General: February 2006 Archives

One of the annoyances that we have is wireless cards on our corporate computers that are looking for any access point named starbucks (no encryption) while connected to our domain. Anyone with a powerful antenna could park outside, name their access point starbucks, and the computers that are looking for starbucks would connect to that evil rogue access point. Personal firewalls should still protect, but it just looks bad.

So we've been looking for ways to disable wireless cards while the laptop is connected to our network. We went through a thing a few years ago with devcon. Unfortunately a VP said we couldn't disable wireless cards on computers connected to our domain because it would inconvenience the user.

We just now ran across a setting in the Dell TrueMobile card that will do what we want: "Disable Upon Wired Connect". And I'm finding articles dated 2002 with this info. Picking the wrong search term leads to disappointment.

I'm still left with a problem. I hear the path to this value in the registry is dynamic, based upon how many network interfaces you have. That will make it hard to change. The second problem is that about half of our network cards are Intel, and I don't know of a similar setting in those cards.

Message Labs Asia-Pacific VP James Scollay says the likelihood of increased attacks against VoIP networks means that Message Labs will introduce services for net phone management and security later this year or next year.


"VoIP is very clearly a likely next target in information security, because it is close to the critical mass needed to make it worth a criminal's time to target it," Scollay says.

"We are predicting the first VoIP threats will start to emerge towards the end of this year and will become common in 2007."

Just as the proliferation of email opened up a vast wave of spam, Scollay says, increasing use of VoIP may lead to a flood of spit (spam over IP telephony).

I ran across a blog entry, "IPSec Everywhere, Bad Idea", on another blog. It seems that the post author went to a company that was very proud that they had implemented internal domain isolation using IPsec.

I'm not entirely sure if the author jumped to the conclusion that this meant they were using encryption. Perhaps they were. However, Microsoft recommends implementing domain isolation through the use of IPsec ESP-NULL. This means that you are authenticating the peers who are talking to you, not encrypting all the traffic.

This technique is an alternative to 802.1x that may be easier to implement. Microsoft has a paper on this called Improving Security with Domain Isolation.

There are alternatives: 802.1x, personal firewalls, access lists on the router, and PIX blades within your core switches. This one seems relatively easy to deploy. Is it a cure-all? Of course not. There is still the problem of the infected machine that is part of your network. Network authentication does not equal a clean machine. It just means that the computer is known.

Untrusted devices should not be allowed access to the trusted servers.

Sparked by the EFF's latest fearmongering, many people want to know how to disable Google Desktop's ability to search across multiple computers. The articles I've read say this is off by default, but I don't use Google Desktop, so I can't say for myself.

The following is from the Google Desktop Google Group:


If you're using Google Desktop for Enterprise, please note that the
Search Across Computers feature is not available for Google Desktop for
Enterprise, so there is no need to configure the Enterprise version of
Google Desktop at this time. Once this feature is made available for
Enterprise, it will also be configurable via the Google Desktop
Enterprise administrative template.

If you're a system administrator using the consumer version of Google
Desktop, you can disable the Search Across Computers feature by
creating a DWORD value of disallow_ssd_service = 1 in the following
registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Google Desktop\Enterprise\

Please note that you will need to create this key.

You may need to restart Google Desktop to apply the change. To verify
that the change has taken place, restart Google Desktop and visit your
Google Desktop Preferences page. In the "Gmail and Search Across
Computers" tab, the ability to place a check in the "Search Across
Computers" check box should now be disabled.
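The registry change described in the group post above, as an added PowerShell example (not code from the blog or from Google): it creates the policy key if missing, sets the DWORD, and verifies it. It assumes an elevated Windows PowerShell session; the function names are my own.

```powershell
# Added example: create the Google Desktop policy key from the group post above,
# set disallow_ssd_service = 1, then verify that the value is really in place.
# Assumes an elevated (administrator) Windows PowerShell session with the HKLM: drive.
$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Google Desktop\Enterprise'
$valueName = 'disallow_ssd_service'

function Disable-SearchAcrossComputers {
    # The key does not exist by default ("you will need to create this key");
    # New-Item -Force creates the whole path, intermediate keys included.
    if (-not (Test-Path -LiteralPath $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # A REG_DWORD value of 1 disables the Search Across Computers feature.
    New-ItemProperty -LiteralPath $policyKey -Name $valueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-SearchAcrossComputersDisabled {
    # Returns $true only when the key exists and the value is exactly 1,
    # so a key that exists with the wrong value is reported as not disabled.
    if (-not (Test-Path -LiteralPath $policyKey)) { return $false }
    $props = Get-ItemProperty -LiteralPath $policyKey -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($props.$valueName -eq 1)
}

Disable-SearchAcrossComputers
if (Test-SearchAcrossComputersDisabled) {
    Write-Output 'Policy set; restart Google Desktop and check the Preferences page.'
} else {
    Write-Output 'Policy value not set; confirm the session is running as administrator.'
}
```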

Dear Roger, Our users are taking the provided laptop on the road with them, and they would like to connect wirelessly to the hotel network. I've heard somewhere recently that wireless access via hotspots introduces new/different vulnerabilities. I don't want these people or their computers :) catching some virus on the road and bringing it back to infect the corporation. Should I just disable the wireless cards and be done with it?

There are several problems that you should be aware of when using a wireless hotspot.
1. The Evil Twin. How do you know that the wireless access point you are using actually belongs to the hotel network? Is it a fake access point in the next room belonging to someone who wants to look at your data?

Solution: A lot of this is knowing what to look for and being suspicious. Don't provide any information unless you are convinced that it is a legitimate connection. For example, if you are required to register, make sure it's a valid SSL certificate that is signed by a root CA. If you don't have to authenticate or provide a credit card number, then use the connection but treat it as untrusted.

If it's work related, you may have a national carrier such as T-Mobile or AT&T. Perhaps that carrier's client can be used to set up these connections in a trusted manner.

2. Let's say you avoid the evil twin. Do you trust your network provider and those working for him? You don't know if they are flouting the law and collecting passwords.

Solution: Not much you can do about this other than treat the network as untrusted. Only authenticate through encrypted channels (SSL or VPN). Remember that if you open your mail client, it may have a password saved in there that it will send in clear text. You don't want the attacker to get your username and password.

3. The hotel network may not be set up properly. An article last fall revealed that tests showed a significant percentage of hotel networks are not switched. This means that anyone on the network could see anyone else's traffic; anyone in the hotel could look at the traffic you were sending. So you need to worry about protecting against everyone, not just the network owner.

Solution: Same advice as number 2. You may just want to do everything over the VPN if possible.

4. The hotel isn't using a WEP key. To use it you configured your laptop to connect to an SSID, let's say it's THEHOTEL. Now your computer is always looking for a network named THEHOTEL as long as your wireless card is enabled. All an attacker would need to do is name their access point THEHOTEL, and they are connected to your computer over a wireless network, and you probably wouldn't even notice.

Solution: Configure your wireless card to only connect to encrypted networks when you are done using this network. This is a manual process. If you are really lucky, your wireless drivers can be configured to only connect with access points with specific hardware addresses. Of course, that could be spoofed as well.

As always, good computer security practices can help to mitigate your exposure: personal firewalls, common sense, antivirus.

Looks like I should blog this since Chris Mosby is linking over here (thanks for the linkage, Chris). I posted about it on the myitforum.com antivirus discussion list rather than posting here so I could see what others were seeing.

A blog entry by tech reporter Brian Krebs notes that Microsoft Antispyware (MSAS) has tagged Symantec Antivirus as a keystroke logger. If you then follow the MSAS removal prompt, you'll remove enough of your SAV client that it won't work anymore.

The source of these reports is the Microsoft Antispyware newsgroups; I haven't seen anything on the Symantec or Microsoft website on this. Apparently the problem was with the 2/10 definitions. Newer definitions are available.

One interesting thing from the comments in the MS newsgroup: they have had problems in the beta with deploying Microsoft Antispyware updates. Caching servers are really causing a problem.

If this has happened to you, your best bet is probably an uninstall and reinstall. I don't know if restoring from Quarantine will work in this case. Time to go check on the status of systems in my enterprise to see if any have had this problem.

[UPDATE]:
Techworld reports that this affects pretty much all SCS and SAV Corporate Edition. That makes sense, since it is detecting something in the LANDesk registry key that SAV stores all its stuff in.

I thought I just got unsubscribed from NTBugTraq for using the Out of Office Assistant in Outlook. Instead it looks like they haven't sent anything out since September. I just got an email from NTBugtraq using listserv's list renewal feature, probing whether I wish to remain subscribed. Not sure if I really care to continue the subscription. It was once at the forefront of NT security. But now, with Microsoft announcing their own patches in a timely manner, and with things like SANS, Secunia and FSIRT, it just doesn't seem needed. Besides, with the blog echo chamber, I'm sure if it's important someone will copy and paste it into their own blog and I'll see it there.

Now if NTBugtraq had an RSS feed I might consider subscribing to that.

A blog called Googling Google over at ZDnet writes about a possible new Gmail feature where you could point your domain to Google and use them as your mail server. He goes on to say

Companies can use it as a replacement to Microsoft Exchange as it has the potential to have shared contact lists, shared calendars, instant communication (the new talk feature), etc. Imagine also the possibility of Google allowing companies to skin their own GMail service — colors, layout, and even the logo could be customizable. Of course, even if Google allow this, ads will likely be delivered regardless.

Let's not get carried away! Companies aren't really going to be doing away with Exchange and migrating to Google Mail. This is not the Exchange Killer the anti-Microsoft forces have sought. This might be a fit for very small companies who currently use the mail services provided by their ISP or webhost. Even then, you'd have to wonder about the wisdom of using a BETA service as your corporate email solution. I would also worry about Google's propensity for serving ads based on the text in the message.

You may have noticed, if you have auto-updates turned on, that Adobe Reader/Acrobat 7.0.7 is out.
Adobe lists some unnamed security fixes and some new features. The patching merry-go-round never ends.

Just about the time we finish the last round of Java patches, a new version is available from Sun. It seems Security Vulnerabilities in the Java Runtime Environment may Allow an Untrusted Applet to Elevate its Privileges.

Sun recommends removing vulnerable versions. What this means is that you can look in Add/Remove Programs at your Java versions there. Then take a look in the Control Panel in the Java applet there (on the Java tab, select View). You can also run java -fullversion at the command prompt, although for me that just gave me the latest version.

There are three flavors:
JDK and JRE 5.0
SDK and JRE 1.4.2
SDK and JRE 1.3.1

What I would do is update each version to its latest release and make sure that no earlier build of that version still exists on your computer.
If you have Java Runtime Environment 5.0 Update 4, update that to Update 6 or whatever the latest version is,
from here: http://java.sun.com/j2se/1.5.0/download.jsp

Same with 1.4.2, get that here: http://java.sun.com/j2se/1.4.2/download.html

The latest 1.3.x is here: http://java.sun.com/j2se/1.3/download.html

Make sure you uninstall the earlier versions. Installing a new version will leave you with both installed. Also, you want the Java Runtime Environment, not the SDK (Software Development Kit). The website is sort of confusing.
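An added PowerShell example (not code from the blog or from Sun) that does the "look in Add/Remove Programs" step above for you: it reads the installed-programs registry keys, groups Java installs by major version, and flags any build older than the newest one installed for that version. The DisplayName filter, the version-grouping rule, and the function names are my own assumptions.

```powershell
# Added example: list Java installs from the Add/Remove Programs (Uninstall)
# registry keys and flag older builds left behind after an update.
# Assumes Windows PowerShell; the "Java|J2SE" name filter and grouping by the
# first two version components are assumptions, not anything Sun documents.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 64-bit only
)

function Get-JavaInstalls {
    # Returns one object per Java entry: DisplayName, Version ([version]), Major, IsSDK.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE' -and $_.DisplayVersion } |
        ForEach-Object {
            # DisplayVersion looks like "1.4.2_10" or "1.5.0.60"; turn "_" into "."
            # and skip entries whose version string does not parse.
            $v = $null
            if (-not [version]::TryParse(($_.DisplayVersion -replace '_', '.'), [ref]$v)) { return }
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Version     = $v
                Major       = "$($v.Major).$($v.Minor)"   # 1.3, 1.4, 1.5 (Java 5.0 is 1.5.x)
                IsSDK       = [bool]($_.DisplayName -match 'SDK|Development Kit|JDK')
            }
        }
}

function Get-StaleJavaInstalls {
    # Within each major version keep only the newest build; the rest should be uninstalled.
    Get-JavaInstalls | Group-Object Major | ForEach-Object {
        $newest = ($_.Group | Sort-Object Version -Descending | Select-Object -First 1).Version
        $_.Group | Where-Object { $_.Version -lt $newest }
    }
}

Get-JavaInstalls | Format-Table DisplayName, Version, IsSDK -AutoSize
$stale = @(Get-StaleJavaInstalls)
if ($stale.Count -eq 0) {
    Write-Output 'No older builds left behind.'
} else {
    Write-Output 'Older builds still installed (remove them via Add/Remove Programs):'
    $stale | Format-Table DisplayName, Version -AutoSize
}
```

The IsSDK column helps spot development kits installed where only the runtime was wanted, which the post notes is easy to do from Sun's download pages.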