General: July 2004 Archives

News.com has an article based on a presentation at Black Hat Vegas about Google hacking. Google can be used to identify vulnerable servers, find exposed password files and anything else you might be looking for. Thanks to the Google cache, you might have access to things that are no longer even on the site.

Security Focus ran an article on this back in April that is a bit more technical than the news.com article.

GoogleDorks is my favorite site for this sort of thing. It's a collection of searches that people more imaginative than me have used to find vulnerable servers.

Google is the hacker's first step in network reconnaissance. Be aware of what you are making available.
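One way to act on that advice is to audit your own web root for the kinds of things those searches turn up before a search engine does. The script below is an added example (not code from the original post or from GoogleDorks): it walks a document root, flags backup and dump files, credential files and directories with no index page (which many default server configs serve as a listing), and builds the site:-scoped queries that would find them. The filename patterns and the sample web root it creates in a temp directory are illustrative, constructed here, not an exhaustive dork list.

```python
"""Audit a web document root for files a search-engine 'dork' would find.

Added example: the patterns below are a small illustrative set, and the
web root built by build_sample_webroot() is constructed sample data.
"""
import os
import re
import shutil
import tempfile

# Filenames that usually mean credentials or secrets (illustrative set).
SECRET_NAMES = {".htpasswd", "passwd", "shadow", "id_rsa", "web.config", ".env"}
# Extensions that usually mean backup, dump or log artefacts left in the root.
LEAKY_EXT = re.compile(r"\.(bak|old|orig|swp|sql|log|tar|tgz|zip)$", re.I)
# Index pages whose presence stops a directory from being served as a listing.
INDEX_FILES = {"index.html", "index.htm", "index.php", "default.asp", "default.aspx"}


def audit_webroot(root):
    """Return a sorted list of (finding, relative_path) tuples for the tree under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        # No index page: a crawler following the listing discovers everything below.
        if not INDEX_FILES & set(filenames):
            findings.append(("directory-listing", rel_dir or "/"))
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            if name in SECRET_NAMES:
                findings.append(("credential-or-secret-file", rel))
            elif LEAKY_EXT.search(name) or name.endswith("~"):
                findings.append(("backup-or-dump", rel))
    return sorted(findings)


def suggested_queries(host, findings):
    """For each finding, the kind of search that would surface it (illustrative)."""
    queries = set()
    for kind, rel in findings:
        leaf = rel.rstrip("/").rsplit("/", 1)[-1] or host
        if kind == "directory-listing":
            queries.add(f'site:{host} intitle:"index of" "{leaf}"')
        elif kind == "credential-or-secret-file":
            queries.add(f"site:{host} inurl:{leaf}")
        else:
            ext = leaf.rsplit(".", 1)[-1].lower()
            queries.add(f"site:{host} filetype:{ext}")
    return sorted(queries)


def build_sample_webroot():
    """Construct a throwaway web root (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.html": "<html>hi</html>",
        "app/index.php": "<?php ?>",
        "app/config.php.bak": "$db_pass = 'x';",
        "backup/site-2004-07.sql": "INSERT INTO users ...",
        "protected/.htpasswd": "admin:$apr1$...",
        "logs/access.log": "GET / 200",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    try:
        results = audit_webroot(sample)
        for kind, rel in results:
            print(f"{kind:26} {rel}")
        for q in suggested_queries("example.com", results):
            print("would be found by:", q)
    finally:
        shutil.rmtree(sample)
```

Run it against a real document root (`audit_webroot("/var/www/html")`) and compare the suggested queries with what the search engine already has cached for your site; anything that shows up is already public, cache included.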

Back at the beginning of July there was a funny parody of a mi2g vulnerability announcement posted to Full Disclosure regarding an information disclosure and possible race condition in the Wendy's drive-through menu order system. http://seclists.org/lists/fulldisclosure/2004/Jul/0311.html If you haven't seen it, it's worth a small chuckle.

Mi2g is best known for issuing bogus press releases regarding the worldwide cost of each virus and other inane methods of self-promotion. Threatening to sue those who mock them is their other pastime.

Mi2g's oh-so-serious rebuttal to the diabolical fake Wendy's order system security bulletin was posted July 20th. http://www.mi2g.com/cgi/mi2g/press/200704.php It's a real scream!

I wrote the following for a company newsletter. Based on a recent discussion over at MyITForum.com I thought I'd go into the archives, sanitize references to my company and go with a retro article today.

Imagine the ability to carry up to 1 GB of data with you from home to work in a device that is no bigger than a highlighter. USB Flash drives are pocket sized portable storage devices that can be accessed via any PC with a USB port. They offer more storage than a floppy, are more portable than ZIP drives, and are easier to use than CD-RW disks.

With the ease of use and compatibility of these drives, it is easy to imagine that employees will purchase and use them. With that in mind, consider the following points to ensure a safe computing environment on your company network.

1. Watch out for viruses!
When you transfer files between another location and your company, make certain to scan the files with an up-to-date virus scanner. (This is also true when transferring files using floppy disks, CD-Rs and ZIP/JAZ drives.)
2. Protect your data
Most USB flash drives do not contain any protection if the drive is stolen or lost. More expensive models can be protected by a PIN or even a thumbprint. If you have a model without any data protection, don't store any information on it you can't afford to lose. Client data, social security numbers, and credit card numbers should never be stored on these devices.
3. Include return information
Include a text file on the flash drive with your contact information so it can be returned if it is misplaced.

USB Flash drives are very convenient. When using the latest tech gadgets, it is important to be aware of the security concerns. By following these simple steps you can safeguard your own data and that of your company.


http://labmice.techtarget.com/articles/usbflashdrives.htm

I was on a break between Master's programs and needed some structured education to make me open a book. I decided to take a class that the community college was offering in Computer Security. As part of the class we were required to give a 10 minute presentation on something related to the class.

One of my classmates got up and talked about information warfare. As an example he cited the Gulf War printer virus! For those of you who don't know, in 1992 US News and World Report ran a story reporting that just before the first Gulf War, the NSA intercepted printers bound for Iraq. They are supposed to have replaced chips inside the printers with chips containing a virus. To this day, some generals credit the Gulf War virus with knocking out Iraqi radar installations.

Unfortunately the Gulf War virus story was originally written as an APRIL FOOLS gag.

http://www.vmyths.com/hoax.cfm?id=123&page=3
http://www.soci.niu.edu/~crypt/other/wsj.htm

I considered making my talk about refuting the Gulf War printer virus hoax, but discretion being the better part of valor (whatever that means) I chose not to directly refute this student. Rather, I gave a talk about virus hoaxes.

I talked about how to identify virus hoaxes and ridiculed people's credulity regarding outlandish claims that show up in the email inbox. It was a thing of beauty. A great didactic moment. At the end there was time for questions, and the Gulf War printer guy asks if it's true that viruses are propagated by antivirus companies to spur business. I guess some people never learn.

Interesting article by Jon Oltsik over at news.com. It's titled The Network is the Security. He asks: Why is network security based on scores of individual boxes with limited integration? Why is network security an overlay on the network rather than the network itself?

He argues that when a computer is turned on, the network should know who the user is and what they have access to. And if people are doing something they shouldn't, then security staff are alerted.

The network should perform firewall, IDS, IPS, AV and content filtering. It should create a model of "normal" traffic as a baseline for anomaly detection.

Jon then goes on to review the leading vendors.

Remember when we were able to take the time to try out virus definition updates before deploying them to the company? That sure helped avoid unpleasant interactions with company software. At the very least we'd wait a bit and let some other poor sap experience the mayhem at HIS company that comes with a bad virus update.

Over time, that became an indefensible position. Too often the enemy would be at the gate before we'd even received a virus update. The second the definition was available it had to be deployed just to stop the damage. It's funny how best practice shifts over time. Yesterday virus defs were considered carefully before deployment; today we're begging for anything, even beta defs.

Besides the need to get the new defs out to meet an immediate threat, we also found that virus def quality had greatly improved and some of the old fears were no longer applicable.

The same thing is occurring now with patching (operating system and applications). I won't bore you by rehashing mean time to exploit. We all know the time between release of a patch and a public exploit is shrinking. Even today we all sit and wait for Tuesday and the 7 patches that are coming. Hopefully this will help with the Internet Explorer mayhem. How long is it prudent to wait before deploying a patch when people are actively having their browsers exploited? Auto-updating is here for patches as well. Let's hope that in time we can apply OS and software patches with the same level of assurance we apply anti-virus patches (virus definition updates).