Archive for July 2007

It's a wonder we get anything done.

I’m reviewing our Site Security Plan in preparation for an audit. In the section for the Physical and Environmental Protection Policy it says the site “has an active fire safety program with continuous training for all staff.”

It's a wonder we get anything done if the fire safety training never ends.

IE7 and www.us.army.mil

Due to some overenthusiastic checkbox checking by an SMS admin who was rolling out patches through ITMU, IE7 was deployed to our users this week. We had an IE7 package built with the IEAK that had already gone to test groups, but it wasn’t yet the scheduled deployment time. Because it went out early we didn’t have a chance to educate users about the differences in IE7, which led to a rather amusing complaint.
It seems that if you go to http://www.us.army.mil it redirects you to an SSL version of the page. The site uses a DoD-issued certificate, and the DoD root is of course not in the browser's trusted root store. As a result the user gets IE7's new, much more dire certificate warning and calls the help desk. As with most louts, this one was stridently anti-Microsoft, proclaiming that if the Army's security isn’t good enough for Bill Gates, he didn't know what would be. Rather than pointing out the many hacks of Army computers, we let him know that he saw a similar message in IE6 and would see one in Firefox too. This has nothing to do with Bill Gates not trusting the Army. It has everything to do with the Army not chaining its certificates to a commonly trusted CA: the browser cannot build a path from the site's certificate to any root it already trusts, so it warns. It's working exactly the way it should. If he has reason to trust that certificate and its issuer, he can choose to trust it and not see the message again; the right way to do that for the whole domain is for us to push the DoD root certificates into the trusted root store ourselves, after checking their fingerprints against a source other than the site that presents them.
I imagine the users will shortly learn to ignore the IE7 warning the way they blindly clicked Yes when prompted in the past.
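What the browser is doing underneath, as an added example in Go (not code from the original post, the Army site or Microsoft): it mints a private root CA and a server certificate chained to it, verifies the server certificate against an empty trust store, which fails with an unknown-authority error exactly as IE7 does for a certificate chained to a root it does not ship, and then verifies again after the root has been explicitly added. The CA name "Example Root CA", the hostname www.example.test and the keys are all made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sign creates a certificate from tmpl. With parent == nil it is self-signed
// (a root); otherwise it is issued by parent and signed with signer's key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain mints a private root CA and a server certificate for host issued
// by it. "Example Root CA" is a made-up stand-in for any root (such as the DoD
// roots) that browsers do not ship in their trust store.
func BuildChain(host string) (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if root, err = sign(rootTmpl, nil, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = sign(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return root, leaf, err
}

// Verify does what a browser does: build a chain from leaf to one of the
// anchors in roots and check that the certificate is valid for host.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether err is the "issuer is not a trusted
// root" failure, the condition behind the IE7 warning described above.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Fingerprint returns the SHA-256 fingerprint of a certificate, the value to
// compare out of band before adding a root to a trust store.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	const host = "www.example.test" // made-up hostname for the demo
	root, leaf, err := BuildChain(host)
	if err != nil {
		panic(err)
	}
	stock := x509.NewCertPool() // a store without the private root: what a stock browser sees
	err = Verify(leaf, stock, host)
	fmt.Printf("stock trust store: %v (unknown authority: %t)\n", err, IsUnknownAuthority(err))
	withRoot := x509.NewCertPool() // the same store after the root is deliberately added
	withRoot.AddCert(root)
	fmt.Printf("root added: err=%v\n", Verify(leaf, withRoot, host))
	fmt.Printf("root fingerprint (sha256): %s\n", Fingerprint(root))
}
```

The fingerprint printed at the end is the thing to check, against a value obtained somewhere other than the site itself, before a root goes into a domain's trusted root store; clicking past the warning is the same as adding that root without the check.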

Another Vulnerability in Mozilla Firefox’s URL Handling

Looks like another Firefox vulnerability is going to lead to another patch.
As Jesper says:

We recommend people use Internet Explorer in Protected Mode on Windows Vista and practice safe browsing habits to protect themselves against these vulnerabilities in Mozilla Firefox.

Things I did not know – Cox Pop over SSL

In George Ou’s blog entry titled “Email Security Has been around forever, you just have to turn it on”, George asserts:

“My current DSL provider AT&T like most ISPs supports SSL encryption on POP3 and SMTP and it’s as simple as a checkmark and using ports 995 for POP3 and 465 for SMTP instead of the usual ports 110 and 25”

I wasn’t aware that my ISP, Cox Communications, offered POP over SSL, so I decided to give it a try. It's actually listed on their support site; I just wasn’t aware of it. It looks like they started offering it a week or two ago.
I placed a check in the “this server requires a secure connection” box, changed the POP3 server name to spop.east.cox.net, and I was set.
Now if only Cox would enable SSL for webmail like they said they would 7 months ago. According to posts from Cox employees at Broadband Reports, webmail SSL is coming soon.
Some users would like SMTP over SSL. Currently Cox does not use authentication for SMTP, so what is there to protect? If you argue the contents of the message, I would suggest that if the data is that important you use S/MIME, which protects it end to end rather than only on the hop to Cox's server. Because Cox SMTP is usable on-network only, you’re less likely to be sending mail from an insecure location that requires client-to-server SMTP encryption.

Secunia Personal Software Inspector

How many times have I gone over to a friend's house and ended up working on their computer? Sometimes it's fixing something, but often it's making sure their third-party applications are patched. Microsoft makes it really easy to deploy its own patches, but every other application is often ignored. For a while now I’ve used Secunia’s Software Inspector, a web-based tool that checks for vulnerable software versions. Now Secunia has released an installable version of the product. It's free for home use and includes a privacy notice that should let most people who aren’t software pirates sleep easier about allowing the inventory.
Personal Software Inspector 0.1.0.0 Beta installed easily and quickly performed a software inventory. It didn’t find anything on my system. I don't know of anything that is out of date right now, so that is probably accurate.
It checks more than 4,200 applications. According to the website, if it had found something I would have been prompted with a link to the update. That might be easy enough for non-techies to follow.
Their web version does tend to complain about old versions of Flash. The only way to fix that is to download and run the Flash uninstaller, then immediately install the latest version of Flash.
Normally I wouldn’t tell my friends to install a version 0.1 beta product, but here the benefits seem to outweigh the risks.

It turns out the initial scan hadn’t actually completed when I wrote the above. Secunia gives my home system a score of 74%!
Some of the findings are old Flash files in the i386 directory, or an old version of SAV (not installed, mind you) that I had extracted for packaging. The scanner flags every copy of a vulnerable file on disk, not just installed applications, so where a flagged file lives matters when deciding whether a hit is real.
I wish the product would let a user export all of this information, so a less knowledgeable user could export it and mail it to me for clarification.

Apple Security Blinders on the Apple Zealots

Apparently the Apple fanboys are continuing with their mantra, “it's not a vulnerability until there is a public demonstration”. Of course we know that’s not true. Even after public demonstrations of a wireless vulnerability last year at Black Hat, Apple and its defenders mounted a smear campaign against the researchers. The mantra also ignores that the people reporting this one are associated with Johns Hopkins, which lends credence to the “researchers”, and that it has been demonstrated to reporters at the New York Times.
This fanboy response reminds me of the head-in-the-sand response of Microsoft and its defenders until Slammer, Sasser and Blaster made it hard to mount a defense. There is a difference between denial and taking a wait-and-see attitude.
The bad guys I worry about don’t wait for a public demonstration.

SecurityFocus Interview with Mpack Criminal

SecurityFocus has an interview with DCT, a developer of MPack.
DCT says, “Well, I feel that we are just a factory producing ammunition.” Ammunition can be used for multiple purposes. You can hunt game and provide food for your family. You can shoot targets and have hours of entertainment. You can defend yourself and others against bad guys. You can commit a 187. MPack can’t make that claim. Its sole use is criminal. Exploits as ammunition is an argument that Metasploit can make, because it can be used for legitimate purposes. I don’t see that with MPack.
DCT also tries to push the idea that they are just a bunch of guys having fun in their spare time, and scoffs at the idea that MPack is related to the Russian mob.

Adware.cpush detection

I received what appears to be yet another false positive in Symantec AntiVirus. Adware.CPush was detected in c:\program files\filezilla\uninstall.exe.
FileZilla is an open-source FTP/SFTP client. This file has been on my computer for a while, so I tend to believe it is a false positive. I’ll update this post if I see anything from Symantec on the subject.
update 7/16 12:20pm:
Symantec sent out the following email, which explains the hit: the false positive is on anything built with the NSIS installer, and FileZilla's uninstall.exe is an NSIS-built uninstaller.
—–Original Message—–
From: symalert@symantec.com [mailto:symalert@symantec.com]
Sent: Monday, July 16, 2007 12:13 PM
Subject: LiveUpdate posting to correct False Positive
The July 16, 2007 LiveUpdate posting will correct a false positive detection
on some installers or tools created using the Nullsoft Scriptable Install
System (NSIS). This FP caused such files to be incorrectly detected as
Adware.CPush. This FP was first introduced in
RapidRelease definitions build number 70817 (version 07/14/2007 revision 32)
and in the 07/15/2007 revision 2 LiveUpdate and Intelligent Updater
definitions. It was corrected in RapidRelease definitions build number 70822
(version 07/15/2007 revision 4).
Today’s LiveUpdate and Intelligent Updater definitions will also correct
this FP. These definitions will have the version 07/16/2007 revision 21.
Current ETA for posting is 10:30AM PDT. An additional message will be sent
approximately 30 minutes before the LiveUpdate virus definitions are
available for download.

SYM07-019 Decomposer Update Tool Expected July 18th

Symantec sent an email early today to its Platinum customers reporting that they are working on a tool which will update the decomposer engine in Symantec AntiVirus Corporate Edition and Symantec Client Security.
The tool will update all supported versions of SAV and SCS to the latest decomposer engines to address the SYM07-019 vulnerability.
They estimate this tool will be released by the end of the day on Wednesday July 18th, 2007 US Pacific Time.
I wasn’t particularly looking forward to upgrading my 10.0.2 clients to 10.1.6, so hopefully this tool will make it possible to upgrade just the vulnerable component.

FT reports Message Labs is for sale

After hearing about Postini’s sale to Google, I wrote earlier this week wondering if Message Labs was also on the market.
A Friday article in the Financial Times reports that Message Labs has been positioning itself to be bought. With Brightmail, FrontBridge and now Postini purchased, it is hard for me to tell whether Message Labs is the odd man out or whether its value is greater now that the other options have been removed. The article also states that if a sale is not completed, an IPO could be in the works (which reminds me of the Sybari IPO, where Microsoft bought the company instead).
The article reports that likely buyers are McAfee, TrendMicro, IBM and HP.