Archive for December 2008

Web Vulnerability Analysis the Wrong Way

I’ve added Kevin Lam’s blog at Impacta to the list of blogs I regularly follow. In a recent entry, he blogs that he’s been seeing companies use the same company that designed their website to perform their web pen test.
I think it is possible for a company to be great at both things. But you’d have to trust them an awful lot to believe you were getting a fair deal. In this instance, the part that jumped out at me more was their “pentest” basically consisted of running some vulnerability scanners. His scan on the other hand used custom tools they developed and manual techniques.
I’m reminded of something Dave Aitel posted recently on the Daily Dave. That is some cool detail a consultant running the standard vuln scanner just isn’t going to know.
The funny thing is the original company performing the vulnscan fulfilled their mission. They checked a PCI checkbox, and missed a handful of SQL injection, XSS and blatant configuration issues.

Keeping the World Safe from Hydration

Why is it that I can attend a Washington Nationals game and bring in food and water yet when attending a Washington Capitals game, such items are prohibited?
Obviously, people bringing in food affects their food sales.
An usher gave me the usual “security” malarkey as an explanation. If I’m a security risk because I’m bringing in a 20 oz container of water, then that Dasani truck driver must be on the ten most wanted list.

The Duhs of Security

This security awareness video was developed by the Commonwealth of Virginia to promote simple changes in behavior that will strengthen security.

  • Don’t allow tailgating.
  • Guard your password and change it often.
  • Save sensitive information to secure, backed-up network storage areas.
  • Lock the computer when unattended.
  • Pick up sensitive printouts immediately.
  • Don’t have sensitive conversations where you can be overheard.
  • Be wary of suspicious emails.
  • Keep electronic media secure and safe from theft or damage.

Symantec Endpoint Protection 11 MR4

SEP11 MR4 release notes have been posted here.
I suspect this is now available on the platinum site. I’ve been told by our sales guy that we should have access to that, but all I can ever get to is fileconnect. Rumor is January 6th for Fileconnect. I’m more interested in the msp update files than the full CD for a full SEPM install. I don’t see those on the KB or via FTP right now.
Here’s one fix that I’m waiting for.

Wireless connections at 104Mb/second do not register with Location Awareness as Wireless connections.
Fix ID: 1441489
Symptom: Auto Location Awareness does not work when using 104Mbps wireless network.
Solution: Added 130Mbps/117Mbps to the list that detects when the wireless speed is not stable.

That information would have been helpful to me last week. I wasted quite a bit of time troubleshooting a user’s problems with 802.11n.
I think I have more issues with smc.exe than rtvscan.exe. However, every reduction in CPU usage helps.
Constant 5% Rtvscan CPU usage.
Fix ID: 1389006
Symptom: Constant 5% Rtvscan CPU usage seen from Process Explorer or Task Manager.
Solution: Changed to cache the state of Auto-Protect, thus reducing excessive calls which gather state information. The state is now updated once on startup, on change notification from Auto-Protect, and occasionally on the main timer, eliminating this issue.

Symantec SPBBCDRV.SYS Local Denial of Service

There is a local denial of service vulnerability in the SPBBCDRV.SYS Device Driver.
http://securityresponse.symantec.com/avcenter/security/Content/2008.12.12.html
Symantec Endpoint Protection is not affected.

Friendly DSNs in Exchange 2008

You had me at EHLO wrote about new functionality introduced in Exchange 2007 Service Pack 1, Rollup 4. Exchange is now offering friendly error messages (DSNs). Oh joy.
While it is a funny write up, I’m reminded of the friendly error messages in Internet Explorer. It exchanges one set of technical mumbo jumbo (that is accurate) for something the user still can’t understand (and is less accurate). That’s not progress.
Worse yet, with IE friendly error messages, a webmaster can still use their own custom error messages overriding the browser choice (by having the custom error exceed a certain size). I only see a way for the admin on the server receiving the DSN to enable or disable this translation.
I guess I should wait to see this in action before passing judgement, but it sounds worrisome. We should be able to have a custom error.

Microsoft Patch Tuesday

By now you’ve probably read that Microsoft has released patches as scheduled for the second Tuesday of the month.
Hopefully if you’re a home user you have the computer set to update these patches automatically and if you’re a corporate user, your company is on schedule.
When I got up this morning I found that Secunia Personal Software Inspector was giving me a false positive on MS08-072, a Microsoft Word patch. Oddly, PSI was reporting my winword.exe version correctly and it matched the patched version posted in the Microsoft bulletin.
[update] this has been fixed by Secunia.
It’s one thing to have false positives in corporate vulnerability scanners. I’m kind of used to those. But this software is targeted at your typical end user. Too many of these and the software will be ignored or uninstalled.
It looks like people need to apply Office 2003 SP3 before they can apply MS08-072. That has nothing to do with my Secunia problems. I’m just noting it because I’m sure there are many companies where there are pockets of computers that missed the service pack. Microsoft Office 2003 Service Pack 2 — Support Ended October 14, 2008.

CheckFree Attack

Brian Krebs reports on an attack on CheckFree in today’s Security Fix blog.
It looks like someone used phishing to get credentials for their Network Solutions account. Brian says “This may seem like a logical stretch, and perhaps it is.” I don’t know about that. If they just phished the email address in the whois record they would probably get the right person.
Once they had the login credentials it was a quick update to change the authoritative DNS servers and redirect users to a malicious server.
Avivah Litan, a fraud analyst with Gartner, seems to think that other (unnamed) security mechanisms should be in place besides username and password: “If all that’s protecting a bank’s Web site is a user name and password, that’s kind of like having a massive vulnerability in the core of the Internet.”
I’m not sure the solution is some call back mechanism where NetSol verifies the change request. Why is a user name and password supposed to be good enough to protect my stuff but not theirs?
I noticed that as of this morning CheckFree.com now shows clientUpdateProhibited in the whois record. I don’t know enough about that to know if it’s a solution. The RFC says it means “ignore all updates except to turn off clientUpdateProhibited”. That doesn’t sound like much defense.
While it is a reactive defense, it doesn’t cost much to monitor your domains so you are alerted about DNS errors and changes.
Also if Network Solutions had emailed a change alert to the address of record this could have been caught earlier as well.
To me the bottom line is personnel need to be trained not to fall for phishing attacks.
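As an added illustration of the cheap, reactive monitoring mentioned above (this is example code, not anything from the post or from CheckFree or Network Solutions): a small check that compares a domain’s currently published name servers and registrar status flags against a saved baseline and emits an alert on any drift. The domain names, the `dig +short NS` and whois output, and the expectation that both `clientUpdateProhibited` and `clientTransferProhibited` stay set are all constructed assumptions for the example; in practice you would feed in the real command output on a schedule.

```python
"""Added example: a minimal domain-drift monitor (not from the original post).

Compares the authoritative name servers and registrar status flags observed
for a domain against a stored baseline and returns alerts on any change.
All inputs below are constructed; hostnames and registrar are placeholders.
"""
import re

# Constructed baseline for a hypothetical domain (not real data).
BASELINE = {
    "domain": "example-bank.test",
    "nameservers": {"ns1.example-dns.test", "ns2.example-dns.test"},
    # Registrar locks we expect to remain set (EPP status values).
    "required_status": {"clientUpdateProhibited", "clientTransferProhibited"},
}

# Constructed text shaped like `dig +short NS example-bank.test` after an
# unauthorised change: one legitimate server has been swapped out.
DIG_OUTPUT = """ns1.example-dns.test.
ns1.unknown-provider.test.
"""

# Constructed whois excerpt: only the update lock is present.
WHOIS_OUTPUT = """Domain Name: EXAMPLE-BANK.TEST
Registrar: Example Registrar, Inc.
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS1.UNKNOWN-PROVIDER.TEST
"""


def parse_dig_ns(text):
    """Normalise `dig +short NS` lines: lowercase, drop trailing dot and blanks."""
    return {line.strip().rstrip(".").lower()
            for line in text.splitlines() if line.strip()}


def parse_whois_status(text):
    """Collect EPP status flags from 'Domain Status:' lines (URL suffix ignored)."""
    return {m.group(1) for m in
            re.finditer(r"^\s*Domain Status:\s*(\S+)", text, re.MULTILINE)}


def check_domain(baseline, dig_text, whois_text):
    """Return a list of alert strings; an empty list means no drift detected."""
    alerts = []
    observed_ns = parse_dig_ns(dig_text)
    added = observed_ns - baseline["nameservers"]
    removed = baseline["nameservers"] - observed_ns
    if added:
        alerts.append(f"{baseline['domain']}: unexpected name server(s) {sorted(added)}")
    if removed:
        alerts.append(f"{baseline['domain']}: missing name server(s) {sorted(removed)}")
    missing_locks = baseline["required_status"] - parse_whois_status(whois_text)
    if missing_locks:
        alerts.append(f"{baseline['domain']}: registrar lock(s) not set {sorted(missing_locks)}")
    return alerts


if __name__ == "__main__":
    for alert in check_domain(BASELINE, DIG_OUTPUT, WHOIS_OUTPUT):
        print("ALERT:", alert)
```

The three alerts this produces on the constructed input (an unknown name server, a missing legitimate one, and a missing transfer lock) are exactly the signals that would have surfaced an NS hijack early; the baseline should be captured while you know the records are correct, and the check is only as good as how often it runs and who reads the alerts.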

JAVA1.6 Update 11

From US-CERT:

Sun has released alerts to address multiple vulnerabilities
affecting the Sun Java Runtime Environment. The most severe of
these vulnerabilities could allow a remote attacker to execute
arbitrary code.
II. Impact
The impacts of these vulnerabilities vary. The most severe of these
vulnerabilities allows a remote attacker to execute arbitrary code.
III. Solution
Apply an update from Sun
These issues are addressed in the following versions of the Sun
Java Runtime Environment:
* JDK and JRE 6 Update 11
* JDK and JRE 5.0 Update 17
* SDK and JRE 1.4.2_19
* SDK and JRE 1.3.1_24

Blackberry and S/MIME part 2

Back in June I wrote about the Blackberry and S/MIME.
There was a BES upgrade that fixed the “an unexpected error has occurred” message. We still can’t open attachments on signed or encrypted emails. To me this is a trivial thing, but to the Management this is a horrible horrible thing.
The 4.5 software has been released by some vendors on some models. As expected, phones with this software didn’t have the problem with attachments. Although Verizon has not yet released the 4.5 software for the 8830, I downloaded a rogue copy and installed it. It resolved the attachment problem. Unfortunately for me, although SecurID for Blackberry was supposed to work on this build, I can’t get it to work.
None of this actually helps. Waiting for Verizon to release 4.5 is like waiting for Godot.