Archive for the ‘General’ Category.

Patching Mobile Computers

A growing number of users are mobile. While I’ve heard some people say these people will VPN in and thus get security updates, I think that many of them don’t VPN in. They can do so much on their phone, connect to mail over ISA, or perhaps they are using a customer’s mailbox. Some are at customers’ sites and not allowed to VPN out. Others might be travelling and just not have the time. What happens to the security of these computers?

One of the things I found with NAC was the ability to see what was unpatched on my network. The problem is that NAC only works if the computer is on the network. Even if I were using a software NAC agent such as the one in Symantec Endpoint Protection, that provides enforcement only. It can’t report back to my management server inside my firewall.

As a Microsoft SCCM user, I looked at their configuration options to allow internet-based computers to connect to a computer. It seemed expensive, complicated and hard to implement. Native mode requires digital certificates. Our security policy would result in a duplicate SCCM environment on a border network.

I looked at Bigfix, but it seems they would require an inbound connection from the boundary server. That violates our company policy, so I had to keep looking.

I wondered if Microsoft DirectAccess would solve this issue.   IPv6, and digital certificate requirements make this one a bit scary.   An always-up VPN into our network is a bit scary as well.

That’s when I received a cold call from Fiberlink, a company that offers MAAS360, a product for mobile computer management, reporting, and patching from the cloud. I’m interested in using SaaS where it can be done securely and will save money. I signed up for an evaluation. Even with only a few computers installed, I can see some nice reporting capabilities. As we get a bit further in the evaluation, I’m going to see if this can also solve problems by deploying patches detected as missing.

Cyber-Ark Password Vault

We bought Cyber-Ark’s Enterprise Password Vault product last year to provide an enterprise-grade method of protecting passwords. Administrator passwords to corporate systems are essentially corporate assets and it’s a big hassle when the password is forgotten or held hostage. (No hostage taking here, but I have seen issues caused by forgotten passwords.)

Passwords are often kept in text files or Excel files (hopefully encrypted). Most admins here are using a consumer-grade password safe installed on their local computer. This can have issues in cases of sudden staff turnover or when the passwords aren’t adequately backed up. For disaster recovery purposes passwords are stored in a safe in a sealed/signed envelope. There isn’t adequate access control and logging on the use of those passwords.

Cyber-Ark is extremely complicated to implement. It’s so complicated that you really need professional services. Since the product isn’t cheap to begin with, that seemed like an insult. I typically prefer products that are either straightforward enough to work without professional services, or products that once implemented during the evaluation are ready to go. I decided to bypass professional services. Unfortunately, for various reasons the virtual environment we had set up during the evaluation was deleted, so I had to start from scratch. Just over a year after buying the product, I ate crow and purchased four days of professional services. Even now, I find implementing Enterprise Password Vault so complicated that I won’t be getting everything I’d like out of the vault right away. And more $$$ for professional services may be needed.

There is a lot you can do with Cyber-Ark, but it’s better to start out slow. If I think it’s of interest, I’ll blog about what I’m doing as it moves from proof of concept to full implementation.

Cyber-Ark is really expensive and excessively complicated in my opinion.   However, the potential is there to do great things.   I’ve also enjoyed my dealings with sales (now gone from the company), the pre-sales engineer, and professional services.   I only hope I find support as cool when I end up having to work with them.

Auditors and Company Policy, Part 2

Back in 2007 I posted a blog entry about catching our auditors violating company policy by putting their company’s computer on our network. Today, a new group of FISMA auditors, same issue.

If the auditors were a bit slicker, I’d believe them when they said they were testing our controls for unauthorized computers. (Trust me, this guy was busted cold.) After Alanis, I hesitate to call something ironic, but it sure seems ironic that the people verifying our security policies routinely violate our security policies.

Shockwave Security Update

Adobe has released a security bulletin for Shockwave.  

Version 11.5.8.612 fixes multiple vulnerabilities that could be used for code execution.

SSL Proxies

Because port 80 is open outbound on most firewalls, many applications send their traffic over it to avoid firewall issues. This has led to port 80 being called the Firewall Traversal Exploit. Port 443, then, is the Secure Firewall Traversal Exploit, because it lets traffic out in an encrypted fashion.

Because the traffic is encrypted, users can bypass the protections in place for HTTP to download viruses, access forbidden sites and leak confidential information. This is limited only by the availability of SSL sites. In recent years webmail like GMail has gone to full SSL sessions. Bad guys can easily set up SSL as well. Without an SSL proxy, all you can do to address these concerns is block by IP address. IP addresses change frequently and are less likely than URLs to be categorized in a URL block list.

When you use an SSL proxy, the web traffic is terminated at the proxy server and a new request is made from the proxy to the remote server. For the first leg of this transaction the client browser is presented with a certificate generated and signed by the proxy, which results in a certificate error unless you deploy the proxy’s self-signed CA certificate as a trusted root on every client. Because the client never sees the certificate of the remote server, the user gets no information about the trustworthiness of that certificate. For this reason the proxy must validate the remote certificate itself, and you must either block every connection whose certificate is bad or make sure your SSL proxy passes that error on to the client when the certificate is expired, does not match the hostname, or does not chain to a trusted root.

The SSL proxy can use the hostname (the CN in the server certificate, or the SNI hostname where the client sends one) to make a URL categorization decision and then either intercept or tunnel the traffic.

Because you can intercept based on URL categorization, you could choose to intercept (and block) only websites that are in your blocked categories. This is the simplest implementation of an SSL proxy. It blocks sites that wouldn’t have been blocked before and it doesn’t interfere with anything else. If a computer doesn’t have your certificate in its trusted root store, it’s not that bad, because the site would have been blocked anyway.

A slightly more intrusive step is to also intercept webmail sites. Webmail sites can deliver malware as attachments even though the site itself is legitimate. By intercepting the site, the download is scanned by the antivirus layer. A related idea is intercepting all uncategorized sites so they can be scanned.

A full implementation involves intercepting everything not categorized as a financial site. Intercepting financial websites is not recommended, since it puts your users’ banking credentials and account data in clear text on the proxy. Intercepting everything allows you to scan all downloads for viruses. The main drawback is that you’ll have more issues with web applications that don’t conform to HTTP standards, and with sites that authenticate users with client certificates, which cannot pass through an intercepting proxy.

I think the simplest option, only intercepting websites classified in categories on your block list, is best. It provides additional security without the potential for complications. You’d have to make a security decision for your own environment.
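The decision logic behind the three rollouts above (block list only, block list plus webmail and uncategorized, everything except financial sites), as an added example that is not BlueCoat’s or any vendor’s policy engine. The category table, hostnames and mode names are constructed for illustration; the one real-world detail it insists on is that once the proxy intercepts, it owns the validation of the remote certificate, because the browser will only ever see the proxy’s own certificate.

```python
"""Intercept / tunnel / block decision for an SSL proxy, keyed on the
hostname taken from the origin server's certificate (CN or SAN) and a
URL-category lookup.  Added example for this post, not BlueCoat's or any
vendor's policy engine; the category table, hostnames and mode names are
constructed for illustration."""
from enum import Enum


class Action(Enum):
    TUNNEL = "tunnel"        # pass the TLS session through untouched
    INTERCEPT = "intercept"  # terminate TLS, scan, re-encrypt to origin
    BLOCK = "block"          # terminate TLS and serve a block page


# Constructed category table: hostname (or parent domain) -> category.
CATEGORIES = {
    "mail.google.com": "webmail",
    "google.com": "search",
    "mybank.example": "financial",
    "evil.example": "malware",
    "proxy-anon.example": "proxy-avoidance",
}

BLOCK_CATEGORIES = {"malware", "proxy-avoidance"}   # on the block list
SCAN_CATEGORIES = {"webmail", "uncategorized"}      # step two adds these
NEVER_INTERCEPT = {"financial"}                     # privacy exemption


def categorize(hostname):
    """Longest-suffix match, so www.evil.example inherits evil.example.
    A wildcard CN such as *.google.com is matched on its base domain."""
    host = hostname.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    labels = host.split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat is not None:
            return cat
    return "uncategorized"


def decide(hostname, mode, upstream_cert_valid=True):
    """mode is 'blocklist', 'scan' or 'full' (the three rollouts above).

    upstream_cert_valid is the proxy's own verdict on the origin
    certificate (chain, expiry, name match).  The browser never sees that
    certificate once we intercept, so an invalid one must be blocked here
    rather than silently re-signed with our trusted CA."""
    if mode not in ("blocklist", "scan", "full"):
        raise ValueError("unknown mode: %r" % mode)
    cat = categorize(hostname)
    if cat in BLOCK_CATEGORIES:
        return Action.BLOCK      # intercepted only to serve the block page
    if cat in NEVER_INTERCEPT or mode == "blocklist":
        return Action.TUNNEL     # browser validates the origin cert itself
    if mode == "scan" and cat not in SCAN_CATEGORIES:
        return Action.TUNNEL
    if not upstream_cert_valid:
        return Action.BLOCK
    return Action.INTERCEPT


if __name__ == "__main__":
    for host in ("www.evil.example", "mail.google.com", "www.mybank.example",
                 "unknown.example", "*.google.com"):
        print("%-20s %-14s %s" % (host, categorize(host),
                                  [decide(host, m).value
                                   for m in ("blocklist", "scan", "full")]))
```

In the tunnel case the proxy never touches the certificate and the browser sees the real one, so a bad certificate there still produces the normal browser warning; it is only in the intercept case that the proxy has to act on its own verdict.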

There are security considerations to intercepting traffic. When you only intercept a site to block it you don’t handle sensitive data, but as you intercept other categories, you must take care. Sensitive data may now be exposed in clear text on the proxy. You may want to think twice about what you are logging and caching. If any off-box analysis is performed, you need to encrypt the connection and make sure nothing is retained on the remote box.

A lot of attacks occur over the web and it’s important to provide the best defense. It’s no longer good enough to ignore 443/TCP.

But I’m trying Real Hard to be a Sullenberger

Since it’s not obvious, the blog title is an allusion to Jules’ big speech in Pulp Fiction.

I read a couple of interesting blog entries on Friday. John Pescatore asks “Are Security Professionals Like Stephen Slater.” In another blog, Foilball asks us to look in the mirror and see if we’re more Sullenberger or Slater.

Slater is the air-raging flight attendant who let the frustrations of life take over, stole a couple of beers and headed down the emergency slide.  He made Joanna’s method of quitting Chotchkie’s in Office Space look quite reasonable.

Pescatore doesn’t actually compare Slater and information security personnel. Rather than anything specific to this situation, he compares infosec people to the typical condescending flight attendant who does not explain the rules and only gives you a half can of Pepsi.

Is it really necessary for the flight attendant to explain that you need to leave the seatbelt on so you don’t become a human projectile mid-flight? Or that your laptop needs to be stowed not just for dubious electronic interference problems but so it doesn’t smack someone in the head during take off and landing? Why does the sun visor need to be up during take off and landing? I don’t know, but I have enough sense to know that having that discussion as we’re first in line for take off isn’t a good idea.

You can get 20 years for interference with flight crew members and attendants. Don’t even think of disabling the smoke detector. I wonder if I can arrange similar penalties for disabling the antivirus or interference with infosec personnel.

The Foilball article caused deeper thought. Going through life, there are days when you’re hit in the head by luggage or cursed out by a passenger. There are days when you want to escape down the slide and it takes every ounce of control not to. I’ve heard it said you can’t control your circumstances, but you can control how you react to them. I look in that mirror and I see more Slater than I’d like to admit. But I’m trying real hard to be a Sullenberger.

Patching week in review

This week saw a large number of Microsoft patches.

Additionally, Adobe released updates for Flash and Adobe AIR. The Acrobat and Reader updates that had been expected this week will arrive next week.

Apple patched the iPhone and released an update for QuickTime.  iTunes users were not given the QuickTime update as of this post.

To stay up on all these updates, home users should install something like the Secunia Personal Software Inspector. Sysadmins should wave the dead chicken and hope for the best, or better, make plans to deploy these updates if the software is present in the work environment.

Happy SysAdmins Day

The last Friday in July is System Administrators Day.

GPU Bruteforcing

My new computer from Puget Custom Computers arrived via FedEx on Wednesday.  I am very happy with my computer and with the service provided by Puget.   From my first visit to their website to the pictures they sent of my computer prior to shipping, I’d have to say they are first class. 

I purchased the new computer mainly to perform GPU bruteforcing. The Graphics Processing Unit on video cards can be used quite effectively for some operations. Right now I am using InsidePro’s Extreme GPU Bruteforcer to crack some NTLM hashes. It’s humming along at 1406 million passwords per second. I’m using 3 NVIDIA GeForce GTX 460 video cards. In the last computer I used for the same function I had a single GeForce 8800GT that only operated at 320 million passwords per second.

If my math is right, this means it would have taken about 8 days using my old computer to search for an 8-character password consisting of uppercase letters, lowercase letters and digits. With the new system it would take 1.8 days.
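The arithmetic behind those two figures, generalized to other character sets and lengths, as an added example that is not from this post’s author or from InsidePro’s tool. The two rates are the ones quoted above; the 62- and 95-character sets are the usual alphanumeric and full printable ASCII sizes, and the 30-day budget is an assumed figure for illustration.

```python
"""Keyspace and brute-force time estimates for exhaustive password search.

Added example; the two rates are the ones quoted in this post (320 M/s on
the GeForce 8800GT, 1406 M/s on three GTX 460s).  Everything else is
plain arithmetic rather than anything from InsidePro's tool."""

SECONDS_PER_DAY = 24 * 60 * 60
ALNUM = 62       # A-Z, a-z, 0-9
PRINTABLE = 95   # all printable ASCII

OLD_RATE = 320e6     # passwords/second, single 8800GT (from the post)
NEW_RATE = 1406e6    # passwords/second, three GTX 460s (from the post)


def keyspace(charset_size, length):
    """Number of candidates for a password of exactly this length."""
    return charset_size ** length


def exhaust_days(charset_size, length, rate_per_sec):
    """Worst case: time to try every candidate of exactly this length."""
    return keyspace(charset_size, length) / rate_per_sec / SECONDS_PER_DAY


def expected_days(charset_size, length, rate_per_sec):
    """Average case for a uniformly chosen password: half the keyspace."""
    return exhaust_days(charset_size, length, rate_per_sec) / 2


def max_length_within(charset_size, rate_per_sec, budget_days):
    """Longest length whose whole keyspace can be exhausted in the budget.
    Shows what one extra character (a factor of charset_size) buys you."""
    length = 0
    while exhaust_days(charset_size, length + 1, rate_per_sec) <= budget_days:
        length += 1
    return length


if __name__ == "__main__":
    for rate, card in ((OLD_RATE, "8800GT"), (NEW_RATE, "3x GTX 460")):
        print("%-11s 8-char alnum: %.1f days worst case, %.1f expected; "
              "%d chars of printable ASCII fit in an assumed 30-day budget"
              % (card, exhaust_days(ALNUM, 8, rate),
                 expected_days(ALNUM, 8, rate),
                 max_length_within(PRINTABLE, rate, 30)))
```

The worst-case figures reproduce the post’s 8 days and 1.8 days; the more useful number for policy is the last one, since going from 62 to 95 characters or adding one more character costs the attacker far more than a faster card recovers.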

BlueCoat ProxyClient

As I warned, I attended a BlueCoat seminar on Wednesday and I’m getting a few days worth of blog posts from that.

In March of 2009, I blogged that I was testing the BlueCoat ProxyClient.   The ProxyClient provides URL filtering via WebPulse and also attempts to provide acceleration to VPN users and users on slower network sites.   Each feature can be enabled or disabled automatically depending on location.  Last year I had ProxyClient deployed to the IT department for quite a while until it was time to test some HTTP SaaS solutions.  At that point I uninstalled ProxyClient from all computers.   I didn’t return it after I completed my HTTP bake-off.   I only renewed with BlueCoat for one year and didn’t want to roll out something and then switch it only a year out.

Looking at this month’s desktop virus reports, it’s pretty clear that a large number of the infections occur while systems are remote. Outside the facility they currently only have SEP11 as protection. For a long while I felt that if I was going to offer protection, URL filtering wasn’t good enough. I needed antivirus. But from what I wrote about yesterday with WebPulse, I am now thinking this is a significant step up security-wise. Also, it doesn’t have the SaaS risk.

To be sure, some of our users might revolt if we put one more security product on “their” desktop. But a strong case can be made for deploying ProxyClient. If you own BlueCoat and you pay for BlueCoat WebFilter, then the ProxyClient is no charge. At most companies, users are increasingly mobile. Unless you’ve got some other strong protections (such as only allowing browsing through an always-on tunnel VPN connection, and also removing local admin rights), I’d take a strong look at adding this protection.