General: December 2006 Archives

I've written in the past about how I use SAMINSIDE and Rainbow Tables to audit passwords. I also wrote about how I disabled LANMAN hash storage, so the LANMAN Rainbow Tables attack would no longer work.

In the interim I've been using brute force attacks looking for 8-character passwords that consist entirely of lowercase letters. I've also tried brute force attacks that tack numbers onto the end and make the first letter uppercase.

This week, I found an NTLM Rainbow Table for lowercase alphabetical passwords of length 1 through 8. While we now require stronger passwords than this, I thought it was worth trying out. The precomputed-table attack has been running for a couple of days. I'm pretty sure that the brute force attack for 8-character lowercase passwords did not take this long.

Federal Computer Week reports:

Due to an increased network threat condition, the Defense Department is blocking all HTML-based e-mail messages and has banned the use of Outlook Web Access e-mail applications, according to a spokesman for the Joint Task Force for Global Network Operations.

According to the article, they are converting all email to plaintext only. I wonder how they are accomplishing that?

While I agree that putting OWA directly on the Internet is foolish, I think there are secure ways of doing it. Further, providing users easy access to OWA encourages them to use an arguably more secure method of access than a thick VPN client that offers full access to the internal network.

Soon the security folks will have us back to using smoke signals and carrier pigeons. Think about the man-in-the-middle attacks possible then.

It's posts like this that keep Sunbelt on the list of blogs I read regularly. In the post they explain why a recent security writer's claim that "IE7 is still the spyware writer's dream" is actually hype.

The vulnerability is that if the bad guy has write access to your computer, he can get a DLL run by IE7 because it does not require FQDNs to load a DLL. While this might make it tougher to clean your computer, the bad guy must already have infected your computer to have write access. This is not like the WMF exploit or all the bad ActiveX controls that were in previous IE versions.

Bruce Schneier writes in Wired that "myspace users are not so dumb". In an analysis of 32k MySpace passwords collected through phishing, it was found that the passwords were better than those in studies of passwords used in a corporate environment.

Age is one reason for the difference in password quality. MySpace users skew younger. Corporations are still filled with people who don't want a voicemail password at all, much less a four-digit PIN.

81% of the passwords are alphanumeric, but 28% were merely a dictionary word with one number added (most often "1").

The bottom line, though, is that these passwords were obtained through phishing. So while the users may be educated about selecting a good password, the security awareness job isn't done.

I saw this linked from Drudge.

A high school class president, who also holds the student seat on the Broward County (FL) School Board, has been charged with two counts of computer crime with intent to defraud, a second-degree felony.

As part of his School Board job, he was given a laptop in order to access job-related email. He found that the I.T. specialist had a sheet of username/password combinations on his desk. The student used the purloined passwords to access the county's system for tracking grades and modified grades for several students.

The obvious lesson is not to leave passwords on a sheet of paper on your office desk.

Even today end users think security doesn’t affect them. “I’ve got nothing to hide,” they say. So they choose convenience over security. They don’t use any form of encryption on their wireless networks, and they disable the security software on their computer.

Here’s a story of a woman in Denver who learned a lesson about that after a visit from the police.

http://www.thedenverchannel.com/news/10486347/detail.html

You don't always have the ability to download patches, perhaps the system only has dialup access to the internet.

There are a couple of ways to deal with this.

http://www.heise-security.co.uk/articles/80682
http://www.autopatcher.com/

I'd be a bit concerned about whether this method is all right with Microsoft and whether anyone is sneaking something into the offline patch collection. Autopatcher has been around for a while, so I'd trust it more. The Heise-Security Offline Update is new to me.

F-Secure's Weblog has a couple of entries on the recent Quicktime troubles, highlighted by the Myspace worm. They report two similar vulnerabilities, and their tests found that one of the JavaScript tricks works for Quicktime users on a Mac with Safari.

Is this vulnerability listed on the eEye Zero Day Tracker? Not so far. Hmmm.

When I ran the Secunia Software Inspector yesterday, it found I had old versions of Firefox, Winamp, Flash, and Java. The Flash and Java detections were complaining about older versions that were still installed, although I do have the current version installed. Secunia recommended that I remove the earlier versions.

It's not really clear whether having older versions of the Flash.ocx file on a computer is actually a vulnerability or not. I figured I'd try what they suggested anyway. I downloaded a Flash remover tool from Adobe. After closing any program that could be using Flash, I ran uninstall_flash_player.exe. I was still left with C:\windows\system32\Macromed\flash\Flash.ocx, which has a file version of 7.0.19.0. There was also a getflash.exe in that directory with a version number matching the latest version of Flash I had installed.

I'm not really sure whether I should remove that file or not. I went ahead and installed the latest version of Flash since I need to have Flash on my computer.

I saw this over on Donna's Security Flash.

Secunia has created a Software Inspector application. It's a Java-based single-system auditor that checks your local system for vulnerable software versions (see their list for the versions checked).

Pretty slick. Obviously it's not a full-scale vulnerability scanner, but it does check for some common software vulnerabilities.

MSNBC has an article on the Word doc banning at NASA that I alluded to earlier this week.

On December 5th eEye released an advisory about Adobe Download Manager. If you have downloaded software such as Adobe Reader from them using one of those stupid download clients you have Adobe Download Manager installed.

A malicious .aom file could be hosted on a web page. If you visit that web page with IE, it will automatically run the exploit code in the file.

Adobe suggests that you:
1. Browse to the following location: :\Program Files\Common Files\Adobe\ESD\
2. Locate the file named AdobeDownloadManager.exe. If the directory or file does not exist, no further action is required.
3. Right-click on the AdobeDownloadManager.exe file and select Properties.
4. Click on the Version tab of the Properties dialog box.
5. If the version is 2.1.x or lower, uninstall using the uninstaller provided here.

It seems that Adobe is leveraging a vulnerability in their 7.x series of Adobe Professional and Adobe Reader to cause people to upgrade to 8 which was just released this week.

They've released a DLL file that you can copy into place, overwriting the vulnerable version in 7.x, but that solution is neither easy for most home users nor appropriate for enterprise deployment.

I'm well down the path of testing a 7.0.8 deployment and don't particularly feel like starting over.

http://www.adobe.com/support/security/bulletins/apsb06-20.html

These are my notes from a lunch and learn presentation with Stonewood about their hardware based encryption product.

They have a mobile USB hard drive. This can be used as a normal Flagstone drive if you boot from it; otherwise you need to load software to access the encrypted data.

Flagstone buys micro hard drives from Toshiba or Hitachi and repackages them in the typical laptop form factor. The drives are 4200 rpm, which I find a bit too slow, but they say that's all they can get from the manufacturer.

When you boot the computer, you are prompted to enter a password. If you enter the correct password, the keys are live and you are able to access the hard drive. If the power goes out it will fail closed. This makes me wonder if Seagate could say the same about their drive.

The drives use a tamper evident casing. The chip that contains the keys is embedded in gel so it is difficult to physically access it without destroying the chip.

FIPS 140-2 is currently pending.

It's a lifetime key, so there is no rekeying as with SW (software) solutions.

The main problem I would have is that it doesn't have single sign-on or a password harmonization feature such as those found in the Seagate product. The password to access the hard drive is not managed and enforced by I.T. It sounds like this will be addressed in 2007.

Today you are screwed with Wake on LAN. Some I.T. shops use WoL to boot machines and patch them during the night. That is not possible with this technology today. I'm not sure how you'd even do that with software full disk encryption.

Their disks are available today and have been out for years. They are in use in the British, U.S. and Canadian military. This is interesting technology and may be the wave of the future. But you're still left asking: what about email, what about the phones and the PDAs? Should you buy an all-in-one solution, or will that leave you disappointed?

Lastly, the price quoted sounded kind of high. I believe Seagate was rather reasonable and comparable to normal prices.

No annual fees, maintenance or upgrades.

This is a 5-company report on their lessons learned and experience.

Rhonda Maluia from the Naval Special Warfare Development Group spoke on their use of hardware based encryption. They use Flagstone which is a British company (opening U.S. offices shortly).

I took fewer notes on this talk due to the dark background of the slides. Encryption on the hardware device is a very interesting concept that takes encryption out of the hands of the user completely. They don't even need to know it's going on.

They were seeking a secure solution with ease of use and the ability to fail securely.
They defined a secure solution as FIPS-compliant AES 128-bit full disk encryption with pre-boot authentication and tamper evidence, and it has to work.

The more the user has to do, such as putting data in a "secure" folder, the less a solution works. They wanted minimal user intervention and moving parts, a low learning curve and good performance.

The device locks after 5 failed logon attempts. After 5 recovery attempts, the data is gone.

Obviously you still need antivirus, personal firewall, antispyware, etc.

Monty McDougal is speaking on behalf of TrueCrypt. This is a free open source solution for Linux and Windows.

I didn't take a lot of notes because I'm not interested in this product. One thing that I think would be true across the board is that unexpected power outages can be devastating to the file system. This is harder to recover from with full disk encryption. Backups are key.

Matt Norris
Matt uses NetApp Decru to address the problem of tape backup encryption.

Most people are not addressing the issue of tape backup encryption. This is a real issue.

Q - Do you encrypt all backups?
A - Yes.

Tape backup encryption is tough. We've all heard stories of needing to recover from 10 year old backups and trying to install the backup software and find the license key. Now imagine that with encryption.

Regarding performance issues, he says that tapes aren't wire speed anyway.

The NetApp appliance connects to the Fibre Channel switch and is passed the data.

I don't have any notes on the other two speakers.

The first session of the second day at the SANS Secure Storage and Encryption Summit was presented by Jason Fossen. Jason teaches the Securing Windows Track at many SANS conferences. Today he is speaking on Vista Bitlocker as well as EFS.

I missed the first 5 or 10 minutes thanks to DC area traffic. I'm kind of angry about that, but what are you going to do. It took me 15 minutes longer on Thursday than on Wednesday to get there.

With EFS you can encrypt anything not in the Windows folder and without the system bit set.

The ultimate strength of the encryption is in the password complexity.

EFS is NTFS only.

The problem you get into is that you are relying on the users to select folders for encryption and to put sensitive data in those folders. Also, EFS is for folders only. You would need a separate solution for email and for all your electronic toys.

With BitLocker and EFS in Vista, you'd have to have a compelling case for purchasing the third-party whole disk encryption programs (assuming you're a Windows shop that is upgrading to Vista anyway). The main argument for third party is the USB fobs and phones.

Doesn't EFS have horrendous vulnerabilities?
- By default the local admin in Windows 2000 was the recovery agent. This was listed in the help file. There were ways to deal with that. After the uproar, that was no longer the default in XP, but in many minds the damage was done.
- You should always encrypt at the folder level to avoid an issue.
- Swapfile and hibernate are issues that should be considered.

What about commercial EFS crackers?
They require the password to work.

Bitlocker - system must be partitioned in 2 volumes, boot and OS. Only OS volume can be encrypted in Vista. In Longhorn (server) any non-boot volume can be encrypted.

Bitlocker provides verification of the integrity of the boot-up files which can help prevent rootkits and other malware. Note you need TPM for this feature.

Bitlocker provides sector level encryption of the entire hard drive.

Steps to enable TPM
1. Verify your Bios supports TPM 1.2 (make sure you have latest BIOS)
2. Enable TPM in BIOS
3. Turn on TPM in Windows (tpm.msc)
4. Initialize the TPM with an owner password.

There are options that involve still using a USB token containing a key in combination with the TPM to provide multi-factor authentication. It seems to me the USB token is likely to be left in the laptop bag, so why bother. It's nice to have that level of security available where necessary.

There is a script manage-bde.wsf to manage TPM and bitlocker from the command line.

It takes about 1 minute per GB when enabling BitLocker. You can reboot, and you are able to work while it performs its initial encryption.

**Gotcha**: if you don't disable BitLocker during a BIOS update it will freak out. So temporarily disable it while updating the BIOS or boot files.

So what if the TPM is pooched, how do you get your data? There is a 48-digit recovery password. This is stored in the computer account in Active Directory. You should require in Group Policy that this recovery password be stored before BitLocker can be enabled.
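As an added example (not from Jason's talk and not Microsoft's code), here is a Python check a help desk could run on a recovery password before typing it into the boot prompt or searching AD for it. It assumes the publicly documented structure of the 48-digit password: 8 groups of 6 digits, each group divisible by 11 and encoding a 16-bit value when divided by 11. That structure is an assumption carried over from public documentation rather than from the session, and the function names are mine.

```python
import re

# Largest valid 6-digit group: 11 * 0xFFFF. Larger multiples of 11 would
# encode more than 16 bits and so cannot be part of a valid password.
GROUP_MAX = 11 * 0xFFFF  # 720885


def parse_recovery_password(text: str):
    """Validate the structure of a 48-digit BitLocker recovery password.

    Returns (halves, problems). `halves` is the list of eight 16-bit values
    the groups encode when the password is well-formed, otherwise None;
    `problems` lists every structural error found, one per group.
    """
    digits = re.sub(r"[\s-]", "", text)  # accept dashes or spaces between groups
    if not (digits.isdigit() and len(digits) == 48):
        return None, [f"expected 48 digits (8 groups of 6), got {len(digits)}"]
    problems, halves = [], []
    for n in range(8):
        group = int(digits[6 * n:6 * n + 6])
        if group % 11:
            problems.append(f"group {n + 1} ({group:06d}) fails the divisible-by-11 check")
        elif group > GROUP_MAX:
            problems.append(f"group {n + 1} ({group:06d}) encodes more than 16 bits")
        else:
            halves.append(group // 11)
    return (halves if not problems else None), problems


def is_valid_recovery_password(text: str) -> bool:
    return parse_recovery_password(text)[0] is not None


def format_recovery_password(halves) -> str:
    """Inverse of the parser: render eight 16-bit values in the dashed form."""
    if len(halves) != 8 or any(not 0 <= h <= 0xFFFF for h in halves):
        raise ValueError("need exactly eight 16-bit values")
    return "-".join(f"{h * 11:06d}" for h in halves)


if __name__ == "__main__":
    # Constructed password, not one from a real machine.
    demo = "000000-000011-720885-000022-000033-000044-000055-000066"
    halves, problems = parse_recovery_password(demo)
    print(halves, problems)
    print(parse_recovery_password(demo.replace("720885", "720896"))[1])
```

The divisibility rule is what lets the boot-time prompt reject a typo immediately; running the same check at the help desk saves a round trip when a user reads a digit wrong over the phone.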

Best Practices:
- Make sure your new hardware supports TPM 1.2.
- It may save time to have the hardware vendor partition with two partitions.
- Enforce a strong passphrase policy.
- Use 128-bit AES. 512-bit is overkill for most.

BitLocker doesn't replace EFS, it enhances it.

Q - Can BitLocker use third-party certs?
A - No, it does not use certs per se.

Q - Is a schema mod required for BitLocker?
A - Yes, and not only that: you must be running Windows 2003 SP1 domain controllers with the schema mod.

Q - Forensics?
A - Well, if you left the door open for forensics, the bad guy could look at the files too. With all these whole disk encryption products, you pretty much need to decrypt the disk to use EnCase.

Q - Can malware disable BitLocker? You mentioned a script to enable/disable it.
A - If you're running as admin and malware gets installed, sure. But then you've got a bad enough problem already if malware is running as admin. Why are you running as admin?

ALLOWING USERS TO SELECT FOLDERS FOR ENCRYPTION IS A DISASTER!!!

I attended the SANS Secure Storage and Encryption Summit '06 in McLean Virginia today. Since I expect more people reading a blog start at the top of the page and work backward, I figured I'd put this explanation here.

I'm posting some notes from the sessions. They aren't in any particular order. Hopefully they are somewhat useful. If not, I'm sorry; I am not going to have a chance to re-read and edit the posts.

The conference made me somewhat concerned. It seems everyone is focusing on full disk encryption products. We just finished purchasing digital certificates from Verisign (not implemented yet) for a large sum of money. We're planning to go with EFS right now using those certificates. I'm worried we aren't going in the right direction.

I realized that I am aware of EFS's limitations and know how to implement it securely on XP SP2. While I am still concerned about issues such as reportability, the initial time of encryption, and knowing that the sensitive data is encrypted, I think it may be ok.

Each government agency wants us to go buy the encryption program they chose. It's less work for them. We could have pockets of users with different versions of encryption all over the enterprise. It is not workable.

Interesting days are ahead.

These are my notes from the vendor panel at the SANS Secure Storage and Encryption Summit.

Guardian Edge
If we haven't had enough statement of the problem, I like the way they put it.
Data is disappearing out of the organization and you don't know it.

81 percent of companies report the loss of one or more laptops containing sensitive data in the past 12 months. Would we even know what was on the laptop?

53% believe that their companies would be unable to determine what sensitive or confidential info resided on a USB memory stick if it were lost.

PGP
- The PGP piece on the blackberry is there by default. You just need to license it. It actually will connect to your PGP Universal server. That sounds kind of neat.

Seagate

Seagate admits that it's a hard drive solution only. You need to do something else for your thumb drive, email, etc.

FIPS 140 is in progress for the Seagate drive (I assume that is FIPS 140-2; I don't think they do 140-1 anymore).

They also have the DoD evaluating for the secure wipe. Seagate just removes the encryption key.

The PGP guy made an analogy to when 3D graphics cards came out. Something about it not putting software rendering out of business; they work together.

Q - Why would we need this (any of the vendors) when BitLocker comes out?
A - Better management tools
- Mature product
- OS support; BitLocker is obviously Vista only, and reportedly only the more expensive versions of Vista.
- No requirement for TPM. BitLocker is better with TPM.

These are my notes from a talk Eric Cole gave at today's SANS Secure Storage and Encryption Summit. If you have a chance to hear Eric talk on any subject, run, do not walk, to sign up. I don't have a lot of security heroes, but he is someone I admire.

Again, these are my notes. I am not copying the slide deck due to obvious copyright concerns. But I hope these notes are still somewhat useful, as it does take some time to convert from handwriting. If nothing else it allows me to review the material while it's still fresh.

Gartner has a Magic Quadrant for desktop encryption. Most of the providers in the "good" quadrant are only 1-2 years old. Food for thought.

With encryption you might not know for 10 years if the implementation is valid. So you should do some basic checks. Boot from a CD, mount the hard drive and see what can be discovered.

Credant is great for mobile devices and PDA, but on the laptop they focus on specific folders leaving hibernation files vulnerable.

PC Guardian encrypts everything but doesn't have the integration or the bells and whistles (your mileage may vary).

Histogram - I kind of missed this part. It has to do with looking at file size over time and determining if something or other is too predictable.

It is certainly worse to think you're secure when you really aren't.
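An added example, not from Eric's talk or any product, of the basic check he describes: boot from a CD, read raw blocks from the drive and look at their byte histograms. Ciphertext should be indistinguishable from random bytes, so any block of a supposedly fully encrypted volume with low entropy or a lumpy histogram is exactly the "you think you're secure but aren't" finding. The image below is constructed in memory; the SHA-256 counter stream is a stand-in for ciphertext (it is not encryption), and the block size, thresholds and function names are my assumptions.

```python
import hashlib
import math

BLOCK = 4096  # scan in 4 KiB clusters; 512-byte sectors give a noisy entropy estimate


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, up to 8.0 for uniform bytes."""
    n = len(block)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chi_square(block: bytes) -> float:
    """Chi-square of the byte histogram against a flat distribution.
    Random-looking data scores near 255 (the degrees of freedom); text,
    zeros or structured file headers score far higher."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    expected = len(block) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def classify_block(block: bytes, threshold: float = 7.5) -> str:
    """'empty' for never-written space, 'encrypted' for high entropy, else 'plaintext'."""
    if block.count(0) == len(block):
        return "empty"
    return "encrypted" if shannon_entropy(block) >= threshold else "plaintext"


def scan_image(image: bytes, block_size: int = BLOCK, threshold: float = 7.5) -> list:
    """Label every block of a raw image read from the drive."""
    return [classify_block(image[off:off + block_size], threshold)
            for off in range(0, len(image), block_size)]


def summarize(labels: list) -> dict:
    """On a fully encrypted volume, 'plaintext' should be zero."""
    return {k: labels.count(k) for k in ("empty", "plaintext", "encrypted")}


def build_demo_image() -> bytes:
    """Constructed image: 2 unwritten blocks, 3 blocks of text (what a lost
    laptop should never expose), 3 blocks of pseudo-random bytes standing in
    for ciphertext."""
    empty = bytes(BLOCK) * 2
    text = (b"Quarterly revenue figures and customer SSNs, do not distribute. " * 200)[:BLOCK] * 3
    stream = b"".join(hashlib.sha256(b"demo-stream" + i.to_bytes(4, "little")).digest()
                      for i in range(3 * BLOCK // 32))
    return empty + text + stream


if __name__ == "__main__":
    labels = scan_image(build_demo_image())
    print(summarize(labels))
    for i, lab in enumerate(labels):
        print(f"block {i}: {lab}")
```

On a real drive you would feed the raw device (read from the rescue CD) through `scan_image()` in chunks; the interesting output is not the count of encrypted blocks but the offsets of any plaintext ones, which tell you which region the product left unprotected (hibernation file, unencrypted boot partition, a second disk nobody enrolled).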

Eric likes to encrypt at the folder level. If you encrypt the full disk, then when you log in everything is accessible. He likes to be able to leave his consulting directory encrypted while working at a SANS conference. Further, backups remain encrypted when you do folder-level encryption.

Many people deploy encryption without fixing up the security of their computer at all.
Deploying without a screensaver lock is like leaving the door open on a safe.

Same goes for deploying with a bad password policy. Eric says quit messing around: set the minimum length to 30 and be done with it. That will force users to use a phrase. They can't write something like that down; it's more trouble than just learning a phrase.

Like Alan said, you need to look at data protection solutions as well as encryption.

If encryption was easy, everyone would be doing it. It's been around a long time.

Because of laptop theft and data leakage press, and regulation, crypto has become the hammer of choice. Crypto is seen as the solution to every problem. Ever hear the phrase "when all you have is a hammer, everything looks like a nail"? Pass me the crypto-hammer.

1. Protection of the key is paramount.
   - The strength of the key is based on the strength of the password that protects it.
   - If your users have admin rights, your ability to succeed in this deployment drops by 80%.
2. Understand what risk is being mitigated and what isn't.
   - Take protections commensurate with the exposure. A $10k per day bodyguard is nothing if the wrong people want you dead.
3. Encryption doesn't prevent inference attacks.
   - Several friends of mine have spent time in unfriendly countries. I asked them about using Hushmail or PGP. They said that if the bad guys suspected you of hiding email traffic it would only cause trouble.

Eric told a story where they suspected theft of trade secrets. They did some egress monitoring and found one guy who only used encryption when sending email to one address. That certainly raised suspicion.

Steve Jobs apparently has a bodyguard for his computer. If he isn't within 5 feet of the computer, then the guard needs to be.

(skipping some steps)
6. Know the problem you're trying to solve.

It's no longer a laptop when it's got 80 Gb of data on it. It's a portable server.

"The only silver bullet is found in a bar"

This is the third in my series of posts recording my notes from the SANS Secure Storage and Encryption Summit in McLean, VA. Hopefully it is semi-literate.

Seagate is finally coming to the general market with their Momentus 5400 FED.2 hard drive. This hard drive is designed to perform total data encryption on the hard drive itself. The drive is expected to OEM in January and ship in March or April with most major laptop brands. Around that time you should be able to purchase just the drive as well.

The drive is password protected. There is a master password which allows you to wipe, configure and set the user password. The user password is read/write to the disk only. There is separate software to provide enterprise management of the master password. The user password can be harmonized with Active Directory to allow for single sign-on. You can also authenticate to the drives with certificates and the TPM.

The drives are manufactured in China which raised some eyebrows.

In a survey of why businesses don't encrypt, 69% cited performance; 44% cited complexity/ not user friendly; 25% cited cost. Seagate feels that their product addresses those concerns.

They report that they use AES-128. I forgot to ask why not AES-256. I did ask why it's only a 5400 RPM hard drive right now. I was thinking the encryption was slowing things so much that a faster hard drive wasn't worth it. They report that 5400 is the most commonly ordered hard drive, so it made sense for them to put the disk encryption at that level first.

In this session at the SANS Secure Storage and Encryption Summit 3 companies report on the process they used to deploy mobile data encryption enterprise wide.

ACS implemented PGP.
Q - Why didn't ACS use EFS?
A - Diversity of environment with customers and types of devices supported.

Q - ACS lost a laptop with 1 million customer records earlier this year...
A - Let's just say you need to look at server data at remote sites, particularly sites that are easily broken into.

Q- Why whole disk encryption
A- take the choice out of the users hands. Folder level encryption lets the users decide what to encrypt. Further you still have problems with page file and hibernation.

Q - Have you had problems where you try to send someone a file but it's still encrypted?
A - They maintained they haven't.

Metavante Corp deployed Utimaco Safeguard.
They had problems with Visual Studio installed. If VS is installed on a computer, then Utimaco would not install. If I understood him right, on those computers they removed VS, installed Utimaco and then put VS back.

Q- What were your three finalists?
A - Pointsec, PGP, Utimaco

Q- Why did you avoid the TPM
A - Don't want to wait for computer refresh. Not all systems have TPM now.

Q- Isn't whole disk encryption going to bog down older computers
A- Not in his experience

Q- How does full disk encryption impact AV and patching
A - it doesn't (actually later on we find out from another person that the user needs to be logged in. Unattended installs will no longer work if the user is not logged in. )

Q - How do you send files securely to external users
A - Secure email (undefined, does he mean s/mime?) and they have an external site with https for file sharing with their customers/partners.

Alan on file/folder-level encryption: you don't know what you've encrypted and what you haven't. This is very important when the laptop is lost and you don't know if you're protected or not.

Q - Has there been a higher rate of driver failures when using whole disk encryption?
A - No. (We learn in a later seminar that hard drives with problems will die during the rollout and initial encryption, so you should do a full defrag prior to deployment to try to uncover any problems first.)

Determine the business need
Determine the scope and avoid scope creep.

Why they picked Utimaco Safeguard:
1. Configurable single sign-on. Could be integrated with SecurID, AD, biometrics, etc.
2. Able to leverage their current software deployment method.
3. Able to manage without Active Directory (they don't have it at all sites).
4. Ability to limit system resource consumption and also leverage checkpoint capability during the initial encryption process. The initial encryption process could take hours. By throttling this back, users can still work and even shut down their computer while initial setup is taking place.
5. Full disk encryption.
6. No TPM requirement.
7. Pricing.

Helpdesk calls related to this deployment were <6% of total calls. Most callers hadn't read the instructions. They did run into a problem where users with a camera or iPod attached had their hard drives encrypted. Some called because the software was so seamless they didn't realize it was installed.

VESTA - This demonstration was on using the nCipher netHSM to encrypt databases. nCipher is an appliance.

These are my notes from the SANS SS&E Summit conference section 1.1. It's my attempt to not violate their copyright by reproducing their slide deck, but I think posting my notes is fair game. This may or may not have any flow to it. Any errors are my own.

In the first section Alan Paller, Director of Research at SANS, and Ben Wright, attorney, introduce the subject of encryption.

The first step was a review of the audience at the summit. About 20% of the audience is government, as you might expect for a DC area conference. The Federal Government is overdue on implementing encryption based on the OMB deadline.

It's important to remember that encryption is one piece of your data protection program. If you get too wrapped up in it, you miss other needed protection.

The CEO doesn't want to end up on the front page of the Washington Post for the wrong reason. They've seen Congressional hearings on the theft of Veterans' data. They've seen the Choicepoint lawsuit. They're often leading the charge for encryption. They've heard the word so often it sounds like a magic phrase. Abracadabra, my security problems are gone. Unfortunately it's not so easy.

You can lose data many ways. Encryption only deals with some of these.

- Stolen or lost laptops, desktops, servers
- Lost or stolen CDs and thumb drives
- Lost or stolen backup tapes
- Employee theft
- Server compromise

Cybercrime is real. They're coming after anyone where they can make money. That includes government contractors.

Interesting mention of the Romanian South Pole Station extortionists. I don't recall that incident, but here's a link: http://www.fbi.gov/page2/july03/071803backsp.htm

Encryption doesn't necessarily help when the attack is a targeted social engineering attack. Let's say the user finds a USB fob in the parking lot. He wants to return it, or he has a more prurient interest, so he plugs the USB fob into his computer to open it. Most computers will autorun code found on the fob if they are configured to do so. The code installs and has the same access to files that the user does, which generally includes reading the encrypted files on their system. (Disable autorun on business computers.)

"A firewall is a steel door on a cardboard house."

An email comes, by name and with the correct email address, from a VP at your company warning you that you need to install the latest patch or you're in big trouble. Most people will follow instructions.

Data needs to be protected across multiple layers.
1. Identity Management and access control
2. Encryption and rights management
3. Host monitoring and protection (HIPS and network segmentation)
4. Content monitoring (egress monitoring, and monitoring for things on the laptop that shouldn't be there).

The next part of this session covered legal issues with Benjamin Wright, JD.
The I.T. security law sweet spot is negligence law. This is based on the reasonable man doctrine, which covers the steps a reasonable man would take to protect the data.

Politicians emphasize encryption. The California disclosure law Senate Bill 1386 has a safe harbor for encrypted data. He mocks it, saying "reasonable security is not required as long as it's encrypted." In spite of what the law says, he would recommend erring on the side of disclosure, because some creative lawyer will sue you even if it's encrypted data that is lost.

HIPAA merely terms encryption as addressable, meaning it should be considered.


I am attending the SANS Secure Storage & Encryption Summit in McLean, Virginia today and tomorrow. It's a seminar put on by SANS and invited vendors.

I'm going to be typing up my notes for each session in the following posts.

Apple has released a patch for Quicktime but it is reportedly only available at the myspace site.

http://blog.washingtonpost.com/securityfix/2006/12/how_not_to_distribute_security_1.html

"A Romanian man has been indicted on charges of hacking into more than 150 U.S. government computers,

The U.S. government alleged Faur was the leader of a hacking group called "WhiteHat Team," whose main goal was to break into U.S. government computers because they are some of the securest machines in the world."

This "WhiteHat Team" is kind of poorly named. A whitehat is ethically against the unauthorized use of a computer system.

Also, if they think computers at Jet Propulsion Laboratory in Pasadena, California; Goddard Space Flight Center in Greenbelt, Maryland; Sandia National Laboratories in Albuquerque, New Mexico; and the U.S. Naval Observatory in Washington D.C. are among the most secure in the world, they are misinformed. Government systems routinely do poorly in their FISMA grading. They have been abused for the past 20 years. The real challenge is not going to jail after hacking them. They failed at that.

With a headline "Vista Designed to Make Malware Easy" CmdrTaco has just gone too far. It turns out the actual article being cited is about malware masquerading as cracks for Vista. Further if you download your copy of Vista from a warez site, surprise surprise, it may have malware slipstreamed into the install.

This has nothing to do with Vista security. This has nothing to do with Windows. If you install software from an untrustworthy source, you're giving up control of your computer. If the top problem with Vista security is that illegal copies of it might have a virus, we should throw a big party.

At least the top commenters at Slashdot understand that the article is nonsense. But really, such unadulterated crap shouldn't be on the front page of Slashdot at all.

Several sites are reporting a worm infecting Myspace profiles and attempting to phish passwords through the use of JavaScript in Quicktime files. The vulnerability sounds similar to the Word URL autolaunch vulnerability or the same problem in Adobe.

An exploited user profile in Youtube will contain a Quicktime file. The Quicktime file will likely play without user interaction when they go to the web page. This will use JavaScript to open a pop-under and also infect your Youtube profile if you have one.

More info is available:
F-Secure Weblog
Websense
SpywareGuide

I've been reading some of the appdeploy.com postings about packaging Quicktime. As usual, it sounds like there are many opinions on how to do it. Some of the opinions posted there may refer to older versions, so it's hard to know if the complaint is still valid.

While searching the Apple support forum, I found that there is actually a license agreement for deploying the free version of Quicktime in an organization. All of the people posting at appdeploy seem to have just downloaded the free version from the website and used that as the source files. Apple has a License agreement for corporations who want to deploy via the network to their clients.

The problem with this Apple Quicktime license is that it's a bit far-reaching. It requires the Quicktime icon on the desktop. Most packagers would want to remove this. They also require that the license agreement be posted to the company intranet.

Right now, I'm trying to figure out how to install Quicktime in such a way that:
1) previous copies are removed
2) Quicktime is not added to the systray.
3) A desktop icon is not created
4) it doesn't mess with the user's current file type mappings

Apple doesn't seem to have put any thought into the best way to accomplish these goals. Adobe had instructions for Reader/Professional and provided an Install Shield Tuner for Adobe Reader/Standard/Professional.

I got pretty close with the few minutes I spent on it tonight, but I don't have my own MST file creator. I guess I could install Orca again, but I never liked that all that much. Looks like I've got a bit of work ahead.