Archive for the ‘Microsoft’ Category.

Authentium Command Antivirus False Positive

Authentium Command Antivirus on Friday detected a handful of Office documents as MSWord/Dropper.B!camelot. I ran a couple of the files through VirusTotal and found Authentium was the only company detecting the file as a virus. In some cases that would be a sign of being on the cutting edge of detection, but in this case it's a sign of a false positive.

Friday, I tried to submit the false positives to Authentium using the instructions on their site but received no reply. Today I followed up and was told that since I wasn't a customer, they had no interest in fixing their false positive. I could, however, report the false positive to Microsoft, who would then report it to them. Going to argue with Authentium support a bit more.

[update:]
This will be fixed in an update later today.   Frustration relieved.   Probably partially self-inflicted.

SCUP and Flash

I deployed Adobe Flash 10.1 through System Center Updates Publisher (SCUP). It's kind of sad how excited this makes me.

SCUP is a framework that allows you to integrate third-party update deployment into your SCCM/WSUS server.   Companies can provide a CAB file that you import into SCUP, approve updates and publish them to your SCCM server.  From there, to the SCCM admin they are deployed like any Microsoft patch.   The user experience is just like Microsoft patches as well.  

While I have only deployed SCUP in a test environment, I think it has the potential to reduce the work of deploying updates. A more consistent user experience can be achieved by deploying these updates through the same methods as Microsoft patches. Currently I have a separate wrapper script that tells the user an update is available. Even if I don't ultimately deploy all my patches using SCUP, I can use it to deploy Dell and HP BIOS, firmware and driver updates. As people try to do more with less, computers are being used longer, so it is more important not to ignore security and bug fixes in these items.

When you obtain a license to distribute Flash, Adobe sends you a link to download the MSI, EXE or CAB file. I pointed SCUP directly at the CAB file. The first time I tried to deploy to a client, the install failed. WindowsUpdate.log reported the error as 0x80070667. Google (or Bing) tells me that error indicates bad command line switches. The log file showed the switches as “/qn reboot=reallysuppress allusers=1 msirestartmanagercontro=disable reboot=reallysuppress”. That contains duplicate switches. I recalled a Jason Lewis blog entry recommending that the command line switches be left blank in the CAB file, because SCUP automatically adds silent install switches. After removing the command line switches in SCUP, I published the change back to SCCM, synced everything and Flash installed without any further problems.
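A check I would run on an update's command line before publishing it, added here as an example and not code from the original post or from SCUP: it tokenizes an msiexec command line and reports any switch or property that appears more than once, which is exactly what the log line above shows. The sample string is the one recorded in the post; the function name is my own.

```powershell
function Test-MsiCommandLine {
    param([Parameter(Mandatory = $true)][string]$CommandLine)

    $switches   = @()
    $properties = @{}
    $duplicates = @()
    $unparsed   = @()

    # Split on whitespace but keep PROP="value with spaces" together as one token.
    $tokens = [regex]::Matches($CommandLine, '(?:[^\s"]+|"[^"]*")+') | ForEach-Object { $_.Value }

    foreach ($token in $tokens) {
        if ($token -match '^[/-]') {
            # msiexec option such as /qn or /norestart
            $key = $token.ToLowerInvariant()
            if ($switches -contains $key) { $duplicates += $key } else { $switches += $key }
        } elseif ($token -match '^([A-Za-z_][A-Za-z0-9_.]*)=(.*)$') {
            # PROPERTY=value pair. MSI property names are case-sensitive, but the
            # comparison is deliberately case-insensitive so REBOOT= and reboot= both get flagged.
            $name = $Matches[1].ToUpperInvariant()
            if ($properties.ContainsKey($name)) { $duplicates += $name } else { $properties[$name] = $Matches[2] }
        } else {
            $unparsed += $token
        }
    }

    [pscustomobject]@{
        Switches   = $switches
        Properties = $properties
        Duplicates = @($duplicates | Select-Object -Unique)
        Unparsed   = $unparsed
        IsValid    = ($duplicates.Count -eq 0 -and $unparsed.Count -eq 0)
    }
}

# The switches WindowsUpdate.log recorded in the post, with reboot=reallysuppress set twice.
$logged = '/qn reboot=reallysuppress allusers=1 msirestartmanagercontro=disable reboot=reallysuppress'
Test-MsiCommandLine -CommandLine $logged | Format-List
```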

While I haven’t used SCUP in-depth yet, I am excited about what I do have in place.   My thanks go out to Jason Lewis, Program Manager at Microsoft,  for his great blogcasts showing how to set up SCUP.   I also found a PDF from Dell – Dell Catalog to Support Microsoft System Center Configuration Manager for Dell Hardware Updates by Dustin Orrick and Angela Qian to be very helpful.

50 Percent of Enterprise XP running SP2

According to Qualys, 50% of enterprise Windows XP computers are still running Service Pack 2. This was reported by Byron Acohido in a USA Today article.
This matters because Microsoft will stop providing security patches for computers with this service pack in July. If you're running XP, you must have Service Pack 3 to continue to get operating system and IE patches.
These issues don't just occur with operating systems. You need to keep your Office applications and other MS apps up to date on their service packs or eventually you'll find yourself not getting updates. For home users, Windows Update will take care of that. But in a corporate environment where updates are managed, the patch admin might not “approve” all needed service packs. If you don't have a secondary method of checking for patches (e.g. Qualys) you won't know you're out of date. An individual in a corporate environment could run Windows Update (select the option to go against the Microsoft server rather than the internal server) or run MBSA. Even if you don't tell MBSA to run using Microsoft's server, it will tell you if a patch isn't approved by your administrator.
The end of life for Windows 2000 (all versions) and Windows XP prior to SP3 has been out there for a while. I've been using Forescout to find people running old service packs, so we've caught everyone up on XP and Vista service packs. Windows 2000 still lingers on a couple of servers. An upgrade this weekend should take care of one of those.
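A secondary check of the kind the post describes, added here as an example (not code from the original post or from any of the products named): it queries the Win32_OperatingSystem WMI class on each computer and flags the two cases the post calls out, Windows 2000 (version 5.0) and Windows XP (5.1) below Service Pack 3. It assumes RPC/WMI access to the targets with an account allowed to query them; the computer names are constructed.

```powershell
function Get-ServicePackStatus {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($c in $ComputerName) {
        try {
            # Get-WmiObject is the Windows PowerShell cmdlet; on PowerShell 7 use Get-CimInstance.
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Computer = $c; OS = $null; ServicePack = $null; Status = 'UNREACHABLE' }
            continue
        }

        # Version is "major.minor.build": 5.0 = Windows 2000, 5.1 = Windows XP.
        $release = ($os.Version -split '\.')[0..1] -join '.'
        $sp      = [int]$os.ServicePackMajorVersion

        $status = switch ($release) {
            '5.0'   { 'EOL: Windows 2000 (all editions)' }
            '5.1'   { if ($sp -ge 3) { 'OK' } else { "EOL: XP SP$sp, needs SP3" } }
            default { 'NOT CHECKED' }   # later releases are outside the scope of this check
        }

        [pscustomobject]@{ Computer = $c; OS = $os.Caption; ServicePack = $sp; Status = $status }
    }
}

# Constructed names; in practice pipe in the computer list from AD or a NAC export.
Get-ServicePackStatus -ComputerName 'WKS-0001', 'WKS-0002' |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize
```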

Patch Tuesday

Here's a roundup of Patch Tuesday.
Microsoft Patches
There are two patches this month from Microsoft: one in Outlook Express/Microsoft Mail, and one in Microsoft Visual Basic for Applications.
Adobe released an update for ColdFusion and a security update for Shockwave; the latter is listed as critical.
Not a bang-your-head-on-the-desk month like last month, but I could have gone a month without updating an Adobe product.

BitLocker vs Third Party FDE

Like many organizations, we skipped Vista. So with Windows 7 we are facing the question: is Windows 7 good enough, or do we still need to pay for a third-party full disk encryption (FDE) product?
This question was asked back in 2006 at the SANS Desktop Encryption Summit. The FDE vendors felt their products were better because:
1. Better management tools
2. Mature product
3. Multiple OS support
4. No requirement for a TPM
BitLocker is no longer a first-gen product. Let's look at today's reasons for purchasing or continuing to use a third-party FDE product.
BitLocker Minimum Requirements
“BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk, so you must have either a computer with a Trusted Platform Module (TPM) or a removable USB memory device.”
USB memory devices would tend to be stored in the laptop bag, so that isn’t a secure solution.
TPMs are an additional thing to manage. Perhaps it’s not as difficult as I envision. When I did a WAVE eval, I had to go into the BIOS to enable the TPM and set a master TPM password. That doesn’t scale.
“The computer must have been configured with an additional separate active partition to be used as a system partition.”
This extra step now happens automatically, so I don’t think that is a big deal.
“The BIOS must be compatible with TPM and/or support usb devices during computer startup”
It may be necessary to upgrade the BIOS. While probably not an issue on the newer computers we would be using, this could be an issue on upgrades in place.
None of these prerequisites is particularly burdensome. However, the list leaves out one key minimum requirement: Vista or Windows 7 Enterprise. Our XP systems would still be on the current FDE product, requiring two management methods.
Other BitLocker Considerations
1. Provable Encryption
With the current FDE product, if a computer is lost I would be able to tell that it was actually encrypted when it was last seen on $date $time. Can BitLocker say the same? I don’t know.
Many states have an encryption safe harbor, meaning that if the lost system was provably encrypted, breach notification provisions do not apply.
2. Usability
The current FDE product syncs the domain password to the pre-boot environment. The user does not need to know a second password. The normal password requirements apply.
With BitLocker the PIN is just that. An enhanced PIN can be required, but it is possible that some system BIOSes will not support alphanumeric entry in the pre-boot environment. Does this PIN ever expire? It doesn't seem like it.
3. Recoverability
The standard recovery method is to use a recovery password. This is a 48-digit number backed up to Active Directory. Enjoy typing that in when the user forgets their password.
This method is not FIPS compliant and must be disabled. Instead there are two other options.
A recovery key is a 256-bit key that is saved to a flash drive. This must be done by the end user, and they need to store the key securely. Obviously that isn't enterprise ready.
The third option is a data recovery agent. A public key is distributed to all BitLocker-protected devices. Someone with the matching private key (e.g. me) would need to be physically present at the computer. Apparently even then the OS drive must be installed in another computer running Windows 7 as a data drive.
So basically no recovery option works for us.
4. Standby
BitLocker protection is in effect only when the computer is turned off or in hibernation.
Our current FDE product protects in standby, hibernation or when the computer is off.
5. Enterprise Manageability
While BitLocker has caught up with third-party encryption products in its ability to encrypt USB drives, there are still other areas where FDE vendors shine. Many FDE vendors can also encrypt phones and manage hardware-based encryption products. It's a lot more convenient to manage these devices through one vendor.
From my limited reading it seems that there are still a number of items that argue for the continued use of a non-Microsoft FDE product.

Message Encoding and Blackberry

Last week a user reported trouble reading a message on his Blackberry. He would get the error “This S\MIME message was formatted using an encoding that is not supported on handheld.” He could still read the message correctly in Outlook 2007 and in Outlook Web Access.
It turned out the common factor in the problem was him. On his Blackberry, he couldn't read S/MIME signed messages where people were replying to him. Others couldn't read his S/MIME signed messages on their Blackberry.
Since the error referred to the encoding of the message, I wanted to see what the encoding was. The headers in Outlook didn't seem to include that, so I opened the message in Thunderbird. There it was clear that the message body encoding was Cyrillic. Kind of weird that the Blackberry reads the message just fine if it's not digitally signed but gets the error above when it is digitally signed.
RIM wasn't much help. Their support gave the same answer found in a knowledge base article. Their choices are:

  • Do not sign and encrypt the message.
  • In Microsoft Outlook, go to Tools > Options > Mail Format > International Options and select Auto select encoding for outgoing message.
  • In Microsoft Outlook, go to Tools > Options > Mail Format > International Options > Preferred encoding for outgoing message and select Unicode UTF-8 encoding.

Not signing the email isn't much of a solution. I worry that changing the encoding options in Outlook would affect the readability of email in other situations.
Microsoft has an article on configuring message encoding options in Outlook 2007. There we read that “Outlook uses automatic message encoding by default, scanning the entire text of the outgoing message to determine a minimal popular encoding for the message. Outlook selects an encoding that is capable of representing all of the characters and that is optimized so the majority of the receiving e-mail programs can interpret and render the content properly.” The KB has a table showing supported encodings and whether they are considered for autoselection by Outlook. The article does not state whether we could remove an encoding option, however.
Through some trial and error, I found that the problem was in the signature (the footer, not the digital signature) of the person reporting the problem. He had used what looked like a pipe to separate portions of the signature (like Title and Company). It wasn't a pipe; it was actually a character inserted through the Symbol key. If I replaced this symbol with a standard pipe character the problem went away completely.
While this was a quick fix for this user, it's not very satisfying. Most likely this user saw someone else's signature and copied it for his own use. I doubt this user was using ASCII codes or hitting the Symbol button. If others did the same they would have the same issue. I prefer a better solution to putting it in our KB for the next time it gets reported.
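Since Outlook picks the smallest encoding that covers every character in the message, the useful check is which characters in a signature fall outside the Western European code page (Windows-1252) that plain English text would otherwise get. The script below is an added example, not code from the original post or from Microsoft or RIM: it reports each such character with its code point and replaces a short list of known pipe lookalikes with an ASCII pipe. The signature text, the lookalike table and the function names are my own assumptions.

```powershell
# Windows PowerShell has code page 1252 built in; on PowerShell 7 register the provider first:
# [System.Text.Encoding]::RegisterProvider([System.Text.CodePagesEncodingProvider]::Instance)
function Find-NonCp1252Chars {
    param([Parameter(Mandatory = $true)][string]$Text)

    # Encoder that throws on an unmappable character instead of silently substituting '?'.
    $strict = [System.Text.Encoding]::GetEncoding(1252,
        (New-Object System.Text.EncoderExceptionFallback),
        (New-Object System.Text.DecoderExceptionFallback))

    for ($i = 0; $i -lt $Text.Length; $i++) {
        $ch = $Text[$i]
        try { [void]$strict.GetBytes([string]$ch) }
        catch {
            # Characters outside the BMP show up here as two surrogate halves.
            [pscustomobject]@{
                Position  = $i
                Char      = $ch
                CodePoint = 'U+{0:X4}' -f [int]$ch
                Category  = [System.Globalization.CharUnicodeInfo]::GetUnicodeCategory($ch)
            }
        }
    }
}

# Characters that render like '|' but are not in Windows-1252 (constructed list).
$pipeLookalikes = @([char]0x2502, [char]0x2503, [char]0xFF5C, [char]0x2223, [char]0x01C0)

function Repair-PipeLookalikes {
    param([Parameter(Mandatory = $true)][string]$Text)
    $clean = $Text
    foreach ($hit in (Find-NonCp1252Chars -Text $Text)) {
        if ($pipeLookalikes -contains $hit.Char) {
            $clean = $clean.Replace([string]$hit.Char, '|')
        }
    }
    return $clean
}

# Constructed signature: the separator looks like a pipe but is U+2502 (BOX DRAWINGS LIGHT VERTICAL).
$signature = 'Jane Doe ' + [char]0x2502 + ' Security Engineer ' + [char]0x2502 + ' Example Corp'
Find-NonCp1252Chars -Text $signature | Format-Table -AutoSize
Repair-PipeLookalikes -Text $signature
```

Anything the first function reports that is not a lookalike (a real accented name, say) is left alone on purpose, since replacing it would change the author's text rather than fix a copy-paste artefact.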

Zscaler protects against IE Zero Day

On Tuesday, as seems to be the custom, Microsoft released patches and announced a new zero day in Internet Explorer. MSKB 981374 is a remote code execution vulnerability in IE6 and IE7. Who knew that being on IE5 could ever be a good thing.
The KB says Microsoft released details to vendors in its Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA) programs in order to provide protection to customers.
Within one hour Zscaler had protection in place for its customers. Zscaler is a web security company offering its service in a SaaS model. I would see them competing with Scansafe, Purewire and MessageLabs as well as any company trying to get you to put security appliances on your network for web security (Bluecoat). Strangely, I didn't get email from any of those vendors bragging that they are protecting their customers against this zero day. If they were protecting their customers, would there be any reason not to use it for PR? It's not like they are making an Oracle Unbreakable (or was that Apple Unbreakable) claim.

Microsoft Security Advisory for Flash

Microsoft published a security bulletin for Flash 6 which is included in Windows XP. MSKB 979267 recommends removing Flash 6 and installing the latest version of Flash from Adobe.
Maybe it's just me, but since Microsoft included Flash 6 in the default XP install, shouldn't they be responsible for patching it? Flash should be part of Microsoft Update.
Fortunately Flash 6 is ancient. I believe a lot of Flash content will prompt you to upgrade to Flash 8 or 9 rather than allow you to use such an old version. Even so, a lot of vulnerable Flash remains.

Journalism in a pay per click world

I've had my own rants about the tech media. I particularly enjoyed Ed Bott's ZDNet article on “What the Black Screen of Death Story says about Tech Journalism”. Check it out.

Local Admin Rights

We have the beginnings of a Windows 7 deployment project. As part of that I’ve been asked to develop a presentation for the director regarding local admin rights.
At our company it seems local admin rights is sacrosanct. On the other hand, I was once told Universities couldn’t have firewalls because of academic freedom. Now I understand that is no longer the case.
We last tried limiting user rights under Windows 2000. That involved a limited group of users, mostly secretaries and the corporate division. It fell apart quickly as the helpdesk was able to give users admin rights to get around problematic applications rather than taking the time to fix the application.
Application and operating system support for limited-rights accounts has improved significantly since Windows 2000. Nevertheless it remains a political and technical hot potato.
The Federal Desktop Core Configuration (FDCC) requires the use of limited rights. This process is more about reminding senior management of the problems with users doing whatever they want, and getting them to sign a waiver for the FDCC requirement.
Right now I have what I think is mission impossible.
1. Demonstrate the problems caused by users being able to do whatever they want. Unfortunately our helpdesk is allowed to work without recording tickets accurately. Also, virus incidents are not fully investigated, so it is impossible to say that X virus incidents occurred because the user was an administrator or that Y systems were reloaded because the user installed a bunch of crap.
2. Show that our customer (the Federal government) is not giving users local admin rights. I can say what is required. But I really have no connection into the CSO office at each customer to determine their FDCC compliance.
3. Show that companies like us are limiting local user rights. Again, I'm not sure how I can do this. I don't see a Gartner report on this.
I have a month to put this together so we’ll see what I can come up with.