General: December 2004 Archives
The 2004 Annual Email Security Report from Message Labs is available from http://www.messagelabs.com/binaries/LAB480_endofyear_UK_v3.pdf
In it they identify the trends of 2004 such as the increase in phishing, legal attacks on spammers and the ongoing saga of various sender authentication schemes. In addition they have statistics from the year and predictions for next year.
Wired News has a light humorous article on what happens when you work on a project that is canceled before it ships and you're fired. Of course the only course of action is to sneak into your former employer and finish it, right?
As someone in infosec, the article scares the hell out of me. Even though the events occurred a decade ago, they could still occur today. The fired employee was able to continue accessing Apple headquarters because they failed to terminate his access after laying him off. Once the access was disabled, employees were slack and allowed him to piggyback at entryways without challenge. Some employees condoned his efforts because they had similar side projects. It got to the point that managers applied for contractor badges for this rebel even though he wasn't actually working on anything for Apple. At Apple they like to remind us PC folk that they think differently. Apparently this includes a total lack of security. For when his project was done, they licensed it and included it in their operating system.
I recently posted about my love for the new series of AOL ads. They highlight the fact that users don't set out to have security disasters and lose their term papers and family photos to a virus. They don't set out to have their online experience be horrible because of porno spam and spyware. They just want to email grandma the pictures they took at Christmas. Is that so wrong?
Tom Liston takes a different view over in today's SANS Diary. I'm so glad I got my post in first (a month ago actually). This way I know I'm not just having a knee-jerk reaction against what the "experts" have to say.
Liston claims the ads call AOL customers idiots, and further that computers are tools that must be used skillfully. Basically he's playing the old blame-the-user game. Don't we yell at Microsoft for not making patching easier, and for not making stopping viruses and spyware easier? Here is AOL stepping up and helping keep the home user's system secure. In the past they've done things like turn off the Messenger service. Now they are including anti-virus and antispyware. If the updates for this are as easy as the updates to AOL's own software, they have the potential to make people much, much more secure.
AOL IS FILLING IN THE SECURITY GAP. THEY SHOULD BE COMMENDED.
I would highly recommend reading the following entry from the Microsoft Monitor Blog. It tells of the writer's grandma, Windows XP and AOL Security Edition.
The sole problem I might have with the ad campaign is that it implies "Get AOL, Get Secure", when in reality the AOL Security Edition is necessary.
Over at the SANS Internet Storm Center Diary today's handler is taking swipes at David Litchfield (calling him mean, spiteful, and rude as well as a grinch). You see, Oracle patched some vulnerabilities that David found back in August. Nice guy that he is, he did not publicly announce the vulnerabilities until December 23rd, 4 months after patches were available.
Stuff like this is fine in a blog. Opinion is great. But when the name SANS is on the blog, you're lending the SANS name to your personal opinion. It doesn't matter if you have a disclaimer. It just seems like more and more the SANS ISC Diary is used for a bully pulpit (or in this case just blowing off steam). The ISC Diary should stick to aggregating reports about what is going on out on the Internet.
I did a quick Google to see if what the SANS handler said was true or if Litchfield had posted a response yet. I didn't find any current response, but I did find a ZDNet interview with Litchfield. He appears to be very mindful of not releasing vulnerability info prior to patches being available. For that he deserves a pat on the back, not the lump of coal that SANS is presenting.
It's kind of funny that after giving Litchfield the pitchfork, they just kind of mention in passing that a Chinese group has released exploit code for unpatched Windows vulnerabilities. Perhaps those are the guys that deserve the heat.
http://www.vnunet.com/News/1160190
VNUNet's 5 predictions for the coming year in security
1. Signature-based antivirus software is finished
2. Spam rates will regularly hit 90 per cent of all emails
3. Cyber-terrorists will remain mythical
4. No Longhorn in 2005
5. No security, no connection
For the full article see the vnunet link above. All in all it looks like a pretty safe list to me. The last item I can only hope will happen: endpoint compliance, where users are denied access until they are proven secure (or proven to meet certain requirements like antivirus). The first item, I have to wonder what the solution will be. I don't think HIPS is ready for prime time, and I don't think heuristics as currently deployed are the solution either.
This week the Santy virus used Google queries to find vulnerable versions of phpBB for it to attack. Immediately there were calls for Google to block this malicious search. Within 7 hours Google complied and the virus was no longer able to search for phpBB servers, until a new variant was written that changed the User-Agent field. If the User-Agent field is random, or something common, will Google then block all queries for phpBB?
One has to wonder about the interests of information freedom versus the interests of computer security. I wonder how far Google will be forced to go. Will all googlewhacks be banned as well? After all, what legitimate purpose do I have in searching for xls files with "password" in the file name? Where will it stop? Will I no longer be able to search for +solaris +root +exploit? It seems antithetical to the nature of the internet to try to block all malicious searches in search engines.
Over at news.com Robert Lemos postulates that rate limiting is a possible solution. If I have a computer that queries for vulnerable phpBB servers, it talks to Google once. How do you rate limit that? In the vast amount of traffic how do you notice "abnormal" query tendencies and block them dynamically? Frankly, rate limiting should already be in effect to prevent address harvesting via the Google cache.
Given the security culture, I can't help but wonder how long we must wait before someone demands we shut down the search engines to protect national security. First we had an email virus getting addresses from Yahoo People. Now we have an internet worm gathering victims from Google. Won't someone please think of the children.
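As an added example (not from the original post), here is a small Python sketch of the three controls weighed above, run over constructed search-frontend log lines: the worm's query string and User-Agent are placeholders, not Santy's real ones, and the log format is invented for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed search-frontend log (not real search-engine logs): client IP, User-Agent, query.
# "CONSTRUCTED_WORM_QUERY" and "WORM-UA" stand in for the worm's real strings.
SAMPLE_LOG = """\
10.0.0.1 ua="WORM-UA" q="CONSTRUCTED_WORM_QUERY"
10.0.0.2 ua="WORM-UA" q="CONSTRUCTED_WORM_QUERY"
10.0.0.3 ua="Mozilla/5.0" q="CONSTRUCTED_WORM_QUERY"
10.0.0.4 ua="x7f3k" q="CONSTRUCTED_WORM_QUERY"
10.0.0.5 ua="Mozilla/5.0" q="holiday recipes"
10.0.0.6 ua="Mozilla/5.0" q="CONSTRUCTED_WORM_QUERY"
10.0.0.7 ua="Mozilla/5.0" q="solaris root exploit"
"""
LINE_RE = re.compile(r'^(\S+) ua="([^"]*)" q="([^"]*)"$')

def parse(log):
    """Return (ip, user_agent, query) tuples for every well-formed line."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries

def block_by_user_agent(entries, bad_ua):
    """Control 1: drop the worm's known User-Agent. Misses any variant that changes it."""
    return [e for e in entries if e[1] != bad_ua]

def per_client_rate_limit(entries, max_per_client):
    """Control 2: classic per-IP rate limit. A worm that asks once per host never trips it."""
    seen, kept = Counter(), []
    for e in entries:
        seen[e[0]] += 1
        if seen[e[0]] <= max_per_client:
            kept.append(e)
    return kept

def flag_query_bursts(entries, min_distinct_clients):
    """Control 3: count distinct clients per identical query. A worm fans the same query
    out across many hosts, so the query string, not any one client, is the outlier."""
    clients = defaultdict(set)
    for ip, _ua, query in entries:
        clients[query].add(ip)
    return {q for q, ips in clients.items() if len(ips) >= min_distinct_clients}
```

The first two controls leave the bulk of the worm's queries untouched, while the third isolates the one query string a legitimate user base would not suddenly issue from many addresses at once.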
Nice blog entry today over at MSDN.
http://blogs.msdn.com/ptorr/archive/2004/12/20/327511.aspx
It describes his experience installing Firefox. Unsigned software. Download redirects to unknown sites. Installation that does not finish.
Whereas XP SP2 does a good job of trying to stop users from running every damn thing a website asks them to, Firefox is back in the old mode of "do you want to run install program x?" Sure, why not.
Saw an article over at Yahoo that Symantec is in talks to purchase Veritas. In the article it reports that analysts have expressed concern that this may signal that the security sector may be weakening.
"For them to be taking such a huge step away from security ... it does not intuitively strike me as a positive sign for the security space over all," said Donovan Gow, an analyst at American Technology Research
The end of the "security bubble" has definitely been a concern for those late to the security table. Sure, companies are being a bit more cautious about throwing money at any product with security in the name. But that does not obviate the need for security solutions. Clearly I don't have the inside knowledge of an analyst. But I wonder if the acquisition binge that Symantec and McAfee have been on is more of an indication of the wealth of these companies rather than an indication of their panic. Yet straying from the core security message of the company could be a problem.
The SANS Internet Storm Center diary has a good writeup today of some basic virus analysis.
The SANS Institute has this series of webinars called "What Works" where a user of a product pitches it as a solution for some problem.
"SANS WhatWorks is the only web cast series that lets you talk with real users who have real experience implementing technologies that you are considering."
I watched the first one and it seemed that the guy doing the pitching was more than just a customer of the vendor. It seems like the guy was a partner with the vendor he was pitching. I didn't hear anything about pros/cons of other solutions or even points of evaluation. I figure his company got a big discount for doing the sales pitch. It happens all the time: customers become "partners". They sell their company name for a discount on the product.
SANS has sponsors for these events. In the event I saw, the event was sponsored by the product being pitched. This doesn't sound to me like an unbiased third-party endorsement. How can this be considered "straight from the horse's mouth" when it's filtered through the vendor?
This is my opinion. This is Rogers InfoSec Blog.
Eugene Kaspersky, head of antivirus firm Kaspersky, recently predicted that the security computing market will burst within 5 years.
He predicts this crash will occur because of a lack of experience or skill at many companies with security related products. Furthermore, the drive toward secure networks for business will alleviate the demand for other security products.
EDS reports that human error took out 40,000 computers in the UK Department of Work and Pensions the week of November 22nd. EDS was attempting an upgrade to Windows XP and the push was inadvertently deployed to more systems than intended.
Availability. One of the keys of computer security. Human error, an oft overlooked cause of Information Security problems.
Many software clients use Globally Unique Identifiers to identify themselves to a network server. This becomes an annoyance to those of us who use disk imaging to deploy systems. Sysprep does a good job of taking care of the Windows SIDs, but the person doing the disk imaging is left to manually go through and delete the remaining GUIDs. Otherwise every imaged system would have the same ID number. (By deleting the GUID just prior to imaging, a new ID is created when the system is deployed.) I've always wondered why these software products didn't just key off of something else. I guess they didn't want to use a Microsoft GUID since they wouldn't have any control over the number provided.
Symantec Antivirus is the worst offender. They addressed the problem of disk imaging causing duplicate GUIDs by having the GUID change seemingly every time the IP address changes. How many times does the IP address change or a different network interface get used on a laptop? It could connect on multiple subnets. It could use a VPN. It could dial up. It could be placed in a docking station. Suddenly every system is listed multiple times in the management control console (the SSC) because the GUID keeps changing.
And so I'm off to once again add suppressnewguid into the registry on the SAV parent server to stop the client duplication. Hope the person doing the disk imaging remembers to remove the GUID prior to the image being taken. Wouldn't it be a lot easier if they used a GUID whose uniqueness is guaranteed by Sysprep?
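Both failure modes described above show up in a console export, so here is an added Python check (not Symantec's code or a real SSC export format; the rows and GUID values are constructed) that flags a GUID shared by several imaged hosts and a single laptop that has accumulated several GUIDs as its address changed.

```python
from collections import defaultdict

# Constructed management-console export: (hostname, client GUID, last reported IP).
SAMPLE_EXPORT = [
    ("ws-101", "GUID-AAAA", "10.1.1.10"),
    ("ws-102", "GUID-AAAA", "10.1.1.11"),   # image was taken with the GUID still present
    ("ws-103", "GUID-AAAA", "10.1.1.12"),
    ("lt-201", "GUID-B001", "10.2.2.20"),   # one laptop, new GUID after each address change
    ("lt-201", "GUID-B002", "192.168.5.7"),
    ("lt-201", "GUID-B003", "172.16.0.9"),
    ("ws-104", "GUID-CCCC", "10.1.1.13"),
]

def shared_guids(rows):
    """Imaging failure: a GUID that several different hosts report."""
    hosts = defaultdict(set)
    for host, guid, _ip in rows:
        hosts[guid].add(host)
    return {g: sorted(h) for g, h in hosts.items() if len(h) > 1}

def churning_hosts(rows):
    """Address-change failure: one host listed under several GUIDs."""
    guids = defaultdict(set)
    for host, guid, _ip in rows:
        guids[host].add(guid)
    return {h: sorted(g) for h, g in guids.items() if len(g) > 1}

def console_overcount(rows):
    """Entries in the console beyond the number of real hosts."""
    return len(rows) - len({host for host, _guid, _ip in rows})
```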