Archive for the ‘General’ Category.

How do you know my password?

I don’t plan to mention every security related thing I see in TV, but this one made me chuckle.

On The Finder, a new show on Fox, Michael Clarke Duncan’s character finds another character logged into the computer as him.   He asks in his booming voice, “How do you know my password?”

The answer, “you say it to yourself as you type it in.”

I’ve caught myself doing that a few times.   The worst is when the password is a phrase from a song.

ProxyClient, Error 400 and MS12-006

This is just a case of bad timing.

Back in August, BlueCoat implemented some changes to the BlueCoat WebFilter.  It introduced some new categories and renamed some other categories.   On the ProxySG, no change was necessary for the renamed categories.   However, for ProxyClient (the client side install that provides protection when off the corporate network), you needed to manually update the config.

Unfortunately for us, no one bothered to update that config.   While reviewing some BlueCoat best practices, I double-checked our existing settings and found that we still had the old categories selected in ProxyClient.  I made the required changes and saved to server.   On my client, I ran the updater and got an error back, “Received status 400 from server”.   I received the same error testing directly from my browser.

When I opened a case with support, they directed me to a Technical Alert – ProxyClient Installation is Failing with HTTP 400 response from server.   I’d seen that before running into this problem, but hadn’t read it since I wasn’t installing ProxyClient.   I didn’t remember the error 400 tie-in.   It turns out the problem occurs when making the SSL connection from the client to the server to pick up the configuration.   This is true of a new install or an updated configuration.

The cause of the problem is MS12-006.   Since this contains SSL fixes for the BEAST vulnerability, I’m going to have to ignore BlueCoat’s suggested workaround of uninstalling the Microsoft security update.   Not sure if this can be fixed with a new ProxyClient version or if I’ll be waiting for a ProxySG release which would involve much more testing.

DreamHost Database Intrusion

“Prevention is ideal but detection is a must.”

That is what my immediate reaction was to DreamHost announcing it has detected an intrusion.   I love that.

How many companies would even notice before all their customers were calling asking why they were owned?

How many companies would refuse to talk about security incidents or blame the customer?

How many would take the PR hit to preëmptively perform password resets immediately instead of waiting until the investigation was complete?   A week, or a month from now we could know that the passwords weren’t gotten, but in an abundance of caution action is taken now to prevent damage.

Maybe I’ve drunk the Kool-Aid, but I think DreamHost did the right things from the reports I’ve seen.

Does Anybody Really Know What Time it is

Does anybody really care (about time)?

This Chicago song came to mind for today’s blog post about NTP.

I was walking down the street one day.   OK, I’ll stop.   I was reviewing my firewall logs and I noticed systems going to external services for NTP.

It is best practice (and company policy) for all systems to be using the same time source.  It is very difficult to match up logs from different systems when they may have different times.

It turns out there were two problems at play.   The first is default configurations.   People setting up specific equipment didn’t update NTP, or assumed that because it was set on one system it would replicate to the other appliances that were part of that “group”.   The other thing that happened was an issue with the internal NTP server that caused the Unix admin to point his servers elsewhere for time.

Your internal NTP server needs to be rock solid.

Another item that still needs to be addressed here, is secondary NTP.   People are going to the same primary NTP server and then using whatever was default on the device as the backup NTP.   Yeah, not such a good idea.
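The two findings above (hosts reaching external time services, and hosts with a single internal source plus whatever default backup the device shipped with) can both be pulled out of the firewall logs with a small script. The one below is an added example written for this post; it is not the author’s code or any vendor’s tool. It assumes a constructed key=value log format, a constructed pair of approved internal NTP addresses (10.0.0.10 and 10.0.0.11) and constructed sample lines, so adapt the regex and the approved set to your own firewall.

```python
"""Audit firewall logs for NTP traffic that bypasses the internal time servers.

Added example for this post, not the author's or any vendor's code. The log
format, hostnames and addresses are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed: the only time sources hosts are allowed to talk to.
APPROVED_NTP = {"10.0.0.10", "10.0.0.11"}

# Constructed firewall log lines in an assumed key=value style.
SAMPLE_LOG = """\
2012-01-20T10:00:01Z action=allow proto=udp src=10.1.2.30 dst=10.0.0.10 dport=123
2012-01-20T10:00:02Z action=allow proto=udp src=10.1.2.30 dst=10.0.0.11 dport=123
2012-01-20T10:00:05Z action=allow proto=udp src=10.1.2.44 dst=10.0.0.10 dport=123
2012-01-20T10:00:09Z action=allow proto=udp src=10.1.2.44 dst=203.0.113.5 dport=123
2012-01-20T10:00:12Z action=allow proto=udp src=10.1.3.7 dst=192.0.2.20 dport=123
2012-01-20T10:00:15Z action=allow proto=tcp src=10.1.3.7 dst=198.51.100.9 dport=443
2012-01-20T10:00:20Z action=allow proto=udp src=10.1.5.9 dst=10.0.0.10 dport=123
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def ntp_peers(log_text):
    """Map each source host to the set of NTP servers (UDP/123) it was seen using."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not match the assumed format; skip it
        if m["proto"] != "udp" or m["dport"] != "123":
            continue  # not NTP
        peers[m["src"]].add(m["dst"])
    return dict(peers)


def audit_ntp(log_text, approved=APPROVED_NTP):
    """Return hosts using unapproved time sources and hosts lacking a second approved one.

    The log window may not show every server a host is configured with, so
    treat "lacking_redundancy" as a lead to check the device config, not proof.
    """
    peers = ntp_peers(log_text)
    unapproved = {
        src: sorted(dsts - approved) for src, dsts in peers.items() if dsts - approved
    }
    lacking_redundancy = sorted(
        src for src, dsts in peers.items() if len(dsts & approved) < 2
    )
    return {"unapproved": unapproved, "lacking_redundancy": lacking_redundancy}


if __name__ == "__main__":
    result = audit_ntp(SAMPLE_LOG)
    for host, servers in sorted(result["unapproved"].items()):
        print(f"{host} uses unapproved NTP server(s): {', '.join(servers)}")
    for host in result["lacking_redundancy"]:
        print(f"{host} was seen with fewer than two approved NTP servers")
```

On the constructed sample, 10.1.2.44 is the case the post describes: one internal primary plus a default external backup, so it shows up in both findings. 10.1.3.7 never talks to an internal server at all, and 10.1.5.9 has the internal primary but no second approved source.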

WordPress 3.3.1 Released

If you haven’t logged into your WordPress today, this is news to you.   Version 3.3.1 has been released to fix an XSS vulnerability.

According to ThreatPost, this is only a vulnerability if you installed WordPress by browsing to the IP.   Most installs are hosted and you would browse to the site FQDN to install.   These systems aren’t vulnerable.

The update also fixed 15 bugs.   So review the release notes and determine if you need to update.   Or just do it.

Wi-Fi Protected Setup

Wi-Fi Protected Setup (WPS) is a method common on home access points for users to connect without having to type in a long encryption key.   Instead a PIN is printed on the access point and anyone with physical access can add themselves to the wireless.   This has always seemed kind of hinky to me so I disable WPS after all my devices are set up.

Research posted earlier this week by Stefan Viehbock reports WPS design flaws and implementation flaws that can result in an attacker accessing your network.

Flaw #1 – WPS is vulnerable to brute force attacks

Flaw #2 – The access point sends an authfail if the first half of the PIN is incorrect.   Uh huh.

A brute force tool has been written but has not been released at the time of this posting.
Where possible, users should disable WPS on their home access point when they are not actively adding new wireless clients.

F-Secure on Java

F-Secure generated a lot of traffic in the blogosphere with their post declaring Java harmful and better to not be installed on computers.   To me the only surprising part is the discussions this generated.   Isn’t this old news?   Principle of least privilege says to remove it if you don’t need it.   So when you’re regularly updating an application for security fixes it may be time to consider alternatives.

F-Secure links Larry Seltzer’s month without Java from 2010.   Brian Krebs posted a blog article around the same time recommending Java be removed.   I couldn’t find an earlier article, but I thought Krebs had been banging this drum for much longer.

Removing software you don’t need certainly lowers the attack surface area.   At work, I’d caution that you’re likely to find groups of users using Java for internal applications.   If you don’t put Java on your system image, they are going to install the ancient version of Java supplied by their application developer.   I found a couple of users with Java 1.6.0 update zero.   When I removed that and installed the latest Java 1.6, the application still worked fine.   If you’re actively patching your environment, having Java installed may not be that bad.

The articles linked mention alternatives such as only allowing Java to run on specific sites.   Sometimes I install Java only for use on my non-day-to-day browser.   I’m not sure either solution scales into the enterprise where you have to account for all sorts of computer literacy.

Santa Gets Hacked (video)

Take This Lollipop

Take This Lollipop was a viral video, interactive website that was released in time for Halloween.

I stayed away from it at the time since the site requires users to use Facebook Connect, the site was of unknown trustworthiness, and it seemed a bit silly to have to give access to my Facebook account to get a lesson in Facebook privacy.

Tonight I ran across a Dreamhost blog post where they interviewed the creator.   He was also behind the “elf yourself” website.   The site does not store data or post to your account.   This is in line with their posted privacy policy.

Suitably curious, I allowed the site to connect to my Facebook account.

If you wish to remain spoiler free, stop reading here.

Take This Lollipop is delightfully creepy.   The music and the filming location are perfect.   The video shows a stalker logging into my account.   That is what the account pull down menu indicated.   I’ve seen many people comment that they are going to tighten their privacy settings after watching this video.   If you think that, you’ve missed the point.   Not that there is necessarily a point being made.

Once in the account, he sees my pictures, my wall, my friends and my location.   Looks up my current city on-line (Google Maps?) and gets in his car.   As he exits the car you see he has my profile pic taped to the dashboard.   The video ends suddenly.

I was really expecting the video to make use of Google Streetview.   I don’t believe that could actually happen as I don’t recall Facebook having my street address.   Would have been off the hook nuts if they had pulled GPS info from the pictures in my Facebook account or made use of my Facebook Check-ins.

I found the video awesomely entertaining.   It would be orders of magnitude more disconcerting if I were a woman.   Just the same, I think I’ll double-check the locks tonight.   If you don’t have Facebook or are unwilling to do the Facebook Connect, you can watch someone else’s experience on Youtube.

It has been shown that people will give up their password (or at least pretend to play along and give A password) to get a chocolate bar.  In this case, even when you know a website is most likely trying to social engineer you into giving Facebook access to teach you a lesson, you’ll still give up that information when the hook is strong enough.   You want to see something entertaining your friends are all talking about so you give up information.  If there is any lesson here, that is what it is.   This app has nothing to do with you accidentally leaving all your photos set to public (although you should fix that); it only uses the access to your Facebook account that you specifically gave it.

To see the promised dancing bears, users will always compromise their own security.   And I did too.   But only after trusting the site owners to adhere to their privacy policy and seeing the list of Facebook actions allowed.   As a reminder, you should periodically check your Facebook application permissions and remove any that are no longer needed.   Since I don’t see a need to access this site again, I will go to Facebook, select application settings and apps, and click the X next to TakeThisLollipop to delete the application permission.  You can always add it back if you return to the site.

APSB11-27 Security Update for Shockwave MIA

Adobe released a security update for Shockwave last night bringing the current version to 11.6.3.633.

Unfortunately, the link to the MSI on the enterprise distribution page still has an older version of the update.   I thought we were past this nonsense with Adobe.   A couple of years ago this sort of thing was frequent.