General: November 2005 Archives

The Register wrote yesterday that Symantec is not selling LC5 outside the U.S. Actually, they are doing better than I am; I couldn't even get Symantec to talk to me about LC5, and I'm in the U.S. SAMInside is better and cheaper anyway.

On November 16, AOL added an "AIM Bots" group to AIM users' buddy lists. This group contained the buddies Moviephone and ShoppingBuddy. A popup indicated that the bots had been added, but it was not clear who really added the new buddies or why. Apparently AOL was seeking to promote the bots, which are a way to query movie times and shopping info via IM.

This intrusion is much worse than when AIM first started adding ads to the AIM client. The protests against this action were even mentioned on Drudge. I don't use third-party IM clients like Trillian or software to remove the ads from AIM. I wonder if they are free from this annoyance.

You can delete the bot buddy group manually, but you may also want to let AOL know what you think by sending a message to megabotfeedback@aol.com. I'd use a disposable email account for that email.

This is an old one, and a good candidate for a Snopes debunking. Who knows, it's probably Photoshopped, but it's still good for an illustration. Security just can't be an afterthought in anything that you design or implement. This news station didn't have good access control on who could update the school closing crawl.

(image: bringemyoung.jpg)

A News.com article reports that bots will include encryption to hide their presence.

In the near future, bots will include encryption to hide their presence from security and network sniffing tools often used to detect their presence, said Adam Meyers, an information assurance engineer at SRA International speaking at the Computer Security Institute conference here.

I'm not a bot expert, but I thought controlling bots over encrypted IRC channels was already common practice.

The bot writers have a choice of a variety of encryption technologies, according to Meyers. They could use SSH, SSL (Secure Sockets Layer), ROT-13 or a proprietary method, Meyers said. Such a bot would be harder to craft than today's bots, but worthwhile, he said.

ROT13? That'll slow down the cryptanalysis... not. But it may be enough to fool an IDS that only matches on literal command strings.
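To make that point concrete, here is an added example of my own, not code from the News.com article or from Meyers' talk. The IRC line is constructed, not captured from a real bot. A literal-pattern signature of the kind a signature IDS uses stops matching once the command is ROT13'd, but trying all 26 shifts recovers it instantly, which is the entire "cryptanalysis" of a Caesar cipher. Note also that ROT13 only touches letters, so the IP address and port in the command pass through untouched and a numeric indicator still fires.

```python
import re

# Constructed sample traffic: one plaintext bot command. It is not from a real
# botnet capture; the IP is from the RFC 5737 documentation range.
PLAIN_LINE = b"PRIVMSG #ops :.ddos.syn 192.0.2.10 80 600\r\n"


def caesar(data: bytes, shift: int) -> bytes:
    """Shift ASCII letters by `shift` positions; everything else passes through."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:          # A-Z
            out.append((b - 65 + shift) % 26 + 65)
        elif 97 <= b <= 122:       # a-z
            out.append((b - 97 + shift) % 26 + 97)
        else:                      # digits, punctuation, CRLF untouched
            out.append(b)
    return bytes(out)


def rot13(data: bytes) -> bytes:
    """ROT13 is the Caesar cipher with a fixed shift of 13, so it is its own inverse."""
    return caesar(data, 13)


# A literal signature like a signature-based IDS rule would carry: the command
# verb followed by an IPv4 target and a port.
SIGNATURE = re.compile(rb"\.ddos\.\w+ \d{1,3}(?:\.\d{1,3}){3} \d+")

# A weaker indicator that ignores the letters entirely: just "IPv4 space port".
NUMERIC_SIGNATURE = re.compile(rb"\d{1,3}(?:\.\d{1,3}){3} \d{1,5}")


def naive_match(line: bytes) -> bool:
    """What a plain literal rule sees: matches only the unencoded command."""
    return SIGNATURE.search(line) is not None


def numeric_match(line: bytes) -> bool:
    """ROT13 leaves digits alone, so the target/port pattern survives encoding."""
    return NUMERIC_SIGNATURE.search(line) is not None


def shift_normalized_match(line: bytes):
    """Brute-force the 26 possible shifts and return the one at which the
    signature matches (0 for plaintext), or None if no shift matches."""
    for shift in range(26):
        if SIGNATURE.search(caesar(line, (26 - shift) % 26)):
            return shift
    return None


if __name__ == "__main__":
    wire = rot13(PLAIN_LINE)
    print("on the wire:              ", wire)
    print("plain matches signature:  ", naive_match(PLAIN_LINE))
    print("rot13 matches signature:  ", naive_match(wire))
    print("numeric indicator on rot13:", numeric_match(wire))
    print("recovered at shift:       ", shift_normalized_match(wire))
```

The shift-normalizing check is cheap because the key space is 26; anything a bot author calls "encryption" that is really a fixed substitution falls to the same loop. Real SSL or SSH on the C&C channel is a different matter, and then you are back to detecting the connection pattern rather than the command text.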

CSOOnline blogs about an Office Document Solutions conference in Boston, reporting that office copiers could be the most insecure thing on your network. Of course, anyone with an ounce of security knowledge and access to a networked copier already knows that. I blogged about my own copiers here and here.

"Network-connected output devices are becoming an absolute primary target of people, foreign and domestic, who are penetrating networks," according to Jim Joyce, senior vice president for office services at Xerox Global Services. It's an interesting premise. They could be considered a primary target, because someone might want to hack the copier and then send a copy of everything copied or printed on it to an email address outside the company. On the other hand, a copier is a good secondary target because its large hard drive and insecure operating system lend themselves to attacking other systems.

I've written in the past that the latest copiers I have from Canon seem to be much better than earlier models from both Canon and Toshiba in terms of security. Since then, they have added a scanning workstation which is an unsecured Windows XP client. :( I wish they had just given us the software to install ourselves instead of bringing in a computer that they won't support if we secure it.

How many versions of the Sun Java Runtime Environment are you running? A couple of MVPs over at broadbandreports asked this question after they noticed users with older versions of Sun Java getting infected.

It's not exactly a new problem with Sun Java. You run the update and think you're protected, but what you don't realize is that you are merely adding the new version to your system. The older vulnerable version is still there and can still be requested specifically by a malicious website. Can you imagine if Microsoft patches ran that way? Not only that, many applications that use Sun Java are programmed to work with a specific version only. So I'm forced to use a vulnerable version of Java in order to administer a product like the Cisco VMS server. (Cisco has finally provided an upgrade, but they still don't support the current release.)

For the record, I've got the following versions on my computer.
1.5.0_01
1.5.0_02
1.5.0_04
1.3.1_03

How about that, my entry discussing my LC4 and LC5 search is the number one result at Google if you search for lc5 and Symantec.

I did some more searching last night and found an Experts-Exchange thread indicating that Symantec is not selling LC5 anymore because they plan to incorporate it in some form into their own security product line. I have no idea where that leaves those of us who need to get a new license file every time we get a new computer and need to reinstall LC4.

I also found an entry at GovernmentSecurity.org (a computer security site, not a Homeland Security site) that turned me on to a product called SAMInside. I'm trying that out now. I don't have any trust in it, so what I'm doing is taking a pwdump file from my domain controller and placing it on a virtual machine with the SAMInside program, some dictionary files and eventually some rainbow tables. I disconnected the network adapter before doing anything, and I plan to revert to the previous snapshot after I get the password audit results. That should keep anything bad from happening with the password file.

Updated based on a comment.

The Microsoft hype machine was in full force with the release of Exchange 2003 Service Pack 2. They would have you believe that it, along with Windows Mobile, is the death knell for Blackberry. Microsoft was pushing it hard, and you could see the MVPs repeating the charge faithfully. When I was out at Microsoft in Herndon, VA they were pushing this, so I asked them how they would architect a solution which required push technology yet required the clients to use SecurID for any inbound-initiated connection. They couldn't do it. I had to figure out on my own that I needed a Good Technologies server to make this work. Replacing the Blackberry server with a Good server is hardly a huge benefit of Exch2k3sp2.

The thing is, the Blackberry fanatics (and I'm still one) don't even know they are already dead. Company after company is moving to Windows Mobile phones or the Treo. Some want more features than Blackberry can provide. Other companies just don't want to be caught with their pants down if Blackberry gets an adverse court ruling. This lawsuit uncertainty is having a chilling effect on Blackberry's market share, and it could not come at a worse time.

The Blackberry head says that they already have alternate technology in place if they lose this patent lawsuit. Is he merely trying to keep the stock from tanking, or do they have solid plans in place to prevent the Blackberry network from going dark? Will people who have been enamored with Blackberry choose to leave after they've been prompted by these events to examine the Good Technology solution?

Since Symantec purchased @stake it has been difficult to find information on LC5. In my Google searches I can see where people are sharing eval copies. I am a licensed customer of LC4 and would like to upgrade to LC5. I called Symantec Sales and they took a message "for the LC sales person," who has yet to call me back. LC uses a form of DRM to force you to get an updated license file if you install it on a new machine. In December, I'll be getting a new computer and will need help from Symantec just to keep using LC4.

Another week, another patch. I was just noticing that Flash really needs to get patched. That one has some potential: there have been instances of ad servers getting hacked, and banner ads like to use Flash. So an attacker could hack the ad server and upload a specially crafted Flash file. That way, when you go to any garden-variety trusted website that happens to use that banner ad server, you get infected with malware delivered through the Flash exploit.

We've decided this needs to be addressed soon. Fortunately, Macromedia does reportedly supply an MSI version of the installer if you license it for use on your intranet, so it should be simple to push the newer version out with SMS. You can use SMS to get a count of clients with each version of Flash by doing a query for getflash.exe.

Microsoft only has one patch out this month, but it's for GDI. I'd recommend patching the clients this month on your normal patching cycle. Servers shouldn't be used to surf, so I'm thinking it's safe to skip the server patches this month.

Message Labs continued expanding their cloud services by adding Omnipod, an outsourced enterprise IM product.

The I.T. department is burdened by the need for more and more servers and more and more services. Outsourcing repetitive tasks to domain experts is one way to make it possible to get things done. Having the services in the cloud makes it possible for IM to continue in the event of a localized disaster.

Lots of IM security noise this week. From TechNews, "Your Next IM Could Be Your Network's Last" by Gregg Keizer:

Facetime is issuing a "Worm Free Guarantee" on Tuesday as it releases Facetime Auditor 6.5. AFAIK they rely on thresholding, watching for clients sending too many messages in a short period of time. When I evaluated an earlier version of Facetime's product in October, I was plagued by problems.

IMLogic pointed out they use RTTPS technology to detect odd behavior and block the transmission. RTTPS is an add-on piece for their IMLogic product. It was not available when I tested IMLogic in September. I asked about getting a new beta and was told they don't do that because evals are limited to 50 users and RTTPS doesn't eval well with that number of users. When I evaluated IMLogic, file transfer did not work with AIM or MSN Messenger.

The article says that it is possible to create an IM exploit that automatically runs exploit code using keystroke macros found in MSN's and AOL's products. (I haven't heard of this before.)

I had Akonix on site today and will be beginning an eval of them next week. They have been doing IM security for a while now. They still rely on updated block lists. It's a better defense than what IMLogic and Facetime gave me to demo. However, I find myself wondering if these two vendors haven't jumped right back into the game with their new releases.

Being dependent on updates, as Akonix is, is not a good place to be. Think of it like email. When there were a low number of email viruses and they spread slowly, it was rare for a virus to get by. But as the volume of email viruses increased, their speed increased and more got by. Today viruses target specific companies and industries. The update model of security is not good enough for that. But based on my poor experience in evaluating IMLogic and Facetime, I really don't trust their press releases. Hopefully my eval of Akonix will fare better than these previous two.

Yesterday, Mark over at SysInternals posted about Sony Digital Rights Management (DRM) using rootkit-like techniques to hide its files. This got picked up by the SANS Internet Storm Center blog, giving it wider exposure.

Now today, F-Secure has a similar article. Do I think that the F-Secure BlackLight (rootkit detector) would have found the same things the SysInternals rootkit scanner did? Sure. But SysInternals did post about it first, so I think F-Secure should give credit where credit is due. At the present time they do not mention the SysInternals writeup at all. Since that article clearly sparked their own, I find this to be poor blogging on the part of F-Secure. Give credit where it is due.