
Say that Again

In an episode of Community a couple of weeks ago, Britta was laughed at for pronouncing bagel with two Gs ("bag-gle"), as in, rhymes with "haggle."
I found it hard to believe that anyone could possibly pronounce it that way and think it was right (although I've since read a NY Mag recap of the episode, and that actually happens in New York).
Read more: Community Recap: Pool Party — Vulture http://nymag.com/daily/entertainment/2010/03/community_recap.html#ixzz0iDAkjftM
Bringing this post back to information security: over the years I've found that I have words that I can't say right. When you generally only see a word on paper, you can easily make up your own pronunciation, and then get embarrassed at the trade shows later.
Retina. You'd think since the product is from eEye I'd be able to pronounce it. I always say it "Ret-tina."
Ethereal. I always said it "ether-real," you know, like Ethernet. Apparently everyone else says it like the word meaning "lacking in material substance." Of course, now we all pronounce it "Wireshark," so it's not such an issue anymore.

The Mentalist and Iris Readers

Eric Cole told a story of an engagement where a security bigwig was showing off on a tour of their facility. The bigwig was very proud of his biometric iris readers that protected access to the data center. That is, until Eric put his eye up to the reader and was granted access. It seems the iris readers had a troubleshooting mode where any eye was accepted. In their implementation, no one had ever verified that the iris reader correctly denied access to an unenrolled eye. If they had, they would have investigated this problem and turned off the troubleshooting mode.
I was reminded of this story this week as I watched CBS' The Mentalist. A bored Jane put his eye in front of the reader, and suddenly the door that shouldn't be opened was opened.
I blogged about Eric's story once before in a post about an airport security

Woman steals WiFi, demands Leo Laporte return it to her

People’s sense of entitlement about things they are stealing.

Patching Adobe Acrobat and Reader

Adobe Reader 9.3.1 is an .msp file that can only be applied to Adobe Reader 9.3. So what to do about the users that hadn't installed 9.3 yet? I really didn't want them to install 9.3 and then have 9.3.1 install immediately after that. That sort of thing sets user revolt in motion.

So I searched and found an Adobe TechNote on deploying Adobe Acrobat and its quarterly updates in one install.
If you've used MSPs before, you're probably already familiar with how to do this: pass the patch list in the PATCH property and the customization transform in TRANSFORMS.

msiexec.exe /i "[UNC PATH]\AcroPro.msi" PATCH="[UNC PATH]\AcroProStdUpd910_T1T2_incr.msp;[UNC PATH]\AcrobatUpd912_all_incr.msp" TRANSFORMS="1036.mst"

So I went to town, stringing together the path to all the MSP updates. Good Lord! There are a lot of them.

So after I did that for Reader and Acrobat 9, and tested it all out, I found another Adobe TechNote: "Install Acrobat 9 and all patches in one step with Adobe Bootstrapper (Setup.exe) and patch sequencing". This method is much easier. No mistakes with quotes in the command line. Users installing from the file server can just run the same setup.exe they always have rather than running a .bat file. The same problem exists as before, though: if they run the MSI directly instead of setup.exe, not only do they not get the custom config (the MST), now they also miss the patches.

This article has you list the patches in setup.ini. You just add the list of patches to the [Product] section:

[Product]
PATCH=AcroProStdUpd910_T1T2_incr.msp;AcrobatUpd912_all_incr.msp;AcrobatUpd913_all_incr.msp

This is really awesome. Now when my helpdesk installs Adobe Acrobat 9, they won't accidentally leave the user at 9.0.0, the version of the original install files. And when we upgrade Adobe Reader, it will be a lot easier for the users.

Unfortunately my day didn't end there. I looked at our deployed systems. While there was very little Adobe Reader 8 (so I can skip that), we actually have more Adobe Acrobat 8 installed than Acrobat 9. So I sat down to recreate what I did for Acrobat 9. Guess what, it didn't work! After trying many different things, I stumbled across another TechNote: "Install all Acrobat 8 patches in one step with Adobe Bootstrapper and patch sequencing". Apparently the Adobe Bootstrapper (setup.exe) on my 8.1 CD was customized. Once I downloaded the setup.exe linked in that TechNote, it worked. I was able to run the Adobe Acrobat 8 setup.exe and install the current 8.2.1 version.

Up next is writing a script to install Acrobat patches for the users. Currently, because it's not standard software, we ask the users to do the updates themselves.
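For the msiexec route above, here is an added example (not the post author's script or anything from Adobe's TechNotes) that builds the PATCH= chain from the .msp files on a share, so the quoting is never typed by hand, and then checks that the installed version is no longer the base 9.0.0. The share path, the sort-by-name patch order and the log location are assumptions; the 1036.mst transform name is the one used in the post.

```powershell
# Assumed share layout: AcroPro.msi, 1036.mst and all *.msp patches sit in $Source.
$Source    = '\\fileserver\software\Acrobat9'   # assumption, not from the post
$Transform = '1036.mst'                          # transform name from the post's command line
$Log       = Join-Path $env:TEMP 'AcroPro-install.log'

# Collect the patches in the order they are to be applied. Sorting by file name is an
# assumption; confirm the order against Adobe's patch-sequencing TechNote for your set.
$patches = Get-ChildItem -Path $Source -Filter '*.msp' | Sort-Object Name |
           ForEach-Object { $_.FullName }
if (-not $patches) { Write-Warning 'No .msp files found; only the base version will install.' }

# msiexec takes ONE PATCH= property: a semicolon-separated list, quoted once around the
# whole value. Building it here avoids the mismatched-quote mistakes the post mentions.
$patchArg = if ($patches) { 'PATCH="' + ($patches -join ';') + '"' } else { $null }

$arguments = @(
    '/i', "`"$Source\AcroPro.msi`"",
    $patchArg,
    "TRANSFORMS=`"$Source\$Transform`"",
    '/qb!',                     # basic progress UI without a cancel button; /qn for silent
    '/L*v', "`"$Log`""          # verbose log for the helpdesk when something goes wrong
) | Where-Object { $_ }

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru
# 0 = success, 3010 = success but a reboot is required; anything else needs the log.
if ($proc.ExitCode -notin @(0, 3010)) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $Log"
}

# Verify the patch chain actually took: read DisplayVersion from the Uninstall keys
# (both native and Wow6432Node) rather than trusting the exit code alone.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$acrobat = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Adobe Acrobat 9*' } |
           Select-Object -First 1

if (-not $acrobat) {
    throw 'Acrobat 9 not found in the Uninstall registry keys after install.'
}
if ($acrobat.DisplayVersion -eq '9.0.0') {
    throw 'Acrobat is still at base version 9.0.0: the PATCH= chain was not applied.'
}
Write-Output "Installed $($acrobat.DisplayName) version $($acrobat.DisplayVersion)"
```

Run it from an elevated PowerShell session, since msiexec needs to write to Program Files and HKLM.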

Up next after that is the next Adobe security updates. I’m sure there are some just around the corner like the Adobe Download Manager bug.

Dumb Ideas in Pentesting

Today's SANS Diary reminded me of something that happened a while back.
The SANS entry New Risks in Penetration Testing was concerned that the reputation score of an IP address could be affected by pen testing from that address. I guess someone is taking the old SenderBase concept and applying it to all traffic.
The helpdesk received an issue a while back about an inability to communicate with a government website. After checking it out, it looked like they were blocking our external IP. We communicated with the government people and confirmed that their ISS IPS appliance had automatically blocked our IP because we were attacking them. I checked the logs and found that one of our people who pentests for a living had done some probing for XSS on a WordPress blog hosted on the government site. I turned that over to someone else to find out whether he had authorization to be doing that.
Probing other companies from your company's main IP address is not such a good idea.

Dear Abby on Password Secrecy

Today's Dear Abby contained a letter about passwords. It's the third letter at this link.

The letter writer warns against sharing your passwords with anyone. The writer recounts instances where a password shared at one point in a relationship becomes a weapon when the relationship turns sour. People, after the divorce is finalized you need to make sure your ex doesn’t have your bank passwords.

I didn't expect to be getting security advice from Dear Abby. If these people had followed the standard security advice to use different passwords for each account and change them regularly, that alone would have prevented this breach.

Mozilla Firefox 3.5.6

Another Christmas gift from a software vendor.
Mozilla has released updates for Firefox. The current versions are now 3.5.6 and 3.0.16.
Their security advisories are here.
Three of the updates are rated as critical.

Tech Support Engrish

“Are on the Internal network where the following IP addresses are reachble?”
How's that again? The funny thing is, when I glanced at this question on my BlackBerry I didn't even notice anything was wrong.

Shmoocon 2009

I'm at ShmooCon 5 this weekend. It's my third time down there (I missed 1 and 3). Always a good time.
This year's event has 1500 attendees, 40% more than last year, and 30-ish talks chosen from 100 submitted.
The opening remarks kind of paralleled what I’ve been thinking lately. The stakes are high. Yet any sort of targeted attack has a great chance of succeeding. Many of our defenses are the same layer repeated. “We’ve built a Maginot line…in depth.”

MS08-067 Worms on the March

I've seen reports from vendors and fellow users about MS08-067 worm infestations.
If you’re not patched, what are you doing here?