General: April 2006 Archives

Occasionally, I just post things so I can find them again later. This is one of those things.

How do you test HIPS products?

"tool which can help you to understand how your Windows HIPS (or personal firewall, or advanced anti-virus) works."

slipfest.cr0.org/

Cansecwest slides:

slipfest.cr0.org/jt-csw2006-slipfest.pdf

FCM reports that Congressman Tom Davis of Northern Virginia predicted a "cyber Pearl Harbor" in a future attack on the federal government. He said that such an attack could cause deaths or financial breakdown.

“FISMA is still viewed by some federal agencies as a paperwork exercise,” Davis said at a congressional hearing in March, when the committee released the grades. “But these are shortsighted observations.”

His goal in propping up FISMA is laudable. Computer security in the Federal government is lacking. However, Tom should really think twice about patterning his public speech after Richard Clarke and Chuck Schumer. Is it leadership to say these things? Or is it just a quick way to get public attention?

I've commented before that I think Redmond Magazine is too anti-Microsoft for my tastes. Perhaps I'm just bitter over the demise of MCP Magazine. Or perhaps I drink the Microsoft Kool-Aid daily. So I've ignored the renewal notices from Redmond Mag. When they have called me at the office to do the renewal over the phone, I've declined and said "please let my subscription expire."

These people don't get the message.

They called for the third time today. I decided that perhaps it would be easier to verify my info and continue to receive the magazine. The young woman sounded like she spoke English as a U.S. citizen would, but she didn't know what "VA" meant as a state abbreviation. She could not pronounce "Orchard," which is all too common. She asked me what day I was born and then offered 1-30 as possible examples. It was a serious butchering of my name and all of my contact information. What was really odd was asking me to spell things that had to have been on the sheet in front of her.

It was very odd. I just can't escape Redmond Magazine.

This week we had an object lesson in tech media bias. When Firefox has a boatload of security patches, they are making their browser more secure than ever in a special new release. When Microsoft releases a boatload of patches for Internet Explorer, it's a security disaster for a troubled product.

Check out George Ou's comments over at ZDNet.
http://blogs.zdnet.com/Ou/?p=192

We've been having some trouble with InfoExpress CyberArmor. It started last December when, against my better judgment, I deployed a "fix" for CyberArmor that was supposed to resolve a bad interaction with PGP on Windows XP that would cause every application to crash.

For a while all seemed fine. But slowly I began to receive reports of application errors on systems without the PGP fix. Soon, I experienced the problem on my own computer, a dual-core Dell GX620 tower. I've had this sort of experience before, where the problem can be traced to a conflicting application. So, working with support, I spent three solid days uninstalling application after application. The problem continued to occur. Every single application crashed. I tried disabling Windows Data Execution Prevention. Nothing worked.

I took the same computer and loaded our leasing company's ghost image (we don't normally use this). It had no problems. I followed our ghost load creation checklist and installed everything (including drivers) that would normally go on a computer. It didn't have a problem. Next I restored our original ghost image that does have the problem and used msconfig to prevent everything from loading. It still had the problem. I was at the end of my rope. I found that if I went into pcarm.ini and disabled the PGP fix, everything worked fine.

I would really like to find out specifically which application is conflicting, but I've already spent a lot of time on this. I think I'm going to disable the PGP fix, since only 5 users actually have PGP installed.

In a recent email from Kaspersky, the newsletter writer said it takes too long to patch.

The study shows that 19% of companies take more than a week to patch vulnerabilities, while 27% take at least two days. Overall, nearly half of those questioned claimed their computer systems were never completely protected. Interestingly, there was considerable variation in response speed between countries. France was the slowest, with 66% taking at least two days to patch, while only 22% took that long in Spain.

I don't know about anyone else, but I'd throw a freakin' party if I got my company patched in two days. Try two months. Even then, we're talking about the Microsoft operating system only, not the frequent patches for both supported and unsupported applications: Winamp, Flash, Firefox, Java, RealPlayer, Adobe, WinZip and Office.

Upset about not getting patched routinely within two days of the patch being released? I can't even imagine.

M. W. Meyer and Eric Sager write in the April 2006 issue of Information Security Magazine (free subscription required) about the Maginot Network, comparing our current network firewall defenses to the Maginot Line of defense built by the French. Sure, it's fortified, but you can just drive around it and attack the soft inside.

The authors advise hardening the endpoints first and using perimeter security as a secondary tactic. Instead of a self-defending network, we need self-defending clients. They argue that the primary means of protection should be HIPS, client firewalls, encryption, forensic agents and client hardening. There is a need for communication between your devices in case of attack.

A recent Information Week article reports that compliance drives I.T. spending, not the threat of malware. What causes this?

Perhaps it's that criminal and civil penalties grab the attention of the head of the company more than pleas from the I.T. department.

Perhaps it's that, in order to be compliant, expensive audits are often required that set the I.T. budget on its ear.

Perhaps the new regulations require a more holistic view of the business and security that is more meaningful, whereas the threat of security intrusions (and actual security intrusions) is treated on more of a case-by-case basis. The solution for malware is seen as technology, thus it's an I.T. department problem. Compliance, on the other hand, is a full-company need, leading to more money.

This week I keep seeing reports in the media that IMlogic 8 is out. Yet when I log into my IM Manager download site, I don't see any new versions. Oh well, I'm pretty busy and don't know what I'm missing anyway. Actually, since I use Sybari with their product, I would need to wait for a Sybari green light that they will support the newer version.

[update] I found another article that says it is "slated for release before the end of the month." Not sure why the hoopla now... I have seen version 8 articles in the tech support knowledge base for a couple of weeks now, so I've known this is coming. The article goes on to mention support for Google Talk.

A statue memorializing Rick Rescorla was unveiled at Fort Benning, GA. 500 were in attendance. We will never forget you, Rick.

You know you're in trouble when your binary analysis project resource page includes links to Linux Intel assembly language info. I was sort of hoping to drop these binaries into a VMware VM and use Netmon, Filemon and Regmon to figure out what the files were. Apparently I'm out of luck on that. This is going to be harder than I hoped.