General: August 2006 Archives
There is some interesting info in the latest updates to the ISC diary entry on Sun Java.
In the original entry the writer notes that the latest version of Sun Java attempts to solve a long-standing problem: installing an updated JRE does not remove the earlier versions, and a web page can specifically request one of those earlier versions. That's right, it's like installing a patch but letting the bad guy ignore it if they choose to. The problem is old, but Sun is now addressing it by having the latest version of Java prompt the user when a page requests an older, potentially vulnerable version.
So why not just remove the earlier vulnerable version, you might ask? Many web applications specifically require an old version of Java, so you can't uninstall the vulnerable version if you want to keep using that site. You are forced to wait for the original developer to provide an update. Ciscoworks VMS is one example of such a site.
So here is what is new: a reader of the ISC wrote in to suggest that you create a CLSID registry entry that points requests for the older vulnerable version at the newer version (stay within the same 1.4.2 or 1.5 family). It may not work for every site, but it's worth a shot. I thought that was the best tip so far on the ISC site this month, and it wasn't even part of their tip-of-the-day segment. :)
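Before registering any redirect, it helps to know which of your own pages pin a JRE version and which would pick up the latest one anyway. Here is an added example (mine, not from the ISC diary or the reader who sent the tip) that scans HTML for Java Plug-in requests and tells pinned ("static") requests from dynamic and family ones. The classid layout it decodes is the one Sun documents for the plug-in's OBJECT tag (8AD9C840-044E-11D1-B3E9-00805F499D93 for "any installed JRE", and CAFEEFAC-... encoding a pinned 1.M.x_uu release, with FFFF in the third block meaning the newest release of that 1.M.x line); the sample page is constructed, and the exact keys to register in HKEY_CLASSES_ROOT are something to confirm against what the JRE installer actually created on your machine.

```python
import re
from html.parser import HTMLParser

# Classid layout of Sun's Java Plug-in as documented for the OBJECT tag
# (verify against HKEY_CLASSES_ROOT\CLSID on a box with the JRE installed):
#   8AD9C840-044E-11D1-B3E9-00805F499D93   dynamic: whatever JRE is installed
#   CAFEEFAC-00Mx-00yy-00uu-ABCDEFFEDCBA   static:  pinned to exactly 1.M.y_uu
#   CAFEEFAC-00Mx-00yy-FFFF-ABCDEFFEDCBA   family:  newest installed 1.M.y
DYNAMIC_CLSID = "8AD9C840-044E-11D1-B3E9-00805F499D93"
STATIC_CLSID_RE = re.compile(
    r"^CAFEEFAC-00(\d)(\d)-(\d{4})-(\d{4}|FFFF)-ABCDEFFEDCBA$", re.IGNORECASE)
# EMBED form pins a release through the MIME type, e.g.
#   type="application/x-java-applet;jpi-version=1.5.0_06"
JPI_VERSION_RE = re.compile(r"jpi-version=(\d+\.\d+\.\d+(?:_\d+)?)", re.IGNORECASE)


def _strip_prefix(clsid):
    clsid = clsid.strip().upper()
    return clsid[6:] if clsid.startswith("CLSID:") else clsid


def classify_clsid(clsid):
    """Return (kind, version) for a classid attribute: 'dynamic', 'family',
    'static', or (None, None) when the classid is not the Java Plug-in."""
    clsid = _strip_prefix(clsid)
    if clsid == DYNAMIC_CLSID:
        return "dynamic", None
    m = STATIC_CLSID_RE.match(clsid)
    if not m:
        return None, None
    major, minor, maint, update = m.groups()
    line = f"{major}.{minor}.{int(maint)}"
    if update.upper() == "FFFF":
        return "family", line
    return "static", f"{line}_{int(update):02d}"


def family_clsid(clsid):
    """For a pinned (static) Java classid, the family classid of the same
    1.M.y line: the natural target if you follow the ISC reader's tip and
    point the pinned request at the newest patched release of that line."""
    m = STATIC_CLSID_RE.match(_strip_prefix(clsid))
    if not m or m.group(4).upper() == "FFFF":
        return None
    major, minor, maint, _ = m.groups()
    return f"CAFEEFAC-00{major}{minor}-{maint}-FFFF-ABCDEFFEDCBA"


class JavaRequestScanner(HTMLParser):
    """Collects (tag, kind, version) for every Java Plug-in request on a page."""

    def __init__(self):
        super().__init__()
        self.requests = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # html.parser lower-cases names
        if tag == "object" and a.get("classid"):
            kind, version = classify_clsid(a["classid"])
            if kind:
                self.requests.append(("object", kind, version))
        elif tag == "embed" and a.get("type", "").lower().startswith("application/x-java-applet"):
            m = JPI_VERSION_RE.search(a["type"])
            if m is None:                       # no jpi-version: takes any JRE
                self.requests.append(("embed", "dynamic", None))
            else:                               # an update number means pinned
                kind = "static" if "_" in m.group(1) else "family"
                self.requests.append(("embed", kind, m.group(1)))


def scan_html(html):
    scanner = JavaRequestScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.requests


# Constructed sample page: an internal app pinned to 1.4.2_06, a page that
# accepts any installed JRE, and an EMBED pinned to 1.5.0_06.
SAMPLE_PAGE = """<html><body>
<object classid="clsid:CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA" width="400" height="300">
  <param name="code" value="ReportViewer.class">
</object>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1"></object>
<embed type="application/x-java-applet;jpi-version=1.5.0_06" code="Status.class" width="200" height="40">
</body></html>"""

if __name__ == "__main__":
    for tag, kind, version in scan_html(SAMPLE_PAGE):
        print(f"{tag:7} {kind:8} {version or '-'}")
    print("redirect target:", family_clsid("clsid:CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA"))
```

Run it over a saved copy of each intranet application's launch page; anything that comes back "static" is a page that will keep asking for the old release no matter how many JRE updates you install, and the family classid it prints is the candidate redirect to try first.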
As I was getting ready to leave for work this morning, I got a voicemail message from my manager indicating our corporate headquarters is closing today at 8:30 am due to an A/C failure and that I should work from home.
Normally, this wouldn't be a problem. However, yesterday I left work at 9:15 pm and didn't bring my laptop or my computer glasses home. I figured I wasn't going to do any more work that evening, so why bother. We're supposed to bring the laptop home every day for disaster recovery purposes.
Here's an interesting article on VM Sprawl.
Companies implement virtual machines but soon find that, without the restraint of hardware cost, the number of virtual servers skyrockets. Each one still needs to be managed, patched and in some cases licensed.
George Ou writes on the campaign Apple Computer and their Kool-Aid-drinking drones have been mounting against the security researchers who demonstrated a wireless driver exploit at Black Hat.
I find the entire thing disgusting. Why does computing feel more like politics?
Today's SANS NewsBites email has a blurb on the Department of Transportation laptop that went missing while holding data on 133,000 Floridians. Apparently the data was originally encrypted; then later it wasn't.
John Pescatore of Gartner comments, "Who knows what really went on, but rushing out encryption of stored data without thinking through all the issues (like indexing and archiving, just to name two common problems) often results in self inflicted wounds or the encryption being disabled."
That sounds familiar. Since OMB M-06-16 required encryption, many government agencies have been running around implementing ill-considered encryption plans.
I have been trying to hold off this groundswell for encryption until we can implement it correctly using a Certificate Authority. Now suddenly we've uncovered a major problem. The backup software only allows you to restore encrypted files to yourself. If you lose your computer, and get the administrator to restore the files to a new computer, the backup software will not allow restoration of encrypted files. This is a huge problem. You can protect your important data with encryption, but don't plan on getting it back in case of disaster. We're pressuring the vendor to change this behavior.
Regular readers might recall last month we finally disabled storage of the lanman hash in our Windows domain. It was about time, too.
This week, I ran SAMInside and found that I couldn't crack any passwords for accounts where only the ntlm hash was stored. Dictionary attacks and brute force take a lot longer than rainbow tables. That wasn't the shoe that dropped though, that was expected and good.
I heard that our Accounts Payable check-cutting computer is running Windows 95. After we disabled the LanMan hash storage and they changed their password, suddenly these users weren't able to log into the domain at this computer. (Windows 9x can only authenticate to the domain with the LM response unless the Active Directory Client Extensions, DSClient, are installed; once the domain stops storing LM hashes there is nothing for the DC to check that response against, so the logon fails.) I of course thought that was pretty freaking hilarious. I have a feeling, though, that it will make it harder for us to get approval to push through other security tweaks.
I'm glad it broke the computer. Now we know that something critical is relying on Windows 95 and we can rectify the situation. Sure it caused some people to run around like chickens with their heads cut off, but in the long run things will be better off.
I just saw that one of my former classmates has taken up blogging since we graduated with our master's degree in Information Security. The address is here. I hassled him into getting the RSS feed link onto the main page, because that's how I follow all these sites.
As part of its August "advice-a-day" series, ISC offered some tips on surviving the monthly patch releases. The advice is somewhat contradictory, but at least for once they present a spectrum of suggestions for dealing with a problem rather than pretending there is only one way.
- Patch now: if there is any pain from patching, it will be less than the pain of getting hit by a virus before you get patched.
- Deploy to a representative group, monitor, then deploy to the wider group. But the total time frame still needs to be quick.
- Patch critical services first, and laptops, which are more exposed.
- Deploy to a representative group, monitor, then deploy to the wider group, taking 4-6 weeks to get it done.
It seems like their advice is lacking in preventive steps. I suppose steps such as "use a personal firewall" or "log in as a limited-rights user" only work for specific types of attack. Seriously, the best way to address the patch cycle isn't to run faster; it's to get off the exercise wheel altogether. Virtual patching may be the answer: you use a HIPS product to keep the client from being exploitable in the first place. Keep in mind that this shields the vulnerable code from the exploit rather than removing the bug, so the real patch still has to land eventually, just on your schedule instead of the attacker's. Products like CSA, McAfee HIPS, ISS, and Third Brigade should be closely examined. I'd be interested in hearing from anyone with one of these products. Do you agree that the need to patch is less once HIPS is deployed? Or have you found that not to be the case?
Here's a link to a CSO article from last year providing some information security metrics. Good stuff.
By now you've read about the vulnerability in the Intel wireless drivers. If you haven't, make sure you read this, and then check with your vendor for their version of the Intel update.
What I found funny was that Johnny Cache, who presented a similar (or the same) vulnerability on a MacBook, is quoted as saying,
The likelihood that you'll encounter this particular exploit is small. "You have to have some economic gain," said Cache in an interview after the event. Right now, there's little gain in hacking into an individual laptop at short range.
There are just so many things wrong with that statement. I wonder if he would have said the same about the Symbian OS phone attacks, or Bluetooth address book harvesting. Short-range attacks are fairly likely to be attempted at conferences, airports, and other large gatherings of geeks. Has he forgotten so quickly that some attacks are done just because they can be done? Money doesn't have to be the prime motivating factor. Of course, I can think of many examples where money could be gained by using this exploit. It's a new spin on war driving: war automated hacking! Or worse yet, it's industrial espionage. You roll up in my parking lot and install a bot through this Wi-Fi driver attack. You're now a privileged computer on my network.
I think this weekend I'm going to go watch the video of the hack (I think Sunbelt has it linked), and then check on the Dell and Toshiba driver situations. I think my tablet is using a vulnerable wireless driver.