Archive for June 2008
FDCC Major Update 1
Last week NIST released Federal Desktop Core Configuration settings Major Update 1.
40 settings have changed.
Security Update available for Adobe Reader and Acrobat 8.1.2
I think it's one of those immutable laws of security: the day you finish patching a product, a new patch will be released. Perhaps it just seems that way because of QuickTime.
We just sent out notices last week for our users running Adobe Acrobat (not Reader) to update. While I deploy Adobe Reader updates since it's part of the default install, users have installed Adobe Acrobat on their own, thus they need to patch. Left to their own devices, many were found to still be running 7.0, or worse yet 6, or worse yet 5.
Since we’ve made good progress, it only makes sense that anyone running 8.1.2 will need to update again.
From the adobe bulletin:
A critical vulnerability has been identified in Adobe Reader and Acrobat 8.1.2. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Acrobat 8 and Adobe Reader install the 8.1.2 Security Update 1 patch.
Fortunately 7.1.0 users are already cool.
SecurID and SEPM
Symantec Endpoint Protection Manager Console (SEP11) allows authentication through local accounts, Active Directory and SecurID. SecurID is a two-factor authentication system which combines a user-known PIN and a token-generated 6-digit code for authentication. The token code is generated every 60 seconds.
Because the SecurID passcode is always changing, imagine my surprise when I attempted to log into SEPM and received an error that my password had expired. After checking the KB and the Symantec forums and not finding an answer, I opened a case with support. Support tells me that this is a known issue that should be fixed in a future maintenance release.
For now I'm either going to have to configure AD authentication for people requiring access to the SEPM console (such as admins and helpdesk), or, if I continue with SecurID accounts, recreate their accounts every 90 days.
I think it's a really good idea to use AD or SecurID for authentication so that each administrator doesn't end up with 50 accounts with bad passwords that are never changed. It would be preferable, however, if the authentication actually worked correctly.
Tech Support Bakeoff
No conclusions can be drawn from this single-instance comparison. I called both Sophos and Symantec tech support to ask them a simple question: are there any known interoperability issues between your product (SEP11, and Sophos AV/AF) and PGP? We have seen conflicts in the past between some personal firewall clients and PGP and we'd like to know of any issues.
First I checked the knowledge base articles for each vendor. A search for 'PGP' returned nothing on each website.
Next, a call to Sophos. I got the phone number off their public website. This was not a support line for evaluation customers. I called, went through the phone menu and was talking to tech support after maybe a minute of hold time. He knew there was a potential issue and read me a KB article from their internal system. There is an issue when PGP is installed after Sophos. Couldn't expect much more, although I don't see why that article wasn't in the public KB.
Next, a call to Symantec. It took 3 minutes to get to the call pre-screener. This person couldn't find my contact information, asking me if I've called before. Yeah, for the past 8 years. 9 minutes into the call I finally escaped the pre-screen and got into the real phone queue. The recording said the customer waiting the longest had been on hold for 7 minutes. That is incredible. I was expecting to be on hold for 2 hours, since I called in the afternoon. In about 5 more minutes, I talked to the tech, who was not aware of any PGP issues. I pointed out that PGP interoperability problems would occur most when managing what applications can run, which is off by default. He checked with other people and no one was aware of any issues.
The difference in support on this one call was not as great as I expected. I could live with either one. I just need to get my Symantec account straightened out so I don't have to fight with the pre-screener so much.
My SEPM Update Issue
I'm currently performing an eval with Symantec Endpoint Protection MR2 (referred to here as SEP11).
The testers surprisingly didn't have any complaints. I did notice, however, that the Symantec Endpoint Protection Manager (SEPM) was not downloading updates. Not good.
At first I thought that SEP had locked up, so I rebooted SEPM. New definitions were downloaded once, then it went back to not working.
It turned out that since an image was used to create the server, Symantec Antivirus 10 was installed and I hadn't removed it. Since that was managed, LiveUpdate pointed to my internal LiveUpdate server. That server wasn't updated to handle SEP11 updates, and that caused my update flakiness with SEP11.
“No Major Changes”
"We're really focused on growing the business so we don't want any changes that will interfere with people's ability to do their work." Or relayed another way, "no major changes".
This new CEO mandate has brought all of my projects to a screeching halt as we try to determine exactly what that means. I wrote yesterday about how it was affecting my S/MIME project. It's going to prevent me from fully implementing the NAC project and it's certainly going to affect my endpoint security project.
Is there a time when we won't be interested in growing the business? Is there a time when user disruption shouldn't be minimized? Won't stalling all my projects have serious security implications that may result in more user disruption later?
I've often said the company I work for is headed toward only having maintenance windows from 3 am to 5 am on December 25th. I finally could see all of my projects making serious headway, and last Thursday they completely took the wind out of my sails.
update- I forgot part of the story. Less than two months ago the CEO reviewed our budgeted projects and the unbudgeted projects that people were demanding of us in order to reset our priorities. I’d like to know what changed between then and now.
Blackberry and S/MIME
We’re in the early stages of rolling out digital certificates for signing and encrypting email (S/MIME). In what seemed like a stroke of good timing, Blackberry is no longer charging a separate Client Access License to use S/MIME. Prior to June 2nd, it would have cost us $10,000 to purchase 100 S/MIME CALs.
One might think that because they were charging such an exorbitant rate, S/MIME support would actually work. Sadly this is not the case. We're running what I believe is the latest S/MIME for Blackberry client, and users regularly get a message that "an unexpected error occurred" when they attempt to open some signed or encrypted messages. Thanks, that's a very helpful error message.
Blackberry Enterprise Server v4.1 SP 5 (which we are already running) provides support for encrypted attachment viewing in version 4.5. Unfortunately Blackberry 4.5 is sort of like the Loch Ness Monster. Some people claim to have seen it, but no one knows when it will officially be discovered.
At this point, I'm not sure the problem is even consistently reproducible, but it seems to be enough that my Director wants to stall my project until Blackberry 4.5 is out. That's just great. This project began over three years ago and hundreds of thousands of dollars have been spent. Let's not deploy because 5% of the company might not be able to open 1% of their messages.
Renewing GCWN
I renewed my GIAC certification in Securing Windows today. When renewing a GIAC for the renewal fee you also get access to course materials (MP3s and the course books). I found it a bit difficult to listen to the MP3s. I did notice that when I took the course live there was some "you need to know this" guidance, whereas this time around the only guidance toward the test was "everything in the workbooks."
GIAC certifications now require proctored tests. They are still open book, but you can’t use electronic books. The answer isn’t as easy to find when you can’t just find it by searching PDF files. The test is 150 questions and you have a four hour limit.
I struggled a bit with IPSec, RRAS and PKI, but did fine over all. I’m glad I don’t have to do that again for another four years.
Iconix Phishing Protection
A couple days ago I received email from Paypal titled “New PayPal Plug-In – Shop anywhere online.” That struck me as kind of suspicious so I looked at the mail headers. The headers showed the message did originate with Paypal’s servers, and more importantly it contained a domain key (DKIM). According to Wikipedia, “DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity” through the use of a cryptographic hash.
If I had to dive into the headers to determine the message validity, how would the normal user do? Are there mail clients that would have automatically verified DomainKeys and SPF for me?
A quick Google found a product called Iconix. Iconix works with Outlook, Outlook Express and a bunch of webmail providers (No Thunderbird support) to take the guesswork out of which messages are real.
Once installed, Iconix looks at SPF/SenderID and DomainKeys to determine message authenticity. Next it looks at message identification: this is a list of companies that have paid Iconix and registered with them. If both are verified, then the message's "display From" will be altered to present a logo of the sending organization's choosing. This allows recipients to tell at a glance that the message is from who it says it is.
Iconix at first appeared to be a great solution. It's been reviewed in several trade publications. I didn't immediately find anyone disparaging them online. Iconix is installed software. As such, you do wonder a bit about privacy and security implications. Their FAQ does say that the sender's email address is sent to Iconix.
The problem is that they only provide this service for the companies that have signed up. I would expect that they could validate the DomainKeys or SPF for anyone using those email technologies. While this product does solve my original question, "how can Ma and Pa Kettle obtain a reasonable level of trust in email", it only does so for companies that have paid Iconix. That is an extensive list, and it provides better assurance than SPF and DomainKeys alone could.
While Iconix is not available for Thunderbird, there are other solutions that plug in to Thunderbird for SPF and DomainKey validation.
- update – 6/11 – fixed above where I referred to Firefox when I meant Thunderbird. Firefox can be used just like IE in conjunction with Iconix at many webmail providers.
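As an added example that is not part of the original post or of Iconix, the header check described above (the SPF result plus a DomainKeys/DKIM signature, and whether either one actually vouches for the domain in the From line) can be scripted; the domains and signature values below are constructed placeholders, and the script checks presence and alignment only, not the cryptographic signature itself.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (hypothetical domains, placeholder signature values).
# Message 1: SPF pass and a DKIM signature whose d= matches the From domain.
SIGNED_MSG = """\
Received-SPF: pass (mx.example.net: domain of news@paypal.example designates 192.0.2.10 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.example; s=sel1; c=relaxed/relaxed; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: PayPal <news@paypal.example>
Subject: New PayPal Plug-In

body
"""
# Message 2: SPF and DKIM both "pass", but for a bulk-mailer domain, not the From domain.
LOOKALIKE_MSG = """\
Received-SPF: pass (mx.example.net: domain of bounce@bulkmailer.example designates 198.51.100.7 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; d=bulkmailer.example; s=k1; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: PayPal Security <service@paypa1-alerts.example>
Subject: Verify your account

body
"""

def parse_auth_headers(raw):
    """Pull the From domain, the SPF result/domain and any DKIM/DomainKeys d= domains."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf = msg.get("Received-SPF", "")
    spf_result = spf.split(None, 1)[0].lower() if spf else "none"
    m = re.search(r"domain of (?:\S+@)?([^\s)]+)", spf)
    spf_domain = m.group(1).lower() if m else ""
    sigs = msg.get_all("DKIM-Signature", []) + msg.get_all("DomainKey-Signature", [])
    dkim_domains = [d.lower() for s in sigs for d in re.findall(r"(?:^|;)\s*d=([^;\s]+)", s)]
    return from_domain, spf_result, spf_domain, dkim_domains

def assess(raw):
    """Alignment verdict: a pass only counts when it vouches for the From domain."""
    from_domain, spf_result, spf_domain, dkim_domains = parse_auth_headers(raw)
    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = from_domain in dkim_domains
    if spf_aligned and dkim_aligned:
        verdict = "authenticated"
    elif spf_aligned or dkim_aligned:
        verdict = "partial"
    else:
        verdict = "unauthenticated"
    return {"from_domain": from_domain, "spf": spf_result, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "verdict": verdict}
```

The second message shows why a raw "pass" is not enough: both checks succeed for the bulk mailer's own domain, so only the alignment step (or a registry of the kind Iconix sells) tells the recipient that the lookalike From address is not vouched for.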