon into its own folder. An upgrade will probably result in an empty folder with users wondering how to start Adobe.
It looks like Adobe Professional 8 is out. I don't see an Adobe Reader 8 available yet, although I see one reference to a pre-release copy. It's an age-old question: should we spend time deploying 7.0.8 when 8 is around the corner? We really shouldn’t deploy 8 immediately when it is released, so maybe we do need to do 7.0.8 now.
So it looks like there is a lot of work to do. Hopefully, I’ll be able to make time for this.

Practicing Safe Surf

In other news, the sky is blue. Porn sites are sleazy. And everything isn’t as it seems on MySpace.
http://sourcewire.com/releases/rel_display.php?relid=27686&hilite=

A survey of over 600 UK respondents showed that young men are significantly more likely to be infected with spyware than their female counterparts. The likelihood of infection was increased by the risky online behaviour of young males, such as opening instant messages (66%), downloading files (65%) and visiting adult entertainment sites (56%).

“The chances of becoming infected with spyware rapidly increase when performing certain online behaviour, such as visiting adult entertainment sites or social networking sites such as MySpace.com”, said David Moll, CEO of Webroot. “These sites have become a breeding ground for spyware.”

Upgrading to XP

The Help Desk has decided the best way to upgrade systems to Windows XP SP2 from Windows 2000 SP4 is to take the computer to the helpdesk and put in a CD.
Who knows what kinds of problems this will cause in the future. I wish that these computers contained some sort of mark of the beast to indicate that they were upgraded in place rather than doing a clean install with a data restore. Compounding this bit of bad news is the decision by the largest Center to hold onto computers for a third year instead of doing a two year lease. That means these unholy computers will be in production longer.
I’ve found a handful of computers with Microsoft Virtual Machine installed. They are running XP SP2. We have no way of knowing if the users actually need this for some obscure product or if it's a remnant from an upgraded Operating System.

Apple Rant

Apple somehow manages to blame Microsoft when Apple ships a virus preloaded on some iPods. Gee, I thought Apple was super secure and didn’t need any of that fancy stuff like antivirus. Most companies have learned that scanning for viruses before shipping is part of quality control.
I expect that soon User Friendly will have a comic strip showing how the Microsoft blackops team planted this virus on the iPods.
Here’s F-Secure’s take.

A whole new kind of bluejack

Johnny Cache has uncovered flaws in bluetooth implementations from Toshiba. Brian Krebs reports in his SecurityFix blog.
Apparently it's a Toshiba bluetooth driver that is also used by Dell.
In a refreshing change from how Apple responded to their wireless driver vulnerability,

A Dell spokesperson said SecureWorks shared an exploit with the company that worked against any of nine different Dell Latitude laptops, and that the company’s engineers were able to reproduce the reported problems in-house. Dell said it has shipped updates to fix the problem on Latitude Models D820, D620, D420, and D520. Other Latitude models also are vulnerable, including the D810, D610, D410, D510 and X1 versions, but the company doesn’t expect to ship updates for those models until Nov. 4.

I keep my bluetooth disabled, but I’ll be checking the Toshiba site soon to see if my M400 is vulnerable.

Michael has a bad password

How great is it that not only does Michael Scott have a password of 12345, but it's written on a post-it note. (The guy in the turban is the I.T. guy if you haven’t seen him on the show before.)