General: July 2005 Archives
Rob Rosenberger of Vmyths.com will be at the Capital PC Users Group Meeting (in Springfield, VA) on August 8th at 7pm. He will be speaking on the subject "Why Don't Antivirus Firms Get Infected."
If I remember right, the two reasons Rob has cited in the past are 1) severe penalties and 2) different antivirus. If you shut down your company by opening the LoveLetter virus, you don't get blamed, you don't get fired. At antivirus companies, you're in for a severe shunning or worse if you manage to get infected. The latter claim, that they use different antivirus software, I don't think I can explain without sounding like a conspiracy theorist.
Check out the CPCUG site for more info. I saw Rob at the CPCUG a number of years ago and it was very entertaining and informative.
I'm trying to write up something for the users at work to disabuse them of the notion that wireless security at home means turning on WEP, turning off SSID broadcast and using hardware (MAC) address filtering.
I ran across "Cracking WEP in 10 minutes", which is a nice little blogcast if you haven't seen it before. I think I ignored it when it was in the news a while back; it seemed too academic. So it's nice to see this styled more after the underground.
On a similar note, I'd like to get my TiVo up on my 802.11g network. I really can't hardwire it, and I want to take advantage of multiroom viewing. I don't think they currently support WPA. I'm not sure they even support WEP right now. I'm not willing to downgrade my security for it. Too many neighbors with wireless networks.
Ok, enough rambling, I'm running out for some ice cream.
ISS RealSecure Workgroup Manager hit its end-of-life back in January, so I was asked to work on upgrading it to their new product, SiteProtector 2.0.
It's always kind of funny when an upgrade is not only mandatory but makes life more difficult. SiteProtector seems similar to Cisco VMS. The idea is that we should be able to manage everything from one location. The scanners, the host sensors, the network sensors all come together in one lovely stew.
I guess I should start with the things I like. Unlike Cisco, they provide a console in addition to an administrative website. It's nice to have that option. Also, the website doesn't use up all available memory, unlike Cisco's Java-loving beast of a website. Updates were rather simple. It is also possible to schedule recurring updates.
I am rather perturbed about reporting. Under the old version, I was able to create graphs based on top senders and receivers of attacks as well as the top attacks. I could then filter down and create more focused reports, such as what the top attacks attempted on server X were.
The new system has reporting as an add-in module (ka-ching). I thought the analysis tab could be useful for creating a report, but it has a limit of 500 lines by default. Not so helpful.
I may be able to create the reports by querying the SQL database. But the hardest part there looks like figuring out what numeric encoding they are using to store the IP addresses so I can convert them back.
At least it's something to work on as we start the new workweek.
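The "which encoding is it" problem above is one every IDS/SIEM database query eventually runs into, so here is an added example (mine, not code from the post, from ISS, or from SiteProtector, whose real schema I make no claim about). It tries the encodings products commonly use for an IPv4 column (unsigned 32-bit in network order, the same value wrapped negative by a signed SQL int, byte-reversed host order, and an 8-digit hex string), and then narrows the candidates by checking which reading puts a few known rows inside a subnet you already know the sensors watch. The sample values are constructed for the demo.

```python
import ipaddress
import struct


def _quad(n, little_endian=False):
    """Render a 32-bit unsigned value as a dotted quad, optionally reading its
    bytes in reverse (host order on x86 rather than network order)."""
    b = struct.pack(">I", n)
    if little_endian:
        b = b[::-1]
    return str(ipaddress.IPv4Address(b))


def decode_stored_ipv4(stored):
    """Return every plausible dotted-quad reading of an IPv4 address that an
    event database has stored as a number, keyed by interpretation name.

    Accepts an int, a decimal string (possibly negative) or a hex string."""
    text = str(stored).strip()
    readings = {}
    is_hex = text.lower().startswith("0x") or any(c in "abcdefABCDEF" for c in text)
    if is_hex:
        n = int(text, 16)
        if 0 <= n <= 0xFFFFFFFF:
            readings["hex-be"] = _quad(n)
            readings["hex-le"] = _quad(n, little_endian=True)
        return readings
    n = int(text)
    if 0 <= n <= 0xFFFFFFFF:
        # Unsigned 32-bit: a.b.c.d stored as a*2^24 + b*2^16 + c*2^8 + d
        readings["unsigned-be"] = _quad(n)
        readings["unsigned-le"] = _quad(n, little_endian=True)
    if -0x80000000 <= n < 0:
        # Signed 32-bit (a SQL 'int' column): 128.0.0.0 and above wrap negative,
        # so undo the two's complement to get the unsigned value back first.
        readings["signed-be"] = _quad(n & 0xFFFFFFFF)
        readings["signed-le"] = _quad(n & 0xFFFFFFFF, little_endian=True)
    return readings


def pick_interpretation(samples, expected_network):
    """Given a handful of stored values and a network the sensors are known to
    watch (e.g. the server subnet), return the interpretation names under which
    every sample lands inside that network.  One survivor means the encoding is
    identified; none means the column is stored some other way entirely."""
    net = ipaddress.ip_network(expected_network)
    survivors = None
    for s in samples:
        fits = {name for name, quad in decode_stored_ipv4(s).items()
                if ipaddress.ip_address(quad) in net}
        survivors = fits if survivors is None else survivors & fits
    return sorted(survivors or [])


if __name__ == "__main__":
    # Constructed sample column values, not real SiteProtector rows.
    for v in (167838211, -1062731515, "0x0A010203"):
        print(v, decode_stored_ipv4(v))
    print(pick_interpretation([167838211, 167838212], "10.0.0.0/8"))
    print(pick_interpretation([-1062731515, -1062731514], "192.168.0.0/16"))
```

Pull two or three rows whose real addresses you can confirm from the sensor console, feed the raw column values to `pick_interpretation` with the subnet they belong to, and the surviving name tells you which conversion to bake into the reporting query. Watch for the signed case in particular: a SQL `int` column holding anything from 128.0.0.0 upward will show up negative, and a naive unsigned conversion silently drops those rows.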
Still working on deploying the ActiveX kill bit. That is the mitigation for the javaprxy.dll exploit. An SMS advertisement did not get migrated over to SMS 2003 at work, so we're playing hit or miss guessing what the syntax should be to deploy a .reg file. We have a .reg file that we normally push out monthly with over 1000 ActiveX controls to disable.
Microsoft created .exe files to make it easy for users to disable the javaprxy.dll ActiveX control. I had heard this would be available on Windows Update, but I don't see it available there. It would be a good idea if they pushed this mitigation to everyone with auto-update turned on. Otherwise the average user just isn't going to be protected.
I think this mitigation should also be deployable as a patch through SMS SUS.
By the time we get the mitigation deployed, the real patch will be available. I haven't seen much chatter from the peeps at myitforum regarding getting the mitigation deployed. Either it went smooth as silk for them, they can't talk about work anymore, or they aren't worried about it. As I've mentioned, I've downloaded the exploit code and it is child's play. I think lowering the corporate exposure to this vulnerability is exceedingly important.
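Since the whole post is about getting a kill-bit .reg file out the door, here is an added example of generating and checking one (my code, not the post's, not Microsoft's, and not the monthly file mentioned above). The mechanism itself is the documented one from Microsoft KB 240797: a `Compatibility Flags` DWORD with bit 0x400 set under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` tells Internet Explorer never to instantiate that control. The javaprxy.dll CLSID below is the one I recall from Microsoft Security Advisory 903144; confirm it against the advisory before deploying, because a typo in a CLSID kills nothing and looks like success. The parser exists so a generated or hand-edited file with a thousand entries can be verified before SMS pushes it.

```python
import re

KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400   # Compatibility Flags bit: IE refuses to load the control (KB 240797)
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")

# CLSID for javaprxy.dll as given in Microsoft Security Advisory 903144 (from
# memory; verify against the advisory before this goes into an SMS package).
JAVAPRXY_CLSID = "{03D9F3F2-B0E3-11D2-B081-006008039BF0}"


def build_killbit_reg(clsids):
    """Return the text of a regedit 5.00 format .reg file that sets the kill
    bit for every CLSID given.  Rejects anything that is not a well-formed
    CLSID so a bad line cannot slip into the monthly push."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        clsid = clsid.strip().upper()
        if not CLSID_RE.match(clsid):
            raise ValueError("not a CLSID: %r" % clsid)
        lines.append("[%s\\%s]" % (KILLBIT_KEY, clsid))
        lines.append('"Compatibility Flags"=dword:%08x' % KILL_BIT)
        lines.append("")
    return "\r\n".join(lines)


def parse_killbit_reg(text):
    """Read a .reg file back and return {CLSID: flags} for every ActiveX
    Compatibility key it sets.  Keys under other hives are ignored."""
    flags = {}
    current = None
    prefix = KILLBIT_KEY + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):].upper() if key.upper().startswith(prefix.upper()) else None
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            flags[current] = int(line.split("dword:", 1)[1], 16)
    return flags


def is_killed(flags, clsid):
    """True when the parsed file sets the kill bit for this CLSID."""
    return bool(flags.get(clsid.strip().upper(), 0) & KILL_BIT)


def missing_killbits(reg_text, required_clsids):
    """CLSIDs from the required list that the .reg file does not kill; an
    empty list is the go/no-go check before advertising the package."""
    flags = parse_killbit_reg(reg_text)
    return [c for c in required_clsids if not is_killed(flags, c)]


if __name__ == "__main__":
    reg = build_killbit_reg([JAVAPRXY_CLSID])
    print(reg)
    print("missing:", missing_killbits(reg, [JAVAPRXY_CLSID]))
    # Regedit 5.00 files are conventionally UTF-16LE with a BOM; newline="" keeps
    # the CRLF line endings already in the text from being doubled on Windows.
    with open("killbits.reg", "w", encoding="utf-16", newline="") as fh:
        fh.write(reg)
```

The SMS program's command line for a file built this way is just the silent import, `regedit /s killbits.reg`, run in a context that can write HKLM. Run `missing_killbits` over the generated file with the master list of CLSIDs before each monthly push; it catches both a dropped entry and a CLSID that was mangled on the way in.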
Gartner has released its Magic Quadrant for E-Mail Security Boundary, 1H05. It is available from Gartner if you subscribe. It can also be picked up from some of the vendors who did well on the list if you supply your contact info.
I wouldn't rank the Symantec product so high. Sure, Brightmail is nice, but the dependence on the Symantec AV engine is almost unforgivable in my book. At the email boundary you want something you can rely on: heuristics or multiple scan engines.
It's interesting to read about the other products. Barracuda is advertised in commercials all the time here, so it was interesting to see a quick opinion on their product.
I'm of course happy to see MessageLabs doing well in the report.
Of course some people (or actually one person) may think that I'm full of FUD for mentioning antivirus at all. If you're like that, you probably think the principle of least privilege should be applied so that only whitelisted mail with no attachments is allowed.