Recently in General Category

CVE-2010-0188 Adobe Exploit

| No Comments | No TrackBacks

The Microsoft Malware Protection Center reported earlier this week a sighting of a malicious PDF file exploiting CVE-2010-0188. Adobe released 9.2.1 and 8.2.1 in February.

Users can pull down the 'help' menu and click on 'check for updates' to ensure that they're running the latest version.

One lesson learned here is don't skip deploying a patch just because no exploits are out for it. It will leave you scrambling later.

Adobe's next scheduled Reader and Acrobat update is due April 13.

Adobe has released a Security Advisory for Adobe Reader and Acrobat (APSB10-07).

Adobe is planning to release updates on 2/16/2010 to resolve critical security issues.

Adobe has released a security update for Adobe Flash and Adobe AIR.

Common Sense

| 5 Comments | No TrackBacks

Does anyone really think that sneezing into your arm is common sense? I suspect that if you do you must have small kids and have been trained by some sort of Elmo video. I don't recall any mass agreement on sending snot flying into my shirt sleeve as a method of good hygiene.

At Shmoocon Bruce Potter compared the common sense of sneezing into your sleeve (to him apparently a good thing) with common sense security steps. Maybe he's right: a password policy is kind of like getting snot all over yourself.

My notes seem to have mangled the opening remarks from Shmoocon 2010. The general summary is that it's a waste to spend a boatload of money on security when you don't have your policies and procedures clear. You've got to start with the basics.

A password policy needs to be applied consistently across all systems. Often the development systems can be compromised and then used to hop back across to the production systems. The dev systems need policy as well.

Network segmentation is important. Soft gooey center anyone?

Auditing. If you aren't watching, how do you know something bad happened?

We laugh at the TSA, but they have far less fail in their results.

Shmoocon is this weekend. The city is starting to look like something from The Day After Tomorrow.

I live in the DC suburbs, and had considered grabbing a hotel room to take part in what has to be the craziest Shmoo ever. The hotel rates when I checked online were lower than the Shmoo rate. But then I'd still have to pay an insane rate for hotel garage parking. And the Donner party jokes were worrying me too. I could see the hotel running out of food and everything else being closed.

I drove into Ballston on Friday. In December Metro closed the above ground stations without a lot of warning. I knew they'd do it again if snow got to 8 inches; Ballston is the last underground station on the Orange line. Metro didn't close the above ground lines until 11 pm, so that move was unnecessary. The drive back from Arlington out to Clifton was fun.

Today there is no way I'm getting out, so I'm watching what I can on live streaming. I'll review my notes from yesterday and post if I can come up with anything semi-coherent.

January Patches

| No Comments | No TrackBacks

After a fairly light December patching load, January took no prisoners.

Microsoft's Patch Tuesday had just one patch, MS10-001. But they made up for that with an out of band update later in the month, MS10-002. They also put out a bulletin warning about old Flash installs.

Adobe and Oracle piggybacked on Patch Tuesday to release updates as well. Vendors pretend it's more convenient for people to get all their patches at once, but it's more about losing their own vulnerability announcements in the crowd. Adobe Reader is installed on most machines, so deploying Reader and Acrobat updates is kind of a big deal.

To keep admins on their toes, Adobe also released security updates for Shockwave and Illustrator.

Real Player kept its name in the news with a security update of its own. While it lacks its once ubiquitous presence, it is another thing to watch for.

Firefox released 3.6. Fortunately, this was about new features, not security fixes.

Apple, not wanting to feel left out, released a mega security update rolling up multiple patches.

Wireshark 1.2.6 came out with a couple of security updates.

If you're responsible for patching in the enterprise, it looks like you picked the wrong month to stop sniffing glue.

For home use, I use the Secunia Personal Software Inspector in advanced mode. They are now a bit better about prompting you to exclude directories like i386 to avoid nagging you about things that aren't a problem.

Adobe Shockwave Update

| 1 Comment | No TrackBacks

Adobe has released an update for Shockwave to patch security vulnerabilities. A security bulletin was released today.


As usual Adobe is giving enterprise admins the finger by advising that to upgrade Shockwave, you must first uninstall old Shockwave versions, reboot and then install the new version of Shockwave. Does anyone actually do that? I don't know about anyone else, but I try to minimize the disruption of my patching program. Part of that is limiting reboots. I can't think of another application that makes such unreasonable demands. Fortunately I've ignored rebooting while upgrading Shockwave and it hasn't caused me any major issue yet.

I also wonder where Shockwave fits into Adobe's security program. If it's so important that Adobe Reader only be upgraded on a planned quarterly basis, then why isn't Shockwave updated in the same predictable manner? (BTW, I don't find it helpful to have all my patches released on the same day. I don't find it feasible to deploy all these patches at the same time, so some items will not be patched as quickly. When a patch is released (assuming there wasn't already a zero day) there is a mad dash by the bad guys to reverse engineer the patch, find the vulnerable code, and develop an exploit. So releasing the patches any week other than the second week would be preferable.)

If someone finds a Flash zero day next week, I'm going to think someone declared an unofficial "Month of Adobe bugs".

TweetBrawl

| No Comments | No TrackBacks

Looks like Purewire has taken a page from AOL's AIM Fight and has put up Tweet Brawl.

AIM Fight attempts to determine how popular you are right this second by looking at your online buddies and their online buddies out to the third degree of separation. It actually uses people connected to you so you can't game the system by friending the world (like that stupid Luke Wilson AT&T ad).

TweetBrawl is merely follower based. The results aren't going to change unless someone loses or gains a lot of followers.

If you want to follow me at @infosectweet, maybe I'd have a chance of winning one of these things.

AdobeARM.exe

| 8 Comments | No TrackBacks

Back in October, I expressed my frustration with Adobe Reader updates. After updating Reader 8 and 9 too many times to count, suddenly in 9.2 I was left with more questions than answers. Part of that post was wondering what adobearm.exe was. That post is still strangely popular so I thought I'd post an update.

Adobe still has nothing about adobeARM.exe in its knowledgebase.
When you Google adobeARM.exe after finding the link for this site, you find some sites claiming adobeARM.exe is malware. Hard to believe since this file is part of the installation package from Adobe Reader.

The best info I've found is in this Adobe Forum thread.
Ignore the usual misinformation about Flash for ARM powered mobile devices, and the ubiquitous advice to just switch to FoxIT.

You find the same info that we had a commenter post in October. "AdobeARM.exe is a part of new Adobe Acrobat\Reader updater. If you manage updates yourself, it is absolutely safe to remove it from Run registry."

While this info is far from authoritative, I would suggest home users leave it alone. In corporations that manage updates, I'd continue to disable updates via the Adobe Tuner and remove this exe from the startup directory.

Do you have backups?

| 1 Comment | No TrackBacks

You don't have backups unless you have successfully recovered from them. Sometimes you just have to learn lessons the hard way if you don't take the time to learn them from others.

I've heard a lot of commercials lately pushing Mozy or Carbonite that pretty much guarantee that everyone has a hard drive failure at some point. This month the hard drive in my Dell Optiplex 755 at work gave up the ghost. Two weeks short of its end of lease. Very frustrating. But it was about to get more frustrating.

The enterprise desktop backup product we use is configured to back up the user profile, c:\data and c:\lotus. Unfortunately Vista is not a standard supported operating system at work, and the backup admin made a mistake when he configured the backup product to back up c:\users. It didn't back up my user profile at all. So all I have is the backup I made in July when I migrated from XP to Vista. So I'm out quite a bit of work.

This really makes me wonder about all of my data. The trust is just gone right now. For my work computers, should I be using Windows Easy Transfer to back up my files on a regular basis? Should I just take a Ghost image on a scheduled basis, so I can recover easily? Hmmm, side note, I should check the software inventory for evidence of users performing rogue backups with Carbonite/Mozy etc.

For my home computer, I realize that since I'm only using Mozy's free service I have a lot of MP3s and photos not backed up. That is important stuff to me. I also have never tested recovering even one file from Mozy. Need to do the due diligence.

Well, anyway, if you've read all this and you want to check out Mozy for your home backups, click on this link. We'll both get 256MB extra storage space once you start using Mozy. Like I said though, I'd suggest verifying even a rudimentary recovery.

It's so easy to assume that things work correctly. Most of us don't have the time to verify that other people have done their jobs correctly. But when it's going to really hurt if backups fail, it doesn't take that long to do a test restore. Particularly if you have access to initiate the restore yourself.

Facebook non-privacy settings

| No Comments | No TrackBacks

Facebook has rolled out new security settings this week. It seems designed to confuse and lead people into sharing more info than ever.

If you are one of the 20% of Facebook users who has adjusted their privacy settings previously, then Facebook will make your old settings the default but encourage you to change them. For everyone else the default security permission is Everyone. In an effort to be more like Twitter they want your status updates available to everyone: not your friends, not friends of friends, not your networks, not even just authenticated users. Every anonymous Internet user, including search engines, will be able to read your status updates. Like Twitter data, anything you post could be mirrored permanently somewhere else.

Of course the best policy is to not post anything to the internet you wouldn't want public knowledge. Web 2.0 security just isn't that trustworthy.

Graham Cluley has a good blog entry and video on his blog regarding these new Facebook privacy settings. That is geared for the average end user. Don't forget to check application privacy as well. I found that applications my friends use could see my birthdate. Not cool.

I was rather perturbed to find that I can't restrict the world from viewing the Pages where I'm a fan. These fan pages announce my beliefs, affiliations and preferences. Facebook says Everyone gets to see your "publicly available information. This includes your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages." I was kind of hoping this meant that there was a place where I could make that information not public. Unfortunately that is not the case. Check out this posting from the EFF (Electronic Frontier Foundation). According to the EFF, Facebook says my membership in a Page was already visible on a page so it's not different. I certainly see a difference. While before you might take the time to see if I was a member of a few controversial Pages, now you can see all my Pages. Hopefully this will change and I can make Page membership non-public.

If you use Facebook, take a moment to review your privacy settings.

Adobe Flash and Air Updates

| No Comments | No TrackBacks

As you've no doubt read other places, Adobe has released updates for Flash and AIR. The security bulletin can be read here, the software can be downloaded from adobe.com.

I've found a bunch of our users have installed Adobe Air. Either they downloaded Adobe Reader 9 with AIR on their own or someone has screwed up the Ghost load. I'm leaning toward investigating how to deploy AIR updates rather than just emailing the users needing the AIR update.

It sure would be nice if the Enterprise distribution page included the file version. I either have to download and unpack the MSI to see if it is the new version or use another tool to check the modified file date on the webserver. Using http://headerviewer.com/ I see the last modified date is November 16th so it looks like I'll be waiting a bit for the MSI version to be released.

Recently we implemented a product to do content control on email. One of the main uses I have is looking for Social Security Numbers (SSN) in outgoing email. I did not like what I found.

I expected to just find the occasional person emailing their SSN to a spouse for benefits enrollment. I've talked with people who said expect to find business processes that are mailing around SSNs like mad. I guess the result is somewhere in the middle.

It looks like part of having a government clearance is having your SSN emailed around in the clear. The Director of physical security says that when setting up a cleared visit at a Army base it is mandatory to email SSNs in clear text. I find this hard to believe.

People don't get what a social security number is. It's a (generally) unique identifier, but people use it as an authenticator.

The Social Security Administration reports (http://www.ssa.gov/pubs/10064.html) that:

Identity theft is one of the fastest growing crimes in America. A dishonest person who has your Social Security number can use it to get other personal information about you. Identity thieves can use your number and your good credit to apply for more credit in your name. Then, they use the credit cards and do not pay the bills. You may not find out that someone is using your number until you are turned down for credit or you begin to get calls from unknown creditors demanding payment for items you never bought.

Someone illegally using your Social Security number and assuming your identity can cause a lot of problems.

The Social Security Administration protects your Social Security number and keeps your records confidential. We do not give your number to anyone, except when authorized by law. You should be careful about sharing your number, even when you are asked for it. You should ask why your number is needed, how it will be used and what will happen if you refuse. The answers to these questions can help you decide if you want to give out your Social Security number.

Seems like the kind of thing you'd want kept secret. I know some people have given up. With the number of people that you legitimately (or not) give your SSN to, is it really just a lost cause? I'd say given the trouble that identity theft can cause, I'd take caution.

But that's the problem: even if you knew enough not to email your SSN to your buddy so he can get you into the White House Christmas tour, your manager is emailing your SSN and everyone else's so that access to a cleared facility can be arranged. Your tax preparer is emailing your 1040. Your dentist didn't wipe the hard drive before selling old equipment on eBay.

Ultimately you can only control what you control. Make sure surrendering your SSN is necessary. At this point I might even ask how it is stored/transported. Only provide the number over a secure medium.
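The outgoing-email SSN check described above, as an added example (my own code, not the product from the post): it matches the dashed, spaced and bare nine-digit shapes, rejects shapes the SSA never issues, only accepts a bare nine-digit run when an SSN keyword appears nearby, and logs just the last four digits so the alert doesn't leak the number itself. The sample messages and numbers are constructed.

```python
import re
from typing import List, Tuple

# Candidate SSN shapes: AAA-GG-SSSS, AAA GG SSSS, or a bare AAAGGSSSS run. The
# same separator must be used in both positions (\2), and no digit or dash may
# sit directly before or after the match, so phone numbers and longer IDs skip.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

# A bare nine-digit run is only flagged when one of these appears nearby;
# otherwise it is far more likely an order, account or tracking number.
CONTEXT_RE = re.compile(r"\b(ssn|social\s+security|soc\s*sec)\b", re.IGNORECASE)
CONTEXT_WINDOW = 60  # characters examined on each side of a bare match


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA has never issued: area 000, 666 or 900-999,
    group 00, serial 0000. Passing means 'could be real', not 'is real'."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def mask_ssn(serial: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the SSN."""
    return f"***-**-{serial}"


def find_ssns(text: str) -> List[str]:
    """Return masked SSNs found in text, in order of appearance."""
    found = []
    for m in SSN_RE.finditer(text):
        area, sep, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            continue
        if sep == "":
            # Bare run: demand an SSN-related keyword within the window.
            lo = max(0, m.start() - CONTEXT_WINDOW)
            hi = m.end() + CONTEXT_WINDOW
            if not CONTEXT_RE.search(text[lo:hi]):
                continue
        found.append(mask_ssn(serial))
    return found


def scan_outbound(messages: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """(subject, masked hits) for every message that carries at least one SSN."""
    alerts = []
    for subject, body in messages:
        hits = find_ssns(body)
        if hits:
            alerts.append((subject, hits))
    return alerts


# Constructed sample outbound messages (subject, body); every number is made up.
SAMPLE_MESSAGES = [
    ("Benefits enrollment",
     "Hi hon, HR needs my SSN for the form: 123-45-6789. Thanks!"),
    ("Cleared visit roster",
     "Visitors for Thursday:\nJ. Smith 078 05 1120\nSSN for A. Jones: 219099999\n"),
    ("Order confirmation",
     "Your order 987654321 shipped. Tracking: 1Z 999 AA1 01 2345 6784"),
    ("Test data",
     "Use 000-12-3456 and 666-34-5678 in the unit tests; both are invalid."),
]

if __name__ == "__main__":
    for subject, hits in scan_outbound(SAMPLE_MESSAGES):
        print(f"ALERT {subject!r}: {len(hits)} SSN(s) {hits}")
```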

Real or False Positive

| 3 Comments | No TrackBacks

Moments ago I received a virus alert for Downloader.SWF.Agent.bv on a user's web request.

Referer: http://www.real.com/player/index.html
Destination: http://ke-el.com/download/checkout_confirmation.php?s=ZJxmRSLB&id=3

That either means the user clicked on a link on real.com that took them to a virus page, or the virus page is an element of the real.com page. Either way, not good. I went to the real.com page and didn't see any funny business. It would be a good story if Real.com was infected. I think it had to be for my user to get this result, but I couldn't spot the trouble myself.

Next I checked out the ke-el site. Scansafe detected that page as Gumblar.x. I opened the page up using an online HTTP viewer and saw the following:
[Screenshot: ke-el.PNG]

Security Updates for Shockwave

| No Comments | No TrackBacks

Adobe has released Adobe Shockwave 11.5.2.602 to fix multiple security vulnerabilities.

You can install this version at http://get.adobe.com/shockwave/. If you've taken the time to license Shockwave for redistribution in your company, the MSI file isn't available on the licensed distribution site.

Understanding Risk

| 1 Comment | No TrackBacks

People tend not to prioritize their risks correctly. The SANS Top Cyber Security Risks report in September 2009 pointed out that people are not patching third-party applications or taking care of web servers correctly.

I recently ran across the image below (click for full size) that showed the number of deaths in the last 300 days broken down by category and compared that to the number of deaths for H1N1.

[Image: risk.jpg]

(Not sure who to credit for the image; it wasn't given to me in context. Here is the original link.)

Cisco buys ScanSafe

| No Comments | No TrackBacks

I was surprised to read this evening that Cisco is buying ScanSafe.

I have been evaluating Web SaaS vendors and looked at ScanSafe in September. To me ScanSafe has always been the market leader in web security as a service. I just had some issues that prevented us from going with them. According to a TechTarget article, this purchase brings Cisco into the Web SaaS market and should play well with their IronPort line. I hope this purchase improves both companies.

As was stated when Barracuda bought Purewire, this validates the web SaaS market. It seems to repeat the recent acquisition phase of email SaaS vendors. Is Zscaler now the odd man out, not yet having found a dance partner? I think not. There are still plenty of companies that think they need to buy into a SaaS presence.

VanMorrison.com Iframe

| 5 Comments | No TrackBacks

Saw a virus alert today. A user performed an AOL Search (that alone should be banned in our end user behavior policy) on "van morrison" (another termination offense). He/She clicked on a link for www.vanmorrison.com. The antivirus detected an iframe attack.

Manually looking at www.vanmorrison.com's source, I currently see an iframe loading 'http://iqsp.ru:8080/index.php'. Perhaps someone can remind me, aren't there sites like VirusTotal where you can send them a link and they'll tell you what's up? I haven't yet learned JavaScript deobfuscation, but that didn't look like good stuff was happening.

So I took a sacrificial lamb system (still dangerous, don't try this at home) and went to www.vanmorrison.com using various security systems to see what the result was.

Bluecoat - detected the virus on the site. Blocked Access to the entire site.
Scansafe - detected the virus on the site. blocked access to the entire site.
Purewire - site loaded. Wanted me to install Flash (seemed legit but I didn't do it). Java started up. I was prompted to download a file and run an ActiveX control. I chose not to install the ActiveX control, but I did download the file. It was a PDF file.

VirusTotal saw the PDF file first on October 16th (today is the 21st). Currently 13 out of 41 vendors are detecting this as a virus. Did I mention signature detection is dead dead dead.

Did you notice the link to the Russian site is on port 8080? I wonder how many HTTP security implementations are proxying 8080 traffic in addition to 80.

Update 10/23/09
I see Sophos and eweek have linked to this article. Thanks!

Pob is correct, the infection changed after I posted this entry. I went back yesterday to see if anyone had cleaned it. I found the site on Google's naughty list and the site had obfuscated code like the screenshots. Didn't check on it today.
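As an added defender-side example (my own code, not anything from the post or the vendors mentioned): a small Python audit that pulls the iframes out of a saved copy of a page's source and flags the three tells described above, an off-site host, a non-standard port such as 8080, and a hidden 0x0 or display:none frame. The HTML and hostnames are constructed for the example; a visible off-site ad frame is included to show that "off-site" alone is a weak signal.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a page (self-closing ones too)."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs: Dict[str, str]) -> bool:
    """0x0 / 1x1 frames and display:none are the usual injected-iframe disguise."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = attrs.get(dim, "").strip().lower()
        if val.endswith("px"):
            val = val[:-2]
        if val.isdigit() and int(val) <= 1:
            return True
    return False


def audit_iframes(html: str, site_host: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious iframe, with the reasons it was flagged.

    site_host is the hostname the page was fetched from; frames that load from
    anywhere else, use a port other than 80/443, or are hidden get reported.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings: List[Dict[str, object]] = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        reasons = []
        if parts.hostname and parts.hostname != site_host.lower():
            reasons.append(f"off-site host {parts.hostname}")
        try:
            port = parts.port
        except ValueError:      # malformed port such as "host:abc"
            port = -1
        if port not in (None, 80, 443):
            reasons.append(f"non-standard port {port}")
        if _is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate same-site player, one visible ad
# frame, and one hidden injected frame on port 8080 (placeholder hostname).
SAMPLE_HTML = """<html><body>
<h1>Tour dates</h1>
<iframe src="https://www.example.com/player/embed" width="640" height="360"></iframe>
<iframe src="https://ads.example.net/banner" width="728" height="90"></iframe>
<iframe src="http://bad.example.invalid:8080/index.php" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_HTML, "www.example.com"):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

A frame that trips all three checks is the one worth escalating; a visible off-site frame with no other tell is usually just an ad network.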

Email Security

| No Comments | No TrackBacks

Last Friday Purewire blogged about a fake Microsoft Outlook update that one of their employees received via email.

Typically when a security company blogs about an email virus they've seen in the wild, it's clear that it's something the research team found, or something that got through to a home address or to their wife's company etc. In this case I didn't see any attribution like that. In fact, the redacted cut and paste clearly shows it was sent to a @purewire.com address. That says to me Purewire's corporate email security is kind of lacking. Not the message you want to post to your company's blog.

A virus making it to an end user via email is not the sort of thing I would expect to see at my company, much less a security company. The email had a zipped attachment which contained an EXE file. That right there would have been stripped at many companies. How many times has an EXE in a Zip been a good thing? I'm not a big fan of stripping attachments, even by file type or extension. Regular readers know I recommend MessageLabs for email security. Obviously Purewire couldn't use them for email since they compete in the web SaaS space and just got bought by Barracuda.

So what type of email security does Purewire have currently? It looks like their mail server is Zimbra. I could be wrong from my two minutes of searching, but it appears that ClamAV is the antivirus protection used with Zimbra. As Steve Spurrier said when he coached the Redskins "not too good."

While I wrote this mainly to tease them, I am thinking now it's more serious. These guys expect me to send my web traffic through their SaaS towers. I need to believe their internal processes are mature.

Now they may come back and say that the message actually did get stopped before reaching a user's mailbox. That would render my post moot. But it doesn't say that now. It says "a Purewire employee received an email."

The 451 Group has a blog entry on Barracuda's purchase of Purewire. I am currently evaluating Purewire. This article had some tidbits I hadn't seen in other analysis.

I had noted that the Security as a Service webspace was getting a bit crowded. ScanSafe as this article notes is the granddaddy of them all. Anyone who uses MessageLabs for email should be checking them out. Webroot has an offering. ZScaler and Purewire are two names I'd come across this year. While it appeared a bit like Purewire latched onto the first warm body they could find, selling early does make sure you aren't left standing alone at the end of the night.

The 451 Group makes an interesting comment that perhaps BlueCoat would have been a better fit. That would have been very interesting to me. I'm not such a big fan of Barracuda. Vendors with radio ads are not targeting infosec people like me. That didn't turn me off on them so much as the backscatter they've caused with their (previous) default settings.

451 says Purewire has 200 customers. That is beyond small. Larger companies see a lot of web traffic. Even if something were going to escape detection, odds are good that it would be reported by another company first and protection added. Hopefully Barracuda will add more viability than Purewire has currently.

451 stated "bake-offs are the exception rather than the rule" in web security. I find that kind of hard to believe. As critical as web traffic is, people don't look at multiple vendors? It's so easy to set up an eval.

Ultimately my evaluation of this purchase is "at least it's not CA."

Adobe Reader update

| 15 Comments | No TrackBacks

If you've reached this post looking for info about adobearm.exe, check out a newer post here.

I am in Adobe update hell right now. Adobe released their quarterly security update for Adobe Acrobat and Reader and I have more questions than answers.

Adobe says that it is adding a dormant updater in Reader that they will use to test a new updater methodology. A post on another board mentions BITS. I suspect that is the new tech. I'd like to know: if I disable updates via the Adobe Customization (Tuner) tool, will that disable this new method as well? I haven't seen any info.

When 9.1 released, it was possible to download a version without Adobe AIR. I don't see that option anymore.

Adobe Reader 9.2 is both a full update and an msp (patch update). According to this, "The Adobe Reader MUI 9.2 patch can be deployed over any of versions 9.1.0, 9.1.1, 9.1.2, 9.1.3 directly." However I'm getting an error applying it to 9.1.3. A bit of searching finds this article. While it is talking about AIPs (Administrative Install Points), the consensus seems to be that you can't put 9.2 on 9.1.3 because it's a security patch.

And lastly, while tuning the full version of 9.2 for deployment, I found a new exe in the HKLM Run key. AdobeArm.exe is now starting at each boot. I typically delete reader_sl.exe when I'm creating an Adobe Reader install. I'd like to know what AdobeArm.exe is before I delete it.

Sorry about posting more questions than answers. I try not to do that too often. I'm off to check Adobe Forums for answers.

This week numerous sources reported on news that Comcast will deliver popups to alert customers with infected machines.

I agree with Phil Lin, marketing director at network security firm FireEye Inc., as reported in the linked AP story above: if this catches on we'll soon see this used in social engineering attacks.

According to Brian Krebs in his Washington Post blog Security Fix, the alert is a

"so-called "service notice," a semi-transparent banner that overlays a portion of whatever page is being displayed in the customer's Web browser. Customers can then either move or close the alert, or click "Go to Anti-Virus Center," for recommended next-steps, which may include downloading and running the McAfee anti-virus tools the company offers for free, or purchasing a cleanup package and allowing a Comcast technician to attempt to remotely diagnose and fix the problem."

I'd love to see an escalation so that ignored notices eventually put you in a walled garden until remediation occurs.

There is debate in the industry about the responsibility of the ISP. Techies want a pipe. They don't use the ISP's email server, webhosting, or news server. They don't want blocked ports or managed traffic. There is another side that demands a clean pipe. I've seen this more in the business area, where a business ISP partners with a Security as a Service vendor to clean up or monitor the Internet traffic. John Pescatore takes this position in his post, saying warning about a problem isn't as good as preventing the problem from reaching the user in the first place.

I think it's good to see an ISP want to be a good citizen. ISPs want to be more than just dumb pipes. Trying to clean up the neighborhood is a good start. This is a logical next step from blocking ports such as outbound SMTP other than through the ISP's mail server.

Now that is strong

| No Comments | No TrackBacks

I'm trying to install an enterprise password management product. The software installs onto a Windows 2003 server. The prerequisites caution:

"Make sure that the Administrator password for this server is appropriately strong. For example, it should contain a minimum of 6 alphanumeric characters."

6 characters strong. Wow this must be really important.

Web Security - The Problem

| No Comments | No TrackBacks

Web security has changed a lot in the past few years. It is no longer good enough to take a desktop antivirus scan engine and scan web content. URL filtering isn't enough. It is not enough to put HTTP security on your corporate gateway.

The reason it's not good enough to have an HTTP security gateway should be rather obvious. People go home. People travel. People work at client sites. People work at the Starbucks. An increasingly mobile workforce necessitates a mobile security solution.

URL filtering isn't enough. URL filtering is reactionary and there are many new sites each day. When a legitimate site is compromised, URL filtering can categorize it as a malware serving site and block it. But how quickly will the site be rechecked after the virus is cleaned? Viruses are showing up on otherwise legitimate sites. Sites can be compromised through lack of patching, through SQL injection. In several cases advertising networks have inadvertently included malicious content. Some sites are potentially insecure by design. Web 2.0 sites accept user provided content with few controls in place. While some URL filtering solutions are better than others, it is an incomplete solution at best.

Some web security solutions are merely URL filtering combined with a desktop antivirus engine. I don't think I need to rehash the failure of the antivirus engine. But there is better technology. The best web security solutions include zero day protection as more than a marketing term. A web malware scanner is looking at the context of the file. The site it's on. The number of requests for the file. The history. It's then running it through heuristics in a way much more accurate than any desktop heuristic.

The web is a ready avenue of attack. Strengthened defenses against email and network attacks have left HTTP the prime target for attackers.

It's a good time to be looking at alternative solutions. I think that SaaS web security has hit the sweet spot in what Gartner would call the hype cycle. It's at that point where you're still on the leading edge but not on the bleeding edge. I'll be trying to get a "why SaaS" post out.

The SANS Top Cyber Security Risks report shows application patching is much slower than operating system patching.

Why does this occur?

Is patching applications more difficult? In some cases patching Java may cause issues with internal applications. But I haven't seen a case yet where a Flash or Adobe Reader update has caused an issue. (I'm talking security bulletins, not major releases.)

Is the problem cultural? It took people a while to get in the habit of rolling out operating system patching. Perhaps they just haven't crossed the application hurdle yet.

Is it the tools? SMS/Config Manager doesn't seem to make deployment easy. Perhaps I'm doing it wrong, but with third party applications I have to use a script I downloaded from myitforum.com in order to customize the user install experience (ability to postpone). Having to update that for each application I'm pushing is a pain. My impression is that ConfigMgr's competitors are much better at doing this. ConfigMgr is also quite difficult to use under our security policy if you want to patch remote users who don't use the VPN.

I suspect a lot of mid-size and smaller businesses have just set up a WSUS server. WSUS lacks the capability of deploying application updates. (although googling shows an interesting add-on from a third party to add this functionality).

Applying third party application updates is time intensive. I deploy them one at a time. With Microsoft patches they are all deployed at once. Upgrade fatigue sets in much more quickly due to the greater frequency of these individually deployed third party plugins.

Improving application patching requires more than telling the administrator to work harder. The tools need to be improved so we can do our job. Microsoft needs to step it up with ConfigMgr. It needs to be easier to patch non-Microsoft products or customers will start checking out competitors.

Link: Star Trek and Infosec

| No Comments | No TrackBacks

There is a certain overlap between sci fi fans and infosec.

I saw RSnake tweet this link: What Star Trek Predicts About the Future of Information Security.

I agree with one of the commenters, if it hasn't already been done (and they can fair use the video rights) there is a conference presentation waiting to be made there. At the very least update the post with some illustrative Youtube clips.

That was so awesome I hurt myself laughing (I should probably have that checked out).

Firefox to Suggest Flash Updates


Firefox recently announced that a soon to be released version will check for Flash updates in addition to updating Firefox. That should be helpful for end users.

As with any news people of course have their own axe to grind and put their own spin on things. Wolfgang Kandek writes about this development in a Qualys blog adding "Now we just need to convince Hillary Clinton to let the Department of State use Firefox."

I don't see how this change would cause an enterprise to switch browsers. In an enterprise this Firefox Flash update reminder should be pretty much worthless. If an enterprise has deployed Firefox then it has probably deployed Flash for Firefox. If it's deployed Flash for Firefox, then the company should be deploying updates for it. Enterprises have patch cycles and testing. They often disable built-in update mechanisms and deploy updates through SMS/Patchlink/Bigfix/etc. Is it possible for enterprises to disable this functionality, perhaps through FirefoxADM?

Far from being the crowning achievement in Firefox security, I think this Flash update checker could potentially be a problem. I notice the screenshot taken by Wolfgang does not show an SSL site in use when the user is prompted to upgrade. It seems to me that this Flash update mechanism is prime for phishing. Spyware for Firefox has already masqueraded recently as a Flash update. I think this update mechanism's delivery method, as shown in Wolfgang's screenshot, primes phishing victims.

Wordpress Admins Get patching


Patching WordPress becomes even more urgent reports CNET. A worm is now in circulation exploiting unpatched Wordpress installs.

Google Trends


Today's Hot Trends based on top Google Results.

1. gmail down

2. gmail outage

3. gmail not working

4. people of walmart

5. gmail problems

6. gmail down september 1 2009

7. what s wrong with gmail

8. leah lust video

9. tropical storm erika

10. gmail server error

Not a strong day for Google

GIAC: Going for the Gold


"Step back, I'm certified." I just passed the test for the GIAC Certified Forensic Analyst (GCFA). So I'm certified at the Silver level. I was happy to pass and happy to get the score I was shooting for.

The GIAC certifications now have a Silver and Gold level. Back when I first received my GCWN there was only the Gold level. The Silver level certification is what you receive when you pass the test. The Gold level is attained by additionally writing a practical (technical paper).

When this requirement was changed, Richard Bejtlich of TaoSecurity blogged "Of course students will perform this assignment. Who would want to drop $3000-$4000+ and end up with a "Silver Certification?".

I think time has proven that wrong. If I'd blogged about that back then, I would have disagreed with him, concluding most people would stop at Silver. Silver gets GCFA on the resume. My experience shows that Human Resources and Hiring Managers do not understand certifications. They often don't bother to verify that they were really earned. In addition to not verifying them, they don't know what they mean. I've seen resume after resume claim MCSE. MCSE in what? Windows NT 4.0? This says to me that HR and Hiring Managers won't know the difference between a GIAC Silver and a GIAC Gold unless I take the time to explain it to them. GIAC Gold won't help get me through the HR resume filter. Once I make it to the Hiring Manager and future co-workers, the emphasis should be on skills not credentials; can I actually do forensics?

It looks to me like the market agrees with me. Unless the SANS listing of certified professionals is horribly out of date, no one has obtained a Gold GCFA in about 9 months. People haven't gone Gold regularly since the requirement was dropped.

I'm a sucker for resume bling, so most likely I'll be dropping my $300 for the Gold attempt. Or maybe I should just spend that on a professional resume writer.

Loose Lips


I thought this was an interesting anecdote in todays Washington Times Inside the Beltway column.

An observer who works near the White House comments on Obama staffers. Unaware that people might be listening in, they discuss forthcoming White House policy.

Rather than discreetly hiding their White House badge as Bush staffers did, it remains on display as a trophy. (Reminds me of this scene from Jake 2.0: http://www.youtube.com/watch?v=t-vh9vNLMRY#t=3m50s )

High security environments often have a policy of not displaying badges outside of work. Certainly talking business while you wait for your barista is a security risk.

Adobe Acrobat and Reader updates came out on July 31st as you no doubt already know. I believe I tweeted that but didn't do a longer post.

I find myself wondering if Gartner or Forrester have done a survey of Foxit Reader adoption. Is that all security noise, or is a significant number of companies making the switch? I find myself wondering what obscure processes would break if I moved the enterprise to Foxit Reader for security purposes.

Adobe has implemented security initiatives similar to Microsoft's Security Development Lifecycle. However, I kind of expect not to see the benefit of that for quite a while. It's like when people expected XP SP2 to be the fully formed implementation of Microsoft's security initiative. Some things you have to develop more from the ground up; a service pack doesn't do it. So when does Adobe Reader 10 come out?

Adobe continued their habit of issuing incremental updates. It's nice to have smaller updates. As I recall 9.1.3 was about 1.5 MB and a full install of Reader might be 85 MB. Incrementals, however, create update issues. As Secunia writes, if you go to Adobe and install Reader, you get 9.1. After installation you can open Adobe Reader and you should be prompted to upgrade. In my experience with Acrobat, you might be prompted to reboot after each incremental update. Oh joy. Has anyone tried to slipstream the updates into 9.1?

The other fun part occurs with corrupt installations. I have some Reader 9 installs where Adobe Reader isn't listed in Add/Remove Programs, so the update isn't pushed by ConfigMgr. Then if I manually create the reg key, the update will not apply; it says it isn't needed. The only solution is to install 9.1 full and then you can patch. I suppose the good news is if the Reader 9 install is that munged maybe the user won't be able to open the program.
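As an added illustration (not Adobe's or ConfigMgr's code), here is the update-chain logic in Python: it takes whatever version the detection rule reports and returns the releases to apply, in order. The release list is constructed for the example (a 9.1 full installer followed by three incrementals, as described above), and `None` stands for the corrupt install that detection can't see, which has to start over from the full installer.

```python
"""Plan the incremental-update chain from what the deployment tool detects.
Added example, not Adobe's or ConfigMgr's logic; the release list is constructed
(a 9.1 full installer plus three incrementals)."""


def parse_version(s):
    return tuple(int(p) for p in s.split("."))


# Constructed release list in chain order. A full installer can be applied to any
# machine; an incremental only applies on top of the immediately preceding release.
RELEASES = [
    ("9.1.0", "full"),
    ("9.1.1", "incremental"),
    ("9.1.2", "incremental"),
    ("9.1.3", "incremental"),
]


def plan_updates(detected_version, releases=RELEASES):
    """Return the ordered list of releases to apply to reach the newest one.

    detected_version is what the detection rule reports (the Add/Remove Programs
    entry), or None when the product is not found. A corrupted install with a
    missing uninstall key, or a version outside the chain, therefore gets the
    full installer first, then every incremental after it.
    """
    chain = sorted(releases, key=lambda r: parse_version(r[0]))
    versions = [v for v, _ in chain]
    if detected_version in versions:
        start = versions.index(detected_version) + 1
    else:
        # Unknown or missing: restart from the newest full installer
        start = max(i for i, (_, kind) in enumerate(chain) if kind == "full")
    return [v for v, _ in chain[start:]]


def reboots_expected(plan, releases=RELEASES):
    """One reboot prompt per incremental, as observed with Acrobat; count them."""
    kinds = dict(releases)
    return sum(1 for v in plan if kinds[v] == "incremental")


if __name__ == "__main__":
    for detected in ("9.1.1", "9.1.3", "9.0.0", None):
        plan = plan_updates(detected)
        print(detected, "->", plan, "reboots:", reboots_expected(plan))
```

The point of the `None` branch is that a hand-created registry key does not fix this: the planner only trusts a version it can place in the chain, so anything it cannot place goes back to the full install.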

So Adobe patching seems like a full time job lately, no?

Do you guys have a lot of Acrobat Standard and Professional installed in the enterprise? Does I.T. patch it, or is the onus on the user since it's not deployed on every system the way Reader is?

Flash Zero Day


I wrote about a Flash zero day yesterday.

It's important to note that while it may be possible to disable Flash (and other multimedia) content inside Adobe Reader PDFs (in fact that may be the default setting, it's not clear to me) (this setting has no effect), the attack has been seen as straight Flash on websites. You'd only be mitigating against one attack vector.

Symantec's writeup is here

Adobe has updated their security advisory.

One mitigation listed is to "Delete, rename, or remove access to the authplay.dll." At the time of this blog entry, Adobe did not say what side effects this would have.

Updates for Adobe Flash are expected by July 30th for Windows, Mac and Linux. Updates for Solaris are pending. Updates for Adobe Reader and Adobe Acrobat are expected by July 31.

I just started the process for updating Adobe Shockwave. Looks like Adobe is keeping me busy.

Keep an eye on that Adobe Security Advisory link as well as http://blogs.adobe.com/psirt/

Erin Andrews Malware


Erin Andrews apparently is a sideline reporter for ESPN. I hadn't heard of her before tonight. The story is some tool used a peephole reverse viewer (allows a person outside a door to use the peephole to look in) and a camera to record her in a hotel room without her knowledge. This is obviously both illegal and not cool. The video was posted to YouTube before lawyer letters were sent demanding the takedown.

The news of this has ignited a mad search of the internet for copies of the video that may have been downloaded and reposted in other places before Google was able to comply with the removal request.

As with most big-name events, malware is involved. Searching for Erin Andrews keyhole will likely lead you to attempts to install malware. Just a reminder, it's not cool to make or watch upskirt videos. This is on that level. Another reminder: when you go to watch a video, be very suspicious if you are prompted to install software. Get your media players and codecs from known sources!

The Gorilla CISO has a blog post about vulnerability management that is worth reading. It sounds really familiar, though I'm dealing with it on a much much smaller scale.

" The way we manage patch and vulnerability information is something out of the mid-80's."

Tell me about it. Today I read RSS feeds (US-CERT, SANS ISC, vendors, white hats, bloggers etc.) and emails from vulnerability alert services (DeepSight, Microsoft Technical Account Manager, random people who read about a patch/virus in the Wall Street Journal). That gets entered into a spreadsheet with the CVE, Bugtraq, and vendor reference ID. Once Qualys releases a detection, the Qualys ID gets added as well along with the detection count.

This is a tediously manual process that no one seems to actually give a damn about. The auditors didn't like the way we were (are?) managing vulnerabilities (it may still be a POAM item). And the reports seemed to mean nothing to management. It worked better when I didn't bother creating the spreadsheet, and just told them what patches we deployed this month, and the detection count for a few key vulnerabilities that I felt required management attention, (Adobe Reader, MS08-067, etc).

At the Gartner Information Security Summit in National Harbor, MD (near DC) I attended a track titled "Qualys, Inc.: Using SaaS to Build Full Life Cycle Program for Security and Compliance." I was hoping this might have a suggestion for how to do this. Unfortunately it seemed like the solution was creating a home grown database and correlating the results of multiple scanners. I'm sure that works great, but without instructions on building such a database, its a lot of work to build from scratch.

iDefense is now integrating your Qualys vulnerability scan results into their vulnerability intelligence. If you could afford such a thing (apparently we can't), you'd still have a problem. Vulnerability scans run at set times and systems may not be online when the scan is run. While it's great for scanning servers, Qualys alone does not give an accurate reflection of all vulnerabilities for your end user equipment. While talking with Forescout, I found that they had a plugin for Retina. Forescout is a NAC product. When a computer comes online, the plugin checks with Retina to find out when the device was last scanned. If it's longer than your configurable setting (hasn't been scanned in X days), then it fires up Retina to initiate a scan. Qualys provides the appropriate APIs to do this as well, so I asked Forescout to look into improving their Qualys plugin.

The combination of iDefense, Qualys and Forescout (if Forescout updates the plugin) would be quite formidable in vulnerability lifecycle management. What's left is desired configuration monitoring: are my systems continuing to conform to my security policy? I am not currently scanning for that regularly. Once I get a tool for that, then it's one more thing to integrate.

There is no simple solution. I may have to polish up the SQL skills and take a run at building something myself.
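Since the post is really describing a correlation database, here is an added example (my own sketch in Python, not the blog's spreadsheet or any Qualys, iDefense or Forescout code) of the core of one: advisories keyed by CVE, scanner IDs attached once a detection exists, per-scan detection counts, a list of tracked CVEs that no scanner can see yet, and the "hasn't been scanned in X days" rule a NAC hook would use. The hosts, scan dates, the second CVE and all scanner IDs are constructed placeholders; only MS08-067 / CVE-2008-4250 is a real identifier.

```python
"""Correlating advisory feeds with scanner detections: a small in-memory version
of the home-grown database described above. Added example, not the blog's or any
vendor's tooling; hosts, scan dates and scanner IDs below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Vuln:
    """One tracked vulnerability, keyed by CVE like the spreadsheet row."""
    cve: str
    source: str                 # first place we heard of it (feed, TAM mail, ...)
    vendor_ref: str = ""        # vendor bulletin ID, e.g. MS08-067
    scanner_ids: set = field(default_factory=set)     # scanner IDs, once a detection exists
    detected_hosts: set = field(default_factory=set)


class VulnTracker:
    def __init__(self):
        self.vulns = {}        # cve -> Vuln
        self.last_scan = {}    # host -> date of its last scan

    def add_advisory(self, cve, source, vendor_ref=""):
        v = self.vulns.setdefault(cve, Vuln(cve, source))
        v.vendor_ref = vendor_ref or v.vendor_ref
        return v

    def add_scanner_mapping(self, scanner_id, cves):
        """Scanner vendor releases a detection: attach its ID to the CVEs we track."""
        for cve in cves:
            if cve in self.vulns:
                self.vulns[cve].scanner_ids.add(scanner_id)

    def ingest_scan(self, host, scan_date, findings):
        """Record one scan; findings is the set of scanner IDs hit on the host.
        A clean rescan clears earlier detections, so counts reflect the latest scan."""
        self.last_scan[host] = scan_date
        findings = set(findings)
        for v in self.vulns.values():
            if v.scanner_ids & findings:
                v.detected_hosts.add(host)
            else:
                v.detected_hosts.discard(host)

    def detection_count(self, cve):
        return len(self.vulns[cve].detected_hosts)

    def without_detection(self):
        """Tracked CVEs with no scanner signature yet: invisible to scan-based
        reporting no matter how often you scan."""
        return sorted(c for c, v in self.vulns.items() if not v.scanner_ids)

    def stale_hosts(self, today, max_age_days):
        """Hosts not scanned within max_age_days: the 'rescan on connect' rule."""
        cutoff = today - timedelta(days=max_age_days)
        return sorted(h for h, d in self.last_scan.items() if d < cutoff)


def build_sample():
    """Populate a tracker with constructed data (CVE-2008-4250 is real; the second
    CVE and the scanner IDs are placeholders, not real identifiers)."""
    t = VulnTracker()
    t.add_advisory("CVE-2008-4250", "Microsoft bulletin", vendor_ref="MS08-067")
    t.add_advisory("CVE-0000-0001", "vendor RSS feed")      # placeholder, no detection yet
    t.add_scanner_mapping("SCANID-PLACEHOLDER-1", ["CVE-2008-4250"])
    t.ingest_scan("desktop-01", date(2009, 6, 28), {"SCANID-PLACEHOLDER-1"})
    t.ingest_scan("laptop-02", date(2009, 6, 10), {"SCANID-PLACEHOLDER-1"})
    t.ingest_scan("server-03", date(2009, 6, 30), set())    # patched: nothing found
    return t


def sample_report(today=date(2009, 7, 1), max_age_days=7):
    """The three numbers management and the NAC hook would actually ask for."""
    t = build_sample()
    return {
        "ms08_067_hosts": t.detection_count("CVE-2008-4250"),
        "no_detection": t.without_detection(),
        "stale": t.stale_hosts(today, max_age_days),
    }


if __name__ == "__main__":
    print(sample_report())
```

The `without_detection` list is the part a scanner-only view never shows you: a CVE you know about from a feed but cannot measure yet still belongs in the report, flagged as unmeasured rather than silently counted as zero.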

#sansforensicssummit Day1


I'm taking SEC508 at #sansforensicssummit in Washington DC through next Tuesday.

Day one covered basics of the file system. I had some serious flashbacks to dealing with hexadecimal in the JMU Masters level Infosec program. In that program we had plenty of classes using Internetworking with TCP/IP Vol. 1 by Comer. Actually one of my worst courses was Forensics, taught by Florian Buchholz. It was in the last semester, and we were checking out mentally (ready to graduate).

It's fun to take a week-long conference on the subject. Hopefully it will stick better than the college course. I do fear that since I won't be doing forensics every day, I'll lose a lot of this knowledge quickly.

A couple of interesting tidbits from today.
1. A single pass is good enough when disk wiping. That would save a lot of time for us if true. The instructor says the idea of wiping 7 times comes from a Gutmann paper in the late 90s. It theorized an electron microscope could be used to recover data if wiped fewer times. This is purely theoretical. It has never been done. Forensics people will call it a day if it's been wiped once.

Of course what is technically correct isn't always what auditors or policy requires. Trying to change that is difficult. The instructor says NIST recommends one pass. I've read the document he mentions. Apparently I need to re-read it because I don't recall one pass. I recall a preference for the UCSD Secure Erase, which uses ATA commands to wipe. I recall degaussing or destroying also being preferred. I think for overwrite utilities they were still recommending 6+, but I will have to verify.

2. The second interesting thought had to do with "limited personal use" allowances in corporate policies. Companies don't want to have policies they wont enforce, so they allow limited personal use. I thought the big danger in that was not defining exactly what that meant. According to the instructor, limited personal use is a forensic nightmare and a potential legal liability. The claim is that the limited personal use gives the user an expectation of privacy for that personal use. Since it is company policy it trumps the logon banner that says "no expectation of privacy". Interesting thought, and one I'm going to have to run by legal. They took a year when I asked them to approve the login banner, so I expect to hear back from them around 2015.

This is another post based on notes from the Gartner Information Security Summit. Neil MacDonald gave a talk titled Five Alternatives to Desktop Lockdown: Balancing Control and Creativity.

Desktop Lockdown has failed.

But so has complete freedom.

So what do you do?

From an operational perspective, desktop lockdown was performed to reduce the number of disk images the helpdesk had to maintain. It reduced application conflicts and visits by the helpdesk. From a security perspective, lockdown was performed to prevent malware and prevent users from disabling security applications.

Lockdown has failed for a number of reasons. In XP, the locked down experience is lacking. You can't change the time zone or install a printer driver. It's not workable for the traveling user.

Locking down computers failed because new technologies bypass local controls. For example, it doesn't prevent the user from using Google Apps and other forms of cloud computing in an insecure manner. Being a standard user doesn't even prevent all software installs. Google Chrome installs as a standard user. Microsoft was pressured to make Silverlight install without administrative rights. As long as the software only writes to your user profile and your portion of the registry, it can install as a standard user. Malware writers will not be deterred by lack of admin rights.

It's almost a cliché at this point, but the consumerization of IT has led to a new workforce: Generation Y digital natives. They may not be better at not falling for fake AntivirusXP, but they expect full access all the time.

Does IT really know what people need to do their jobs? Locking down was supposed to be a means to an end, not an end itself. Protecting the data is the primary goal.

Saying that lockdown has failed, does not mean that complete freedom has succeeded.
The cost of managing end user computers is far greater for unmanaged computers. The risk of virus infection is much greater with administrative rights.

So what do you do? The talk reviewed multiple alternatives.

Alternative 1: De-Privilege Admins - UAC
UAC prompts to elevate rights when admin rights are needed.

As you already know, that can be annoying if you have a lot of applications that are poorly written and need admin rights. Also depending on the user this can barely be a speedbump in stopping malware.

Alternative 2: Whitelist
While basic whitelisting is currently available in Windows XP and later, as well as in most Endpoint Protection (AV) applications, newer offerings from companies like Bit9 make it easier to whitelist. They maintain the lists so you don't have to manually update each time a new version is released. They also can use reputation services that make a judgment about any new/unknown files.

One user, when told we were considering this technology, stated that as an engineer he installs all sorts of software and really important work would stop if he couldn't install every random file he found on the Internet.

Host-based Intrusion Prevention Systems (HIPS) also fall into this category. They are much more complex, and can cause instability issues depending on how they are integrated.
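To make the whitelist discussion concrete, here is an added example in Python (my own sketch, not Bit9's product or Windows Software Restriction Policies) of the decision order such a product applies: a revoked/known-bad verdict first, then the admin's approved hashes, then a trusted-publisher rule, then a reputation lookup, and default deny for anything left. The "binaries" are constructed byte strings, the publisher name is assumed to come from a code signature the caller has already verified, and the reputation table stands in for a vendor service.

```python
"""Application allowlist decision logic. Added example, not Bit9's or Microsoft's
implementation. Binaries are constructed byte strings; `publisher` is assumed to be
the subject of an already-verified code signature; REPUTATION stands in for a
vendor reputation service."""
import hashlib


def file_hash(data):
    return hashlib.sha256(data).hexdigest()


# Constructed approved set: each file hashed once when the admin approved it.
APPROVED = {
    file_hash(b"constructed-reader-9.1.2"): "AcroRd32.exe 9.1.2",
}

# Publisher rule keeps the list usable across releases: a new build from a trusted
# publisher is allowed even though its hash is not in APPROVED yet.
TRUSTED_PUBLISHERS = {"Example Publisher Inc"}

# Constructed reputation data: hash -> "good" | "bad" (absent means unknown).
REPUTATION = {
    file_hash(b"constructed-known-bad-dropper"): "bad",
    file_hash(b"constructed-popular-tool"): "good",
}


def decide(data, publisher=None, reputation=REPUTATION):
    """Return (verdict, reason) for one execution attempt.

    Order matters: a known-bad verdict beats every allow rule (so a compromised
    signing key or a poisoned approved file can still be revoked), explicit admin
    approval beats the publisher rule, and only unknown files fall to reputation.
    """
    h = file_hash(data)
    rep = reputation.get(h)
    if rep == "bad":
        return "block", "known bad (reputation)"
    if h in APPROVED:
        return "allow", "approved hash: " + APPROVED[h]
    if publisher in TRUSTED_PUBLISHERS:
        return "allow", "trusted publisher: " + publisher
    if rep == "good":
        return "allow", "reputation good"
    return "block", "unknown file, default deny"


if __name__ == "__main__":
    samples = [
        (b"constructed-reader-9.1.2", None),                      # on the hash list
        (b"constructed-reader-9.1.3", None),                      # new release, no hash yet
        (b"constructed-reader-9.1.3", "Example Publisher Inc"),   # same file, signed
        (b"constructed-known-bad-dropper", "Example Publisher Inc"),
        (b"constructed-random-download", None),
    ]
    for data, pub in samples:
        print(data.decode(), pub, "->", decide(data, pub))
```

The second and third samples are the point of the "they maintain the lists" remark: a pure hash list blocks the next release of an approved product until someone re-approves it, while the publisher rule lets it through, which is why revocation has to sit above the publisher rule rather than below it.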

Alternative 3: Remote Presentation
In this scenario users log into a remote server such as a VMware virtual desktop or a terminal server. Of the local computer and the remote session, one is managed and one is unmanaged.

This scenario requires solid network connectivity. It also isn't clear how the network is protected from the unmanaged computer.

Alternative 4: Multiple Virtual Machines running locally
Unlike the previous example, the user isn't dependent on a remote session. The virtual machines are on the local computer.

The major drawbacks to this approach are licensing cost, patching, and extra hardware cost.

In the future the hypervisor may make it to the desktop for better performance, but we are not there yet.

Alternative 5: Workspace Virtualization
In this alternative the risky applications are put into their own sandbox.
Ringcube, Creedo, and InstallFree are three vendors in this space.

Alternative 6: Hybrid
A few from column a and a few from column b.

Alternative 7: Employee Owned PCs
I've read the articles on companies that are providing dollars for people to buy and support their own computer. I also read about a smaller company where the owner considered the computer like a toolbox. The craftsman provides his own tools. Not a great analogy, because a craftsman's power saw isn't going to get infected and DDoS the network. (Although cheap worker-provided power tools could break spectacularly in a particularly liability-prone fashion.)

The analogy provided during the presentation was a road. A trucker provides the truck. He can buy the truck he wants, but it must meet certain requirements. Then while used on the road he must obey traffic laws. Officer Friendly is waiting to write a speeding ticket.

Those are seven alternatives to desktop lockdown. I think that application whitelisting will become the most mainstream the fastest. Although virtualization is moving fast. XP mode within Windows 7 is virtualization. I believe Macs have a virtual MS Windows. The question I would have is what gets virtualized. Every Internet facing application?

For the longest time, vendors made me feel like I was at the only company in America to allow Administrator rights to users. (Neil MacDonald, if you head this way I'd love to know what percentage of companies in general, and Federal Contractors in particular, lock down the computers by restricting admin rights as required by the FDCC.) It is very interesting to hear about some other solutions. Obviously antivirus is not working, but we still need to provide protections.

These are notes from the last session at the 2009 Gartner Security Summit; a tongue in cheek look at the worst best practices in IT.

We're all familiar with the upcoming change to IP version 6. The main impetus for performing this migration is the IP space crisis.

The reality is few enterprises have a lot of public IPs. The migration to IPv6 is costly and fraught with questions.

This item I almost question including, because I think it's more widely believed that IPv6 is not worth the trouble than that it will be a cure-all.

By 2014, 20% of remote and mobile employees will connect via an IPv6-enabled ISP. That necessitates our action.

These are notes from the last session at the 2009 Gartner Security Summit; a tongue in cheek look at the worst best practices in IT.

The real problem here isn't with all two factor authentication, rather it is with bad implementations. Inconsistent definitions of two factor authentication allow implementers to do whatever they want. Not every method is equally strong and it may be possible to pick two factors that are not as secure as another single factor authentication. The level of assurance and accountability in each factor of authentication should be considered.

In reality even a password by itself can be two factor. It's something you have (company laptop) or some place you are (work) in addition to something you know.

We've all logged into our bank where we've been asked something we know (our password) and something we know (personal info). When used like this, two factor authentication is security theater.

Use more than just a password when performing two factor authentication. Or the reverse, you must have a PIN when using a token for authentication. Otherwise authentication would be provided by the mere possession of the device.
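To show what "token plus PIN" actually buys you, here is an added example in Python (my own code, not material from the talk): an HOTP token (RFC 4226) whose code proves possession, a salted PIN hash that proves knowledge, and an `authenticate` function that refuses unless both pass. The token secret is the RFC 4226 test-vector secret, so the codes can be checked against the published vectors; the PIN and its salt are constructed values.

```python
"""Token plus PIN: verifying two factors of different kinds (something you have,
something you know). Added example built on HOTP (RFC 4226), not from the talk.
TOKEN_SECRET is the RFC 4226 test secret; the PIN and salt are constructed."""
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret; a real deployment provisions a random per-token seed.
TOKEN_SECRET = b"12345678901234567890"
TIME_STEP = 30

# Constructed PIN "4711", stored only as a salted hash, never in the clear.
_PIN_SALT = b"constructed-salt"
PIN_HASH = hashlib.sha256(_PIN_SALT + b"4711").hexdigest()


def hotp(secret, counter, digits=6):
    """HOTP value for one counter: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, now, digits=6):
    """TOTP is HOTP with the counter derived from the clock (RFC 6238)."""
    return hotp(secret, int(now) // TIME_STEP, digits)


def verify_pin(pin):
    """Knowledge factor: constant-time compare against the stored salted hash."""
    candidate = hashlib.sha256(_PIN_SALT + pin.encode()).hexdigest()
    return hmac.compare_digest(candidate, PIN_HASH)


def verify_token(code, now, window=1):
    """Possession factor: accept the current step plus/minus `window` steps to
    tolerate clock drift between token and server."""
    step = int(now) // TIME_STEP
    return any(hmac.compare_digest(hotp(TOKEN_SECRET, step + d), code)
               for d in range(-window, window + 1) if step + d >= 0)


def authenticate(pin, code, now):
    """Both factors are always evaluated and both must pass. The token alone
    (possession) or the PIN alone (knowledge) is a single factor."""
    pin_ok = verify_pin(pin)
    token_ok = verify_token(code, now)
    return pin_ok and token_ok


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TOKEN_SECRET, 0))       # RFC 4226 vector: 755224
    print("token only   :", authenticate("0000", totp(TOKEN_SECRET, 100), 100))
    print("PIN + token  :", authenticate("4711", totp(TOKEN_SECRET, 100), 100))
```

Two things a production version adds that this sketch leaves out: it records the last accepted counter so a sniffed code cannot be replayed inside the drift window, and it rate-limits failures so the 6-digit code cannot simply be guessed. Neither changes the point of the example, which is that possession of the device is not accepted on its own.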

The Gartner Information Security conference is over so I have a chance now to catch up on some blogging. I'm planning to spread my posts out over a few days.

The last session was a tongue in cheek (or sometimes just truthful) look at the worst "best practices". People have dumb ideas accepted as gospel. Times change and what was once an OK idea now just needs to go away. In addition to ideas, there are also technologies that aren't as useful as they are billed.

First on the list of questionable security best practices is Default to Deny. Default deny is ingrained in security culture. The discussion leader said that is the problem. What was meant as a technical rule became a cultural mantra. It was a repeated refrain during the conference, "Infosec is known as Dr No". We need to be aligned with the business first and foremost.

A "default deny" Infosec is one that is innovation phobic. When Infosec says "no", the business will circumvent it, and now you're in a doubly worse situation: the activity is taking place, and it's completely unmanaged. As an aside, my goal is to allow users to do it, but make it secure. In the case of IM, you get IM security and block IM that circumvents it. You provide a VPN and block GoToMyPC.

The presenter argued that default enable supports innovation. You block known bad; you monitor the rest. And here's the worst part of the argument in my opinion: you use a honeypot to look at what the bad guy is trying to do to your open port and you learn. (This is a horrible argument because you are potentially destroying your company's security for your personal edification. Also, honeypots can exist in other network locations. Default allow on the firewall is not necessary for that.)

Ultimately, this presenter's goal wasn't Jericho. The goal of removing default deny is expunging Dr No rather than removing the last rule on everyone's firewall.

The discussion was interesting as well:
1. If you think you're doing "default deny" you are wrong. The universal firewall traversal exploit (80/TCP) and the secure universal firewall traversal exploit (443/TCP) let through plenty. Beyond that users seem to work to circumvent default deny through other methods accidental and intentional.
2. This talk of needing to align ourselves with the business is wrong. We're a part of the business.
3. If we don't assume badness and default deny, then we will be drilled by innovating bad guys who are always a step ahead.
4. Control is an illusion of your personal experience
5. How many companies have failed due to an Infosec breach? (I think this was an argument for default allow.)
6. Sometimes you have to let them fail. I hear infosec people say this but what about due care? You can't just wash your hands and wait for them to shipwreck. Make sure you have a get out of jail free card.

My thoughts:
I hate the concept that if I can't prove something is insecure then it must be secure. You run into that all the time with patching or with any new service. To these people it is not enough to have a concept of how a service would be exploited; you have to demonstrate the exploit. It will be a challenge going into the future as services become more dynamic, technology more consumer oriented and access to data needed anywhere.

The second talk I attended on Sunday at the Gartner Information Security Summit was Debra Wheatman on How to Sell Yourself to Management. Debra is the Chief Career Strategist with ResumesDoneWrite.

At work one of our stated goals is "to grow and live the $company brand." In this talk Debra reminds us "You're always selling something." I should be worrying about my brand. Do I have PR agents who are repeating the news of my success? Am I consistently putting forward a good image?

The concept of a career map was new to me. Basically its determining where I am and establishing short term goals. Since finishing a Masters in Computer Science in 2006, I've been coasting a bit. My progress at work seems to have been side-tracked. Creating a career map sounds like the sort of thing that would help me think some things through. I am going to Google to get more on that.

You may find upon creating a career map that your dream job or desired role doesn't exist in your organization. When this happens there are two possibilities: build a case for creating the post, or get out. Changing the status quo is not easy.

The bulk of the time was spent on discussing the resume, the cover letter, and interviews. In spite of all I've read on resumes I got some new ideas. I have enough trouble writing a few sentences for the 'about me' on this blog or on linkedin.

Probably the thing I'll remember most from this talk was the suggestion that it's ok to ask what their budget is. It's funny, they would essentially ask you the same question, yet it will be awkward when the applicant asks.

Eric Ouellet on DLP


A new Gartner Magic Quadrant covering Data Loss Prevention was released this week. Eric Ouellet spoke on this at Pre-Conference for Gartner's Security Summit.

In spite of several years of DLP hype, Ouellet indicated that it is not yet at the sweet spot in the security product hype cycle. People who implement DLP often don't have fully formed goals, they leave the product in monitor only mode and they are disappointed with the results.

It is important first to define terms. Gartner has begun calling it Content Aware DLP. This is a DLP that is content or context aware. Many vendors say they have Data Loss Prevention. To a specific definition this is true; anything that prevents data from leaking is DLP. Under this definition vendors have claimed that USB port controls, Enterprise Digital Rights Management, hard disk encryption, and file tagging are DLP. None of those products are aware of the content of the data. To differentiate those products from the traditional DLP product space, Gartner uses the term Content Aware DLP.

Two trends have occurred since I've looked at DLP last. Antivirus vendors have taken the lead (through purchase) and added client DLP agents to their suite. Also it is no longer Network based agents versus the desktop agent. It is necessary to have both unless you are only after a specific monitoring purpose.

With DLP I have always struggled with the use case. It's pretty easy to install and report on credit card or social security numbers. But how does the DLP find what is important to my company? I don't even know what should be protected. The limited FIPS data classification that we've done doesn't help either. I did learn that 90 percent of deployments are for compliance purposes (PCI, HIPAA) rather than for the protection of Intellectual Property.

The message I heard was 'if you don't know you need DLP, then you don't need it.' Too often people think they need it because it's been written about in the tech press. If you are going to move forward, good general advice is don't let the vendor's website write your RFP. Don't write in requirements you won't use. Certainly don't use requirements you won't use as a differentiator between vendors. Be aware of the false sense of security that DLP can provide.

Ouellet closed advising that DLP is like a magnifying glass and the corporation is Pandora's box. You're going to find out things you didn't want to know. Rather than being the impetus for budget justification, in some companies it has called the use of the existing budget into question.

I'm at the Gartner Information Security Summit in National Harbor for the first part of this week. The next few blog entries will be notes from the talks I attended.

I'm a bit surprised to be paying $18 a day to park outside the beltway. (National Harbor's website claims $11; I guess the hotel garage is more.) It will be reimbursed, but still it's annoying.

I wonder if there is a lot of crossover between people at this conference and people at Shmoocon? It gave me a chuckle anyway. Probably shouldn't break out the "I hack charities" t-shirt for this Gartner conference.

As I feared, the usual lack of power options was in full effect. In one room, I was able to sit right by outlets; in another only folding walls were nearby. I didn't see any power. Looks like my decision to not bring a laptop today was a good one. I'd love to use the tablet for handwritten notes, but at this point the battery life is barely an hour. My mini has some great battery life, but I'm not sure the small keyboard would allow me to take notes very fast. No big deal, it's better to not have to protect a laptop.

BridgeChecker


I've blogged several times about the desire to disable the wireless card when the wired card is connected.

A comment on one of my older entries points out that there is free software to do this now.

http://www.wlanbook.com/disable-wireless-connected-lan-xp-vista/

http://www.wlanbook.com/bridgechecker/

I'm now using SEP11 for this but passing it on in case others are still looking for a solution.

My older articles:
New version of Autoswitch out
Disable Wireless when Wired Connected
SEP11 and Wireless Management
Disable Wireless on LAN Access

Trend Micro's blog entry about the Cligs blog url redirection takes a funny twist.

For those not reading all the other security blogs, Cligs is a URL shortening service like Tinyurl. They got hacked, so all of their URL redirections were sent to one specific, though fortunately not malicious, website.

Trend's blog entry was automatically posted to their Twitter account using Twitterfeed. Twitterfeed of course shortened the URL automatically using TinyURL. Could have been worse, they could have been shortening the URL with Cligs. LOL


This is interesting. After I wondered yesterday about the applicability of IM security products that ignore social networks, MessageLabs announced the launch of a new public IM security service. The solution does not address any of the problems I mentioned.

The press release mentions AOL's AIM, Yahoo! Mail and Microsoft MSN, but does not mention Google Talk. This service protects public IM protocols, whereas the existing Enterprise Instant Messaging product (from the purchase of Omnipod) is an enterprise product competing with OCS/LCS.

Instant Messaging Security

| 2 Comments | No TrackBacks

As I upgraded my Symantec IM Security server last week, I thought about the state of Instant Messaging security.

These thoughts are based on my experience with Symantec's products. I only briefly looked at the websites of Akonix and Facetime to see what they could do. I'm not up on their current releases.

When we implemented IMLogic, which was later purchased by Symantec, we were looking to protect ourselves from malware spread via IM. Users were getting infected by each new IM worm and it needed to stop. Typically one person would get a message and a link via IM. The user would click on the link, and install the malware. The user's IM contacts would receive a message with a link to the same virus. Even if all the other recipients recognize the message as malicious, many would then call the helpdesk, leading to more wasted time. That's a long way of saying that we implemented IMLogic to provide IM security protection. We aren't under any logging requirement. Logging is a big driver for implementing IM security solutions at Financial institutions.

There are limitations in using an IM security product. Each time a new version of the IM client is released there is a great likelihood that the public IM vendor will change their protocol in a way that prevents the new client from being used until the IM security vendor updates their own product. AIM 6.8 for example used a new SSL based login that provided a lot of trouble for all IM security vendors.

As time went by, people's habits changed. Do you still have three IM clients installed on your desktop? Probably not. Most people found them to be pretty bloated pieces of drek. When online web IM offerings became feature comparable, most real people switched to using that. Meebo works great from what I've been told. How did the IM security vendors deal with that? They put out a list of URLs to block so that users could not use web IM.

Now public IM systems are bundling their chat with their webmail. That made it difficult to block web IM. For a while, to block Google Talk, you had to block Google Mail. There are now ways to do that. You can also block Yahoo Messenger within Yahoo Mail. I haven't yet found a way to block Live Messenger within Hotmail.

Users are doing more chatting on Facebook, Myspace and Twitter. These are also outside the security environment provided by an IM security solution. Even if I could block just the chat component of Facebook, there would still be quasi real-time communication via the wall.

Symantec IM Manager is ignoring all of these problems. Facetime has a press release from more than a year ago that speaks of controlling 20,000 Facebook applications. That might be interesting to look at.

All the IM security problems seen today are HTTP links. If an adequate HTTP security solution was in place, would it even be necessary to run an IM security product anymore? IM Security is not a big software maintenance bill, but it is man hours to update and maintain. Perhaps it is no longer necessary. Then again, if a computer gets infected with a virus that can worm through LCS/OCS, I'd hate to be the one that said it's ok for the corporate IM server to go bareback.

It's nice that my cable and telephone company Cox is fixing a few of their security problems, but it would be nice if they'd let people know that the ability to be more secure is available. Back in July 2007 I wrote about Cox adding POP3 over SSL. In November 2008, I wrote about Cox enabling SMTP/SSL. So I kind of laughed when I saw a Cox customer "Dave" complaining in cox.internet.discussion.email that not only did Cox not make a general announcement regarding these new features, their instructions are inconsistent in offering the option. Vista instructions include the secure options; Mac instructions did not.

I guess Cox figures that the few customers who know what this feature does will keep up on Cox news by reading forums. I admit, I figured it was Dave's fault for not keeping up with the news. Then it happened to me.

In March 2008, I wrote about my displeasure that Cox was putting my PIN number on my bill. I wrote Cox, explaining that I felt this was poor security. This month while checking out my Cox account settings, I found there is now an option to suppress including the PIN on the bill! After making the change, my bill now shows xxxx instead of the actual PIN. So now I'm echoing Dave. Why didn't you tell me this option, and why is insecure the default choice?

Symantec IM Manager Upgrade

| No Comments | No TrackBacks

On Saturday I upgraded to the latest release of Symantec IM Manager, 8.4.11. This version includes limited support for Microsoft Live Messenger 2009. Prior to this upgrade, users with this client could not log into Live Messenger from our network.

The install went pretty clean. Before starting I had pruned the database to hold only the past 90 days of data. I backed up the database and the upgrade went like butter.

I updated the SSL cert used by AIM, the old cert was about to expire. I had a bit of a problem with importing the new cert. The problem was caused by NTFS permissions on the location where the certificates get installed.

The event log showed an error "error returned from calling imadminrunscheduledreport asp page=400". What happened is the reporting pages use "localhost" instead of the hostname to access the IIS webserver. IM Security is configured with two IP addresses and IIS is bound to only one IP instead of all IPs. This means the server doesn't listen to requests for 127.0.0.1. Once I added that, it worked again.

Took a while to work through a few things that cropped up, but not too much trouble.

CAG Critics

| No Comments | No TrackBacks

SANS has a course coming up in a few weeks in DC on implementing the Consensus Audit Guidelines. That caused me to take another look at www.sans.org/cag. Looks like they published an updated draft on May 9th, 2009. The name seems to have morphed from Consensus Audit Guidelines to 20 Critical Security Controls. What really drew my eye was the "critics" page.

The critics page contains solely glowing praise. Often that praise is from people who wrote the CAG. Maybe I'm taking "critics" too literally, but I am reminded of the movie "critics" that write with the goal of their review being included in the advertising.

There has been plenty of criticism of the CAG.

Richard Bejtlich points out that it doesn't help keep score, and its controls are reactionary. Additionally its controls map to the already existing 800-53, so it's redundant if you're already doing that.

Guerilla CISO comments in LOLCats format. He also says "My initial impression is that CAG controls provide worthwhile recommendations but the framework for implementation needs development." Even that sort of mild criticism is missing from the SANS CAG Critics page. Then again, in this post he tears into it more thoroughly. (That's a lot of blog mileage from the CAG. I should take a lesson.)

I'm starting to think the CAG (sorry, now it's CSC - Critical Security Controls) is like the SANS FBI Top 20. It's not written for me. It's written to get in the press. It's written for people who have no clue where to start. For me, I'm taking away some ideas on how to proactively audit some of the CAG items, but the box is already checked in FISMA for those items, so buying anything new is a tough sell right now.

I'm still going to try to get the company to send me to the 20 Critical Security Controls: Planning, Implementing and Auditing 2009. I just found the SANS CAG Critics page amusing.


The Center for Internet Security released a secure configuration benchmark for the iPhone.

SCMag touts this as a good thing "For the first time, enterprises can apply security configuration best practices to Apple iPhones being used by their employees." I would argue that there are a couple things wrong with this statement.

First, it seems to admit that the iPhone isn't secure and needs to be locked down. When Microsoft releases a hardening guide, Alan Paller of SANS goes ape and encourages the government to use their buying power to force Microsoft to apply a "secure" configuration prior to shipment. Second, reading the document, I'm not convinced that the CIS config allows enterprises to enforce security best practices.

The first half of the CIS security guidelines are settings for the user to do on their phone. Fine for the individual, but not for an enterprise. The second half focuses on settings in the iPhone Configuration Utility. I've never used this utility and I don't own an iPhone, but it appears that this utility creates a config file you then mail to the user to apply or place on a website. Great way to distribute security policy. Doesn't seem like a mandatory security policy either. There are a few mentions of ActiveSync, which would enforce policy, but it is not explored enough for my tastes in this document.

Recommendation: Keep firmware up to date.
Doing this requires the installation of iTunes. My skin kind of crawls when someone wants that buggy bloated software installed in a business environment in order to load phone firmware. But hey, at least the user gets to sync their music at the same time. The CIS paper does not report a way that the enterprise could verify the installed versions on each deployed iPhone.

Recommendation: autolock at 5 minutes.
I wish we could enforce an autolock at five minutes. Ours is a bit longer.

With the Blackberry you can set it to lock when holstered. I don't believe the iPhone can do that.


If you needed someone to tell you to set a PIN and a password timeout on a device with, you probably need someone to tell you to come in out of the rain.

Adobe's Product Security Incident Response Team (PSIRT) has announced:

Adobe expects to deliver security updates for Adobe Reader and Acrobat versions 7.x, 8.x, and 9.x for Windows and Macintosh on Tuesday, June 9. This is the first quarterly security update for Adobe Reader and Acrobat as described in our May 20 blog post, and incorporates the initial output of code hardening efforts.

I don't know about you, but I'm suffering some upgrade fatigue. I'm not sure why Adobe thinks it's helpful to release the update the same day as Microsoft. I imagine some patching products must allow the deployment of Microsoft and third party updates all at once. The patching product we use does not.

Quicktime 7.6.2

| No Comments | No TrackBacks

Apple has released Quicktime 7.6.2 to deal with multiple security vulnerabilities. Their writeup is posted here.

Hopefully they also fixed the issue in their MSI file that was preventing installs on a few computers. We extract Quicktime.msi from Apple's installer in order to avoid having to deploy the Apple Software Updater to our computers.

BEEP

| No Comments | No TrackBacks

At work, they've implemented a lockdown. They've enabled the badge readers and locks on doors as you leave the elevator lobby on each floor or come off the stairs. There is some construction work to be done on the 8th floor, so they want to make sure those workers aren't visiting other floors and helping themselves to cash left unattended in purses.

My office is pretty close to the elevator lobby, so I get a full day of false alarms:
- Door is opened, short beep as the badge is swiped.
- Someone leaves, the seeing eye unlocks the door, it is opened, it swings shut, and beep as the door "bounces".
- Long beep as some freaking ignoramus pulls on the doors without swiping the badge. If they would release immediately there wouldn't be an alarm. But no, they keep pulling.
- And then there is the regular security alarm that goes off a couple times a day as well.

I'm thinking of setting up in the conference room to see what these people are doing wrong. It's not that hard to work a door, people.

And I thought it was annoying hearing the BING for the elevator all day.

Adobe Acrobat 7 Updater

| No Comments | No TrackBacks

I'm having trouble with the Adobe Acrobat 7 updater. When you open Adobe Acrobat 7 and select Help then Check for Updates, it is only offering the 7.1.0 update. That update is already applied so I should be getting offered the 7.1.1 and 7.1.2 updates. I am able to apply those updates manually. I'm not sure why the Adobe Updater isn't working. It sure would be easier for the users if it worked.

Alex over at the Sunbelt Blog shared a cool link to a video of Johnny Long.

Johnny is famous for Google Hacking, using Google to discover insecure servers or unsecured information. This video is an hour long presentation on his past, how he got into security and what led him to start Hackers for Charity.

The Long family is trying to raise support for a one year move to Africa. Check out the Hackers for Charity website as well.

Wireless AutoSwitch XPV

| 1 Comment | No TrackBacks

Sase Sham has released a new version of Wireless AutoSwitch to support the upcoming Windows 7 release. It also supports Windows XP and Vista.

Wireless Autoswitch disables the wireless card when a wired connection is detected. Having multiple network connections is a security concern and it can also cause connectivity problems.

I evaled this product a while back, and it was kind of like the Holy Grail for me. I'd been searching for a solution like this for a long time. Ultimately, Symantec Endpoint Protection was released and I was able to approximate this solution and didn't purchase this.

If you don't already have a software solution to disable wireless cards when wired connections are made, I'd suggest checking out Wireless AutoSwitch XPV.

OpenDNS SmartCache

| No Comments | No TrackBacks

OpenDNS blogged about a new feature called SmartCache.

If you ask for a DNS resolution and it can't contact the authoritative DNS server, or the server returns a SERVFAIL, they will respond with the last known good IP address. They dub this "one of the most significant DNS innovations of the last 25 years." It is an opt-in setting.

Hmmm.

Trend Micro has bought Third Brigade. Trend has been licensing their software for the past couple of years.

More Adobe Security Vulns

| No Comments | No TrackBacks

The Adobe Product Security Incident Response Team blog has reported a security vulnerability in "all currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions)."

The suggested mitigation is disabling javascript. We've previously disabled that using Group Policy.

Adobe notes that at this time, this issue is not known to be exploited in the wild. That can change.

Firefox Updates

| 2 Comments | No TrackBacks

For the third time in the past 30 days, there is a Firefox update including security fixes. Firefox 3.0.10 is out.

"And you want to be my latex salesman"

I don't mean to get all Jeff Jones here, but it seems to me there is a bit of tarnish on that "security king" crown that people give to Mozilla.

Software is going to have bugs. I'm glad Mozilla patches them, but more than once a month is getting a bit annoying. It's highlighting a problem that Mozilla doesn't seem to care about: enterprise patch deployment.

Mozilla loves to brag that their users apply patches. That's the problem, you've got to use it to get prompted to update it. Even then the end user may turn off checking for updates.

Currently to get Firefox/Thunderbird updates to occur, I can either pray or send out emails, or use NAC to block their access to the network until Firefox is patched.

I can't believe I'm saying this, but Quicktime and JAVA may have the better idea. JAVA has an always running updater process. I believe Quicktime (via Apple Software Updater) is using Scheduled Tasks.

I'd love to just be able to use a logon script or NAC to be able to run C:\program files\Mozilla Firefox\updater.exe which would then prompt the user if a Firefox update was necessary. I've searched the Internet to see if this is possible. So far no dice.

Share your thoughts on keeping Firefox updated in the enterprise in the comments.

Mozy and Flight 1549

| 4 Comments | No TrackBacks

We're all familiar with the story of Flight 1549's landing in the Hudson River. This week's Mozy newsletter told a story of two sets of Jones (sorry, obscure Big Tent Revival reference). One man performed backups by copying files from one computer to another. He also used USB drives. The second man used online backup from Mozy.
After the plane crashed, the first man lost both computers and the USB drives. The second man contacted Mozy and received the backed up data on DVD in four days.

Mozy of course is pushing this story to get their name out. It's been carried by a USA Today Technology Blog and at ComputerWorld. I've seen some people charge that it is somehow creepy to be using this in advertising. I disagree. First of all, no one died. Second, war stories have a way of getting through to people in a way that no amount of cajoling can accomplish.

I do kind of wonder about the details of this story. A Computer Associates employee lost 250 GB of data due to a haphazard backup scheme. Don't they use their own products? (lol, perhaps that was the problem). The guy was a consultant. It should make you wonder if your backup software works for people that are constantly on the road. Do your security system and software patching work for road warriors?

If you're not using a backup solution, check out Mozy, Home users get 2 GB backup for free. If you click on this link and start using Mozy (signup, install and backup files), we'll both get an extra 256MB of free backup space on top of the 2 GB.

I know, I'm at risk of sounding like a commercial. This is something I used and a story that I liked.

An AP story reports, that a bogus waiter collected $186 in cash from diners in two restaurants.

SmartDraw and Office 2007

| No Comments | No TrackBacks

I received a bit of unsolicited commercial email from SmartDraw that claimed I can get the benefits of Microsoft Office 2007 without the costs and headaches of upgrading. In smaller type they claimed that the biggest improvement in Office 2007 over previous versions is the new graphic and drawing tools, and that you can buy their product and get those graphics improvements without upgrading Office.

I wonder how many people would agree with their premise. For me, I hadn't noticed changes in graphics, but as a security guy I think Office 2007 is a great security update. While many of the improvements have been backported to Office 2003 in service pack 3, 2007 is still safer as seen in the latest Powerpoint zero day.

I'm also pretty happy with Outlook since the Feb 2009 update.

Paying $80-200 for Smartdraw so you can stay on a 5 year old version of Office, just doesn't seem like such a good plan.

Sun has released JAVA 6 update 13. This release contains multiple security fixes 254569, 254570, 254571, 254608, 254609, 254610, and 254611.

Most of these are privilege escalation vulnerabilities. 254569 can allow malicious code to be executed.

My company is using a consulting firm to run a survey on employee engagement. The survey is supposedly anonymous and only aggregate data is viewed.

When I went to take the survey, I noticed that the URL was https://www.%externalvender%.com/Base/Custom/%company%/survey.asp?Survey=42&UserSessionid=23419&l=1

Being a security professional, I opened another window and started decrementing the UserSessionID in the URL. Sure enough, I began seeing other employees' responses. Even in an anonymous survey this should not happen. Users are prompted to supply their division, location, age (optional), length of tenure (optional) and ethnicity (optional). If the optionals are supplied, it shouldn't be hard to figure out who filled in the responses. Users shouldn't be able to see other users' responses.

The URL is HTTPS so I figured it wasn't a caching issue on our end, but just to be sure I reproduced the results from an external computer.

So what lessons can be learned here? First, don't use a predictable session ID (in this case it was sequential). I'm not a web security guy, but I'm thinking a cookie could be used as well to prevent this session browsing.

Update: This problem was reported to the vendor when I discovered it. They found that it was caused by a recent update. They removed the update.
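The sequential-ID problem described in this post and the two fixes it mentions (an unpredictable identifier, plus a cookie), as an added Python example that is not the survey vendor's code. The class names and the access-log format are constructed; `UserSessionid` is the parameter name from the URL above, and the log lines are made up to illustrate the detection.

```python
"""Sequential survey session IDs vs. unpredictable, cookie-bound tokens.

Constructed example: an in-memory stand-in for the survey application
described above.  Class names and the log format are hypothetical.
"""
import hmac
import re
import secrets
from collections import defaultdict


class InsecureSurveyStore:
    """Mirrors the flaw on the page: the record key is a sequential integer
    carried in the URL, so anyone who guesses an integer reads that
    respondent's answers.  There is no ownership check at all."""

    def __init__(self, first_id=23400):
        self._next_id = first_id
        self._responses = {}

    def create_session(self):
        sid = self._next_id
        self._next_id += 1          # predictable: next respondent is sid + 1
        self._responses[sid] = {}
        return sid

    def save(self, sid, answers):
        self._responses[sid] = answers

    def fetch(self, sid):
        return self._responses.get(sid)   # UserSessionid alone grants access


class HardenedSurveyStore:
    """Fix: the URL carries a random 256-bit token, and reading or writing
    also requires the cookie issued alongside it.  Guessing the URL parameter
    is infeasible, and a leaked URL is useless without the cookie."""

    def __init__(self):
        self._responses = {}   # token -> answers
        self._cookies = {}     # token -> cookie value issued at creation

    def create_session(self):
        token = secrets.token_urlsafe(32)
        cookie = secrets.token_urlsafe(32)
        self._responses[token] = {}
        self._cookies[token] = cookie
        return token, cookie

    def save(self, token, cookie, answers):
        if not self._authorized(token, cookie):
            raise PermissionError("token/cookie mismatch")
        self._responses[token] = answers

    def fetch(self, token, cookie):
        if not self._authorized(token, cookie):
            return None
        return self._responses.get(token)

    def _authorized(self, token, cookie):
        expected = self._cookies.get(token)
        # constant-time compare so response timing does not reveal valid tokens
        return expected is not None and hmac.compare_digest(expected, cookie)


LOG_RE = re.compile(r"^(\S+) .*?UserSessionid=(\d+)")


def enumeration_suspects(log_lines, threshold=5):
    """Detection for the legacy design: flag a client that requests many
    distinct UserSessionid values forming a run of consecutive integers.
    Returns {client_ip: length_of_longest_consecutive_run}."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    suspects = {}
    for ip, ids in seen.items():
        ordered = sorted(ids)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= threshold:
            suspects[ip] = best
    return suspects


# Constructed access-log lines (client IP, request, status); not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 GET /Base/Custom/examplecorp/survey.asp?Survey=42&UserSessionid=23419 200",
    "10.0.0.5 GET /Base/Custom/examplecorp/survey.asp?Survey=42&UserSessionid=23418 200",
    "10.0.0.5 GET /Base/Custom/examplecorp/survey.asp?Survey=42&UserSessionid=23417 200",
    "10.0.0.5 GET /Base/Custom/examplecorp/survey.asp?Survey=42&UserSessionid=23416 200",
    "10.0.0.5 GET /Base/Custom/examplecorp/survey.asp?Survey=42&UserSessionid=23415 200",
    "10.0.0.9 GET /Base/Custom/examplecorp/survey.asp?Survey=42&UserSessionid=23501 200",
]
```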

Thunderbird Updated

| No Comments | No TrackBacks

Thunderbird 2.0.0.21 is out.

The security fixes are listed here:

MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)
MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6).

http://www.adobe.com/support/security/bulletins/apsb09-04.html

As scheduled, Adobe has released updates for Adobe Reader 8.x and 7.x.

While Adobe has taken a lot of flack for their handling of this patch, I appreciate that they gave dates for releasing the patches and held to them. It's not like some previous Adobe patches where 7.x owners were urged to upgrade rather than waiting for a patch that might never get released.

I noticed today that Adobe Acrobat 9 Professional wasn't able to download updates when "Help -> Check for Updates" is selected from within the product. Using Wireshark, I obtained the URLs used to request updates from Adobe. Comparing the results inside my network to those outside of the network, I determined that the BlueCoat proxy on our network had an older page cached.

The cached statistics for that page claimed that it had verified with the server that it had a current copy of the file. I blew away the cached content and set swupmf.adobe.com to 'no cache'. The Adobe Acrobat client was then able to see that updates were necessary.

The Adobe server used an ETag. That should have prevented this problem.

Caching can cause issues. When it causes issues with autoupdate mechanisms, would you even notice?
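An added Python model (not BlueCoat's or Adobe's code) of why an ETag alone did not prevent the stale update page: a validator is only sent to the origin when the proxy considers its copy stale, so a copy still inside its freshness window hides a newly published page until the cache is flushed or the host is set to no-cache. `Origin`, `CachingProxy` and the page contents are constructed.

```python
"""ETag revalidation in a caching proxy, modelled on the stale update page above.

Constructed example: an in-memory origin server and proxy.  Names are
hypothetical; the "update page" strings stand in for whatever Adobe serves.
"""
import hashlib
import time


class Origin:
    """Update server.  Each published page gets an ETag derived from its
    content, the way a well-behaved HTTP server does it."""

    def __init__(self, body):
        self.publish(body)

    def publish(self, body):
        self.body = body
        self.etag = '"%s"' % hashlib.sha256(body.encode()).hexdigest()[:16]

    def get(self, if_none_match=None):
        # 304 Not Modified while the validator matches, otherwise a full 200.
        if if_none_match == self.etag:
            return 304, self.etag, None
        return 200, self.etag, self.body


class CachingProxy:
    """max_age is the number of seconds a cached copy is served without asking
    the origin.  Only once that window has passed does the proxy send
    If-None-Match; until then the ETag is never compared."""

    def __init__(self, origin, max_age=300, clock=time.time):
        self.origin = origin
        self.max_age = max_age
        self.clock = clock
        self.entry = None          # (etag, body, stored_at)
        self.origin_requests = 0   # how often we actually talked to the origin

    def get(self):
        now = self.clock()
        if self.entry is not None:
            etag, body, stored_at = self.entry
            if now - stored_at < self.max_age:
                return body, "HIT"          # served blind: origin not consulted
            self.origin_requests += 1
            status, new_etag, new_body = self.origin.get(if_none_match=etag)
            if status == 304:
                self.entry = (etag, body, now)   # copy confirmed current
                return body, "REVALIDATED"
            self.entry = (new_etag, new_body, now)
            return new_body, "UPDATED"
        self.origin_requests += 1
        _, etag, body = self.origin.get()
        self.entry = (etag, body, now)
        return body, "MISS"


def proxy_is_stale(via_proxy_body, direct_body):
    """The check used on the page: compare what the proxy serves with what the
    origin serves directly.  True means the proxy is handing out an old copy."""
    return via_proxy_body != direct_body
```

Setting `max_age=0` is the "no cache" fix from the post: the proxy still keeps a copy, but every request becomes a cheap conditional request, so a new page is seen immediately.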

Adobe 9.1

| No Comments | No TrackBacks

You should already know this but Adobe released the 9.1 update. This patch needs to be deployed ASAP. Updates for 8 are expected by March 18th. I'm not sure if updates for 7 will come out then or later.

I checked SMS and found that around 10% of our systems have Adobe Reader 9. Our standard is 8.1.3. After I packaged 9 for deployment, I was told that Adobe Reader 9 has a conflict with another application we use. So I'm a bit surprised that this many systems would have 9.

So it looks like I'm going to have to deploy Adobe Reader 8 and 9 updates. For Reader, Adobe didn't release an MSP, so it's a full upgrade.

Adobe does release an MSP for Acrobat, but the update is only a single increment. So to upgrade from 8.0.0, several patches must be applied. I hadn't realized that until this week. We've been giving users some bad instructions.

BlueCoat ProxyClient

| No Comments | No TrackBacks

I've been interested in extending HTTP security out to our remote users. When users are in the office their HTTP traffic is antivirus scanned and URL filtered. When remote, they only have desktop antivirus to protect them. As more and more users are mobile, I think it is important to address this.

BlueCoat offers a ProxyClient that can provide traffic acceleration and URL filtering. The URL filtering occurs the same way as with K9 or with a phishing filter: the URL is sent to their servers and categorized, then allowed or blocked accordingly.

Location based rules are created so that acceleration or URL filtering is enabled as appropriate.

I quickly found that the release notes weren't kidding. SMB signing is incompatible with CIFS acceleration. I was hoping that the traffic would still be accelerated through compression and byte caching. My tests seemed to show that traffic was a bit slower when acceleration was enabled.

It's bad enough when Google can't keep their G-Mail servers up. It's worse when they screw up, causing all search results to have a security warning. It's worse again when they force you to fill out a captcha to perform a search because some algorithm has decided that you've searched too much, or searched for a suspicious term.

Now for the second time in two months I've been banned from G-Mail for up to 24 hours.

This account has been locked down due to unusual account activity. It may take up to 24 hours for you to regain access.

Unusual account activity includes, but is not limited to:

Receiving, deleting, or downloading large amounts of mail via POP in a short period of time.
Sending a large number of undeliverable messages (messages that bounce back).
Using file-sharing or file-storage software, browser extensions, or third party software that automatically logs in to your account.
Leaving multiple instances of your Gmail account open.
Browser-related issues. Please note that if you find your browser continually reloading while attempting to access your Inbox, it's probably a browser issue, and it may be necessary to clear your browser's cache and cookies.
If you feel that you have been using your Gmail account according to the Gmail Terms of Use, you can troubleshoot your problem by clicking here.



As near as I can tell, the only activity I have performed is leaving Gmail open on two or three computers. This 24 hour lockout is bull.

Secunia has verified disabling javascript does not provide full protection against the zero day in all supported versions of Adobe Acrobat and Adobe Reader.

The current exploit seen in the wild uses javascript to perform a heap spray for code execution. The vulnerability is in a non-javascript function call. The original alert put out by Shadowserver states:

There may be a method for populating the heap with the necessary shellcode without JavaScript, however if such a technique exists I am not aware of it.

Secunia reports that they have "managed to create a reliable, fully working exploit (available for Secunia Binary Analysis customers), which does not use JavaScript and can therefore successfully compromise users, who may think they are safe because JavaScript support has been disabled."

Even without this method of exploiting without javascript, a SANS commenter has pointed out the potential problem of disabling javascript. When a user opens a PDF containing javascript, they are prompted to re-enable javascript by clicking yes. How many users are really going to stop and consider the source of the file before re-enabling javascript?

I saw this linked from Lenny Zeltser's Twitter. Securology's So you think you want a job in computer security.

The section on security operations is all too true. Here's part:

The worst part about SecOps is that you'll either realize you've hit your Peter Principle with that job, in which case it's time to spend all of your free time on backyard barbecues and retirement planning (nothing necessarily wrong with that -- ignorance is bliss), OR, you'll want out immediately because everyone around you has hit their Peter Principle highest job and you want more.

The post should be read in its entirety.

Adobe has posted a security advisory for the zero day in Adobe Acrobat and Reader that I blogged about yesterday.

They say they are

"planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow"

Last time the updates for version 7 followed along about 8-10 months later if memory serves. Their little incentive for people to upgrade. I'm surprised they haven't sunset-ed version 7 already. I've looked for software support life-cycle information from Adobe and haven't found it.

The recommended mitigation for this vulnerability is disabling javascript until a patch is available. I've never seen anyone mention what effect that might have.

Every article says to disable javascript in Adobe through Edit -> Preferences -> javascript. In an enterprise you would want to know: is there a way to disable javascript in Adobe programmatically (by pushing a registry entry via a login script, SMS or Group Policy)?

Using Process Monitor from Sysinternals, I see that when you disable javascript in the GUI it sets HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS to 0. Googling bEnableJS, I found that SANS ISC has an ADM file (used in Group Policy, for the non-Windows admin types) they posted during the last Adobe exploits back in November. It disables javascript for Acrobat and Reader 6, 7 and 8.

As linked from SANS ISC, shadowserver is reporting targeted attacks using a zero day vulnerability in Adobe Acrobat and Adobe Reader. Versions 8 and 9 are vulnerable.

Disable javascript in Acrobat/ Reader to avoid the code execution vulnerability, however the application will still crash.

eWeek has an article "Macs Rebound at RAND". The funny thing is the article says that this big rebound is from Macs being 20% of all systems to 22% of all systems. In their 2000 user environment this means this article was written because of 40 new Macs.

The article doesn't get into what software they are using to patch much less perform whole disk encryption.

The last couple of weeks I've been paying a bit more attention to our externally accessible systems (such as systems in the DMZ or systems on our external boundary). In the past I've run vulnerability scans weekly, but haven't really paid attention to the systems that come on-line and the systems that go away. I also haven't worried about whether the systems are authorized or not.

In just a couple weeks of paying attention, I've found some funny things (not funny ha ha). A phone for conference calls was plugged into a jack that put it on the external network rather than the internal network. The best part was the default admin password on the phone. OK, lesson(s) learned.

This week, a server came online on our DMZ that I hadn't seen online in the past 2.5 months. According to my records the approval expired in November and they reported they no longer needed access. Apparently the systems administrator turned the server off when it was no longer in production. They turned it on this week to "take an inventory." Unfortunately the system was still connected to our DMZ. Lesson learned: when approval ends, get the network guys to go to the patch panel and unplug that drop.

Fortunately neither case resulted in a problem, but it showed to me pretty quickly the need to pay attention to the hosts on that network beyond "is it vulnerable". Should it be there is key as well. :)
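The two lessons above (hosts appearing without approval, and hosts coming back after their approval lapsed) as an added Python check, not the author's own tooling: two weekly scan snapshots and an approval register are constructed inline, using documentation IP ranges, and the "today" used for the audit is a constant.

```python
"""Authorized-host tracking for an externally reachable segment.

Constructed example: the scan results, approval register and audit date are
inline sample data, not anything from the author's scanner or records.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Approval:
    ip: str
    owner: str
    expires: date


def audit_external_segment(previous_scan, current_scan, approvals, today):
    """Compare two scan snapshots against the approval register.

    previous_scan / current_scan: sets of IPs the vulnerability scanner saw alive.
    Returns four finding sets:
      new_unapproved     alive now, never approved (the conference phone)
      expired_but_alive  alive now, approval lapsed (the DMZ server above)
      returned           alive now but absent last scan (worth a second look)
      gone               approved and alive last scan, missing now
    """
    by_ip = {a.ip: a for a in approvals}
    findings = {"new_unapproved": set(), "expired_but_alive": set(),
                "returned": set(), "gone": set()}
    for ip in current_scan:
        approval = by_ip.get(ip)
        if approval is None:
            findings["new_unapproved"].add(ip)
        elif approval.expires < today:
            findings["expired_but_alive"].add(ip)
        if ip not in previous_scan:
            findings["returned"].add(ip)
    for ip in previous_scan - current_scan:
        if ip in by_ip:
            findings["gone"].add(ip)
    return findings


# Constructed sample data (RFC 5737 documentation addresses).
APPROVALS = [
    Approval("203.0.113.10", "web team", date(2009, 12, 31)),
    Approval("203.0.113.20", "partner sftp", date(2008, 11, 30)),  # lapsed
]
LAST_WEEK = {"203.0.113.10"}
THIS_WEEK = {"203.0.113.10", "203.0.113.20", "203.0.113.77"}  # .77: phone on wrong jack
AUDIT_DATE = date(2009, 2, 13)
```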

Who watches the admin

| 3 Comments | No TrackBacks

I must be the only Infosec blogger in America not to have blogged about the Fannie Mae IT contractor... until now.

For those who don't know, an IT contractor at Fannie Mae was fired, but he was allowed to finish out the day. An indictment alleges that he then planted malicious code inside a script. The code was placed at the bottom of a regularly scheduled script, with a page of blank lines designed to obscure the addition of new code from anyone who happened to look at the file. If run, it would have securely erased files and critical applications from the system. It would have replaced the shadow file to prevent their password management appliance from logging in. Lastly, it disabled remote power-on and shut the machine down.

A good writeup on the incident is provided by Larry Dignan at ZDNet. The complaint is located here.

I was thinking about that article this week because of a rumored RIF (Reduction in Force) occurring where I work. I've heard one person was informed on Monday that Friday is their last day. It seems to me that when you are allowing continued access for people laid off or fired, it would be a good idea to keep a close eye on what they are doing. If people are disgruntled, that is when they are going to plant logic bombs, create back doors or download all the company files.

Even if you know who is disgruntled (due to layoffs, promotion denial or a bad performance review), how do you track them? Varonis is one product that I'm interested in. From the product pitch I saw, it would do a good job of letting me know if someone is trying to download everything on the file server or is otherwise acting out of the ordinary.

Real change management would catch the malicious attacks. Something like Tripwire would report on the addition/modification of a file.
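As an added example of both points (not Tripwire and not the post's code): a SHA-256 baseline that reports any changed, added or removed scheduled script, plus a heuristic that flags code resuming after a page of blank lines, the concealment the indictment describes. The sample scripts are constructed and held in memory.

```python
"""File-integrity baseline plus a check for code hidden below blank padding.

Added example, not Tripwire or the blog's tooling. A baseline of SHA-256
digests reports any added, removed or modified script (the change-management
catch); a second pass flags a script whose code resumes after a long run of
blank lines. Sample scripts are constructed and held as {path: bytes}.
"""
import hashlib
from pathlib import Path


def snapshot_dir(root):
    """Read every file under root into {relative path: bytes} for baselining."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def build_baseline(files):
    """Map each path to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline, current):
    """Added, removed and modified paths between two baselines."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def hidden_tail(text, min_blank=40):
    """1-based line where code resumes after >= min_blank blank lines, else None.

    A blank run long enough to push the rest of a script off screen, followed
    by more code, deserves a human look.
    """
    run = 0
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            if run >= min_blank:
                return number
            run = 0
        else:
            run += 1
    return None


def suspicious_scripts(files, min_blank=40):
    """Scripts whose code resumes after a long blank run, with the resume line."""
    hits = {}
    for path, data in files.items():
        where = hidden_tail(data.decode("utf-8", errors="replace"), min_blank)
        if where is not None:
            hits[path] = where
    return hits


# Constructed sample: the scheduled job before and after a concealed addition.
ORIGINAL_JOB = (b"#!/bin/sh\n# nightly maintenance (constructed)\n"
                b"find /var/tmp -mtime +7 -delete\n")
PADDED_JOB = ORIGINAL_JOB + b"\n" * 60 + b'echo "appended command (constructed placeholder)"\n'

APPROVED = {"cron/nightly.sh": ORIGINAL_JOB,
            "cron/rotate.sh": b"#!/bin/sh\nlogrotate /etc/logrotate.conf\n"}
TONIGHT = {"cron/nightly.sh": PADDED_JOB,
           "cron/rotate.sh": APPROVED["cron/rotate.sh"],
           "cron/cleanup.sh": b"#!/bin/sh\nfind /var/tmp -name '*.lock' -delete\n"}


def audit():
    """Run both checks over the constructed sample."""
    changes = compare(build_baseline(APPROVED), build_baseline(TONIGHT))
    return changes, suspicious_scripts(TONIGHT)


if __name__ == "__main__":
    changes, hidden = audit()
    print("changes:", changes)
    print("code after blank padding:", hidden)
```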

Just how important is it for the Security Professional to have social skills?

It seems like a broken record. In addition to having degrees, certifications and experience, we are now supposed to glide seamlessly into the board room and converse equally well about business units and legal briefs. It's not enough to be technically competent, you've got to have a good golf game.

At Shmoocon in the closing plenary an audience member asked for a talk next year on preparing a 30-second security elevator talk. If you're not familiar with the concept, it is that you have a brief elevator ride with an exec. You have their ear. How do you sell security before the door closes? My VP always asks "are we secure" when I see him. I've been told by my Infosec brethren that the answer is yes. Personally I think the answer is "HELL NO, as long as users have local admin rights". Or perhaps a joke: "you aren't in handcuffs yet, so we must be doing something right."

Bill Brenner of CSO online obtained a good quote from the Hoff, Chris Hoff of Unisys and the Rational Security blog.

"The notion that everyone involved in security needs to be able to put themselves out there, get up and give a presentation to the board of directors is ridiculous. We still need skilled operators in the trenches, continuing to do what they do in the basement. Do I want to discourage someone who is fantastic at pen testing by telling them their career will be limited if they can't put together a PowerPoint presentation for the board?

Shmoocon 2009 Day 3

| No Comments | No TrackBacks

Enough with the Insanity: Dictionary Based Rainbow Tables
by Matt Weir
http://reusablesec.googlepages.com/


Defense against offline password cracking:
1. Salt.
2. Make it computationally expensive, e.g. 100 x SHA1.

Unless of course you salt it wrong.
WPA and WPA2 keys are salted with the SSID. NTLM uses the username as a salt.
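An added example (not from the talk) of why the two defenses work, and of the "salted it wrong" case: a precomputed lookup recovers unsalted SHA-1 instantly, fails against a random per-account salt with PBKDF2 (the standard form of "100 x SHA1"), and works again when everyone shares one predictable salt such as an SSID. The wordlist and salts are constructed.

```python
"""Why a random per-account salt plus iteration defeats precomputed tables.

Added example, not from the talk. A precomputed lookup (a rainbow table's
job, reduced to a plain dictionary) is built once and reused against every
dump of unsalted hashes. With a random salt per account there is no single
table to build ahead of time; with a salt shared by everyone (an SSID, a
username) one table per salt value is still feasible.
"""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "Summer2009", "qwerty"]   # constructed


def unsalted_sha1(password):
    """What a leaked unsalted hash looks like."""
    return hashlib.sha1(password.encode()).hexdigest()


def plain_table(words):
    """Unsalted SHA-1 -> plaintext; computed once, reused forever."""
    return {unsalted_sha1(w): w for w in words}


def derive(password, salt, iterations=100):
    """Salted, iterated hash: PBKDF2-HMAC-SHA1 with the talk's 100 rounds."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations).hex()


def shared_salt_table(words, salt, iterations=100):
    """Precomputation is still possible when the salt is predictable and shared."""
    return {derive(w, salt, iterations): w for w in words}


def crack_with_table(table, digest):
    """A table hit costs one lookup; that is the whole point of precomputing."""
    return table.get(digest)


def new_record(password, iterations=100):
    """Store a fresh random salt beside the digest, one per account."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "iterations": iterations,
            "digest": derive(password, salt, iterations)}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = derive(password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    table = plain_table(WORDLIST)
    print("unsalted:", crack_with_table(table, unsalted_sha1("letmein")))    # letmein
    rec = new_record("letmein")
    print("random salt + PBKDF2:", crack_with_table(table, rec["digest"]))   # None
    print("verify:", verify("letmein", rec), verify("wrong", rec))          # True False
    shared = shared_salt_table(WORDLIST, b"CorpWiFi")
    print("shared salt:", crack_with_table(shared, derive("letmein", b"CorpWiFi")))
```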

The Problems with Rainbow Tables


  • Probabilistic in nature

  • Long creation time

  • Two hashes take twice as long to crack as one

  • Collisions result in a lot of wasted work

Traditional Rainbow Tables have been brute force attacks. However, as LanMan hashes are increasingly disabled, and some organizations have implemented long password requirements (14 characters and up), we need to look at other methods. I've found NTLM Rainbow Tables to be massive. In my experience, any organization that has a strong password requirement can't use NTLM Rainbow Tables. Last time I looked there wasn't a Rainbow Table covering lengths up to 8 with UPPERS, lowers and numbers. It would be too big.

So what do you do? Over at freerainbowtables.com you can download hybrid rainbow tables. From what I see it's only really short passwords. I thought Matt said they had a version of rcrack to generate your own hybrid rainbow table. That would be pretty cool.

I currently do this through brute force, looking for the following pattern:

Aaaa11122 where

A = UPPERS. So in this case the first letter is an upper case letter.
a = lowers. In this case characters 2, 3 and 4 are lower case letters.
1 = lowers or numbers. So positions 5, 6 and 7 are lowers or numbers.
2 = lowers, numbers or "!". So positions 8 or 9 have that.

I suspect a rainbow table looking at length 8 or 9 with that combination would save me time in the long run.

Matt has developed a dictionary-based rainbow table generator available at the URL at the top of this entry. It can take a dictionary and use common word-mangling rules to create rainbow tables. You can also check for common keyboard combos and doubled passwords. People often double their current password to meet lengthy password requirements.

I currently use InsidePro's Extreme GPU Bruteforcer. (It's much cheaper than Elcomsoft.) The software is cheap and an NVIDIA GeForce 8800 GT is relatively cheap as well. While watching this talk I was wondering about GPU brute forcing versus Rainbow Tables. If I can do a hybrid Rainbow Table, is it then possible to write software to do a hybrid attack using the GPU? Or does the way a GPU works make that a bad idea?

JSunpack
By Blake Hartstein
JS Unpack is a JavaScript unpacker available online at jsunpack.jeet.org.
It may be available as a download to run locally at some point.

The Problem:
There is a large volume of malicious JavaScript files. These encoded/encrypted JavaScript exploits are difficult to analyze.

In the past you would need to manually attempt to decode it by downloading it, attempting to modify it to be 'safe' and then run it. This is kind of dangerous and requires a sacrificial lamb.

To defeat manual analysis the malware creator would use escape sequences, encryption based on tags (so if you change a tag, it won't decrypt), environment variables as an encryption key, version detection, timing, and blacklisting. Additionally, exploit kits can set their website to only serve the malware once to an IP.

After manual methods, more automated efforts have occurred such as JSDecode by Dave Zimmer, the Ultimate deObfuscator by Stephen Chenette of Websense and Malzilla.

JS Unpack has the following goals:

  • Safety: not requiring a sacrificial lamb

  • Archive content

  • Simulate the browser and plugins (PDF and Flash)

  • Combine the best hooking techniques

  • Enable analysis despite IP blocking

  • Integrate with IDS, crawling and other research

ClamAV is used to statically unpack executables.
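A static first pass at the escape-sequence layer described above, as an added example (not JSunpack's code): it rewrites unescape() and String.fromCharCode() calls into plain string literals without executing anything, then lists the URLs and tags that become visible. The obfuscated sample is constructed and harmless; tag-keyed or environment-keyed encryption needs browser emulation and is out of scope here.

```python
"""Static decoding of escape-sequence-obfuscated JavaScript.

Added example, not JSunpack's code. Undoes the two most common wrapping
layers, unescape("%XX%uXXXX...") and String.fromCharCode(n, n, ...), by
rewriting the source rather than running it, so no sacrificial machine is
needed for this layer. The obfuscated sample is constructed.
"""
import re

_UNESCAPE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
_URL = re.compile(r"""https?://[^\s"'<>\\]+""")
_TAG = re.compile(r"<\s*([A-Za-z]+)")


def js_unescape(text):
    """Mimic JavaScript's unescape(): %uXXXX first, then %XX."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _as_js_literal(value):
    """Re-quote a decoded string so the rewritten source is still JavaScript."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return '"' + escaped + '"'


def decode_layer(src):
    """Replace each unescape(...) and String.fromCharCode(...) with its literal."""
    src = _UNESCAPE.sub(lambda m: _as_js_literal(js_unescape(m.group(2))), src)
    return _FROMCHARCODE.sub(
        lambda m: _as_js_literal("".join(chr(int(n)) for n in m.group(1).split(",")
                                         if n.strip())),
        src,
    )


def unpack(src, max_layers=8):
    """Peel layers until the source stops changing (handles nested encodings)."""
    for _ in range(max_layers):
        decoded = decode_layer(src)
        if decoded == src:
            break
        src = decoded
    return src


def indicators(decoded):
    """URLs and HTML tags visible after decoding, for IDS rules or blocklists."""
    return {
        "urls": sorted(set(_URL.findall(decoded))),
        "tags": sorted({t.lower() for t in _TAG.findall(decoded)}),
    }


# Constructed sample: an iframe and a script URL hidden behind both encodings.
SAMPLE = """
var s = unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fstage2%22%3E%3C%2Fiframe%3E");
document.write(s);
var u = String.fromCharCode(104,116,116,112,58,47,47,101,120,97,109,112,108,101,46,
                            105,110,118,97,108,105,100,47,112,46,106,115);
"""


def analyse(src=SAMPLE):
    """Decode the sample and extract what it was hiding."""
    decoded = unpack(src)
    return decoded, indicators(decoded)


if __name__ == "__main__":
    decoded, found = analyse()
    print(decoded)
    print(found)
```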

Plenary Session: Tough Security for Tough Times
This is mostly random notes from the session:

Security spending is holding steady due to compliance requirements and increasing threats.

The half life of security knowledge is 18 months.
This came back in a discussion of security degrees. Engineering constants don't change. But very quickly the degree you received could be seen as about as useful as a diploma from the punch card era.

DLP is seen as taking off by one analyst. (I guess when everything is DLP, it must get a lot of sales)

Management needs to understand that security isn't overhead.

The bad guys have learned to stay below the radar. Business will ignore it as long as a threshold isn't exceeded.

How do you grow security talent that can relate to business?

Shmoocon 2009 Day 2

| No Comments | No TrackBacks

I really shouldn't have to wake up at 7:30 am on a Saturday and take the Metro into DC. Fortunately I thought the 10am talk was worth it.

Phishing Statistics and Intuitive Enumeration of Hosts and Roles
by Sean Palka

This talk is about a tool he created/uses in corporate engagements. But as with most things developed on company time, it's not free to be released. The presentation is to give you ideas. And it does make me realize that this could be a fun side project if I can't get money for PhishMe and I can't get hold of Lunker.

The motivation for this tool is to justify to clients that phishing is a useful exercise. He also wanted the tool to gather reliable stats for reporting.

When phishing a company you may find that distribution lists are hit. You may find email forwarded from one user to another. Just as with a marketing campaign, web bugs, images and unique identifiers in URLs are used to determine who is following a link. Most mail clients no longer load images by default, so that cuts down somewhat on the ability to determine that a message was read but the link was not clicked. However, some companies may whitelist their own domain name, allowing images to load automatically.

A bad guy phishing doesn't care who responds. He just wants the credentials. But whitehat phishing needs reports and attribution. You want to know who just visited the site without providing the phished-for information. Your phishing site could have contained a browser exploit just as easily.

Tagging or using unique identifiers in URLs does not solve the problem of message forwarding, or of a single user having logged in at multiple locations. While time can be used to determine that the person probably didn't drive home, that person could have used remote desktop. You just don't know if the message was forwarded or if the user is going from computer to computer trying the URL.

An audience member pointed out that you could use images and the client cache to determine if the same computer visits more than once. (I'm not sure how that would work if a proxy is used).

You may be able to determine "important" systems by the responses as well. If one computer has a higher than normal number of responses it might be a help desk or an admin checking out user reports. Obviously if NAT is involved, you need to do your phishing from an internal system.

Additionally you can determine social networks by seeing to whom the email is forwarded.

When an internal system is used for a phishing attack, these are the pros and cons:
- The firewall prevents external connections. Email may be forwarded externally and responses cannot get to your internal site.
- People may trust the internal IP and act differently.
- You don't have to worry about your other security filtering getting in the way. This isn't a test of your spam filter.
- You can build focused attacks on victims.

Whitehat phishing attacks where the website is external have little ability to get the client IP. He said he hasn't had a lot of consistent success using PHP. This limits reporting capabilities when NAT is used.

I didn't ask if he did customization to use the users' names in the target emails.
He doesn't include training in the tool (as PhishMe does) because the focus of his tool is pentesting, not security training. While this is understandable given his role at BAH, I think most people looking to do whitehat phishing are going to want to provide the immediate user feedback/training that has been proven to be effective.
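The reporting side of such an authorized awareness exercise, as an added example (not Sean Palka's tool): HMAC-derived per-recipient tokens so the stats cannot be skewed by a guessed token, attribution of beacon and click hits back to people, and the forwarded-message and busy-host ambiguities called out above. Recipients, the campaign secret and the access log lines are all constructed.

```python
"""Attribution for an authorized phishing-awareness exercise.

Added example, not Sean Palka's tool. Each recipient gets an HMAC-derived
token (nobody can guess a colleague's token and skew the results), web server
hits are attributed back to people, and the report separates "read but did
not click" (image beacon only), clicks seen from more than one computer
(forwarded mail or one user at several locations, which a URL token alone
cannot tell apart) and one address visiting many people's links (help desk,
an admin checking reports, or NAT). Recipients, secret and log lines are
constructed.
"""
import hashlib
import hmac
import re
from collections import defaultdict

CAMPAIGN_SECRET = b"constructed-campaign-secret"   # keep it out of the mail template
RECIPIENTS = [f"{n}@example.invalid" for n in ("alice", "bob", "carol", "dave", "erin")]

_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.[01]" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
_TOKEN = re.compile(r"[?&]t=([0-9a-f]{16})")


def make_token(recipient, secret=CAMPAIGN_SECRET):
    """Per-recipient token carried in both the link and the beacon URL."""
    return hmac.new(secret, recipient.lower().encode(), hashlib.sha256).hexdigest()[:16]


def parse_hits(log_lines):
    """Extract ip, token and hit kind from combined-format access log lines."""
    hits = []
    for line in log_lines:
        m = _LOG.match(line)
        if not m:
            continue
        t = _TOKEN.search(m.group("path"))
        kind = "open" if m.group("path").startswith("/beacon.gif") else "click"
        hits.append({"ip": m.group("ip"), "token": t.group(1) if t else None,
                     "kind": kind, "ua": m.group("ua")})
    return hits


def attribute(hits, recipients):
    """Per-person outcomes plus the ambiguities the talk describes."""
    tokens = {make_token(r): r for r in recipients}
    people = defaultdict(lambda: {"open": False, "click": False, "sources": set()})
    per_ip = defaultdict(set)
    unknown = 0
    for h in hits:
        who = tokens.get(h["token"])
        if who is None:
            unknown += 1                        # guessed, mangled or foreign token
            continue
        people[who][h["kind"]] = True
        people[who]["sources"].add(h["ip"])     # distinct client addresses per person
        per_ip[h["ip"]].add(h["token"])         # distinct people's tokens per address
    return {
        "clicked": sorted(p for p, v in people.items() if v["click"]),
        "opened_only": sorted(p for p, v in people.items() if v["open"] and not v["click"]),
        "no_response": sorted(set(recipients) - set(people)),
        "multi_source": sorted(p for p, v in people.items() if len(v["sources"]) > 1),
        "busy_ips": sorted(ip for ip, toks in per_ip.items() if len(toks) >= 3),
        "unknown_tokens": unknown,
    }


def _line(ip, path, token, ua, when="14/Feb/2009:10:02:11 -0500"):
    return f'{ip} - - [{when}] "GET {path}?t={token} HTTP/1.1" 200 512 "-" "{ua}"'


def _tok(name):
    return make_token(f"{name}@example.invalid")


# Constructed access log for the sample campaign.
SAMPLE_LOG = [
    _line("10.1.1.5", "/beacon.gif", _tok("alice"), "Outlook/12.0"),     # images allowed: read
    _line("10.1.1.5", "/portal/login", _tok("alice"), "MSIE 7.0"),       # alice clicked
    _line("10.1.1.7", "/portal/login", _tok("bob"), "MSIE 7.0"),
    _line("10.1.1.40", "/portal/login", _tok("bob"), "Firefox/3.0"),     # bob again, elsewhere
    _line("10.1.1.9", "/beacon.gif", _tok("carol"), "Outlook/12.0"),     # carol read, no click
    _line("10.1.1.99", "/portal/login", _tok("alice"), "MSIE 7.0"),      # one host, many tokens
    _line("10.1.1.99", "/portal/login", _tok("bob"), "MSIE 7.0"),
    _line("10.1.1.99", "/portal/login", _tok("erin"), "MSIE 7.0"),
    _line("10.1.1.200", "/portal/login", "0000000000000000", "curl/7.19"),  # not one of ours
]


def campaign_report(log_lines=SAMPLE_LOG, recipients=RECIPIENTS):
    """Parse and attribute the constructed log."""
    return attribute(parse_hits(log_lines), recipients)


if __name__ == "__main__":
    for key, value in campaign_report().items():
        print(f"{key}: {value}")
```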

Stranger in a Strange Land: Reflections on a Linux guy's First Year at Microsoft
by Crispin Cowan
A lot of the talk I felt I'd seen in either the SDL blog or Jeff Jones' blog. Basically slides pointing out the success of the Security Development Lifecycle at Microsoft. Security at Microsoft comes down to before the 2002 Bill Gates memo and after. For those who don't know, Microsoft shut down coding for a month and re-trained employees in secure coding practices. They then followed up and made sure people did it.

One of the big problems that isn't going away is legacy. There are a lot of applications that rely on doing dangerous, stupid things that they have been allowed to do. There is only so much breakage you can do before people start to push back. (Side comment: it was a huge deal for Microsoft to disable IIS by default in a desktop operating system. Their application vendors expected it to be there.) It is hard to fix architecture issues without breaking old applications. The application base is the value in Windows.

One of the big problems is the massive dependence on local admin. UAC is the stick used to make vendors write their applications so they don't require local admin rights. It's not UAC that sucks, it's the crappy application that needs admin rights just to run.

88% of users participating in the feedback program leave UAC enabled.

Another metric they use is sessions that are UAC prompt free.
In Vista RTM, this was 50%.
With SP1, consumer desktops were at 65% and computers joined to a domain (work computers) were at 80%.

I assume this means the applications are getting improved to not need admin rights. It could mean people stopped using the crappy app.

Middling Everything with Middler
by Jay Beale
Obviously MITM is nothing new. What this project does is:

  1. Inject JavaScript into HTTP

  2. Store session IDs

  3. Intercept logout requests (even if you think you've logged out, you haven't)

  4. Replace HTTPS links with HTTP links (your bank site, which only uses HTTPS for login, now logs you in in clear text)

The purpose of the tool is:

  • Inject JavaScript into every page

  • Inject temporary or permanent redirects

  • Take over a website with the Browser Exploitation Framework

  • Compromise the user with Metasploit

Middler is available on the InGuardians website.

The Agreement
A group of friends set up a framework of rules to govern as they attempt to 0wn each others computers. When no one else will set up a capture the flag exercise for you, you hack on each other.

http://www.jointheagreement.com/

The Fast-Track Suite
by David Kennedy
The Fast-Track suite will be available in BackTrack 4. Or check out the Fast-Track website.

All I seem to remember is "pop a box." ;)

Very interesting point and click hacking. As I understand it, some Metasploit attacks were only available for old specific service packs, he has made the attacks more universal.

In pen testing, I believe people use Windows debug to convert the uploaded hex into binary. There is a built-in 64 KB limit. He automates a way to get around that by supplying a new debug utility (at least that is how I understood it).

In the demos he'd run an exploit, upload a VNC server and connect to it.

I didn't get a chair during this talk so I don't have a lot of notes.

Shmoocon 2009 Day 1

| No Comments | No TrackBacks

The next three posts will contain my notes from Shmoocon. This post contains notes from each session I attended on day 1. I'm not trying to necessarily reconstruct the notes into a coherent thought. Hopefully it will be somewhat readable.

Opening Remarks
by Bruce Potter

People are getting owned a lot.
Trends:

  • Increased success in getting past our defenses

  • Increasingly malicious motivations. The bad guys aren't after web defacements.

  • In spite of the above, we haven't changed our methods. It's a lot of the same.

  • Spear phishing and drive-bys are unabated.

What we have is a Maginot line...in depth

Of 66 million websites indexed by Google, 5 percent had drive-bys.
These sites with drive-bys weren't just the risky underbelly of the web. It was every category of website. I don't think that is surprising to anyone who has paid attention to security.

These findings were published last year in USENIX.

The malicious content on these sites was then scanned using three top Antivirus vendors. The best detection rate among these three vendors was only 75%. The worst was 30%. These are untargeted attacks. Imagine the ability of an attack targeted at your organization to cut through your antivirus defenses.

So what do you do?
NAC? Most people don't have that deployed even if they've bought it.
Firewall Internally?
Token authentication?
Change jobs?

Digging ourselves out
As with most security talks and papers, I felt like a solution wasn't really there. "Fixing fundamental problems." I'm not sure if Bruce defined this. If he means teach everyone to code securely, then burn the existing software to the ground and start over, well, keep waiting for that.

The other talks on day one were quick 25-minute talks, and I didn't always have notes.

Open Vulture - Scavenging the Friendly Skies
Open Source UAV Platform
Ethan O'Toole and Matt David

I didn't take a lot of notes on this one. The talk was put together fine. It pointed out the existing/competing projects and how they were different.

Building the 2008/2009 ShmooBall Launchers
by Larry Pesce and David Lauer
When building a pressure based launcher, you'll have problems with PVC tubing not being rated for the PSI.

The Day Spam Stopped (The Srizbi Botnet Takedown)
by Julia Wolf
We all know about McColo being taken offline in November and the corresponding drop in spam rates.

The bad guys lost their command and control of the botnet when McColo was taken down. The good guys figured out how the botnet was selecting the hostname/domain name used in the backup. (The exact math of that is probably available at blog.fireeye.com or look for the slides when available on the Shmoocon website). By registering those domain names they prevented the bad guys from regaining control.

Under U.S. law they felt they could not send out an "uninstall" command to the botnet army. It would also be risky since the botnet is in the kernel and you could potentially BSOD the clients.

No one asked about the return of spam that has been reported in January. Is that other botnets taking up the slack? I thought I had heard that a Spanish ISP had brought the bad guys' ASN back online briefly, allowing them to regain control.

Automated Mapping of Large Binary Objects
by Greg Conti, Ben Sangster, and Roy Ragsdale.
The goal of this project is to accurately identify regions in an arbitrary binary object.

Typically you would use a hex editor and a lot of elbow grease. This is trying to automate that, even to the point of identifying one type of encryption versus another.

I found the talk interesting. When you're doing manual static analysis of files, this could come in handy.
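An added example (not the presenters' tool, whose method these notes do not describe) using the usual stand-in for this job, sliding-window Shannon entropy, to carve a blob into text, padding and high-entropy (compressed or encrypted) regions. The sample blob is constructed.

```python
"""Sliding-window entropy map of a binary blob.

Added example, not the presenters' tool. Shannon entropy per window is the
common stand-in for region mapping: zero or repeated padding scores near 0
bits/byte, printable text around 4-5, ordinary code and structures in
between, and compressed or encrypted data close to 8. Thresholds are rules
of thumb. The sample blob is constructed.
"""
import math
import random
from collections import Counter

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(chunk):
    """Bits per byte, 0.0 to 8.0."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def classify(chunk):
    """Coarse label for one window, with its entropy."""
    h = shannon_entropy(chunk)
    printable = sum(b in PRINTABLE for b in chunk) / max(len(chunk), 1)
    if h < 1.0:
        return "padding", h
    if printable > 0.95 and h < 5.5:
        return "text", h
    if h > 7.0:
        return "high-entropy", h         # compressed, encrypted or random
    return "binary", h


def map_regions(data, window=512):
    """Label each window and merge neighbours that share a label."""
    regions = []
    for offset in range(0, len(data), window):
        chunk = data[offset:offset + window]
        label, h = classify(chunk)
        if regions and regions[-1]["label"] == label:
            regions[-1]["end"] = offset + len(chunk)
            regions[-1]["entropies"].append(h)
        else:
            regions.append({"start": offset, "end": offset + len(chunk),
                            "label": label, "entropies": [h]})
    for r in regions:
        r["avg_entropy"] = round(sum(r["entropies"]) / len(r["entropies"]), 2)
        del r["entropies"]
    return regions


def sample_blob():
    """Constructed: 1 KiB of text, 512 zero bytes, 1 KiB of pseudo-random bytes."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 30)[:1024]
    rng = random.Random(7)                  # fixed seed so the sample is repeatable
    noise = bytes(rng.getrandbits(8) for _ in range(1024))
    return text + bytes(512) + noise


if __name__ == "__main__":
    for r in map_regions(sample_blob()):
        print(f"{r['start']:6d}-{r['end']:6d}  {r['label']:13s} H={r['avg_entropy']}")
```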

Decoding the Smartkey
by Shane Lawson

Kwikset SmartKey attempts to allow the consumer to rekey their lock without removing it from the door. It is also resistant to bump keying. Here is a video from Kwikset on how to rekey.

Unfortunately, as this talk demonstrates, because of the technology used to allow rekeying it is possible to determine the key height, compromising the lock.

HP is reporting that "a potential security vulnerability has been identified with certain HP LaserJet printers, HP Color LaserJet printers and HP Digital Senders. The vulnerability could be exploited remotely to gain unauthorized access to files."

CVE-2008-4419 adds that this is a directory traversal vulnerability.

In a post to Bugtraq, Digital Defense says an attacker can read arbitrary system configuration files, and cached documents.

HP Web Jetadmin should make quick work of the updates for printer admins.

SRA Reports Possible Data Breach

| 3 Comments | No TrackBacks

SRA warned employees, ex-employees and customers of a possible data breach.

In a letter to the Maryland Attorney General's office, SRA reported that a virus on their network may have led to data disclosure.

I watched a MessageLabs HTTP Security Webcast earlier today. I have evaluated their product both when they were reselling ScanSafe and once since they implemented their own solution.

As anyone reading this site already knows, there was a big uptick in malware served by legitimate sites at the end of 2008. SQL injection and other tricks were used to get malicious code to load from legitimate websites. The old advice about "don't click on this or that" just doesn't work when it's a common site that has been compromised to serve the malware.

Spyware is even more sneaky. They use boxes that appear to be Windows Update. They pretend to be a needed codec. They masquerade as security software. They even get accepted as advertisements on legitimate banner ad networks.

As user details are stolen (such as in the Monster.com hack) or voluntarily disclosed on social network sites, a treasure trove of material for a targeted attack is put into the bad guys' hands. That, combined with public data found on genealogy sites and voter registration rolls, makes it possible to craft emails that appear to be legitimate because they already know so much about you. The questions used to reset the password on your accounts are easy to find answers to, as many celebrities have experienced, much to their chagrin.

The need for advanced web security is obvious. With MessageLabs web security, they use two antivirus engines and a pared-down version of their Skeptic heuristic engine. It's my belief that this will provide better security than competitors.

What has kept me from implementing this solution in the past is the desire to avoid using a direct proxy. Transparent proxies work better in my opinion. MessageLabs provides a proxy for the corporate network so that internal usernames and IPs can make it to their logs (otherwise with NAT they'd only have your firewall IP as the source). I hear this proxy is a customized Squid proxy. While Squid supports WCCP, this is not something MessageLabs has supported to my knowledge. I looked at their instructions for Checkpoint to forward traffic transparently to MessageLabs. That did not solve the problem of their logs only having the firewall IP address.

While direct versus transparent is still a challenge, I did learn in this webcast that MessageLabs is going to be announcing a new feature next week that I've been looking forward to. While they didn't say not to pass it on, I'm going to self-embargo. So hopefully I'll get another blogging opportunity after I've checked out the new features.

Step Back, I'm certified

| 5 Comments | No TrackBacks

I'm referring to one of my favorite Dilbert strips in the title of this entry.

I passed the Certified Ethical Hacker ECO-350 exam this morning.

There seems to be a few set reactions to the CEH.

1. "Not the H(acker) word". These are the same people who get upset when colleges teach their students how to defend a network or system, by teaching them how to break into it. They probably think they are safer in a gun free zone.
2. HR departments and recruiters seem to love the cert.
3. Some think it's a poser cert. I don't know about that. I think it's a beginner cert, and I found it really easy. As with any certification, the quality of the person holding the cert is not guaranteed.
4. Some think EC-Council (the group administrating the CEH) is a scam. That is traced back to a blog post by securitymonkey in 2006. Personally I think he makes a poor case.

The CEH does not require the classroom training or purchasing study material from them. Most of my studying is in being an information security professional for many years. There are a couple things that I'd point to as particularly helpful.

1. Sensepost - Hacking by the Numbers at Blackhat. That was at the first Blackhat Federal. I forget the year.
2. A Masters level course at James Madison University in which the semester was essentially a capture the flag/ defend the flag exercise. That was in 2006 (man time flies).
3. Read the Official CEH book.

I don't necessarily like getting too many certs, but it's one way to demonstrate continued learning and development to management types. Unfortunately, I think career-wise I'd be better off with a soft skills certification than any more technical ones. Anyone have any suggestions that wouldn't cause me to submit comic strip ideas to Dilbert because it is so absurd?

Quicktime 7.6

| No Comments | No TrackBacks

I finally deployed Quicktime 7.55 two weeks ago. So right on schedule Quicktime 7.6 is out.

Release details here.

Computer Associates blogged over the weekend on increasing attacks on the WordPad zero-day originally reported in December.

In the attack a malicious document is created with the extension .DOC, .RTF or .WRI. You must manually open the document for the attack to take place. If Office is installed, .DOC files will likely open in Microsoft Word, which is not vulnerable. However, .WRI files will likely still open in WordPad.

Microsoft reports that this issue does not affect Windows XP Service Pack 3 or Windows Vista. Really, you should have that installed by now. To obtain this update go to http://update.microsoft.com.

Beginning yesterday, AIM 6.8 clients couldn't log in through Symantec IM Manager. This was caused by a change in AOL's SSL certificate for kdc.uas.aol.com; IM Manager could no longer validate the cert. IM Manager is an enterprise IM security and logging product.

A workaround is posted on the IM Manager knowledgebase.

I've added Kevin Lam's blog at Impacta to the list of blogs I regularly follow. In a recent entry, he blogs that he's been seeing companies use the same company that designed their website to perform their web pen test.

I think it is possible for a company to be great at both things. But you'd have to trust them an awful lot to believe you were getting a fair deal. In this instance, the part that jumped out at me more was their "pentest" basically consisted of running some vulnerability scanners. His scan on the other hand used custom tools they developed and manual techniques.

I'm reminded of something Dave Aitel posted recently on the Daily Dave. That is some cool detail a consultant running the standard vuln scanner just isn't going to know.

The funny thing is the original company performing the vulnscan fulfilled their mission. They checked a PCI checkbox, and missed a handful of SQL injection, XSS and blatant configuration issues.

CheckFree Attack

| No Comments | No TrackBacks

Brian Krebs reports on an attack on CheckFree in today's Security Fix blog.

It looks like someone used phishing to get credentials for their Network Solutions account. Brian says "This may seem like a logical stretch, and perhaps it is." I don't know about that. If they just phished the email address in the whois record they would probably get the right person.

Once they had the login credentials it was a quick update to change the authoritative DNS servers and redirect users to a malicious server.

Avivah Litan, a fraud analyst with Gartner, seems to think that other (unnamed) security mechanisms should be in place besides username and password. "If all that's protecting a bank's Web site is a user name and password, that's kind of like having a massive vulnerability in the core of the Internet."

I'm not sure the solution is some call back mechanism where NetSol verifies the change request. Why is a user name and password supposed to be good enough to protect my stuff but not theirs?

I noticed that as of this morning CheckFree.com now shows clientUpdateProhibited in the whois record. I don't know enough about that to know if it's a solution. The RFC says it means "ignore all updates except to turn off clientUpdateProhibited". That doesn't sound like much defense.

While it is a reactive defense, it doesn't cost much to monitor your domains so you are alerted about DNS errors and changes.
Also if Network Solutions had emailed a change alert to the address of record this could have been caught earlier as well.
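A baseline-and-diff monitor of the kind suggested above, as an added example (not from the post): it alerts on changed name servers, addresses or registrar status codes and on a missing lock. The lookup is injected so it runs offline on constructed records; clientTransferProhibited is the companion EPP lock to clientUpdateProhibited and is assumed here as the second required status.

```python
"""Baseline-and-diff monitor for a domain's delegation and registrar lock.

Added example, not from the post. It records what a domain should look like
(name servers, addresses, EPP status codes from whois) and alerts when the
live answer drifts, which is how a registrar-side change of name servers
would surface within one polling interval. The lookup is injected so this
runs offline on constructed records; in production it would query DNS and
the registrar. clientTransferProhibited is assumed as the companion EPP
lock to clientUpdateProhibited; since a lock can itself be removed, its
disappearance is alerted on too.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainState:
    nameservers: frozenset
    addresses: frozenset
    statuses: frozenset          # EPP status codes as shown in whois


REQUIRED_LOCKS = frozenset({"clientUpdateProhibited", "clientTransferProhibited"})


def lock_gaps(state):
    """Registrar locks that should be set but are not."""
    return sorted(REQUIRED_LOCKS - state.statuses)


def diff_state(baseline, current):
    """Human-readable alerts for anything that changed since the baseline."""
    alerts = []
    for field in ("nameservers", "addresses", "statuses"):
        before, after = getattr(baseline, field), getattr(current, field)
        if before != after:
            alerts.append(f"{field} changed: {sorted(before)} -> {sorted(after)}")
    for lock in lock_gaps(current):
        alerts.append(f"registrar lock missing: {lock}")
    return alerts


def check_domain(domain, baseline, lookup):
    """lookup(domain) returns the live DomainState; any alert deserves a human look."""
    return diff_state(baseline, lookup(domain))


# Constructed records standing in for DNS answers and whois output.
BASELINE = DomainState(
    nameservers=frozenset({"ns1.example.invalid", "ns2.example.invalid"}),
    addresses=frozenset({"203.0.113.20"}),
    statuses=frozenset({"clientTransferProhibited"}),           # update lock not yet set
)
REDIRECTED = DomainState(
    nameservers=frozenset({"ns1.unrelated-host.invalid"}),     # delegation moved at the registrar
    addresses=frozenset({"198.51.100.7"}),
    statuses=frozenset({"clientTransferProhibited"}),
)
LOCKED = DomainState(BASELINE.nameservers, BASELINE.addresses,
                     frozenset({"clientTransferProhibited", "clientUpdateProhibited"}))
ANSWERS = {"payments.example.invalid": REDIRECTED}


def fake_lookup(domain):
    """Offline stand-in for a resolver plus whois client."""
    return ANSWERS.get(domain, BASELINE)


if __name__ == "__main__":
    for alert in check_domain("payments.example.invalid", BASELINE, fake_lookup):
        print("ALERT:", alert)
```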

To me the bottom line is personnel need to be trained not to fall for phishing attacks.

Blackberry and S/MIME part 2

| No Comments | No TrackBacks

Back in June I wrote about the Blackberry and S/MIME.

There was a BES upgrade that fixed the "an unexpected error has occurred" message. We still can't open attachments on signed or encrypted emails. To me this is a trivial thing, but to the management this is a horrible, horrible thing.

The 4.5 software has been released by some vendors on some models. As expected phones with this software didn't have the problem with attachments. Although Verizon has not yet released the 4.5 software for the 8830, I downloaded a rogue copy and installed it. It resolved the attachment problem. Unfortunately for me although SecurID for Blackberry was supposed to work on this build, I can't get it to work.

None of this actually helps. Waiting for Verizon to release 4.5 is like waiting for Godot.

Secunia announced via their blog that Secunia Personal Software Inspector 1.0 is available.

Secunia PSI is installed on over 750k computers and has been in beta for more than a year.

You should be using a product like this to alert you to vulnerable third party applications on your Windows computer.

Cox SMTP / SSL

| No Comments | No TrackBacks

Cox has enabled SMTP over SSL and apparently is now allowing authenticated SMTP email from outside the Cox network.

Instructions are here.

It's a simple matter of changing the outgoing server port to 465 and checking the "use SSL" box. Additionally you need to enable authentication for SMTP (same credentials as POP3). Even from the Cox network, you must use authentication to send on port 465.

I don't really use the Cox email accounts for much. I primarily use my personal domains or my gmail account. While I'm not interested in sending Cox email while off network, I do like keeping the first hop of the message's journey encrypted. It would be nice if they offered opportunistic SSL/TLS in addition to offering customers the chance to use SSL/TLS.

I wonder if they plan to implement DKIM now that Cox has provided the opportunity for customers to send email through Cox servers even when they are off network.

Installshield Updates

| No Comments | No TrackBacks

The vulnerability scan has been reporting vulnerabilities in the Installshield Update Service. This update service is bundled by some third party products. The first several times I looked at how to patch this all I could find was documents saying to wait for the original application that bundled Installshield Updater to update. That obviously wasn't acceptable. At that time I didn't even know which application put this on the system.

The first vulnerability was Macrovision InstallShield Update Service Multiple Insecure Methods, CVE-2007-5660. The vulnerability here was in the ActiveX control of the update service (isusweb.dll). I deployed ActiveX kill bits as a preventive measure, but I kept looking for a patch.

Next there was a vulnerability in InstallShield Flexnet Connect ActiveX. CVE-2008-2470.

I was able to look at the computers reporting the vulnerability and I found in most cases a database.ini file that indicated the GUID of the software package to be updated by FlexNet Connect. It appeared to be Roxio CD/DVD burning software circa 2006.

More searching revealed that Roxio has published a KB for this here with a link to a security update.

I tested out the update and it looks like with a /v"/qb" switch I can deploy this pretty easily.

Secunia Personal Software Inspector reported a vulnerable version of Adobe Flash on my home computer.

It detected C:\Program Files\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll as version 9.0.124. Security bulletin APSB08-20 reports this is a vulnerable version.

I installed Adobe Reader 9 last week. I guess I forgot to get the AIR free version from ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.0/enu/AdbeRdr90_en_US_Std.exe. AIR it seems has an old version of Flash, I'm not quite sure how to upgrade that. Since I didn't want AIR in the first place I'm uninstalling it.

Update 11/17/2008: Adobe has now updated AIR.

Adobe Exploit in the wild

| No Comments | No TrackBacks

Exploit code has been seen in the wild for the vulnerability patched by version 8.1.3 for Adobe Reader and Acrobat.

http://www.us-cert.gov/current/index.html#adobe_reader_exploit_circulating
https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&thread.id=176
http://feeds.feedburner.com/~r/zdnet/security/~3/445697063/
http://isc.sans.org/diary.php?storyid=5312&rss

Adobe has released 8.1.3 to resolve multiple security issues in Adobe Acrobat and Reader 8.1.2 and earlier.

Metasploit exploit for MS08-067

| 2 Comments | No TrackBacks

An exploit for MS08-067 is now available for Metasploit.

While up to now exploitation of MS08-067 has been considered minor, this does lower the bar somewhat.

Bad timing here: I just got the people at work who have installed VLC media player to update to 0.9.4. So of course they have released Security Advisory 0809.

The fix isn't out quite yet, but if you use it, keep an eye out for the update.

This week Steve Riley of Microsoft wrote that "customers have asked for a way to configure a computer to automatically disable the wireless NIC when Ethernet is in use." Nevertheless, this will not be a feature in Windows 7, the next version of Windows.

Steve writes that this is only a security issue if the user is logged on as administrator and the two networks are routed. Since Windows connection bridging isn't on by default, this is not an issue in his opinion. Of course no one would ever log on as an administrator.

When users are connected to both wired and wireless networks, they can experience network problems.

When computers are constantly looking for ad hoc connections (or alerting you to connection opportunities) it just doesn't give you that strong secure feeling, no matter what Steve says.

I will admit that absent a knowledgeable attacker a context aware personal firewall can effectively stop attacks of this sort.

Based on another blog post of Steve's I'm wondering if he's switched sides and now believes in default allow but secure it. I still believe in least privilege. Can anything good come from allowing wireless connections when Ethernet connected? I don't think so. Can anything bad occur when you disable wireless when Ethernet connected? There are some unforeseen consequences. Users with VMware look like they are Ethernet connected all the time unless they bridge the VMware adapters. Also it adds a bit of complexity, but that is a small price to pay.

I find it nice not to have the media writing articles about our computers connecting to the fake AP they set up in the parking lot.

I've always said that with a context aware personal firewall, in many cases a more restrictive firewall mode will go into place when the non-corporate network connection is detected. But does that mean in a perfect world I don't care that both connections are on? Heck no.

Mozy online Backup

| No Comments | No TrackBacks

I've written before about Mozy the online remote backup solution.

Through the end of October, if you sign up and begin using Mozy backup, we both get an extra 512 MB of backup space (this is normally 256 MB).

Your account has 2 GB of backup space for free. This is an easy way to get a bit more. The software is relatively easy to use. Give it a shot so that later you aren't crying about your lost data.

WiFi Security - Not Dead Yet

| No Comments | No TrackBacks

Elcomsoft put out a press release about a new version of their password recovery software that cracks WPA/WPA2. I thought even this was old news. I thought I read months ago that Elcomsoft was doing that. Must have been the beta version.

What's going on here is not a huge leap forward. This is merely cracking pre-shared keys as cowpatty has done for years. This just makes it faster.

If you're already following standard security practice, nothing needs to change. Don't use WPA-PSK to protect access to a corporate network. At home, you probably are not running FreeRADIUS and are stuck with WPA-PSK. Use long and complex keys, and change them periodically.

Robert Graham has a nice debunking blog entry.

GPUs make password bruteforcing easier. However as I've found in bruteforcing domain passwords, using a strong password is still a good defense.

MessageLabs has released their Intelligence Report for September 2008. A press release summarizing the report is here. The full report is here.

The CraigsList Bank Robber

| No Comments | No TrackBacks

Did you hear about the bank robber who used Craigslist to select his patsies?

At first I thought it was this post

Bank Robbery Scene being filmed on Oct. 5th in Walpole, MA. for an action-comedy independent film. Want to be part of an exciting slam-bang scene? Please email with your headshot. No experience needed. Extras sought for background scenes. No pay, but coffee, donuts, and meals will be served.

But no, this robber arranged for a group of people to wear what he was wearing and gather outside the bank he robbed. Then he made his escape in an inner tube via a nearby river. Hilarious.

Firefox 3.0.2

| No Comments | No TrackBacks

Firefox 3.0.2 is out with 5 associated security vulnerabilities.

MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-40 Forced mouse drag

I've found some of the computers here don't have Security update 1 for Adobe Reader 8.1.2. There are two different causes.

In case 1, Adobe Reader 8.1.2 is installed but not actually listed in Add/Remove Programs. Because of the way our patch advertisement is written, the computer does not get patched.

In case 2, the security update is listed in Add/Remove programs but annots.api is not updated.

In case 1, depending on how you query the inventory you don't know you have vulnerable computers. In case 2 you think you are patched but you actually are not. Adobe sure makes things interesting.
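An added example (not Adobe's, the blog author's, or any patch tool's code) of checking one computer for both failure cases: it compares what Add/Remove Programs claims against what is actually on disk. It assumes the default 32-bit Reader 8 install path, that the update registers an Uninstall entry whose display name contains "Security Update", and that $MinAnnotsVersion is filled in from a known-good patched machine (placeholder below).

```powershell
# Added example: verify Adobe Reader 8.1.2 Security Update 1 from two
# independent signals, so neither failure case above goes unnoticed.
# Assumptions: default 32-bit install path; the update's Add/Remove entry
# has "Security Update" in its DisplayName; $MinAnnotsVersion is the
# Annots.api file version copied from a known-good patched machine.

$readerDir        = 'C:\Program Files\Adobe\Reader 8.0\Reader'
$annotsPath       = Join-Path $readerDir 'plug_ins\Annots.api'
$MinAnnotsVersion = [Version]'0.0.0.0'   # PLACEHOLDER: set from a patched reference machine
$uninstallKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# Signal 1: what Add/Remove Programs (the Uninstall key) claims.
$products = Get-ChildItem $uninstallKey |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.DisplayName -like 'Adobe Reader 8*' }
$readerListed = @($products).Count -gt 0
$updateListed = @($products | Where-Object { $_.DisplayName -like '*Security Update*' }).Count -gt 0

# Signal 2: what is actually on disk. Build the version from the numeric
# parts so odd vendor version strings cannot break the comparison.
$readerOnDisk  = Test-Path (Join-Path $readerDir 'AcroRd32.exe')
$annotsVersion = $null
if (Test-Path $annotsPath) {
    $vi = (Get-Item $annotsPath).VersionInfo
    $annotsVersion = New-Object -TypeName Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}
$annotsPatched = ($annotsVersion -ne $null) -and ($annotsVersion -ge $MinAnnotsVersion)

# Classify. Case 1 is the inventory blind spot; case 2 is the false "patched".
if ($readerOnDisk -and -not $readerListed) {
    "Case 1: Reader 8 is on disk but not listed in Add/Remove Programs"
} elseif ($updateListed -and -not $annotsPatched) {
    "Case 2: Security Update 1 is listed but Annots.api is still $annotsVersion"
} elseif ($readerOnDisk -and -not $annotsPatched) {
    "Vulnerable: Reader 8 present, Security Update 1 not applied"
} elseif ($readerOnDisk) {
    "Patched: Annots.api is $annotsVersion"
} else {
    "Adobe Reader 8 not installed"
}
```

Running this through the patch system on each client, rather than trusting the Add/Remove inventory alone, is what turns both cases into a single reportable state.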

Dont Make Eye Contact

| No Comments | No TrackBacks

Columbia Journalism Review's Megan Garber advises her fellow reporters how to get past security checkpoints at the political conventions.

Basically, she writes, it comes down to acting like an important person. Don't make eye contact (you're too important to acknowledge the littles), walk quickly (you've got somewhere to be), have a badge on you but not easily visible (turn it over so your low rank isn't easily given away).

Interesting but nothing new there.

Earlier this week I was discussing password resets with one of my co-workers. Common password reset questions are discoverable, guessable or disclosed on your social networking site.

Mother's Maiden Name - public record
Street you grew up on - findable.
Place of Birth - discoverable
Name of Pet - guessable (top list of pet names on Internet, or just check their facebook)

Users "improve" on security by putting something else there. They've effectively created a second password when they couldn't remember the first. Now it's likely they'll forget both.

In a discussion of users at a non-security forum where I'm a member, one user reports "I just have stock answers for all of those things. My favorite movie? movie. My favorite actor? actor."

Here's another person's response:

It drives me nuts. Stupid questions like the "favorite" stuff - what am I five years old? I don't have a f&*(&*ng favorite color you stupid POS website!!! And then there's the "What street did you grow up on?" "What was your Math teacher's name?" "What is your childhood pet's name?" ********. I'd moved six times by the time I got to high school. I didn't grow up on ONE street, nor did I have a SINGLE math teacher and I didn't have a pet growing up!!! All these questions are so retarded. And frequently they make you choose a whole bunch of them...

Then there is the problem that most of these systems are looking for exact answers. So New York, NY is not New York, New York. The system that was supposed to prevent password reset calls is generating more calls.

While reading on ITWorld.com I ran across a different approach to password reset.
I-forgot-my-password.com is a password reset system based on likes and dislikes. Given a list of items you choose 16 things you like or dislike. It doesn't need to be an emphatic like or dislike. They feel that studies show that you won't have to remember anything. When it comes time to reset your password, you will naturally select the same items.

I watched a video of the researcher's presentation at Google.

I think the key questions are does it scale and does it protect against the right sort of attacks. It takes longer to register. I can't imagine doing that every time I have to sign up for an account at a new site.

I think it fails a couple of tests
1. If I register for this form of password reset on my bank site and then on a phishing or otherwise bad-actor site, then the bad guy has the same answers as for the valid site.
2. It fails the psycho ex-girlfriend test. She may know you well enough to pass the test.

Interesting work on a real problem. Check out the video link.

iPhone password bypass

| 2 Comments | No TrackBacks

Caught up with this one via Digg

Earlier this week Jesus Diaz posted on Gizmodo how to bypass the iPhone login pin/password protection.

It's kind of funny that the typical comment response to that article is "who uses a password on their phone anyway." My opinion is more with the commenter who pointed out that "whether the typical user used a password or not if this was a Microsoft vuln the reaction would be different."

It is serious. Apple is trying to position themselves as the new Blackberry, not just from the functionality and the coolness, but also the security. They need business customers, otherwise they wouldn't be licensing ActiveSync. No business that values its data is going to put the data on a phone that doesn't have encryption (iPhone doesn't) and doesn't even have an effective login password.

The article says that rumor is this will be fixed in the next iPhone firmware update. With the Blackberry I'm pretty sure you could push out required updates wirelessly (not positive, I'm not a Blackberry admin). With the iPhone you have to ask your users to sync with iTunes (not an iPhone admin either, but that's my understanding).

A night on the town

| No Comments | No TrackBacks

Last night, I went to a Fishnet Security event. Fishnet is a nationally focused information security solutions provider.

The featured speaker was Suzanne Hall, CIO of the Washington Nationals and Lerner Enterprises. She has had some interesting experiences. Opening Nationals Park. Having the Pope at Nationals Park. (talk about security!)

The topic of her talk was moving CSO to CIO, but it was really relevant to anyone that has to sell their projects to C-level people.

The regulatory approach (FISMA, PCI, HIPAA, SOX, GLB says we have to) only goes so far. Meeting regulations is really the bare minimum. It's not about Return on Investment. Security protects your ability to generate revenue; it does not generate revenue itself. FUD ("The sky is falling", also known as Fear, Uncertainty and Doubt) doesn't work any more. The sky already fell and we're still here. Risk based approaches are great. Suzanne, working for a private company, doesn't have regulations to blame for needing this security stuff. Instead she appeals to "Core Values". To me that puts a much more positive spin on it. Imagine that, doing the right thing. Appealing to that wouldn't have worked at Enron, but at companies where the motto is more than just something on the corporate letterhead, it has some promise.

After the featured presentation we heard from some sponsoring vendors.
Bradford Networks spoke about NAC.

Crossbeam is a virtualization/consolidation solution that uses blade systems and works with security companies so you have one platform that could house your firewall, URL filtering, gateway antivirus, IDS, etc. Currently many datacenters have an overabundance of appliances. And if the network grows the solution is to add another appliance. If you're running out of space or running out of power then that might be an interesting solution.

Secure Computing presented and I spoke with one of their people for a bit. Since I first heard of them in the HTTP area that is how I think of them. They feel they have a great application layer firewall.

I also spoke with a rep from Varonis. They make a really interesting product to report on access to file shares. Many years ago I had looked for this exact feature set, couldn't find it and cobbled something together using an Access database and dumpsec exports of permissions. It would be good to replace that homebrew with something a little more solid. Additionally Varonis will be adding support for Sharepoint next year.

WebEX Meeting Manager Exploits

| 1 Comment | No TrackBacks

A couple weeks ago a patch came out for WebEx Meeting Manager for Internet Explorer. Symantec's Security Response Blog is reporting sightings of exploits for this vulnerability in the wild.

Users running the vulnerable version of the Webex control who happened upon a Web site distributing the exploit would become infected. The first exploits that we have seen so far have been served via gaming sites that have had the exploit package injected on to them

Computers will be patched automatically if they connect to a patched WebEx server. Otherwise you can install WebEx Meeting Manager from the WebEx website or just uninstall via Add/Remove Programs in the Control Panel.

Greg Playle's article "The Seven Week Get Healthy Plan for Small Business" in this month's ISSA Journal (ISSA Membership Required) outlines 7 security steps for small businesses to consider.

One of my friends recently received a telephone call from his doctor asking if he had an appointment. An upgrade of the appointment system had gone south and they were reconstructing the appointment book by calling all patients and asking them if they had an appointment. Whoever is handling the IT duties at these small businesses apparently doesn't know to take a backup before starting an upgrade.

I've wondered many times just what the Mortgage guy or my Dentist is doing to protect my personal information. I feel like I don't know them well enough to give them this article; at the same time, as a customer, don't I have the right to be proactive in making sure my data is protected?

There are a couple of errors in the article. The first I hope was an editor's mistake. While describing how to gather the physical address to use to whitelist what servers are allowed on the wireless network, the example given is an IP address.

The bigger problem is that the author has apparently not read George Ou's Wireless Security Myths that Will Not Die. If the author had read that he would not be making some of the wireless security recommendations that he makes.

Do not broadcast the Service Set IDentifier (SSID). Kismet will reveal hidden SSIDs. Not broadcasting it doesn't gain you much except against the casual browser. The casual browser is already stopped by your use of WPA2.

Worse yet, your client computers will now have to probe for that network everywhere you go.
See also Josh Wright's article Issues with SSID Cloaking.

PCI 1.2 no longer requires the disabling of SSID broadcast. The message is starting to get out.

Turn on Wireless Security to at least 128 bit WEP
You're only buying time by using 128 bit WEP over 64 bit. As the retailers have learned, NEVER USE WEP if you have something to protect. Since this article assumes you need to protect the small business, I think the recommendation needs to be a bit stronger. I think even WPA-PSK is suspect for a work environment.

It seems like some of the things suggested are belt and suspenders solutions. Others are more like belt and Hawaiian shirt. The belt is doing the work, the shirt is just there for looks. If you have WPA2 do you really need DHCP reservations and MAC address filtering? If they break your encryption are those things really going to help? Probably not.

The article over all is good. The experience of finding wide open wireless at a small business is far too common. This article will help.

Gmail HTTPS enhancements

| No Comments | No TrackBacks

Robert Graham writes in Errata Security that "Google recently made a change that allowed you to configure your Gmail account to force SSL."

In Gmail click on Settings. On the General Tab under Browser Connection select Always Use HTTPS. Without this I believe the behavior is SSL during login only, which has been shown to not protect an authentication cookie.

Google Help warns that you'll need a patch for Google Notifier and it may break mobile applications that check Gmail.

The Washington Post's weekly traffic column has an article on a couple who received a ticket from photo radar for driving 100 MPH in their Toyota Echo. Photo radar tickets are supposed to be reviewed before being issued. Given the street, car and time of day, it's hard to imagine this one passing the laugh test.

Upon review prompted by the Washington Post, it was reported that the traffic camera issues "exceptional" speed tickets of zero or 100 to indicate to the ticket reviewer that there is a problem with the camera.

There has to be a better diagnostic alert.

Knowing What you Have

| No Comments | No TrackBacks

In the year that has passed since the I-30 bridge collapse in Minneapolis, inspectors have struggled to double-check every bridge that had the same steel deck truss design.

The Federal government had a National Bridge database using data compiled from the states which showed 756 bridges of that structure. MSNBC reports that as inspectors began their process they found that 280 of those bridges weren't of that design at all.

Some of the bridges had been torn down years ago. Others were misclassified and were actually privately owned (not subject to inspection). A pedestrian bridge made the list, as did 13 bridges using wood timbers.

With the data so faulty, how many bridges of this design were miscategorized and thus not given the emergency re-inspection?

Obviously the same holds true in the world of computers. The old adage "you can't patch what you don't know you have" is still true. You can't even watch out for vulnerabilities in things you don't know you have.

GPU Password Cracking

| 1 Comment | No TrackBacks

Last October, much ink was spilled regarding GPU password cracking. With GPU password cracking, the work is offloaded to the video card's Graphics Processing Unit. Due to the nature of the GPU, password cracking can occur at speeds previously only seen by people with a lot of computers working together.

Recently InsidePro, makers of SamInside, released the Extreme GPU Bruteforcer. I love SamInside so I had work buy a GeForce 8800 GT video card and a copy of Extreme GPU Bruteforcer.

There were a couple of false starts. Not being much of a hardware guy, I made the mistake of not considering the power needs of a high end card. I upgraded my power supply, installed the new video card and began cracking.

Previously bruteforcing on my computer chugged along at 6.6 million passwords per second. With the new setup, I'm checking NTLM passwords at approximately 324.75 million passwords per second. If my math is correct, that means for an 8 character password that could have uppers, lowers or numbers, it would now take almost 8 days instead of taking 382 days. Not bad for less than $300 including the new power supply.
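The arithmetic behind those figures, worked through here as an added check (not part of the original post): the keyspace for 8 characters drawn from 26 uppers, 26 lowers and 10 digits, divided by each rate.

$$
\begin{aligned}
N &= (26 + 26 + 10)^8 = 62^8 \approx 2.18 \times 10^{14} \\
t_{\text{CPU}} &= \frac{2.18 \times 10^{14}}{6.6 \times 10^{6}\ \text{s}^{-1}} \approx 3.31 \times 10^{7}\ \text{s} \approx 383\ \text{days} \\
t_{\text{GPU}} &= \frac{2.18 \times 10^{14}}{324.75 \times 10^{6}\ \text{s}^{-1}} \approx 6.72 \times 10^{5}\ \text{s} \approx 7.8\ \text{days}
\end{aligned}
$$

These are the times to exhaust the whole keyspace; on average a password falls about halfway through, so the expected times are roughly half of each figure.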

Happy Sysadmin Day

| No Comments | No TrackBacks

Happy sysadmin's day.
As usual I'm not in the office on sysadmin day (the last Friday in July). I can only assume the guys that are in today are being showered with gifts.

DNS Inkblot test

| No Comments | No TrackBacks

So Donna thinks that PC World is a victim of DNS Cache Poisoning.

What is the attack here? pcworld.com DNS resolves to 70.42.185.10 which according to an IPWHOIS is their IP address.

So what if removespyware.ru resolves to the same address. Unless they can modify the routing, I don't see what they've accomplished other than getting Donna to add the IP to the Outpost firewall blacklist while invoking the name Dan Kaminsky.

If a site "malware.r.us" has a reputation for serving malware, and they change their DNS to resolve that URL to my website, why should my website be blocked? The biggest security problem here is the denial of service instigated by the Outpost personal firewall against an innocent website.

I guess when you're looking for a DNS cache poisoning attack, everything looks like a DNS cache poisoning attack.

I've seen more than a handful of snarky posts linking results from http://www.doxpara.com's DNS tester and complaining that their ISP is still vulnerable to DNS attack mere days after the patches were released.

The Verizon Business Security Blog has some good comments and reports they have recommended to their customers to patch within 30 days.

Birthday Attack

| No Comments | No TrackBacks

No, not this one. I'm just falling into the classic blog trap of making a cutesy title rather than a descriptive one.

I've been thinking a bit about birthdates and identity theft. What is it they're going to do with my birthdate? I don't know but apparently I'm supposed to be afraid of anyone having data about me (watch out for Google) even if the data isn't personally identifying.

Sophos reported yesterday a bug in a beta version of Facebook (since fixed). It would display the date of birth even when it was marked as private.

You've all heard of the "trade your password for a chocolate bar" test. Apparently many people are failing the "trade your date of birth for a scoop of ice cream at Baskin-Robbins" test.

I guess I'd rather have my friends wish me happy birthday on the right day. I'd rather not have to remember which day my fake birthday is so I can get my free scoop of ice cream. I'd rather not get busted for phony documents because I need an ID with my fake birthday on it to get a free meal (with the purchase of a second meal) at Texas de Brazil (coupon required).

Firefox 2.0.16 and 3.0.1 are out to fix the following security vulnerabilities.

MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
MFSA 2008-34 Remote code execution by overflowing CSS reference counter

UPDATE - looks like 3.0.1 isn't out just yet. Keep your eyes open for it. http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

Secunia PSI has been alerting on a vulnerable version of zlib.dll in many of my applications on my home computer. In a security writeup from July 2005, Secunia reports

a vulnerability in zlib, which can be exploited by malicious people to cause a DoS (Denial of Service) against a vulnerable application.

The vulnerability has been reported in version 1.2.2. Prior versions may also be affected

This doesn't bother me so much when it is detected in old versions of Taxcut installed on the computer, but when it is reported in Wireshark 1.0.1 (not sure if this is fixed in Wireshark 1.0.2) and the latest version of iTunes, I wonder what the deal is.

UPDATE - See the comments, this is actually fixed in Wireshark in spite of the Secunia detection.

I renamed the old dll and replaced it with the latest version from http://www.zlib.net/. Secunia is happy, and it didn't seem to cause any issues with the applications.

Symantec has added device control in Symantec Endpoint Protection 11 (SEP11) MR2. This can be used to disable wireless cards when connected to a wired connection.

Symantec has a KB article that explains "How to block all Wireless traffic when an Ethernet interface is active using Symantec Endpoint Protection 11.x"

Unfortunately it is not possible to disable all wireless cards automatically. Each wireless card has a device ID. You need to determine the device IDs to block. For me, I went into SMS to determine how many different wireless adapters are in use in the enterprise. Next, I used SMS to find online computers with each make/model of card. I followed the instructions in the Symantec KB to gather the device ID from the registry and add them to the block list. You'll have to ask the helpdesk to let you know when new wireless cards start showing up. (occasionally check SMS to double-check).
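One way to gather those device IDs in bulk, as an added example that is not the Symantec KB's own procedure: query WMI on each computer found in inventory and strip the per-machine instance suffix so only the make/model portion is left. It assumes wireless NICs can be recognised by their adapter name, that SEP matches on the hardware ID prefix (the PNPDeviceID without its instance suffix), and that the caller can reach the targets over WMI.

```powershell
# Added example, not the Symantec KB's own procedure: list the Plug and Play
# IDs of wireless adapters on one or more computers so the make/model IDs can
# be put on the SEP 11 device-control block list.
# Assumptions: wireless NICs can be recognised by their adapter name, SEP
# matches on the hardware ID (the PNPDeviceID with the per-computer instance
# suffix removed), and the caller can reach the targets over WMI.

param(
    [string[]]$ComputerName = @('.')   # e.g. the list exported from an SMS inventory query
)

# Name fragments that usually mark an 802.11 adapter (assumption; extend the
# pattern if the helpdesk reports a card this misses).
$wirelessPattern = 'Wireless|Wi-?Fi|802\.11|WLAN'

foreach ($computer in $ComputerName) {
    $adapters = Get-WmiObject -Class Win32_NetworkAdapter -ComputerName $computer |
        Where-Object { $_.PNPDeviceID -and ($_.Name -match $wirelessPattern) }

    foreach ($adapter in $adapters) {
        # A PNPDeviceID looks like (constructed sample)
        #   PCI\VEN_1234&DEV_5678&SUBSYS_9ABC1234&REV_01\4&1a2b3c4d&0&00E0
        # Everything before the last backslash is the hardware ID that every
        # computer with the same card shares; the part after it is the
        # per-machine instance, which is useless for a block list.
        $cut = $adapter.PNPDeviceID.LastIndexOf('\')
        $hardwareId = if ($cut -gt 0) { $adapter.PNPDeviceID.Substring(0, $cut) } else { $adapter.PNPDeviceID }

        $adapter | Select-Object `
            @{ Name = 'Computer';   Expression = { $computer } },
            @{ Name = 'Adapter';    Expression = { $_.Name } },
            @{ Name = 'HardwareId'; Expression = { $hardwareId } },
            @{ Name = 'InstanceId'; Expression = { $_.PNPDeviceID } }
    }
}
```

Pipe the output through Export-Csv and group by HardwareId to see how many distinct cards are actually in use before typing them into the block list.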

My biggest problem was that their KB described two locations - wired and wireless. That is the most vanilla configuration possible and it assumes you don't have any other firewall profiles. Most people I suspect are going to already have location profiles set up for their firewall rules. I already had CorporateLAN, VPN and External configured. To integrate this KB into my existing rules, I set up locations CorpLan-Ethernet, CorpLan-Wifi, VPN, External-Ethernet, External-wifi and default.

So far it's working great in testing, and I plan to roll this out to a larger group of testers after I make a couple of changes. It is really exciting to be on the cusp of solving a security issue that has been lingering for years, that is the problem of wireless cards looking to make a connection even as the wired card is active on our corporate LAN.

Domain Renewals

| 1 Comment | No TrackBacks

Today I went to check something on the condo association website and found the page was filled with ads. No, they weren't the latest SQL injection victim. They let their domain expire. If you have domains, you better make sure that you know when they expire so that doesn't happen to you.

If you do web design and you aren't offering full service for the non-technical, make sure you don't just set up the page and run. Your customers need to have the passwords to make changes, and they need to know when renewals are due.

Fortunately for the condo association, they didn't have that domain on all their stationery. Because they did a poor job of promoting the site in general, it will be easy to start over with a new domain name. Imagine if that happened to your business domain name.

The latest Symantec IM Manager includes support for AIM 6.8. This is kind of a big change because previously there was no way to support AIM clients that required SSL logins.

AIM has provided a method whereby we register our domain names with AOL, so when the AIM 6.8 client attempts to log in, AOL directs the client to our internal IM Manager server. As part of setting this up I purchased an SSL cert for my IM Manager server. The client connects using our certificate, therefore the IM Manager server is still able to apply security and perform logging as appropriate.

This support is not retroactive to AIM Pro clients. In fact, I'm told that although this was originally designed for AIM 6.5 as well, AOL made some changes that aced out that client.

I'm not sure I trust AOL not to make major changes again and leave AIM 6.8 installs in the cold. But it is better than being stuck with incredibly old versions of AIM.

Is there an ethical and legal issue here as well? While users are advised that this is our network and our computers, might they argue that they have a reasonable expectation of privacy since AIM is using SSL?

FDCC Major Update 1

| 2 Comments | No TrackBacks

Last week NIST released Federal Desktop Core Configuration settings Major Update 1.

40 settings have changed.

I think it's one of those immutable laws of security: The day you finish patching a product, a new patch will be released. Perhaps it just seems that way because of Quicktime.

We just sent out notices last week for our users running Adobe Acrobat (not Reader) to update. While I deploy Adobe Reader updates since it's part of the default install, users have installed Adobe Acrobat on their own, thus they need to patch. Left to their own devices many were found to still be running 7.0 or worse yet 6, or worse yet 5.

Since we've made good progress, it only makes sense that anyone running 8.1.2 will need to update again.

From the adobe bulletin:

A critical vulnerability has been identified in Adobe Reader and Acrobat 8.1.2. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Acrobat 8 and Adobe Reader install the 8.1.2 Security Update 1 patch.

Fortunately 7.1.0 users are already cool.

Quicktime 7.5

| No Comments | No TrackBacks

Quicktime 7.5 has been released.

Apple's description of the security fixes contained in this update is found here.

The Quicktime download and the iTunes with Quicktime download are available here.

CISSP Renewed

| 2 Comments | No TrackBacks

It's hard to believe that three years have passed since I got my CISSP certification. It's renewal time. I sent off my annual payment to ISC2 and I'm well past the minimum required Continuing Professional Education credits (CPEs).

Here's a link to an interesting blog entry, Do you Still Value your CISSP. I love the opening story.

Flash still not patched

| 2 Comments | No TrackBacks

Ryan Naraine took at look at the Google Analytics for a couple sites and notes that those visitors aren't patching their flash.

I'm seeing the same types of thing he's seeing when I look in the Google Analytics report for www.infosecblog.org.

Nearly 30% report that they are running unpatched Flash 9.0 r115.

You'd think if you were at a security blog, reading about Flash updates, that you might want to check if your Flash is up to date.

I'm a little surprised to hear people say that Adobe doesn't have a Flash update mechanism. Until I killed the updater in our environment, users were prompted to update if one was available at the time they accessed a Flash applet.

At Shmoocon, one of the sessions discussed passive vulnerability fingerprinting like this. If you don't have the ability to do authenticated scans on your network, look for opportunities like this to gather version information from the logs.

Implementing Verisign PKI

| No Comments | No TrackBacks

The past couple of weeks I've been working on implementing a PKI solution from Verisign.

It's been a long road. It's been a couple of years at least since I first started working on PKI implementation products. The purchase was delayed a couple of times. Then the implementation was delayed. Once we got to doing the implementation, it was rather straightforward. I'm happy with the way things are going, and I'll be happier as we get the product deployed to larger test groups.

There are a couple of things we still need to work out:
1. I've got a couple of users who could enroll for the encryption certificate, and it was escrowed correctly, but there was a cipher issue and the certificate couldn't be added to the browser.
2. The last two Mondays I've found the Luna SA (an HSM) was not bound to Active Directory. I'm still gathering information on this. I think when the domain controller reboots, the Luna fails to rebind on its own, but I need to verify this.
3. On the RA, if I do a service verification (-sV) nmap scan on its port (2003/TCP), the memory spirals out of control. Multiple scans will crash it. That issue will hopefully be fixed in the next version. For now, I'm just going to have to avoid scanning that port.
Professional Services said, "[the application] was designed to be deployed in a control setting. The service wasn't designed to be robust."

I really had a problem with that statement. I hope that was an off-the-cuff remark rather than official Verisign position. Internal networks behind a firewall aren't guaranteed to be a pristine environment. I'd like my security related services to assume they are going to be attacked and be able to preserve confidentiality, integrity and availability.

Unfortunately we aren't well segmented internally. Perhaps I should consider using the Windows Firewall so that only devices that need to talk to the server on that port (such as the web server) are able to do so.

I am happy with the implementation. Any issues we've had are being addressed.

I was done in by the Lotus Notes Internet Password hash in R5 today (yeah, it's ancient).

I changed my domain password and used some words wrapped in parentheses like the following (my Blue shoe). Normally this would be a decent password. But at our company passwords are synced from Active Directory to the Lotus Notes Internet password field. In that field in Notes anything inside parentheses is presumed to be encrypted already. So anyone in the company looking in the right place could see my password in plain text!

There were multiple reports today of an unpatched Adobe Flash vulnerability currently being exploited.

Symantec Bugtraq reports that this exploitation is fairly widespread. SQL injection has been used to insert code onto otherwise legitimate websites that results in malware loading to exploit Flash.

Not a lot to be done. You could crawl into the Firefox/NoScript cave. I'd suggest having that as an option, but in general keep the antivirus updated and make sure your Flash is patched so you aren't exploited by old attacks. Buckle your safety belts, it could get bumpy.

UPDATE:
Further reports indicate that this is not a zero-day vulnerability. It is exploiting unpatched versions of Flash. Make sure every browser installed is running the current version of Flash. IE and Mozilla-based browsers use different Flash installs.

Soft Skills

| 1 Comment | 1 TrackBack

On Monday, I went to a Fred Pryor Seminar (I think that used to be called CareerTrack) on Managing Emotions Under Pressure. The instructor, Dee Yoh, has a very interesting story to tell. I wish she had a biography or autobiography available. She is a great presenter and someone who is living the principles taught in the course.

I didn't get a lot of information that was new to me, but what was important was time to think and reflect away from work and other distractions. I also realized how important it is to keep working at managing emotions. Lack of emotional control is an impediment to career success. Successful people are always improving themselves. It's very easy for techs to focus on learning more information rather than learning the soft skills.

Rather than writing one really long blog entry today, I think I'll be following up with more details later.

Safari Carpet Bomb

| No Comments | No TrackBacks

Nitesh Dhanjani has reported to Apple three security issues in Apple Safari.

He has found separate issues that allow an attacker to steal files from your system, and write files to the desktop.

At long last Adobe has released security updates for Adobe Acrobat and Adobe Reader 7.x. Most Adobe Reader users should have updated to 8.1.2 when these vulnerabilities were first announced. Many users of Adobe Acrobat may not have had the funds necessary to purchase an upgrade. 7.1.0 is a critical update that should be applied immediately if you are using a 7.x version. If you are running 8.x, you should be running 8.1.2, released in February. Versions prior to 7 should be considered unmaintained and are not to be used on Internet-connected computers.

The Washington Times reports today that "Some federal air marshals have been denied entry to flights they are assigned to protect when their names matched those on the terrorist no-fly list."

Comcastic SMTP Servers

| No Comments | No TrackBacks

One of our users complained that they did not receive a highly critical piece of email sent from a Comcast user. Other addresses on the recipient list at our company did receive the message.

Checking the logs we see that the recipients on the TO line of the email did not receive the message but recipients that were CCed did receive the message.

One of the mail admins has Comcast, so he logged in and sent himself a couple of test messages. Sure enough, he received an error code 4.1.1. He tried again, this time putting his address as a CC and another address in the TO field. He was able to reproduce the user's problem.

From googling, I see that some users were getting that error message when sending to certain domains back in February. It turned out to be a temporary problem for them. Not sure what that's all about.

Yet Another Quicktime Vuln

| No Comments | No TrackBacks

We've all gotten a chuckle over the drones who would give up their password for a chocolate bar. Are we as security professionals any better? We give up all of our contact information (name, address, phone number, email, company name, job title), information on our company (security initiatives, budget, size, locations), and sometimes even contact information for our co-workers. We give it up for half-baked white papers that may be helpful or may be marketing tripe that will be discarded immediately. We give it up for a one hour webinar that again may be useful or may be worthless. We give it up for a half day seminar that allows us to escape the office temporarily.

It's expected that disclosing this information will result in sales calls. Did you realize that these companies also may be selling your contact information or trading it with other companies? I've been thinking about this since a couple of sales people called, and when told I wasn't interested responded "but you downloaded our whitepaper."

Janis Rose has an article on this in the April 2008 ISSA Journal (membership required). She focuses on the ethical aspect of using disposable email addresses when registering for whitepapers.

When signing up for things online, know that there is no such thing as a free lunch. Even when it's a reputable company, you need to be aware of the potential consequences of disclosing data.

I think companies should include choices for how your data will be used. They shouldn't hide it in the fine print of a privacy policy. When they don't do that, we're forced to use temporary email addresses and phone numbers that go straight to voicemail.

I can hear you now

| No Comments | No TrackBacks

Joshua Wright, author of the SANS Wireless Security course I took recently and presenter of one of the better talks at this year's Shmoocon, has a 5-minute video on Bluetooth phone earpiece hijacking.

As he says in the intro, as states require hands-free devices, more and more people are turning to Bluetooth headsets. But what of the security? See his video below:

Subpoena in a Civil Case

| 2 Comments | No TrackBacks

The SANS ISC Diary has a good write up of the Subpoena in a Civil Case malicious email. Wish I had seen that before investigating the copy our CEO received.

The message is from subpoena@uscourts.com with a From display name of "United States District Court". It says:

YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date, and time specified below.

It has a link to download a document on the matter. The website prompts to install a malicious ActiveX control.

The malware we received doesn't seem to be the same file the ISC is reporting.

Our vulnerability scanner is causing the server backup software we use to crash.
After examining a crash dump, a developer for the backup software replied:

"Looking at the logs, we are getting some corrupted packets and that is causing it to try to allocate huge memory, and that is the reason for the failure.

Does this security scanner corrupt our packets to test some of its features? If yes then they will have to stop it."

While not sending corrupt packets would stop the crashing, I'm not sure a bad guy would be so kind as to respect that request. I also wonder if there is a remote exploit in this defect.

To take it out of the realm of the vulnerability scanner, I used nmap's service fingerprinting option to crash the service. Reviewing the packets with Wireshark shows that nmap with the -sV option set is also sending a malformed packet. The hardest part in reproducing this is that the backup software does not stay on a predictable port.

Vulnerabilities in backup software are frequently targeted. Backup software often runs with full admin or system rights. Exploiting vulnerabilities in backup software can lead to information disclosure or to an attacker fully compromising important servers. SANS lists backup software vulnerabilities in the SANS Top 20.

Quicktime Update Goodness

| No Comments | No TrackBacks

I never thought I'd be happy to see a QuickTime update. A few more of them and I was planning to create an uninstall package for QuickTime, roll it out to the enterprise and remove it from the Ghost load.

It seems that in addition to the eleven fixes in Quicktime 7.4.5, Apple has added some hardening to make further attacks more difficult.

David Maynor in February called for Apple to update QuickTime to take advantage of address space layout randomization, or "ASLR".

ASLR stops exploit code from running because the code can no longer find the addresses it depends on in memory. QuickTime disabled this feature, so its layout is not randomized. Exploits for QuickTime vulnerabilities work because they know precisely where the important bits are located. If QuickTime enabled ASLR, most exploits for its vulnerabilities would not work.

According to Ryan Naraine at eWeek, Quicktime for Vista now supports ASLR.

"In addition to ASLR, QuickTime for Windows will also do stack buffer safety checking (Visual Studio 2005's /GS option) and support for hardware NX on Windows Vista."

This is really good news if you are running Vista (even if you're running a Mac you're getting improved protection). If you're still running XP, perhaps the NX support will help (although the article only mentions Vista for some reason). I would suggest to you that there is more to Vista than having problems because your crappy peripherals are unsupported. There are security benefits to upgrading, particularly when the application supplier chooses to use them. Adobe, you're at bat! How will you step up to improve Flash security?

Update 4/9/08: David Maynor has written an update where he points out a couple of flaws in Apple's implementation. "Although most of the files are now marked as ASLR enabled there are still a few binaries that are not and could still provide an attacker a static location to utilize." As he said, it's still a big step forward. Informative post, I'd suggest checking it out.
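As an added example (not Apple's tooling or anything from Maynor's post), the following Python reads the DllCharacteristics field of a PE optional header and reports whether a binary opted in to ASLR (DYNAMICBASE) and NX (NXCOMPAT), which is the check behind "marked as ASLR enabled". The sample binaries are header-only stubs constructed in the code, not real QuickTime files.

```python
import struct

# PE optional-header DllCharacteristics flags (values from the PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def read_dll_characteristics(data: bytes) -> dict:
    """Parse just enough of a PE image to report its ASLR/NX opt-in state.

    Only the MZ stub pointer, the PE signature, the COFF header and the
    optional header are read; sections and imports are irrelevant here.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    # e_lfanew at offset 0x3C points at the 'PE\0\0' signature.
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The COFF file header is 20 bytes; SizeOfOptionalHeader sits at +16.
    coff = pe_off + 4
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if size_of_opt < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at optional-header offset 70 for both PE32 and PE32+
    # (the 8-byte ImageBase of PE32+ exactly absorbs the missing BaseOfData field).
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "dll_characteristics": dll_chars,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image for testing (not a loadable binary)."""
    pe_off = 0x40
    mz = bytearray(pe_off)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, pe_off)
    opt_size = 240 if pe32plus else 224  # standard sizes with 16 data directories
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt)


def audit(images: dict) -> list:
    """Return the names of images that did NOT opt in to ASLR (Maynor's complaint)."""
    return sorted(name for name, blob in images.items()
                  if not read_dll_characteristics(blob)["aslr"])


if __name__ == "__main__":
    # Constructed sample: two images opted in to ASLR+NX, one legacy image with neither.
    samples = {
        "player.exe": build_minimal_pe(0x0140),
        "codec64.dll": build_minimal_pe(0x0140, pe32plus=True),
        "legacy_plugin.dll": build_minimal_pe(0x0000),
    }
    for name, blob in samples.items():
        print(name, read_dll_characteristics(blob))
    print("not randomized:", audit(samples))
```

Point `read_dll_characteristics` at the bytes of any real .exe or .dll to audit an installed product the same way.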

George Ou Out at Zdnet

| No Comments | No TrackBacks

I was surprised to read that George Ou is out at ZDNet as a result of corporate restructuring. I've enjoyed his writing and have learned from it. I also got a big kick out of how angry he made the Mac people.

I'm assuming that corporate restructuring is the usual code word for layoffs. I can only hope that Mary Jo Foley made that list as well. Ok, so that's a bit mean.

I hope George lands on his feet.

I'm over at a SANS conference this week, learning about wireless security. One thing I found interesting is the instructor's comment that Netstumbler is the most useful tool for war-driving. He felt it handled multiple sessions and a lot of data better than the alternatives. I think the GPS integration was better as well.

I hadn't considered Netstumbler since I upgraded to Vista and couldn't get it to work any longer. I wrote about that here. As a side note, it looks like I need to do some search engine optimizing. A search for 'vista Netstumbler' (not in quotes) shows a Security News Portal copy of my RSS feed on page one, but doesn't show my own entry. If I narrow that search to my website, Google finds an old version of the post. An upgrade changed all the underscores in URLs to dashes and removed the old style sheet. So even using Google to search only my site gives a bad result. But back to the topic at hand...

When I got back from day 1 of the conference, I installed Netstumbler, and again no joy, even when I ran with admin rights. I think Netstumbler needs to stop Microsoft's wireless zero config, and I suspect that Vista isn't letting it do that. That is just a theory however. After that didn't work, I installed the drivers for a card using the Atheros chipset. I plugged that into the PCMCIA slot, and Netstumbler was able to use that no problem.

I haven't nailed down the exact cause of the onboard card not working, but at least I know that with the right card Netstumbler can work with Vista.

Last Friday, one of the guys in the department noticed that when he signed in to Cox webmail he would access Cox mailboxes belonging to other employees. He was even able to open messages in those accounts.

I went back to my office and created a test account. There are an awful lot of potential confidentiality violations here. Although I never repeated the results I saw on my co-worker's screen, I did find that I would see other employees' Cox inboxes when I selected logoff.

We use BlueCoat SG 810-B to provide HTTP/HTTPS security in web browsing. This additionally provides a proxy cache which in theory saves on bandwidth costs. We haven't had problems previously with Cox Webmail, nor have we had problems with any other webmail or logon based website.

To resolve the problem, I disabled proxy caching on the BlueCoat for webmail.east.cox.net. Immediately the problem went away.

Just to be on the safe side, I checked with my BlueCoat Sales Engineer. He says that cookie-based webmail normally works fine, as the cookies are non-cacheable by default. Otherwise the webmaster needs to do a better job marking things as non-cacheable. By marking the entire site as non-cacheable I resolved the problem quickly.

30 more

| 1 Comment | No TrackBacks

Over the weekend I received a benefits summary from work. They mail it out to remind people of all the non-salary related benefits that we get. The company doesn't pay as well as others, but the retirement benefits are the golden shackles.

They provide retirement projections assuming an x, y, or z rate of return and an inflation rate of a. In addition it assumes that my contributions remain proportionally the same, that the retirement program doesn't change, and that I get a 4% raise (cost of living adjustment) each year. Looks like I may be working until I'm 65.

Can you imagine working for 30 more years? Look back at what has changed in the past ten. Look at what will change in the next 30. Fortunately you don't have to listen to my cracked crystal ball (how do you listen to a crystal ball?). Bruce Schneier had some interesting comments in the latest Information Security mag.

In a fit of optimism Bruce says that security will become a requirement of the products. It will be baked in, instead of an add-on solution. One thing that will drive this is SaaS. "IT is infrastructure. Infrastructure is always outsourced. And the details of how the infrastructure works are left to the companies that provide it."

As that happens Bruce sees a consolidation in the security industry. Bad news for us infosec guys. We'll be replaced by an Indian call center. Just kidding. It doesn't sound good, though. Richard Bejtlich's blog entry on this subject predicts small companies will jettison their IT staff, and a lot of us may end up working for service providers. That sounds like a net loss of security jobs to me.

Will that happen? Have most companies outsourced their helpdesk? I don't think so. Many that have found that external helpdesks didn't provide the same level of service. Have most companies outsourced log review? I don't think so. The external company doesn't have the same interest or personal responsibility. Information security policy and implementation is still extremely important.

SC Magazine has a whitepaper from MessageLabs titled The Online Shadow Economy - A Billion Dollar Market. It reports on the research of MessageLabs Senior Architect of Development Maksym Schipka into the online criminal underworld, particularly Russian websites and forums.

You can buy custom-written malware for as little as $250. Support is available for an extra $25 a month to ensure your malware continues to evade detection. As others have also reported, malware writers test their products against anti-virus software before release to guarantee that existing signatures will not detect it. This is where MessageLabs has been so great. The combination of established antivirus scan engines and their own Skeptic engine, a heuristic scanner, prevents malicious email attachments from getting through.

Schipka's research suggests that malware authors can produce new, unique malware every 45 seconds in order to keep it undetected. Signature-based protections are not going to stand up to that attack.

If you do go to that link to read the research paper, be aware that SCMag will force you to register (I didn't find a bugmenot account). Also they will email the password you input in clear text. SCMag, thanks for cleartexting my password. I almost forgot the password in the one second between registering and receiving the "welcome" email.

More JAVA Updates

| No Comments | No TrackBacks

We just finished rolling out Java 1.5 update 14. As we've come to expect with all updates, that means another update is right around the corner. Sun has not disappointed.

Sun JDK and JRE 5.0 Update 15
http://java.sun.com/javase/downloads/index_jdk5.jsp

Sun JDK and JRE 6 Update 5
http://java.sun.com/javase/downloads/index.jsp

Sun SDK and JRE 1.4.2_17
http://java.sun.com/j2se/1.4.2/download.html

Multiple vulnerabilities have been disclosed:

- Two privilege-escalation vulnerabilities affect the Java Runtime Environment Virtual Machine. An untrusted application downloaded from a website may be able to elevate its privileges to read and write local files or execute local applications.

- A privilege-escalation vulnerability affects the Java Runtime Environment (JRE) when processing XSLT transformations. An applet may be able to exploit this to read unauthorized URIs, potentially execute arbitrary code, or cause denial-of-service conditions.

- Three buffer-overflow vulnerabilities affect Java Web Start. These issues may be exploited by a malicious Java Web Start application to elevate privileges and perform arbitrary actions as the currently logged-in user.

- A privilege-escalation vulnerability affects Java Web Start. An untrusted application may be able to grant read and write permission to local files, or execute local applications in the context of the currently logged-in user.

- An unauthorized-access vulnerability affects Java Web Start. A malicious Java Web Start application can exploit this issue to create files on the vulnerable system. It may then be able to execute those files to run arbitrary code in the context of the currently logged-in user.

- A same-origin bypass vulnerability affects the Java Plug-in. An applet may be able to exploit this issue to execute local applications that are accessible to the user running the plugin.

- A privilege-escalation vulnerability affects the Java Runtime Environment in the image-parsing library. A malicious applet may be able to exploit this to read and write local scripts and execute local applications in the context of the currently logged-in user.

- Two denial-of-service vulnerabilities affect the color management library that may cause the Java Runtime Environment to crash.

- An unauthorized-access vulnerability affects the Java Runtime Environment that may allow JavaScript code to make connections to network services. This may aid in further attacks.

- A buffer-overflow vulnerability affects Java Web Start. A Java Web Start application may be able to exploit this issue to elevate privileges, read/write arbitrary files, and execute arbitrary local applications in the context of the currently logged-in user.

(Symantec DeepSight Alert Service)

Too Creepy for Business Mail

| 1 Comment | No TrackBacks

Does your business have policies about forwarding email to external servers? You may think you have policies, but will you catch users who create their own server-side forwarding rules in Outlook/Exchange?

One of our VPs decided that he wanted to get work email onto his shiny iPhone whether it was supported/allowed or not. He created a rule to forward his email to Google Mail. With Google Mail, nothing is ever really deleted, and you really don't have any control over what Google does with the content. That's not the place to be sending information the customer intends that you keep private.

There is a website Gmail is Too Creepy that covers some of the concerns of Google Mail. Strangely enough while googling for that URL, Google wouldn't give me the result. They said I must have a virus on my computer if I'm trying to go to that website. Too creepy indeed!

In February, Postmaster General John Potter sent a letter, presumably to all addresses, and enclosed an Identity Theft brochure from the Federal Trade Commission (FTC).

The Postmaster General's letter reported that according to an FTC survey only 2% of all identity theft victims believed the theft of their identity was related to mail. Even so, they sent this letter to educate consumers.

So many times when dealing with users the response is "I've got nothing to hide" or "I won't be a victim" or "I've got nothing worth protecting". The Postmaster General's letter points out that if someone steals your identity, it can affect your credit standing, your ability to buy a car or home, get a job or obtain medical care. Once victimized, it is not easy to clean up.

The FTC brochure has a link to the FTC's Identity Theft Site. The brochure has three key sections.

Deter

  • Shred financial documents and paperwork before you discard them.
  • Protect your Social Security number. Do not carry it in your wallet or write it on a check. Give it out only where necessary, or ask to use another identifier.
  • Don't give out personal information on the phone, through the mail or over the Internet unless you know who you are dealing with.
  • Never click on links in unsolicited emails. Instead, type in a web address you know. Use firewalls, anti-spyware and anti-virus software to protect your home computer; keep them up to date. Visit onguardonline.gov for more information.
  • Don't use an obvious password like your birth date, your mother's maiden name or the last four digits of your Social Security number.
  • Keep your personal information in a secure place at home, especially if you have roommates, employ outside help or are having work done in your home.

Detect

Be alert to signs that require immediate attention:

  • Bills that do not arrive as expected
  • Unexpected credit cards or account statements
  • Denials of credit for no apparent reason
  • Calls or letters about purchases you did not make

Inspect your credit report (www.annualcreditreport.com) and your financial statements.

Defend

Defend against ID theft as soon as you suspect it.

  • Place a "fraud alert" on your credit reports.
  • Close any account that has been tampered with or established fraudulently.
  • File a police report.
  • Report the theft to the FTC.

Common Ways ID Theft Happens:

  1. Dumpster diving.
  2. Skimming - skimmers are special devices that steal your credit/debit card numbers.
  3. Phishing.
  4. Changing your address.
  5. Theft of wallet/purse, mail, records.

VLC Media Player Update

| No Comments | No TrackBacks

VLC Media Player 0.8.6e is available to resolve multiple security vulnerabilities.

Security Advisory 0801
Summary: Format string vulnerability in the Web interface; stack-based buffer overflow in the Subtitles demuxer; string buffer overflows in the Real RTSP demuxer
CVE references: CVE-2007-6681, CVE-2007-6682, CVE-2008-0295, CVE-2008-0296

Security Advisory 0802
Summary: Arbitrary memory overwrite in the MP4 demuxer
CVE reference: CVE-2008-0984

Security Advisory 0803
Summary: Arbitrary file overwrite and other abuses through the M3U parser and browser plugins
CVE reference:

I've seen VLC showing up in the vulnerability scans more at work. People install it because it supports a wide variety of multimedia formats. One more non-standard app to get patched.

Last week, some Princeton researchers demonstrated a technique for recovering cryptographic keys from RAM.
Here's their YouTube video:

The typical security hype cycle then followed with articles from SANS: In Memory of Hard Disk Encryption? and then the usual computer trade mags, and then ultimately an AP story: Blast of cold air can open computer to hackers.

That latter article began "Want to break into a computer's encrypted hard drive? Just blast the machine's memory chip with a burst of cold air." Gee, that sounds about as easy as opening a Kensington lock. I can just imagine the bulletins sent out by corporate security departments all over the country.

"If approached by Jack Frost, do not let him spray your computer with cold air. Flee and notify your IT Security Department as soon as possible."

The truth is a little less dire. Yes, data remains in RAM a bit longer than you'd expect. Yes, cold air could be used to preserve the data in RAM. However, in practice this means an attacker would have to physically compromise your computer within one or two minutes of turning it off.

Here's what I think is important:
1. Users should never use standby unless they are aware that their data is at risk. Personally, I advised that before this came out, so this is nothing new.
2. The system is vulnerable when it's online but screen-locked. Again, I don't think this is new.
3. When you turn your computer off, wait two minutes before you let someone plug in an unknown USB device or spray down the RAM with compressed air. Duh.

Non-technical people read these articles and they think the pain of full disk encryption wasn't worth it. Anytime a bad guy has physical access to the computer, you've got a problem. It seems that this attack works best in the lab and can be defeated with a few steps that you should be following anyway.

Winamp 5.52 released

| No Comments | No TrackBacks

Winamp 5.52 has been released to correct an Ultravox streaming metadata stack overflow reported by Secunia. Users of Winamp are encouraged to upgrade immediately.

Shmoocon 2008 Day 2

| No Comments | No TrackBacks

Here are some notes from Shmoocon day 2. Today was a return to the traditional Build It, Break It, and Bring it on tracks. Here are some notes/summaries from the sessions I attended. It was another fun day.

Active 802.11 Fingerprinting, Bratus, Cornelius and Peebles
How can you identify whether an access point is legitimate or rogue? Does two-way RSA crypto solve the problem of a rogue AP? The speakers would argue that if you are communicating with a rogue AP, the use of certificates could actually cause more information to be given away to the rogue. You could certainly be exploited in your communication as well if your wireless drivers have vulnerabilities.

Just as with OS fingerprinting through TCP, the wireless protocol can be abused to send unexpected traffic to the AP and fingerprint how it responds. They built a tool called Baffle using Ruby to perform this test. They were able to verify that the access point was using the driver that is expected.

If you're expecting a Linksys AP and I set up a rogue Linksys AP, this isn't going to help you, at least from my understanding of the talk. An audience member asked if this could be used with ad hoc (client-to-client) connections as well. It cannot be used for that, because APs are much more chatty and have more negotiation.

The remainder of the time was a presentation on access point hiding. I did not catch the presenter's name. Basically anything that has some room inside and has sufficient power could be refashioned to contain an AP. This assumes that you need to be stealthy about placing a rogue AP in the first place. The take-home for me from this section of the talk was the question, "if an AP enabled itself at 2 am (either to let the hacker in, or to move some data out), would you catch that?"

Smarter Password Cracking; Weir, Glodek
Not a lot new here.
Password cracking is getting tougher. Sometimes users are forced to pick better passwords. Often developers are throwing in a salt or hashing multiple times. A salt makes a precalculated table attack difficult. Multiple hashes attempt to increase the calculation penalty when trying an offline password attack. For example, while Word's password mechanism was once trivial to break, Word now uses 5000 rounds of SHA-1 and a huge salt.

In the last year or two several password troves have become available to all. In the past researchers didn't have a way to report on user password selection. After passwords collected by MySpace phishers leaked, researchers had a large collection of legitimate passwords. Many of the passwords were tremendously weak and thus not comparable to enterprise passwords.

When setting out to crack passwords, it is helpful to figure out how the users select their passwords. This gives the cracker a better chance at success.

I was hoping to take from this lecture a script to analyze a list of passwords and display the tendencies found. I would like to be able to easily run a report that says: 30% of users' passwords were revealed in testing. Of those, 90 percent were in the format Aaaaaa11 (A=upper, a=lower, 1=any number). I don't see that script on his website; I'm going to check back later.
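The report described above, written here as an added example rather than anything from the speakers' site: a Python mask analyzer over a constructed list of recovered passwords, using the post's A/a/1 notation plus '!' for anything else, and additionally collapsing masks into length-independent shapes so "Aaaaaa11" and "Aaaa1" both count as capitalised-word-plus-digits.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample audit: 6 of 20 account passwords recovered in testing.
SAMPLE_TOTAL_ACCOUNTS = 20
SAMPLE_CRACKED = ["Summer08", "Winter08", "Spring08", "Shmoo2008", "password1", "Monday11"]


def mask_of(password: str) -> str:
    """Per-character class mask: A = upper, a = lower, 1 = digit, ! = anything else."""
    return "".join(
        "A" if c.isupper() else "a" if c.islower() else "1" if c.isdigit() else "!"
        for c in password
    )


def shape_of(password: str) -> str:
    """Collapse runs in the mask, so 'Aaaaaa11' and 'Aaaa1' both become 'A-a-1'.

    The shape exposes the selection habit independently of password length.
    """
    runs: List[str] = []
    for c in mask_of(password):
        if not runs or runs[-1] != c:
            runs.append(c)
    return "-".join(runs)


def trailing_digits(password: str) -> str:
    """The digit suffix users so often append ('08', '2008', '1'), or '' if none."""
    return re.search(r"\d*$", password).group(0)


def _pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def report(cracked: List[str], total_accounts: int, top: int = 3) -> Dict:
    """Summarise tendencies in a list of recovered passwords."""
    n = len(cracked)
    masks = Counter(mask_of(p) for p in cracked)
    shapes = Counter(shape_of(p) for p in cracked)
    lengths = Counter(len(p) for p in cracked)
    suffixes = Counter(trailing_digits(p) for p in cracked if trailing_digits(p))
    return {
        "cracked_pct": _pct(n, total_accounts),
        "top_masks": [(m, _pct(c, n)) for m, c in masks.most_common(top)],
        "top_shapes": [(s, _pct(c, n)) for s, c in shapes.most_common(top)],
        "lengths": dict(sorted(lengths.items())),
        "ends_with_digits_pct": _pct(sum(suffixes.values()), n),
        "top_digit_suffixes": suffixes.most_common(top),
    }


def format_report(r: Dict) -> str:
    """Render the summary in the sentence form the post asks for."""
    lines = ["%s%% of account passwords were revealed in testing." % r["cracked_pct"]]
    for mask, pct in r["top_masks"]:
        lines.append("  %s%% of those were in the format %s" % (pct, mask))
    for shape, pct in r["top_shapes"]:
        lines.append("  %s%% of those follow the shape %s" % (pct, shape))
    lines.append("  %s%% end in digits; most common suffixes: %s"
                 % (r["ends_with_digits_pct"],
                    ", ".join("%s (x%d)" % s for s in r["top_digit_suffixes"])))
    lines.append("  length distribution: %s" % r["lengths"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(report(SAMPLE_CRACKED, SAMPLE_TOTAL_ACCOUNTS)))
```

Feed `report` the output of your own audit (one recovered password per line) and the total account count to get the same summary for a real password set.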

They're hacking Our Clients, Why are we focusing only on servers; Beale
This talk had two major sections. The need for patching clients, and a poor man's way to find clients that need patching.

In the first section Beale said that in pentesting engagements they now attempt to get to the internal network through client side attack. Often they are limited by engagement rules to the computers belonging to IT staff or security folk. Even with this set of users they are consistently able to perform attacks on the browser, mail client, Office, Adobe Reader, etc. Core Impact and Metasploit are two tools mentioned.

The bad guys moved to client side attacks years ago. Their biggest problem is managing all their owned boxes.

The question was asked: isn't this just social engineering? There are two responses to this. No, sometimes attacks autorun without user interaction. Yes, but the human firewall is imperfect. Even the most educated users get fooled. It's still appropriate for a pentest.

Comment from the audience - Once it reaches the user, freakin game over.
The attackers only have to find one vulnerable human or one vulnerable software install.

Isn't this a patch management problem, Beale asks rhetorically?
He says yes, but not every organization has patch management.
Also, patch management needs to know about every system in order to patch it. It needs rights. It often doesn't patch every product. Most people don't have that complete an inventory of what is on their network.

To address these issues, the speaker proposed using User-Agent strings to self identify vulnerable systems. That information could be collected in HTTP proxy logs, and email servers. Vulnerable clients could be denied further access.

While you could do further things such as implement something like the Master Reconnaissance Tool to gather browser plug-ins, there is still vulnerable software that you don't address in this way.
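As an added example of the User-Agent approach (not the speaker's code), this Python reads constructed proxy log lines, pulls product versions out of the User-Agent strings, and flags clients below a minimum-version policy. The log format and the Firefox minimum are assumptions; the Java and QuickTime minimums are the versions named elsewhere on this page (Java 5 Update 15, QuickTime 7.4.5).

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed minimum acceptable versions for this example. Java and QuickTime values
# come from the updates discussed on this page; the Firefox value is a placeholder.
MIN_VERSIONS = {
    "Firefox": "2.0.0.12",
    "Java": "1.5.0_15",
    "QuickTime": "7.4.5",
}

# How each product announces itself in a User-Agent header (Java's own HTTP
# client sends 'Java/1.5.0_14'; QuickTime sends 'QuickTime/7.4.1 (qtver=...)').
PRODUCT_PATTERNS = {
    "Firefox": re.compile(r"\bFirefox/(\d+(?:[._]\d+)*)"),
    "Java": re.compile(r"\bJava/(\d+(?:[._]\d+)*)"),
    "QuickTime": re.compile(r"\bQuickTime/(\d+(?:[._]\d+)*)"),
}

# Constructed proxy log format for the example: epoch time, client IP, quoted UA.
LOG_LINE = re.compile(r'^(\S+)\s+(\S+)\s+"([^"]*)"\s*$')

SAMPLE_LOG_LINES = [
    '1207200000.123 10.1.2.3 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"',
    '1207200001.456 10.1.2.4 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9"',
    '1207200002.789 10.1.2.5 "Java/1.5.0_14"',
    '1207200003.000 10.1.2.3 "Java/1.5.0_15"',
    '1207200004.000 10.1.2.6 "QuickTime/7.4.1 (qtver=7.4.1;os=Windows NT 5.1Service Pack 2)"',
    '1207200005.000 10.1.2.7 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    'garbage line that does not match the log format',
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.5.0_14' -> (1, 5, 0, 14); tuples compare numerically, so 2.0.0.9 < 2.0.0.12."""
    return tuple(int(part) for part in re.split(r"[._]", v))


def products_in_ua(ua: str) -> List[Tuple[str, str]]:
    """All known products and versions advertised by one User-Agent string."""
    found = []
    for product, pattern in PRODUCT_PATTERNS.items():
        m = pattern.search(ua)
        if m:
            found.append((product, m.group(1)))
    return found


def find_outdated(lines: List[str], policy: Dict[str, str] = MIN_VERSIONS
                  ) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map client IP -> [(product, observed version, required minimum)] for
    every client that presented a version below the policy minimum."""
    outdated: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # tolerate unparseable lines instead of aborting the audit
        _, client_ip, ua = m.groups()
        for product, version in products_in_ua(ua):
            minimum = policy.get(product)
            if minimum and parse_version(version) < parse_version(minimum):
                entry = (product, version, minimum)
                if entry not in outdated[client_ip]:
                    outdated[client_ip].append(entry)
    return dict(outdated)


if __name__ == "__main__":
    for ip, findings in sorted(find_outdated(SAMPLE_LOG_LINES).items()):
        for product, seen, minimum in findings:
            print("%s: %s %s is below required %s" % (ip, product, seen, minimum))
```

The same matcher can run over mail server logs or be placed in the proxy's own policy to deny clients that report an outdated version, as the talk proposed.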

Another idea is to look at the metadata for recently created files on your fileserver, sharepoint, in email. Apparently you can determine the version of the software used to create the document. A vulnerable version and a recently created document equal a problem that needs to be addressed.

Since I do vuln scan all online systems, and I do have a patch management system, the second part of the talk wasn't as interesting. It seemed like a lot of work just to catch a small number that missed the patch management and vuln scanning. I do see the usefulness in a University or other similar environment.

VOIP Hopper; Ostrom and Kindervas
This was a strong talk demonstrating the new version of their voiphopper program. Most people outside that room think that a VLAN is a security separator. The talk showed how easy it is to get onto the voice VLAN. In IT there is also a low awareness of VoIP threats. People think, "you can't access corporate data from an IP phone."

voiphopper now includes a Cisco Discovery Protocol generator making it really easy to pretend to be a VOIP phone.

Mitigation:
1. Use Cisco's phone CDP Security provided in 12.2.36 SE. This requires a phone to have power or it will shut down the port. (One wonders how that would work in my case, where a bad blade wasn't providing power for some ports and I was given a power brick for my phone instead of using power over Ethernet.)
2. MAC address filtering.
3. Disable the PC port on the phone. (This is for lobby phones, which should not have a PC plugged into them.)

Got Citrix? Hack it!; Gupta
One audience member correctly asked for fewer IE vulnerabilities and more about Citrix. I agree. The vulnerabilities presented all existed because Windows was not secured for the role the system was playing.

Gupta has a good point that people think putting something behind Citrix is equal to securely serving it.

We did not get to see a couple of demos because the wireless network was down during this session. I'd recommend either not relying on an unreliable medium for a presentation or having a video backup. We were left with a session cut short and a feeling of disappointment.

Shmoocon 2008 Day 1

| 2 Comments | No TrackBacks

I'm down at Shmoocon this weekend. I've been to two of the four Shmoocons. Apparently I only go on even years.

Here are some notes. This is probably going to be even less coherent than usual as its getting late and I need to be back down there tomorrow.


David Hulton, "Intercepting GSM Traffic"

As I understood it, this talk described a known-plaintext attack on the session key between a GSM phone and the tower. It still requires massive computational power, although the hardware and time cost is much lower for this attack than for previous attacks. The solution will probably be more networks switching to 3G.

David Smith, Forensic Image Analysis to Recover Passwords
This talk described his attempt to recover passwords from core dumps, swap, memory dumps, logs, deleted temp files, slack space and internal history.

He is currently working in Perl to search for strings of a certain length and then give each one an entropy score.
An audience member suggested starting with a clean OS image to easily rule out the OS files' strings from the gathered set.
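The string-extraction and entropy-scoring approach described above, together with the audience member's suggestion of a clean-image baseline, as an added example (not the speaker's Perl code): extract printable runs from a byte buffer, drop strings that a known-good image also contains, score the rest by Shannon entropy and rank them. The "memory image" and the baseline set are constructed for illustration; the thresholds are arbitrary starting points.

```python
import math
import re

# Constructed stand-in for a memory image: printable runs mixed with binary filler.
SAMPLE_IMAGE = (
    b"\x00\x00MZ\x90\x00"
    + b"kernel32.dll\x00"
    + b"\x01\x02"
    + b"password=Tr0ub4dor&3\x00"
    + b"\xff\xfe"
    + b"aaaaaaaaaaaa\x00"
    + b"C:\\Windows\\System32\\\x00"
    + b"\x00" * 8
    + b"Xk9#pL2@vQ7!\x00"
)

# Strings a clean OS image also yields (assumption: built beforehand from a known-good host).
BASELINE = {"kernel32.dll", "C:\\Windows\\System32\\"}


def extract_strings(data, min_len=8):
    """Return every run of at least min_len printable ASCII bytes, like the strings tool does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def shannon_entropy(text):
    """Bits of entropy per character; repetitive filler scores low, password-like strings high."""
    length = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def rank_candidates(data, baseline=BASELINE, min_len=8, min_entropy=3.0):
    """Extract strings, remove baseline noise, keep those above the entropy floor,
    and return (entropy, string) pairs with the most password-like first."""
    scored = []
    for s in set(extract_strings(data, min_len)):
        if s in baseline:
            continue  # seen in the clean image, so it is OS furniture rather than user data
        entropy = shannon_entropy(s)
        if entropy >= min_entropy:
            scored.append((round(entropy, 3), s))
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for entropy, candidate in rank_candidates(SAMPLE_IMAGE):
        print(f"{entropy:5.3f}  {candidate}")
```

The run of twelve identical characters never reaches the report because its entropy is zero, and the two baseline strings are dropped before scoring; what remains is exactly the sort of high-entropy, non-OS material a reviewer would want to look at first. On a real image the baseline would be far larger and should be generated from the same OS build as the subject machine.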

In terms of defenses, I would start with not saving passwords in easily reversible forms (the browser saving passwords, for example). Next, I would consider wiping the free space. Full disk encryption would be the best defense, assuming you don't get caught while the computer is booted.

Syn Phishus, Unauthorized phishing exercise
This is the talk I was most looking forward to. Syn, as a security contractor, decided to phish the computer security department (consisting of 200 employees). He created a phishing campaign announcing the company's ID theft insurance vendor signup. If users clicked on the link in the email, they were prompted to log in using domain credentials; whether they hit submit or cancel, they were counseled not to be so dang gullible.

The goals for this project were to raise security awareness, demonstrate that policies require enforcement and education, get corporate communications to sign their email and create a service the company could sell. He didn't tell anyone before doing it. He didn't want anyone else to take the risk. He tried to make it easy for IT security to respond to by putting information in the comments on the phishing site, and by using a computer connected to the corporate vpn for his phishing attack.

As you might expect this did not go over well with his company. Doing something like this is definitely a career limiting event. You should always have a get out of jail free card, that is something in writing authorizing you.

edited to remove incorrect assumption about Syn and another phishing venture. Sorry about that.

Deral Heiland, Web Portals
This talk was about a pentest facilitated by the company's internet portal.

Portals provide easy access to corporate data. They can also be huge threats to the internal network.

The problem with this particular (unspecified) portal was twofold. First, it accepted unauthenticated traffic, and second, the portal had full access to the internal network. The portal accepted and processed GET requests, so you could craft a query that would have the portal open a website on the internal network. By trying common internal address space, you could find anything running a web server. This ranged from printers, Compaq Lights Out boards and network equipment to the SAN administration. Bad news for the company if a hacker had uncovered this.

This is why they should have required strong authentication for everything on that server. The server should also have been filtered from internal access so that only required services could be accessed. A layer 7 firewall could have prevented the portal from being exploited as well.
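The kind of target check the portal should have applied before relaying any request, as an added example (not code from the talk or the blog). The `authenticated` flag, the scheme check and the allow-list of hosts are assumptions for illustration. The address-class test mirrors the post's point about filtering the portal from internal address space; the allow-list of names is the control that actually holds, because an attacker-controlled hostname can resolve to an internal address and sidestep a purely numeric check.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts the portal is permitted to fetch from (not from the original post).
ALLOWED_HOSTS = {"www.example.com", "docs.example.com"}


def is_internal_address(host):
    """True when host is a literal IP in private, loopback, link-local, reserved or multicast space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; hostnames are decided by the allow-list instead
    return (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_reserved
        or ip.is_multicast
    )


def check_portal_target(url, authenticated):
    """Return (allowed, reason) for a URL the portal is being asked to open on a user's behalf.
    Mirrors the two fixes the post calls for: require authentication, and restrict what the
    portal may reach."""
    if not authenticated:
        return False, "unauthenticated request"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "unsupported scheme"
    host = parts.hostname or ""  # lower-cased, brackets stripped from IPv6 literals
    if is_internal_address(host):
        return False, "internal address space"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests showing each decision path.
    for url, authed in [
        ("http://www.example.com/news", True),
        ("http://www.example.com/news", False),
        ("http://192.168.1.1/", True),
        ("http://[::1]/", True),
        ("http://www.example.com.attacker.invalid/", True),
    ]:
        print(url, authed, check_portal_target(url, authed))
```

A layer 7 firewall in front of the portal, as the post suggests, enforces the same decision outside the application; doing it in both places means a bug in one does not expose the internal network.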

Isaac Mathis, Hacking the Samurai Spirit
This was actually an interesting talk about how differences in culture influence security.

Deviant Ollam, Latest News on Bump Key Attacks
This was fairly routine for anyone who is up on bump keys.

Anti-bumping technology is starting to make its way into common consumer-level locksets. Master Lock and Kwikset appear to be gearing up to sell consumers on this added protection.

I cannot find a statement on Adobe's website saying they no longer support Reader/Acrobat versions earlier than 8, but actions speak louder than words.

The security bulletin for the vulnerability currently being exploited states:
Acrobat and Adobe Reader 7.0.9 and earlier versions are also affected by these vulnerabilities. Adobe will provide further information as to the nature of the vulnerabilities via the company's Security Bulletins and Advisories page (http://www.adobe.com/support/security/) once updates are available for all affected versions of Acrobat and Adobe Reader.

That is not very reassuring because the last Adobe Reader/Acrobat security bulletin said the same thing.
Adobe will be providing an update to Adobe Reader 7.0.9 and Acrobat 7.0.9 at a later date.

That update hasn't been released.

We have a large number of users still running 7.0.9 Standard or Professional. I don't expect them to be all that excited about ponying up the dough for the upgrade to 8.x. Version 7 isn't supported with Office 2007 or Vista so they'll have to upgrade fairly soon anyway.

There has been growing talk (in general, not at work) about Adobe Reader and Acrobat alternatives. Adobe's product has become more and more bloated, and the security bulletins follow from those extra features. Foxit Reader doesn't have any reported security vulnerabilities. I don't have any experience with Foxit, but it sure seems like time to investigate a change that doesn't require multiple updates per year.

Update: Not so fast...
On February 20th, Adobe updated its security bulletin to say:

Acrobat and Adobe Reader 7.0.9 and earlier versions are also affected by these vulnerabilities.

Adobe is planning to release an update to Adobe Reader and Acrobat 7 by the end of May 2008 to resolve these security issues in those versions of the products.

Secunia has released Personal Software Inspector (PSI) 0.9.0.1. As I've blogged about before, Secunia PSI is software for the home user that reports installed software that is vulnerable or no longer updated by the manufacturer.

The change log here lists a few interesting improvements.


  • Improved intelligence to make it even easier for non-technical users to patch their applications. Special rules for Adobe Flash and Sun Java have been implemented.

  • The Secunia PSI is now able to determine if the detected Adobe Flash versions are an ActiveX Control (IE), a Firefox plug-in, an Opera plug-in, or a general Operating System plug-in.

  • The Secunia PSI is now able to determine if the detected Sun Java versions require an uninstall (the Sun Java installer does not automatically uninstall old versions when you upgrade to their latest version).

  • When hovering your mouse over an application name the Secunia PSI will now always display the exact path to where the application is installed.

Keeping third-party applications patched is critical for computers used on the Internet.

It's the Little Credit Card Charges

| No Comments | No TrackBacks

The CA Security Advisor Research blog has an interesting entry today following the trail of a suspicious credit card charge.

Do you review your monthly statement for suspicious charges? Do you look over every charge or just the bigger ones? A fraudster may fly under your radar with a $5 charge. That can accrue to quite a bit of money if they hit enough people.

Review your bills. Whether it's fraud or the phone company tacking on a monthly fee for long distance, you want to know about it as soon as possible.

Shmoocon Commuting

| No Comments | 1 TrackBack

If you're heading down to Shmoocon in DC February 15th to 17th, allow extra time if you're taking Metrorail. Metro is performing platform repair at the Metro Center stop. WMATA recommends allowing an extra 30 minutes. This should start late enough not to be a problem Friday, but it will be annoying Saturday and Sunday.

Parking at the Wardman Park Marriott is $13/hour ($28/day). I don't know of alternative parking down there.

As I was driving into work this morning, my blackberry was flooded with Trojan.Zonebac alerts. When I got into work, I could see that a single computer at one of our sites was getting this detection on pretty much every major exe. When I read the Technical writeup of Trojan.Zonebac at Symantec, I found out why. Zonebac searches for files referenced in the following registry subkeys:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

For all the files found referenced in the registry subkey values, the Trojan creates a copy of the referenced file in a folder named "bak" at the same path as the original file. Then the Trojan will replace the original file with a copy of itself.
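A detection check built from the behaviour described above, as an added example rather than anything from Symantec's writeup: for each executable referenced from the Run keys, look for a copy of it under a sibling "bak" folder and compare hashes. A matching copy whose contents differ from the file now sitting at the original path is the trojan's signature. The registry read itself (`winreg` on Windows) is left out so the block runs on any OS; the Run entries, paths and file contents here are constructed.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large executables do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_backed_up_replacements(run_entries):
    """run_entries: list of (value_name, executable_path) as read from the Run keys
    (on Windows, gather them with winreg; paths should already be unquoted and stripped
    of arguments). Returns (value_name, path, current_sha256) for every entry whose
    executable has a same-named copy in a sibling 'bak' folder with different contents."""
    findings = []
    for name, exe in run_entries:
        bak_copy = os.path.join(os.path.dirname(exe), "bak", os.path.basename(exe))
        if not (os.path.isfile(exe) and os.path.isfile(bak_copy)):
            continue  # no bak copy means this entry does not show the pattern
        original_hash = sha256_file(bak_copy)
        current_hash = sha256_file(exe)
        if original_hash != current_hash:
            # The file in place is not the one that was backed up: the original was swapped out.
            findings.append((name, exe, current_hash))
    return findings


def build_constructed_tree():
    """Lay out a constructed example on disk: two Run entries, one showing the trojan's pattern.
    Returns the (value_name, path) list a registry read would have produced."""
    root = tempfile.mkdtemp(prefix="zonebac_demo_")
    app_dir = os.path.join(root, "Vendor")
    os.makedirs(os.path.join(app_dir, "bak"))

    # Entry 1: untouched program with no bak copy.
    clean = os.path.join(app_dir, "updater.exe")
    with open(clean, "wb") as handle:
        handle.write(b"MZ constructed clean updater")

    # Entry 2: the original was copied to bak\ and the original path now holds other bytes.
    replaced = os.path.join(app_dir, "tray.exe")
    with open(os.path.join(app_dir, "bak", "tray.exe"), "wb") as handle:
        handle.write(b"MZ constructed original tray app")
    with open(replaced, "wb") as handle:
        handle.write(b"MZ constructed replacement")

    return [("Updater", clean), ("Tray", replaced)]


if __name__ == "__main__":
    entries = build_constructed_tree()
    for name, path, digest in find_backed_up_replacements(entries):
        print(f"{name}: {path} differs from its bak copy (sha256 {digest[:16]}...)")
```

The hash comparison matters: a bak folder with an identical copy is just a backup, while a differing copy is what the writeup describes. On a live system the hashes of the flagged files are what you would submit for analysis, and the bak copies are the originals you would want to preserve before deciding, as the post does, that a wipe is the safer bet.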

Now that is a mess. Normally, I see it as a fun challenge to clean machines, but in this case with so many EXEs suspect, and with the computer being remote, it seemed to be a better bet to wipe the system.

This evening the SANS Handler Diary had an entry revealing that the Adobe Reader/Professional vulnerability is currently being exploited and Zonebac is being dropped. That explains what happened.

It looks like I may have to move up my implementation of Adobe Reader 8.2.1.

Brian Krebs' writeup on this reports that according to iDefense this was spreading through banner ads. http://blog.washingtonpost.com/securityfix/2008/02/hackers_exploiting_adobe_reade.html

Dark Reading has an article reporting on a presentation Peter Tippett gave at the Computer Forensics Show in Washington DC.

He said that IT Security departments are wasting their time and a third of current security practices are useless.

It's not necessarily a new thought.
It is really easy to get caught up in the patching hamster wheel.
It's easy to believe that products will solve your security problem.
A lot of security spending and effort is regulation based. Is your data more secure because users are required to have 12 character passwords that are changed every 60 days?

It's hard to step back and look at security from new angles.

Quicktime 7.4.1 is Out

| No Comments | No TrackBacks

We pulled the trigger deploying Quicktime 7.4 to all users yesterday, so, as we've grown to expect, Apple released Quicktime 7.4.1 today. While we knew another update was coming, you just can't wait forever for an update to post.

The Quicktime download is in the usual location. If you are running iTunes, just grab that update. Apple's security bulletin is here.

Guardian Edge Support

| 5 Comments | No TrackBacks

At the beginning of the year, Guardian Edge transitioned support to an interactive voice response (IVR) system. Since then it seems impossible to call and speak to a live person.

I don't generally like to call any support phone number. Most matters should be resolvable by checking the manual, reading the knowledge base, or opening a ticket via email or web form. When I do have to call support it's because I really need an answer now, and I don't mind waiting on hold for a bit to get it.

The old Guardian Edge support fit that model perfectly. I could call, and normally get someone right away.
The new Guardian Edge support model is geared toward never speaking to anyone. If you call, a voice response system asks if the number you are calling from is the one associated with your account. Next, even though they've already identified you by phone number, the IVR asks for your support ID number. After that you can leave voice mail describing your case. In each case I've had since this change, the support technician replies by email in 4-6 hours. God help you if that answer doesn't resolve the issue, because the case will get lost after that.

We paid for phone support. This doesn't seem like phone support to me. I have tried to address these concerns with Guardian Edge. The person heading the project corrected a routing problem with my support ticket. They did not address what I feel is a loss of service.

This sort of thing happens a lot with expanding companies. They have more callers and don't have the trained bodies to handle the calls. I still find it very disappointing.

Adobe Reader 8.1.2 Released

| No Comments | No TrackBacks

Adobe Reader 8.1.2 is out, download here.

There are not any new security advisories for Adobe Reader at this time. Until I hear otherwise, this may just be a bugfix release.

Update: The 8.1.2 release notes are available. The summary states "The Adobe Reader 8.1.2 update addresses a number of customer workflow issues and security vulnerabilities while providing more stability."

Update 2: Symantec DeepSight reports that a proof-of-concept exploit is available to members of the Immunity Partners Program.

Assessing Risk

| No Comments | No TrackBacks

Psychology Today has an article on people's ability to assess risk.

We substitute one risk for another.

Insurers in the United Kingdom used to offer discounts to drivers who purchased cars with safer brakes. "They don't anymore," says John Adams, a risk analyst and emeritus professor of geography at University College. "There weren't fewer accidents, just different accidents."

Why? For the same reason that the vehicles most likely to go out of control in snowy conditions are those with four-wheel drive. Buoyed by a false sense of safety that comes with the increased control, drivers of four-wheel-drive vehicles take more risks. "These vehicles are bigger and heavier, which should keep them on the road," says Ropeik. "But police report that these drivers go faster, even when roads are slippery."

Both are cases of risk compensation: People have a preferred level of risk, and they modulate their behavior to keep risk at that constant level. Features designed to increase safety—four-wheel drive, Seat belts, or air bags—wind up making people drive faster. The safety features may reduce risks associated with weather, but they don't cut overall risk. "If I drink a diet soda with dinner," quips Slovic, "I have ice cream for dessert."

It's not much of a leap to see how this affects computer security.


  • I'm using a minority browser that brags about how secure it is. I guess I can browse where ever I want and click on anything.

  • I have a new security suite, it will detect anything bad that happens

  • The SMTP scanner hasn't let through a virus yet, therefore I can open any attachment that comes in without consequence

The safety improvements in cars aren't supposed to replace intelligent driving decisions. Security software provides layers of protection, it doesn't replace informed choices.

Link originally seen at Schneier's Blog

The High Cost of Handsfree

| No Comments | No TrackBacks

More and more wired peripherals are connected to the office computer, yet at the same time people want to be more wireless. They want a wireless keyboard, a wireless mouse and a wireless headset. It's a little bit ironic that people accept wires for their non-work-related USB devices, but they "can't stand the clutter" when it comes to using standard keyboards and mice.

This article from DarkReading reports on the ease of intercepting wireless headset traffic, and on how the testers used information gathered that way to socially engineer themselves into a badge and a desk inside a company they were hired to pentest. Not only could they listen to phone conversations with an off-the-shelf scanner; in some cases the headset remained active after a call ended, which effectively bugged the office!

A UPI version of the article spoke to Bob Hayes, managing director of the Security Executive Council who downplayed the issue.


"There are a lot of threats that are technically possible," he said, pointing out that monitoring telephone conversations that way without permission was a federal crime. "Why would I do that," he asked, "when I could get the same information a dozen different ways?" For instance by going through someone's garbage, pretext phone calling, or eavesdropping on conversations at trade shows.

It's not as if this is a far-fetched Hollywood-style plot. It's one thing to do a risk analysis and determine it's not worth taking action. It's another to just say "we've got bigger fish to fry".

Jack Johnson, former chief security officer for the Department of Homeland Security and now a partner in the Washington federal practice at PricewaterhouseCoopers, had a more common response: in general, when it came to new technology, "ease-of-use considerations tend to trump security." It's only later that the vulnerabilities are discovered. The CxO has to have the cool toys today.

One would wish that after so many years we would stop making the same mistakes. Security needs to be baked in early on. It cannot be the dismissed factor in the triad of Security - Usability - Cost.

Wireless keyboards are also an issue. In November 2007 DreamLab Technologies announced that due to weak encryption in Microsoft wireless keyboards they were able to capture and decrypt keystrokes. Would you intentionally set yourself up for wireless keystroke logging?

Now maybe I'm just jealous that my Plantronics headset is from the last millennium and I'm using a standard Dell USB keyboard. But it seems to me that the inherent risks in going wireless need to be addressed in any product used in the enterprise. It would be for the best if standards were followed in a company and products analyzed, rather than implementing a hodgepodge of whatever is personal preference.

One of the things I've been doing this week is learning about the Federal Desktop Core Config (FDCC).

You've probably read about it this past week. The short version is that it is a Federal government wide configuration standard for XP and Vista.

Under FISMA, you just had to have a standard and apply it. With FDCC they are all supposed to have the same standard. The FDCC falls prey to a number of fallacies. It seems the developers are tweakers, that is to say they seem to believe the more changes made the more secure the computer is. That is just never a good idea. They appear to have started with a standard to the right of the SSLF policy (Microsoft's policy for standalone really-secure computers) and only made changes where they absolutely had to.

The mistake I wanted to write about in this blog entry is the setting "Use FIPS Compliant Algorithms for Encryption, Signing and Hashing". This setting is required for both XP and Vista under the FDCC. This policy should never be used.

The policy enables FIPS 140-1 mode. This is kind of funny since the government requires FIPS 140-2. What isn't so funny is that you will be unable to use SSL: only TLS_RSA_WITH_3DES_EDE_CBC_SHA is supported. EFS encryption will be lowered from AES to 3DES.

When applying a security hardening policy understand what the settings will do. Test first in a non-production environment. Document your explanations for any exceptions from the standard that you are following.

JAVA 1.6 Update 4

| 5 Comments | No TrackBacks

SANS blogged about the latest JAVA 1.6 Update 4 release back on January 12th. Brian Krebs today wrote a piece in his Washington Post blog Security Fix.

I admit it. I have no idea whether or not this update is critical. SANS seemed to say 'you might want to do this soon.' Brian said 'it contains some security fixes. You should update.' I'm looking around to see how Sun categorizes this fix. Microsoft would be letting me know if it's critical or important, whether exploits are available and how an attack might occur. Cisco would use the CVSS standard, which is pretty cool. Even after reviewing Sun's release notes I don't have a clue.

I kind of want to say no news is good news. We need to keep the enterprise-wide reboots caused by software updates to a minimum. I just hope I don't open my RSS reader one day and read about an exploit in the wild that would have been patched if I had deployed this. I'll keep this one on the back burner and deploy it if Adobe, Flash and Quicktime slow their vulnerability circus for a while.

NAC Predictions

| No Comments | No TrackBacks

I'm staying up way too late tonight reading some NAC literature. I thought this quote was pretty funny.

"By year-end 2007, 80 percent of enterprises will have implemented network access control policies and procedures." (John Pescatore, Gartner Inc.)
J. Pescatore et al., Protect Your Resources With a Network Access Control Process. Gartner Inc., 2004.

That quote was in the Sophos literature.

How's that one turning out?

Symantec Eraser Engine update

| 1 Comment | No TrackBacks

Perhaps the following explains the trouble I had with SEP11 and Vista.
From an email sent to Platinum customers:

Update: Eraser Engine update - 01/18/07

Symantec has released an Eraser Engine update today, January 18th US Pacific Time. This update replaces a planned AV Engine update that was announced in a previous Platinum Bulletin. It addresses an issue seen by some customers using Symantec Endpoint Protection 11 on Windows Vista which in rare circumstances could cause the system to become unstable. Following this update, the AV Engine and Eraser will have the following versions:

naveng32.dll: 71.4.0.23
ccEraser.dll: 107.4.1.2

Scary SCADA FUD

| 2 Comments | No TrackBacks

At a SANS SCADA conference in New Orleans, CIA senior analyst Tom Donohue reported that cyberattacks have caused multi-city power outages outside the United States.

Rob Rosenberger writes a good article about this here.

It is pretty scary to know that there are forces out there plotting to keep us in the dark with no heat or AC. But why am I getting sidetracked by what some people want to require in California?

This reminds me of another time SANS reported that hackers had threatened the lives of scientists at the South Pole. They purportedly hacked an environmental control system and attempted to extort payment, or all the scientists would freeze to death. According to this Kevin Poulsen article, a FOIA request uncovered a memo about that incident which said it was minor. "Given the fact that no financial records or systems were compromised, no safety or loss of life was threatened, and no critical system corrupted" by the Romanian hackers, "we need to balance legitimate security needs with the legitimate needs of our scientists at the Pole."

It sounds to me like in both the South Pole case and this new report of blackouts, the threat of cyberterrorism is being promoted in order to advance an agenda. Without details it's just FUD.

Of course utilities should be taking precautions, but if the past decade is any indication the public has more to worry about from hurricanes (New Orleans) and general screwups (northeast blackout).

Good for Office 2003 sp3

| No Comments | No TrackBacks

David LeBlanc takes the occasion of an Excel zero day to say "see, I told you so." Excel 2003 SP3 is not vulnerable.

I'd like to know whether SP3 is not vulnerable because of the disabling of support for old file formats, or because of the other assorted fixes in the service pack. David implies it's the latter, saying "We did a _lot_ of work fuzzing our apps and fixing bugs. While I'll never claim that SP3 is unbreakable, it's a lot more robust than Office 2003 was previously, and this probably won't be the last time we see an advisory over something that affects SP2 but not SP3."

I was just thinking that if it's not vulnerable because obsolete file formats are disabled (security over backwards compatibility), then people who follow the information in this KB to re-enable those file types are still vulnerable. I guess we'll find out when the patch is released and more information is available. Until then I'm going to go put a bug in someone's ear at work about upgrading to SP3. We can't afford to wait until all of our other apps support Office 2007.

Quicktime 7.4

| No Comments | No TrackBacks

Quicktime 7.4 is out.

For detailed information on the security content of this update, visit http://docs.info.apple.com/article.html?artnum=307301

You are insecure

| No Comments | No TrackBacks

You are insecure. I'm not talking about your need to own an SUV even though, if you ever had to move something, you'd need to rent a truck to avoid damaging the leather seats. It's your computer that is insecure.

According to statistics gathered from Secunia Personal Software Inspector users, pretty much all computers with Secunia PSI have at least one vulnerable application installed. A vulnerable application is defined by them as an application for which an update is available.

I would comment that Secunia reports on old versions of Flash installed. Adobe reports that those old installs are not vulnerable. I bet that trips up the most conscientious user. Others haven't taken the time to exclude archive directories. When I first installed Secunia PSI it complained about old versions of files in system archives.

Even with that minor quirk, these numbers are amazing. If you've installed Secunia PSI, you probably care about keeping your non-Microsoft applications patched. Yet it still isn't happening. I think Secunia could help by scanning more often and getting more in your face about it. Currently they seem to scan once a week and pop up a balloon immediately after the scan.

I would still recommend Secunia PSI for all home machines. It is really important to keep these applications patched, and Secunia helps out a lot with that.

Join the many Secunia PSI users - download the PSI and secure your computer today:
https://psi.secunia.com/

IRPStackSize

| 4 Comments | No TrackBacks

I have a whole bunch of Windows XP sp2 systems that give me an error when I attempt to connect to their c$ or admin$ shares: “Not enough server storage is available to process this command.”

The remote system's event log records: “Event ID : 2011 Source : Srv Description: The Server's configuration parameter "IRPStackSize" is too small for the server to use a local device. Please increase the value of this parameter.”

I checked a couple of Microsoft Knowledge Base articles and did a lot of searching on the Internet. It seems that a lot of people have latched onto http://support.microsoft.com/kb/177078 as the only cause and concluded that if you have the error message "Not enough server storage is available to process this command" then it must be Symantec's fault. As I searched, I found person after person with this error message being told they needed to uninstall Symantec. The person with the issue responded that they had another antivirus product, they never had Symantec installed, and they still had the issue. The Symantec blame had specifically to do with NAV 7.6 and 8, which hardcoded the IRP stack size to 8, roughly half of its default value in Windows XP. That doesn't have a lot to do with the issues I'm having. I don't have that registry value at all.

http://support.microsoft.com/kb/285089 is a more helpful article. It describes what the IRP Stack is and why you might have a problem with it. The problem is, you're left guessing at what "an appropriate value for my network is". I also wondered if I could configure this setting globally instead of having to manually configure it on systems exhibiting issues.

I spoke with a Microsoft contact and decided that we were having the problems because of the high number of file filtering applications (AV, AS, encryption, backup, etc) and concluded it is safe to adjust this globally. Currently we're using SMS to change the IRPStackSize to 18 (decimal).

This error is really a big problem. It's not very noticeable by itself. But on the systems with the error, SMS seemed to not be working. This affects software update distribution. It also hurts the vulnerability scanner's ability to check file versions. Hopefully we are on our way to fixing this problem on a permanent basis.

Tiger Team on CourtTV

| No Comments | No TrackBacks

I just saw that CourtTV (CourtTV is TruTV as of 1/1/2008) had a pen testing show called Tiger Team that aired a couple of times last week. GrumpySecurityGuy calls it "It Takes a Thief" with a security twist.

Don't go in expecting this show to be about a Red Team in a dark room somewhere running zero-day attacks while the Symantec Security NOC is soiling themselves because green lights turn to red on a big board on the wall. It doesn't look like we're going to see Chloe say "it's OK, we've got the Cisco Self-Defending Network". The episodes I've seen have had the team attempt to penetrate small, very secure businesses. You don't need to bust through a firewall or wait for a phishing reply when you can just hand someone a USB key and ask them to print out a document from it.

The team has a social engineer, a computer security guy and a physical security guy (if I remember the introductions correctly). In the first caper they take down security at a high-end car dealership. In the second episode they go after an exclusive jewelry design shop. Both episodes were a heck of a lot of fun.


Hopefully we’ll be seeing more of these episodes. I don’t see any upcoming episodes in the program guide data. I also couldn’t find the episodes on the CourtTV website. I had to bittorrent them (kids don’t try that at work).

Overindulging in alcohol can have tragic consequences if you get behind the wheel. Calling your company's tech support at 3am while drunk won't kill anyone, but it can't be a great career move.

Link (warning NSFW language)

Bag Check at Work

| No Comments | No TrackBacks

A FISMA audit stated that having a sign at the building entrance warning that all bags are subject to search is not enough. Physical security must actually search bags occasionally. Since then, on a periodic basis, security has set up a table by the entrance most employees use.

I ran into that mess on Friday afternoon. The timing of this security checkpoint says it all. If they were trying to find something, they wouldn't run a checkpoint on the Friday before New Year's. They were just trying to check off a box, not increase security. I got "lucky". They were stopping one person in five. They had me take out my laptop, verified that the portable property pass was valid for it, and had me hold open another zippered compartment in the bag.

Did it annoy me? Heck yeah it did. I'm trying to figure out why. Is my annoyance based more on the intrusion of it, or on the meaninglessness of it? I could have exited the building through three other doors without that hassle. I could carry out anything on a weekend without challenge; the doors are unmanned on the weekend. The check was so cursory it didn't have much chance of finding anything.

The New York subway bag checks can be refused if you turn around and walk away. The bag/receipt checkers at Wal-Mart can be ignored. Work bag checks are more problematic. Not following company policy can get you fired. If you have a security clearance, that could be revoked for not following security procedure.

It would help if I felt like the package inspection was more than security theatre. I'd like to at least know who the theatre is for. The employees don't feel safer because of it. I think it's theatre for the auditors and for the DoD.

Employees always feel that our computer security policies are too restrictive. Unlike this package inspection, most of the time we explain the need for them. It's only with the employees who try to debate the issue to death that we then point to external requirements such as FISMA.

Secure Erase

| 2 Comments | No TrackBacks

My desktop is coming off lease at the end of the month, so I was wiping it before returning it to the help desk. I decided to give Secure Erase another shot.

Secure Erase uses ATA commands to purge the data from the hard drive. This is supposed to be both more secure and faster than overwriting the data with 1s and 0s to the DoD standard. Also, its operation has been verified, unlike the many overwrite utilities that can be downloaded from the Internet.

In order to wipe a SATA drive with Secure Erase, the FAQ says I need to go into the BIOS and change the SATA settings to compatibility mode. Once I did this, Secure Erase was able to see my hard drive. After selecting that drive to wipe, I received a prompt that the system BIOS prevents this operation and I must reboot for HDDerase to attempt to override the BIOS. Rebooting didn't help. It seems some BIOSes freeze out attempts to run ATA commands after an OS has been loaded. The promise of a faster and more secure disk sanitization was nice, but in practice I couldn't get it to work on my computer. Even if I had found a way to unlock the drive, it is more complicated than what the help desk is doing now. The overwrite may take a while, but it is non-interactive and can be left running overnight. Secure Erase would require too many steps before the program could run.

Flash and Firefox

| No Comments | No TrackBacks

As I wrote about last week there is a critical vulnerability in Flash that needs to be patched. For the past couple of years, I've been updating the Flash IE plugin and ignoring the Flash plugin for other browsers. In our environment IE7 is currently supported. My feeling is if you know enough to install non-sanctioned browsers, you know enough to maintain them. (When the vulnerability scanner finds out of date software like that which we didn't supply we notify the user to patch it).

This time around, I was thinking of patching the Flash for Mozilla/Opera/Netscape as well. The last Flash update I pushed disabled the Flash update checker through an mms.cfg file. If an IT department is managing the Flash install, as we are for the Flash plugin for IE, then we don't want users updating on their own. I've also found that the update message causes calls to the helpdesk. It's easier if users only get update messages from us. The problem with this plan is I suspect the mms.cfg I dropped on the client is preventing the user from receiving Flash update messages for the Mozilla/Opera plugin. Because of this concern I decided to take a look at installing the Flash plugin for Mozilla/Opera browsers.

As you have probably gathered from this post, Adobe Flash has one install for IE and another for "plugin based browsers" (Mozilla/Opera). As all companies should, we use Adobe's free license for distributing internally. This provides us with access to MSI builds that aren't funkified with nasty added toolbars.

The best practice for installing Flash is to close all programs that use Flash prior to installation. In addition to web browsers this includes IM programs like AIM that use Flash in the advertisements. In my experience, with the IE Flash install you can get away without doing this. You can run the install silently. Flash will automatically update whenever the browser is closed.

When updating Flash for Firefox, I tried this same technique. Unfortunately this is not working. After installing Flash in Mozilla with no errors, I went to http://www.adobe.com/go/tn_15507 to test what version I'm running. It says I'm running 9.0.47.0 instead of 9.0.115.0. I closed Firefox and reopened it, no change. I rebooted it. No change.

Add/Remove Programs indicates "Adobe Flash Player 9 Plugin" is at version 9.0.115.0. Every copy of NPSWF32_FlashUtil.exe on the system is at 9.0.115.0. NPSWF32.dll in %windir%\system32\macromed\flash is at 9.0.115.0. It's only NPSWF32.dll in c:\program files\mozilla firefox\plugins that isn't at that version. This is a serious problem because if you didn't go to the version test website, you would believe you are patched, and most vulnerability scanners will believe you are patched.

Even if you later figure out what has happened, you are in a pickle. Once you have installed the Flash 9 Plugin and gotten into this situation, you can't run the patch again. It's already installed. A repair didn't seem to work for me either. You really should have closed Firefox before performing the Flash update to avoid this issue.

If you find yourself in this situation, you'll need to follow the instructions at http://www.adobe.com/go/tn_14157 (make sure you close everything that uses Flash). Then run the Flash test using the appropriate browser to verify that it's really gone. Then reinstall (make sure you close Firefox this time).

If I'm going to package this for an enterprise, I'm going to need to check for Firefox being open and either prompt the user to close it or kill the process prior to installing this update. Another possibility mentioned by my brother is to deploy the MSI package via AD so it installs at boot.
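A check for the mismatch described above, added here as an example; it is not code from the original post or from Adobe. It compares the version the package database reports against every on-disk copy of the plugin DLL, which is what a scanner that only reads Add/Remove Programs misses, and reports any process that embeds the plugin and must be closed before the installer runs. The file versions, the `tasklist /FO CSV` output and the list of plugin-hosting processes are constructed inputs; in a real job the versions would be read from the DLLs' version resources.

```python
"""Inventory-vs-disk check for a Flash plugin update (added example, not
from the original post). All inputs below are constructed."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed: the version Add/Remove Programs (and most scanners) report.
REPORTED_VERSION = "9.0.115.0"

# Constructed file-version readings for the two paths the post mentions.
ON_DISK_COPIES = {
    r"C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll": "9.0.115.0",
    r"C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll": "9.0.47.0",
}

# Constructed `tasklist /FO CSV` output (the header row is tasklist's real one).
TASKLIST_SAMPLE = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"System Idle Process","0","Console","0","28 K"\n'
    '"explorer.exe","1204","Console","0","22,412 K"\n'
    '"firefox.exe","2876","Console","0","61,300 K"\n'
)

# Assumed list of processes that load the plugin (browsers, AIM per the post).
PLUGIN_HOSTS = ("firefox.exe", "opera.exe", "iexplore.exe", "aim.exe")


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.0.115.0' -> (9, 0, 115, 0): compare numerically, not as strings,
    so that 9.0.47.0 is correctly seen as older than 9.0.115.0."""
    return tuple(int(part) for part in text.strip().split("."))


def stale_copies(reported: str, copies: Dict[str, str]) -> List[str]:
    """Paths whose file version is older than what the inventory claims."""
    target = parse_version(reported)
    return [path for path, ver in copies.items() if parse_version(ver) < target]


def running_processes(tasklist_csv: str) -> List[str]:
    """Lower-cased image names from `tasklist /FO CSV` output."""
    rows = list(csv.reader(io.StringIO(tasklist_csv)))
    return [row[0].lower() for row in rows[1:] if row]


def blocking_processes(tasklist_csv: str, hosts=PLUGIN_HOSTS) -> List[str]:
    """Plugin-hosting processes still running; the update must wait for these."""
    running = set(running_processes(tasklist_csv))
    return sorted(p for p in hosts if p in running)


if __name__ == "__main__":
    for path in stale_copies(REPORTED_VERSION, ON_DISK_COPIES):
        print("stale copy:", path, "is", ON_DISK_COPIES[path])
    for proc in blocking_processes(TASKLIST_SAMPLE):
        print("close before installing:", proc)
```

The numeric comparison matters: a plain string comparison would rank "9.0.47.0" above "9.0.115.0" and hide exactly the stale copy the post found.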

It looks like I'm not the only one who has problems with Flash and Firefox. Michael Horowitz in his Cnet blog "Defensive Computing" wrote about it here.

He also comments about all the old versions of Flash. Frequent readers may recall that I've been wondering about those myself. I found this Adobe FAQ that indicates it is not necessary to remove the older versions of the IE ActiveX plugin. But this fails to answer the question about the Mozilla-type plugins. I'm fine leaving the old versions.

What a pain.

Flash vulnerability

| No Comments | No TrackBacks

Just when you thought you were done patching for the year, Adobe releases a security bulletin for Flash.

Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier need to be patched.
Don't forget this needs to be verified for each browser you're running.

Yet Another SEP11 problem

| No Comments | No TrackBacks

I wrote last week how my Vista tablet cratered shortly after I installed Symantec Endpoint Protection 11. I've rebuilt that computer, and decided not to do any more testing with SEP for a while. If I didn't have Symantec coming in sometime soon for a NAC demo I'd be evaling McAfee Total Protection Enterprise.

Today I came in after a few days off and found that my desktop is out of hard drive space. After looking around I found 18.6 GB of files in c:\program files\common files\Symantec shared\. Most of these files were in directories named *.tmp. Now I know this sort of thing happened in previous versions of Symantec as well, but it hadn't happened to me, and it hadn't happened within weeks of installation.


Phishing Drills

| No Comments | No TrackBacks

Eweek has an interesting article on Phishing Drills. As the article points out, this isn't a new concept, but providing the drill as a service makes it a lot easier to implement. phishme.com is a new service (not yet available) from Intrepidus. It's a paid service that allows you to set up a mock phishing exercise to evaluate your employees' response to phishing and educate them if they fail.

It looks good; a Flash demo on the site shows reports on how many recipients clicked the link and how many actually attempted to input information at the "phishing" site.

I find myself wondering a couple of things. Will they differentiate people who followed the link using a text browser from those who used a regular browser? That would indicate that they are investigating the link rather than falling for it. I'm also wondering if this test would run into problems with existing defenses. If I have to whitelist their sending IP, that will show up in the mail headers. The users would then have an affirmative defense that they checked the source of the email and saw it was whitelisted.
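The distinction raised in the first question, worked as an added example; this is not code from the original post or from the phishme.com service. It sorts hits on a mock phishing site into recipients who merely clicked, recipients who submitted the fake login form, and recipients who fetched the link with a text browser or fetch tool, which is a sign of inspection rather than of being fooled. The log lines are constructed in Apache combined format, and the per-recipient token in the URL (`?t=...`) is an assumption about how a drill ties a hit back to a recipient.

```python
"""Classify mock-phishing hits by outcome (added example, not from the post).
Log lines and the tracking-token scheme are constructed for this illustration."""
import re
from collections import defaultdict
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent fragments for text browsers and fetch tools: someone looking at
# the link deliberately, not a mail client opening it in the default browser.
INSPECTION_AGENTS = ("lynx", "links", "w3m", "curl", "wget", "python-urllib", "libwww-perl")

# Constructed hits: alice clicks and submits, bob inspects with Lynx, carol only clicks.
SAMPLE_LOG = """\
10.1.4.22 - - [26/Oct/2007:09:12:01 -0400] "GET /offer?t=alice HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.1.4.22 - - [26/Oct/2007:09:12:40 -0400] "POST /login?t=alice HTTP/1.1" 302 0 "http://drill.example/offer?t=alice" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.1.7.9 - - [26/Oct/2007:09:15:03 -0400] "GET /offer?t=bob HTTP/1.1" 200 1532 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
10.1.7.9 - - [26/Oct/2007:09:15:10 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
10.1.9.3 - - [26/Oct/2007:09:20:17 -0400] "GET /offer?t=carol HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8"
"""

RANK = {"inspected": 0, "clicked": 1, "submitted": 2}   # worst outcome wins


def classify_hit(line: str) -> Optional[Tuple[str, str]]:
    """(recipient token, outcome) for one log line; None for untracked requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    token = parse_qs(url.query).get("t", [None])[0]
    if token is None:
        return None                       # e.g. /favicon.ico, no recipient attached
    ua = m["ua"].lower()
    if any(tag in ua for tag in INSPECTION_AGENTS):
        return token, "inspected"
    if m["method"] == "POST" and url.path == "/login":
        return token, "submitted"
    return token, "clicked"


def summarize(log_text: str) -> Dict[str, str]:
    """Worst outcome per recipient across all of their hits."""
    worst: Dict[str, str] = {}
    for line in log_text.splitlines():
        hit = classify_hit(line)
        if hit is None:
            continue
        token, outcome = hit
        if token not in worst or RANK[outcome] > RANK[worst[token]]:
            worst[token] = outcome
    return worst


def counts(log_text: str) -> Dict[str, int]:
    """How many recipients ended in each outcome, for the drill report."""
    tally: Dict[str, int] = defaultdict(int)
    for outcome in summarize(log_text).values():
        tally[outcome] += 1
    return dict(tally)
```

A recipient who first inspects with Lynx and later submits the form is still counted as "submitted"; the ranking exists so that a cautious-looking first hit does not mask a later failure.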

Quicktime 7.3.1 posted

| No Comments | No TrackBacks

Its been several years since I've seen this, but I ran across it again while reading some of JD's posts on his old blog.

I am posting this as a reference for myself. "How to ask a question the smart way" is a must read. It's not only good for asking questions on the internet, but for life in general. For all of the Microsoft die-hards, check out the KB article. It is a good summary. http://support.microsoft.com/kb/555375

http://www.us-cert.gov/current/index.html#microsoft_access_database_file_attachment

US-CERT is aware of a stack buffer overflow vulnerability in the way that Microsoft Access handles specially crafted database files. Opening a specially crafted Microsoft Access Database (e.g., .MDB) can cause arbitrary code execution without requiring any additional user interaction. Microsoft Access files are considered to be high-risk, so it may be possible to execute arbitrary code without using a vulnerability in Microsoft Access.

US-CERT is aware of active exploitation using malicious Microsoft Access databases.

To help protect against this type of attack, US-CERT recommends the following:

Do not open attachments from unsolicited email messages
Block high-risk file attachments at email gateways

Symantec Liveupdate November 21

| No Comments | No TrackBacks

I noticed today that Liveupdate on my home computer wasn't working. The definitions were at November 21, 2007. When I attempted to run liveupdate manually I received an error " LU1825: LiveUpdate could not understand how to install this update. You may need to get the latest version of LiveUpdate before you can install this update."

I'd previously been following threads about this problem over at Broadband Reports and at the Symantec Forums.

I followed the advice here to either reboot or restart the Symantec Antivirus service. I restarted the SAV service and immediately liveupdate worked. I've had this problem on SAVCE 10.1.6 and 10.0.1, but I've seen postings from users of Symantec AV consumer products as well.


http://www.fcw.com/online/news/151014-1.html?CMP=OTC-RSS

The Air Force is establishing a professional force of cyber operators and developing cyber career paths for officers, enlisted personnel and civilians. The new Air Force Cyber Command and the Air National Guard are among the focal points of the plan

I wonder what sort of boot camp these cyber warriors will go through.

AIM in Google Talk

| No Comments | No TrackBacks

Google has added AIM to Google Talk. For companies like mine, I'm not sure this is a good thing. We implemented IM security after one too many people got infected and the helpdesk was flooded with calls as their computer sent IMs to everyone in their buddy list. For other companies it is a compliance issue rather than a security issue. They need to have IM logs.

It's pretty easy to protect the public IM clients using business solutions from Symantec, Akonix or Facetime. IM over HTTP is another matter. Google has always made it tough to block their GTalk over HTTP by integrating it with Google Mail. I haven't yet heard of a way to block Google Talk without blocking Google Mail. Now they've added AIM to the mix.

Update: you can actually block Google Talk in Gmail (http://mail.google.com/support/bin/answer.py?hl=en&answer=34330). In DNS, point chatenabled.mail.google.com to 127.0.0.1.

US CERT has posted an alert about a zero day vulnerability in Quicktime

US-CERT is aware of a vulnerability in Apple QuickTime that may allow an attacker to execute arbitrary code or cause a denial-of-service condition on an affected system.

Until a security fix becomes available, US-CERT encourages users and administrators to follow the Securing Your Web Browser document to help mitigate the security risk.

That seems about right. I just pushed the last security fix from Quicktime out to the first test group.


Last week, we received the draft results of our most recent audit. There were some interesting findings.

One of the findings said that we had too many disabled accounts. We have a lot of domain accounts for a company of our size. When we migrated from Lotus Notes to Exchange many years ago, the Exchange administrator created accounts in AD for generic mailboxes. When we started using unified messaging (where your voicemail is delivered to your inbox as a WAV file), that led to domain accounts being created for voicemail storage. When we implemented Sharepoint, the admin said we needed AD accounts for every entity that needed to exist in the phone book. So accounts were created for conference rooms and other things needing to appear in the phonebook.

Most of these accounts would never actually be logged into. The generic mailboxes could be accessed by assigning Exchange permissions on the mailbox. The voicemail boxes were accessed either through assigning exchange permission or accessing messages through the phone. The accounts to get things into the phone directory didn't need to be logged into either. So the accounts were disabled.

That's why we have so many domain accounts that are disabled. According to the responsible system administrators, the accounts are necessary. It still seems kind of funny to have domain accounts for the men's and women's restrooms. If the powers that be want those rooms listed in the company phone directory, that is the way it has to be.

Computer Naming Disasters

| No Comments | No TrackBacks

Sharktank had a funny entry about computer naming disasters.

The company's initials are THS, so the rebuilt servers get names such as THSad1 and THSad2. That makes it easier to find the right server when browsing the network.

But the day after the new e-mail server goes live, fish's own in-box is flooded -- and all the messages ask the same question.

"The users' mail clients announced the new server name in a pop-up before allowing them to connect," says fish. "In came the wave of e-mails asking why the new server was named 'the sex change.'"


In their case the company name THS followed by the server role EXCHANGE was read by many people as Th(e)SexChange instead of THSExchange.

We had the same thing happen to us although we noticed the problem before the server went production and got it fixed. We thought it was kind of funny that the server was going to be known as "empty sex" but the director put a stop to that. :)

The Taipei Times is reporting:

Portable hard discs sold locally and produced by US disk-drive manufacturer Seagate Technology have been found to carry Trojan horse viruses that automatically upload to Beijing Web sites anything the computer user saves on the hard disc.

Around 1,800 of the portable Maxtor hard discs, produced in Thailand, carried two Trojan horse viruses: autorun.inf and ghost.pif.

The tainted portable hard disc uploads any information saved on the computer automatically and without the owner's knowledge to www.nice8.org and www.we168.org.

The affected hard discs are Maxtor Basics 500G discs.

Cisco VPN upgrade

| No Comments | No TrackBacks

I pushed the Cisco VPN client to the department test group. This means that the 5.0.2 beta client that I've been waiting on will be released on Monday. ;)

Thus far I haven't had the adoption rate I would have hoped for, but this is a holiday weekend.
Only a few problems so far:
1. The new profile is set to UDP; a user had an issue because of their D-Link router. We had to go in and set it to TCP for it to work.
2. A permissions error during the install when it tried to modify the MTU setting.
3. A user not understanding the instructions while upgrading the VPN client while connected through the VPN.
4. User-created shortcuts not being removed when the old version is uninstalled. The old version went in a custom location; the new version is going to the default location.

No major disasters which is a good thing.

Quicktime 7.3

| No Comments | No TrackBacks

Ugh, another Quicktime update.

Adobe PDF Attacks

| No Comments | No TrackBacks

Symantec's blog entry about the Adobe PDF exploits reported that the attacks were targeted attacks on a handful of specific organizations. Their writeup on trojan.pidief.a still has a low threat assessment:

Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low

It looks to me like these malicious PDFs are being spammed more widely right now. We've received files detected as exploit-pdf.shell.

Subject Lines / File names
Personal Credit Points / report.pdf
Personal Financial Statement / report.pdf
Statement of retained earnings / dept.2007.10.26.3689762.pdf

Jeff Jonas

| No Comments | No TrackBacks

I was over at the Federal Information Assurance Conference yesterday and today. Today Jeff Jonas from IBM was one of the speakers. That was rather cool, because I had just read an article in the Washington Post about his work.

Basically, he analyzes separate data sets for commonalities. Casinos, for example, might have employee databases, and they also have databases of people who have signed up for their player's card. Rather than the left hand not knowing what the right hand is doing, he looks for commonality so you can find out that the guy who is winning big has the same home address as the dealer. Queries become data: if I ask about John Brown today and there is no data, but tomorrow John Brown checks into the hotel, it will tell me about him. Or perhaps someone in another department is interested in John Brown and I don't know about it. The logic will put the two of us together.

Jeff's blog is http://jeffjonas.typepad.com/

First seen at the ISC, Adobe has released updates for Acrobat and Reader 8.1. They strongly urge the application of these updates.

Updates for 7.0.9 were not released. Surprisingly Adobe says they will be releasing them later. I had expected the next Adobe security bulletin to be a wedge to force users to upgrade.

Real Fix Available

| No Comments | No TrackBacks

If you didn't see it, yesterday AVERT reported that a fix is available for the Real Player zero day.


Fakechecks.org

| 1 Comment | No TrackBacks

Tonight, I saw a public service announcement educating viewers about online scams. The U.S. Postal Inspection Service has put up a site, fakechecks.org. They have fraud tests, videos and prevention advice.

I thought this was a really cool site. It's pretty easy to make fun of the rubes that are losing money this way. Be a better person than that and educate them so they aren't taken advantage of by online con men.

NASA Bans IE?

| 3 Comments | No TrackBacks

I heard that NASA is telling employees and contractors not to use IE due to malware affecting Internet Explorer and Real Player.

"Affected Platforms: Any MS Windows system running with Real Player installed and Platforms Internet Explorer used as the routine web browser. At this time it is believed all variations of Internet Explorer and Real Player may be affected."

They say "The malware appears to be spreading through a large variety of common and highly-respected Internet sites, however it does not appear these sites are themselves infected. The affected sites are serving solely as a mechanism to attract potential victims."

I haven't heard anything about attacks through RealPlayer and IE, much less through common sites that have been exploited. It sounds related to this advisory from Microsoft, but that was IE7 on XP only. There are some RealPlayer issues over at Secunia, but those would affect RealPlayer only. The problem wouldn't be browser specific, and a patch is available.

Interesting to see how this develops. If there is a targeted attack against NASA as this would seem to indicate, we'll hear about it eventually.

update - I have seen an updated email alert from them saying if you need to use IE, you should remove Real.

DNS Security

| No Comments | No TrackBacks

The Symantec Security Response weblog has a good entry today on DNS security. It's worth reading. The problem I see is that it's short on solutions. Sure, it's a nice observation that SSL will warn you, but what else can you do?

I appreciate that they didn't go with the "use OpenDNS" kneejerk response that I see a lot. Depending on your ISP, the OpenDNS servers may be more secure. But if you're a large company, you want your ISP to be certified and accredited. That may be easier to force your ISP to obtain (you're paying them a lot of money, after all). As the article states, the DNS response is still vulnerable to spoofing.

There were a couple of points not covered by the article.
1. What if you get infected and the infection changes your DNS server settings? Will you catch that?
2. DNSSEC, if it were ever implemented, would provide some protection. I would have been interested in the author's take on that.
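One answer to the first point, added here as an example (not code from the original post or from the Symantec article it discusses): a host-side check that parses `ipconfig /all` output and flags any configured resolver that is not on the approved list, which is what an infection that rewrites the DNS settings would trip. The approved addresses and the ipconfig text are constructed for this illustration (203.0.113.0/24 is documentation address space), and the adapter names are the ones Windows XP prints.

```python
"""Rogue-resolver check over `ipconfig /all` output (added example, not from
the post). Approved servers and the sample output are constructed."""
import ipaddress
import re

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # constructed corporate resolvers

# "   DNS Servers . . . . . . . . . . . : 10.0.0.53"  ->  name="DNS Servers", value="10.0.0.53"
FIELD_RE = re.compile(r"^\s+(?P<name>[A-Za-z][A-Za-z0-9 \-]*?)[ .]*: ?(?P<value>.*)$")

IPCONFIG_SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-0417
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IP Address. . . . . . . . . . . . : 10.0.5.17
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.5.1
   DHCP Server . . . . . . . . . . . : 10.0.0.10
   DNS Servers . . . . . . . . . . . : 203.0.113.36
                                       203.0.113.37
   Lease Obtained. . . . . . . . . . : Friday, October 19, 2007 8:01:12 AM

Ethernet adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : corp.example
   IP Address. . . . . . . . . . . . : 10.0.9.44
   DNS Servers . . . . . . . . . . . : 10.0.0.53
                                       10.0.1.53
"""


def dns_servers(ipconfig_text):
    """Map adapter name -> list of configured resolvers, honouring the
    indented continuation lines ipconfig uses for second and later servers."""
    servers = {}
    adapter = None
    in_dns = False
    for line in ipconfig_text.splitlines():
        stripped = line.strip()
        if not stripped:
            in_dns = False
            continue
        if not line[0].isspace() and stripped.endswith(":"):
            adapter = stripped[:-1]        # adapter header, e.g. "Ethernet adapter ...:"
            in_dns = False
            continue
        m = FIELD_RE.match(line)
        if m:
            in_dns = m["name"].strip().lower() == "dns servers"
            if in_dns:
                servers.setdefault(adapter, []).append(m["value"].strip())
        elif in_dns:
            servers[adapter].append(stripped)   # continuation line: one more resolver
    return servers


def rogue_resolvers(ipconfig_text, approved=APPROVED_RESOLVERS):
    """(adapter, resolver) pairs that point anywhere but the approved servers."""
    findings = []
    for adapter, entries in dns_servers(ipconfig_text).items():
        for entry in entries:
            try:
                addr = str(ipaddress.ip_address(entry))
            except ValueError:
                findings.append((adapter, entry))   # not even an address: worth a look
                continue
            if addr not in approved:
                findings.append((adapter, addr))
    return findings


if __name__ == "__main__":
    for adapter, resolver in rogue_resolvers(IPCONFIG_SAMPLE):
        print("unexpected resolver on", adapter + ":", resolver)
```

Run from a login script or a scheduled job, a non-empty result is the signal the post asks for; the same comparison applies to a static resolver written by malware and to one handed out by a compromised DHCP server.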

McAfee buys Safeboot

| No Comments | No TrackBacks

This is interesting, McAfee has purchased Safeboot for $350 million.

Safeboot seems to be the name I hear most when talking to people at other companies about what FDE products they use. I wonder if ePO will be extended to manage this software in the next few years. That would be pretty cool. I found Safeboot to be rather buggy in my eval. But it seems similar problems occur in any FDE product.

That McAfee would make this purchase shows that they think this will continue to be a big market. One wonders what other companies may be on the market.

It takes a thief

| No Comments | No TrackBacks

Russell Shaw, blogging on the front page of ZDNet, finds it hard to believe that someone who hasn't been on the Internet can be on a jury that finds someone guilty of illegally using Kazaa to share copyright-protected material.

I don't know if Russell is starting with the default assumption that all music should be free. It certainly seems as if the anti-RIAA forces believe that at their heart. I do kind of wonder if he extends that thinking to other crimes. Should I not be allowed to be on a jury that convicts a thief unless I've stolen myself? I guess I just don't feel that thieving is all that different in cyberspace. Good for them for not falling for the specious argument that "it wasn't me, it was my insecure wireless, therefore I am blameless."

I also think it's kind of funny that Russell thinks funeral directors are supposed to be compassionate, therefore they should give light penalties during the sentencing phase of a trial.

Blue Coat announced today that its Dynamic Real-Time Rating (DRTR) will now categorize phishing sites on the fly in addition to pornography and gambling sites. DRTR is used to categorize previously uncategorized sites.

JAVA Updates

| No Comments | No TrackBacks

Sun has an update available for the Java Runtime Environment versions 1.3.1, 1.4.2, 5.0 and 6.0. When I looked at the fix list for 6, I really couldn't tell if this update was necessary from a security perspective or not. After reviewing an article at Techworld, I've decided I need to get this on the update schedule.

[quote]
Although Sun does not assign threat scores or label its advisories with terms such as "critical" or "low," Danish bug tracking vendor Secunia collectively tagged the five advisories and their 11 patches as "highly critical," its second-highest ranking.
[/quote]

Saw this on the McAfee blog.

Quicktime Update Released

| No Comments | No TrackBacks

Apple released a Quicktime update tonight bringing us to 7.2.0.245.
Download Link

The patch is issued to resolve "a command injection issue exists in QuickTime's handling of URLs in the qtnext field in QTL files."

It would have been nice if they'd updated the file version of quicktimeplayer.exe or updated the version information in Add/Remove Programs. Now I have to either talk the SMS guys into adding QuickTime.qts to the software inventory or just go ahead and run this patch one time on anything that has Quicktime 7.2.

I saw a post today on the Security Basics mailing list asking "Why isn't full disk encryption from manufactures a slam dunk?"

I think the answer is that it is still rather new. Because it's new, some people are waiting to see if it's defeated by attackers. Others made recent investments in software FDE. Dell just made the Seagate drive available in the Latitude line at the end of July. Give it some time. I expect within three years hardware FDE will be the norm.

I received a Dell Lat 830 with a Seagate Momentus 5400.2 FDE drive on Tuesday. I need to remove the software encryption the help desk loaded on there, but I should have some comments later this week.

The message that you need to sanitize public content to remove tracked changes, comments and other private work product hasn't filtered out to the State Department.

It seems the State Department was caught holding a course on business open to citizens of "Algeria, Bahrain, Egypt, Iraq, Israel (limited to Israeli Arab citizens), Jordan, Kuwait, Lebanon, Morocco, Oman, Qatar, Saudi Arabia, Tunisia, the United Arab Emirates, West Bank/Gaza and Yemen."

When news of this United States State Department program that excluded Israeli Jews leaked, they edited the Word document that announced that program, and reposted it. Unfortunately they had left "track changes" on and not purged that prior to reposting.

[image: trackChanges.jpg]

Let that be a lesson: when trying to cover up a program that discriminates based on national origin, make sure you remove hidden data before posting a document to a website. Additionally, LGF reports that one of the sites hosting information on that program was serving up the Tibs-Dialer as well.

I saw this article linked from the Drudge Report.

US Video Shows Simulated Hacker Attack

A government video shows the potential destruction caused by hackers seizing control of a crucial part of the U.S. electrical grid: an industrial turbine spinning wildly out of control until it becomes a smoking hulk and power shuts down.

Apparently the US Government has obtained a copy of the latest Die Hard movie.

"They've taken a theoretical attack and they've shown in a very demonstrable way the impact you can have using cyber means and cyber techniques against this type of infrastructure," said Amit Yoran, former U.S. cybersecurity chief for the Bush administration. Yoran is chief executive for NetWitness Corp., which sells sophisticated network monitoring software.

"It's so graphic," Yoran said. "Talking about bits and bytes doesn't have the same impact as seeing something catch fire."

So this is like the Day After Tomorrow, Super Volcano or the disaster movie of the week on SciFi. All that talk of a digital pearl harbor just wasn't getting enough attention or money, so now they are creating videos about what could happen.


Even after Y2K, it's quite popular to Speculate Creatively About Dastardly Attacks.

Why good passwords?

| No Comments | No TrackBacks

[image: password.gif]

Auditors and Company Policy

| 2 Comments | No TrackBacks

It's always nice when your own auditors follow company policy. We have an external auditor in for the next six weeks in order to obtain FISMA certification. At the kickoff meeting, we told the auditors that they were not allowed to put their computers on our internal network, but they were more than welcome to use our guest wireless. This information was also on the account request form that they signed.

I had a feeling that they weren't going to follow our policy. We don't currently have a technical mechanism in place to enforce such a policy. I opened our DHCP management console and sure enough 5 computers had a DHCP lease with a computer name and domain giving away that their owner was this auditing firm.

So I was able to bust them on that, and prove to them that we do review the logs and record anomalies in servicedesk.
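The lease review described above, turned into a repeatable check; this is an added example, not code from the original post. It sweeps a DHCP lease export for clients whose DNS suffix is not the company's or whose host name breaks the corporate naming convention, so the "five foreign laptops" case surfaces without someone eyeballing the console. The naming convention, the domain and the lease rows are constructed, and the CSV layout is an assumption rather than any particular DHCP server's export format.

```python
"""Foreign-client sweep over a DHCP lease export (added example, not from
the post). Convention, suffix and rows are constructed."""
import csv
import io
import re

CORP_SUFFIX = "corp.example"
# Constructed convention: workstations WS-nnnn, laptops LT-nnnn, servers SRV-name.
CORP_NAME_RE = re.compile(r"^(WS|LT)-\d{4}$|^SRV-[A-Z0-9]+$", re.IGNORECASE)

# Constructed lease export; the column layout is an assumption.
LEASES_CSV = """\
ip,mac,client_name,expires
10.0.5.17,00-13-20-aa-bb-01,WS-0417.corp.example,2007-09-04 08:01
10.0.5.18,00-13-20-aa-bb-02,LT-0902.corp.example,2007-09-04 08:05
10.0.5.40,00-0f-1f-cc-dd-10,AUDIT-LAPTOP07.auditfirm.example,2007-09-04 09:12
10.0.5.41,00-0f-1f-cc-dd-11,AUDIT-LAPTOP12.auditfirm.example,2007-09-04 09:14
10.0.5.42,00-16-41-ee-ff-20,jims-macbook,2007-09-04 09:30
"""


def split_client_name(name):
    """'WS-0417.corp.example' -> ('WS-0417', 'corp.example'); bare names get ''."""
    host, _, suffix = name.partition(".")
    return host, suffix.lower()


def foreign_leases(csv_text, corp_suffix=CORP_SUFFIX, name_re=CORP_NAME_RE):
    """(ip, client name, reasons) for every lease that does not look like ours."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, suffix = split_client_name(row["client_name"])
        reasons = []
        if suffix != corp_suffix.lower():
            reasons.append("foreign or missing DNS suffix: %r" % suffix)
        if not name_re.match(host):
            reasons.append("name outside convention: %r" % host)
        if reasons:
            findings.append((row["ip"], row["client_name"], reasons))
    return findings


if __name__ == "__main__":
    for ip, name, reasons in foreign_leases(LEASES_CSV):
        print(ip, name, "; ".join(reasons))
```

Both tests are needed: a visitor who joins the domain would pass the suffix check but fail the naming check, and a machine named to match the convention but never joined would fail the suffix check.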

Cox adds SSL for Webmail

| No Comments | No TrackBacks

Back in February I repeated Rob Pegoraro's announcement that SSL for Cox Webmail would be occurring in the first quarter of 2007.

In July, Cox enabled POP3 over SSL and indicated that SSL for Webmail was coming soon as well.

Cox has finally enabled SSL for Webmail, but it is only protecting the credentials at login.

There are several problems with this.
1) When you type in your login credentials, you are at a non-SSL site. You cannot verify the authenticity of the site to which you are providing credentials.
2) When you read your email it doesn't go over an encrypted link.
3) It may be vulnerable to a cookie replay attack such as the one announced against Google Mail at Blackhat 2007
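The three problems above, as a check one could run against a webmail login; this is an added example, not code from the original post and not Cox's. It reports whether the page carrying the password field is itself served over https (problem 1), whether the form posts over https, and whether the session cookie carries the Secure flag so it is not sent in the clear on the later http pages (problems 2 and 3, since a cookie that travels unencrypted is what a replay attack needs). The URLs, HTML and Set-Cookie headers are constructed.

```python
"""Webmail login audit: page scheme, form target scheme, cookie Secure flag
(added example, not from the post). Inputs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormScanner(HTMLParser):
    """Collect every <form> that contains an <input type=password>."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def cookie_findings(set_cookie_headers):
    """Cookies set without Secure will be sent on plain-http requests, so a
    session cookie from an https login is exposed as soon as mail is read over http."""
    out = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";") if p.strip()]
        name = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in flags:
            out.append("cookie %s lacks Secure: sent in clear on http pages, replayable" % name)
    return out


def audit_login(page_url, html_text, set_cookie_headers):
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("login page itself is http: site cannot be verified before credentials are typed")
    scanner = LoginFormScanner()
    scanner.feed(html_text)
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlparse(target).scheme != "https":
            findings.append("password form posts to %s without TLS" % target)
    findings.extend(cookie_findings(set_cookie_headers))
    return findings


# Constructed: the pattern the post describes, only the credential POST goes over TLS.
WEAK_PAGE = ("http://webmail.example.net/",
             '<form method="post" action="https://webmail.example.net/login">'
             '<input name="user"><input type="password" name="pw"></form>',
             ["WM_SESSION=abc123; Path=/; HttpOnly"])

# Constructed: everything over https and the session cookie marked Secure.
STRONG_PAGE = ("https://webmail.example.net/",
               WEAK_PAGE[1],
               ["WM_SESSION=abc123; Path=/; Secure; HttpOnly"])

if __name__ == "__main__":
    for finding in audit_login(*WEAK_PAGE):
        print("-", finding)
```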

Remembering Rick Rescorla

| No Comments | No TrackBacks

On this somber day, I pause to remember Rick Rescorla. On September 11, 2001 he helped guide the Morgan Stanley employees in his care out of the World Trade Center. His foresight as a security officer saved many lives that day at the cost of his own life.

God bless Rick Rescorla.

Cuckoo's Egg

| No Comments | No TrackBacks

[image: cuckoo.jpg]

I re-read The Cuckoo's Egg by Clifford Stoll this week. I last read it about 10 years ago as I was just starting my career.

Reading it now, it's kind of funny to see that the debates haven't changed. If you are new to this field, you might think that Dan Geer invented the concept of operating system diversity. As I read the book, I found that Cliff mentioned this twice. Of course, then the diversity was Unix, Berkeley Unix, and the VAX.

Passwords were another point of contention that hasn't changed. Cliff was complaining that admins made their password requirements too stringent (such as system-selected passwords) and as a result the users wrote them down. Of course, Cliff later found that when users select the passwords, they are often dictionary words and those were easily brute-forced.

In the book, Bill Chandler of Mitre is quoted as saying, "simply impossible. We're running a secure shop. No one can break in" when told that a hacker had abused their systems to attack others. Let's not similarly stick our heads in the sand when it comes to security issues.

Last week I wrote in a semi-literate fashion about my difficulties in packaging the Cisco VPN client. This week I continued trying to package the Cisco VPN client.

The problems continued this week. During the install of 5.0.01.0600 neither the profile nor the rootcert was imported. I was able to fix the profile import issue. It turns out there is a bug article saying the install path should not have dashes in the folder names. TAC tells me the rootcert import issue will not be fixed in 5.0.02 and possibly not for a couple of revisions after that.

This leaves me in a quandary. Can I deploy 5.0.00.0340 instead? The later version does solve a privilege escalation issue. However, that can be resolved by removing the permission for "interactive" on cvpnd.exe. I don't see any other pressing fixes in the release notes. Perhaps I'll even be able to stick to the InstallShield version and not be forced into using the MSI.

Steve Riley writes about our favorite topic to beat into the ground, passwords. He hits three key points, account lockouts, disabling unused accounts and password expiration.

I more or less agree with him about account lockouts. They are a poor substitute for good passwords. They cause (a few) calls to the helpdesk, and open a vulnerability to a denial of service attack. The problem is how do you then enforce the 15-character passphrase that he recommends? While it is both more memorable and more secure, that doesn't mean it won't get fought hard.

Can you really do away with account lockouts? Lockouts are still seen by many as a requirement for account security. I heard a story recently of a satellite ground system that wanted to lockout their operators accounts until an administrator could perform a reset. During the night the operators would be unable to access their terminals because the administrators only worked during the day. The computer systems are in a secure area on a private network. Does the perceived benefit of account lockout justify the threat to the satellite and its data? I'd say no. Section AC-7 of NIST SP 800-53 lists requirements for account lockouts. If you've got an audit, account lockouts are probably on the list of things they are looking for.

Steve pretty much says that disabling unused accounts is an HR problem. While it is true that the accounts process needs to be hooked into HR, this will only give you hires, terminations, and if you're lucky people transitioning to an "on-call" role. If you have a policy that an account is created for every employee, there will be employees who don't use the accounts.

Finding a good program or script to disable unused accounts is not easy. You want it to run on a schedule; you don't want to have to do this yourself manually. It must be able to exclude users by account name, security group or OU. It must be able to notice when "password never expires" is set so it ignores those accounts. If you're running a Windows 2000 domain it needs to collect lastLogon from each domain controller and find the most recent time for each account, because that attribute is not replicated. In a Windows 2003 domain there is an AD account attribute, lastLogonTimestamp, that collects this and replicates it for you (with a lag of up to 14 days, so it is good for finding stale accounts but not for forensics). Lastly it must be able to disable the account without modifying the other attributes. This is kind of a pain since the account-disable flag is actually one bit (0x2, ACCOUNTDISABLE) of userAccountControl, which stores a bunch of other things.
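Here is an added example of what such a script looks like in PowerShell; it is not code from the original post. It assumes the ActiveDirectory module and a Windows 2003 or later domain so that lastLogonTimestamp is replicated (a function for the Windows 2000 per-DC lastLogon case is included but commented out). The account names, group and OU in the exclusion lists are hypothetical placeholders.

```powershell
# Added example, not code from the original post: report (and optionally
# disable) accounts idle for more than $MaxIdleDays with the exclusions the
# post asks for. Assumes the ActiveDirectory module and a Windows 2003 or
# later domain, where lastLogonTimestamp is replicated. The names, group and
# OU below are hypothetical placeholders; edit them for your domain.
Import-Module ActiveDirectory

$MaxIdleDays   = 90
$ExcludeNames  = @('Administrator', 'krbtgt', 'svc-backup')       # hypothetical
$ExcludeGroups = @('Service Accounts')                            # hypothetical
$ExcludeOUs    = @('OU=Service Accounts,DC=example,DC=com')       # hypothetical
$ReportOnly    = $true          # set to $false to actually disable accounts

$ACCOUNTDISABLE       = 0x00002  # userAccountControl: account is disabled
$DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl: password never expires
$cutoff = (Get-Date).AddDays(-$MaxIdleDays)

# Windows 2000 domains do not replicate lastLogon: ask every DC and keep the newest value.
function Get-NewestLastLogon([string]$SamAccountName) {
    $newest = 0L
    foreach ($dc in Get-ADDomainController -Filter *) {
        $v = (Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon).lastLogon
        if ($v -gt $newest) { $newest = $v }
    }
    return $newest
}

# Resolve excluded groups once, recursively, so nested members are skipped too.
$excludedDNs = foreach ($g in $ExcludeGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty distinguishedName
}

$props = 'lastLogonTimestamp', 'userAccountControl', 'whenCreated'
Get-ADUser -Filter * -Properties $props | ForEach-Object {
    $u   = $_
    $uac = [int]$u.userAccountControl
    if (-not $u.Enabled) { return }                                   # already disabled
    if ($ExcludeNames -contains $u.SamAccountName) { return }
    if ($excludedDNs -contains $u.DistinguishedName) { return }
    if ($ExcludeOUs | Where-Object { $u.DistinguishedName -like "*,$_" }) { return }
    if ($uac -band $DONT_EXPIRE_PASSWORD) { return }                   # service-style account

    # lastLogonTimestamp is a FILETIME; it lags the real last logon by up to 14 days,
    # so keep $MaxIdleDays well above that. Never-logged-on accounts have no value at all,
    # so age them from whenCreated instead.
    $ft = $u.lastLogonTimestamp
    # $ft = Get-NewestLastLogon $u.SamAccountName    # use this instead on a Windows 2000 domain
    $lastSeen = if ($ft) { [DateTime]::FromFileTime($ft) } else { $u.whenCreated }
    if ($lastSeen -gt $cutoff) { return }

    '{0,-24} last seen {1:yyyy-MM-dd}' -f $u.SamAccountName, $lastSeen
    if (-not $ReportOnly) {
        # Set only the ACCOUNTDISABLE bit; every other flag in userAccountControl is preserved.
        Set-ADUser -Identity $u -Replace @{ userAccountControl = ($uac -bor $ACCOUNTDISABLE) }
    }
}
```

Run it as a scheduled task under an account allowed to disable users, with $ReportOnly left at $true until the report only lists accounts you expect, and have the task mail you the output so the schedule is also an audit trail.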

Password expiration helps prevent the bad guy from having access forever if he does penetrate the account. It also annoys the crap out of people who are sharing accounts (against policy). To me it makes sense for sensitive accounts to be changed more often than regular accounts. I don't think this can be done with Windows currently. I recently used Anixis Password Policy Enforcer to create a separate 60-day expiration for users with domain administrator privileges. (Regular users have a 90-day expiration.)
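Windows Server 2008 later added fine-grained password policies, which do exactly this once the domain is at the 2008 functional level. The following is an added example, not something from the original post or from Anixis: a 60-day maximum age for Domain Admins layered over a 90-day domain default. The policy name is a placeholder and the other settings are illustrative values.

```powershell
# Added example, not code from the original post: a 60-day password age for
# Domain Admins via a fine-grained password policy (Windows Server 2008+,
# 2008 domain functional level). Policy name and values are placeholders.
Import-Module ActiveDirectory

New-ADFineGrainedPasswordPolicy -Name 'PSO-DomainAdmins-60d' `
    -Precedence 10 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 0     # 0 = no lockout; raise it if your auditors insist on AC-7 lockouts

# Attach the policy to the group. If a user matches several PSOs, the lowest
# Precedence wins, so keep admin policies at low numbers.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-DomainAdmins-60d' -Subjects 'Domain Admins'

# Verify which policy actually applies to a given admin. A $null result means
# only the default domain policy (the 90-day one) applies.
Get-ADUserResultantPasswordPolicy -Identity 'Administrator' |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength
```

The resultant-policy check at the end is the part worth keeping in your audit script: a PSO that exists but is not linked to the right group looks fine in the GUI and does nothing.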

Password policies generate a lot of discussion. It seems to be like "is antivirus dead": every 6-12 months someone kicks off the same discussion.

Packaging the Cisco VPN Client

| 2 Comments | No TrackBacks

For some reason the Cisco VPN client was available in both an InstallShield package and an MSI package. It became time to upgrade recently, so I reluctantly re-entered the realm of Cisco software. This is something truly to be feared.

The InstallShield version is rather easy to install and brand, although it appears to be impossible to import two root certificates. The MSI version requires creating a transform file and has some really bad instructions about using Microsoft Orca to do this. I also found out that if you have an InstallShield version of the Cisco VPN client installed, you must remove it and reboot before attempting to install the MSI version (and then reboot again).

Unfortunately Cisco has pulled the InstallShield version of the latest release, and they report that no further InstallShield versions will be released. I guess I'll have to figure out how to package the MSI version, because I just don't want to deploy an older, slightly vulnerable InstallShield version, particularly when no further InstallShield versions will be released.

nginx, Storm Worm and Cisco IDS

| No Comments | No TrackBacks

On August 21, the SANS Internet Storm Center noted that the Storm Worm was now being hosted on servers running nginx in the latest wave of attacks. They further noted that signatures based just on that server name were a bad idea because nginx is a legitimate web server.

I notice that my Cisco IDS is reporting instances of the Storm Worm. A lookup of that signature in the Cisco IPS signature database found that "the signature triggers on seeing the string "Server:ngix" in the return web traffic." While it does note that this could be legitimate traffic, this really wastes my time.

On paper, security is supposed to be a consideration in determining what products are purchased at my company. That message hasn't filtered out to all parts of the IT department, unfortunately. It's not that I want to have to be at every vendor meeting; it would just be nice if the security considerations came before the purchase order is created rather than as the product is deployed to the test bed.

The latest product that leaves me scratching my head is Hummingbird DM.

Hummingbird DM is a document management solution that we have purchased as part of a decision to move away from home grown Lotus Notes databases.

To use Hummingbird DM you have to install a client that digs in deep and takes over much of the computer. What I've noticed is that this client opens a web server listening on port 81. I'm not sure of the purpose, but it seems very unnecessary. Permissions also seem to be an issue. I'm sure there are more folders than the ones I have access to, but in the folders I can see, I can see sensitive data. What I'm told is that it is up to the user to set permissions when they upload a document. This goes against the best practice of not leaving security in the hands of the end user.

Mozying along

| 2 Comments | No TrackBacks

Last month, I read a blog entry over at zatznotfunny about Mozy that got me thinking. Perhaps it's time to give in to best practice and back up my stuff. I last backed up my home computer in 1995. It was an AST computer with a built-in tape drive of some sort. That computer has been in a closet for 8 years.

Backing up to a USB (or preferably eSATA) hard drive is fine, but if you don't take the drive to another location you still have potential data loss issues. Once you've done that, how do you guarantee a reasonable schedule for backing up?

Some people suggest that I back up to the extra disk space provided by my web provider. If I did that, I would have to somehow schedule backing up, encrypting the data and copying it to the remote server. My web provider's Terms of Service state that the storage space is for files necessary to the website, so that is not allowed anyway. Others mention Google Mail or Amazon's S3 service as a great way to store data cheaply. I think it's important to have software that you can count on to back the files up. I don't want a kludge.

So that brought me to Mozy. Free for the first 2 GB of data or 4.95 per month for unlimited. That sounded pretty good. If you exclude your media the free account may be good enough. If you want to back up the videos of the kid's first recital, then cough up the dough for the unlimited account. ArsTechnica had a review in July of several similar products and Mozy came out on top. After checking out their site, I googled to get the other side. A CNet blogger doesn't like it, but I think he's being unusually picky.

As I mentioned, data privacy is a concern when you send your data away. With Mozy there is an option to back up with their key or with a key you provide. The more paranoid would say that since it is their software doing the encryption, either key could really be known and stored by them. I chose to go with them picking the key for easier recoverability. I'll choose to trust their privacy policy that they do not look in data files. Hopefully controls are in place to prevent low-level, uncleared employees from obtaining access.

My data is encrypting now. So far I'm pretty pleased. I'll have to test recovery (they say it may take some time to create the recovery set for you).

As I say, I just installed it, so I'm not giving a full recommendation. However, you do need to be doing something with backup. If you do choose to try out Mozy, please use this link https://mozy.com/?ref=M447CB. If you sign up from that link and begin backing up data, we'll both get a free 256 MB bump up.

Savior or Target

| No Comments | No TrackBacks

Last month there was a data breach at a Fidelity National Information Services subsidiary. Today, I notice they have a job posting for a Project Manager in Security/Audit/Compliance.

So is this
a) coincidence
b) locking the barn door after the horses escape
c) someone got canned.

Similarly, a few weeks ago I saw a job for a deputy secretary for infosec at the U.S. Department of Veterans Affairs. They've been having issue after issue with data disclosure. One wonders if they are just hiring the person who will take the blame for the next incident.

I'm reviewing our Site Security Plan in preparation for an audit. In the section for Physical and Environmental Protection Policy it says:

" has an active fire safety program with continuous training for all staff."

It's a wonder we get anything done if the fire safety training never ends.

IE7 and www.us.army.mil

| No Comments | No TrackBacks

Due to some over-enthusiastic checkbox checking by an SMS admin who was rolling out patches through ITMU, IE7 was deployed to our users this week. We had a package for IE7 created with the IEAK that had been deployed to test groups, but it wasn't yet the scheduled time for deployment. Because this went out early we didn't have a chance to educate users about differences in IE7, which led to a rather amusing complaint.

It seems if you go to http://www.us.army.mil it redirects you to an SSL version of the page. The site is using a DoD-issued certificate which, of course, chains to a DoD root that is not in the browser's trusted root store. As a result the user gets the new dire warning about the certificate and calls the help desk. As with most louts, this one was stridently anti-Microsoft, proclaiming that if Army security isn't good enough for Bill Gates, he doesn't know what would be. Rather than pointing out the many hacks of Army computers, we let him know that he saw a similar message when using IE6 and would see a similar message even if he used Firefox. This has nothing to do with Bill Gates not trusting the Army. It has everything to do with the Army not rooting to a commonly trusted CA. It's working exactly the way it should. If he has reason to trust that certificate and its issuer, he can certainly choose to trust it and not see that message again.

I imagine shortly the users will ignore the IE7 dire warning the way they blindly choose yes when prompted in the past.

Looks like another Firefox vulnerability is going to lead to another patch.

As Jesper says,

We recommend people use Internet Explorer in Protected Mode on Windows Vista and practice safe browsing habits to protect themselves against these vulnerabilities in Mozilla Firefox.

In George Ou's blog entry titled "Email Security Has been around forever, you just have to turn it on" George asserts

"My current DSL provider AT&T like most ISPs supports SSL encryption on POP3 and SMTP and it's as simple as a checkmark and using ports 995 for POP3 and 465 for SMTP instead of the usual ports 110 and 25"

I wasn't aware that my ISP, Cox Communications, offered POP over SSL, so I decided to give it a try. It's actually listed on their support site; I just wasn't aware of it. It looks like they started this about a week or two ago.

I placed a check in the "this server requires a secure connection" box and changed the pop3 server name to spop.east.cox.net and I was set.

Now if only cox would enable ssl for webmail communications like they said they would do 7 months ago. According to posts from Cox employees at Broadband Reports webmail SSL will be coming soon.

Some users would like SMTP over SSL. Currently Cox does not use authentication for SMTP, so what is there to protect? If you argue the data of the message, I would suggest that if the data is so important you use S/MIME. Because Cox SMTP is usable from their network only, you're less likely to be sending mail from an insecure location requiring client-to-server SMTP encryption.

How many times have I gone over to a friend's house and ended up working on their computer? Sometimes it's fixing something, but often it's making sure their third-party applications are patched. Microsoft makes it really easy to deploy their patches, but every other application is often ignored. For a while now, I've used Secunia's Software Inspector, which is a web-based tool to check for vulnerable software versions. Now Secunia has released a software version of this product. It's free for home use and includes a privacy notice that should make most people who aren't software pirates sleep easier about allowing this inventory.

Personal Software Inspector 0.1.0.0 Beta installed easily and quickly performed a software inventory. It didn't find anything on my system. I don't know of anything that is out of date right now, so that is probably accurate.

It checks more than 4,200 applications. According to the website, if it had found something, I would have been prompted with a link to the update. That might be easy enough for the non-techies to follow.

Their web version does tend to complain about old versions of flash. The only way to fix this is to download and run a Flash uninstaller, then immediately install the latest version of Flash.

Normally, I wouldn't tell my friends to install a version 0.1 beta product but this seems like the benefits will outweigh the risks.


The initial scan actually hadn't completed before. It turns out that Secunia gives me a score of 74% on my home system!

Some of these things are old flash files in the i386 directory or an old version of SAV (not installed mind you) that I had extracted for packaging.

I wish the product would allow a user to export all this information so I could have a less knowledgeable user export this info and mail it to me for clarification.

Apparently the Apple fanboys are continuing with their mantra, ""its not a vulnerability until there is a public demonstration". Of course we know that's not true. Even after public demonstrations of a wireless vulnerability last year at Blackhat, Apple and its defenders mounted a smear campaign against the researchers. It also ignores that the reporters are associated with Johns Hopkins, which leads credence to the "researchers". It has also been demonstrated to the reporters at the New York Times.

This fanboy response reminds me of the head-in-the-sand response of Microsoft and its defenders until slammer, sasser and blaster made it hard to mount a defense. There is a difference between denial and taking a wait and see attitude.

The bad guys I worry about don't wait for a public demonstration.

Securityfocus has an interview with DCT a developer of MPack.

DCT says, "Well, I feel that we are just a factory producing ammunition." Ammunition can be used for multiple purposes. You can hunt game and provide food for your family. You can shoot targets and have hours of entertainment. You can defend yourself and others against bad guys. You can commit a 187. MPack can't make that claim. Its sole use is criminal. Exploit as ammunition is an argument that Metasploit can make; that can be used for legitimate purposes. I don't see that with MPack.

DCT also tries to push the idea that they are just a bunch of guys having fun in their spare time. He/she scoffs at the idea that MPack is related to the Russian mob.

Quicktime 7.2 packaging

| No Comments | No TrackBacks

One of the benefits of frequent Quicktime patching is that each time I do it, it becomes easier. The last couple of times, I think I copied the MSI, tested and I was done.

With 7.2, I ran into a bit of a snag. It seems that the first time each user uses the shortcut in the start menu, Quicktime does a brief mini-install. I'm not sure if this is by design or if I've done something to set it off. The result of that mini-install is the desktop and quick launch icons are recreated. I see a post from over at appdeploy commenting about this issue as well.

The only way to avoid this that I've found is to delete the start menu items for Quicktime and recreate new shortcuts without the MSI baggage.

Through reading comments over at Brian Krebs' Security Fix, I found out that Quicktime 7.2 is not supported on Windows 2000. Just to verify that for myself, I tried installing on Windows 2000 and found that only XP and Vista are supported.

Windows 2000 is slowly riding into the sunset, however Microsoft still supplies security patches for the OS. I'm not sure what extra cost Apple would incur by allowing the software on Windows 2000. At this point, I think I have no other choice but to uninstall Quicktime from the remaining Windows 2000 computers.

I've lost track of how many times I've updated Quicktime this year. Over on zdnet, I believe they said this is the 5th update. I recall at the last update, I questioned whether we really needed this software or not.

Apple Security Bulletin
Multiple arbitrary code execution vulnerabilities.

http://www.adobe.com/support/security/bulletins/apsb07-12.html

Critical vulnerabilities have been found in Adobe (Macromedia) Flash. These vulnerabilities would allow an attacker to run hostile code if you visit a site hosting the exploit.

All users of flash need to upgrade to version 9.0.47.0.

All those people who installed Firefox and then don't use it at all have now opened themselves to a new vulnerability.

http://www.us-cert.gov/current/index.html#microsoft_internet_explorer_remote_code

US-CERT is aware of a public exploit code for a new vulnerability targeting Microsoft Internet Explorer. The public exploit code demonstrates the vulnerability using the Mozilla Firefox firefoxurl:// URL protocol. To trigger this vulnerability, an attacker must persuade a user who has Firefox installed to access a specially crafted web page with Internet Explorer.


US-CERT will provide additional information as it becomes available.

Google Buys Postini

| No Comments | 1 TrackBack

Google has purchased Postini for $625 million (US). The purchase is believed to be designed to shore up corporate confidence in Google products.

Does this validate the "in the cloud" model of scanning?

I wonder how long MessageLabs will remain separate. They recently spun off Star their UK ISP for business.

Old Flash

| No Comments | No TrackBacks

I've been wondering for some time if old versions of Flash on a computer are a vulnerability or not.

Today while looking into the vulnerability of Flash for Mozilla, I found an article from Adobe which states:

"For Internet Explorer, only one version of Flash Player can be registered for use at any time. Older files can be removed, but this is not required as part of the update."

So that solves one mystery but I'm left with the one I was originally researching.

Flash uses a separate install for Mozilla and Opera. Those files get installed to the browser's plugins directory. Although I have the latest version of Flash for IE installed, when I run a version test from my Firefox browser, I find that it is running an old version.

This makes me worry that the Firefox users may remain vulnerable to any Flash vulnerabilities that are not IE specific.

I was having some trouble with my home wireless network today. I hadn't looked into netstumbler on vista until this evening. I was hoping to use that to see what channels my neighbors were running on. A quick search found this article:

C:\>netsh

netsh>wlan show networks mode=bssid (if you like all the geeky stuff [and who doesn't?] like rates supported, channel, signal strength)

or

netsh>wlan show network (an abbreviated version with just SSID, authentication and encryption types)

Yeah, it's really basic, but it was exactly what I wanted. Netstumbler says it works on XP or greater (no Linux jokes please), but it doesn't seem to actually work on Vista.

I had a user ask me today about an unusual issue with EFS on Windows XP SP2 when Mozilla browsers are used.

With EFS, normally you enable it for a folder, and you expect that any file that you place in that folder will be encrypted.

1. create a folder called c:\encrypt and set the EFS attribute on that folder
2. Download a file using Internet Explorer and save it to c:\encrypt. The file is created in an encrypted manner.
3. Download a file using Firefox or Netscape. (You must select Tools, Options, Download and specify c:\encrypt as the location to save downloaded files). The file is NOT encrypted.
4. Download a file using Firefox or Netscape using right-click "Save Link As" and it is encrypted.

Turning on auditing, I see that when the file is saved and Windows Explorer is involved, 9 events are actually recorded. When I save through the download manager only two events are recorded.

My next step was to use Sysinternals Process Monitor to look closer at what happens. That killed my theory that the download manager was somehow not running as me. I'm kind of at a dead end now. I've googled, but didn't find anything. I'll update this post if I find an answer.


Updated: My Microsoft TAM suggests that the Firefox Download Manager may download the file to a temporary location and then move it to the final location. A move on the same partition would preserve the old attributes and the permissions.

Internet Explorer, on the other hand, performs a copy so it inherits those things.
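The TAM's explanation can be checked without a browser at all. The following is an added example, not from the original post or from Microsoft: it creates an EFS folder and a staging folder on the same volume (TEMP stands in for c:\encrypt, and the staging folder for a browser's temporary download directory), moves one file in and copies another, then reads each file's Encrypted attribute. It assumes an NTFS volume and that EFS is available to the current user.

```powershell
# Added example, not code from the original post: move-vs-copy into an EFS folder.
# Assumes NTFS and that EFS is usable by the current user. Both folders live
# under TEMP so they are on one volume, which is what turns a "move" into a rename.
$encrypted = Join-Path $env:TEMP 'efs-demo\encrypt'   # stands in for c:\encrypt
$staging   = Join-Path $env:TEMP 'efs-demo\staging'   # stands in for a browser's temp download dir
New-Item -ItemType Directory -Force -Path $encrypted, $staging | Out-Null
cipher.exe /E $encrypted | Out-Null                   # same as ticking "Encrypt contents" on the folder

'downloaded then moved'  | Set-Content -Path (Join-Path $staging 'moved.txt')
'downloaded then copied' | Set-Content -Path (Join-Path $staging 'copied.txt')

# A move within one volume is a rename of the directory entry: the file's own
# attributes travel with it. A copy creates a brand-new file inside the folder,
# and new files inherit the folder's encryption flag.
Move-Item -Path (Join-Path $staging 'moved.txt')  -Destination $encrypted
Copy-Item -Path (Join-Path $staging 'copied.txt') -Destination $encrypted

function Test-IsEncrypted([string]$Path) {
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

Get-ChildItem -LiteralPath $encrypted -File | ForEach-Object {
    [pscustomobject]@{ File = $_.Name; Encrypted = (Test-IsEncrypted $_.FullName) }
}

# Cleanup (uncomment when done):
# Remove-Item -LiteralPath (Join-Path $env:TEMP 'efs-demo') -Recurse -Force
```

If the explanation above is right, copied.txt shows Encrypted = True and moved.txt shows False, which is exactly the download-manager case. The practical consequence is that an "encrypted folder" is not a guarantee about every file in it: a periodic sweep with cipher.exe /E over the folder, or an audit that lists unencrypted files in it, is what actually enforces the policy.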

Lifelock

| No Comments | No TrackBacks

The commercials have been all over radio; "protect yourself from identity theft with lifelock". The CEO even gives out his social security number in the commercial in an expression of confidence in his product. But what service does Lifelock actually provide and who is behind that?

A while back I was trying to figure out what lifelock did and didn't have any luck. Today, I see they have a four step process.
1. Place a fraud alert on your credit report. You can do this yourself for free. It expires every 90 days so they are saving you a bit of a hassle in renewing the fraud alert. The benefit of this is questionable since this does not actually stop new credit accounts from being opened in your name.
2. Adds your name and address to the Direct Marketing Association's do-not-mail list. This is something again that you can do for free, but you'll have to renew every 5 years or so if I remember correctly.
3. Sends you your credit report once per year. This is something you can order cheaply, and you may be eligible for a free yearly copy anyway.
4. Pay for the associated costs if your identity is stolen and help you clean up the mess.

As I read some sites about Lifelock a couple of things became clear.
1. Lifelock uses an affiliate program so any positive reviews may be somewhat disingenuous.
2. You must give Lifelock limited power of attorney to file fraud alerts with the credit bureaus.

Since you're giving Lifelock all your important info, they better be trustworthy people. According to the Phoenix New Times, Lifelock founder Robert Maynard may be a bit of a grifter. The article is quite enlightening.

Apparently, I'm a few weeks behind on news, because I just saw that the Arizona Republic reported on June 13th that Maynard has resigned.

Techcrunch puts on the tinfoil hat to worry that this organized hit was brokered by the credit bureaus. Really? That sounds like spin to me. Does it matter who the source is when the story used to sell Lifelock is a lie? It's pretty ironic that a possible identity thief opens up a business on protecting people from identity theft. (Or is that just like the grayhats in the infosec business?)

It's pretty funny to watch the shills in the comments on each of these articles. Some people really believe in Lifelock. Others are money-making affiliates.

Kevin Mitnick once said something like, "a mother's maiden name is not a password. A Social Security Number is not a PIN." That is the basic problem. The credit system and even ACH transfers from your bank account act like its still safe to leave the doors unlocked at night. Lifelock really just puts a note on the door. You could put the note there for free. And there are still other windows and doors that need to be protected.

When I heard the commercials, I bought into the danger and the urgency. Now that I've looked into it, I think they are selling fear. When that happens, hold onto your wallet.

Mark Russinovich of Microsoft blogs today about Security Software and bad default permissions leading to privilege escalation. Regular readers know that this is one of my ways of entertaining myself. Members of my JMU cohort are probably sick of me retelling stories of my past glory. ;)

I hope that with Mark's name behind this, default permissions will receive the attention they are due. It is far too easy to perform a local privilege escalation thanks to some poorly written security software.

Mozilla Spins the Bugs

| No Comments | No TrackBacks

When Firefox was first introduced, it was widely promoted as the safer browser. Some writers went as far as to leave off the "er"; to them it was the "safe browser". It's now June 2007 and Mozilla now has a security blog. Interesting.

Time to parse their post from 6/18.

I find it interesting that the writer attempts to dismiss 'number of vulnerabilities' as meaningless. I also think it is freaking hilarious that they are bragging about their software update system. If we go to the archives, we'll find that was one item that was extremely lacking in earlier releases. There was no prompting for upgrades.

The current system still isn't exactly enterprise ready. Rather than creating patches, they require full installs. Instead of occurring in an enterprise-approved manner as with patching software, it occurs in an ad hoc, untested manner as users open Firefox after the patch is released. If users don't use the product, it doesn't get upgraded. That is fine as long as the vulnerability can't be called from outside of Firefox.

I'm still wondering what is going to happen with Firefox 1.5 at the next patch release. They said it was done after mid-May, but then they patched it anyway. The 1.5 upgrade monitor doesn't prompt you to upgrade to 2 or warn that 1.5 is end of life.

OpenDNS Porn Blocking

| No Comments | No TrackBacks

I learned something new from Brian Krebs' Security Fix found at WashingtonPost.com. In today's entry he writes that OpenDNS has added a voluntary feature to block porn.

OpenDNS is a free DNS service that purports to be faster and more reliable than the ISP DNS you are probably using by default. Also they add in some anti-phishing and anti-typo features to protect their users. They make money by hijacking the result if you type in a non-existing webpage such as www.asdfasfdasdfasfasdfasfd.com.

Anyway, if you register your IP address with OpenDNS, you can sign up to have those dns requests checked by their St Bernard implementation.

I set it up this afternoon. It was easy to add their DNS servers into my Linksys Router (sveasoft talisman firmware), but I didn't see a way to set up DDNS updating without putting a DDNS updater on my desktop. I would have preferred to do that on the router.

This is a good free setup to stop unintentional access. If you've got people trying to get around it, you're better off having a filtered ISP or running a proxy server that is physically protected (along with the cable modem) to prevent bypassing.

Cold Call from Sophos

| No Comments | No TrackBacks

I got a cold call from a Sophos sales guy recently. As I tend to do when I have the time, I talked to him for a bit about their products. Unfortunately that just encourages sales guys because they think they've found a "mark". When he called back later, I didn't have as much time. I also saw no reason to include their NAC product in our NAC eval.

Once he saw I had no interest in further discussions, he tried to get other names out of me. He pulled the name of a Vice President off our company website and called him about his great solution for our NAC initiative. Don't sales people realize that when you try to go over someone's head, the VP is just going to pass the message back downstream until it ultimately arrives at my door?

This tool called back today. I should have just told him to leave me alone. Instead I tried to explain to him that he burned a bridge with me by going over my head. He didn't understand that I'm not a tech drone peon. My recommendation is fairly key in any security purchase.

I suspect he is now planning to call the VP again to complain that I won't be buying the Sophos product no matter how much better and cheaper it is. Every Tom, Dick and Harry has a NAC product. Some cold call alone isn't going to encourage me to try one out or even commit an hour of my time to a sales presentation.


I would expect that the type of person looking for a browser other than IE is satisfied by Firefox or Opera. In spite of this AppleCorp announced a Safari for Windows beta this week.

Shortly after that Bugtraq number 24433 was posted regarding Unspecified Remote Code Execution and Denial of Service Vulnerabilities

Here's a link to the securityfocus article.

I installed the Cisco VPN version 5 on my laptop today, and I noticed what looks like a privilege escalation vulnerability. This doesn't seem to be the vulnerability Cisco discusses here relating to the dialer portion of the program. This is a much more trivial thing.

The first thing I did was check another system. On an XP SP2 system with version 4.6 installed, the Interactive user has Modify permissions on cvpnd.exe. As we all know, Interactive is a special identity representing any user who is logged on interactively. In other words, this is someone who has the "Log on locally" right and has logged on locally. So basically anyone who can log onto my computer (e.g. any other employee). At that point they have two choices. Do they want to wait for a system reboot and get LocalSystem rights (the service executable runs as LocalSystem when it starts at boot), or do they want to wait for someone with local admin rights to try to use the VPN?

Surely this was fixed in version 5, I thought. No, in version 5, Interactive has full control rights.
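This is the same class of bug Mark Russinovich wrote about above, and it is easy to sweep a machine for. The following is an added example, not code from the original post or from Cisco: it walks every Windows service, extracts the executable path from the service's command line, and reports any Allow ACE that gives INTERACTIVE, Users, Authenticated Users or Everyone a right that lets them change the file or its ACL. It assumes English principal names and should be run elevated so every binary's ACL is readable.

```powershell
# Added example, not code from the original post: list services whose binary
# can be modified by identities every locally logged-on user holds. Such a
# binary running as LocalSystem is a local privilege escalation: replace the
# file, then wait for the service to restart. Run from an elevated prompt;
# principal names assume an English install.
$WeakPrincipals = @(
    'NT AUTHORITY\INTERACTIVE',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone'
)
# Any of these rights lets the holder alter the file or its ACL.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions, Delete'

function Get-ServiceBinaryPath([string]$PathName) {
    # PathName is either "C:\Program Files\x\y.exe" -args or an unquoted path,
    # possibly containing spaces (an unquoted path with spaces is its own problem).
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Get-WeakServiceBinary {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = Get-ServiceBinaryPath $svc.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                RunsAs    = $svc.StartName
                Binary    = $path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Get-WeakServiceBinary | Format-Table -AutoSize
```

Anything listed with RunsAs = LocalSystem and StartMode = Auto is the cvpnd.exe situation. The fix is the one mentioned earlier in this post, removing the weak grant (for example icacls "<path>" /remove:g "NT AUTHORITY\INTERACTIVE"), and the check belongs in the packaging test for every third-party product, since vendors rarely fix their defaults on their own.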

Capicom Update

| No Comments | No TrackBacks

I performed some tests, by removing SAV and deleting capicom.dll and then installing SAV 10. In spite of what I'd read online and reported here SAV doesn't seem to be installing a version of capicom.dll.

It appears in my case that the file is just left there as Microsoft reported in the bulletin. Microsoft reports that this is not a vulnerability. Unfortunately, my vulnerability scanner still doesn't see it that way. So I need to remove, or update this dll file. I'm concerned that this may cause problems with unknown applications using this dll.

WiFiEnum

| No Comments | No TrackBacks

George Ou blogs about a free WiFi driver checker from Aruba Networks.
Basically it scans domain computers via WMI using supplied credentials and reports if the wireless driver is vulnerable. They didn't take the time to have it verify the computer is reachable, so there could be some long timeouts. I've seen other WMI scripts test first. They are testing with a tcp ping on 135 which they report will not work from XP computers.

Ou reports "When I spoke with the patch management companies at RSA 2007 in February and asked them about driver patches, they looked at me with a blank stare as if they didn’t even know what I was talking about."

My vuln scanner does detect a couple of Intel 2200 BG vulnerabilities. But I've often wondered about the Broadcom drivers and the non-wifi drivers. It will be interesting to run this and see what, if anything, I've been missing.


This worked fine locally, but when I installed it on a Windows 2003 server to scan a subnet, it crashed. No, I haven't reported the problem to the developer.

Quicktime 7.1.6.200

| No Comments | No TrackBacks

I was a bit worried when SANS reported an update for Quicktime 7.1.6. I created a new Quicktime package on Friday and it was just about to go out to the test group. Fortunately for me, on Friday I downloaded a fresh copy of the Quicktime installer. It happened to have 7.1.6.200 which appears to be the latest version. So I'm covered for patches in http://docs.info.apple.com/article.html?artnum=305531. I'm not sure when that was officially released.

**update** - I realized tonight that the update is still needed. When it is installed a registry key is created at HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Security Updates\2007-006. Since I see no way to slipstream this update into the 7.1.6 install I updated the package to run the updates sequentially. I'm also going to have to get the SMS guys to create a separate advertisement for those people who upgraded to 7.1.6 already.

Firefox 1.5.x EoL


http://www.mozilla.com/en-US/firefox/all.html

"Firefox 1.5: This version of Firefox will be supported until mid-May, 2007 with security and stability updates. We strongly encourage all users to upgrade to Firefox 2."

The "check for updates" feature of Firefox at this time does not suggest upgrading to Firefox 2. I don't know if that is something that will change later or not. Currently, at my company most of the users with Firefox are running 1.5. They tend to not use it at all so they don't upgrade until someone tells them to.

Adobe 8.1 announced


Adobe has announced that Adobe Reader 8.1 will be released the week of June 4th. So if you've got your finger on the 'deploy' button ready to go with 8.0 you may just want to hold on for a second.

I'm trying to get 7.0.9 out this week. The question is, will 8.1 contain any security fixes and will those fixes be ported to 7.0.x if needed.

I had an interesting thought this week. "Did we disable lanman hash storage on the test domains?" This is an important consideration. We use software to synchronize passwords from the production domain to the test domain for people in the I.T. department and HR. That would expose production passwords.

I looked at the primary test domain and found that we had indeed disabled the lanman hash.

On the other test domain, I found that we hadn't disabled the lanman hash storage. I was able to use my rainbow tables and in a couple of hours I had 100 percent of the passwords. About 40 of those passwords were synched over from the production domain, so I was able to obtain the production password for the lead SA, my manager and the director.

So, the lesson learned here is to apply your hardening guide on your test domains.

RPC over HTTPS and SecurID


One of my "white whales" has been the ability to perform RPC over HTTPS. I think this would be great for the mobile workforce. It allows a remote user to open Outlook and directly connect to exchange without launching a VPN client. The problem is that any reasonable employer requires strong authentication for all remote access. Username and Password only just exposes the corporation too much. Ever since RPC over HTTP was announced, I've asked for the ability to use SecurID with it. Unfortunately what I found was that this would involve multiple design changes across ISA, Exchange and Outlook. This didn't make it into Exchange 2007, ISA 2006 or Outlook 2007. If you're interested in this sort of solution, please contact your Microsoft TAM and let them know.

I ran across a blog entry by Stefaan Pouseele that examines this issue more closely. He concludes that Outlook uses basic authentication and ISA can't do Radius authentication off of basic authentication. Further Outlook RPC over HTTPS isn't designed for a two credential logon (SecurID followed by AD as happens with the normal HTTPS logon).

For now this remains a nice dream.

Winamp 5.35


Winamp 5.35 is out fixing the MP4 file parsing buffer overflow vulnerability that was previously announced.

Security Metrics


In our recent FISMA audit at work, KPMG didn't like the vulnerability remediation report that I create each month for the Infosec group. They wanted more metrics, but their examples of metrics were very similar to what I already do.

Flash forward a few weeks, and we have a CEO who is very interested in number... in metrics.

I spend a lot of time on putting together the Infosec report, but I have to question whether some of the numbers prove anything other than that the products in question are still collecting data.

So to meet these two demands for metrics, I'm searching high and low. This will have to be an off hours project. At work, my top two tasks right now are writing an incident response plan and selecting an FDE product. That doesn't leave a lot of spare time.

So I've spent some time over at securitymetrics.org. I've read the reviews of "Security Metrics: Replacing Fear, Uncertainty, and Doubt" over at Amazon. I've looked at A Few Good Metrics over at CSOonline.

I'm wondering if it's worth getting the book or if I should just read NIST 800-80, "Guide for Developing Performance Metrics for Information Security" and 800-55 "Security Metrics for Information Technology Systems".

I do believe the right Metric can provide insight, and be a true measuring stick for the infosec program. I'm just afraid that Metrics done poorly will lead to spending a lot of time gathering arcane correlations that no one will read and will mean nothing.

I received the "Life is Beautiful" virus hoax email from a relative today.

At the bottom of the email it stated:

PLEASE SEND A COPY OF THIS E-MAIL TO ALL YOUR FRIENDS and ask them to
PASS IT ON IMMEDIATELY! THIS HAS BEEN CONFIRMED BY SNOPES.

http://www.snopes.com/computer/virus/life.asp


If you go to that link, it says that the Life is Beautiful email is a hoax. The forwarder(s) didn't actually check Snopes, they just believed what the email said.

You'd think it would be easier to spend a lot of money. I'm trying to evaluate Full Disk Encryption software, and the sales people I'm dealing with are frustratingly unresponsive.

I've heard from other companies that often they find that FDE companies just aren't interested. Apparently so many companies are under an encryption mandate that they only want to spend resources on a guaranteed sale.

The most annoying example is the product I'm currently evaluating. Safeboot has not provided me with a pre-sales support direct contact. They also forbid contacting tech support. Instead I must contact the sales guy. The sales guy, instead of getting me in touch with an engineer, wants to set up a meeting "sometime this week or next."

I was very upfront in my need to do this eval quickly. I learned what I wanted about Pointsec in two or three days. I can't even get a response from Safeboot in that time period.

In a recent NetworkWorld article, Michael Osterman asks "How secure is a hosted environment". Specifically, he's talking about external hosting of mail stores in cases where the entire mail operation is outsourced or where mail is archived externally.

The article reports on his trip to ZANTAZ and how impressed he was with their physical security. The article would have been better if it had covered other areas of information security. How are these servers protected against attack? Is the operation audited? How do you know those security doors aren't propped open every other day of the week?

I read an Infoworld article today that says that "Hackers are using Windows Updates' file transfer component to sneak malicious code downloads past firewalls". After trying to figure out what the writer was talking about, I went to the source, a Symantec blog entry. This made a BIT more sense.

The Infoworld article left me thinking this was a corporate firewall bypass. That didn't make a lot of sense because many enterprises aren't scanning HTTP and FTP anyway, so the use of BITS doesn't change that. The Symantec blog was a bit clearer that this is a personal firewall bypass.

Parlor trick or serious problem? I guess I'd be more worried about how the computer got infected initially. Flashy article titles make this problem seem worse than it is.

As we roll through May, it's time for an annual rite of late spring: the arrival of the summer intern. Generally these are high school or college students with morally questionable opinions about copyright and movie downloads. It may be a good time to put out a reminder if you have a company policy respecting such.

AOL Password Truncation


Brian Krebs's Security Fix is reporting AOL is truncating passwords at 8 characters. I think our Solaris servers were doing the same thing until we upgraded to version 10. In fact, here's a blog entry from the SUN Security Coordinator's blog claiming that password truncation is a security feature. In other words, it's a feature not a bug.

Adobe Reader 7.0.9 exe


I was working on creating an Adobe Reader 7.0.9 package this weekend. Adobe says that they aren't providing an upgrade version of 7.0.9, only a full version. That is rather disappointing.

As part of the upgrade, I checked to see how many computers needed it. I searched for systems with acrord32.exe and sorted by version number. No computers had version 7.0.9 of that product. I knew that Reader 7.0.9 was installed on my own computer so I knew that couldn't be right. Was this caused by a bad install or by Adobe? I checked for installed versions of Adobe Reader 7.0.9 via Add/Remove Programs and found that I had a couple hundred computers with 7.0.9. So it's not just my computer. Apparently Adobe didn't update the version number correctly on the main exe. I found a thread asking this question in the Adobe forum, but no answers yet.

New Yahoo IM worm


I'm not sure how new this is, but some of my users are being sent suspicious messages. They are being blocked by my IM filter, so no worries here.

Message - Images shot in Iraq _ The war will never end http://quicknews[x]info/Iraqwar.jpg
Message 2 - :D who is beside you in this pic http://quicknews[x]info/friendpic1.jpg (obviously [x] = "." I'm trying to keep you all from unintentionally getting infected).

When I checked it looked like there was a redirect on that site that took you to a page with some porn ads, and also some obfuscated java.

http://www.networkworld.com/news/2007/050207-internet2-fire.html
Cables on the Longfellow Bridge connecting Boston and Cambridge were damaged by a fire Tuesday night. Authorities report that a fire was started when a homeless man carelessly discarded a cigarette. The damage is expected to disrupt Internet2 service for several days.

I found this linked through the CERIAS weblog: Important Follow-up Re: The New Password Complexity Policy.

Hilarious

Bump Bump Bump


An 8 year old uses a bump key to open a cylinder lock.

McAfee called me earlier this week about their Data Loss Prevention Host software. In addition to host-based software, they have an appliance check for leakage at the network boundary. Enterprises that have implemented full disk encryption now realize that their data is at risk from more than just a stolen laptop. Social Security Numbers, Credit Card info and company proprietary information are routinely passed over the Internet in plain text at many companies.

I haven't looked into this McAfee product, but I see their interest as a validation that this marketspace will continue to develop.

Yet Another Quicktime Vuln


I'm starting to question how much we really need Quicktime. We deployed 7.1.5 last week. As luck would have it, word of a new Quicktime vulnerability came out this week.

http://www.securityfocus.com/brief/488

The attack successfully used in last week's CanSecWest competition exploits a Java-based flaw in QuickTime and affects all browsers on systems with the multimedia software installed, possibly including Windows

I thought this article was interesting, Symantec Steps into Software as a Service.

The Cupertino, Calif.-based company said that the launch of its Online Backup Service, which provides outsourced data storage and disaster recovery services to SMB customers, is merely the first piece in a wider set of offerings it will introduce dubbed Symantec Protection Network, which will eventually include a full range of hosted security tools.

I found it kind of interesting that Alex put a disclaimer on the blog entry asking "Are the Open Sourcerers Selling You a Bill of Goods?" I don't recall Sunbelt putting a disclaimer on a blog entry before. It's clear that they fear the mindless Linux horde the way a Danish cartoon writer fears going out in public.

Is the article that controversial? I don't think so. It just asks the mindless Linux horde to take it easy. That they should allow for the fact that an intelligent person can use Windows.

It also made me think about 'reflections on trusting trust.' Who has better guarantees that the software, the compiler, etc hasn't been trojaned.

Then I got down to the end of the article and saw it was by Deb Shinder. I guess I should consider the source.

Switching to Google Reader


I think I've mentioned a couple of times that I reloaded my laptop. When I went to reinstall Sharpreader, I found the sharpreader domain abandoned. Apparently they've boarded up the windows and left town.

I decided to give Google Reader another chance after my older brother mentioned it to me. I logged in, and it appears they've done some upgrading. It looks good. I deleted my old feeds, and imported my OPML file. After tweaking a few settings I'm finding it quite usable.

My favorite feature is the ability to share items with people. My shared page is here.

What I'm really missing right now is the notification box that my previous rss readers had. Obviously they can't give me a new article notification if I'm not at the site, but I was thinking they should give that notification through the Google Talk software (like I get gmail notifications). Perhaps they already do that. I haven't reinstalled Google Talk since my upgrading.

The other item I'm missing is search. That seems amazingly ironic. Yes, this is the one time I'm pretty sure I'm using the term ironic correctly. I want the ability to search my feeds. I want to easily be able to search specific folders and even one specific feed. Why can't I search my Google Reader feeds?

Obviously I'm new to Google Reader, so if anyone has an answer, please feel free to jump in the comment section.

I got a call this morning while driving into work that the domain we receive the most mail on is not getting email. Naturally since I recently requested some changes in the way we receive mail that was blamed first.

It turns out they were right, in a way. I had requested that we update DNS so we no longer have a wildcard MX record. With a wildcard MX record, you could address mail to anyserver.example.com (obviously not our real domain) and it would be delivered to our MTA. Since this causes us to process a lot of unnecessary email I thought we should remove that.

We use split DNS and run our external DNS through our ISP. When AT&T/SBC performed the update instead of removing the wildcard mx record, they removed example.com.

So we're getting no email addressed @example.com. The negative response cache TTL is 2 hours. So even after we get SBC to fix the record, we may not get email for a while.

At least this is a reminder that people should be using our new domain name instead of the old example.com.

If we had been monitoring our external MX records, we would have seen them go away and possibly gotten it fixed before most people's cached responses expired.
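The MX monitor the post wishes for, as an added example that is not from the original post: it queries a resolver for a domain's MX records using only the Python standard library, parses the reply itself, and reports when the records disappear along with how long resolvers will cache the negative answer (RFC 2308: the smaller of the SOA MINIMUM field and the SOA record's own TTL). The domain, expected mail exchangers and resolver address in the main block are placeholders to replace.

```python
"""Stand-alone MX record monitor (added example; stdlib only).

Builds a DNS query, parses the wire-format reply by hand and reports
NXDOMAIN / empty MX answers together with the negative-caching TTL.
"""
import random
import socket
import struct

TYPE_MX, TYPE_SOA = 15, 6
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels plus a zero terminator."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype, txid):
    """One-question query with only the Recursion Desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                      # reading resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return txid, rcode, sorted MX records and the negative-caching TTL."""
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    mx, neg_ttl = [], None
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            _, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rd, off = off, off + rdlen
            if section == "answer" and rtype == TYPE_MX:
                pref = struct.unpack("!H", msg[rd:rd + 2])[0]
                exchange, _ = read_name(msg, rd + 2)
                mx.append((pref, exchange))
            elif section == "authority" and rtype == TYPE_SOA:
                _, o = read_name(msg, rd)          # MNAME
                _, o = read_name(msg, o)           # RNAME
                minimum = struct.unpack("!IIIII", msg[o:o + 20])[4]
                neg_ttl = min(ttl, minimum)        # RFC 2308 negative cache TTL
    return {"txid": txid, "rcode": flags & 0xF, "mx": sorted(mx), "negative_ttl": neg_ttl}


def assess(parsed, expected_exchanges):
    """Turn a parsed reply into a monitoring verdict string."""
    rcode = RCODE_NAMES.get(parsed["rcode"], str(parsed["rcode"]))
    seen = {exch.lower() for _, exch in parsed["mx"]}
    if rcode != "NOERROR" or not seen:
        cache = parsed["negative_ttl"]
        hint = f"; resolvers may cache this for up to {cache}s" if cache else ""
        return f"ALERT: no MX records ({rcode}){hint}"
    missing = {e.lower() for e in expected_exchanges} - seen
    if missing:
        return "ALERT: missing exchanges " + ", ".join(sorted(missing))
    return "OK: " + ", ".join(f"{p} {e}" for p, e in parsed["mx"])


def check_mx(domain, expected_exchanges, resolver, timeout=3.0):
    """Query `resolver` over UDP and return the verdict (needs network access)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(domain, TYPE_MX, txid), (resolver, 53))
        msg, _ = s.recvfrom(4096)
    parsed = parse_response(msg)
    if parsed["txid"] != txid:
        return "ALERT: transaction id mismatch (reply ignored)"
    return assess(parsed, expected_exchanges)


if __name__ == "__main__":
    # Placeholders: substitute your own domain, expected exchangers and resolver.
    print(check_mx("example.com", ["mail.example.com"], resolver="8.8.8.8"))
```

Run it from cron against each public domain and page on any line starting with ALERT; the cache hint tells you how long inbound mail may keep failing after the record is restored.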

Bail out now if you don't want spoilers from this week's 24....

In this week's 24, Nadia's computer is compromised from visiting a website belonging to an insurgent. Inexplicably there is also a hardware device found in her computer.

CTU had previously been protected by Cisco's self-defending network.

Reconnex data protection


I ran across a product called Reconnex today. Their marketing director wrote an article on the Top 10 Steps for Privacy Data Protection for the ISSA Journal. I thought the article was interesting and addressed threats that we need to consider at work. As a result I checked out their website.

Basically they search through data at rest and determine what data needs protecting. Then they also watch the movement of that data as it leaves the network. If there is a data breach, you can use this to determine what was lost.

I would say right now that most companies do not know where the important data is, nor could they notice if it was being emailed to a competitor.

There was just news this week where Oracle sued SAP for hacking. In that instance they noticed that user IDs were being used to access the support knowledgebase and download everything. The userIDs belonged to companies that had just switched to SAP. The downloads came from SAP IP addresses. I don't know that this product would have helped with that, but it does illustrate that data is our most important asset and most of us wouldn't have even noticed that type of attack unless it caused a resource issue causing closer investigation.

Reconnex was part of a SANS webinar in January.

There was also a review in December's Information Security Mag. It's not exactly a glowing review. It's good to hear from those who have evaled it.

Hmm, this would have been a good title for a DST-related post. Instead I'm writing about March Madness.

As a new administrator of our web filter I now get to hear about all the user requests related to things that do not work. On Thursday, I was approached by a colleague who showed me an email where a user reported they could not log into WTNT AM's streaming audio. My colleague was incredulous that someone a) would be wasting company bandwidth (yea I know) and b) would have the boldness to complain about it. I was amazed because I had listened to that radio station that very morning. I know it works.

It turns out the user was trying to listen to the ACC basketball tourney. The radio station does not hold the right to broadcast this over the web so they don't stream it. Hence the user's problems. When I was listening, it switched over to music (a different licensing issue) but apparently they also disabled new logins for the duration.


The UNIX administrator asked me to scan his systems that are within the scope of our Certification and Accreditation package. We have an auditor coming in next week to check our progress toward obtaining "authority to operate" and he wanted to make sure his systems were clean.

I found that our recently upgraded firewall now had several ports in the 37,xxx range that would act as a proxy. So basically, I could point my browser's proxy settings to the firewall on those ports and it would let me out without the usual security filtering. A bit more scanning revealed that these services were enabled on other Solaris 10 servers, not just the firewall.

I hadn't uncovered this before because my vulnerability scanner doesn't scan all 65k TCP ports. I only uncovered it because on one server, these services operated on different ports that were scanned.

So once again, I'm not happy with how my vulnerability scanner has operated. But more importantly we're left with the lesson that we need to run scans before systems move into production.

lsof isn't a default part of Solaris so the Unix guys are still investigating what is providing those services. I left it to them to track it down since I had a few other things to do.

Requiem for a Screensaver


When I arrived at work this morning, I was forwarded an urgent demand from the corporate communications office. The presentation computer by the elevator lobby near the executives was showing an old screen-saver using the old company logo. I had seen something similar on the displays in the south lobby a week or so back, so I knew what they were talking about.

The machines by the elevator lobby were using a restricted domain account. Since the computer was purposed to display information, the screen-saver was disabled in group policy. If the screen-saver wasn't even enabled, how could the user have seen a screen-saver, I asked.

So I set out to google for a solution. I found that if no one is logged in, the screen-saver settings in hkey_users\.default\control panel\desktop will be used. I thought that had to be the solution. No one was logged in, and that caused a screen-saver to run. It was a good theory, but it turned out the .default registry settings use logon.scr for the screen-saver. That isn't the screen-saver that was observed.

I searched some more, I found out I'd forgotten a key piece of information. The Default user account which is used as the template when new accounts are made does not store the default registry information in hkey_users\.default. That is for the service account. Instead the registry is stored in ntuser.dat.

When the computer was ghosted, the last act prior to sysprep is to copy the profile used to configure everything into the default profile. Because these systems are exceedingly old, the ntuser.dat is set to run the old old screen-saver. Any new account will be created expecting to use this old screen-saver. With domain accounts, the screen-saver is changed by group policy. But there is an issue with local accounts, and also I suspect an issue when the user profile does not load correctly, and it uses a default profile instead.

I updated the ntuser.dat on the systems for which I have responsibility. I also edited the registry to remove the existing configuration pointing to the old old screen-saver.

Patched for DST Yet?


I just saw an email from the I.T. department at a government agency. They ask all users to leave their Windows and Mac systems online this weekend and make sure automatic updates are enabled in preparation for the DST change. Wow, sounds like they are leaving things to the last minute there. It also sounds like they have a rather chaotic patch distribution system.

I'm not so sure we've been as methodical as we could have been about this. I also feel our user communication was kind of late. We have a good excuse. We changed our company name in February. We've been working for months preparing for that changeover, so DST was a secondary item until that was finished.

I'm not going to be at work the week of the 12th. Traditionally when I'm not in the office, something hits the fan. Usually it's a major virus incident. So if I were my co-workers, I'd buckle up for a bumpy ride.

Today's SANS Diary Entries


Rather than creating separate entries, I thought I'd comment on today's SANS Diary entries in one post.

Comparing Anti-Virus Solutions
That's just weird timing since I posted about that this weekend. I agree that virus total is an interesting snapshot. I would be more interested in a site that collects when a virus def is available and what is in that def (assuming everyone lists what virus detections are added in each definition update). Another interesting graph is the virus release chart for each major virus. Here's a graph Message Labs put out about Nyxem response time. Symantec didn't do so well.

Security update for QuickTime (7.1.5)
About freaking time Apple. I had already given up on a fully patched install ever being released. We just pushed 7.1.3 last week to a couple hundred computers that had been running 6.5.

phpMyFAQ being exploited
I almost installed this for one FAQ I maintain. I decided to stick with static HTML since I wouldn't be able to maintain it.

I was running the good old password cracker this weekend, and I noticed that there are still 10-15% of the accounts using passwords like Aaaaaaa1. (A = capital letter, a = lowercase). These passwords are fairly easy to bruteforce since there is a low level of complexity. These are passwords where the user is attempting to do the bare minimum to fit the password requirements.

It kind of reminded me of that scene from Office Space.

STAN
I need to talk about your flair.

JOANNA
Really? I have 15 buttons on. I, uh, (shows him

STAN
Well, ok, 15 is minimum, ok?

JOANNA
Ok.

STAN
Now, it's up to you whether or not you want to just do the bare
minimum. Well, like Brian, for example, has 37 pieces of flair. And a
terrific smile.

JOANNA
Ok. Ok, you want me to wear more?

STAN
Look. Joanna.

JOANNA
Yeah.

STAN
People can get a cheeseburger anywhere, ok? They come to Chotchkie's
for the atmosphere and the attitude. That's what the flair's about.
It's about fun.

JOANNA
Ok. So, more then?

STAN
Look, we want you to express yourself, ok? If you think the bare
minimum is enough, then ok. But some people choose to wear more and we
encourage that, ok? You do want to express yourself, don't you?

JOANNA
Yeah. Yeah.

STAN
Great. Great. That's all I ask.

JOANNA
Ok.

We should have a policy that any password I can crack must be expired immediately.
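To quantify why Aaaaaaa1-style passwords fall so quickly, here is an added audit script (not from the original post) that groups recovered passwords by their character-class mask, sizes each mask's keyspace against the full 8-character printable keyspace, and counts how many follow the bare-minimum shape (one capital, a run of lowercase, trailing digits). The password list at the bottom is constructed for the demonstration.

```python
"""Audit recovered passwords for bare-minimum complexity shapes (added example)."""
from collections import Counter
import re
import string

# Character classes in the mask notation password crackers use; a mask attack
# enumerates only the combinations matching the shape, not the full keyspace.
CLASS_SIZE = {"?u": 26, "?l": 26, "?d": 10, "?s": len(string.punctuation) + 1}

# The shape the post describes: one capital, lowercase run, digit(s) at the end.
BARE_MINIMUM = re.compile(r"^[A-Z][a-z]+[0-9]+$")


def char_class(ch):
    if ch.isascii() and ch.isupper():
        return "?u"
    if ch.isascii() and ch.islower():
        return "?l"
    if ch.isascii() and ch.isdigit():
        return "?d"
    return "?s"                                   # punctuation, space, non-ASCII


def mask_of(password):
    """Aaaaaaa1 -> ?u?l?l?l?l?l?l?d"""
    return "".join(char_class(c) for c in password)


def mask_keyspace(mask):
    """Number of candidates a mask attack must try for this exact shape."""
    size = 1
    for cls in re.findall(r"\?[ulds]", mask):
        size *= CLASS_SIZE[cls]
    return size


def full_keyspace(length, alphabet=95):
    """All printable-ASCII strings of this length (what 'complexity' suggests)."""
    return alphabet ** length


def is_bare_minimum(password, min_len=8):
    """True for the minimal shape that passes a 3-of-4-classes, min_len-character rule."""
    return len(password) == min_len and BARE_MINIMUM.match(password) is not None


def audit(passwords, min_len=8):
    """Summarise recovered passwords by shape and flag the bare-minimum ones."""
    masks = Counter(mask_of(p) for p in passwords)
    report = []
    for mask, count in masks.most_common():
        length = len(mask) // 2                   # each class token is two characters
        ks = mask_keyspace(mask)
        report.append({"mask": mask, "count": count, "keyspace": ks,
                       "times_smaller_than_full": full_keyspace(length) // ks})
    bare = sum(1 for p in passwords if is_bare_minimum(p, min_len))
    pct = round(100.0 * bare / len(passwords), 1) if passwords else 0.0
    return {"total": len(passwords), "bare_minimum": bare,
            "bare_minimum_pct": pct, "masks": report}


# Constructed sample standing in for a cracker's output; not real accounts.
SAMPLE = ["Welcome1", "Summer07", "Aaaaaaa1", "Tr0ub4dor&3",
          "correct horse", "P@ssw0rd!", "Jan2007!!", "xK9$mQ2#vL"]

if __name__ == "__main__":
    result = audit(SAMPLE)
    print(f"{result['bare_minimum']} of {result['total']} "
          f"({result['bare_minimum_pct']}%) are bare-minimum shapes")
    for row in result["masks"]:
        print(f"{row['mask']:<32} x{row['count']}  keyspace={row['keyspace']:.2e}"
              f"  ({row['times_smaller_than_full']}x smaller than full)")
```

The "times smaller" column is the argument to take to management: an 8-character policy sounds like 95^8 candidates, but the shapes users actually pick are tens of thousands of times smaller.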

Restricted Groups


Sadly, at work we operate with pretty much all users as local administrator. Their local administrator rights allow the user to remove domain administrators from the local administrator group, breaking our ability to manage the systems. Years ago we set up a login script to add domain admins to the local administrators group if the user was a local administrator. We looked for a way to do this in group policy, but we were always told that it is not possible to append members to a group.

Based on something I had read a while back about this actually being possible, I decided to look into it further. What I found is that the Restricted Groups portion of group policy has a "member of". I can set domain admins as a restricted group, leave the members portion blank. This does not erase the current members as it did in earlier versions of windows. Then in the "members of" box, I add administrators. This adds the domain admins group to the local administrators on all domain computers.

No muss no fuss.

Google Desktop


When I was reading about the Google Desktop Search vulnerability over the weekend, Google's rep was quoted as saying it would all be fixed silently without the user doing anything. I took that to mean it was done. This morning's vulnerability scan of HQ shows we have a significant amount of Google Desktop that needs updating.

Here's a link to the "Help Center" article on the vulnerability. I

Why isn't the Google Desktop Blog posting on this subject? It says it is "The official source for information about Google Desktop."

Browning Notice


I received an email today about a settlement notice regarding a class action lawsuit over some credit monitoring. I read the email over, googled the web page given, and checked out snopes, but didn't find anything. Next I opened my RSS reader and found that Brian Krebs has an excellent writeup. His summary: it's very suspicious looking, but it's actually a legit settlement notice.

JAVA Patching


JAVA is a very difficult program to manage in the enterprise. It seems to have its share of vulnerabilities. Multiple branches continue to be used (1.3, 1.4, 1.5, 1.6). It's not a matter of upgrading to the latest version and removing everything else.

Applications may be hard coded to use a specific version and will break if you uninstall. Since in most cases we did not provide the JAVA, the administrators don't know in which instances old JAVA is required.

SUN recommends keeping older versions of the JAVA Runtime Environment (JRE) on your system.

Then there is this later article which says with 5.0 Update 6 and later installed on the Windows platform, all applets are executed with the latest version of the JRE. I wonder how the applications hard coded for earlier versions of JAVA would continue to work?

I notice that my vulnerability scanner detects the older versions of JAVA even though a newer version is installed. I'm trying to figure out whether I need to remove these earlier versions to be safe. Even then do I dare remove them if earlier versions are needed by my users.

SCMagazine reports that the new Google Office won't have security problems like Microsoft Office.
1. Security will be more robust
2. Updates will Appear Automatically
3. Less Features mean more security

Amol Sarwate, manager of vulnerability research at Qualys, says, "You never have to patch anything, so hackers would be reluctant to target. You won't even know if a patch is released. Whenever you log in, you'll get the newest version they have."

Does that sound like a good thing? One of the complaints about Google Desktop Search was secret patching. Shouldn't you know what's going on? Qualys offers a software as a service vulnerability scanner and they announce major version updates. I wonder if they are silently patching security problems as well.

Eric Ogren, an analyst at Enterprise Strategy Group, told SCMagazine.com that Google will protect the software in its data center, and it will not be vulnerable to typical client-side vulnerabilities.

I wonder if this means my data would be kept forever, and available for search warrants, and also available to be accidentally disclosed.

The SC writer buried the lead in my opinion. Amol Sarwate also said this service "could be vulnerable to an emerging set of web-based threats such as cross-site scripting and SQL injections."

That's what made this article jump out at me. In a week where it is reported that Google Desktop Search is inherently insecure it seems this article is trying to tell me that Google Office is secure by default.

Myspace and Secondlife have been targets. Who is to say similar issues won't be found in Google Office.

FISMA


Richard Bejtlich sets out to write a book review, and instead writes a screed about FISMA in his latest blog entry. It's a shame too. I would like to know if this book is a good resource for those who are forced to participate in FISMA. We are currently under an Interim Authority to Operate and the auditor is coming in next month to extend that. People where I work create C&A packages and audit them for customers.

When we looked for an outside auditor for our C&A package we had a hard time. Most of the companies we were considering were strong in the technical writing or strong in technical knowledge. We didn't find a company that was strong in both areas. Both skills are necessary.

Anyone who has been involved with a C&A knows it's one big paperchase. Does this mean it's a bad thing? I would argue no. Documentation is important. FISMA forced us to update our documentation and create new documents. This is necessary. Due to the tyranny of the urgent that occurs in an I.T. shop this wouldn't have been done otherwise.

All of the commenters on Richard's entry disparage the C&A. They say that it offers no improvement in security. They argue that instead its a jobs program for C&A writers. Based on my own experience, I would say you get out of a C&A what you put into it. If it is an antagonistic relationship between the auditors and the System Administrators, then you have a problem. The problem is exacerbated when management just wants to check off C&A boxes rather than actually examining security and making things better. At my company we are better than some but we have a long way to go. The C&A has helped us get there.

Our HTTP scanner detected the IESlice.d virus when a user browsed to hxxp://81.177.23.253/pefwji/2_z.html this evening. Not sure where the user was surfing that they were directed there.

The IP address is Russian. The exploit appears to be for MS06-057.

RSA Conference Wireless


Over at vnunet, Tom Sanders writes about the RSA conference.

More than half of the computers used by security experts attending the RSA Conference in San Francisco this week lack the proper protection and may have been compromised, according to wireless security firm AirDefense.

The company scanned all wireless traffic on the first day of the conference and found a total of 623 Wi-Fi enabled notebooks and mobile phones.

Some 56 percent of these devices were configured automatically to log-on to networks with common names such as 'Linksys' or 'T-Mobile', a feature known as an open access wireless account.

So the first paragraph is an improper summary of the statistics. "More than half of the computers used by security experts" weren't misconfigured. It was half of the computers with wireless enabled.

So the vendor has interesting statistics and I liked the article as a whole but for me it almost got overshadowed by a misleading opening paragraph.

It is extremely important to not connect to unencrypted wifi and then leave those profiles enabled when you go anywhere else. Further, evil twin access points do occur. Your computer leaks all sorts of passwords. It's not just when you're browsing. The second your network connection comes online, your mail client, IM client and RSS reader may be logging into things in clear text. It's a danger you need to be aware of, and keep your clients from launching and sending passwords until you have established a secure encrypted tunnel, whether it is an 'always tunnel' VPN back to work, or an ssh tunnel back to your home.

HP OpenView Network Node Manager has insecure default permissions.

The installation process for the software grants 'Everyone' full access to the 'C:\Program Files\HP OpenView' directory. This directory contains the 'bin\ovtrcsvc.exe' executable, which is run as a service with SYSTEM-level privileges. So a local user can replace the .exe with malicious code and it will run with SYSTEM rights the next time the service starts (likely next reboot).
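As an added example (not from the original post, and not HP's own tooling), the audit below enumerates every installed service and flags service executables, or the directories holding them, where low-privilege groups hold write rights, which is exactly the misconfiguration described above. The group names assume an English-locale Windows install, and the icacls remediation in the comments is a suggestion, not a command from the post.

```powershell
# Added example: find Windows services whose binary or binary directory is
# writable by low-privilege groups. Run in an elevated PowerShell session.

# Identities that should never hold write rights on a SYSTEM service binary
# (assumption: English-locale well-known group names).
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a user replace or alter the executable/directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ServiceBinaryPath {
    # Extract the executable path from a service's PathName, which may be
    # quoted and may carry arguments (e.g. "C:\x\svc.exe" -k netsvcs).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

function Get-WeakAce {
    # Return Allow ACEs on $Path that grant write-class rights to a
    # low-privilege identity. Paths we cannot read are skipped silently.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivIdentities -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band ([int]$WriteRights)) -ne 0
    }
}

function Find-WeakServiceBinaryAcl {
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        # Check the executable AND its parent directory: full control on the
        # directory alone is enough to delete and replace the file, which is
        # the HP OpenView case described in the post.
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            foreach ($ace in (Get-WeakAce $target)) {
                [pscustomobject]@{
                    Service  = $svc.Name
                    RunsAs   = $svc.StartName
                    Path     = $target
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

# Report. For a finding such as Everyone:FullControl on an install directory,
# a typical remediation (suggestion, not from the post) is to strip the ACE:
#   icacls "C:\Program Files\HP OpenView" /remove:g Everyone /t
Find-WeakServiceBinaryAcl | Sort-Object Service, Path | Format-Table -AutoSize
```

Services running as LocalSystem (StartName "LocalSystem") with a hit on either column are the ones that give a local user SYSTEM at next service start.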


GFI Cyberattack Whitepaper

| No Comments | No TrackBacks

I got a note from GFI pointing out their eBook Targeted Cyberattacks: Threats Faced by Your Corporate Network. It looks like it's a worthwhile read.

The paper begins by answering some of the common responses to the desire to increase security:
• "That will never happen to me"
• "I have nothing to hide"
• "We're too small to be a target"
• "Why me, when they could hit some bigger company?"

I liked this section. I hear "I have nothing to hide" a lot from even technical end users.

SSL for Cox Webmail

| No Comments | No TrackBacks

In his Fast Forward Help File earlier this week in the Washington Post, Rob Pegoraro is asked about the security implications of ISPs not using encryption on their Webmail logins.

Rob reports that Cox is planning to offer SSL webmail the first quarter of this year.

Rob comments that "The biggest reason to look for the visual cues of a secure login is to help spot phishing scams -- phony pages that, unlike the sites they impersonate, almost never use encryption." I think it's a dangerous oversimplification to trust all sites protected by SSL without verifying the certificate, who it's signed by and preferably whether it's been revoked or not. In my experience most users don't know to be worried about SSL errors. To be fair, the newer browsers do a better job of giving a dire warning.

People don't understand SSL and what it offers. Over at broadband reports a user commenting on the need for Cox to provide SSL login says,

"It is my perception that security vulnerabilities in Windows are being exploited at an even higher relentless, frenetic pace right now. Cox needs to be part of the solution and not contributing to the problem."

Unfortunately SSL does nothing to keep you from being exploited if you haven't patched. It does nothing to detect a keystroke logger on your computer that collects your passwords to financial websites.

SSL is designed to preserve message confidentiality. Without client side certificates it only provides authentication of the server's identity claim. The main risk this addresses is the risk of a rogue LAN administrator sniffing passwords. This is an important consideration if you use webmail anywhere outside of the Cox network and also if you use an unencrypted wireless connection at home.

I wonder if Cox is going to offer POP3 over SSL. Webmail isn't the only way passwords are passed in cleartext.

Notice of Change

| No Comments | No TrackBacks

I mentioned in a previous post that we had some problems with a switch leading to browsing slowness. That caused us to receive a rant about how we were preventing employees from doing any work. They went on to say we need to give notice when making changes.

As it turns out this change went into effect for this group of complainers four business days after it was announced. I also wonder just how an announcement would have helped this situation. The only thing an earlier announcement would do is allow the users to preemptively gather their pitchforks and torches.

Why do I suspect that we'll soon have a requirement where we have to notify users two weeks ahead of major changes? After being forced into an increasingly smaller outage window, I wouldn't be surprised. When I'm readying something for deployment, we serve no wine before its time. I'm not going to know two weeks ahead of time when something is ready to get pushed out the door. It will waste a lot of time to wait until I am satisfied with the results in the test group to then announce a two week rollout countdown.

On Thursday we rolled out the Blue Coat web filter to the company. It was a bit more sudden than I had planned. I had planned to roll out slowly over a week and a half (still kind of quick), with the goal to be done by January 28th. Our Websense license expired on January 31st and I wanted to be done before then.

Unfortunately a company board meeting interfered in my plans as we were not allowed to roll out anything while they were in town. I was told that after license expiration, Websense would continue to filter, but not get any new updates. This was acceptable to the Director, so we pushed back the Blue Coat with a new goal of February 5th.

As it turned out at 11 pm on January 31st Websense stopped filtering. So on the morning of the 1st we rolled out Blue Coat to the entire company and disabled the Websense.

That afternoon, I received a report about slow FTP to our DMZ. I did some testing and the speed seemed reasonable. However, that wasn't the end of it.

The next morning before I got to work, I had a voicemail about other people having trouble opening Flash and downloading large pdf files from the DMZ. It came to a head when another Director in our company emailed our Director claiming it was impossible to get any work done. The Director wanted to turn it off all together, but I felt that this would not provide a good troubleshooting environment. We had used Blue Coat within our department with no reported problems of this nature, so we needed to have the systems under close to a full load. A compromise was reached by removing the subnets of the complainers from filtering.

The network guys had already opened up cases with Cisco and Blue Coat. Everything appeared to be normal. The configuration was acceptable to the support people. The CPU and RAM seemed fine.

I checked the antivirus appliance to make sure it wasn't running out of threads, but everything was well within spec there. Next, I checked the Blue Coat forums to see what other people had to say about this problem.

A quick check found that the most likely cause was mismatched speed or duplex issues on the switch. I called one of the network guys at 1:45 to ask him to check into that. I kept searching to get an idea of other things to try (and also establish some speed test baselines). A speed test reported downloads of 800 kbps, which is ludicrous when we have a 25 meg pipe.

We checked into the switch and found it wasn't quite as intelligent as we had expected. We didn't have the capability to hard code the connections to a specific speed and duplex value. We did, however, see the collision light lit on the connection to the core router. I should mention the switch is 10/100/1000 and the router interface is 100. We checked the router and saw the same errors there. The connection was already hardcoded to 100 Full so the network guys changed that to auto. That's the opposite of what you normally do when you have this problem. The port negotiated 100 Full and the errors went away.

I performed a few speed tests and found that web requests were benchmarked 10-100 times faster. The speed test now reported something crazy like 80 meg down (due to the antivirus or caching I suspect). But it is at least an apples-to-apples comparison with the 800 kb test.

So all is solved. The problem was not with the Blue Coat, but I did take a few body blows and get a black eye.

The DNS and The Stationery

| 2 Comments | No TrackBacks

We got a call from the Director this week. It seems the new stationery had been ordered using the domain only. For example, example.com was used instead of www.example.com. (using example.com in place of my company domain name, obviously).

Currently example.com resolves to the firewall in the external DNS. I had just commented last week that we might want to change that. Most sites on the Internet, including this one, allow you to just type the domain name and you're taken to the website. But I didn't really want to fight any non-essential battles so I let it go.

So it became an issue when the communications department created new stationery without checking if the name they were using actually worked. It's not such a big deal externally. The DNS guy said it's not kosher to have two A records. But after I pointed out that every other domain on the Internet (including one we owned) did it this way, he grudgingly agreed. That's when we hit the next hurdle. You see, the Active Directory domain is example.com. Internally if you do an nslookup on the A records for example.com you get a list of the domain controller IP addresses. We haven't found a way around that problem yet.

At least I can laugh that such a common mistake continues to happen.

Mandatory Screensaver

| No Comments | No TrackBacks

At our company we implemented a mandatory screensaver about a month ago. In my testing I found that if I allowed the user to select the screensaver, they could select "none" and no screensaver would run. Obviously that isn't something you want to happen. I also found that if a computer did not have the specific mandatory (corporate logoed) screensaver, then that was the equivalent of not having a screensaver.

We rolled it out using logon.scr as the default intending to later change that. I figured that if we named the new screensaver logon.scr then systems that had received the new screensaver would run that, otherwise they'd have the default flying windows screensaver.

Tonight I was looking into it, and it seems that logon.scr is protected by Windows File Protection. Not sure what the next step is.
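As an added example (not from the original post), the check below reads the screensaver policy values on a workstation and reports whether the policy is actually effective, treating the two failure modes described above (user allowed to pick "none", and the forced .scr file missing from the machine) as failures. The registry value names are the standard Windows desktop policy values; the sample file name in the comment is an assumption.

```powershell
# Added example: audit the per-user screensaver policy and confirm it will
# actually engage. Policy values live under HKCU\Software\Policies; the
# non-policy user preferences live under HKCU:\Control Panel\Desktop.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-ScreenSaverPolicyState {
    param([string]$Key = $PolicyKey)

    $state = [ordered]@{
        PolicyPresent = $false   # policy key exists at all
        Active        = $false   # ScreenSaveActive = 1 (forced on)
        Secure        = $false   # ScreenSaverIsSecure = 1 (password on resume)
        TimeoutSec    = $null    # ScreenSaveTimeOut
        ForcedScr     = $null    # SCRNSAVE.EXE, if a specific file is forced
        ScrExists     = $false   # the forced file is present on this machine
        UserCanPickNone = $true  # no forced .scr means the user may choose none
        Effective     = $false
        Problems      = @()
    }

    if (-not (Test-Path -LiteralPath $Key)) {
        $state.Problems += 'No screensaver policy applied to this user.'
        return [pscustomobject]$state
    }
    $state.PolicyPresent = $true
    $p = Get-ItemProperty -LiteralPath $Key

    $state.Active = ($p.ScreenSaveActive -eq '1')
    $state.Secure = ($p.ScreenSaverIsSecure -eq '1')
    if ($p.ScreenSaveTimeOut) { $state.TimeoutSec = [int]$p.ScreenSaveTimeOut }

    $scr = $p.'SCRNSAVE.EXE'
    if ($scr) {
        $state.ForcedScr = $scr
        $state.UserCanPickNone = $false
        # A bare name (e.g. corplogo.scr, assumed name) resolves from system32;
        # a full path is used as given.
        $path = if ([System.IO.Path]::IsPathRooted($scr)) { $scr }
                else { Join-Path $env:SystemRoot "system32\$scr" }
        $state.ScrExists = Test-Path -LiteralPath $path
        # Failure mode from the post: a forced .scr that is not on the machine
        # behaves exactly like having no screensaver at all.
        if (-not $state.ScrExists) { $state.Problems += "Forced screensaver not found: $path" }
    } else {
        $state.Problems += 'No SCRNSAVE.EXE forced; user can select "none".'
    }

    if (-not $state.Active) { $state.Problems += 'ScreenSaveActive is not 1.' }
    if (-not $state.Secure) { $state.Problems += 'ScreenSaverIsSecure is not 1.' }
    if (-not ($state.TimeoutSec -gt 0)) { $state.Problems += 'No positive ScreenSaveTimeOut.' }

    $state.Effective = $state.Active -and $state.Secure -and
                       ($state.TimeoutSec -gt 0) -and
                       (-not $state.UserCanPickNone) -and $state.ScrExists
    [pscustomobject]$state
}

Get-ScreenSaverPolicyState | Format-List
```

Run it in the context of the user being audited (policy is per-user); an empty Problems list with Effective = True is the state a mandatory-screensaver rollout should produce on every machine.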

Recovering Cached Credentials

| No Comments | No TrackBacks

In Windows Domain Cached Credentials are a local hash of your password, which allows you to log into the computer in case the domain controller isn't available.

CacheDump is a tool that allows you to easily extract that cache, for offline password cracking. You could use John the Ripper (with a plugin) or PasswordsPro ($$ for full features).

CacheDump pulled my own credentials and another set of credentials. While I haven't tested further, it sounds like anyone with local admin rights would be able to export the cached credentials of anyone who had logged into that computer. So say a support person's account is local admin on all desktops, and they do support work at a user's computer. That user could export the hash and attempt to crack the password.

Of course a strong password helps.

"somebody set up us the bomb"

| No Comments | No TrackBacks

Crazy day at work today. I got into work early. My office is right over the main entrance so I tend to notice any odd occurrences. Around 9:30, I noticed multiple Fairfax County police cars parked at the front door. I had to get ready for a meeting, but I heard at 10am that the east side of the building from 1-3 had been evacuated due to a suspicious package. Since this didn't affect the room we were in (and I really wanted to have my meeting) we went ahead with the meeting. Around 11:30 we wrapped up the meeting. I went back to my office and found just about everyone outside the window.

It seemed like a scene from a movie, you look out the window and there are cops, feds, firetrucks, the bomb squad, and a schoolbus (we have a nursery in the building). It was incredible. We were advised over the company's internal intercom at 11:30 am that the building was being evacuated and that we should go home.

According to FCW.com after the employees evacuated, a bomb detection robot removed the package from the building, and they imploded it. We received an email at 3:45 pm that everything was safe. The suspicious package contained only papers. I haven't heard if the papers were just normal papers, or if there were threats. FCW reported that there have been a string of suspicious packages delivered to my company. We haven't evacuated for previous suspicious packages, so either the police were exceedingly careful, or there was more to this one.

GoDaddy Pulls seclists.org

| No Comments | No TrackBacks

It seems that GoDaddy is now acting as internet content police. They disabled the domain registration for Seclists.org based on a complaint from myspace.com. Seclists.org is a web archive of many security lists. I use their RSS feeds to follow many security discussions.

It seems part of this content included the list of 53k usernames and passwords found to be collected on a phishing site. Myspace didn't like that.

I'm of two minds on this. When I'm trying to take down sites hosting malicious content, it's often beneficial to send a desist email to every possible link in the chain. On the other hand this is a slippery slope where a domain could get yanked for any reason.

People enticed by cheap domains held their nose when reading the fine print. GoDaddy's ToS says they "reserve the right to terminate your access to the services at any time, without notice, for any reason whatsoever."

You still shouldn't mess with Fyodor.

Mystery of the Quicktime Update.

| 2 Comments | No TrackBacks

Apple has provided a fix for the RTSP exploit announced during the month of Apple bugs. Unfortunately, the update is quite hidden for Windows users. The Apple security document only has a link for Apple users, there is no link for Windows 2000 and XP users. Interesting.

The ISC diary has posted some instructions to download the patch, but you need to have Apple Software Update installed. If you have it, it's probably on the start menu. You need to have recently gotten iTunes or Quicktime to have this installed. I only have it on one of my computers. I can't figure out where to download the patch for the other computers. I ran the "check for updates" from within Quicktime and it says I am up to date! This is not going to be good for enterprise software updates. We were already asking why Quicktime is on our ghost load.

I used Microsoft Process Monitor while downloading the patch on the one computer with Apple Software Update installed. That allowed me to capture a MSI file from my Temporary Internet Files; %userprofile%\Local Settings\Temporary Internet Files\Content.IE5\M7CLQPIX\SecurityUpdate2007-001[1].msi (your location will probably vary).

After installing the patch, my Quicktime was still version 7.1.3 when I checked Help, About QuickTime from within the program.

The update creates a registry key HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Security Updates\2007-001 Version=7.1.3.191 (need to double click on version to see the value). The quicktimeplayer.exe is now version 7.1.3.191 as well. Previously the version was 7.1.3.100. These two items will help differentiate patched systems from unpatched systems.

Now, I need to figure out how to deploy this. Next, I will check if the 7.1.3 version from www.apple.com/quicktime is the new version. If so, I'll probably update my install package and do a bit of testing. Hopefully it won't be necessary to slipstream or daisy chain this SecurityUpdate2007-001.msi and the existing 7.1.3

JAVA install/uninstall

| No Comments | No TrackBacks

Bye-Bye Bank Account

| 1 Comment | No TrackBacks

It looks like bank account and retirement account theft are going to be this year's "stolen laptop." By that I mean it will be the story that is reported with increasing frequency.

Today's story is found in Techworld. It seems that some participants in the Government's Thrift Savings Plan had a keystroke logger installed on their computers. The bad guy used the login and account information to electronically transfer cash to other accounts.

"External penetration testing has demonstrated that our system has not been breached," the TSP said. "There is no evidence of any successful attacks against the system to identify a PIN and thus obtain access."

This is kind of a strange quote. The failure of an external pen test to identify any holes does not demonstrate that the system hasn't been breached. To determine if the system has been breached, you would need to examine the system logs, IDS logs, etc. To trust those logs it would be necessary to have used a third party log server to preserve the integrity of the logs. A forensic examination of the systems may be needed.

That not so fresh feeling

| No Comments | No TrackBacks

If I were creating a caching proxy, I think I would have it tune itself by assuming the content needed to be refreshed frequently. Only after a history is established should it save bandwidth by checking for updates less frequently.

We implemented a transparent caching proxy this week. I'm seeing cache freshness issues. When I talk to the vendor about this they blame bad websites. Most websites use HTTP headers to indicate when the content expires. The problem with this response is you have to take the Internet as it comes to you. Without this proxy, my users are just fine. Adding the proxy is supposed to make things work better not worse. In my opinion it's the vendor's responsibility to make it work.

So I'm left with promises that as I add more users, and time passes, the proxy's freshness algorithms will learn and I won't see these issues. The vendor points out they have 70% of the caching market so they must be good. I'm left looking at yesterday's news.

Virus of the day

| No Comments | No TrackBacks

Today's virus of the day is being detected as win32.small.dam in our inbound email.

The recipient addresses so far are very old. I guess this is one spammer group that hasn't been sold our corporate addressbook.

The only reason I mention the virus, is the lurid subject lines got a laugh out of me.
"U.S. Secretary of State Condoleeza Rice has kicked German Chancellor Angela Merkel"
other subjects:
"Naked teens attack home director"
"British Muslims Genocide"

Attachment named "full clip.exe" and video.exe

Here's a link to F-Secure's blog entry on this virus.

Adobe Strikes Again

| No Comments | No TrackBacks

I had heard that Adobe Reader 7.0.9 is out, so you no longer have to upgrade to 8 to avoid the vulnerabilities mentioned in their security advisory. The problem is, according to this advisory they are only making 7.0.9 available as a full upgrade and not as a patch. I guess that is part of their program to encourage upgrading. Does this upgrade do anything besides replace one dll?

According to a Federal Computer Week article the GAO has approved a request by the US Patent and Trademark Office that it be allowed to pay for high-speed Internet access for patent and trademark teleworkers.

The ability to telecommute itself is a benefit. Now these highly paid workers want the Government to pay for their internet connection too?

What's kind of funny is that although the GAO is allowing the PTO to pay for the access, they cannot pay for any hardware costs. That encourages the employee to connect directly to the internet, rather than implementing a NAT router.

JAVA exploit code available

| No Comments | No TrackBacks

http://www.us-cert.gov/current/index.html#sunjpriv
US-CERT announced today that they are aware of publicly available exploit code for multiple vulnerabilities in Sun Java Runtime Environment (JRE). There are several flaws in the JRE that may allow an untrusted Java Applet to elevate its privileges or execute malicious code.

These issues are addressed in the following releases (for Windows, Solaris, and Linux):

JDK and JRE 5.0 Update 8 or later
SDK and JRE 1.4.2_13 or later
SDK and JRE 1.3.1_19 or later

Enough with the zero days

| No Comments | No TrackBacks

Pascal Meunier writes in the CERIAS weblog about lack of proper etiquette in zero day disclosures.

I do tend to agree with him. Zero day disclosures don't help anyone but people trying to make a name for themselves, HIPS vendors, and malware purveyors. However, I would say that this post would have been better timed during the first "Month of xyz vulnerabilities" rather than waiting until the critics' darling Apple was targeted.

Daylight Saving Time starts early and ends later beginning this year, and your systems need a patch to be able to handle it.

Here's an article on one guy's attempts at addressing this.

Personally, I'm getting a bit stressed. We already have a ton of stuff going on. I figured if I started after the new year, that patches would be released and I'd still have two months to do it. Well, I'm still waiting on Sharepoint and Exchange patches from Microsoft. The Solaris guys report that SUN released their patch in 2005.

ISC: Cuckoo's egg on the face

| No Comments | No TrackBacks

Daniel Wesemann has a great commentary today in the SANS Internet Storm Center diary about one of my favorite books Cuckoo's Egg by Clifford Stoll.

I agree with Daniel that the same problems are present today. Passwords suck and should not be used for important things such as remote access to your company's network. That's why things like SecurID or smart cards are so important.

What's that phrase, "prevention is important but detection a must"? Something like that. If Clifford hadn't been so curious about an accounting problem of less than a dollar, the issue in the book wouldn't have been uncovered. How would you know if someone were using your employees' accounts?

If you haven't read this book, I highly recommend it.

Old VPNs and Access

| No Comments | No TrackBacks

While reviewing logs last week, I noticed that a VPN server over at our DR site was still online. This particular server should have been removed a year ago when we transitioned to a new VPN software. I didn't have a copy of the old VPN software installed anywhere but I remembered that if I connected on the VPN port, it would answer with a banner. Sure enough the VPN was still online.

That's the problem with development firewalls and DR sites, they don't get used that often and as a result they can be forgotten. That's not good for security. I notified the VPN and Operating System admins who disabled the VPN immediately. It looks like the VPN admin tried to disable the product, but didn't do it correctly.

The lesson is kind of obvious, know what you have. Also, trust but verify. The old VPN access should have been removed from the firewall rules when its approval to exist expired. No one verified that this actually happened.

Password Cracking

| No Comments | No TrackBacks

I've written in the past about how I use SAMINSIDE and Rainbow Tables to audit passwords. I also wrote how I disabled LANMAN hash storage and as a result the LANMAN Rainbow Tables attack wouldn't be working anymore.

In the interim I've been using brute force attacks looking for 8 character passwords that consist entirely of lower alphas. I've also tried brute force attacks that tack numbers on to the end and make the first letter an upper case.

This week, I found a NTLM Rainbow Table for lowercase alphabetical passwords of length 1 through 8. While we now require stronger passwords than this, I thought it was worth trying out. The pre-calculated tables attack has been running for a couple of days. I'm pretty sure that the brute force attack for lower alphas of length 8 did not take this long.

DoD Goes Plaintext

| No Comments | No TrackBacks

FederalComputingWeek reports:

Due to an increased network threat condition, the Defense Department is blocking all HTML-based e-mail messages and has banned the use of Outlook Web Access e-mail applications, according to a spokesman for the Joint Task Force for Global Network Operations.

According to the article, they are converting all email to plaintext only. I wonder how they are accomplishing that?

While I agree putting OWA directly on the Internet is foolish, I think there are secure ways of doing that. Further providing users easy access to OWA encourages them to use an arguably more secure method of access than using a thick VPN client which offers full access to the internal network.

Soon the security folks will have us back to using smoke signals and carrier pigeons. Think about the man-in-the-middle attacks possible then.

It's posts like this that keep Sunbelt in the list of blogs I read regularly. In the post they explain why a recent security writer's claim "IE7 is still the spyware writers dream" is actually hype.

The vulnerability is that if the bad guy has write access to your computer, he can get a dll run by IE7 because they are not requiring FQDNs to load a dll. While this might make it tougher to clean your computer, the bad guy must already have infected your computer to have write access. This is not like the WMF exploit or all the bad activeX controls that were in previous IE versions.

Bruce Schneier writes in Wired "myspace users are not so dumb". In an analysis of 32k myspace passwords collected through phishing it was found that the passwords were better than studies of passwords used in a corporate environment.

Age is one reason for the difference in password quality. Myspace users tend to trend younger. Corporations are still filled with people who don't want to have a voicemail password at all much less a four digit PIN.

81% of the passwords are alphanumeric, but 28% were merely a dictionary word with the addition of one number (most often "1").

The bottom line though is these passwords were obtained through phishing. So while they may be educated about selecting a good password, the security awareness job isn't done.

I saw this linked from Drudge.

A High School Class President, who also holds the student seat on the Broward County (FL)School Board has been charged with two counts of computer crime with intent to defraud, a second-degree felony.

As part of his School Board job, he was given a laptop in order to access job related email. He found the I.T. specialist had a sheet of username/password combinations on his desk. The student used the purloined passwords to access the county's system for tracking grades and modify grades for several students.

The obvious lesson is not leaving passwords on a sheet of paper on your office desk.

Even today end users think security doesn’t affect them. “I’ve got nothing to hide,” they say. So they choose convenience over security. They don’t use any form of encryption on their wireless networks, and they disable the security software on their computer.

Here’s a story of a woman in Denver who learned a lesson about that after a visit from the police.

http://www.thedenverchannel.com/news/10486347/detail.html

Offline patching

| No Comments | No TrackBacks

You don't always have the ability to download patches, perhaps the system only has dialup access to the internet.

There are a couple of ways to deal with this.

http://www.heise-security.co.uk/articles/80682
http://www.autopatcher.com/

I'd be a bit concerned about whether this method is all right with Microsoft and whether anyone is sneaking something into the offline patch collection. Autopatcher has been around for a while, so I'd trust it more. The Heise-Security Offline Update is new to me.

F-Secure on Quicktime vulns

| No Comments | No TrackBacks

F-Secure's Weblog has a couple of entries on the recent Quicktime troubles, highlighted by the myspace worm. They report two similar vulnerabilities, and their tests have found one of the javascript tricks works with Quicktime users on a Mac with Safari.

Is this vulnerability listed on the eEye Zero Day Tracker? Not so far. Hmmm.

Removing Old Flash

| No Comments | No TrackBacks

When I ran the Secunia Software Inspector yesterday, it found I had old versions of Firefox, Winamp, Flash, and JAVA. The Flash and JAVA detections were complaining about older versions that were installed although I do have the current version installed. Secunia recommended that I remove the earlier version.

It's not really clear if having older versions of the Flash.ocx file on a computer is actually a vulnerability or not. I figured I'd try what they suggested anyway. I downloaded a flash remover tool from adobe. After closing any program that could be using Flash, I ran uninstall_flash_player.exe. I was still left with C:\windows\system32\Macromed\flash\Flash.ocx which has a file version of 7.0.19.0. There was also a getflash.exe in that directory with the version number matching the latest version of Flash I had installed.

I'm not really sure if I should remove that file or not. I went ahead and installed the latest version of Flash since I need to have flash on my computer.

Secunia Software Inspector

| No Comments | No TrackBacks

I saw this over on Donna's Security Flash.

Secunia has created a Software Inspector Application. It's a Java-based single system auditor that checks your local system for vulnerabilities. (see list for checked versions).

Pretty slick. Obviously it's not a full scale vulnerability checker, but it does check for some common software vulnerabilities.

"Security Conscious NASA"

| No Comments | No TrackBacks

MSNBC has an article on the Word doc banning at NASA that I alluded to earlier this week.

On December 5th eEye released an advisory about Adobe Download Manager. If you have downloaded software such as Adobe Reader from them using one of those stupid download clients you have Adobe Download Manager installed.

A malicious aom file could be hosted on a webpage. If you visit that webpage with IE it will automatically run exploit code in the file.

Adobe suggests that you:
• Browse to the following location: :\Program Files\Common Files\Adobe\ESD\
• Locate the file named AdobeDownloadManager.exe. If the directory or file does not exist, no further action is required.
• Right-click on the AdobeDownloadManager.exe file and select Properties.
• Click on the Version tab of the Properties dialog box.
• If the version is 2.1.x or lower, uninstall using the uninstaller provided here.

It seems that Adobe is leveraging a vulnerability in their 7.x series of Adobe Professional and Adobe Reader to cause people to upgrade to 8 which was just released this week.

They've released a dll file that you can copy into place overwriting the vulnerable version in 7.x, but that solution is neither easy for most home users nor appropriate for enterprise deployment.

I'm well down the path of testing a 7.0.8 deployment and don't particularly feel like starting over.

http://www.adobe.com/support/security/bulletins/apsb06-20.html

These are my notes from a lunch and learn presentation with Stonewood about their hardware based encryption product.

They have a mobile USB hard drive. This can be used as a normal Flagstone drive if you boot to it, otherwise you need to load software to access the encrypted data.

Flagstone buys micro harddrives from Toshiba or Hitachi and repackages them in typical laptop form-factor. The drives are 4200 rpm which I find a bit too slow, but they say that's all they can get from the manufacturer.

When you boot the computer, you are prompted to enter a password. If you enter the correct password, the keys are live and you are able to access the hard drive. If the power goes out it will fail closed. This makes me wonder if Seagate could say the same about their drive.

The drives use a tamper evident casing. The chip that contains the keys is embedded in gel so it is difficult to physically access it without destroying the chip.

FIPS 140-2 is currently pending.

It's a lifetime key. So no rekeying like SW.

The main problem I would have is that it doesn't have single sign on or a password harmonization feature such as those found in the Seagate product. The password to access the harddrive is not managed and enforced by I.T. It sounds like this will be addressed in 2007.

Today you are screwed with Wake on LAN. Some I.T. shops use WoL to boot machines and patch them during the night. That is not possible with this technology today. Not sure how you'd even do that with the software full disk encryption.

Their disks are available today and have been out for years. They are in use in the British, U.S. and Canadian military. This is interesting technology and may be the wave of the future. But still you're left asking what about email, what about the phones and the pdas. Should you buy an all in one solution or will that leave you disappointed.

Lastly, the price quoted sounded kind of high. I believe Seagate was rather reasonable and comparable to normal prices.

No annual fees, maintenance or upgrades.

SANS 2.2 Desktop Encryption

| No Comments | No TrackBacks

This is a 5 company report on their lessons lear