General: July 2006 Archives
Johannes Ullrich has a piece in the SANS Internet Storm Center Diary that I'm sure will provoke much discussion. In "Out-Share or Die", Ullrich posits that information security professionals must learn to collaborate and share information in order to protect their environments from attackers. There are many parts of this article, some I agree with and some I don't. In this post I comment on a single sentence that sparked some thought.
Ullrich quotes Clausewitz's "On War": "Defense is the stronger form of waging war". Not having read Clausewitz, I have no idea whether this is in context or not. But I can ask: is this truly analogous to information security? A war can be prevented by having a strong military and a demonstrated willingness to use it. How does that translate to information security? The Cold War was won with the peace-through-strength plan implemented by Ronald Reagan. The missile race produced the concept of mutually assured destruction. How does that translate to information security? Intrusion detection systems, firewalls and anti-virus do not strike fear in the hearts of hackers the way the Strategic Defense Initiative struck fear in the hearts of America's enemies.
Ignoring the thrill-seekers, today's computer attackers are more like the Russian Mafia. (Wait, in many cases today's attackers are the Russian Mafia.) They are like terrorists: they have the time and resources to keep prodding until they find an opening. They only have to win once; the defense has to win every time. A strong defense deters rational people who are afraid of reprisal. In the world of computer attacks a strong defense is necessary, but bringing these people to justice will do more to deter them. That role belongs to law enforcement, and potentially to the military if it can be proved that a nation-state initiated a computer attack on our interests.
I went to a seminar put on by Third Brigade on Thursday. It was a good summary of the need for HIPS (host-based intrusion prevention software). I also got some hands-on lab time with their product.
I agree with them that their product is lightweight and takes less time to deploy than other products like CSA or McAfee HIPS. I am concerned about whether it will work in our environment. Or I should say, in a heterogeneous environment where everyone is a local admin, I wonder if any HIPS works. Our users already don't like the limited changes they are allowed by the current personal firewall. This product won't allow them to whitelist anything in the packet filter, but still allows them to disable it completely. And of course, ultimately I want a HIPS product to protect against zero-day attacks. It is my opinion that this product can't do that. I expect to be doing an eval install in a couple of months, so that is something I'll be verifying.
HIPS products have a high pain potential, and are thus likely to turn into shelfware. That is something I don't think would happen with the Third Brigade product. I think this product would improve our level of protection and give us much greater reporting than what we see now.
I was checking out the University of Fairfax website again tonight to see if they've received any accreditation that would make it more likely that my company would pay for the courses.
I thought it was kind of funny that an information security program isn't using SSL to protect the username and password when logging into webmail or the online classroom.
I've been considering purchasing a Cisco 871 router for a while. It looks like it has the ability to terminate inbound VPNs and also do IDS. Cost has been the main thing holding me back. The second consideration is that I have a wireless mesh implemented using Linksys hardware and third-party firmware. I'm not sure how this router would fit in. Recently, I've been thinking about setting up a system to run Snort and placing it on a hub between the cable modem and my router. By doing that I gain the IDS fun that I want, and don't have to worry about screwing up my existing router implementation.
George Ou blogged about the 871 today. I didn't see too much of interest in what he wrote today, but I'd like to see his future articles as he writes more about its general use and less about its feature list.
I think the 871 is a good SOHO device for when a "hacked" Linksys would not be acceptable.
Web application scanning is a subject that I know little about. In a recent audit, I was asked if we used any tools for that, but it's not something we have addressed. It looks like this topic is going to get broader press coverage due to a presentation at this summer's Black Hat conference on the use of JavaScript and XSS to compromise intranets.
The presentation's author is the founder of WhiteHat Security. I found it kind of funny that they sell a website scanning service along with an appliance for scanning your intranet, yet on the same website there is a copy of a previous Black Hat presentation they gave in 2004 that seems to argue that humans are needed to properly evaluate web application vulnerabilities. I'll have to keep reading on the website to find out what has changed.
There is a denial of service vulnerability in Norton Personal Firewall 2006, and potentially earlier versions. The system may crash due to the exploitation of this vulnerability. Exploit code is available.
--Source
Rod asks,
What are you all using for security vulnerability remediation and tracking? Posts in the security community over the last few weeks have highlighted that eEye's Retina product may not be as automated as larger companies need. What's your experience?
I haven't used eEye's vulnerability scanner, so I can't really comment on that.
I use Qualys as my vulnerability scanner. An appliance is used to scan internal systems; external systems are scanned from the Qualys servers. I like the customizable reports and the remediation ticketing system. As I've mentioned, I've had some issues with false positives, and they aren't always the fastest at getting those worked out.
We have an auditor on site verifying our Site Security Plan; they are using Harris STAT. I had a week to scan machines using their account. STAT also had its share of false positives. I did not work with STAT support to resolve those, so I don't know how their support is. The reporting was not as flexible as Qualys. It's not a bad software package, but I don't see why the government is so in love with it.
One of the key things I like about Qualys is the ability to schedule and forget. It will always have the current signatures. Ease of use is very important. Automatic updates, scheduled scans, and flexible reporting are key. Vulnerability scanners are designed to tell you about known vulnerabilities, typically ones for which a patch is already available. If no one is responding to the reports, it's just a waste of money.
According to a WebEx security advisory, "A vulnerability within the WebEx Downloader plug-in can result in arbitrary components being delivered from unauthorized sources."
The next time you use WebEx, you'll receive an updated control to fix this vulnerability. If you don't want to wait until then to be patched, there is a download link in the security bulletin.
As I patch Flash on a variety of computers, an event that seems to be more and more common, sometimes I want to double-check that I've been successful. Looking for flash9.ocx in %windir%\system32\macromed\flash is one way, but who knows for sure if that is accurate. Looking at the version of getflash.exe in the same directory is also useful, but again, Flash is doing some weird stuff, and I still see flash.ocx, flash8.ocx and flash8b.ocx in that directory.
I found one way to get some assurance. Adobe has a page at http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_15507 that identifies what version of Flash is running in your browser. The latest version of Flash at the time of this post is 9.0.16.0. When you go there, make sure to check each browser on your computer: the ActiveX control used by Internet Explorer and the plug-in used by other browsers are separate installs, so one can be current while the other is not.
If you're having a hard time upgrading to 9, make sure you close all browser windows after installing the newer version of Flash. Otherwise the currently loaded version of Flash will not exit. If that fails, perhaps running the uninstaller for 8 first will help.
I do worry about the leftover flash8.ocx and flash8b.ocx files. What if it's like Sun Java, where a previous vulnerable version is still around and can be requested by an attacker? Should I be deleting the earlier versions from my computer as a standard practice?
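The script below is an added example of the check I actually want here (my code, not the post's and not Adobe's). It assumes the Flash ActiveX control is registered under the Shockwave Flash CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000}, reads each .ocx's FileVersion through the Win32 version API, and takes 9.0.16.0 from the post as the expected version. Internet Explorer instantiates whatever file that CLSID's InprocServer32 value points to, so the registered file is the live control and the other .ocx files are leftovers that nothing in the registry references; the script reports both so you can decide whether to delete them. It covers only the ActiveX control, not the plug-in used by other browsers.

```python
"""Audit the Flash ActiveX install on a Windows host (added example).

Assumptions (not from the original post): the live control is whatever the
Shockwave Flash CLSID's InprocServer32 value points at, versions are read with
the Win32 version API via ctypes, and 9.0.16.0 is the expected current version.
The audit() logic is pure Python and can be exercised off Windows.
"""
import ctypes
import os
import sys

FLASH_CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"   # Shockwave Flash Object
FLASH_DIR = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                         "System32", "Macromed", "Flash")
EXPECTED = "9.0.16.0"                                     # from the post


def parse_version(text):
    """'9.0.16.0' -> (9, 0, 16, 0); missing or non-numeric parts count as 0."""
    parts = []
    for p in text.replace(",", ".").split("."):
        p = p.strip()
        parts.append(int(p) if p.isdigit() else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def file_version(path):
    """FileVersion of a PE file as 'a.b.c.d' read from its VS_FIXEDFILEINFO.
    Windows only: GetFileVersionInfoSizeW / GetFileVersionInfoW / VerQueryValueW."""
    from ctypes import wintypes
    ver = ctypes.WinDLL("version")
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None                      # no version resource at all
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        return None
    ptr = ctypes.c_void_p()
    length = wintypes.UINT()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length)):
        return None
    # VS_FIXEDFILEINFO: dwFileVersionMS and dwFileVersionLS are the 3rd and 4th DWORDs
    fixed = ctypes.cast(ptr, ctypes.POINTER(wintypes.DWORD * 4)).contents
    ms, ls = fixed[2], fixed[3]
    return "%d.%d.%d.%d" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def registered_ocx():
    """Path IE will load for the Flash CLSID (InprocServer32 default value). Windows only."""
    import winreg
    key = r"CLSID\%s\InprocServer32" % FLASH_CLSID
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key) as k:
            return winreg.QueryValue(k, None)
    except OSError:
        return None


def audit(files, registered, expected=EXPECTED):
    """files: {path: version-or-None}; registered: path from the registry.
    Reports the live control's version, whether it meets `expected`, and the
    leftover .ocx files that no CLSID points at."""
    live = os.path.normcase(registered) if registered else None
    report = {"registered": registered, "live_version": None,
              "up_to_date": False, "leftovers": [], "unreadable": []}
    for path, ver in files.items():
        if ver is None:
            report["unreadable"].append(path)
        elif os.path.normcase(path) == live:
            report["live_version"] = ver
            report["up_to_date"] = parse_version(ver) >= parse_version(expected)
        else:
            report["leftovers"].append((path, ver))
    report["leftovers"].sort()
    return report


def main():
    if sys.platform != "win32":
        sys.exit("this audit reads the Windows registry and PE version resources")
    files = {}
    for name in os.listdir(FLASH_DIR):
        if name.lower().endswith(".ocx"):
            path = os.path.join(FLASH_DIR, name)
            files[path] = file_version(path)
    rep = audit(files, registered_ocx())
    print("registered control:", rep["registered"], rep["live_version"],
          "(up to date)" if rep["up_to_date"] else "(OLDER than %s)" % EXPECTED)
    for path, ver in rep["leftovers"]:
        print("leftover, not registered:", path, ver)
    for path in rep["unreadable"]:
        print("no version resource:", path)


if __name__ == "__main__":
    main()
```

Run it as an administrator-equivalent user after patching; a registered control older than 9.0.16.0 means the upgrade did not actually take (typically because a browser still had the old control loaded), and any leftover entries are the flash8.ocx-style files worth removing once you are satisfied nothing else needs them.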
In our Lotus Notes R5 implementation the Internet password is unsalted. That is to say, when the word "password" is hashed it always returns the same answer (beginning with 355), for every user who chose it. In Lotus the password hash is revealed to the public via LDAP, via the Notes client viewing the names.nsf database, or by viewing the names.nsf database through a web browser. Because the same password always yields the same hash, anyone who can read the hashes can hash a list of common passwords once and match it against every user at once, and can see immediately which users share a password. It would be possible to determine the user passwords. Access to databases such as names.nsf should be restricted where possible.
Fortunately, beginning in R5 it is possible to salt the hash. A password salt is a per-user random value combined with the original password before hashing, so that a given password will not always have the same stored hash. This provides added security and helps to prevent password cracking: precomputed tables no longer apply, identical passwords no longer produce identical hashes, and each user's hash has to be attacked separately. It does not make a weak password strong; a hash can still be guessed on its own.
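As an added example (mine, not Lotus code and not the Notes Internet-password algorithm), the script below uses SHA-256 as a stand-in hash to show the difference described above: against an unsalted directory one precomputed table cracks every user in one pass and exposes shared passwords before any cracking; against a salted directory the attacker has to redo the work per user. The user list and the word list are constructed for the demonstration.

```python
"""Unsalted vs salted password hashes: an added example, not Lotus Notes code.

SHA-256 from hashlib stands in for the Notes Internet-password hash; the
directory of users and the word list are constructed for the demonstration.
"""
import hashlib
import os

# Constructed sample data: two users share a password, one has a strong one.
USERS = {"alice": "password", "bob": "password",
         "carol": "summer06", "dave": "Tr0ub4dor&3"}
WORDLIST = ["password", "letmein", "summer06", "notes", "welcome1"]


def unsalted(password):
    """Same password -> same hash, for every user, forever."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted(password, salt=None):
    """Return (salt, hash). The random salt is stored beside the hash in clear."""
    if salt is None:
        salt = os.urandom(8)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def verify_salted(password, salt, stored):
    return salted(password, salt)[1] == stored


def build_directories(users=USERS):
    """The same users stored the unsalted way and the salted way."""
    unsalted_dir = {u: unsalted(p) for u, p in users.items()}
    salted_dir = {u: salted(p) for u, p in users.items()}
    return unsalted_dir, salted_dir


def crack_unsalted(directory, wordlist):
    """One table of len(wordlist) hashes, computed once, cracks every user
    and can be reused against any other unsalted directory."""
    table = {unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in directory.items() if h in table}


def crack_salted(directory, wordlist):
    """Nothing precomputed carries over: each user costs up to len(wordlist)
    hashes. Returns (found, number_of_hashes_computed)."""
    found, work = {}, 0
    for user, (salt, h) in directory.items():
        for w in wordlist:
            work += 1
            if salted(w, salt)[1] == h:
                found[user] = w
                break
    return found, work


def demo():
    udir, sdir = build_directories()
    shared = udir["alice"] == udir["bob"]          # visible with zero cracking effort
    cracked_u = crack_unsalted(udir, WORDLIST)
    cracked_s, work = crack_salted(sdir, WORDLIST)
    return shared, cracked_u, cracked_s, work


if __name__ == "__main__":
    shared, cracked_u, cracked_s, work = demo()
    print("alice and bob visibly share a password (unsalted):", shared)
    print("unsalted directory, %d hashes computed:" % len(WORDLIST), cracked_u)
    print("salted directory, %d hashes computed:" % work, cracked_s)
```

Note what salting does and does not buy: dave's password survives both attacks and the three weak passwords fall to both, but the unsalted directory gave up all three for five hash computations (and would give them up again for the next directory at no cost), while the salted one forced ten and would force a fresh pass for every additional user. Restricting read access to names.nsf remains the control that keeps the hashes out of an attacker's hands in the first place.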
Earlier this month, I noted that a new Flash version 9 was available. Today I see that this new version fixes a vulnerability in 8.0.24.0 that could result in the execution of an attacker's commands. Fortinet published this on July 5th, and I found it through Brian Krebs's blog at the Post.
The IP address of the anonymous coward who trashed my blog entry on Qualys false positives is assigned to Conxion in Palo Alto, California. This is a mere 12.5 miles from Qualys headquarters in Redwood City, California.
Of course, millions of people live in the Frisco Bay Area, so it could be a coincidence.
Adobe Flash version 9.0.16.0 is out. Release notes are here. Currently, I don't see a security reason to update.
Flash has had a lot of vulnerabilities in the past nine months. I hope this major new version marks a re-examination of the code with security in mind. Unfortunately, it's more likely they've opened up new avenues for flaws.
AVERT Lab blogs on password policy
Wait until someone at McAfee reminds him it's bad form to talk about how you choose your passwords. Reminds me of the time at work a guy said he chose his passwords based on where he had been posted in the military. From there it was short work to figure out his passwords.
I'm not reading that article all that carefully, so perhaps I'm misunderstanding. I think it's bad form to use a pattern of consecutive keys on the keyboard as your password. It's a short step from the good old password "qwertyui". Further, you are reducing the effective keyspace: an attacker who knows the pattern only has to try the keyboard walks of that length, not every possible string.



