Archive for March 2008

Forescout Announces Buyout Program for Orphaned Lockdown Customers

Last week Forescout announced a program to credit Lockdown customers for their orphaned NAC equipment when they make a Forescout CounterACT purchase.
Lockdown is a NAC vendor that announced it was ceasing operations. Forescout is an up-and-comer in the NAC market. Personally, I think they are the best NAC choice, and when I get some time, I'll have an entry about why I think that.
I think this is a great way for Forescout to get their name out there. At the same time, though, the death of Lockdown does make me even more wary about using a smaller player. It's a classic trade-off. Going with the established name means they probably won't go out of business. At the same time, their feature set may not be as good and they won't have good support or response to enhancement requests. With Forescout, there is a risk they will go out of business or be bought by "XYZ Company you hate". But they will tend to be more responsive and thus have better features.
Different companies have different opinions on the best approach to take. Even if you go with an established "name" company, they may drop your product line when they purchase a smaller-name company that has a better product. It's a risk that needs to be considered.

George Ou Out at Zdnet

I was surprised to read that George Ou is out at ZDNet as a result of corporate restructuring. I've enjoyed his writing and have learned from it. I also got a big kick out of how angry he made the Mac people.
I'm assuming that corporate restructuring is the usual code phrase for layoffs. I can only hope that Mary Jo Foley made that list as well. Ok, so that's a bit mean.
I hope George lands on his feet.

Vista and Netstumbler Revisited

I'm over at a SANS conference this week, learning about wireless security. One thing I found interesting is the instructor's comment that Netstumbler is the most useful tool for war-driving. He felt it handled multiple sessions and a lot of data better than the alternative. I think the GPS integration was better as well.
I hadn't considered Netstumbler since I upgraded to Vista and couldn't get it to work any longer. I wrote about that here. As a side note, it looks like I need to do some search engine optimizing. A search for 'vista Netstumbler' (not in quotes) shows a Security News Portal copy of my RSS feed on page one, but doesn't have my own entry. If I narrow that search to my website, Google finds an old version of the post. An upgrade changed all the underscores in URLs to dashes and removed the old style sheet. So even using Google to search only on my site results in a bad result. But back to the topic at hand…
When I got back from day 1 of the conference, I installed Netstumbler, and again no joy, even when I ran with admin rights. I think Netstumbler needs to stop Microsoft’s wireless zero config, and I suspect that Vista isn’t letting it do that. That is just a theory however. After that didn’t work, I installed the drivers for a card using the Atheros chipset. I plugged that into the PCMCIA slot, and Netstumbler was able to use that no problem.
I haven’t nailed down the exact cause of the onboard card not working, but at least I know that with the right card Netstumbler can work with Vista.

The Caching Proxy and the ISP Webmail

Last Friday, one of the guys in the department noticed that when he signed into Cox webmail he would access Cox mailboxes belonging to other employees. He was even able to open messages in those accounts.
I went back to my office and created a test account. There is an awful lot of potential for confidentiality violations here. Although I never repeated the results I saw on my co-worker's screen, I did find I would see the Cox inbox for other employees when I selected logoff.
We use BlueCoat SG 810-B to provide HTTP/HTTPS security in web browsing. This additionally provides a proxy cache which in theory saves on bandwidth costs. We haven’t had problems previously with Cox Webmail, nor have we had problems with any other webmail or logon based website.
To resolve the problem, I disabled proxy caching on the BlueCoat for webmail.east.cox.net. Immediately the problem went away.
Just to be on the safe side, I checked with my BlueCoat Sales Engineer. He says that cookie-based webmail normally works fine, as the cookies are non-cacheable by default. Otherwise the webmaster needs to do a better job marking things as non-cacheable. By marking the entire site as non-cacheable I resolved the problem quickly.
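The failure above comes down to how a shared cache decides what it may store: if the webmail site sends nothing that forbids caching, a proxy is allowed to keep a page and hand it to the next client that asks for the same URL, whoever that is. The following PowerShell function is an added example, not code from this post or from Blue Coat, that applies the HTTP/1.1 shared-cache rules to a set of response headers. The two header sets at the bottom are constructed samples: the first resembles an inbox page with no caching headers at all, the second is the same page marked the way the webmaster should mark it. The "Set-Cookie blocks caching" rule reflects the proxy default the Sales Engineer described and is an assumption about that product, not an RFC rule.

```powershell
# Added example, not code from the post or from Blue Coat: decide whether a
# shared (proxy) cache may store an HTTP response, following the HTTP/1.1
# caching rules (RFC 2616 section 13; restated in RFC 7234 section 3).
function Test-SharedCacheable {
    param(
        [Parameter(Mandatory=$true)][string[]]$ResponseHeaderLines,  # "Name: value" lines
        [switch]$RequestHadAuthorization                             # request carried an Authorization header
    )

    # Fold the lines into a table keyed by lower-cased header name; repeats are joined.
    $headers = @{}
    foreach ($line in $ResponseHeaderLines) {
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            $name  = $Matches[1].ToLower()
            $value = $Matches[2].Trim()
            if ($headers.ContainsKey($name)) { $headers[$name] = $headers[$name] + ', ' + $value }
            else                             { $headers[$name] = $value }
        }
    }

    $cc = ''
    if ($headers.ContainsKey('cache-control')) { $cc = $headers['cache-control'].ToLower() }
    $blockers = @()

    if ($cc -match '\bno-store\b') { $blockers += 'Cache-Control: no-store' }
    if ($cc -match '\bprivate\b')  { $blockers += 'Cache-Control: private' }
    if ($RequestHadAuthorization -and ($cc -notmatch '\b(public|must-revalidate|s-maxage)\b')) {
        $blockers += 'Authorization on the request and no public/must-revalidate/s-maxage'
    }
    # The proxy policy the Blue Coat SE described: a response that sets a cookie
    # is not cached (an assumption about that product's default, not an RFC rule).
    if ($headers.ContainsKey('set-cookie') -and ($cc -notmatch '\bpublic\b')) {
        $blockers += 'Set-Cookie present (proxy policy)'
    }

    # With nothing blocking it, the response is stored if it carries explicit freshness
    # (max-age, s-maxage, Expires) or enough for a heuristic lifetime (Last-Modified).
    $explicit  = ($cc -match '\b(max-age|s-maxage)=\d+') -or $headers.ContainsKey('expires')
    $heuristic = $headers.ContainsKey('last-modified')
    $cacheable = ($blockers.Count -eq 0) -and ($explicit -or $heuristic)

    $reason = 'no blocker but no freshness information'
    if ($blockers.Count -gt 0) { $reason = $blockers -join '; ' }
    elseif ($cacheable)        { $reason = 'no blocker and freshness information present' }

    [pscustomobject]@{ Cacheable = $cacheable; Reason = $reason }
}

# Constructed samples (not captured from any real site). The first is an inbox page
# whose session is carried by a cookie sent on an earlier request, with no caching
# headers of its own; the second is the same page marked non-cacheable.
$inboxUnmarked = @(
    'HTTP/1.1 200 OK',
    'Content-Type: text/html',
    'Last-Modified: Fri, 21 Mar 2008 14:02:11 GMT'
)
$inboxMarked = @(
    'HTTP/1.1 200 OK',
    'Content-Type: text/html',
    'Cache-Control: private, no-store, no-cache',
    'Pragma: no-cache',
    'Expires: 0'
)

Test-SharedCacheable -ResponseHeaderLines $inboxUnmarked   # Cacheable: True  (the bug described above)
Test-SharedCacheable -ResponseHeaderLines $inboxMarked     # Cacheable: False
```

The unmarked page is storable purely on heuristic freshness from Last-Modified, which is exactly the situation in which a proxy can serve one user's inbox to another. Disabling the cache for the whole host, as done above, is the quick fix on the proxy side; the durable fix is the site sending `Cache-Control: private, no-store` on every authenticated response.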

Calendar Invite Spam

Trend Micro has a blog entry on calendar invite spam. I’ve been seeing that as well.
My biggest problem is reporting the spam. How do you get headers out of a meeting invite in Outlook? If I open the .msg file the user forwarded, the headers are hidden by Outlook. If I look in Notepad, the text is encoded. Perhaps another mail client will be nicer.
In the examples I've seen the invite is from Google Calendar. It's another example of spam from a semi-trusted host.

30 more

Over the weekend I received a benefits summary from work. They mail it out to remind people of all the non-salary related benefits that we get. The company doesn’t pay as well as others, but the retirement benefits are the golden shackles.
They provide retirement projections assuming an x, y, or z rate of return and an inflation rate of a. In addition it assumes that my contributions remain proportionally the same, that the retirement program doesn't change, and that I get a 4% raise (cost of living adjustment) each year. Looks like I may be working until I'm 65.
Can you imagine working for 30 more years? Looking back at what has changed in the past ten. Looking at what will change in the next 30. Fortunately you don't have to listen to my cracked crystal ball (how do you listen to a crystal ball?). Bruce Schneier had some interesting comments in the latest Information Security mag.
In a fit of optimism Bruce says that security will become a requirement of the products. It will be baked in, instead of an add-on solution. One thing that will drive this is SaaS. “IT is infrastructure. Infrastructure is always outsourced. And the details of how the infrastructure works are left to the companies that provide it.”
As that happens Bruce sees a consolidation in the security industry. Bad news for us Infosec guys. We'll be replaced by an Indian call center. Just kidding. It doesn't sound good, though. Richard Bejtlich's blog entry on this subject predicts small companies will jettison their IT staff, and a lot of us may end up working for service providers. That sounds like a net loss of security jobs to me.
Will that happen? Have most companies outsourced their helpdesk? I don't think so. Many that have found that external helpdesks didn't provide the same level of service. Have most companies outsourced log review? I don't think so. The external company doesn't have the same interest or personal responsibility. Information security policy and implementation is still extremely important.

Looking at the online black market

SC Magazine has a whitepaper from MessageLabs titled The Online Shadow Economy – A Billion Dollar Market. It reports on the research of MessageLabs Senior Architect of Development Maksym Schipka into the online criminal underworld, particularly Russian websites and forums.
You can buy custom-written malware for as little as $250. Support is available for an extra $25 a month to ensure your malware continues to evade detection. As others have also reported, malware writers test their products against anti-virus software before release to guarantee that existing signatures will not detect it. This is where MessageLabs has been so great. The combination of established antivirus scan engines and their own Skeptic engine, a heuristic scanner, prevents malicious email attachments from getting through.
Schipka's research suggests that malware authors can produce new, unique malware every 45 seconds in order to keep it undetected. Signature-based protections are not going to stand up to that attack.
If you do go to that link to read the research paper, be aware that SCMag will force you to register (I didn’t find a bugmenot account). Also they will email the password you input in clear text. SCMag, thanks for cleartexting my password. I almost forgot the password in the one second between registering and receiving the “welcome” email.

Firewire Attack Against Pointsec

After reading about a FireWire memory attack against Windows (it also affects other operating systems), I figured it wouldn't take long before someone demonstrated the use of that against full disk encryption. After all, why bother booting to USB, or freezing the RAM, if you can just hook up a FireWire connection and access the memory.
Today, I saw a Dark Reading article where a group/vendor has penetrated a Pointsec encrypted computer through the use of the firewire technique.

This simple attack takes advantage of the FireWire protocol and its ability to directly access and modify the RAM of a target machine with a FireWire port installed. Using a simple and readily available forensics software tool, it is possible to connect a FireWire cable to a computer, and within seconds bypass the Windows authentication and log in as a local administrator.

It is important to note that pre-boot authentication was not enabled on this computer. If it had been, the attack would not have succeeded. I can't imagine deploying FDE without pre-boot authentication. This article could have described an attack against any FDE vendor not using pre-boot authentication.
I've disabled the FireWire port on my laptop. I haven't looked at what it would take to disable the FireWire port in an enterprise. Perhaps it's time for more spelunking in devcon. Or maybe Google will have an easy answer. I wonder how many "port control" products include FireWire.
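One way to script the mitigation mentioned above, as an added example that is not code from this post: devcon.exe, the device console from the Windows DDK/WDK, can select every device by setup class, and the FireWire host controllers live in the class named 1394. The function below assumes devcon.exe is on the PATH and the shell is elevated; without -Apply it only reports what it would disable.

```powershell
# Added example, not code from the post: list, and optionally disable, every device
# in the "1394" setup class (FireWire host controllers) with devcon.exe, the device
# console from the Windows DDK/WDK that the post mentions. Assumes devcon.exe is on
# the PATH and the shell runs elevated. "=1394" is devcon's setup-class selector.
function Disable-FireWireControllers {
    param([switch]$Apply)   # without -Apply the function only reports

    # Enumerate the controllers first so the change is visible before it is made.
    & devcon.exe find '=1394'

    if (-not $Apply) {
        Write-Output 'Dry run: re-run with -Apply to disable the devices listed above.'
        return
    }

    & devcon.exe disable '=1394'
    # devcon exit codes: 0 done, 1 done but a reboot is needed, 2 failed, 3 bad syntax.
    switch ($LASTEXITCODE) {
        0       { Write-Output 'FireWire controllers disabled.' }
        1       { Write-Output 'Disabled; a reboot is required before it takes effect.' }
        default { Write-Warning "devcon returned exit code $LASTEXITCODE" }
    }

    # Show the resulting device state so the change can be verified and audited later.
    & devcon.exe status '=1394'
}

# Usage: Disable-FireWireControllers          (report only)
#        Disable-FireWireControllers -Apply   ("devcon enable =1394" reverses it)
```

Pushed out as a computer startup script, this disables the controller on every machine the policy covers; it does not replace pre-boot authentication, which is what actually stops the attack in the article.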

The Case of the New DC and the LM Hash

While reviewing the results of the latest windows domain password audit, I noted that there was an increase in the number of lanman hashes stored. We had two domain controllers blow up recently and they had to be rebuilt from scratch rather than restored from backup. I correctly figured that on one or both of those DCs the disable lan man setting had not been implemented correctly.
I knew that on a Windows 2000 domain controller this setting needed to be added manually. The Group Policy setting only affects XP and Windows 2003 computers. I didn't remember what the registry setting was, so I went to http://support.microsoft.com/kb/299656, where I read:

To add this key by using Registry Editor, follow these steps:
1. Start Registry Editor (Regedt32.exe).
2. Locate and then click the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. On the Edit menu, click Add Key, type NoLMHash, and then press ENTER.
4. Quit Registry Editor.
5. Restart the computer, and then change your password to make the setting active.

In my haste, I forgot about the difference between a Key and a Value. I saw that the domain controller had HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa with Nolanman hash set to dword value 1. I compared that to the other domain controllers and didn’t see why that domain controller wasn’t working.
It took a second to realize that was the Windows 2003 setting set by Group Policy. For Windows 2000, you need to go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and create a key of nolmhash. That isn’t the same thing at all. A quick check verified that this setting was missing on the new DCs and existed on the old DCs. We set the registry key and scheduled a reboot.
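The two forms are easy to confuse in a hurry, so here is an added example, not code from this post or from Microsoft, that reports both on each domain controller and says which one counts for that machine's OS (NT version 5.0 is Windows 2000, 5.2 is Server 2003). It reads the registry remotely through .NET, which assumes the Remote Registry service is running on each DC and the caller has admin rights there; the DC names in the usage line are placeholders.

```powershell
# Added example, not code from the post or from Microsoft: report how each domain
# controller records the "do not store LM hash" setting. Windows 2003 and XP use
# the REG_DWORD value NoLMHash = 1 that the Group Policy setting writes; Windows 2000
# needs a subkey named NoLMHash (KB299656). Both live under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Assumes the Remote Registry service is
# running on each DC and the caller has admin rights there.
function Get-NoLMHashState {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)

    foreach ($dc in $ComputerName) {
        try {
            if ($dc -eq '.' -or $dc -eq 'localhost') {
                $hklm = [Microsoft.Win32.Registry]::LocalMachine
            } else {
                $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                            [Microsoft.Win32.RegistryHive]::LocalMachine, $dc)
            }

            # NT version: "5.0" is Windows 2000, "5.1" is XP, "5.2" is Server 2003.
            $ntVersion = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion').GetValue('CurrentVersion')

            $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            if ($null -eq $lsa) { throw 'cannot open the Lsa key' }

            # Windows 2003 / XP form: the DWORD value (GetValue returns $null if absent).
            $value        = $lsa.GetValue('NoLMHash')
            $valueEnabled = ($null -ne $value) -and ([int]$value -eq 1)

            # Windows 2000 form: the subkey. Registry names are case-insensitive and so
            # is -contains on strings, so "nolmhash" and "NoLMHash" both match.
            $keyPresent = ($lsa.GetSubKeyNames() -contains 'NoLMHash')

            $lsa.Close()

            # Which form actually matters depends on the OS of that DC.
            $effective = if ($ntVersion -eq '5.0') { $keyPresent } else { $valueEnabled }

            [pscustomobject]@{
                ComputerName  = $dc
                NtVersion     = $ntVersion
                Win2003Value  = $valueEnabled   # what Group Policy sets
                Win2000SubKey = $keyPresent     # what KB299656 has you add by hand
                Effective     = $effective
                Error         = $null
            }
        } catch {
            [pscustomobject]@{
                ComputerName = $dc; NtVersion = $null; Win2003Value = $null
                Win2000SubKey = $null; Effective = $null; Error = $_.Exception.Message
            }
        }
    }
}

# Usage (placeholder names): run from a management workstation and compare the
# rebuilt DCs with the ones that still pass the password audit.
# Get-NoLMHashState -ComputerName 'DC1', 'DC2', 'DC3' | Format-Table -AutoSize
```

A rebuilt Windows 2000 DC shows Win2003Value true (Group Policy applied it) but Win2000SubKey false, and therefore Effective false, which is the state described above. Remember the KB's last step: the setting only stops new LM hashes, so existing ones remain until each user's next password change.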

Google CAPTCHA breakage leads to increase in spam

MessageLabs Intelligence report for February 2008 reports that "4.6% of all spam originates from the major web mail-based services and the proportion of spam from Google increased two-fold from 1.3% in January to 2.6% in February."
They speculate that this increase in Google spam occurred because hackers have recently compromised Google's CAPTCHA. A CAPTCHA is used to prevent automated account registrations by spam bots. Yahoo and Hotmail's CAPTCHA method was previously compromised.
Mail from the major webmail services (Google, Yahoo, and Hotmail) comes from legitimate servers and is DomainKeys-signed or has an SPF record. A spam filter then can only act on the content of the message and not the reputation of the sender.
Spammers are in it for the money and they aren’t going to slow their attack. Webmail providers need to continue to work to be good Internet citizens and prevent their servers from being part of the problem.