August 30, 2008, 3:19 pm
Earlier this week I was discussing password resets with one of my co-workers. Common password reset questions are discoverable, guessable or disclosed on your social networking site.
Mother’s Maiden Name – public record
Street you grew up on – can be found.
Place of Birth – discoverable
Name of Pet – guessable (top list of pet names on Internet, or just check their facebook)
Users “improve” on security by putting something else there. They’ve effectively created a second password when they couldn’t remember the first. Now it’s likely they’ll forget both.
In a discussion of users at a non-security forum where I’m a member, one user reports “I just have stock answers for all of those things. My favorite movie? movie. My favorite actor? actor.”
Here’s another person’s response:
It drives me nuts. Stupid questions like the “favorite” stuff – what am I five years old? I don’t have a f&*(&*ng favorite color you stupid POS website!!! And then there’s the “What street did you grow up on?” “What was your Math teacher’s name?” “What is your childhood pet’s name?” ********. I’d moved six times by the time I got to high school. I didn’t grow up on ONE street, nor did I have a SINGLE math teacher and I didn’t have a pet growing up!!! All these questions are so retarded. And frequently they make you choose a whole bunch of them…
Then there is the problem that most of these systems are looking for exact answers. So New York, NY is not New York, New York. The system that was supposed to prevent password reset calls is generating more calls.
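As an added example (not from the post or any product it mentions), here is one way a reset system can avoid the exact-match problem described above: canonicalize the answer before hashing it, so “New York, NY” and “New York, New York” verify the same. The state-abbreviation table is a hypothetical subset.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata

# Hypothetical subset of state names -> postal abbreviations, so that
# "New York, New York" and "New York, NY" canonicalize to the same string.
STATE_ABBREV = {"new york": "ny", "california": "ca", "texas": "tx"}


def normalize_answer(answer):
    """Canonicalize a security-question answer before hashing.

    NFKC, casefold, punctuation -> space, collapse whitespace, then
    replace spelled-out state names with their abbreviation.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", " ", text)
    text = re.sub(r"\s+", " ", text).strip()
    for name, abbrev in STATE_ABBREV.items():
        text = re.sub(r"\b%s\b" % re.escape(name), abbrev, text)
    return text


def hash_answer(answer, salt=None):
    """Return (salt, digest) for the normalized answer via PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 100_000
    )
    return salt, digest


def verify_answer(candidate, salt, digest):
    """Compare a candidate answer against a stored digest in constant time."""
    _, cand = hash_answer(candidate, salt)
    return hmac.compare_digest(cand, digest)
```

Every normalization rule also shrinks the answer space, so treat the answer as a weak secret and rate-limit attempts rather than rely on it alone.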
While reading on ITWorld.com I ran across a different approach to password reset.
I-forgot-my-password.com is a password reset system based on likes and dislikes. Given a list of items you choose 16 things you like or dislike. It doesn’t need to be an emphatic like or dislike. They feel that studies show that you won’t have to remember anything. When it comes time to reset your password, you will naturally select the same items.
I watched a video of the researcher’s presentation at Google.
I think the key questions are does it scale and does it protect against the right sort of attacks. It takes longer to register. I can’t imagine doing that every time I have to sign up for an account at a new site.
I think it fails a couple of tests:
1. If I register for this form of password reset on my bank site and then on a phishing or otherwise bad-actor site, then the bad guy has the same answers as for the valid site.
2. It fails the psycho ex-girlfriend test. She may know you well enough to pass the test.
Interesting work on a real problem. Check out the video link.
August 29, 2008, 9:55 pm
Caught up with this one via Digg
Earlier this week Jesus Diaz posted on Gizmodo how to bypass the iPhone login pin/password protection.
It’s kind of funny that the typical comment response to that article is “who uses a password on their phone anyway.” My opinion is more with the commenter who pointed out that “whether the typical user used a password or not if this was a Microsoft vuln the reaction would be different.”
It is serious. Apple is trying to position themselves as the new Blackberry, not just from the functionality and the coolness, but also the security. They need business customers, otherwise they wouldn’t be licensing ActiveSync. No business that values its data is going to put the data on a phone that doesn’t have encryption (iPhone doesn’t) and doesn’t even have an effective login password.
The article says that rumor is this will be fixed in the next iPhone firmware update. With the Blackberry I’m pretty sure you could push out required updates wirelessly (not positive, I’m not a Blackberry admin). With the iPhone you have to ask your users to sync with iTunes (not an iPhone admin either, but that’s my understanding).
August 29, 2008, 11:06 am
I am planning to upgrade to Guardian Edge Hard Disk Encryption 8.7. It’s been over a year since we deployed 8.2.4 and I wanted to get some of the assorted fixes out to our computers.
While reading the release notes, I noticed a known issue with Symantec Endpoint Protection 11.
“Following the installation of GuardianEdge Hard Disk on the Client Computer, a Network Threat Protection message may be displayed, alerting the end user to a change in the EAFRCliADSI application.”
The solution is to allow IPv6 over IPv4.
Personally I am not a big fan of this solution. Until I have a personal firewall that works with IPv6, I think we should default deny it. Until there is a need for IPv6, we should default deny it.
The solution doesn’t adequately explain the problem to me. I don’t use SEP11 to monitor what applications can go out (management overruled me). I’m thinking users would never be alerted if an application changed. Thus their workaround should be unnecessary.
I called support but that only resulted in a guy reading the release note back to me. I guess I’m going to upgrade the server and install 8.7 on my computer and see what happens.
August 28, 2008, 8:59 am
Last night, I went to a Fishnet Security event. Fishnet is a nationally focused information security solutions provider.
The featured speaker was Suzanne Hall, CIO of the Washington Nationals and Lerner Enterprises. She has had some interesting experiences: opening Nationals Park, and having the Pope at Nationals Park (talk about security!).
The topic of her talk was moving CSO to CIO, but it was really relevant to anyone that has to sell their projects to C-level people.
The regulatory approach (FISMA, PCI, HIPAA, SOX, GLB says we have to) only goes so far. Meeting regulations is really the bare minimum. It’s not about Return on Investment. Security protects your ability to generate revenue; it does not generate revenue itself. FUD (“The sky is falling”, also known as Fear, Uncertainty and Doubt) doesn’t work any more. The sky already fell and we’re still here. Risk based approaches are great. Suzanne, working for a private company, doesn’t have regulations to blame for needing this security stuff. Instead she appeals to “Core Values”. To me that puts a much more positive spin on it. Imagine that, doing the right thing. Appealing to that wouldn’t have worked at Enron, but at companies where the motto is more than just something on the corporate letterhead, it has some promise.
After the featured presentation we heard from some sponsoring vendors.
Bradford Networks spoke about NAC.
Crossbeam is a virtualization/consolidation solution that uses blade systems and works with security companies so you have one platform that could house your firewall, URL filtering, gateway antivirus, IDS, etc. Currently many datacenters have an overabundance of appliances, and if the network grows the solution is to add another appliance. If you’re running out of space or running out of power then that might be an interesting solution.
Secure Computing presented and I spoke with one of their people for a bit. Since I first heard of them in the HTTP area that is how I think of them. They feel they have a great application layer firewall.
I also spoke with a rep from Varonis. They make a really interesting product to report on access to file shares. Many years ago I had looked for this exact feature set, couldn’t find it and cobbled something together using an Access database and dumpsec exports of permissions. It would be good to replace that homebrew with something a little more solid. Additionally Varonis will be adding support for Sharepoint next year.
August 27, 2008, 10:25 am
A couple weeks ago a patch came out for WebEx Meeting Manager for Internet Explorer. Symantec’s Security Response Blog is reporting sightings of exploits for this vulnerability in the wild.
Users running the vulnerable version of the Webex control who happened upon a Web site distributing the exploit would become infected. The first exploits that we have seen so far have been served via gaming sites that have had the exploit package injected on to them.
Computers will be patched automatically if they connect to a patched WebEx server. Otherwise you can install WebEx Meeting Manager from the WebEx website or just uninstall via Add/Remove Programs in the Control Panel.
August 23, 2008, 8:32 pm
Greg Playle’s article “The Seven Week Get Healthy Plan for Small Business” in this month’s ISSA Journal (ISSA Membership Required) outlines 7 security steps for small businesses to consider.
One of my friends recently received a telephone call from his doctor asking if he had an appointment. An upgrade of the appointment system had gone south and they were reconstructing the appointment book by calling all patients and asking them if they had an appointment. Whoever is handling the IT duties at these small businesses apparently doesn’t know to take a backup before starting an upgrade.
I’ve wondered many times just what the mortgage guy or my dentist is doing to protect my personal information. I feel like I don’t know them well enough to give them this article; at the same time, as a customer, don’t I have the right to be proactive in making sure my data is protected?
There are a couple of errors in the article. The first I hope was an editor’s mistake. While describing how to gather the physical address to use to whitelist what servers are allowed on the wireless network, the example given is an IP address.
The bigger problem is that the author has apparently not read George Ou’s Wireless Security Myths that Will Not Die. If the author had read that he would not be making some of the wireless security recommendations that he makes.
Do not broadcast the Service Set IDentifier (SSID). Kismet will reveal hidden SSIDs. Not broadcasting it doesn’t gain you much except against the casual browser. The casual browser is already stopped by your use of WPA2.
Worse yet, your client computers will now have to probe for that network everywhere you go.
See also Josh Wright’s article Issues with SSID Cloaking.
PCI 1.2 no longer requires the disabling of SSID broadcast. The message is starting to get out.
Turn on Wireless Security to at least 128 bit WEP
You’re only buying time by using 128 bit WEP over 64 bit. As the retailers have learned, NEVER USE WEP if you have something to protect. Since this article assumes you need to protect the small business, I think the recommendation needs to be a bit stronger. I think even WPA-PSK is suspect for a work environment.
It seems like some of the things suggested are belt and suspenders solutions. Others are more like belt and Hawaiian shirt: the belt is doing the work, the shirt is just there for looks. If you have WPA2 do you really need DHCP reservations and MAC address filtering? If they break your encryption are those things really going to help? Probably not.
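To make the belt-versus-shirt distinction concrete, here is an added example (not from the ISSA article or George Ou’s piece) that audits a hostapd-style access-point config for the settings discussed above: WEP, WPA1/TKIP, a hidden SSID, PSK-only key management and MAC filtering. The sample config is constructed.

```python
# Constructed hostapd.conf fragment (not from the article) that combines the
# settings the article's advice touches: hidden SSID, WEP, WPA1/TKIP with a
# pre-shared key, and a MAC address accept list.
SAMPLE_CONF = """\
ssid=SmallBizNet
ignore_broadcast_ssid=1
wep_default_key=0
wep_key0=0123456789ABCDEF0123456789
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
macaddr_acl=1
"""


def parse_conf(text):
    """Parse hostapd-style key=value lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit_wifi(conf):
    """Return findings for an access-point config; an empty list means clean."""
    findings = []
    has_wep = any(k.startswith("wep_key") for k in conf)
    wpa = conf.get("wpa", "0")  # hostapd bit field: 1 = WPA, 2 = WPA2, 3 = both
    ciphers = conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")
    key_mgmt = conf.get("wpa_key_mgmt", "")
    if has_wep:
        findings.append("WEP key present: WEP is broken, move to WPA2")
    elif wpa == "0":
        findings.append("no encryption configured: open network")
    if wpa in ("1", "3"):
        findings.append("WPA1 enabled (wpa=%s): set wpa=2" % wpa)
    if "TKIP" in ciphers:
        findings.append("TKIP allowed: use CCMP only")
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("hidden SSID: clients probe for it everywhere, no real gain")
    if "WPA-PSK" in key_mgmt and "WPA-EAP" not in key_mgmt:
        findings.append("pre-shared key only: prefer WPA2-Enterprise (802.1X) at work")
    if conf.get("macaddr_acl", "0") != "0":
        findings.append("MAC filtering: cosmetic once the encryption is broken")
    return findings
```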
The article overall is good. The experience of finding wide open wireless at a small business is far too common. This article will help.
August 22, 2008, 11:22 pm
Jesper Johansson writes about Antivirus XP 2008 with some really good screenshots in an article in TheReg.
You don’t need a zero day when users have admin rights and can be tricked into installing the malware.
August 21, 2008, 12:09 pm
Robert Graham writes in Errata Security that “Google recently made a change that allowed you to configure your Gmail account to force SSL.”
In Gmail click on Settings. On the General tab under Browser Connection select Always Use HTTPS. Without this I believe the behavior is SSL during login only, which has been shown to not protect an authentication cookie.
Google Help warns that you’ll need a patch for Google Notifier and it may break mobile applications that check Gmail.
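An added example (constructed Set-Cookie headers, not real Gmail ones) showing why login-only SSL is not enough: a session cookie that lacks the Secure attribute is attached to plain http:// requests as well, so it crosses the wire unencrypted after the login page.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed Set-Cookie headers: a session cookie without the Secure
# attribute and one with it. Names and values are made up.
SET_COOKIE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; HttpOnly",
    "SSID=def456; Domain=.example.com; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(headers):
    """Return {name: Morsel} for a list of Set-Cookie header values."""
    jar = SimpleCookie()
    for header in headers:
        jar.load(header)
    return dict(jar)


def cookies_sent_to(headers, url):
    """Names of cookies a browser would attach to a request for `url`.

    Only the Secure attribute versus the request scheme is modelled:
    a cookie lacking Secure is sent on plain http:// requests too.
    """
    scheme = urlparse(url).scheme
    sent = []
    for name, morsel in parse_set_cookie(headers).items():
        if morsel["secure"] and scheme != "https":
            continue  # Secure cookie is withheld from a non-TLS request
        sent.append(name)
    return sent


def unprotected_session_cookies(headers, session_names=("SID",)):
    """Session cookies that would be exposed on an http:// request."""
    exposed = cookies_sent_to(headers, "http://mail.example.com/")
    return [name for name in exposed if name in session_names]
```

Domain and path matching are not modelled, only the Secure attribute against the request scheme.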
August 20, 2008, 6:31 pm
Websense blogged about this a couple days ago and I just saw it in our email today.
Here’s the info on the messages that our email scanner stopped heuristically.
Subject: Fedex Tracking N_
File WD6128922.exe
August 18, 2008, 7:08 pm
We all know that malicious ads can be hosted by legit sites. Generally being fully patched (including third party apps) is a good protection against most attacks other than social engineering.
Ryan Naraine of The Zero Day Blog over at ZDNet reports that malicious Adobe Flash ads are being used to hijack the clipboard until the browser is closed.
I kind of expected to be protected against this because I set IE to prompt before allowing programmatic access to the clipboard. A proof of concept quickly disproved that theory.
Further searching the feeds I read regularly finds mention of this a week ago in the Spywaresucks blog.
Then this guy says he’s seen it back in July.
The domain injected into the clipboard is for rogue software antivirus 2008 xp. The domain has been used for bad going back to at least April 2008.