General: March 2007 Archives

Bail out now if you don't want spoilers from this week's 24....

In this week's 24, Nadia's computer is compromised by visiting a website belonging to an insurgent. Inexplicably, a hardware device is also found in her computer.

CTU had previously been protected by Cisco's self-defending network.

I ran across a product called Reconnex today. Their marketing director wrote an article, Top 10 Steps for Privacy Data Protection, for the ISSA Journal. I thought the article was interesting and addressed threats that we need to consider at work. As a result I checked out their website.

Basically, the product searches through data at rest and determines what data needs protecting. Then it also watches the movement of that data as it leaves the network. If there is a data breach, you can use this to determine what was lost.

I would say right now that most companies do not know where the important data is, nor could they notice if it was being emailed to a competitor.
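The data-at-rest half of that description, as an added example and not Reconnex's code or anything from the original post: walk a directory, pull out values that look like US SSNs or payment card numbers, and use the Luhn check so a random 16-digit string is not reported as a card. The three files it scans are constructed in a temp folder so the script runs offline; "important data" here means only those two shapes, which is a deliberate simplification.

```powershell
# Added example (not Reconnex code): a minimal data-at-rest discovery pass.
# Assumptions: files are plain text; "sensitive" means SSN-shaped values and
# Luhn-valid 16-digit card-shaped values. Commercial DLP does far more than this.

function Test-Luhn {
    param([string]$Digits)
    $sum = 0
    $double = $false
    # Walk right to left, doubling every second digit and folding back into one digit
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-SensitiveData {
    param([string]$Path)
    $patterns = @{
        'SSN'  = '\b\d{3}-\d{2}-\d{4}\b'
        'Card' = '\b(?:\d[ -]?){15}\d\b'     # 16 digits with optional space/hyphen separators
    }
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        $file = $_
        $text = Get-Content -LiteralPath $file.FullName -Raw
        foreach ($name in $patterns.Keys) {
            $found = [regex]::Matches($text, $patterns[$name])
            $hits = @()
            foreach ($m in $found) {
                $value = $m.Value
                # SSNs carry no checksum; card-shaped numbers must pass Luhn to count
                if ($name -eq 'Card' -and -not (Test-Luhn ($value -replace '[ -]', ''))) { continue }
                $hits += $value
            }
            if ($hits.Count -gt 0) {
                $first = $hits[0]
                [pscustomobject]@{
                    File   = $file.FullName
                    Type   = $name
                    Count  = $hits.Count
                    Sample = $first.Substring($first.Length - 4).PadLeft($first.Length, '*')  # keep last 4 only
                }
            }
        }
    }
}

# Constructed sample data so the script runs offline
$root = Join-Path $env:TEMP ('dlp-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
Set-Content -Path (Join-Path $root 'hr.txt')    -Value 'Employee 123-45-6789 hired 2007-03-01'
Set-Content -Path (Join-Path $root 'sales.txt') -Value 'Card on file: 4111 1111 1111 1111; bogus: 1234 5678 9012 3456'
Set-Content -Path (Join-Path $root 'notes.txt') -Value 'Nothing sensitive here.'

Find-SensitiveData -Path $root | Format-Table -AutoSize
Remove-Item -Recurse -Force $root
```

Expect hr.txt to report one SSN and sales.txt one card: 4111 1111 1111 1111 passes Luhn, 1234 5678 9012 3456 does not and is dropped. The data-in-motion half (watching the same values leave over SMTP or HTTP) needs a network tap and is not shown here.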

There was just news this week that Oracle sued SAP for hacking. In that instance they noticed that user IDs were being used to access the support knowledgebase and download everything. The user IDs belonged to companies that had just switched to SAP. The downloads came from SAP IP addresses. I don't know that this product would have helped with that, but it does illustrate that data is our most important asset and most of us wouldn't have even noticed that type of attack unless it caused a resource issue that prompted closer investigation.

Reconnex was part of a SANS webinar in January.

There was also a review in December's Information Security Mag. It's not exactly a glowing review. It's good to hear from those who have evaluated it.

Hmm, this would have been a good title for a DST-related post. Instead I'm writing about March Madness.

As a new administrator of our web filter I now get to hear about all the user requests related to things that do not work. On Thursday, I was approached by a colleague who showed me an email where a user reported they could not log into WTNT AM's streaming audio. My colleague was incredulous that someone a) would be wasting company bandwidth (yeah, I know) and b) would have the boldness to complain about it. I was amazed because I had listened to that radio station that very morning. I knew it worked.

It turns out the user was trying to listen to the ACC basketball tourney. The radio station does not hold the rights to broadcast this over the web, so they don't stream it. Hence the user's problems. When I was listening, it switched over to music (a different licensing issue), but apparently they also disabled new logins for the duration.

The UNIX administrator asked me to scan his systems that are within the scope of our Certification and Accreditation package. We have an auditor coming in next week to check our progress toward obtaining "authority to operate" and he wanted to make sure his systems were clean.

I found that our recently upgraded firewall now had several ports in the 37,xxx range that would act as a proxy. So basically, I could point my browser's proxy settings to the firewall on those ports and it would let me out without the usual security filtering. A bit more scanning revealed that these services were enabled on other Solaris 10 servers, not just the firewall.

I hadn't uncovered this before because my vulnerability scanner doesn't scan all 65k TCP ports. I only uncovered it because on one server, these services operated on different ports that were scanned.

So once again, I'm not happy with how my vulnerability scanner has operated. But more importantly we're left with the lesson that we need to run scans before systems move into production.

lsof isn't a default part of Solaris so the Unix guys are still investigating what is providing those services. I left it to them to track it down since I had a few other things to do.
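Two checks that follow from this story, as an added example and not something from the original post: a connect sweep of the full TCP range rather than the scanner's default list, and a probe that separates a port that merely answers from one that forwards an absolute-URI request the way a proxy does. It is PowerShell over .NET sockets. The listener on 127.0.0.1:37001 is a constructed stand-in for the misbehaving firewall, and the sweep is narrowed to 37,000-37,999 only to keep the demo short; against a real host use the default 1..65535.

```powershell
# Added example (not from the original post): find TCP ports that behave as an
# open HTTP proxy, across the whole port range, so a service on an odd port in
# the 37,xxx range does not slip past a scanner that only checks a default list.
# Assumptions: the proxy speaks plain HTTP (no TLS), and a 2xx/3xx reply to an
# absolute-URI GET means the port forwarded the request.

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 200)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Test-OpenProxy {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.ReceiveTimeout = $TimeoutMs
        $client.Connect($Target, $Port)
        $stream = $client.GetStream()
        # A forward proxy accepts a request line carrying an absolute URI;
        # an ordinary web server usually answers 400 or serves its own content.
        $request = "GET http://www.example.com/ HTTP/1.0`r`nHost: www.example.com`r`n`r`n"
        $bytes = [Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader = New-Object IO.StreamReader($stream)
        $statusLine = $reader.ReadLine()
        $code = if ($statusLine -match '^HTTP/\d\.\d (\d{3})') { [int]$Matches[1] } else { 0 }
        return [pscustomobject]@{
            Port        = $Port
            StatusLine  = $statusLine
            LikelyProxy = ($code -ge 200 -and $code -lt 400)
        }
    } catch {
        return [pscustomobject]@{ Port = $Port; StatusLine = $_.Exception.Message; LikelyProxy = $false }
    } finally { $client.Close() }
}

function Find-OpenProxies {
    param([string]$Target, [int[]]$Ports = (1..65535))
    foreach ($p in $Ports) {
        if (Test-TcpPort -Target $Target -Port $p) {
            Test-OpenProxy -Target $Target -Port $p
        }
    }
}

# Constructed stand-in for the firewall: a loopback listener on 37001 that
# answers every connection with 200, the way a forwarding proxy would.
$mock = Start-Job -ScriptBlock {
    $listener = New-Object System.Net.Sockets.TcpListener([Net.IPAddress]::Loopback, 37001)
    $listener.Start()
    while ($true) {
        $conn = $listener.AcceptTcpClient()
        try {
            $reply = [Text.Encoding]::ASCII.GetBytes("HTTP/1.0 200 OK`r`nContent-Length: 0`r`n`r`n")
            $conn.GetStream().Write($reply, 0, $reply.Length)
        } catch { } finally { $conn.Close() }
    }
}
Start-Sleep -Seconds 1

Find-OpenProxies -Target '127.0.0.1' -Ports (37000..37999) |
    Where-Object LikelyProxy | Format-Table -AutoSize

Stop-Job $mock; Remove-Job $mock
```

On the Solaris side, where lsof is not installed by default, `pfiles` against each /proc pid lists that process's sockets with their local port numbers, which is the usual way to map one of these listeners back to the daemon that owns it.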

When I arrived at work this morning, I was forwarded an urgent demand from the corporate communications office. The presentation computer by the elevator lobby near the executives was showing an old screen-saver using the old company logo. I had seen something similar on the displays in the south lobby a week or so back, so I knew what they were talking about.

The machines by the elevator lobby were using a restricted domain account. Since the computer was purposed to display information, the screen-saver was disabled in group policy. If the screen-saver wasn't even enabled, how could the user have seen a screen-saver, I asked.

So I set out to google for a solution. I found that if no one is logged in, the screen-saver settings in HKEY_USERS\.DEFAULT\Control Panel\Desktop will be used. I thought that had to be the solution. No one was logged in, and that caused a screen-saver to run. It was a good theory, but it turned out the .DEFAULT registry settings use logon.scr for the screen-saver. That isn't the screen-saver that was observed.

I searched some more and found out I'd forgotten a key piece of information. The Default User profile, which is used as the template when new accounts are made, does not store its registry settings in HKEY_USERS\.DEFAULT. That hive is for the service account. Instead the template's registry is stored in its ntuser.dat.

When the computer was ghosted, the last act prior to sysprep was to copy the profile used to configure everything into the default profile. Because these systems are exceedingly old, the ntuser.dat is set to run the old, old screen-saver. Any new account will be created expecting to use this old screen-saver. With domain accounts, the screen-saver is changed by group policy. But there is an issue with local accounts, and I also suspect an issue when the user profile does not load correctly and the machine falls back to the default profile.

I updated the ntuser.dat on the systems for which I have responsibility. I also edited the registry to remove the existing configuration pointing to the old old screen-saver.
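The three places the post ends up looking, checked from one script, as an added example rather than anything from the original post: the hive used at the logon screen (HKU\.DEFAULT), the interactive account's own settings, and the Default User ntuser.dat that every future profile is cloned from. The last one is not mounted while no account uses it, so the script loads it with reg.exe under a temporary key and unloads it afterwards. It assumes it runs elevated on the display PC and that the stale saver is whatever SCRNSAVE.EXE points at in that hive; the post never names the .scr file, so the script does not either. Without -Fix it only reports.

```powershell
# Added example (not from the original post): audit the three places a
# screen-saver can be configured on a kiosk box and, on request, fix the one
# that seeds new profiles. Assumptions: run elevated; the stale saver is
# whatever SCRNSAVE.EXE holds in the Default User hive (name unknown here).

$desktopSub = 'Control Panel\Desktop'

function Get-ScreenSaverConfig {
    param([string]$HiveLabel, [string]$KeyPath)
    $p = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive    = $HiveLabel
        Active  = $p.ScreenSaveActive
        Timeout = $p.ScreenSaveTimeOut
        Saver   = $p.'SCRNSAVE.EXE'
    }
}

function Get-DefaultProfileHivePath {
    # Vista and later store a "Default" value; XP/2003 store ProfilesDirectory + DefaultUserProfile.
    $pl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $dir = if ($pl.Default) { $pl.Default } else { Join-Path $pl.ProfilesDirectory $pl.DefaultUserProfile }
    Join-Path ([Environment]::ExpandEnvironmentVariables($dir)) 'NTUSER.DAT'
}

function Repair-DefaultProfileScreenSaver {
    param([string]$HivePath, [switch]$Fix)
    $mount = 'HKU\TempDefaultUser'
    & reg.exe load $mount $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg load failed: not elevated, or the hive is in use' }
    try {
        $key = "Registry::HKEY_USERS\TempDefaultUser\$desktopSub"
        $cfg = Get-ScreenSaverConfig 'Default User NTUSER.DAT' $key
        if ($Fix -and $cfg.Saver) {
            # New accounts are cloned from this hive, so clear the stale saver here,
            # not only in the profiles that already exist on the box.
            Remove-ItemProperty -LiteralPath $key -Name 'SCRNSAVE.EXE'
            Set-ItemProperty    -LiteralPath $key -Name 'ScreenSaveActive' -Value '0'
            $cfg = Get-ScreenSaverConfig 'Default User NTUSER.DAT' $key
        }
        $cfg
    } finally {
        [gc]::Collect()                 # drop PowerShell's handle so the unload succeeds
        & reg.exe unload $mount | Out-Null
    }
}

# 1. What runs at the logon screen when no one is logged in
Get-ScreenSaverConfig 'HKU\.DEFAULT' "Registry::HKEY_USERS\.DEFAULT\$desktopSub"
# 2. What the currently logged-on account has
Get-ScreenSaverConfig 'HKCU' "HKCU:\$desktopSub"
# 3. What every future account will inherit (report only; add -Fix to clear it)
Repair-DefaultProfileScreenSaver -HivePath (Get-DefaultProfileHivePath)
```

If the first line shows logon.scr and the third shows something else, that matches the post's diagnosis: the saver seen on the lobby screen came from the template profile, not from .DEFAULT.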

I just saw an email from the I.T. department at a government agency. They ask all users to leave their Windows and Mac systems online this weekend and make sure automatic updates are enabled in preparation for the DST change. Wow, sounds like they are leaving things to the last minute there. It also sounds like they have a rather chaotic patch distribution system.

I'm not so sure we've been as methodical as we could have been about this. I also feel our user communication was kind of late. We have a good excuse. We changed our company name in February. We've been working for months preparing for that changeover, so DST was a secondary item until that was finished.

I'm not going to be at work the week of the 12th. Traditionally when I'm not in the office, something hits the fan. Usually it's a major virus incident. So if I were my co-workers, I'd buckle up for a bumpy ride.

Rather than creating separate entries, I thought I'd comment on today's SANS Diary entries in one post.

Comparing Anti-Virus Solutions
That's just weird timing since I posted about that this weekend. I agree that VirusTotal is an interesting snapshot. I would be more interested in a site that collects when a virus def is available and what is in that def (assuming everyone lists what virus detections are added in each definition update). Another interesting graph is the virus release chart for each major virus. Here's a graph MessageLabs put out about Nyxem response time. Symantec didn't do so well.

Security update for QuickTime (7.1.5)
About freaking time, Apple. I had already given up on a fully patched install ever being released. We just pushed 7.1.3 last week to a couple hundred computers that had been running 6.5.

phpMyFAQ being exploited
I almost installed this for one FAQ I maintain. I decided to stick with static HTML since I wouldn't be able to maintain it.

I was running the good old password cracker this weekend, and I noticed that there are still 10-15% of the accounts using passwords like Aaaaaaa1 (A = capital letter, a = lowercase letter). These passwords are fairly easy to brute-force since there is a low level of complexity. These are passwords where the user is attempting to do the bare minimum to fit the password requirements.

It kind of reminded me of that scene from Office Space.

STAN
I need to talk about your flair.

JOANNA
Really? I have 15 buttons on. I, uh, (shows him

STAN
Well, ok, 15 is minimum, ok?

JOANNA
Ok.

STAN
Now, it's up to you whether or not you want to just do the bare
minimum. Well, like Brian, for example, has 37 pieces of flair. And a
terrific smile.

JOANNA
Ok. Ok, you want me to wear more?

STAN
Look. Joanna.

JOANNA
Yeah.

STAN
People can get a cheeseburger anywhere, ok? They come to Chotchkie's
for the atmosphere and the attitude. That's what the flair's about.
It's about fun.

JOANNA
Ok. So, more then?

STAN
Look, we want you to express yourself, ok? If you think the bare
minimum is enough, then ok. But some people choose to wear more and we
encourage that, ok? You do want to express yourself, don't you?

JOANNA
Yeah. Yeah.

STAN
Great. Great. That's all I ask.

JOANNA
Ok.

We should have a policy that any password I can crack must be expired immediately.
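A way to make the "bare minimum" passwords visible after a cracker run, as an added example and not part of the original post: map each recovered password to its shape in the same A/a/1 notation the post uses, tally the shapes, and put a keyspace next to each so the complexity gap is a number rather than a feeling. The eleven passwords are constructed, not from any real audit; the only assumption is one cleartext password per line.

```powershell
# Added example (not from the original post): bucket cracked passwords by
# shape so the bare-minimum ones stand out, with the keyspace of each shape.
# Assumptions: cracker output is one cleartext password per line; the sample
# list below is constructed.

function Get-PasswordMask {
    param([string]$Password)
    # Same notation as the post: A = capital, a = lowercase, 1 = digit, ! = anything else
    -join ($Password.ToCharArray() | ForEach-Object {
        if     ($_ -cmatch '[A-Z]') { 'A' }
        elseif ($_ -cmatch '[a-z]') { 'a' }
        elseif ($_ -cmatch '[0-9]') { '1' }
        else                        { '!' }
    })
}

function Get-MaskKeyspace {
    param([string]$Mask)
    $sizes = @{ 'A' = 26; 'a' = 26; '1' = 10; '!' = 33 }   # 33 printable ASCII symbols
    $total = [double]1
    foreach ($c in $Mask.ToCharArray()) { $total *= $sizes[[string]$c] }
    $total
}

function Get-MaskReport {
    param([string[]]$Passwords)
    $Passwords | Group-Object { Get-PasswordMask $_ } | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Mask     = $_.Name
                Count    = $_.Count
                Share    = '{0:P0}' -f ($_.Count / $Passwords.Count)
                Keyspace = '{0:E2}' -f (Get-MaskKeyspace $_.Name)
            }
        }
}

# Constructed sample: the kind of list a cracker hands back on a small domain
$cracked = @(
    'Aaaaaaa1', 'Bbbbbbb2', 'Winter07', 'Summer07', 'Patriot1', 'Jjjjjjj9',
    'Tr0ub4dor&3', 'Correct!Horse9', 'Redskins1', 'Abcdefg1', 'Password1'
)
Get-MaskReport -Passwords $cracked | Format-Table -AutoSize

# The Aaaaaaa1 shape is 26 * 26^6 * 10, about 8.0E10 candidates; full 8-character
# complexity over 95 printable characters is 95^8, about 6.6E15: roughly 80,000 times larger.
```

The report groups Winter07, Summer07, Patriot1, Redskins1, Abcdefg1 and Password1 under the same Aaaaaaa1 shape as the literal ones, which is the point: a mask attack on that one shape covers the lot.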

Sadly, at work we operate with pretty much all users as local administrators. Their local administrator rights allow a user to remove Domain Admins from the local Administrators group, breaking our ability to manage the systems. Years ago we set up a login script to add Domain Admins to the local Administrators group if the user was a local administrator. We looked for a way to do this in group policy, but we were always told that it is not possible to append members to a group.

Based on something I had read a while back about this actually being possible, I decided to look into it further. What I found is that the Restricted Groups portion of group policy has a "Member Of" setting. I can set Domain Admins as a restricted group and leave the "Members" portion blank. This does not erase the current members as it did in earlier versions of Windows. Then in the "Member Of" box, I add Administrators. This adds the Domain Admins group to the local Administrators group on all domain computers.

No muss no fuss.
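After the policy applies, the thing worth checking is whether Domain Admins actually landed in every machine's local Administrators group, since the original problem was users removing it. This is an added example, not part of the original post: it reads the local group over the WinNT ADSI provider and flags the machines that still lack the domain group. CONTOSO and the three computer names are placeholders; the running account is assumed to be able to read local groups on those hosts.

```powershell
# Added example (not from the original post): confirm the Restricted Groups
# "Member Of" setting took effect by reading each PC's local Administrators
# group and flagging any that still lack Domain Admins.
# Assumptions: CONTOSO is a placeholder NetBIOS domain name, the computer list
# is constructed, and the caller can read local groups remotely.

function Get-LocalGroupMembers {
    param([string]$Computer, [string]$Group = 'Administrators')
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    # Members() returns an IADsMembers collection; each entry's ADsPath looks
    # like WinNT://CONTOSO/Domain Admins for a domain group.
    @($grp.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $path -replace '^WinNT://', ''
    }
}

function Test-DomainAdminsPresent {
    param([string[]]$Computers, [string]$Domain = 'CONTOSO')
    foreach ($c in $Computers) {
        try {
            $members = Get-LocalGroupMembers -Computer $c
            [pscustomobject]@{
                Computer          = $c
                HasDomainAdmins   = [bool]($members -contains "$Domain/Domain Admins")
                LocalAdminMembers = ($members -join '; ')
            }
        } catch {
            # Unreachable or access denied: report it rather than silently skipping
            [pscustomobject]@{
                Computer          = $c
                HasDomainAdmins   = $null
                LocalAdminMembers = "error: $($_.Exception.Message)"
            }
        }
    }
}

# Constructed list; in practice feed this from Active Directory or the GPO's scope
$pcs = 'PC01', 'PC02', 'KIOSK-LOBBY'
Test-DomainAdminsPresent -Computers $pcs -Domain 'CONTOSO' |
    Where-Object { -not $_.HasDomainAdmins } | Format-Table -AutoSize
```

Anything listed here either has not refreshed policy yet or is not in the GPO's scope; an empty result is the "no muss, no fuss" outcome. Note the setting lives under Computer Configuration, Windows Settings, Security Settings, Restricted Groups, and that filling in "Members" instead of "Member Of" would replace the local group's membership rather than append to it.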