Archive for the ‘General’ Category.

Deploy critical patches within 48 hours

Critical Control 4: Continuous Vulnerability Assessment and Remediation lists as a “quick win”: “Any vulnerability identified should be remediated in a timely manner, with critical vulnerabilities fixed within 48 hours.”

Unless you’re paired up with Nick Nolte, 48 hours isn’t a very long time.  It seems to conflict with a later requirement: “Critical patches must be evaluated in a test environment before being pushed into production on enterprise systems.”  That is one quick eval cycle.

So what is critical?

In my vulnerability scan report, vulnerabilities are rated 1 through 5.  Every month there are new level 5 vulnerabilities.

PCI says that things with a CVSS score greater than 7.2 (if I remember correctly) need to be patched.   Is that what critical is?

Does critical mean “was mentioned on the evening news”?

FISMA 800-53 rev 3 RA-5 leaves it up to the organization to define.

I think I should just update my vulnerability management doc to say that critical updates are defined as those accompanied by the four horsemen.  Those must be patched within 48 hours, if the server can be found in the smoking crater.  All other patches shall be deployed within 30 days unless otherwise instructed.

The case of the reconfigured product

Can you claim “King of the Lab” even when the problem you solve is self-inflicted?

The phrase “King of the Lab” originated on the U.S. television series “Bones”, where the scientist who found the key evidence that week was king of the lab.

We’ve noted an odd issue at work where the event logs on multiple systems would report:

Windows Installer reconfigured the product. Product Name: <ProductName>. Product Version: <VersionNumber>. Product Language: <languageID>. Reconfiguration success or error status: 0.

for every installed application.  This set of logs would show up repeatedly.  We were kind of hoping it would go away when systems were migrated from Windows XP to Windows 7, but it is still occurring.

Our Bing-fu must be weak because I stumbled across a KB article tonight that explains it.

http://support.microsoft.com/kb/974524
Event log message indicates that the Windows Installer reconfigured all installed applications

This is caused by using Group Policy with WMI filters that query Win32_Product.  It can also be caused by applications that use that WMI class.  GuardianEdge documentation instructed me to use that WMI class in a filter to deploy GuardianEdge settings so they would only apply to clients with the specific product version.

The “Ask the Directory Services Team” blog at Microsoft recently had a post which linked that KB and reported that use of Win32_Product will (could?) result in slow boot times.  The reason this WMI class is an issue is that its provider uses a DLL to actively query each installed application, and that query is what triggers the reconfiguration.  Additionally, if any of the installed apps were installed from a remote location, this can really slow things down.

The Microsoft blog lists some workarounds.  I’m not sure any of them are perfect for me.  Until I implement a fix this case isn’t closed.  But it is enough for me to do a happy dance while yelling “king of the lab”.
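As an added example (not code from the post, from GuardianEdge or from Microsoft’s KB), here is the WMI filter pattern that causes the storm next to a registry lookup that answers the same “is product X at version Y installed?” question without waking up Windows Installer. The product name and version are placeholders, and the event ID 1035 used in the verification count is the ID that message carries in the Application log (the post quotes the message but not the ID).

```powershell
# The WQL a Group Policy WMI filter would run. Every evaluation (each policy
# refresh) makes the Win32_Product provider call msi.dll to run a consistency
# check on EVERY installed package; each check logs event 1035 and may repair the app:
#   SELECT * FROM Win32_Product WHERE Name = 'Example Product' AND Version = '9.5.0'
# The same cost applies to scripts that do: Get-WmiObject -Class Win32_Product ...

function Get-InstalledProduct {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,   # wildcards allowed, e.g. 'Example Product*'
        [string] $MinimumVersion
    )
    # Add/Remove Programs reads these keys; reading them has no MSI side effects.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Name } |
        ForEach-Object {
            $meets = $true
            if ($MinimumVersion) {
                try   { $meets = ([version]$_.DisplayVersion) -ge ([version]$MinimumVersion) }
                catch { $meets = $false }   # DisplayVersion is not a dotted number
            }
            New-Object PSObject -Property @{
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                MeetsMinimum   = $meets
            }
        }
}

# Gate the settings deployment on the registry result instead of on a WMI filter
# (placeholder product name and version).
$found = Get-InstalledProduct -Name 'Example Product*' -MinimumVersion '9.5' |
         Where-Object { $_.MeetsMinimum }
if ($found) { 'Apply the product-specific settings here' }

# Verify the fix took: count MsiInstaller 1035 ("reconfigured the product")
# events from the last 24 hours. After removing the Win32_Product query it
# should drop to zero outside real installs.
$filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'
             ID = 1035; StartTime = (Get-Date).AddDays(-1) }
(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Measure-Object).Count
```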

Now where is my trophy?

Dirty Disks Done Dirt Cheap

Context Information Security has a nice writeup of tests they performed on a few cloud security providers.

What happens when you delete a virtual server in the course of its lifecycle?   At some point you’ll leave a provider, turn down a server, or just get moved to another server.

On the computers you have control over, hopefully you’re already running some sort of disk wiping.  What about the computers you don’t control?

As any forensicator will tell you, deleted files aren’t necessarily gone.  The table of contents telling you where the file is may be gone, but the data is there until it is overwritten.  It turns out that due to some process problems, old servers’ disks weren’t overwritten, and the researchers were able to read the leftover data with a simple dd command on their newly provisioned virtual server.

When the data goes to the cloud you give up a measure of control.  When you’re at least aware of what can go wrong, you can ask the right questions.
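One of the right questions is “was this disk actually zeroed before I got it?”, and you can answer it yourself. The function below is an added example (not from the post or from Context’s research): it samples a raw disk or file, counts blocks that are not all zeros, and reports how much printable text sits in them. It assumes a Windows host where a freshly attached disk is reachable as \\.\PhysicalDriveN with elevated rights; the demo input at the end is constructed.

```powershell
function Test-DiskResidue {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [long] $SampleBytes = 256MB,
        [int]  $BlockSize   = 65536        # keep a multiple of the sector size for raw devices
    )
    $md5 = [System.Security.Cryptography.MD5]::Create()
    # Hash of an all-zero block: comparing hashes is far faster than a per-byte loop in PowerShell.
    $zeroHash = [BitConverter]::ToString($md5.ComputeHash((New-Object byte[] $BlockSize)))
    $stream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open,
                  [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    $buffer = New-Object byte[] $BlockSize
    $blocks = 0; $dirty = 0; $printable = 0
    try {
        while (($blocks * $BlockSize) -lt $SampleBytes) {
            $read = $stream.Read($buffer, 0, $BlockSize)
            if ($read -le 0) { break }
            $blocks++
            $expected = $zeroHash
            if ($read -ne $BlockSize) {    # short final read: hash a zero block of the same length
                $expected = [BitConverter]::ToString($md5.ComputeHash((New-Object byte[] $read)))
            }
            if ([BitConverter]::ToString($md5.ComputeHash($buffer, 0, $read)) -ne $expected) {
                $dirty++
                # Only dirty blocks get the slow per-byte look. Printable ASCII suggests
                # leftover text (configs, logs, keys) rather than random or encrypted data.
                for ($i = 0; $i -lt $read; $i++) {
                    if ($buffer[$i] -ge 32 -and $buffer[$i] -le 126) { $printable++ }
                }
            }
        }
    } finally { $stream.Close() }
    New-Object PSObject -Property @{
        Path           = $Path
        BlocksSampled  = $blocks
        NonZeroBlocks  = $dirty
        PrintableBytes = $printable
        LooksWiped     = ($dirty -eq 0)
    }
}

# Constructed demo input: 1 MiB of zeros with one line of "previous tenant" text
# dropped in the middle, standing in for an un-wiped disk.
$demo  = Join-Path $env:TEMP 'dirty-disk-demo.bin'
$bytes = New-Object byte[] 1MB
[System.Text.Encoding]::ASCII.GetBytes('root:x:0:0:root:/root:/bin/bash').CopyTo($bytes, 512KB)
[System.IO.File]::WriteAllBytes($demo, $bytes)
Test-DiskResidue -Path $demo | Format-List
# Against a freshly attached raw disk (run elevated): Test-DiskResidue -Path '\\.\PhysicalDrive1'
```

A non-zero result on a disk you were told is new is exactly the question to take back to the provider; a disk full of random-looking bytes with few printable ones is more likely encrypted or pre-filled than leaked.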

Do check out the article http://www.contextis.com/research/blog/dirtydisks/
Hat tip to Office of Inadequate Security

Not Dead Yet

While playing around with John the Ripper the phrase “passwords are dead” came to mind.  In the realm of Information Security, how many items have been declared dead?

Passwords are dead.
“IDS is dead.” – Gartner
“Gartner is dead” – IDS
The firewall/perimeter is dead.
Antivirus is dead.
SSL is dead.
SIEM is dead.
Corporate IT security is dead.

It starts to look like if you type any product, idea or compliance regime into Google, add “is dead” and you’ll find results.

Sometimes it is marketing (EIQ and SIEM).  Sometimes predictions.  Occasionally it’s exasperation at the continuing failure of a product type.  In each case, no one comes out looking like Kreskin.  But the pixels don’t write themselves and those stances generate traffic.

WordPress 3.3.2 Security Update

WordPress 3.3.2 is out to fix multiple vulnerabilities.  If you have a WordPress site somewhere on the internet, it is important to keep up to date.

Three external libraries bundled with WordPress received security updates:

  • Plupload (version 1.5.4), which WordPress uses for uploading media.
  • SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
  • SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.

WordPress 3.3.2 also addresses:

  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
  • Cross-site scripting vulnerability when making URLs clickable.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.

Remotely Recovering Windows Passwords in Plain Text | CYBER ARMS – Computer Security

Acrobat and Reader Updates: APSB12-08

Today Adobe released security updates for Adobe Acrobat and Adobe Reader.

An entry to the Adobe Secure Software Engineering Team (ASSET) Blog discusses several aspects of this security bulletin.

First, Acrobat and Reader 9 will no longer use a special version of Flash bundled with those products.  Instead they will use what I call the plugin version of Flash.  That is the version for non-Microsoft browsers other than Chrome (Firefox, Opera, etc.).  Chrome bundles its own special version of Flash.

Adobe has added support for the Netscape Plugin Application Programming Interface (NPAPI) so that Acrobat and Reader can access the plugin-based Flash installed in your operating system.

The good news is that you will no longer have to install an update to Acrobat or Reader every time there is a Flash update.  The bad news is this only applies to version 9; the version 10 equivalent is still being developed.  The other bad news is that if you don’t have the plugin version of Flash installed, you will be prompted to install it when you open a PDF with Flash content.

In general having Reader and Acrobat X is much more secure than having 9.   But if you’re hanging on to 9 for some reason this is good news for you.

Adobe announced that they will no longer have quarterly patches by default.  Instead, scheduled releases may occur on Microsoft patch Tuesdays.  They will preannounce three days ahead of time if a patch will occur that month.  So-called out-of-band updates will be released as necessary.  I read this as less frequent Adobe Acrobat and Reader patches.

Check the Adobe ASSET blog for information.

Dreamhost Adds One Click Cloudflare Option

Regular readers of this blog may remember that back in August I looked at both Cloudflare and Incapsula to protect and accelerate infosecblog.org.

Webmasters are faced with two huge challenges.  The first is keeping the blog secure.  There were many examples recently of WordPress blogs, even security related ones, being compromised.  While it is always easy to just blame the webhost, vulnerabilities in TimThumb proved to be many blogs’ undoing.  If you run a blog and you haven’t searched to see whether you use TimThumb, unbeknownst to you, in one of the many plugins you’ve added, your blog is probably already compromised.

The second major concern for webmasters is site speed.   All these plugins we install slow the site down.   Search engines penalize your page rank for slow loading.   Users are unlikely to return.   First time visitors may have their ADD kick in and just move on to the next site.

Cloud based mini Content Delivery Networks (CDNs) like Cloudflare and Incapsula provide answers to both problems.

With these types of services the webmaster changes the DNS to point to the cloud based service.   In the cloud, they block the bad and accelerate the good (to steal a phrase from BlueCoat).   You no longer have to mess around with complicated WordPress caching plugins (although some are designed to work hand in hand with CDNs).   If you were slack on security and had a vulnerable version of TimThumb, both of these solutions would block that attack and let you know about it.  The webmaster should still stay on top of all WordPress upgrades including the plugins.   Additionally the password should be strong.

One of the challenges with using these services at Dreamhost was that they lock down the A (and AAAA) records for infosecblog.org and www.infosecblog.org.  Even to use Incapsula’s free service, I had to pay for a third party DNS provider so I could have full control over the DNS.  With Cloudflare at least, this problem is now solved.  Dreamhost has partnered with them to allow integration with just a checkbox.  I set it up on one of my other domains in minutes.  I’ll continue to use Incapsula on this domain and compare the two services.

Java exploitation on the rise

The deadline for getting up to date on the latest Java has come and gone.

Microsoft posted on the 20th that they were seeing exploit code attacking the vulnerability in Java which Oracle patched in February.

Yesterday Brian Krebs posted that an exploit for this vulnerability is now in one of the more popular exploit kits.  Exploit packs are malware distribution for the script kiddie: you purchase code that tries multiple exploits based on the type of computer that visits a website.  This means it is far beyond targeted attacks, and into general distribution.

The same advice as always applies with Java.

1.  If you don’t need it, remove it.
2.  If you do need it, always run the most recent version.
3.  Watch for older versions hanging on.   Remove them.
4.  For safety only run Java in one browser, and use another browser for day-to-day browsing activities.   This lowers the attack surface area.
5.  In addition to antivirus, have some sort of URL filtering that blocks malicious sites such as the free consumer BlueCoat K-9.

Update for the Flash Updater

Adobe today released a new version of Flash with two critical security updates.  For those keeping score at home, that is the third security related Flash update this year and the second of this month.   Adobe AIR also needs updating if you have that.

In addition to the security fixes, this update also changes the behavior of the Flash updater.   After installing the update, you will be prompted to choose an update method.   The default is to install updates when available.   Most security updates will install silently while any update that additionally makes changes to the configuration will require user interaction.

Flash is a highly targeted application.  This effort should boost the installation timeliness of required security patches.

To change your update settings later, go to the Flash icon in the control panel.   The existing method to disable autoupdates using a mms.cfg file is still supported.   Companies that deploy software using a centralized means like ConfigMgr may prefer to disable autoupdates until the application has been tested and deployed using their regular means.
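For the centralized-deployment case, the added example below (my code, not Adobe’s) writes the two mms.cfg settings that switch the updater off, or back on, on both 32-bit and 64-bit Windows. It assumes the documented mms.cfg locations under System32 and SysWOW64, the setting names AutoUpdateDisable and SilentAutoUpdateEnable from Adobe’s Flash Player administration guide, and an elevated PowerShell session.

```powershell
function Set-FlashAutoUpdate {
    param([Parameter(Mandatory=$true)] [bool] $Enabled)
    # mms.cfg locations: System32 for the player matching the OS bitness,
    # SysWOW64 for the 32-bit player on 64-bit Windows.
    $dirs = @("$env:WINDIR\System32\Macromed\Flash", "$env:WINDIR\SysWOW64\Macromed\Flash")
    # AutoUpdateDisable=1 turns off all update checks; SilentAutoUpdateEnable=0
    # turns off the new background (silent) updater specifically.
    $settings = @{
        'AutoUpdateDisable'      = [int](-not $Enabled)
        'SilentAutoUpdateEnable' = [int]$Enabled
    }
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }          # no player of this bitness installed
        $cfg   = Join-Path $dir 'mms.cfg'
        $lines = @()
        if (Test-Path $cfg) { $lines = @(Get-Content $cfg) }
        # Keep unrelated lines (e.g. AssetCacheSize) and replace only the two update keys.
        $kept = $lines | Where-Object { $_ -notmatch '^\s*(AutoUpdateDisable|SilentAutoUpdateEnable)\s*=' }
        $new  = $settings.Keys | Sort-Object | ForEach-Object { "$_=$($settings[$_])" }
        Set-Content -Path $cfg -Value (@($kept) + @($new)) -Encoding ASCII
        # Echo the resulting file so the change can be checked in a deployment log.
        Get-Content $cfg | ForEach-Object { "$cfg : $_" }
    }
}

# Disable automatic updates until ConfigMgr has tested and deployed the release;
# call with -Enabled $true to hand control back to the Adobe updater.
Set-FlashAutoUpdate -Enabled $false
```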

Link – http://blogs.adobe.com/asset/2012/03/an-update-for-the-flash-player-updater.html