Archive for October 2009
Understanding Risk
People tend to not prioritize their risk correctly. The SANS Top Cyber Security report from September 2009 pointed out that people are not patching third-party applications or taking care of web servers correctly.
I recently ran across the image below (click for full size) that showed the number of deaths in the last 300 days broken down by category and compared that to the number of deaths from H1N1.
(Not sure who to credit for the photo; it wasn't given to me in context. Here is the original link.)
Cisco buys ScanSafe
I was surprised to read this evening that Cisco is buying ScanSafe.
I have been evaluating Web SaaS vendors and looked at ScanSafe in September. To me ScanSafe has always been the market leader in web security as a service. I just had some issues that prevented us from going with them. According to a TechTarget article, this purchase brings Cisco into the Web SaaS market and should play with their IronPort. I hope this purchase improves both companies.
As was stated when Barracuda bought Purewire, this validates the web SaaS market. It seems to repeat the recent acquisition phase of email SaaS vendors. Is Zscaler now the odd man out, not yet having found a dance partner? I think not. There are still plenty of companies that think they need to buy into a SaaS presence.
VanMorrison.com Iframe
Saw a virus alert today. A user performed an AOL Search (that alone should be banned in our end user behavior policy) on “van morrison” (another termination offense). He/She clicked on a link for www.vanmorrison.com. The antivirus detected an iframe attack.
Manually looking at www.vanmorrison.com’s source, I currently see an iframe loading ‘http://iqsp.ru:8080/index.php’. Perhaps someone can remind me, aren’t there sites like VirusTotal where you can send them a link and they’ll tell you what’s up? I haven’t yet learned JavaScript deobfuscation, but that didn’t look like good stuff was happening.
So I took a sacrificial lamb system (still dangerous, don’t try this at home) and went to www.vanmorrison.com using various security systems to see what the result was.
Bluecoat – detected the virus on the site. Blocked Access to the entire site.
Scansafe – detected the virus on the site. blocked access to the entire site.
Purewire – site loaded. Wanted me to install Flash (seemed legit but I didn’t do it). Java started up. I was prompted to download a file and run an ActiveX control. I chose not to install the ActiveX control but I did download the file. It was a PDF file.
VirusTotal saw the PDF file first on October 16th (today is the 21st). Currently 13 out of 41 vendors are detecting this as a virus. Did I mention signature detection is dead dead dead.
Did you notice the link to the Russian site is on port 8080? I wonder how many HTTP security implementations are proxying 8080 traffic in addition to 80.
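The two things this post checks by hand, an iframe pointing off-site and a non-standard port that a proxy may not be watching, are easy to script. The following is an added example, not code from the original post: it parses a page's HTML with the standard library and flags every iframe that points to a foreign host, uses a port other than 80/443, or is sized or styled so a visitor would never see it. The sample HTML and the injected host name are constructed placeholders.

```python
"""Flag suspicious <iframe> tags in fetched HTML (added example, not from the post).

Assumptions: the site's own hostname is known; an iframe counts as suspicious
when it points to another host, uses a port other than 80/443, or is hidden
(zero size or display:none). SAMPLE_HTML and the host "injected.example" are
constructed for the demo, not taken from a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the frame has a zero dimension or an invisible style."""
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower()
        if value.endswith("px"):
            value = value[:-2]
        if value == "0":
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons...])] for every iframe that trips a rule."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        reasons = []
        # Relative srcs have no hostname and stay on the page's own host.
        if parts.hostname and parts.hostname.lower() != page_host.lower():
            reasons.append("external host %s" % parts.hostname)
        if parts.port not in (None, 80, 443):
            reasons.append("non-standard port %d" % parts.port)
        if _is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate embedded player and one injected frame.
SAMPLE_HTML = """
<html><body>
<h1>Tour dates</h1>
<iframe src="/player.html" width="400" height="300"></iframe>
<iframe src="http://injected.example:8080/index.php" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(src, "->", ", ".join(reasons))
```

On the constructed sample the player frame passes and the injected frame is reported for all three reasons. The port check is the one worth keeping in mind for proxy policy: a gateway that only intercepts port 80 never sees a request like this one.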
Update 10/23/09
I see Sophos and eweek have linked to this article. Thanks!
Pob is correct, the infection changed after I posted this entry. I went back yesterday to see if anyone had cleaned it. I found the site on Google’s naughty list and the site had obfuscated code like the screenshots. I didn’t check on it today.
Adobe Reader update
If you’ve reached this post looking for info about adobearm.exe, check out a newer post here.
I am in Adobe update hell right now. Adobe released their quarterly security update for Adobe Acrobat and Reader and I have more questions than answers.
Adobe says that it is adding a dormant updater in Reader that they will use to test a new updater methodology. A post on another board mentions BITS. I suspect that is the new tech. I’d like to know if I disable updates via the Adobe Customization (Tuner) tool will that disable this new method as well? I haven’t seen any info.
When 9.1 was released, it was possible to download a version without Adobe AIR. I don’t see that option anymore.
Adobe Reader 9.2 is both a full update and an MSP (patch update). According to this, “The Adobe Reader MUI 9.2 patch can be deployed over any of versions 9.1.0, 9.1.1, 9.1.2, 9.1.3 directly.” However, I’m getting an error applying it to 9.1.3. A bit of searching finds this article. While it is talking about AIPs (Administrative Install Points), the consensus seems to be that you can’t put 9.2 on 9.1.3 because it’s a security patch.
And lastly, while tuning the full version of 9.2 for deployment, I found a new exe in the HKLM Run key. AdobeArm.exe is now starting at each boot. I typically delete reader_sl.exe when I’m creating an Adobe Reader install. I’d like to know what AdobeArm.exe is before I delete it.
Sorry about posting more questions than answers. I try not to do that too often. I’m off to check the Adobe Forums for answers.
Comcast to warn of infected machines
This week numerous sources reported on news that Comcast will deliver popups to alert customers with infected machines.
I agree with Phil Lin, marketing director at network security firm FireEye Inc., as reported in the linked AP story above: if this catches on we’ll soon see this used in social engineering attacks.
According to Brian Krebs in his Washington Post blog Security Fix, the alert is a
“so-called “service notice,” a semi-transparent banner that overlays a portion of whatever page is being displayed in the customer’s Web browser. Customers can then either move or close the alert, or click “Go to Anti-Virus Center,” for recommended next-steps, which may include downloading and running the McAfee anti-virus tools the company offers for free, or purchasing a cleanup package and allowing a Comcast technician to attempt to remotely diagnose and fix the problem.”
I’d love to see an escalation so that ignored notices eventually put you in a walled garden until remediation occurs.
There is debate in the industry about the responsibility of the ISP. Techies want a pipe. They don’t use the ISP’s email server, web hosting, or news server. They don’t want blocked ports or managed traffic. There is another side that demands a clean pipe. I’ve seen this more in the business area, where a business ISP partners with a Security as a Service vendor to clean up or monitor the Internet traffic. John Pescatore takes this position in his post, saying that warning about a problem isn’t as good as preventing the problem from reaching the user in the first place.
I think it’s good to see an ISP want to be a good citizen. ISPs want to be more than just dumb pipes. Trying to clean up the neighborhood is a good start. This is a logical next step from blocking ports such as outbound SMTP other than through the ISP’s mail server.
Now that is strong
I’m trying to install an enterprise password management product. The software installs onto a Windows 2003 server. The prerequisites caution:
“Make sure that the Administrator password for this server is appropriately strong. For example, it should contain a minimum of 6 alphanumeric characters.”
6 characters strong. Wow this must be really important.
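To put a number on why six alphanumeric characters is not "appropriately strong" for an administrator account, here is an added example (not part of the post or of the product's documentation) that turns a policy into a brute-force keyspace in bits and an exhaustive-search time at an assumed guess rate. The 6-character alphanumeric policy is the one quoted above; the other policies and the guess rate are constructed for comparison.

```python
"""Estimate the brute-force keyspace of a password policy (added example).

Assumptions: a policy is a minimum length plus the character classes allowed;
the attacker tries every string of that length from the allowed alphabet.
The 1e9 guesses/second rate in main() is a constructed figure for comparison,
not a measurement of any particular cracker or hash.
"""
import math
import string

# Size of each character class an administrator might require.
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
}

CLASS_CHARS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def keyspace_bits(min_length, classes):
    """log2 of the number of strings of min_length drawn from the allowed classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return min_length * math.log2(alphabet)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try the whole keyspace at the given guess rate."""
    return (2 ** bits) / guesses_per_second


def meets_policy(password, min_length, classes):
    """True if the password is long enough and uses only allowed characters."""
    allowed = set().union(*(CLASS_CHARS[c] for c in classes))
    return len(password) >= min_length and all(ch in allowed for ch in password)


# Constructed policies: the one quoted from the prerequisites, and two stronger ones.
POLICIES = {
    "6 alphanumeric (quoted prerequisite)": (6, ("lower", "upper", "digit")),
    "8 alphanumeric": (8, ("lower", "upper", "digit")),
    "14 mixed with symbols": (14, ("lower", "upper", "digit", "symbol")),
}

if __name__ == "__main__":
    rate = 1e9  # constructed guess rate for comparison only
    for name, (length, classes) in POLICIES.items():
        bits = keyspace_bits(length, classes)
        secs = seconds_to_exhaust(bits, rate)
        print("%-40s %5.1f bits  exhausted in %.3g s" % (name, bits, secs))
```

Six alphanumeric characters come to roughly 36 bits, which at the assumed rate is exhausted in about a minute; the point of the policy table is that length does far more than adding a symbol class, because the exponent is what grows the keyspace.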
Web Security – The Problem
Web security has changed a lot in the past few years. It is no longer good enough to take a desktop antivirus scan engine and scan web content. URL filtering isn’t enough. It is not enough to put HTTP security on your corporate gateway.
The reason it’s not good enough to have an HTTP security gateway should be rather obvious. People go home. People travel. People work at client sites. People work at the Starbucks. An increasingly mobile workforce necessitates a mobile security solution.
URL filtering isn’t enough. URL filtering is reactionary and there are many new sites each day. When a legitimate site is compromised, URL filtering can categorize it as a malware-serving site and block it. But how quickly will the site be rechecked after the virus is cleaned? Viruses are showing up on otherwise legitimate sites. Sites can be compromised through lack of patching or through SQL injection. In several cases advertising networks have inadvertently included malicious content. Some sites are potentially insecure by design. Web 2.0 sites accept user-provided content with few controls in place. While some URL filtering solutions are better than others, it is an incomplete solution at best.
Some web security solutions are merely URL filtering combined with a desktop antivirus engine. I don’t think I need to rehash the failure of the antivirus engine. But there is better technology. The best web security solutions include zero-day protection as more than a marketing term. A web malware scanner looks at the context of the file: the site it’s on, the number of requests for the file, the history. It then runs it through heuristics in a way much more accurate than any desktop heuristic.
The web is a ready avenue of attack. Strengthened defenses against email and network attacks have left HTTP the prime target for attackers.
It’s a good time to be looking at alternative solutions. I think that SaaS web security has hit the sweet spot in what Gartner would call the hype cycle. It’s at that point where you’re still on the leading edge but not on the bleeding edge. I’ll be trying to get a “why SaaS” post out.
Local Admin Rights
We have the beginnings of a Windows 7 deployment project. As part of that I’ve been asked to develop a presentation for the director regarding local admin rights.
At our company it seems local admin rights is sacrosanct. On the other hand, I was once told Universities couldn’t have firewalls because of academic freedom. Now I understand that is no longer the case.
We last tried limiting user rights under Windows 2000. That involved a limited group of users, mostly secretaries and the corporate division. It fell apart quickly as the helpdesk was able to give users admin rights to get around problematic applications rather than taking the time to fix the application.
Application and operating system support for limited rights accounts has improved significantly since Windows 2000. Nevertheless it remains a political and technical hot potato.
The Federal Desktop Core Configuration (FDCC) requires the use of limited rights. This process is more about reminding senior management of the problems with users doing whatever they want, and getting them to sign a waiver for the FDCC requirement.
Right now I have what I think is mission impossible.
1. Demonstrate the problems caused by users being able to do whatever they want. Unfortunately our helpdesk is allowed to work without recording tickets accurately. Also virus incidents are not fully investigated so it is impossible to say x virus incidents occurred because the user was an administrator or Y systems were reloaded because the user installed a bunch of crap.
2. Show that our customer (the Federal government) is not giving users local admin rights. I can say what is required. But I really have no connection into the CSO office at each customer to determine their FDCC compliance.
3. Show that companies like us are limiting local user rights. Again, I’m not sure how I can do this. I don’t see a Gartner report on this.
I have a month to put this together so we’ll see what I can come up with.