Archive for September 2007

Sanitize those documents meant for public release

The message that you need to sanitize public content to remove tracked changes, comments and other private work product hasn’t filtered out to the State Department.
It seems the State Department was caught holding a course on business open to citizens of “Algeria, Bahrain, Egypt, Iraq, Israel (limited to Israeli Arab citizens), Jordan, Kuwait, Lebanon, Morocco, Oman, Qatar, Saudi Arabia, Tunisia, the United Arab Emirates, West Bank/Gaza and Yemen.”
When news of this United States State Department program that excluded Israeli Jews leaked, they edited the Word document that announced the program and reposted it. Unfortunately they had left “track changes” on and had not purged the revision history prior to reposting.
[image: trackChanges.jpg]
Let that be a lesson: when trying to cover up a program that discriminates based on national origin, make sure you remove hidden data before posting a document to a website. Additionally, LGF reports that one of the sites hosting information on that program was serving up the Tibs-Dialer as well.
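A pre-publication check for exactly this failure, added here as an example and not code from the original post. The State Department file was a binary Word document; this script assumes the OOXML .docx layout instead, where revision marks survive in word/document.xml as w:ins and w:del elements (deleted text is kept in w:delText) and reviewer comments in word/comments.xml. The sample document it builds in memory is constructed for the example.

```python
# Added example (not from the original post): scan a .docx for leftover
# tracked changes and comments before it is posted publicly.
# Assumes the OOXML .docx container; the sample document is constructed.
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}


def hidden_data_report(docx_bytes):
    """Count revision marks and comments; also return any still-visible deleted text."""
    report = {"insertions": 0, "deletions": 0, "comments": 0, "deleted_text": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
        report["insertions"] = len(root.findall(".//w:ins", NS))
        deletions = root.findall(".//w:del", NS)
        report["deletions"] = len(deletions)
        for d in deletions:
            # deleted runs keep their text in w:delText; anyone who opens the
            # file with revisions showing can read it
            text = "".join(t.text or "" for t in d.findall(".//w:delText", NS))
            report["deleted_text"].append(text)
        if "word/comments.xml" in z.namelist():
            croot = ET.fromstring(z.read("word/comments.xml"))
            report["comments"] = len(croot.findall(".//w:comment", NS))
    return report


def safe_to_publish(docx_bytes):
    r = hidden_data_report(docx_bytes)
    return r["insertions"] == 0 and r["deletions"] == 0 and r["comments"] == 0


def build_sample_docx(track_changes):
    """Construct a minimal .docx in memory (sample data, not a real document)."""
    if track_changes:
        body = (
            '<w:p><w:r><w:t>Final wording </w:t></w:r>'
            '<w:del w:id="1" w:author="editor"><w:r>'
            '<w:delText>draft wording removed before release</w:delText>'
            '</w:r></w:del>'
            '<w:ins w:id="2" w:author="editor"><w:r><w:t>replacement text</w:t></w:r></w:ins>'
            '</w:p>'
        )
    else:
        body = '<w:p><w:r><w:t>Final wording replacement text</w:t></w:r></w:p>'
    document = '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body)
    comments = (
        '<w:comments xmlns:w="%s"><w:comment w:id="0" w:author="reviewer">'
        '<w:p><w:r><w:t>remove before posting</w:t></w:r></w:p>'
        '</w:comment></w:comments>' % W_NS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document)
        if track_changes:
            z.writestr("word/comments.xml", comments)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        sample = build_sample_docx(flag)
        print("safe:", safe_to_publish(sample), hidden_data_report(sample))
```

Run it against a real file by passing the bytes of the .docx to safe_to_publish; a False result means the document still carries revision history or comments and needs "Accept All Changes" and comment removal before it goes on the web.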

DIE Hard 4: Someone needs a bigger budget

I saw this article linked from the Drudge Report.
US Video Shows Simulated Hacker Attack

A government video shows the potential destruction caused by hackers seizing control of a crucial part of the U.S. electrical grid: an industrial turbine spinning wildly out of control until it becomes a smoking hulk and power shuts down.

Apparently the US Government has obtained a copy of the latest Die Hard movie.

“They’ve taken a theoretical attack and they’ve shown in a very demonstrable way the impact you can have using cyber means and cyber techniques against this type of infrastructure,” said Amit Yoran, former U.S. cybersecurity chief for the Bush administration. Yoran is chief executive for NetWitness Corp., which sells sophisticated network monitoring software.
“It’s so graphic,” Yoran said. “Talking about bits and bytes doesn’t have the same impact as seeing something catch fire.”

So this is like the Day After Tomorrow, Super Volcano or the disaster movie of the week on SciFi. All that talk of a digital pearl harbor just wasn’t getting enough attention or money, so now they are creating videos about what could happen.
Even after Y2K, it’s quite popular to Speculate Creatively About Dastardly Attacks.

SPAM, or is that spam, I’m sure Hormel will correct me

My morning got kick-started when I noticed that over the weekend a Venezuelan ISP had passed along an abuse complaint from one of their users. Apparently an IP on our network was spamming. The complaint included the full headers of the original message, so I was able to determine that the IP was in the DHCP range for the network outside the firewall. Servers would normally have static addresses. Guests should be on the guest wireless. On the rare occasions when we do approve direct access to the Internet outside the firewall, in most of those cases the client computers are set up with DHCP.
It would have been better if a static address had been assigned. Then I would have known who I was dealing with immediately. Instead I had to do some investigating. A trusty nmap scan revealed that the box was likely Windows. It was running VNC and it had all the typical Windows ports open. An “nbtstat -a ” query reveals the hostname and domain name of the computer. The computer belonged to the employees’ credit union (or rather the mammoth credit union that bought our employees’ credit union).
There were not any credit union personnel on-site, but we were able to verify that the computer in their office was the computer in question. It was quickly removed from the network.
A scathing email was sent to the credit union and they called me late this afternoon to find out what could be done to get their computer back with Internet access of some sort.
Lessons learned:
- Having a DHCP range for this section of the network makes it difficult to track down computers. Perhaps I need to have access to the DHCP server for this range.
- We need to have an IDS covering this segment. You don’t want to find out about badness from strangers.
- When you approve an access request that includes a stipulation that a personal firewall be used, follow up and make sure one is used.
This access request was approval memo number 419. I thought that was kind of funny since it led to spamming.

Filezilla 3

Filezilla is my favorite client for FTP and SFTP, so when I read over at mrtech that version 3 was out of beta I wanted to try it out. More importantly I wanted to know if there were any security issues that would hasten my upgrade. I didn’t immediately see that info on the filezilla site, so I decided to check out their forum.
From some comments on their forum it sounds like version 3 is a good thing to stay away from for a while (even if you take the complaints with a grain of salt).

  • Using 40% more memory than before, still a small number but a notable increase
  • Opening more slowly than before
  • Drag and drop not working in Vista

But the main reason I stopped to blog about this is the discussion over password storage.
How do you want your applications to store your passwords? With Firefox or IE or Outlook Express you can save a password. It’s starred out when you type it into the password field, so it’s secure, right? Not so fast. With tools downloaded from the Internet those passwords can be revealed in seconds.
The same apparently is true for the password obfuscation used in Filezilla 2. For version 3 Filezilla has decided to remove the pretense of security and just store the passwords in clear text. Since I haven’t installed version 3 yet, I don’t know if they bother to warn anyone about that small little detail.
This has sparked a lively debate in the Filezilla Forums. Or rather people try to ask about it and they get a response like this:

Go back into your cave. If you actually had the technical understanding on how computers work, you would know that password obfuscation is pointless.

In another post, the forum admin dismisses a request that Filezilla be password protected. He says that it is the operating system’s job to protect the file.
The problem with that theory is that you can’t rely on file system access control lists. Too many people might have administrative rights on a corporate computer. EFS might lock the file down to one user, but what if a virus is running in the user’s context? Further not all companies allow EFS.
It would be nice if there were a setting we could deploy to all systems to disallow the saving of passwords in filezilla.
For myself, I guess I’m either going to have to enable EFS for this file or make sure I only save passwords in passwordsafe.
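Short of the deployable "don't save passwords" setting the post wishes for, an administrator can at least audit for saved credentials and strip them out of the site list before pushing it to workstations. The script below is an added example, not code from the post or from the FileZilla project. It assumes the FileZilla 3 sitemanager.xml layout of a FileZilla3 root holding Servers/Server entries with Host, User and Pass children; the sample file is constructed. It reports which sites have a stored password without ever printing the password itself.

```python
# Added example (not from the original post or the FileZilla project):
# audit a FileZilla 3 sitemanager.xml for clear-text saved passwords and
# produce a copy with them removed. Layout assumed; sample is constructed.
import xml.etree.ElementTree as ET

SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webadmin</User>
      <Pass>hunter2</Pass>
      <Name>Production web</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Name>Staging (ask for password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def saved_password_sites(sitemanager_xml):
    """Return the names of sites whose entry carries a non-empty <Pass> element."""
    root = ET.fromstring(sitemanager_xml)
    flagged = []
    for server in root.iter("Server"):
        if server.findtext("Pass"):  # password sitting in clear text on disk
            flagged.append(server.findtext("Name") or server.findtext("Host"))
    return flagged


def strip_saved_passwords(sitemanager_xml):
    """Return the XML with every <Pass> element removed, so the site list can be
    redistributed without stored credentials; the user is prompted at connect time."""
    root = ET.fromstring(sitemanager_xml)
    for server in root.iter("Server"):
        for pw in server.findall("Pass"):
            server.remove(pw)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name in saved_password_sites(SAMPLE_SITEMANAGER):
        print("stored password:", name)
    print(strip_saved_passwords(SAMPLE_SITEMANAGER))
```

Point saved_password_sites at the contents of each user's sitemanager.xml in a login script and log the site names to the help desk queue; the stripped copy is what you would hand out as a baseline site list.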

Phishing ADP

ADP posted the following on Friday.

Beginning yesterday, certain ADP clients and other parties started receiving fraudulent e-mails that appear to be sent from ADP. They were not.
If you receive these e-mails DO NOT OPEN, FORWARD, LAUNCH OR RESPOND TO THEM. IMMEDIATELY DELETE THEM. The e-mails and their attachments are malicious and could harm your computer. We believe they are attempting to compromise your data.
WHAT YOU NEED TO KNOW:
Here is what you should be on the lookout for:
The “from:” address in these e-mails may have been spoofed to look like it is coming from ADP such as “emplservices292823@adp.com” or “adpcomplaintcenter@adp.com”.
The subject line may read: “Agreement Update for [Your Company Name (Case id: ______)]” or “Complaint Update for [Company Name (Case id. #)]”.
The e-mail may have an attachment named either Agreement.rtf or Agree.rtf or may instruct you to “download a copy of your complaint.”
These attacks are sophisticated and you may receive other fraudulent e-mails. Please be careful not to open any suspicious attachments or to download any files.
ADP will continually update the information on its website to help you identify and avoid problems from these suspicious e-mails. You will be able to visit http://www.adp.com/about_fraudulentemail.asp for the latest information.
WHAT YOU NEED TO DO:
If you received one of these suspicious e-mails do not open the attachment and do not provide any information of any kind. Delete the e-mail and any attachment immediately.
WHAT IS ADP DOING ABOUT THIS:
ADP’s security team is working with law enforcement as well as outside experts to identify those responsible for this attack. If we identify any further steps needed to protect your computer, ADP will immediately post this information on our website.
We appreciate your understanding as we work with law enforcement and you to resolve this matter.
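The notice above lists concrete indicators: a spoofed adp.com From: address, the "Agreement Update" / "Complaint Update ... Case id" subject pattern, the Agreement.rtf or Agree.rtf attachment, and the "download a copy of your complaint" lure. The script below turns them into a mail-gateway check; it is an added example, not part of ADP's notice. The list of hosts ADP legitimately sends from is an assumption (in practice it would come from ADP's published mail servers), and both messages are constructed samples.

```python
# Added example (not from ADP's notice): flag messages matching the
# indicators in the notice. LEGIT_SENDING_HOSTS is an assumption;
# the two sample messages are constructed.
import re
from email.parser import Parser

SUSPECT_SUBJECT = re.compile(r"^(Agreement|Complaint) Update for .*Case id", re.I)
SUSPECT_ATTACHMENTS = {"agreement.rtf", "agree.rtf"}
LEGIT_SENDING_HOSTS = {"mail.adp.com"}  # assumption: ADP's real outbound MTAs


def _body_text(msg):
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode(errors="replace"))
    return "\n".join(parts)


def _received_hosts(msg):
    hosts = []
    for header in msg.get_all("Received", []):
        hosts.extend(re.findall(r"from\s+([\w.-]+)", header))
    return hosts


def phishing_indicators(raw_message):
    """Return the indicators from the notice that one RFC 822 message matches."""
    msg = Parser().parsestr(raw_message)
    hits = []
    if "@adp.com" in msg.get("From", "").lower():
        # a From: claiming adp.com that did not arrive via a known ADP host
        # is treated as spoofed
        if not any(h in LEGIT_SENDING_HOSTS for h in _received_hosts(msg)):
            hits.append("spoofed adp.com sender")
    if SUSPECT_SUBJECT.search(msg.get("Subject", "")):
        hits.append("suspect subject")
    for part in msg.walk():
        fn = part.get_filename()
        if fn and fn.lower() in SUSPECT_ATTACHMENTS:
            hits.append("suspect attachment " + fn)
    if "download a copy of your complaint" in _body_text(msg).lower():
        hits.append("download lure")
    return hits


# constructed sample resembling the messages the notice describes
PHISH = """Received: from mail.bad-host.example ([192.0.2.10]) by mx.example.net
From: ADP Complaint Center <adpcomplaintcenter@adp.com>
To: payroll@example.net
Subject: Complaint Update for [Example Net (Case id. 55512)]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please download a copy of your complaint.
--b1
Content-Type: application/rtf; name="Agreement.rtf"
Content-Disposition: attachment; filename="Agreement.rtf"

sample attachment body
--b1--
"""

# constructed sample of a message that would pass
LEGIT = """Received: from mail.adp.com ([203.0.113.7]) by mx.example.net
From: ADP Client Services <emplservices@adp.com>
To: payroll@example.net
Subject: Your September statement is available
Content-Type: text/plain

Log in to your account to view the statement.
"""

if __name__ == "__main__":
    print(phishing_indicators(PHISH))
    print(phishing_indicators(LEGIT))
```

Any message with two or more hits is a reasonable quarantine threshold; a lone "suspect subject" hit on its own is worth logging but will catch legitimate replies that quote the phishing subject line.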

Why good passwords?

Auditors and Company Policy

It’s always nice when your own auditors follow company policy. We have an external auditor in for the next 6 weeks in order to obtain FISMA certification. At the kickoff meeting, we told the auditors that they were not allowed to put their computers on our internal network, but they were more than welcome to use our guest wireless. This information was also on the account request form that they signed.

I had a feeling that they weren’t going to follow our policy. We don’t currently have a technical mechanism in place to enforce such a policy. I opened our DHCP management console and sure enough 5 computers had a DHCP lease with a computer name and domain giving away that their owner was this auditing firm.

So I was able to bust them on that, and prove to them that we do review the logs and record anomalies in servicedesk.
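Both this post and the spam complaint above come down to the same lease review: given an IP from an abuse complaint, find the machine that held it, and given a lease table, list machines whose name or domain does not belong on that segment. The script below is an added example, not code from either post. It assumes a tab-separated lease export of the form ip, mac, hostname, domain, expiry (export formats vary by DHCP server); the lease rows, the forwarded headers, the domain names and the note format are all constructed.

```python
# Added example (not from the original posts): correlate an abuse complaint's
# originating IP with DHCP leases, and list leases from unapproved domains.
# Lease export format assumed; all sample data constructed.
import re
from datetime import datetime

# constructed lease export: ip, mac, hostname, domain, expiry (tab-separated)
LEASES_TXT = """\
192.0.2.20\t00:11:22:33:44:55\tSRV-FTP01\tcorp.example\t2007-09-20 10:00
192.0.2.21\t00:11:22:33:44:66\tCUTELLER3\tbigcu.example\t2007-09-17 08:15
192.0.2.22\t00:11:22:33:44:77\tAUDIT-LT7\tauditfirm.example\t2007-09-18 09:30
192.0.2.23\t00:11:22:33:44:88\tAUDIT-LT2\tauditfirm.example\t2007-09-18 09:31
"""

APPROVED_DOMAINS = {"corp.example"}  # what is allowed on this segment

# constructed headers as forwarded in an abuse complaint; Received: lines are
# prepended by each hop, so the bottom one is the hop nearest the sender
COMPLAINT_HEADERS = """\
Received: from mx1.isp.example.ve ([198.51.100.5]) by mail.victim.example.ve
Received: from relay.example.net ([203.0.113.9]) by mx1.isp.example.ve
Received: from CUTELLER3 ([192.0.2.21]) by relay.example.net
From: cheap-pharma@example.invalid
Subject: amazing offer
"""


def parse_leases(text):
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, host, domain, expires = line.split("\t")
        leases.append({"ip": ip, "mac": mac, "host": host, "domain": domain,
                       "expires": datetime.strptime(expires, "%Y-%m-%d %H:%M")})
    return leases


def originating_ip(headers):
    """IP in the bottom-most Received: header, i.e. the earliest recorded hop."""
    ips = re.findall(r"^Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", headers, re.M)
    return ips[-1] if ips else None


def lease_for_ip(leases, ip):
    """The lease that holds the IP (None if it is not a DHCP address)."""
    for lease in leases:
        if lease["ip"] == ip:
            return lease
    return None


def unapproved_leases(leases, approved_domains):
    """Leases whose domain is not on the approved list, e.g. the auditors' laptops."""
    return [l for l in leases if l["domain"].lower() not in approved_domains]


def servicedesk_note(lease):
    """One-line record of the anomaly for the ticket system."""
    return "%s (%s) on %s, lease until %s" % (
        lease["host"], lease["domain"], lease["ip"],
        lease["expires"].strftime("%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    leases = parse_leases(LEASES_TXT)
    culprit = lease_for_ip(leases, originating_ip(COMPLAINT_HEADERS))
    print("abuse complaint:", servicedesk_note(culprit))
    for lease in unapproved_leases(leases, APPROVED_DOMAINS):
        print("unapproved:", servicedesk_note(lease))
```

Bear in mind that the bottom Received: header is only trustworthy up to the first hop you control or the ISP vouches for; a sender can append fake Received: lines below the real ones, so confirm the match against your own mail relay or firewall logs before acting on it.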

Third Brigade product integrated into Trend Micro antivirus software

Cox adds SSL for Webmail

Back in February I repeated Rob Pegoraro’s announcement that SSL for Cox Webmail would be occurring in the first quarter of 2007.
In July, Cox enabled POP3 over SSL and indicated that SSL for Webmail was coming soon as well.
Cox has finally enabled SSL for Webmail, but it is only protecting the credentials at login.
There are several problems with this.
1) When you type in your login credentials, you are at a non-SSL site. You cannot verify the authenticity of the site to which you are providing credentials.
2) When you read your email it doesn’t go over an encrypted link.
3) It may be vulnerable to a cookie replay attack such as the one announced against Google Mail at Black Hat 2007.
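The three problems can be turned into a check you run against what you observe of a webmail deployment: where the login page is served from, where the form posts, where the mailbox is read, and whether the session cookie set at login carries the Secure attribute (without it, the browser sends the cookie on every plain-HTTP request, which is what makes the replay possible). The script below is an added example, not code from the post; the two configurations are constructed samples, not measurements of Cox's actual site.

```python
# Added example (not from the original post): offline assessment of a
# webmail deployment against the three problems listed above.
# Sample configurations are constructed.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def assess_webmail(login_page_url, form_action_url, mailbox_url, set_cookie_headers):
    """Return a list of findings; an empty list means none of the problems apply."""
    findings = []
    if urlsplit(login_page_url).scheme != "https":
        # the form may post to https, but the page carrying it was never
        # authenticated, so the user cannot verify who gets the credentials
        findings.append("login form served over plain HTTP")
    if urlsplit(form_action_url).scheme != "https":
        findings.append("credentials posted over plain HTTP")
    if urlsplit(mailbox_url).scheme != "https":
        findings.append("mail read over plain HTTP")
    for header in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            if not morsel["secure"]:
                # sent on every plain-HTTP request, hence capturable and replayable
                findings.append("cookie %s lacks Secure flag" % name)
    return findings


# constructed sample resembling the arrangement described in the post:
# only the credential POST is protected
PARTIAL_SSL = dict(
    login_page_url="http://webmail.example.net/",
    form_action_url="https://webmail.example.net/login",
    mailbox_url="http://webmail.example.net/inbox",
    set_cookie_headers=["session=abc123; Path=/; HttpOnly"],
)

# constructed sample of the arrangement that addresses all three points
FULL_SSL = dict(
    login_page_url="https://webmail.example.net/",
    form_action_url="https://webmail.example.net/login",
    mailbox_url="https://webmail.example.net/inbox",
    set_cookie_headers=["session=abc123; Path=/; Secure; HttpOnly"],
)

if __name__ == "__main__":
    for label, cfg in (("partial", PARTIAL_SSL), ("full", FULL_SSL)):
        print(label, assess_webmail(**cfg))
```

The inputs are exactly what you can read out of a browser's page-info dialog and the Set-Cookie response header at login, so the check can be repeated each time a provider announces an SSL change.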

Remembering Rick Rescorla

On this somber day, I pause to remember Rick Rescorla. On September 11, 2001 he helped guide the Morgan Stanley employees in his care out of the World Trade Center. His foresight as a security officer saved many lives that day at the cost of his own life.
God bless Rick Rescorla.