When I was reading about the Google Desktop Search vulnerability over the weekend, Google’s rep was quoted as saying it would all be fixed silently without the user doing anything. I took that to mean it was done. This morning's vulnerability scan of HQ shows we have a significant amount of Google Desktop that needs updating.
Here’s a link to the “Help Center” article on the vulnerability. I
Why isn’t the Google Desktop Blog posting on this subject? It says it is “The official source for information about Google Desktop.”
Archive for February 2007
Google Desktop
Browning Notice
I received an email today about a settlement notice regarding a class action lawsuit over some credit monitoring. I read the email over, googled the web page given, and checked out Snopes, but didn’t find anything. Next I opened my RSS reader and found that Brian Krebs has an excellent writeup. His summary: it’s very suspicious looking, but it’s actually a legit settlement notice.
Java Patching
Java is a very difficult program to manage in the enterprise. It seems to have its share of vulnerabilities. Multiple branches continue to be used (1.3, 1.4, 1.5, 1.6). It’s not a matter of upgrading to the latest version and removing everything else.
Applications may be hard coded to use a specific version and will break if you uninstall. Since in most cases we did not provide the Java, the administrators don’t know in which instances old Java is required.
Sun recommends keeping older versions of the Java Runtime Environment (JRE) on your system.
Then there is this later article which says that with 5.0 Update 6 and later installed on the Windows platform, all applets are executed with the latest version of the JRE. I wonder how the applications hard coded for earlier versions of Java would continue to work?
I notice that my vulnerability scanner detects the older versions of Java even though a newer version is installed. I’m trying to figure out whether I need to remove these earlier versions to be safe. Even then, do I dare remove them if earlier versions are needed by my users?
“Experts” Gush over Google Office Security
SCMagazine reports that the new Google Office won’t have security problems like Microsoft Office.
1. Security will be more robust
2. Updates will Appear Automatically
3. Less Features mean more security
Amol Sarwate, manager of vulnerability research at Qualys, says, “You never have to patch anything, so hackers would be reluctant to target. You won’t even know if a patch is released. Whenever you log in, you’ll get the newest version they have.”
Does that sound like a good thing? One of the complaints about Google Desktop Search was secret patching. Shouldn’t you know what’s going on? Qualys offers a software as a service vulnerability scanner and they announce major version updates. I wonder if they are silently patching security problems as well.
Eric Ogren, an analyst at Enterprise Strategy Group, told SCMagazine.com that Google will protect the software in its data center, and it will not be vulnerable to typical client-side vulnerabilities.
I wonder if this means my data would be kept forever, and available for search warrants, and also available to be accidentally disclosed.
The SC writer buried the lead in my opinion. Amol Sarwate also said this service “could be vulnerable to an emerging set of web-based threats such as cross-site scripting and SQL injections.”
That’s what made this article jump out at me. In a week where it is reported that Google Desktop Search is inherently insecure it seems this article is trying to tell me that Google Office is secure by default.
MySpace and Second Life have been targets. Who is to say similar issues won’t be found in Google Office?
FISMA
Richard Bejtlich sets out to write a book review, and instead writes a screed about FISMA in his latest blog entry. It’s a shame, too. I would like to know if this book is a good resource for those who are forced to participate in FISMA. We are currently under an Interim Authority to Operate and the auditor is coming in next month to extend that. People where I work create C&A packages and audit them for customers.
When we looked for an outside auditor for our C&A package we had a hard time. Most of the companies we were considering were strong in the technical writing or strong in technical knowledge. We didn’t find a company that was strong in both areas. Both skills are necessary.
Anyone who has been involved with a C&A knows it’s one big paper chase. Does this mean it’s a bad thing? I would argue no. Documentation is important. FISMA forced us to update our documentation and create new documents. This is necessary. Due to the tyranny of the urgent that occurs in an I.T. shop this wouldn’t have been done otherwise.
All of the commenters on Richard’s entry disparage the C&A. They say that it offers no improvement in security. They argue that instead its a jobs program for C&A writers. Based on my own experience, I would say you get out of a C&A what you put into it. If it is an antagonistic relationship between the auditors and the System Administrators, then you have a problem. The problem is exacerbated when management just wants to check off C&A boxes rather than actually examining security and making things better. At my company we are better than some but we have a long way to go. The C&A has helped us get there.
Back Online
I had to get my webhost to fix the Internal Server error. When they migrated servers last summer they did something special to make the CGI work, I think that was blown away. At any rate, they got it fixed relatively quickly, so I’m happy.
After that was brought up, I think my autoban script blew away the .htaccess file. But I fixed that as well so the default doc is back.
It’s pretty late; I’ll see about posting some actual content tomorrow.
RSA Conference Wireless
Over at vnunet, Tom Sanders writes about the RSA conference.
More than half of the computers used by security experts attending the RSA Conference in San Francisco this week lack the proper protection and may have been compromised, according to wireless security firm AirDefense.
The company scanned all wireless traffic on the first day of the conference and found a total of 623 Wi-Fi enabled notebooks and mobile phones.
Some 56 percent of these devices were configured automatically to log-on to networks with common names such as ‘Linksys’ or ‘T-Mobile’, a feature known as an open access wireless account.
So the first paragraph is an improper summary of the statistics. “More than half of the computers used by security experts” weren’t misconfigured. It was half of the computers with wireless enabled.
So the vendor has interesting statistics and I liked the article as a whole but for me it almost got overshadowed by a misleading opening paragraph.
It is extremely important not to connect to unencrypted wifi and then leave those profiles enabled when you go anywhere else. Further, evil twin access points do occur. Your computer leaks all sorts of passwords. It’s not just when you’re browsing. The second your network connection comes on line, your mail client, IM client and RSS reader may be logging into things in clear text. It’s a danger you need to be aware of, and you need to keep your clients from launching and sending passwords until you have established a secure encrypted tunnel, whether it’s an ‘always tunnel’ VPN back to work or an ssh tunnel back to your home.
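To make the “your computer leaks all sorts of passwords” point concrete, here is an added example (mine, not from the vnunet article or AirDefense) of the kind of detector you can run over the TCP payloads of a capture taken on an open wireless network. The payloads below are constructed for the example, not a real capture; the credentials in them are invented. The protocol formats it matches (POP3 and FTP USER/PASS, IMAP LOGIN, HTTP Basic, SMTP AUTH PLAIN) are the real ones those clients send when they are not wrapped in TLS or a tunnel.

```python
"""
Clear-text credential detector for TCP payloads captured on an open wireless
network.  Added example; the sample payloads are constructed, not captured.
"""
import base64
import re

# Constructed samples of what a mail client, an FTP client, an RSS reader using
# HTTP Basic auth and an SMTP submission client send the moment the link is up.
# Every address and password here is invented for the example.
SAMPLE_PAYLOADS = [
    (110, b"USER alice@example.com\r\nPASS Winter2007\r\n"),
    (143, b"a001 LOGIN bob@example.com hunter2\r\n"),
    (21, b"USER ftpuser\r\nPASS ftppass\r\n"),
    (80, b"GET /feeds/private.xml HTTP/1.1\r\nHost: rss.example.com\r\n"
         b"Authorization: Basic " + base64.b64encode(b"carol:rss-secret") + b"\r\n\r\n"),
    (587, b"EHLO laptop\r\nAUTH PLAIN "
          + base64.b64encode(b"\x00dave@example.com\x00smtp-pw") + b"\r\n"),
    # A TLS ClientHello: nothing readable, so the detector must stay quiet on it.
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

PORT_NAMES = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP", 587: "SMTP"}

USER_RE = re.compile(r"USER\s+(\S+)$", re.I)                 # POP3 / FTP
PASS_RE = re.compile(r"PASS\s+(\S+)$", re.I)                 # POP3 / FTP
IMAP_LOGIN_RE = re.compile(r"\S+\s+LOGIN\s+(\S+)\s+(\S+)$", re.I)
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+(\S+)$", re.I)
AUTH_PLAIN_RE = re.compile(r"AUTH\s+PLAIN\s+(\S+)$", re.I)


def _decode_basic(token):
    """HTTP Basic is base64('user:password'); returns (user, password) or None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if b":" not in raw:
        return None
    user, _, password = raw.partition(b":")
    return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")


def _decode_plain(token):
    """SASL PLAIN is base64(authzid NUL authcid NUL password); returns (user, password) or None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def find_cleartext_credentials(payloads):
    """Return [(protocol, user, password), ...] for every login visible in clear text.

    payloads is an iterable of (destination_port, payload_bytes); in practice you
    would feed it the reassembled TCP payloads from a capture.
    """
    findings = []
    for port, payload in payloads:
        name = PORT_NAMES.get(port, "tcp/%d" % port)
        text = payload.decode("latin-1")  # 1:1 byte mapping; binary just fails to match
        pending_user = None  # USER and PASS arrive on separate lines
        for line in text.split("\r\n"):
            if (m := USER_RE.match(line)):
                pending_user = m.group(1)
            elif (m := PASS_RE.match(line)) and pending_user:
                findings.append((name, pending_user, m.group(1)))
                pending_user = None
            elif (m := IMAP_LOGIN_RE.match(line)):
                findings.append((name, m.group(1), m.group(2)))
            elif (m := BASIC_RE.match(line)) and (creds := _decode_basic(m.group(1))):
                findings.append((name,) + creds)
            elif (m := AUTH_PLAIN_RE.match(line)) and (creds := _decode_plain(m.group(1))):
                findings.append((name,) + creds)
    return findings


if __name__ == "__main__":
    for proto, user, password in find_cleartext_credentials(SAMPLE_PAYLOADS):
        print("%-5s user=%-20s password=%s" % (proto, user, password))
```

Run against the constructed samples it reports five logins from five different clients and nothing for the TLS connection, which is the whole argument for the tunnel: with the VPN or ssh tunnel up first, every one of those payloads looks like the last entry to anyone on the same access point.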
Solaris Telnet Authentication Bypass
The SANS Internet Storm Center diary has an entry on a telnet authentication bypass vulnerability in Solaris 10 and 11. They don’t mention any useful details, but if you’re the type who prefers to see for yourself, you might check out a place that likes to fully disclose this type of thing.
I found we only have one Solaris 10 server running telnet. It’s one of the Unix administrator’s desktops. You can only access root from the console, but I was able to get in using the ‘adm’ account. Good times, good times.
Symantec IM Manager Upgrade
This afternoon I upgraded Symantec IM Manager from 8.0.12 to 8.1.4. I needed to upgrade to allow the new Live Messenger 8.1 client to work. IM Manager 8.1 is a different code branch than 8.0, but I wanted to see what was new in it as long as I was upgrading.
As I installed I noticed that it was adding .Net 2 to the server. After the install, I ran a Microsoft Update, and sure enough, Symantec installed .Net 2 without the latest security patches.
8.1 has a different web design than 8.0. I kind of like it. While browsing through the options, I noticed that LiveUpdate is one of the listed update methods. The IM Manager updates are still separate. They have embedded the Symantec scan engine into the product, so if you enable it (enabled by default on new installs) it will use Symantec AV to scan file transfers. I currently use Microsoft Antigen for this purpose. Because we don’t have a lot of file transfers via IM, I may save some money at renewal time by ditching Microsoft Antigen.