Archive for August 2007

Packaging the Cisco VPN Client

For some reason the Cisco VPN client was available in both an InstallShield package and an MSI package. It became time to upgrade recently, so I reluctantly re-entered the realm of Cisco software. This is something truly to be feared.
The InstallShield version is rather easy to install and brand, although it appears to be impossible to import two root certificates. The MSI version requires creating a transform file and has some really bad instructions about using Microsoft Orca to do this. I also found out that if you have an InstallShield version of the Cisco VPN client installed, you must remove it and reboot before attempting to install the MSI version (and then reboot again).
Unfortunately Cisco has pulled the InstallShield version of the latest release, and they report that no further InstallShield versions will be released. I guess I’ll have to figure out how to package the MSI version, because I just don’t want to deploy an older, slightly vulnerable InstallShield version, particularly when no further InstallShield versions will be released.

ngix, Stormworm and Cisco IDS

On August 21, the SANS Internet Storm Center noted that the Storm worm was now being hosted on servers running ngix in the latest wave of attacks. They further noted that signatures based just on that server name were a bad idea because ngix is a legitimate web server.
I notice that my Cisco IDS is reporting instances of the Storm Worm. A lookup of that signature in the Cisco IPS signature database found that “the signature triggers on seeing the string “Server:ngix” in the return web traffic.” While it does note that this could be legitimate traffic, this really wastes my time.
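An added illustration (not from the original post, and not Cisco’s signature logic): the constructed HTTP responses below show why a rule keyed only on the Server banner fires on ordinary pages, and how requiring an executable payload alongside the banner narrows the alerts to the one case worth looking at. The “MZ” payload check is my assumption of a useful extra condition, not the vendor’s fix.

```python
"""Added example: banner-only detection vs. banner-plus-payload detection.
The responses are constructed for illustration and are not captured traffic."""
import re

# Constructed sample responses: (host, raw bytes of headers plus first payload bytes)
SAMPLE_RESPONSES = [
    # a legitimate site serving a normal page from a server with that banner
    ("news.example", b"HTTP/1.1 200 OK\r\nServer: ngix\r\nContent-Type: text/html\r\n\r\n<html>..."),
    # a legitimate site serving a PDF from the same kind of server
    ("files.example", b"HTTP/1.1 200 OK\r\nServer: ngix\r\nContent-Type: application/pdf\r\n\r\n%PDF-1.4"),
    # a Windows executable served from a banner-matching host: the case that merits an alert
    ("hostile.example", b"HTTP/1.1 200 OK\r\nServer: ngix\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00"),
    # same kind of executable, different server banner: banner rules miss it entirely
    ("other.example", b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00"),
]

# The post quotes the signature string as "Server:ngix"; real headers carry a space,
# so the banner pattern tolerates optional whitespace after the colon.
BANNER = re.compile(rb"^Server:\s*ngix\b", re.I | re.M)


def split_response(raw):
    """Separate the header block from the body at the blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def banner_only_rule(raw):
    """Mimics a signature that fires on the Server banner alone."""
    head, _ = split_response(raw)
    return BANNER.search(head) is not None


def banner_and_executable_rule(raw):
    """Alerts only when the banner matches AND the body starts with a PE header."""
    head, body = split_response(raw)
    return BANNER.search(head) is not None and body.startswith(b"MZ")


def evaluate(rule, responses=SAMPLE_RESPONSES):
    """Return the hosts the given rule would alert on."""
    return [host for host, raw in responses if rule(raw)]


if __name__ == "__main__":
    print("banner only       ->", evaluate(banner_only_rule))
    print("banner + MZ body  ->", evaluate(banner_and_executable_rule))
```

Two of the three banner-only hits are the legitimate sites; the narrower rule keeps the one response that actually delivers an executable. The last sample also shows the limit of either rule: a banner condition contributes nothing once the hosting moves to a different web server.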

One Monster of an Attack

There are several lessons to be learned from the recent penetration of monster.com and the subsequent phishing attempts. In this attack, recruiter accounts were compromised and used to download around a million Monster user records. These records were used to create targeted phishing attacks purporting to be from interested employers.
The first thing I’m wondering is how these recruiter accounts were compromised. Was the account brute-forced? If so, why did Monster allow the use of weak passwords? Why didn’t Monster lock the account after numerous bad password attempts? I sure hope the people whose accounts were compromised didn’t use that password anywhere else, or if they did, they should be frantically changing them.
Even if the account(s) were compromised through the use of a keystroke logger on the recruiter’s system, why were they able to download so many records? Shouldn’t that raise some sort of red flag?
In the case of the phishing, users need to be aware that requests for their personal, bank and credit information need to be treated with suspicion. Beware what information you make available on such a site in the first place.
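The two controls the post asks about, lockout after repeated bad passwords and a red flag on bulk record downloads, as an added example that is not part of the original post. The event stream, the lockout threshold and the download threshold are all constructed for illustration.

```python
"""Added example: account lockout and bulk-download alerting over a constructed
event stream. Thresholds are assumptions chosen for the demonstration."""
from collections import defaultdict

MAX_FAILED_LOGINS = 5        # lock after this many consecutive failures (assumed)
MAX_RECORDS_PER_HOUR = 500   # downloads above this total are flagged (assumed)

# Constructed events: (minute, account, action, record_count)
EVENTS = [
    (0, "recruiter_a", "login_fail", 0),
    (1, "recruiter_a", "login_fail", 0),
    (2, "recruiter_a", "login_fail", 0),
    (3, "recruiter_a", "login_fail", 0),
    (4, "recruiter_a", "login_fail", 0),   # fifth failure: account locks here
    (5, "recruiter_a", "login_ok", 0),     # correct password, but too late
    (10, "recruiter_b", "login_ok", 0),
    (11, "recruiter_b", "download", 40),   # normal-looking activity
    (12, "recruiter_b", "download", 300),
    (13, "recruiter_b", "download", 400),  # pushes the hourly total past the limit
]


class AccountMonitor:
    def __init__(self, max_failed=MAX_FAILED_LOGINS, max_records=MAX_RECORDS_PER_HOUR):
        self.max_failed = max_failed
        self.max_records = max_records
        self.failed = defaultdict(int)       # consecutive failures per account
        self.locked = set()
        self.downloads = defaultdict(list)   # account -> [(minute, count)] in the last hour
        self.alerts = []                     # (minute, account, message)

    def handle(self, minute, account, action, count=0):
        if account in self.locked:
            self.alerts.append((minute, account, "rejected: account locked"))
            return
        if action == "login_fail":
            self.failed[account] += 1
            if self.failed[account] >= self.max_failed:
                self.locked.add(account)
                self.alerts.append((minute, account, "locked after repeated failures"))
        elif action == "login_ok":
            self.failed[account] = 0         # a good login resets the counter
        elif action == "download":
            # keep a sliding one-hour window of download sizes for this account
            window = [(m, c) for m, c in self.downloads[account] if minute - m < 60]
            window.append((minute, count))
            self.downloads[account] = window
            total = sum(c for _, c in window)
            if total > self.max_records:
                self.alerts.append((minute, account,
                                    f"bulk download: {total} records in 60 min"))


def run(events=EVENTS):
    """Feed the constructed events through the monitor and return it for inspection."""
    mon = AccountMonitor()
    for ev in events:
        mon.handle(*ev)
    return mon


if __name__ == "__main__":
    for alert in run().alerts:
        print(alert)
```

The download check is deliberately a running total rather than a per-request limit: each individual request in the sample is plausible on its own, and it is the hourly volume that should raise the flag.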

SAV and ccapp part 2

As I wrote about this morning, I’ve had some issues with SAV 10.1.6.6010 and ccapp.exe.
The first issue, with ccapp and vptray not loading, was traced to bad permissions on the files msvcp71.dll and msvcr71.dll. The logged-on user didn’t have rights to the files, which are needed for ccapp.exe and vptray.exe to run. That problem is solved. Let’s hear it for Process Monitor from Microsoft.
I called Symantec about the SMTP issues. They suggest that I remove the Internet email scanner where it is a problem. It seems odd after all these versions that I’d suddenly have a problem with it. I checked with my fellow Symantec admins over at myitforum, but no one else has had this happen. Looks like I’ll be deploying without the Internet email plugin.
I had one other problem on one computer: ccapp.exe – Application Error. The instruction at “0x010e1feo” referenced memory at “0x010e1feo”. The memory could not be read.
After uninstalling the internet email scanner the problem did not return in our brief testing. I’ll have to keep an eye on that.

SAV and ccapp.exe

I’m trying to upgrade my Symantec Antivirus CE to 10.1.6.6010. In the small test group I’ve got going right now I’ve got two issues.
1. The error “The application failed to initialize properly 0xc0000022.” for both ccapp.exe and vptray.exe occurs when the guest account logs in. (I need to do some checking to see what happens when I log in as a regular user.)
Investigation with Sysinternals Process Monitor shows that it checks for msvcp71.dll in c:\program files\common files\symantec shared\; not finding it there, it finds the DLL in system32. After opening it, it then tries to write to it. Of course regular users cannot write to DLLs in system32. Actually on my computer, it looks like the user who did the installation gets full control and no one else gets any access.
Another user reports that ccapp crashes at logout and the account never successfully logs out.
2. I’m also having reports of trouble sending email, but I haven’t checked into that yet.
I’ll either update this post when I get to a solution, or create a new post with a trackback to here.

Security as a Product Requirement, or not

On paper, security is supposed to be a consideration in determining what products are purchased at my company. Unfortunately that message hasn’t filtered out to all parts of the IT department. It’s not that I want to have to be at every vendor meeting; it would just be nice if the security considerations came before the purchase order is created rather than as the product is deployed to the test bed.
The latest product that leaves me scratching my head is Hummingbird DM.
Hummingbird DM is a document management solution that we have purchased as part of a decision to move away from home grown Lotus Notes databases.
To use Hummingbird DM you have to install a client that digs in deep and takes over much of the computer. What I’ve noticed is that this client opens a website on port 81. I’m not sure of the purpose, but it seems very unnecessary. Permissions also seem to be an issue. I’m sure there are more folders than the ones I have access to. In the folders I can see, I can see sensitive data. What I’m told is that it is up to the user to set permissions when they upload a document. This goes against the best practice of not leaving security in the hands of the end user.

Guardian Edge Configuration Administration Weakness

Guardian Edge Encryption Anywhere Hard Disk is a full disk encryption product that, in the words of their website, offers a “unique integration with Microsoft Active Directory for Group Policy Object based policy management”.

Some policies can only be set at installation, but other settings can be configured through Group Policy. They provide Group Policy Administrative Templates (ADM files) that are imported into Group Policy and deployed to the users. Guardian Edge recommends that access to these Group Policy snap-ins be restricted (which can be done in Group Policy). This prevents a local administrator from importing the ADM file into their local Group Policy and modifying settings themselves.

By opening the ADM files in a text editor, it is apparent which registry keys are modified by each policy. I haven’t tested this since enabling the Group Policy snap-in restriction, but I am reasonably sure that no Group Policy snap-in restriction will prevent me from directly creating these registry keys. Malicious code, or a user trying to escape perceived encryption slowness, could then bypass the normal administration methods and decrypt the hard drive.
Disabling security products is often step 1 for malware when it finds a new computer to infect. Why not decrypt the drive too? That sort of thing wouldn’t help an attacker motivated by money, but there are still plenty motivated by mischief making.
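Since the ADM file already tells you which registry keys each policy writes, the defensive move is to turn that into an audit list: the keys to put an ACL on, or to watch for changes outside of Group Policy. Below is an added example, not from the original post and not Guardian Edge’s template, that parses a classic ADM file into the registry keys and value names each policy touches. The ADM text is constructed with a placeholder path (Software\Policies\ExampleFDE); it is not the vendor’s file.

```python
"""Added example: list the registry keys and values a Group Policy ADM template
writes, as the starting point for a registry ACL or change-monitoring list.
SAMPLE_ADM is constructed; the key names are placeholders, not a real product's."""
import re

SAMPLE_ADM = r"""
CLASS MACHINE
CATEGORY !!FdeCategory
  KEYNAME "Software\Policies\ExampleFDE"
  POLICY !!AllowUserDecrypt
    EXPLAIN !!AllowUserDecrypt_Help
    VALUENAME "AllowUserDecrypt"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY !!IdleLock
    KEYNAME "Software\Policies\ExampleFDE\Timers"
    PART !!IdleLockMinutes NUMERIC
      VALUENAME "IdleLockMinutes"
      MIN 1 MAX 120 DEFAULT 15
    END PART
  END POLICY
END CATEGORY

[strings]
FdeCategory="Example Full Disk Encryption"
AllowUserDecrypt="Allow user-initiated decryption"
AllowUserDecrypt_Help="Constructed sample policy."
IdleLock="Idle lock timer"
IdleLockMinutes="Minutes before lock"
"""

HIVES = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_CURRENT_USER"}
# Only quoted KEYNAME/VALUENAME forms are handled here; ADM also allows unquoted ones.
QUOTED = re.compile(r'^(KEYNAME|VALUENAME)\s+"([^"]*)"', re.I)


def load_strings(lines):
    """Read the [strings] table so !!tokens can be shown as display text."""
    strings, in_strings = {}, False
    for line in lines:
        s = line.strip()
        if s.lower() == "[strings]":
            in_strings = True
        elif in_strings and "=" in s:
            name, _, val = s.partition("=")
            strings[name.strip()] = val.strip().strip('"')
    return strings


def parse_adm(text):
    """Return (hive, key, value_name, policy_display_name) for every VALUENAME.

    KEYNAME may be set at CATEGORY level (inherited by nested policies) or
    inside a POLICY; a VALUENAME inside a PART belongs to the enclosing POLICY.
    """
    lines = text.splitlines()
    strings = load_strings(lines)
    resolve = lambda tok: strings.get(tok[2:], tok) if tok.startswith("!!") else tok
    hive, policy, entries, key_stack = None, None, [], []   # key_stack: innermost last
    for line in lines:
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        if s.lower() == "[strings]":
            break
        upper = s.upper()
        if upper.startswith("CLASS "):
            cls = s.split(None, 1)[1].strip().upper()
            hive = HIVES.get(cls, cls)
        elif upper.startswith(("CATEGORY ", "POLICY ")):
            key_stack.append(None)               # new scope; a KEYNAME inside overrides
            if upper.startswith("POLICY "):
                policy = resolve(s.split(None, 1)[1].strip())
        elif upper in ("END CATEGORY", "END POLICY"):
            key_stack.pop()
            if upper == "END POLICY":
                policy = None
        else:
            m = QUOTED.match(s)
            if not m:
                continue
            if m.group(1).upper() == "KEYNAME":
                if key_stack:
                    key_stack[-1] = m.group(2)
            else:
                key = next((k for k in reversed(key_stack) if k), None)
                entries.append((hive, key, m.group(2), policy))
    return entries


def keys_to_audit(entries):
    """Group value names by full registry path: the list to ACL or monitor."""
    grouped = {}
    for hive, key, value, _policy in entries:
        grouped.setdefault(f"{hive}\\{key}", []).append(value)
    return grouped


if __name__ == "__main__":
    for path, values in keys_to_audit(parse_adm(SAMPLE_ADM)).items():
        print(path, "->", ", ".join(values))
```

Whether an ACL on those keys is enough depends on who the local users are: a local administrator can take ownership of a key and change its ACL, so for that case the list is more useful as the set of keys to monitor for changes than as a hard barrier.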

I approached Guardian Edge support to ask them if this was indeed a viable attack. Is it desirable to place an ACL on this registry key? Could an ACL even be placed on the registry keys used by a policy? They responded:

“We totally depend on the Windows/Active Directory Security models. As of today, Microsoft has provided fixes for all the publicly known security holes for those models.”

Do you really want your Full Disk Encryption totally dependent on Windows for security?

The bottom line is that Guardian Edge’s Full Disk Encryption does what it’s designed for. A stolen computer will be protected by the pre-boot logon as long as the user has shut the machine down.

By the skin of their teeth

Over at BroadbandReports, I ran across a thread linking a wilderssecurity thread with screenshots of just about every antivirus product. One of the posters noted that some of these antivirus products allow you to “skin” them.
Call me an old fuddy-duddy, but skins have no place on antivirus products. I seem to recall both Winamp and RealPlayer having security vulnerabilities due to their skins. That may be acceptable for media players, which need to be hip. I just expect my antivirus to work. I don’t want to know it’s there.

Mal/Dropper-L

We had a couple of viruses get past MessageLabs last night. That is not something I normally see. Both files were named lgame.zip and contained a single file, lgame.exe. The subject of the message was “Hot Pictures.” Sunbelt Software’s analysis of this file is really good. You can view that online here.
The email messages were detected as a virus by the scanner on the mail server. It was detected as Mal/Dropper-L.
I plan to report this false negative to MessageLabs, but their support has been very unresponsive to similar incidents. Their script requires me to save the infected message in .msg format, zip it and mail it to them. Because my mail server antivirus quarantined the attachment, it would be very difficult to reconstruct the original message.
I submitted the file to VirusTotal. Here are their results (this is 7 hours after the files were originally sent).

File lgame.exe received on 08.13.2007 15:00:28 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.8.9.2 2007.08.13 -
AntiVir 7.4.0.60 2007.08.13 Worm/Ntech.D
Authentium 4.93.8 2007.08.11 -
Avast 4.7.1029.0 2007.08.13 Win32:Agent-JYG
AVG 7.5.0.476 2007.08.13 -
BitDefender 7.2 2007.08.13 DeepScan:Generic.PWS.Games.4.2D9F7732
CAT-QuickHeal 9.00 2007.08.13 -
ClamAV 0.91 2007.08.13 Trojan.Dropper-2099
DrWeb 4.33 2007.08.13 BackDoor.Bulknet
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5055 2007.08.13 Win32/Cutwail!generic
Ewido 4.0 2007.08.13 -
FileAdvisor 1 2007.08.13 -
Fortinet 2.91.0.0 2007.08.13 -
F-Prot 4.3.2.48 2007.08.10 -
F-Secure 6.70.13030.0 2007.08.13 Trojan-Downloader:W32/Agent.BRK
Ikarus T3.1.1.12 2007.08.13 Trojan-Downloader.Win32.Agent.brk
Kaspersky 4.0.2.24 2007.08.13 Trojan-Downloader.Win32.Agent.brk
McAfee 5095 2007.08.10 -
Microsoft 1.2704 2007.08.13 -
NOD32v2 2455 2007.08.13 a variant of Win32/TrojanDownloader.Agent.BRK
Norman 5.80.02 2007.08.13 -
Panda 9.0.0.4 2007.08.12 -
Prevx1 V2 2007.08.13 -
Rising 19.36.02.00 2007.08.13 -
Sophos 4.20.0 2007.08.12 Mal/Dropper-L
Sunbelt 2.2.907.0 2007.08.11 -
Symantec 10 2007.08.13 Trojan.Pandex
TheHacker 6.1.8.167 2007.08.13 -
VBA32 3.12.2.2 2007.08.11 -
VirusBuster 4.3.26:9 2007.08.12 -
Webwasher-Gateway 6.0.1 2007.08.13 Worm.Ntech.D
 
Additional information
File size: 20992 bytes
MD5: dfade0d9b21be4fd57dd6975d9fe7ccd
SHA1: 31786e2b62ce7b79c9bed6bd0cfd9c01b3ef67e6
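An added example, not part of the original post: a small parser for the multi-engine listing above that turns it into a detection count, lists the engines whose signatures were older than the scan date, and checks a quarantined file against the reported MD5/SHA1. The rows are the ones shown in the post; the hash check is exercised with the well-known digests of empty input.

```python
"""Added example: parse the VirusTotal listing from the post into a summary and
verify a local sample against the reported hashes."""
import hashlib

SCAN_DATE = "2007.08.13"
REPORTED_MD5 = "dfade0d9b21be4fd57dd6975d9fe7ccd"
REPORTED_SHA1 = "31786e2b62ce7b79c9bed6bd0cfd9c01b3ef67e6"

# Rows copied from the post: engine, version, last update, result ('-' = no detection)
RESULTS_TEXT = """\
AhnLab-V3 2007.8.9.2 2007.08.13 -
AntiVir 7.4.0.60 2007.08.13 Worm/Ntech.D
Authentium 4.93.8 2007.08.11 -
Avast 4.7.1029.0 2007.08.13 Win32:Agent-JYG
AVG 7.5.0.476 2007.08.13 -
BitDefender 7.2 2007.08.13 DeepScan:Generic.PWS.Games.4.2D9F7732
CAT-QuickHeal 9.00 2007.08.13 -
ClamAV 0.91 2007.08.13 Trojan.Dropper-2099
DrWeb 4.33 2007.08.13 BackDoor.Bulknet
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5055 2007.08.13 Win32/Cutwail!generic
Ewido 4.0 2007.08.13 -
FileAdvisor 1 2007.08.13 -
Fortinet 2.91.0.0 2007.08.13 -
F-Prot 4.3.2.48 2007.08.10 -
F-Secure 6.70.13030.0 2007.08.13 Trojan-Downloader:W32/Agent.BRK
Ikarus T3.1.1.12 2007.08.13 Trojan-Downloader.Win32.Agent.brk
Kaspersky 4.0.2.24 2007.08.13 Trojan-Downloader.Win32.Agent.brk
McAfee 5095 2007.08.10 -
Microsoft 1.2704 2007.08.13 -
NOD32v2 2455 2007.08.13 a variant of Win32/TrojanDownloader.Agent.BRK
Norman 5.80.02 2007.08.13 -
Panda 9.0.0.4 2007.08.12 -
Prevx1 V2 2007.08.13 -
Rising 19.36.02.00 2007.08.13 -
Sophos 4.20.0 2007.08.12 Mal/Dropper-L
Sunbelt 2.2.907.0 2007.08.11 -
Symantec 10 2007.08.13 Trojan.Pandex
TheHacker 6.1.8.167 2007.08.13 -
VBA32 3.12.2.2 2007.08.11 -
VirusBuster 4.3.26:9 2007.08.12 -
Webwasher-Gateway 6.0.1 2007.08.13 Worm.Ntech.D
"""


def parse_results(text):
    """Split each row into engine, version, update date and result.
    The result column may contain spaces, so split on at most three whitespace runs."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        engine, version, updated, result = parts
        result = result.strip()
        rows.append({"engine": engine, "version": version, "updated": updated,
                     "result": None if result == "-" else result})
    return rows


def detection_summary(rows):
    """Return (detected_count, total_engines, names_of_detecting_engines)."""
    detected = [r["engine"] for r in rows if r["result"]]
    return len(detected), len(rows), detected


def stale_engines(rows, scan_date=SCAN_DATE):
    """Engines whose signatures were last updated before the scan date
    (dates are zero-padded YYYY.MM.DD, so string comparison orders them correctly)."""
    return [r["engine"] for r in rows if r["updated"] < scan_date]


def hashes_match(data, md5=REPORTED_MD5, sha1=REPORTED_SHA1):
    """True when the bytes of a local sample carry both reported digests."""
    return (hashlib.md5(data).hexdigest() == md5
            and hashlib.sha1(data).hexdigest() == sha1)


if __name__ == "__main__":
    rows = parse_results(RESULTS_TEXT)
    hits, total, names = detection_summary(rows)
    print(f"{hits}/{total} engines detected: {', '.join(names)}")
    print("signatures older than scan date:", ", ".join(stale_engines(rows)))
```

The summary makes the point of the listing concrete: 13 of 32 engines flagged the file seven hours after it was sent, and nine engines were running signatures from before the scan date, Sophos among the ones that still caught it.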

Update: MessageLabs did realize they had let this through and sent us a list of messages to delete. Unfortunately they sent it to the lead contact (who was on vacation) rather than to all of us. Fortunately we’d already caught those messages.

Mozying along

Last month, I read a blog entry over at zatznotfunny about Mozy that got me thinking. Perhaps it’s time to give in to best practice and back up my stuff. I last backed up my home computer in 1995. It was an AST computer with a built-in tape drive of some sort. That computer has been in a closet for 8 years.
Backing up to a USB (or preferably eSATA) hard drive is fine, but if you don’t take the drive to another location you still have potential data loss issues. Once you’ve done that, how do you guarantee a reasonable schedule for backing up?
Some people suggest that I back up to the extra disk space provided by my web provider. If I did that, I would have to somehow schedule backing up, encrypting the data and copying it to the remote server. My web provider’s Terms of Service state that the storage space is for files necessary to the website, so that is not allowed anyway. Others mention Google Mail or Amazon’s S3 service as a great way to store data cheaply. I think it’s important to have software that you can count on to back the files up. I don’t want a kludge.
So that brought me to Mozy. Free for the first 2 GB of data or 4.95 per month for unlimited. That sounded pretty good. If you exclude your media, the free account may be good enough. If you want to back up the videos of the kid’s first recital, then cough up the dough for the unlimited account. Ars Technica had a review in July of several similar products and Mozy came out on top. After checking out their site, I googled to get the other side. A CNet blogger doesn’t like it, but I think he’s being unusually picky.
As I mentioned, data privacy is a concern when you send your data away. With Mozy there is an option to back up with their key or with a key you provide. The more paranoid would say that since it is their software doing the encryption, either key could really be known and stored by them. I chose to go with them picking the key for easier recoverability. I’ll choose to trust their privacy policy that they do not look in data files. Hopefully controls are in place to prevent low-level, uncleared employees from obtaining access.
My data is encrypting now. So far I’m pretty pleased. I’ll have to test recovery (they say it may take some time to create the recovery set for you).
As I say, I just installed it, so I’m not giving a full recommendation. However, you do need to be doing something about backup. If you do choose to try out Mozy, please use this link https://mozy.com/?ref=M447CB. If you sign up from that link and begin backing up data, we’ll both get a free 256 MB bump up.