Archive for the ‘General’ Category.

F-Secure on Java

F-Secure generated a lot of traffic in the blogosphere with their post declaring Java harmful and better left uninstalled on computers. To me the only surprising part is the discussion this generated. Isn’t this old news? The principle of least privilege says to remove it if you don’t need it. So when you’re regularly updating an application for security fixes, it may be time to consider alternatives.

F-Secure links Larry Seltzer’s month without Java from 2010. Brian Krebs posted a blog article around the same time recommending that Java be removed. I couldn’t find an earlier article, but I thought Krebs had been banging this drum for much longer.

Removing software you don’t need certainly lowers the attack surface. At work, I’d caution that you’re likely to find groups of users using Java for internal applications. If you don’t put Java on your system image, they are going to install the ancient version of Java supplied by their application developer. I found a couple of users with Java 1.6.0 update zero. When I removed that and installed the latest Java 1.6, the application still worked fine. If you’re actively patching your environment, having Java installed may not be that bad.

The articles linked mention alternatives such as only allowing Java to run on specific sites. Sometimes I install Java only for use in my non-day-to-day browser. I’m not sure either solution scales into the enterprise, where you have to account for all sorts of computer literacy.

Santa Gets Hacked (video)

Take This Lollipop

Take This Lollipop was a viral interactive video website that was released in time for Halloween.

I stayed away from it at the time since the site requires users to use Facebook Connect, the site was of unknown trustworthiness, and it seemed a bit silly to have to give access to my Facebook account to get a lesson in Facebook privacy.

Tonight I ran across a Dreamhost blog post where they interviewed the creator. He was also behind the “elf yourself” website. The site does not store data or post to your account. This is in line with their posted privacy policy.

Suitably curious, I allowed the site to connect to my Facebook account.

If you wish to remain spoiler free, stop reading here.

Take This Lollipop is delightfully creepy. The music and the filming location are perfect. The video shows a stalker logging into my account. That is what the account pull-down menu indicated. I’ve seen many people comment that they are going to tighten their privacy settings after watching this video. If you think that, you’ve missed the point. Not that there is necessarily a point being made.

Once in the account, he sees my pictures, my wall, my friends and my location. He looks up my current city online (Google Maps?) and gets in his car. As he exits the car you see he has my profile pic taped to the dashboard. The video ends suddenly.

I was really expecting the video to make use of Google Street View. I don’t believe that could actually happen, as I don’t recall Facebook having my street address. It would have been off-the-hook nuts if they had pulled GPS info from the pictures in my Facebook account or made use of my Facebook Check-ins.

I found the video awesomely entertaining. It would be orders of magnitude more disconcerting if I were a woman. Just the same, I think I’ll double-check the locks tonight. If you don’t have Facebook or are unwilling to do the Facebook Connect, you can watch someone else’s experience on YouTube.

It has been shown that people will give up their password (or at least pretend to play along and give a password) to get a chocolate bar. In this case, even when you know a website is most likely trying to social engineer you into giving Facebook access to teach you a lesson, you’ll still give up that information when the hook is strong enough. You want to see something entertaining your friends are all talking about, so you give up information. If there is any lesson here, that is what it is. This app has nothing to do with you accidentally leaving all your photos set to public (although you should fix that); it only uses the access to your Facebook account that you specifically gave it.

To see the promised dancing bears, users will always compromise their own security. And I did too. But only after trusting the site owners to adhere to their privacy policy and seeing the list of Facebook actions allowed. As a reminder, you should periodically check your Facebook application permissions and remove any that are no longer needed. Since I don’t see a need to access this site again, I will go to Facebook, select application settings and apps, and click the X next to TakeThisLollipop to delete the application permission. You can always add it back if you return to the site.

APSB11-27 Security Update for Shockwave MIA

Adobe released a security update for Shockwave last night, bringing the current version to 11.6.3.633.

Unfortunately, the link to the MSI on the enterprise distribution page still points to an older version of the update. I thought we were past this nonsense with Adobe. A couple of years ago this sort of thing was frequent.

Fireeye

I attended a lunch and learn today on Fireeye and BlueCoat. I’ve used BlueCoat for 5 years, so I’m familiar with that. I was interested in learning more about Fireeye. I’d never looked at them before, but had heard good things from peers.

They have appliances that look at HTTP or SMTP. They don’t replace existing security technology like firewalls, IPS, AV, proxies, URL filtering, or desktop security suites. Rather, Fireeye acts as supplemental detection. Those technologies rely primarily on signatures and have some heuristics. Fireeye uses virtualization to execute inbound files, look at the results and determine if bad things are happening. I used to manually upload suspicious executables to places like the Norman sandbox and get back a report on the files dropped, registry keys changed or network connections attempted. This does that, but at wire speed for everything. In addition to that, there is detection of exfiltration.

This is just a report of a lunchtime seminar, not a hands-on eval, so I can’t present much of a critical eye.

Another attendee asked a common question: “Isn’t it common for malware to have anti-analysis features such as virtualization detection? How does Fireeye deal with that?” The response in the seminar was that it is hardware virtualization. It isn’t as simple as detecting the hypervisor. From other comments I’ve seen, there is added obfuscation occurring to prevent that detection.

In the game of spy versus spy, you wonder what the man in black will do next once you “check” him with this appliance. If the bad guy knows you have this watching port 80, why not send a phish with a link to FTP? Also, what happens if the bad guy uses another allowed port for HTTP?

There are some purchases where years and years later you still feel smarter than the average bear. Then there are other purchases where, sooner rather than later, that technology is absorbed back into the standard product. How many people still buy antispyware software in addition to antivirus?

Fireeye sounds like an interesting product. If you’d like to share your experience with it or even a competitor, share your comments below.

Zumocast zooms security

The commercials for the Droid Bionic talk about remote access to the files on your PC. They are doing this through a Motorola app named Zumocast. Zumocast is one of many apps preinstalled on the Droid Bionic. To get started, I registered for free at Zumocast and installed their software on my home computer.

When installing the software, I was notified that I didn’t have JAVA, which is mandatory, and they offered to install it. Best practices would probably dictate installing the freshest JAVA from JAVA.com. Instead they installed 1.6 update 17. The current release at the time of this writing is update 29. JAVA didn’t even seem to check for updates after install. When I opened the JAVA applet in the Control Panel and went to the update tab, it was set to check for updates once a month. I think it was going to check next around the 23rd. At least Secunia PSI would have notified me if I hadn’t patched it manually. The average home user isn’t going to think twice about this.

Zumocast must be running so you can access the files (music, video, docs) on your system remotely. When you install, you select which directories are published. I haven’t looked, but I suspect the desktop app and the phone app both talk to their servers. You’re authenticated with username/password and then you can see the published files. This would just as easily publish my files on the work computer.

How is a security guy supposed to keep up with all the apps like this? I get it. The primary method of stopping it is telling the users we don’t want our files on their phone. But it is always better to have a technical means in place.

Feds Concerned about Hackers Opening Prison Doors

METRO Opens Doors, So Employees can take home all the equipment

Recently, a Washington DC prosecutor declined to prosecute a former Washington METRO employee accused of theft.   He was found to have taken home nine laptop computers, a power generator, a DVD player, a BlackBerry wireless device, a color printer, a digital camera, lots of tools and a computer monitor.   The prosecutor wrote that the absence of enforcement of policy “served to create an atmosphere where such behavior, although not explicitly condoned or excused, was part of an implicitly tolerated practice.”
Source: The Washington Times

There is a lesson there for us in IT Security. It is a bad idea to have policy that doesn’t match practice. Additionally, better asset management should be in place to prevent such activity.

Removing Old JAVA

As part of deployment of JAVA 1.6 update 29, I decided it was time to take a closer look at removing older versions of JAVA.

At one point in time, new JAVA installs left all previous versions installed on the system. In 1.6 update 10, JAVA began installing into %ProgramFiles%\Java\jre6. Each subsequent update would replace the version in that directory. I became a bit slack in removing older versions. Even in June (the previous quarterly update), I only removed versions of JAVA older than update 10. In my post about that, I say “Later versions should be removed automatically.” This is incorrect.

Versions installed normally will behave this way. But it is still possible for an application to install in “static” mode so that its version remains. There are also automatic rules that JAVA uses to determine whether an install is static or not. This document for JAVA 7 describes the behavior that I believe also occurs in JAVA 6 (aka 1.6).

By default, a new version of JAVA is installed patch-in-place. In other words, it replaces the version already there. If you attempt to install an older version of JAVA, it will automatically become a static version. And of course a (bad) programmer can bundle an old version of JAVA and make it static. So older versions of JAVA can still crop up. And these older versions are vulnerable, and often unnecessary.

At first I was going to update my existing script to remove all 1.6 versions of JAVA. It quickly became apparent that this was going to take forever and also have issues with 64-bit computers.

This is where the community helped out. On the MyITForum SCCM email list there were several suggestions for better ways to remove old JAVA. I’m going with an uninstall script posted over at AppDeploy. I’m using the one marked version 3. It is a well-commented VBScript with a help section and logging. Two gotchas. One is don’t forget you might need to whitelist the JAVA 7 clients. I also needed to check SCCM to see if there were any false positives. In other words, would it remove any items that just happened to have JAVA in the Add/Remove Programs display name? The script already handled 5 things like that. I added around another 5 based on what software is in my environment.
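The two gotchas above (whitelisting the JAVA 7 clients and catching Add/Remove Programs false positives) are easy to get wrong in a one-off script, and 64-bit machines add a second uninstall hive. The PowerShell below is an added example of the same inventory-then-remove approach; it is not the AppDeploy VBScript the post uses. It reads both uninstall hives, keeps anything that matches a whitelist pattern, flags installs that look static (heuristic: an install location outside the shared jre6 directory), and only uninstalls when -Remove is given. The whitelist patterns, the -KeepVersion default and the static-install heuristic are assumptions for illustration; adjust them to what is actually in your environment.

```powershell
# Added example (not the AppDeploy script referenced in the post).
# Inventory Java entries in Add/Remove Programs on 32- and 64-bit Windows,
# skip whitelisted display names, and report (or with -Remove, uninstall) the rest.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Display names matching any pattern here are left alone. Patterns are
    # assumptions for illustration; extend them with your own false positives.
    [string[]]$Whitelist = @('Java(TM) 7*', 'Java 7*', '*JavaFX*', '*Java DB*'),
    # Assumed DisplayVersion of the release being deployed (JRE 6 update 29
    # reports itself as 6.0.290); that version is never removed.
    [string]$KeepVersion = '6.0.290',
    # Without -Remove the script only reports candidates.
    [switch]$Remove
)

# On x64 the 32-bit JRE lives under WOW6432Node; check both hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-JavaInstall {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $p = Get-ItemProperty $sub.PSPath
            if (-not $p.DisplayName -or $p.DisplayName -notlike '*Java*') { continue }
            $whitelisted = $false
            foreach ($pattern in $Whitelist) {
                if ($p.DisplayName -like $pattern) { $whitelisted = $true; break }
            }
            # Heuristic: patch-in-place installs live in ...\Java\jre6; a
            # versioned directory such as jre1.6.0_17 suggests a static install.
            $static = [bool]($p.InstallLocation -and
                             $p.InstallLocation -notmatch '\\jre[67]\\?$')
            [pscustomobject]@{
                DisplayName    = $p.DisplayName
                DisplayVersion = $p.DisplayVersion
                ProductCode    = $sub.PSChildName   # MSI GUID for Oracle JRE entries
                Static         = $static
                Whitelisted    = $whitelisted
                Is64BitHive    = ($key -notlike '*WOW6432Node*')
            }
        }
    }
}

$all = @(Get-JavaInstall)
$candidates = $all | Where-Object {
    -not $_.Whitelisted -and $_.DisplayVersion -ne $KeepVersion
}

Write-Host "Java entries found: $($all.Count); removal candidates: $($candidates.Count)"
$candidates | Format-Table DisplayName, DisplayVersion, ProductCode, Static, Is64BitHive -AutoSize

if ($Remove) {
    foreach ($c in $candidates) {
        # Only MSI product codes are handed to msiexec; anything else is reported
        # for manual review rather than guessed at.
        if ($c.ProductCode -notmatch '^\{[0-9A-F-]{36}\}$') {
            Write-Warning "Skipping non-MSI entry: $($c.DisplayName)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($c.DisplayName, 'Uninstall')) {
            $proc = Start-Process msiexec.exe -ArgumentList "/x $($c.ProductCode) /qn /norestart" -Wait -PassThru
            Write-Host "$($c.DisplayName): msiexec exit code $($proc.ExitCode)"
        }
    }
}
```

Run it without -Remove first (or with -Remove -WhatIf) and compare the candidate list against your SCCM inventory; every name that should not be there becomes a new -Whitelist pattern before the script is ever run with -Remove.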

SCUPing JAVA (or not)

Back in June I wrote about my methodology for deploying SCUP and how I wished I had the time to work out deploying JAVA with SCUP. The quarterly update for JAVA was released last week, so it was time to go another round.

When deploying JAVA in an interactive manner, the install will prompt the user if the browser is running or anything else is running that prevents access to files. That in itself is annoying, because I’d often see computers at a screen prompting the user days later. Further installs are blocked. Not good. So in a /qb type of install, I would prompt the user to close the browser and, when they don’t, I close it for them.

That doesn’t really work in a silent install. SCUP is a method of adding third-party updates to the corporate update server. The Windows Update Agent doesn’t appear to want to interact with the user.

There isn’t a lot out there about SCUPing JAVA. Kent Agerlund’s guide for installing SCUP 2011 has an example deploying JAVA, but it is the most vanilla example you could think of. It doesn’t take into account any of the things I would do to deploy JAVA. I’m shocked it works for anyone. (No offense intended, Kent; I do love the SCUP 2011 instructions, they are great.)

I found an Oracle Forum thread and a Request for Enhancement that describe the problem perfectly. When the browser is open and you install silently, you’ll get an error “Error 25099. Unzipping core files failed.”

“Inside the %PROGRAMFILES%\Java\JRE6\bin folder is the Microsoft Runtime Library file MSVCR71.DLL that gets locked if a browser is open. During installation, the older JRE6 version is removed (unless it was installed with the STATIC switch) except for MSVCR71.DLL. Then the silent installation begins, with the core.zip expanding in alphabetical order until it comes to the letter m where it finds MSVCR71.DLL and just stops (in a non-silent mode, the user would be thrown a dialog to quit the browser / jqs, etc.). No roll back, no repair, etc. So now you’re left with some residual files, some reg entries but no control panel, no entry in the ADD/Remove Programs list (ARP), no regsvr32 registration has occurred.”

Most installers that find a file in use would mark the file for replacement during reboot and then ask for a reboot at the end of the installation. Wouldn’t that be a better way to go?

The workaround provided in the discussion thread is to use the STATIC=1 flag. That will install the new version of JAVA into its own directory. This scenario was rejected by my management because it essentially reverts JAVA to its behavior prior to update 10. The version installed with a static flag would remain forever until removed manually.
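Since neither the interactive prompt nor STATIC=1 was acceptable, the remaining option is to detect the locked-file condition before the silent install starts and defer rather than leave a half-installed JRE behind. The PowerShell below is an added example of that pre-flight check; it is not part of the post or of any Oracle or Microsoft tooling. It tries to open MSVCR71.DLL with an exclusive share in both the 32-bit and 64-bit jre6 locations (a loaded image cannot be opened for write, so the open fails while a browser or jqs holds it) and lists the likely holder processes. The process names checked and the non-zero exit code are assumptions chosen for illustration.

```powershell
# Added example: pre-flight check for the locked MSVCR71.DLL condition that
# makes a silent JRE 6 update fail with "Error 25099". Returns exit code 0 when
# the install can proceed, 1 when the DLL is locked (assumed convention so a
# wrapper can defer the install and retry later).

# jre6 is the shared patch-in-place directory; on x64 the 32-bit JRE lives
# under Program Files (x86), so both locations are checked.
$dllPaths = @(
    (Join-Path $env:ProgramFiles 'Java\jre6\bin\MSVCR71.DLL'),
    (Join-Path ${env:ProgramFiles(x86)} 'Java\jre6\bin\MSVCR71.DLL')
) | Where-Object { $_ -and (Test-Path $_) }

# Processes the quoted thread names as holders (browser, jqs); javaw added as
# an assumption since any running applet/app keeps the runtime loaded.
$suspectProcesses = @('iexplore', 'firefox', 'chrome', 'jqs', 'javaw', 'java')

function Test-FileLocked {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # Exclusive read/write open fails with a sharing violation while the
        # DLL is mapped into another process; that is exactly the install blocker.
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::ReadWrite,
                                     [System.IO.FileShare]::None)
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    } catch [System.UnauthorizedAccessException] {
        # Not a lock; the deployment account lacks rights, report separately.
        Write-Warning "Access denied opening $Path; run as the deployment account."
        return $false
    }
}

function Get-LockHolder {
    # Lists running processes from the suspect list; it does not prove which
    # one holds the DLL, but tells the operator what to close or wait for.
    Get-Process -Name $suspectProcesses -ErrorAction SilentlyContinue |
        Select-Object Name, Id, StartTime
}

$locked = @($dllPaths | Where-Object { Test-FileLocked -Path $_ })

if ($locked.Count -eq 0) {
    Write-Host 'MSVCR71.DLL is not locked; silent install can proceed.'
    exit 0
}

Write-Host "Locked: $($locked -join ', ')"
$holders = @(Get-LockHolder)
if ($holders.Count -gt 0) {
    Write-Host 'Likely holders:'
    $holders | Format-Table -AutoSize
}
# Defer rather than start an install that will stop halfway through core.zip.
exit 1
```

Wrapped around the Oracle MSI in an SCCM program, this turns the silent failure described above into a clean "not now" result that the deployment can retry on the next maintenance window, without resorting to STATIC=1.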

After all that, I went back to deploying through SCCM Software Distribution rather than SCUPing a software update.