General: October 2006 Archives

Some banks and kiosks have used on-screen keyboards in an effort to thwart keystroke loggers. Apparently the bad guys have caught on to that. There is an article on this here, and video posted here. When you connect to a bank site in the list of targeted sites, the malware will take a screenshot at every mouse click. The image will include a mark on the screen where you clicked.

This evening, I'm working on creating a Windows XP SP2 hardening guide based on NIST document 800-68. In the document NIST suggests enabling SafeDllSearchMode. From reading Protect Your Windows Network by Jesper Johansson and Steve Riley I know that SafeDllSearchMode is turned on by default in Windows XP Service Pack 1 and higher.

I suppose they could be saying that creating the registry key and making sure it remains equal to 1 is easier than making sure it never gets created equal to zero. Hardening is more than just applying settings once; you need to make sure they remain set that way.

The way it comes across is they weren't aware of the default value.
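To show why the setting matters, here is an added example (my code, not from the post, NIST 800-68 or the book) that models the documented DLL search order with SafeDllSearchMode on versus off, simplified to ignore KnownDLLs, side-by-side manifests and already-loaded modules, and interprets the registry value the way XP SP1+ does (absent means on). The directory names and `helper.dll` are constructed.

```python
import sys

def dll_search_order(safe_mode, app_dir, cwd, windows_dir=r"C:\Windows", path_dirs=()):
    """Documented Windows search order for a DLL not already loaded and not a KnownDLL.
    With SafeDllSearchMode on, the current working directory drops below the system dirs."""
    system32 = windows_dir + r"\System32"
    system16 = windows_dir + r"\System"
    if safe_mode:
        order = [app_dir, system32, system16, windows_dir, cwd]
    else:
        order = [app_dir, cwd, system32, system16, windows_dir]
    return order + list(path_dirs)

def resolve_dll(dll_name, safe_mode, app_dir, cwd, present, path_dirs=()):
    """Return the directory a DLL would be loaded from, or None if not found.
    `present` maps directory -> names of DLLs found there (constructed inventory)."""
    wanted = dll_name.lower()
    for d in dll_search_order(safe_mode, app_dir, cwd, path_dirs=path_dirs):
        if wanted in {n.lower() for n in present.get(d, ())}:
            return d
    return None

def safe_mode_from_registry_value(value):
    """Interpret the SafeDllSearchMode REG_DWORD: on XP SP1+ an absent value means the
    default, which is on; only an explicit 0 switches the safe order off."""
    return value is None or value != 0

def read_safe_dll_search_mode():
    """Read the live value (Windows only); None when the value does not exist."""
    if sys.platform != "win32":
        return None
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "SafeDllSearchMode")
            return value
        except FileNotFoundError:
            return None

# Constructed inventory: the same DLL name exists in System32 and in a download folder.
INVENTORY = {
    r"C:\Windows\System32": {"helper.dll"},
    r"C:\Users\u\Downloads": {"helper.dll"},
}
```

With `safe_mode=False` the copy in the working directory shadows the System32 copy; with it on, System32 wins, which is the hardening guide's point.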

On almost a yearly basis it seems like we have an audit for some reason. In each audit, the password policy has gotten flagged. We have a policy requiring Letters (uppers, lowers), numbers and special characters, 3 of the 4. We haven't implemented the requirement in account policy. So each audit, a report goes to the executives with this as a highlighted item, and each time, they reject implementing what has been a company policy since the beginning of the company.

So we have this long list of external auditors who have made this recommendation. But that's not good enough. The execs want it to be shown that it's "best practice". I guess someone is going to have to peer into the world of other companies our size and in our business and see what their password policy is. *sigh*
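An added example (my code, not from the post) of the "3 of 4 classes" rule described above as an audit function, so candidate passwords can be checked before the account policy is ever turned on. The eight-character minimum and the sample passwords are assumptions, not part of the company policy quoted here.

```python
import string

# The four character classes named in the policy: upper, lower, digits, specials.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def classes_present(password):
    """Return the set of policy classes that occur at least once in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}

def check_password(password, required_classes=3, min_length=8):
    """Return (ok, reasons). min_length is an assumed value, not from the policy."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    present = classes_present(password)
    if len(present) < required_classes:
        missing = sorted(set(CLASSES) - present)
        reasons.append(f"only {len(present)} of 4 classes used; missing: {', '.join(missing)}")
    return (not reasons, reasons)

def audit(candidates):
    """Run the check over candidate passwords; return the failures with their reasons."""
    failures = {}
    for pw in candidates:
        ok, reasons = check_password(pw)
        if not ok:
            failures[pw] = reasons
    return failures

# Constructed samples: one passes, three fail for different reasons.
SAMPLE_PASSWORDS = ["Summer2006", "password", "P@ss1", "correct-horse-battery"]
```

The built-in Windows "Password must meet complexity requirements" setting enforces a similar "3 of 5" rule, so enabling it in account policy would satisfy this check for the classes it shares.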

A SecurityFocus entry reports a remote buffer overflow vulnerability in Yahoo! Messenger Service 8 with Voice.

Use of a personal firewall will help protect against this sort of attack.

If you have access to ACM there is an article "Training students to administer and defend computer networks and systems" by Brett Tjaden and Brian Tjaden. It is about the 2005 version of the Secure Operations course I took last spring.

The point of the course is that most people managing systems are not prepared to defend networks and systems. In the course people have a server (windows or Linux) that they must defend 24/7 against the attacks of their classmates and the instructor. There are four stages to the course. Each stage involves planning, documentation and configuration. I "won" the 2006 version of this course by "owning" the most computers without being taken out myself.

I found this article on the bulletin board of Dr Tjaden's office. I kind of wonder how Secure Operations 2007 will operate if the new class reads this article and has a huge leg up on how to attack.

The Department of the Interior wants a new grading system. The Government as a whole got a D+ on their report card, so rather than improve they blame the grading policy and dismiss it as being check-box oriented.

Certainly, FISMA is a big paper chase, but at the end of the day security is improved and risks are accepted or mitigated if people take it seriously. The problem comes in when System Administrators bunker down to protect their turf and management goes to Tom Davis to get FISMA changed rather than focusing on improving the security program.

Agency CIO Tipton noted that his agency did not score well on the most recent report card but said Interior’s cybersecurity has never been stronger....“We look at FISMA and I noted that we fended off four billion probes, scans, attacks last year without any significant breaches."

You fended off four billion probes. That sounds awfully impressive to the casual listener. It sounds like a number a CIO would use if he were trying to prove that all that money spent on security is actually worth it. Does that number prove defense in depth or does it prove you have a firewall?

Of course it's not hard for the Department of the Interior's cybersecurity to have never been stronger. Look at 2004, when a judge forced them off the Internet for 4 months due to their Information Security bungling.

We received a notice from our email provider that the new default maximum message size will be 50 MB. The previous default was no published limit.

That reminded me of the Paris Hilton divx file story, but I see I already blogged about that in 2004.

We've had various mail size limits through the years. In 2002, I found the firewall admin had used the SMTP secure server to set the maximum size to 16 Mb.

Although the mail provider is changing the default, we are still free to set our own limit (even a ridiculously high limit). So we're taking a look at the email logs to see what has been sent lately. There is a report that a Lotus Notes administrator sent a 500 Mb file. Clearly a quota needs to be set to avoid denial of service attacks. However, we have a preference to keep the environment as open as possible. I'd suspect that a limit of 100 Mb will be set, maybe 50 Mb if I'm lucky.
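An added example (my code, not the provider's or the post's) of the log review described above: it parses message sizes out of mail log lines and reports how many messages would have been refused under the 50 MB default and the 100 MB limit being considered, plus who sends the oversized mail. The log format and all the lines are constructed, not any real product's format.

```python
import re
from collections import Counter

MB = 1024 * 1024

# Constructed sample lines in a generic key=value format; size is in bytes.
SAMPLE_LOG = """\
2006-10-19 09:12:03 from=alice@example.com to=bob@example.com size=2097152 status=sent
2006-10-19 09:40:41 from=carol@example.com to=dave@example.com size=50331648 status=sent
2006-10-19 10:05:17 from=erin@example.com to=frank@example.com size=78643200 status=sent
2006-10-19 11:30:55 from=notesadmin@example.com to=grace@example.com size=524288000 status=sent
2006-10-19 13:02:09 from=erin@example.com to=heidi@example.com size=125829120 status=sent
2006-10-19 13:05:00 malformed line with no size field
"""

LINE_RE = re.compile(r"from=(?P<sender>\S+)\s+to=\S+\s+size=(?P<size>\d+)")

def parse_log(text):
    """Yield (sender, size_in_bytes) for each parseable line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("sender"), int(m.group("size"))

def rejected_under_limits(text, limits_mb=(50, 100)):
    """For each candidate limit, count the messages that would have been refused."""
    sizes = [size for _, size in parse_log(text)]
    return {limit: sum(1 for s in sizes if s > limit * MB) for limit in limits_mb}

def top_senders_over(text, limit_mb, n=3):
    """Senders with the most messages above limit_mb, to talk to before setting a quota."""
    counts = Counter(sender for sender, size in parse_log(text) if size > limit_mb * MB)
    return counts.most_common(n)
```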

I got to thinking tonight about which desktop software we should be looking to update next. Adobe Reader seems to have a number of hits in my vulnerability scanner results, so I was thinking that might be a good option.

A quick inventory shows that we've got a full spectrum of Adobe Reader installed. I even found some version 3 installed. Now how does that happen?

First I checked out appdeploy.com where I got some tips about install switches and disabling the Yahoo search bar. I was also reminded of the Tuner for Adobe.

Next, I went to Adobe and read their article on deploying Adobe Acrobat with SMS. I also watched a 50 minute session on using the Tuner to customize Adobe Reader and Acrobat Professional.

Lastly, I stopped by myitforum.com and did a search on the front page, and in the SMS mailing list. I forgot to search the forum and the blogs there.

What I've found is that I should be able to remove Reader 6 automatically while installing 7.0.8 because it also uses the Windows Installer technology. However, for removing versions 3-5, I'm on my own. Fortunately, I found some helpful command lines. I think I'll create an SMS Installer package to remove the earlier versions.

Some of my computers have Adobe Reader and Professional installed. That may make things interesting. I'm also concerned because we tend to move the Adobe Reader icon into its own folder. An upgrade will probably result in an empty folder with users wondering how to start Adobe.

It looks like Adobe Professional 8 is out. I don't see an Adobe Reader 8 available yet, although I see one reference to a pre-release copy. It's an age-old question. Should we spend time deploying 7.0.8 when 8 is around the corner? We really shouldn't deploy 8 immediately when it is released, so maybe we do need to do 7.0.8 now.

So it looks like there is a lot of work to do. Hopefully, I'll be able to make time for this.

The Help Desk has decided the best way to upgrade systems to Windows XP SP2 from Windows 2000 SP4 is to take the computer to the helpdesk and put in a CD.

Who knows what kinds of problems this will cause in the future. I wish that these computers contained some sort of mark of the beast to indicate that they were upgraded in place rather than doing a clean install with a data restore. Compounding this bit of bad news is the decision by the largest Center to hold onto computers for a third year instead of doing a two year lease. That means these unholy computers will be in production longer.

I've found a handful of computers with Microsoft Virtual Machine installed. They are running XP SP2. We have no way of knowing if the users actually need this for some obscure product or if it's a remnant from an upgraded Operating System.

How great is it that not only does Michael Scott have a password of 12345, but it's written on a post-it note. (The guy in the turban is the I.T. guy if you haven't seen him on the show before.)

I saw this linked from the Drudge Report. It's an article in the Daily Mail.

Here is a satellite shot of the Korean peninsula. In the south we see tons of light pollution from the cities. In the north we see nothing but some light around the capital city. According to the article, the North Koreans have an electricity curfew of 9pm.

I blogged about this in June of 2004 using a similar image. Then it was to poke fun at the claim that the North Koreans who couldn't keep the lights on were supposedly training hundreds of hacker commandos to wage war. Now it's just kind of sad that so many people are forced to live in abject poverty while their glorious leader plays with nukes to earn a seat at the big boy table.

It's been a rough couple of days. This web security project is a bit more grueling than I would have expected. Normally when I'm evaluating something, I can just download it and run it for 30 days. In this project most of the solutions are either external services or they are appliances. As a result, there are evaluation agreements that need to be approved by the contracts office. This usually involves a couple of weeks' time.

So after fighting through all that with the second vendor on my eval list, I find that the vendor doesn't even offer everything we need for this to work. They told me they had a client side proxy, and they don't.

Time to start the process with the next vendor, unless I can convince the boss that vendor number one has everything we want.

Brian Krebs's Security Fix blog in the Washington Post has an entry about his research for an article on identity theft. It's worth a read.

The point I take from the article is that it is important to be careful of where you shop online. Companies like Amazon have security departments that continually work to improve security, and are likely to notice database compromises. If you think that is an optimistic statement, compare that with the likelihood that the store you found through a bargain hunting website will notice a hack, or be prepared for one. Is it worth saving $5 to buy through Fred's Bargain Camera goods?

I've written before about a seller of Palm Treo cases that exposed my name and address to anyone on the internet. I would consider avoiding the smaller online sellers. If they can't be avoided, see if your Credit Card company offers one time card numbers for internet use.