Archive for January 2008

Use FIPS Compliant Algorithms for Encryption, Signing and Hashing

One of the things I’ve been doing this week is learning about the Federal Desktop Core Configuration (FDCC).
You’ve probably read about it this past week. The short version is that it is a Federal government-wide configuration standard for XP and Vista.
Under FISMA, you just had to have a standard and apply it. With FDCC, everyone is supposed to have the same standard. The FDCC falls prey to a number of fallacies. It seems the developers are tweakers; that is to say, they seem to believe that the more changes made, the more secure the computer is. That is just never a good idea. They appear to have started with a standard to the right of the SSLF policy (Microsoft’s policy for standalone really-secure computers) and only made changes where they absolutely had to.
The mistake I wanted to write about in this blog entry is the setting “Use FIPS Compliant Algorithms for Encryption, Signing and Hashing”. This setting is required for both XP and Vista under the FDCC. This policy should never be used.
The policy enables FIPS 140-1. This is kind of funny, since the government requires FIPS 140-2. What isn’t so funny is that you will be unable to use SSL. Only TLS_RSA_WITH_3DES_EDE_CBC_SHA is supported. EFS encryption will be lowered from AES to 3DES.
When applying a security hardening policy, understand what the settings will do. Test first in a non-production environment. Document your explanations for any exceptions from the standard that you are following.
JAVA 1.6 Update 4
SANS blogged about the latest JAVA 1.6 Update 4 release back on January 12th. Brian Krebs today wrote a piece in his Washington Post blog Security Fix.
I admit it. I have no idea whether or not this update is critical. SANS seemed to say ‘you might want to do this soon.’ Brian said ‘it contains some security fixes. You should update.’ I’m looking around to see how Sun categorizes this fix. Microsoft would be letting me know if it’s critical or important, if exploits are available and how an attack might occur. Cisco would use the CVSS standard, which is pretty cool. Even after reviewing Sun’s release notes I don’t have a clue.
I kind of want to say no news is good news. We need to keep the enterprise-wide reboots caused by software updates to a minimum. I just hope I don’t open my RSS reader one day and read about an exploit in the wild that would have been patched if I had deployed this. I’ll keep this one on the back burner and deploy it if Adobe, Flash and Quicktime slow their vulnerability circus for a while.
NAC Predictions
I’m staying up way too late tonight and reading some NAC literature. I thought this quote was pretty funny.
“By year-end 2007, 80 percent of enterprises will have implemented network access control policies and procedures.”
— John Pescatore, Gartner Inc.
J. Pescatore et al., Protect your Resources With a Network Access Control Process. Gartner Inc., 2004
That quote was in the Sophos literature.
How’s that one turning out?
Symantec Eraser Engine update
Perhaps the following explains the trouble I had with SEP11 and Vista.
From an email sent to platinum customers:
Update: Eraser Engine update – 01/18/07
Symantec has released an Eraser Engine update today, January 18th US Pacific Time. This update replaces a planned AV Engine update that was announced in a previous Platinum Bulletin. It addresses an issue seen by some customers using Symantec Endpoint Protection 11 on Windows Vista which in rare circumstances could cause the system to become unstable. Following this update, the AV Engine and Eraser will have the following versions:
naveng32.dll: 71.4.0.23
ccEraser.dll: 107.4.1.2
Scary SCADA FUD
At a SANS SCADA conference in New Orleans, CIA senior analyst Tom Donohue reported that cyberattacks have caused multi-city power outages outside the United States.
Rob Rosenberger writes a good article about this here.
It is pretty scary to know that there are forces out there plotting to keep us in the dark with no heat or AC. But why am I getting sidetracked with what some people want to require in California?
This reminds me of another time SANS reported that hackers had threatened the lives of scientists at the South Pole. They purportedly hacked an environmental control system and attempted to extort payment or all the scientists would freeze to death. According to this Kevin Poulsen article, a FOIA request uncovered a memo about that incident which said it was minor. “Given the fact that no financial records or systems were compromised, no safety or loss of life was threatened, and no critical system corrupted” by the Romanian hackers, “we need to balance legitimate security needs with the legitimate needs of our scientists at the Pole.”
It sounds to me like in both this South Pole case and this new report of blackouts, the threat of cyberterrorism is being promoted in order to advance an agenda. Without details it’s just FUD.
Of course utilities should be taking precautions, but if the past decade is any indication the public has more to worry about from hurricanes (New Orleans) and general screwups (northeast blackout).
Comments
I have installed the AJAX comment system. It has the side effect of requiring JavaScript to be enabled in your browser to submit a comment.
I’ve also re-enabled anonymous comments. Hopefully the JavaScript will throw off some of the automated comment spammers.
I’ve seen a press release from Yahoo stating they are implementing an OpenID beta at the end of the month. Hopefully shortly after that there will be a plugin to make using Yahoo accounts to comment here just as easy as using AIM accounts.
Good for Office 2003 sp3
David LeBlanc takes the occasion of an Excel zero day to say ‘see, I told you so.’ Excel 2003 SP3 is not vulnerable.
I’d like to know if SP3 is not vulnerable because of the disabling of support for old file formats, or if it’s not vulnerable due to the other assorted fixes in the service pack. David implies it’s the latter, saying “We did a _lot_ of work fuzzing our apps and fixing bugs. While I’ll never claim that SP3 is unbreakable, it’s a lot more robust than Office 2003 was previously, and this probably won’t be the last time we see an advisory over something that affects SP2 but not SP3.”
I was just thinking that if it’s not vulnerable because obsolete file formats are disabled (security over backwards compatibility), then people who follow the information in this KB to enable those file types are still vulnerable. I guess we’ll find out when the patch is released and more information is available. Until then I’m going to go put a bug in someone’s ear at work about upgrading to SP3. We can’t afford to wait until all of our other apps support Office 2007.
Quicktime 7.4
Quicktime 7.4 is out
For detailed information on the security content of this update, visit http://docs.info.apple.com/article.html?artnum=307301
The spam filter has run amok
My MovableType spam defenses have kind of run amok. It was letting through a ton of spam which led me to disable anonymous comments. For its next trick it decided to trash valid comments.
The first method used for trashing valid comments was a rule that http:// shouldn’t appear in the commenter’s name field. That wasn’t a problem until OpenID. The crappy OpenID plugin I’m using doesn’t put the OpenID display name in the name field. Instead it pulls a URL including the name and the server. A quick tweak to the ruleset fixed that problem.
The next issue I found was when my own comments were getting blocked (when using a test account, not my regular comment account, which is set up as a trusted commenter). The Spamhaus Zen filter was blocking me. Back in July, MovableType reported that one of the old blocklists was going away and they recommended using zen.spamhaus.org instead. Since I like Spamhaus I accepted that recommendation uncritically. Now I find out that “ZEN is the combination of all Spamhaus DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, the XBL and the PBL blocklist”. The problem is the PBL is the Policy Block List. It’s like the DUL. It’s designed to prevent end users from sending mail directly to recipient mail servers; they should go through the ISP mail server. That is not the sort of list you should be using with HTTP. Endpoint computers should be browsing directly to my website and making comments.
A better Spamhaus list to use is the XBL. Be aware however that according to Spamhaus, “The XBL contains mostly dynamic IP addresses, meaning the user you would be blocking is probably not going to be the user with the exploited computer. Please do not block innocent users.”
You’re probably better off forcing the user to prove they are human with a Captcha rather than using (misusing) block lists.
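As an added illustration (not part of the original post and not MovableType’s or the plugin’s code), here is how a comment filter could query Zen yet ignore PBL-only hits, so a home broadband visitor is not treated like a compromised host. The sub-list mapping follows Spamhaus’s documented Zen return codes; the sample answers are constructed rather than real lookups.

```python
import ipaddress

# Documented Zen return codes (A records in 127.0.0.0/8) and the sub-list each maps to.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",    # Spamhaus Block List (CSS hits return .3)
    "127.0.0.4": "XBL", "127.0.0.5": "XBL",
    "127.0.0.6": "XBL", "127.0.0.7": "XBL",    # Exploits Block List: infected/hijacked hosts
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",  # Policy Block List: end-user (dynamic) space
}


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the reversed-octet name a DNSBL client resolves for an IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode_zen(answers) -> set:
    """Map the A records returned by a Zen lookup to the sub-lists the IP is on.
    An empty answer list stands for NXDOMAIN, i.e. the address is not listed."""
    lists = set()
    for a in answers:
        if a not in ZEN_CODES:
            raise ValueError(f"unexpected Zen return code {a}")
        lists.add(ZEN_CODES[a])
    return lists


def should_block_web_comment(answers) -> tuple:
    """Decide whether to reject an HTTP comment given the Zen answer for the client IP.
    PBL membership only says the address should not deliver mail directly; it is
    normal for a web visitor, so it must not count. SBL and XBL hits still do."""
    lists = decode_zen(answers)
    return bool(lists & {"SBL", "XBL"}), lists


# Constructed sample responses (not real lookups) for three commenter addresses.
SAMPLES = {
    "192.0.2.10": ["127.0.0.11"],               # home broadband address, PBL only
    "192.0.2.20": ["127.0.0.4", "127.0.0.10"],  # infected host: XBL plus PBL
    "192.0.2.30": [],                           # not listed at all
}

if __name__ == "__main__":
    for ip, answers in SAMPLES.items():
        print(dnsbl_query_name(ip), should_block_web_comment(answers))
```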
Wachovia Bank Robbery
According to the WJLA evening news, there was a bank robbery earlier today at the Wachovia branch across from FBI headquarters. A guy in a Brinks uniform walked in and was given the day’s pickup. The theft was discovered 6 hours later when the real Brinks guy showed up. The thief got away with several hundred thousand dollars.
What are the odds that this was a former Brinks employee who the bank employees knew?
Are your employees trained not to fall for false authority syndrome? Just because someone has a uniform and seems to know what they are doing, that does not mean you shouldn’t be checking ID. Perhaps the lack of an armored car could have been a clue. I read about a similar incident earlier in the week where bank employees became suspicious that the armored car guy was driving his personal car for a bank pickup.