Archive for January 2007

Mandatory Screensaver

At our company we implemented a mandatory screensaver about a month ago. In my testing I found that if I allowed the user to select the screensaver, they could select “none” and no screensaver would run. Obviously that isn’t something you want to happen. I also found that if a computer did not have the specific mandatory (corporate-logoed) screensaver installed, that was the equivalent of not having a screensaver at all.

We rolled it out using logon.scr as the default, intending to change that later. I figured that if we named the new screensaver logon.scr, then systems that had received the new screensaver would run that; otherwise they’d have the default flying-windows screensaver.

Tonight I was looking into it, and it seems that logon.scr is protected by Windows File Protection, so overwriting it in place won’t stick. Not sure what the next step is.

UPDATE: in Windows 7, the screen will now lock correctly even if NONE is selected as the screensaver.
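The two failure modes above (a user picking “None”, and a forced .scr that isn’t actually on the machine) are easy to audit once you know where the settings live. The following is an added example, not code from the original post: it evaluates the user’s own values under HKCU\Control Panel\Desktop against the policy copies under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop (policy wins), and checks that the configured .scr file exists. The value names are the real ones; the 900-second maximum timeout and the sample records are assumptions for illustration, and the “None” case reflects the XP-era behaviour described above. `read_live()` needs Windows; `audit()` runs anywhere.

```python
"""Audit whether a Windows screensaver lock is actually enforced (added example)."""
import os

# Value names are the same under the user key and the policy key; a policy
# value, when present, overrides the user's own choice for that name.
USER_KEY = r"Control Panel\Desktop"
POLICY_KEY = r"Software\Policies\Microsoft\Windows\Control Panel\Desktop"
VALUES = ("ScreenSaveActive", "ScreenSaveTimeOut", "ScreenSaverIsSecure", "SCRNSAVE.EXE")


def effective_settings(user, policy):
    """Merge the two dicts; a policy value beats the user value of the same name."""
    merged = dict(user)
    merged.update({k: v for k, v in policy.items() if v is not None})
    return merged


def audit(user, policy, file_exists=os.path.isfile, max_timeout=900):
    """Return (locks, reasons). locks is True only when nothing is wrong.
    max_timeout (seconds) is an assumed local standard, not a Windows constant."""
    s = effective_settings(user, policy)
    reasons = []
    if str(s.get("ScreenSaveActive", "0")) != "1":
        reasons.append("screen saver disabled (ScreenSaveActive != 1)")
    scr = s.get("SCRNSAVE.EXE") or ""
    if not scr:
        # The "None" choice: no .scr configured, so nothing ever runs or locks.
        reasons.append("no screen saver selected (SCRNSAVE.EXE empty)")
    elif not file_exists(os.path.expandvars(scr)):
        # A forced but missing .scr behaves exactly like no screen saver.
        reasons.append("%s not present on disk" % scr)
    if str(s.get("ScreenSaverIsSecure", "0")) != "1":
        reasons.append("resume does not require a password (ScreenSaverIsSecure != 1)")
    try:
        timeout = int(s.get("ScreenSaveTimeOut", 0))
    except ValueError:
        timeout = 0
    if timeout <= 0 or timeout > max_timeout:
        reasons.append("timeout %ds outside (0, %d]" % (timeout, max_timeout))
    return (not reasons), reasons


def read_live():
    """Read both keys from the live registry (Windows only, current user)."""
    import winreg

    def read(path):
        out = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
                for name in VALUES:
                    try:
                        out[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            pass
        return out

    return read(USER_KEY), read(POLICY_KEY)


if __name__ == "__main__":
    # Constructed sample: user picked "None"; policy forces a corporate .scr that
    # was never copied to this machine.
    user = {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "1", "ScreenSaveTimeOut": "600"}
    policy = {"SCRNSAVE.EXE": r"%SystemRoot%\system32\corp.scr"}
    ok, why = audit(user, policy, file_exists=lambda p: p.lower().endswith("logon.scr"))
    print("locks:", ok, why)
```

To run it against a real workstation, replace the constructed dicts with `audit(*read_live())`; the missing-file check is the one most inventories skip.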

Recovering Cached Credentials

In a Windows domain, cached credentials are a locally stored hash derived from your password, which lets you log into the computer when a domain controller isn’t available.
CacheDump is a tool that extracts that cache for offline password cracking; you can then feed the hashes to John the Ripper (with a plugin) or PasswordsPro ($$ for full features).
CacheDump pulled my own credentials and another set of credentials. While I haven’t tested further, it sounds like anyone with local admin rights would be able to export the cached credentials of anyone who had logged into that computer. So say a support person’s account is a local admin on all desktops, and they do support work at a user’s computer. That user (if they have local admin on their own machine) could export the support person’s hash and attempt to crack the password.
Of course a strong password helps.

Vista Released, Where’s my SAV 10.2

Windows Vista is available for purchase through retail channels beginning January 30th. It’s times like this that make me wonder, “where is my serial number for Symantec 10.2?” To my knowledge, I haven’t been sent a serial number by Symantec. As a result I don’t think I can download SAV 10.2, which is the version you need to use with Vista.
This is the Tao of Symantec: one serial number for 10.0, another for 10.1 and another for 10.2. God forbid you want to use the latest release and you’re not a platinum customer. I’ve just about had it.
To deploy 10.2 clients, I’m going to have to upgrade my parent server first. It is not good SAV mojo to have the server be a lower version than any of the clients.
With the release of Vista, I think the pressure for us to provide SAV for Vista clients will grow. It started with the volume licensing release of Vista, and grew from there. I don’t know how I’m going to find time to work with SAV 10.2 unless I come in on the weekend and do it. That assumes I’ll have found a working serial number.
Miles to go before I sleep, miles to go before I sleep.

“somebody set up us the bomb”

Crazy day at work today. I got into work early. My office is right over the main entrance so I tend to notice any odd occurrences. Around 9:30, I noticed multiple Fairfax County police cars parked at the front door. I had to get ready for a meeting, but I heard at 10am that the east side of the building, floors 1-3, had been evacuated due to a suspicious package. Since this didn’t affect the room we were in (and I really wanted to have my meeting) we went ahead with the meeting. Around 11:30 we wrapped up the meeting. I went back to my office and found just about everyone outside the window.
It seemed like a scene from a movie, you look out the window and there are cops, feds, firetrucks, the bomb squad, and a schoolbus (we have a nursery in the building). It was incredible. We were advised over the company’s internal intercom at 11:30 am that the building was being evacuated and that we should go home.
According to FCW.com, after the employees evacuated, a bomb detection robot removed the package from the building, and they imploded it. We received an email at 3:45 pm that everything was safe. The suspicious package contained only papers. I haven’t heard if the papers were just normal papers, or if there were threats. FCW reported that there has been a string of suspicious packages delivered to my company. We haven’t evacuated for previous suspicious packages, so either the police were exceedingly careful, or there was more to this one.

GoDaddy Pulls seclists.org

It seems that GoDaddy is now acting as the internet content police. They disabled the domain registration for seclists.org based on a complaint from myspace.com. Seclists.org is a web archive of many security mailing lists; I use its RSS feeds to follow many security discussions.
It seems the content in question included the list of 53k usernames and passwords that had been collected on a phishing site and posted to one of the lists. MySpace didn’t like that.
I’m of two minds on this. When I’m trying to take down sites hosting malicious content, it’s often beneficial to send a cease-and-desist email to every possible link in the chain. On the other hand this is a slippery slope where a domain could get yanked for any reason.
People enticed by cheap domains held their nose when reading the fine print. GoDaddy’s ToS says they “reserve the right to terminate your access to the services at any time, without notice, for any reason whatsoever.”
You still shouldn’t mess with Fyodor.

Eschelbeck Slams Windows Defender

I was a fan of Gerhard Eschelbeck when he was with Qualys. He’s been pretty much off my radar since he took the CTO position at Webroot. Today he comes out swinging against Windows Defender, as reported in Information Week.

“If you look at the [Defender] data points, they speak for themselves,” says Eschelbeck. “Defender didn’t block 84% of the tested malware. That’s not the kind of performance users are hoping for.” Eschelbeck says that his firm’s research team tested Defender against a suite of Trojan horses, adware, key loggers, system monitors, and other unwanted programs, all of which were gathered from in-the-wild threats. Webroot’s own Spy Sweeper blocked 100% of the threats.

Hmm, so in tests where they gathered the malware themselves, their own antispyware program detected everything and the competitor didn’t do so well. That’s quite a shock.
Take a look at Sunbelt Software’s response when Webroot and Veritest released results last spring.

Eschelbeck also slammed Windows Defender, and by connection, Vista’s security, for infrequent updates. Microsoft currently issues spyware definition updates every seven to 10 days, he says. Webroot, meanwhile, identifies approximately 3,000 new traces of spyware every month. “Users can’t wait for a week or so to have their anti-spyware signatures updated,” says Eschelbeck.

So Eschelbeck is comparing Defender’s update frequency with the number of new spyware samples Webroot catalogs. Apples/oranges, anyone? The comparable figure would be how many of those 3,000 monthly samples each product detects, and how long after they appear. Hopefully that is the writer’s mistake.
I know nothing about Windows Defender’s update frequency. I do like that it uses an established update channel like Windows Update. However, I prefer my anti-malware apps on the desktop to check for updates hourly.

Mystery of the Quicktime Update.

Apple has provided a fix for the RTSP vulnerability announced during the Month of Apple Bugs. Unfortunately, the update is well hidden for Windows users: the Apple security document only has a download link for Mac users; there is no link for Windows 2000 and XP users. Interesting.
The ISC diary has posted instructions for downloading the patch, but you need to have Apple Software Update installed. If you have it, it’s probably on the Start menu; you only get it if you have recently installed iTunes or QuickTime. I only have it on one of my computers, and I can’t figure out where to download the patch for the others. I ran “check for updates” from within QuickTime and it says I am up to date! This is not going to be good for enterprise software updates. We were already asking why QuickTime is on our Ghost load.
I used Microsoft Process Monitor while downloading the patch on the one computer that has Apple Software Update installed. That let me spot and capture the MSI file from my Temporary Internet Files: %userprofile%\Local Settings\Temporary Internet Files\Content.IE5\M7CLQPIX\SecurityUpdate2007-001[1].msi (the Content.IE5 subfolder name will vary on your machine).
After installing the patch, my QuickTime still reported version 7.1.3 under Help > About QuickTime from within the program.
The update does create a registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Security Updates\2007-001, with a Version value of 7.1.3.191 (you need to double-click Version in regedit to see the full value). The file version of quicktimeplayer.exe is now 7.1.3.191 as well, where previously it was 7.1.3.100. These two items, rather than the About box, will differentiate patched systems from unpatched ones.
Now I need to figure out how to deploy this. Next, I will check whether the 7.1.3 download from www.apple.com/quicktime is the new build. If so, I’ll probably update my install package and do a bit of testing. Hopefully it won’t be necessary to slipstream or daisy-chain this SecurityUpdate2007-001.msi with the existing 7.1.3 installer.
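Since the About box reports 7.1.3 both before and after the patch, an inventory check has to key off the four-part file version or the Security Updates registry key. The following is an added example, not Apple’s or the post’s code, that classifies hosts from those two facts: it compares versions numerically (so 7.10 sorts after 7.9, which a string compare gets wrong) and refuses to call a host unpatched on the strength of a three-part product version alone. The host records are constructed; collecting the file version and registry value from real machines is left to whatever inventory tool you already use.

```python
"""Classify QuickTime installs as patched or not for SecurityUpdate2007-001 (added example)."""
import re

PATCHED = (7, 1, 3, 191)     # quicktimeplayer.exe file version after the update
UNPATCHED = (7, 1, 3, 100)   # file version before it
UPDATE_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime"
              r"\Security Updates\2007-001")   # Version=7.1.3.191 once installed


def parse_version(text):
    """'7.1.3.191' -> (7, 1, 3, 191). Tuples compare numerically, field by field.
    Returns None when the string holds no digits at all."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text or ""))
    return parts or None


def classify(file_version, update_key_version=None):
    """Return 'patched', 'unpatched' or 'unknown' for one host.

    file_version       - version resource of quicktimeplayer.exe (four fields)
    update_key_version - data of the Version value under UPDATE_KEY, if present
    A three-field product version (what Help > About shows) is the same for
    both builds, so it yields 'unknown' rather than a false 'unpatched'.
    """
    key = parse_version(update_key_version) if update_key_version else None
    if key and key >= PATCHED:
        return "patched"
    fv = parse_version(file_version)
    if fv is None or len(fv) < 4:
        return "unknown"
    return "patched" if fv >= PATCHED else "unpatched"


def report(inventory):
    """inventory: iterable of (host, file_version, update_key_version) tuples."""
    return {host: classify(fv, kv) for host, fv, kv in inventory}


if __name__ == "__main__":
    # Constructed sample inventory records.
    hosts = [
        ("ws01", "7.1.3.191", "7.1.3.191"),
        ("ws02", "7.1.3.100", None),
        ("ws03", "7.1.3", None),          # only the About-box version was collected
        ("ws04", "7.1.3.100", "7.1.3.191"),  # exe not yet replaced, key already written
    ]
    for host, status in report(hosts).items():
        print(host, status)
```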

Just Don’t Call Symantec

My manager asked if we had any news on when Symantec IM Manager (formerly IMLogic) will support AIM 6 and Triton. It’s been over two months since Symantec sent out a notice saying that AIM 6 will not work when IM Manager is used, and over four months since the customer advisory that AOL Triton 1.3 and 1.5 will not work.
When you invest in a vendor (such as Akonix, Facetime or Symantec) you are betting that they will continue to develop the product. There are always new client versions, and if the vendor doesn’t move to support them, your users will be left in the IM stone age.
My call to support to ask about their progress in supporting these products did not begin well. After waiting on hold for 15 minutes, I spoke to the person who collects the info necessary to route the call. My call was then answered by the technical guy, who said “hello.” What the hell is that? Who am I talking to? It sounded like I had been routed to the janitor’s closet. Next he asked me for my case number. Shouldn’t he already have that in front of him? So I asked my question: when will AIM 6 be supported by IM Manager? His response? “What’s that?” Well, that instills confidence that this call will go well. So I told him that AIM 6 is not supported and does not work with current versions of IM Manager, and that I had already checked the knowledge base and read the article on what is supported. What I wanted to know was whether they are working on it, and what the timetable is. His response? He tried to read the KB article about supported clients to me.
I then tried to call Symantec customer service, both to comment on this idiot and to try to get an answer. Unfortunately customer service has a hold time of 45 minutes thanks to the “new” licensing process. The licensing process is not new; I fought with that abomination in November and December.
Symantec has done as I predicted. They have bought and ruined yet another good product.

JAVA install/uninstall

Bye-Bye Bank Account

It looks like bank account and retirement account theft is going to be this year’s “stolen laptop.” By that I mean it will be the story that is reported with increasing frequency.
Today’s story is found in Techworld. It seems that some participants in the government’s Thrift Savings Plan had a keystroke logger installed on their computers. The bad guy used the captured login and account information to electronically transfer cash to other accounts.

“External penetration testing has demonstrated that our system has not been breached,” the TSP said. “There is no evidence of any successful attacks against the system to identify a PIN and thus obtain access.”

This is kind of a strange quote. The failure of an external pen test to find holes does not demonstrate that the system hasn’t been breached; it only shows what the testers couldn’t find. In this case the compromise was a keystroke logger on the participants’ own PCs, so the TSP perimeter was never the target and a clean pen test says nothing about the stolen PINs. To determine whether the system itself has been breached, you would need to examine the system logs, IDS logs, and so on, and to trust those logs they would have to have been shipped to a separate log server so that an intruder couldn’t alter them. A forensic examination of the systems may be needed.