Archive for July 2009
Flash Zero Day
I wrote about a Flash zero day yesterday.
It's important to note that while it may be possible to disable Flash (and other multimedia) content inside Adobe Reader PDFs (in fact that may be the default setting; it's not clear to me) (note: this setting has no effect), the attack has been seen as straight Flash on websites. You'd only be mitigating one attack vector.
Symantec’s writeup is here
Adobe has updated their security advisory.
One mitigation listed is to “Delete, rename, or remove access to the authplay.dll.” At the time of this blog entry, Adobe did not say what side effects this would have.
Updates for Adobe Flash are expected by July 30th for Windows, Mac and Linux. Updates for Solaris are pending. Updates for Adobe Reader and Adobe Acrobat are expected by July 31.
I just started the process for updating Adobe Shockwave. Looks like Adobe is keeping me busy.
Keep an eye on that Adobe Security Advisory link as well as http://blogs.adobe.com/psirt/
Flash zero day
iDefense has seen a Flash zero day exploit within a PDF file during a recent zero day attack investigation.
It's hard to believe that at one point in time PDF files were considered safe.
Erin Andrews Malware
Erin Andrews apparently is a sideline reporter for ESPN. I hadn't heard of her before tonight. The story is some tool used a peephole reverse viewer (allows a person outside a door to use the peephole to look in) and a camera to record her in a hotel room without her knowledge. This is obviously both illegal and not cool. The video was posted to YouTube before lawyer letters were sent demanding the takedown.
The news of this has ignited a mad search of the internet for copies of the video that may have been downloaded and reposted in other places before Google was able to comply with the removal request.
As with most big name events, malware is involved. Searching for "Erin Andrews keyhole" will likely lead you to attempts to install malware. Just a reminder, it's not cool to make or watch upskirt videos. This is on that level. Another reminder: when you go to watch a video, be very suspicious if you are prompted to install software. Get your media players and codecs from known sources!
Enterprise Vulnerability Management
The Gorilla CISO has a blog post about vulnerability management that is worth reading. It sounds really familiar, though I’m dealing with it on a much much smaller scale.
"The way we manage patch and vulnerability information is something out of the mid-80's."
Tell me about it. Today I read RSS feeds (US-CERT, SANS ISC, vendors, white hats, bloggers etc.) and emails from vulnerability alert services (DeepSight, Microsoft Technical Account Manager, random people who read about a patch/virus in the Wall Street Journal). That gets entered into a spreadsheet with the CVE, Bugtraq, and vendor reference ID. Once Qualys releases a detection, the Qualys ID gets added as well, along with the detection count.
This is a tediously manual process that no one seems to actually give a damn about. The auditors didn’t like the way we were (are?) managing vulnerabilities (it may still be a POAM item). And the reports seemed to mean nothing to management. It worked better when I didn’t bother creating the spreadsheet, and just told them what patches we deployed this month, and the detection count for a few key vulnerabilities that I felt required management attention, (Adobe Reader, MS08-067, etc).
At the Gartner Information Security Summit in National Harbor, MD (near DC) I attended a track titled "Qualys, Inc.: Using SaaS to Build Full Life Cycle Program for Security and Compliance." I was hoping this might have a suggestion for how to do this. Unfortunately it seemed like the solution was creating a home grown database and correlating the results of multiple scanners. I'm sure that works great, but without instructions on building such a database, it's a lot of work to build from scratch.
iDefense is now integrating your Qualys vulnerability scan results into their vulnerability intelligence. If you could afford such a thing (apparently we can't), you'd still have a problem. Vulnerability scans run at set times, and systems may not be online when the scan is run. While it's great for scanning servers, Qualys alone does not give an accurate reflection of all vulnerabilities for your end user equipment. While talking with Forescout, I found that they had a plugin for Retina. Forescout is a NAC product. When a computer comes online, the plugin checks with Retina and finds out when the device was last scanned. If it's longer than your configurable setting (hasn't been scanned in X days), then it fires up Retina to initiate a scan. Qualys provides the appropriate APIs to do this as well, so I asked Forescout to look into improving their Qualys plugin.
The combination of iDefense, Qualys and Forescout (if Forescout updates the plugin) would be quite formidable in vulnerability lifecycle management. What's left is desired configuration monitoring: are my systems continuing to conform to my security policy? I am not currently scanning for that regularly. Once I get a tool for that, then it's one more thing to integrate.
There is no simple solution. I may have to polish up the SQL skills and take a run at building something myself.
MS09-031 Authentication Bypass
I was reading this morning about an ISA authentication bypass that affects a very specific configuration scenario. (Doesn't affect my setup.) Read more about it on the ISA blog.
It put a smile on my face to think that somewhere Thomas Shinder is kicking a hole in a wall.
#sansforensicssummit Day1
I’m taking SEC508 at #sansforensicssummit in Washington DC through next Tuesday.
Day one covered basics of the file system. I had some serious flashbacks to dealing with hexadecimal in the JMU Masters level Infosec program. In that program we had plenty of classes using Internetworking with TCP/IP Vol. 1 by Comer. Actually one of my worst courses was Forensics taught by Florian Buchholz. It was in the last semester, and we were checking out mentally (ready to graduate).
It's fun to take a week long course on the subject. Hopefully it will stick better than the college course. I do fear that since I won't be doing forensics every day, I'll lose a lot of this knowledge quickly.
A couple of interesting tidbits from today.
1. A single pass is good enough when disk wiping. That would save a lot of time for us if true. The instructor says the idea of wiping 7 times comes from a Gutmann paper in the late 90s. It theorized an electron microscope could be used to recover data if wiped fewer times. This is purely theoretical. Never been done. Forensics people will call it a day if it's been wiped once.
Of course what is technically correct isn't always what auditors or policy require. Trying to change that is difficult. The instructor says NIST recommends one pass. I've read the document he mentions. Apparently I need to re-read it because I don't recall one pass. I recall a preference for the UCSD Secure Erase, which uses ATA commands to wipe. I recall degaussing or destroying also being preferred. I think for overwrite utilities they were still recommending 6+, but I will have to verify.
2. The second interesting thought had to do with "limited personal use" allowances in corporate policies. Companies don't want to have policies they won't enforce, so they allow limited personal use. I thought the big danger in that was not defining exactly what that meant. According to the instructor, limited personal use is a forensic nightmare and a potential legal liability. The claim is that the limited personal use gives the user an expectation of privacy for that personal use. Since it is company policy, it trumps the logon banner that says "no expectation of privacy". Interesting thought, and one I'm going to have to run by legal. They took a year when I asked them to approve the login banner, so I expect to hear back from them around 2015.
Some People Really Need to Look Into NAC
Over the weekend I was talking to someone who has a mandatory requirement at work to have their computer inspected by the helpdesk every 60 days. If the computer is not inspected the computer is not allowed onto the network.
I’ve heard of such requirements for remote users. Remote users who don’t connect to the company using a VPN are tough to check up on. Requiring a periodic check-in could be a good idea for those users. However, physically checking computers that are manageable devices on your internal company network seems like a waste of time to me. If this story is accurate, I’d like to introduce them to NAC.
I know what you're saying. First, they are using a form of NAC if they can keep unapproved people off the network and force them to go to the helpdesk to reauthorize themselves every 60 days. Second, some people think of NAC like they think of PKI. It just hasn't taken off yet, and some people think it is one of the more useless "useful technologies."
NAC is actually useful for quite a bit more than keeping people off the network. If you manually check computers every 60 days, a computer that has broken patching mechanisms or is infected will not be detected for an average of 30 days. NAC would be able to detect this as the computer is connected to the network and on an ongoing recheck schedule. Even if you don’t want to send the user to a remediation page you could alert the helpdesk. Better to be fixing known problems immediately than inconveniencing everyone else every 60 days.
If you do have a NAC project, I’d suggest checking out Forescout. I have been happy with our selection. When we looked at other vendors it wasn’t even close in my opinion. Don’t feel like you have to buy NAC from your network switch vendor or your desktop antivirus vendor.
Alternatives to Desktop Lockdown
This is another post based on notes from the Gartner Information Security Summit. Neil MacDonald gave a talk titled Five Alternatives to Desktop Lockdown: Balancing Control and Creativity.
Desktop Lockdown has failed.
But so has complete freedom.
So what do you do?
From an operational perspective, desktop lockdown was performed to reduce the number of disk images the helpdesk had to maintain. It reduced application conflicts and visits by the helpdesk. From a security perspective, lockdown was performed to prevent malware and prevent users from disabling security applications.
Lockdown has failed for a number of reasons. In XP, the locked down experience is lacking. You can't change the time zone or install a printer driver. It's not workable for the traveling user.
Locking down computers failed because new technologies bypass local controls. For example, it doesn't prevent the user from using Google Apps and other forms of cloud computing in an insecure manner. Being a standard user doesn't even prevent all software installs. Google Chrome installs as a standard user. Microsoft was pressured to make Silverlight install without administrative rights. As long as the software only writes to your user profile and your portion of the registry, it can install as a standard user. Malware writers will not be deterred by lack of admin rights.
Its almost a cliché at this point but the consumerization of IT has led to a new workforce. Generation Y digital natives. They may not be better at not falling for fake AntivirusXP but they expect full access all the time.
Does IT really know what people need to do their jobs? Locking down was supposed to be a means to an end, not an end itself. Protecting the data is the primary goal.
Saying that lockdown has failed, does not mean that complete freedom has succeeded.
The cost of managing end user computers is far greater for unmanaged computers. The risk of virus attacks is much greater with administrative rights.
So what do you do? The talk reviewed multiple alternatives.
Alternative 1: De-Privilege Admins – UAC
UAC prompts to elevate rights when admin rights are needed.
As you already know, that can be annoying if you have a lot of applications that are poorly written and need admin rights. Also depending on the user this can barely be a speedbump in stopping malware.
Alternative 2: Whitelist
While basic whitelisting is currently available in Windows XP and later as well as most Endpoint Protection (AV) applications, newer offerings from companies like Bit9 make it easier to whitelist. They maintain the lists so you don't have to manually update each time a new version is released. They also can use reputation services that make a judgment about any new/unknown files.
One user when told we were considering this technology stated as an engineer they install all sorts of software and really important work would stop if he couldn’t install every random file he found on the Internet.
Host-based Intrusion Prevention Systems (HIPS) also fall into this category. They are much more complex, and can cause instability issues depending on how they are integrated.
Alternative 3: Remote Presentation
In this scenario users log into a remote server such as VMware or Terminal Server. Of the local computer and the remote session, one is managed and one is unmanaged.
This scenario requires solid network connectivity. It also isn’t clear how the network is protected from the unmanaged computer.
Alternative 4: Multiple Virtual Machines running locally
Unlike the previous alternative, the user can work remotely without a connection back to the office, since the virtual machines run on the local computer.
The major drawbacks to this approach are licensing cost, patching, and extra hardware cost.
In the future the hypervisor may make it to the desktop for better performance, but we are not there yet.
Alternative 5: Workspace Virtualization
In this alternative the risky applications are put into their own sandbox.
RingCube, Ceedo, and InstallFree are three vendors in this space.
Alternative 6: Hybrid
A few from column A and a few from column B.
Alternative 7: Employee Owned PCs
I’ve read the articles on companies that are providing dollars for people to buy and support their own computer. I also read about a smaller company where the owner considered the computer like a toolbox. The craftsman provides his own tools. Not a great analogy because a craftsman power saw isn’t going to get infected and DDoS the network. (Although cheap worker provided power tools could break spectacularly in a particularly liable fashion).
The analogy provided during the presentation was a road. A trucker provides the truck. He can buy the truck he wants, but it must meet certain requirements. Then while used on the road he must obey traffic laws. Officer Friendly is waiting to write a speeding ticket.
Those are seven alternatives to desktop lockdown. I think that application whitelisting will become mainstream the fastest, although virtualization is moving fast. XP Mode within Windows 7 is virtualization. I believe Macs have a virtual MS Windows. The question I would have is what gets virtualized. Every Internet facing application?
For the longest time, vendors made me feel like I was at the only company in America to allow Administrator rights to users. (Neil MacDonald, if you head this way I'd love to know what percentage of companies in general, and Federal contractors in particular, lock down the computers by restricting admin rights as required by the FDCC.) It is very interesting to hear about some other solutions. Obviously antivirus is not working, but we still need to provide protections.
Useless Useful Technology: IPv6 #GartnerSecurity
These are notes from the last session at the 2009 Gartner Security Summit; a tongue in cheek look at the worst best practices in IT.
We're all familiar with the upcoming change to IP version 6. The main impetus for performing this migration is the IP address space crisis.
The reality is few enterprises have a lot of public IPs. The migration to IPv6 is costly and fraught with questions.
I almost question including this item, because I think it's more widely believed that IPv6 is not worth the trouble than that it will be a cure-all.
By 2014, 20% of remote and mobile employees will connect via an IPv6-enabled ISP. That necessitates our action.