General: May 2007 Archives

George Ou blogs about a free WiFi driver checker from Aruba Networks.
Basically it scans domain computers via WMI using supplied credentials and reports if the wireless driver is vulnerable. They didn't take the time to have it verify the computer is reachable first, so there could be some long timeouts. I've seen other WMI scripts test first. They test with a TCP ping on port 135, which they report will not work from XP computers.

Ou reports "When I spoke with the patch management companies at RSA 2007 in February and asked them about driver patches, they looked at me with a blank stare as if they didn’t even know what I was talking about."

My vuln scanner does detect a couple of Intel 2200 BG vulnerabilities. But I've often wondered about the Broadcom drivers and the non-wifi drivers. It will be interesting to run this and see what, if anything, I've been missing.

This worked fine locally, but when I installed it on a Windows 2003 server to scan a subnet, it crashed. No, I haven't reported the problem to the developer.

I was a bit worried when SANS reported an update for Quicktime 7.1.6. I created a new Quicktime package on Friday and it was just about to go out to the test group. Fortunately for me, on Friday I downloaded a fresh copy of the Quicktime installer. It happened to have 7.1.6.200 which appears to be the latest version. So I'm covered for patches in http://docs.info.apple.com/article.html?artnum=305531. I'm not sure when that was officially released.

**update** - I realized tonight that the update is still needed. When it is installed a registry key is created at HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Security Updates\2007-006. Since I see no way to slipstream this update into the 7.1.6 install I updated the package to run the updates sequentially. I'm also going to have to get the SMS guys to create a separate advertisement for those people who upgraded to 7.1.6 already.

http://www.mozilla.com/en-US/firefox/all.html

"Firefox 1.5: This version of Firefox will be supported until mid-May, 2007 with security and stability updates. We strongly encourage all users to upgrade to Firefox 2."

The "check for updates" feature of Firefox at this time does not suggest upgrading to Firefox 2. I don't know if that is something that will change later or not. Currently, at my company most of the users with Firefox are running 1.5. They tend to not use it at all, so they don't upgrade until someone tells them to.

Adobe has announced that Adobe Reader 8.1 will be released the week of June 4th. So if you've got your finger on the 'deploy' button ready to go with 8.0 you may just want to hold on for a second.

I'm trying to get 7.0.9 out this week. The question is, will 8.1 contain any security fixes and will those fixes be ported to 7.0.x if needed.

I had an interesting thought this week. "Did we disable lanman hash storage on the test domains?" This is an important consideration. We use software to synchronize passwords from the production domain to the test domain for people in the I.T. department and HR. That would expose production passwords.

I looked at the primary test domain and found that we had indeed disabled the lanman hash.

On the other test domain, I found that we hadn't disabled the lanman hash storage. I was able to use my rainbow tables and in a couple of hours I had 100 percent of the passwords. About 40 of those passwords were synched over from the production domain, so I was able to obtain the production password for the lead SA, my manager and the director.

So, the lesson learned here is to apply your hardening guide on your test domains.
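One way to verify that the same hardening reached every domain, as an added example that is not part of the original post: query the LM-hash storage setting on each domain controller of the production and test domains. It assumes WinRM access with admin rights to the DCs; the domain names are placeholders.

```powershell
# Added example (not from the original post): check the LM-hash storage
# setting on the domain controllers of each domain you care about, so a test
# domain doesn't quietly miss the hardening applied to production.
# Assumes WinRM (Invoke-Command) access to the DCs with admin rights.
# Domain names below are placeholders.

$domains = @('prod.example.test', 'test1.example.test', 'test2.example.test')

foreach ($domain in $domains) {
    # Enumerate the DCs of each domain via DirectoryServices (no RSAT needed)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $domain)
    $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).DomainControllers

    foreach ($dc in $dcs) {
        $value = Invoke-Command -ComputerName $dc.Name -ScriptBlock {
            # NoLMHash = 1 means the LM hash is no longer stored at the next password change
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
        }
        [pscustomobject]@{
            Domain   = $domain
            DC       = $dc.Name
            NoLMHash = if ($null -eq $value) { 'not set (LM hash stored)' } else { $value }
        }
    }
}

# Note: NoLMHash only stops storing the LM hash from the next password change
# onward; hashes already in the directory stay until each password is changed.
```

A password sync that runs after the setting is applied does not clear existing LM hashes either; the synced accounts still need a password change for the setting to take effect.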

One of my "white whales" has been the ability to perform RPC over HTTPS. I think this would be great for the mobile workforce. It allows a remote user to open Outlook and directly connect to exchange without launching a VPN client. The problem is that any reasonable employer requires strong authentication for all remote access. Username and Password only just exposes the corporation too much. Ever since RPC over HTTP was announced, I've asked for the ability to use SecurID with it. Unfortunately what I found was that this would involve multiple design changes across ISA, Exchange and Outlook. This didn't make it into Exchange 2007, ISA 2006 or Outlook 2007. If you're interested in this sort of solution, please contact your Microsoft TAM and let them know.

I ran across a blog entry by Stefaan Pouseele that examines this issue more closely. He concludes that Outlook uses basic authentication and ISA can't do Radius authentication off of basic authentication. Further Outlook RPC over HTTPS isn't designed for a two credential logon (SecurID followed by AD as happens with the normal HTTPS logon).

For now this remains a nice dream.

Winamp 5.35 is out fixing the MP4 file parsing buffer overflow vulnerability that was previously announced.

In our recent FISMA audit at work, KPMG didn't like the vulnerability remediation report that I create each month for the Infosec group. They wanted more metrics, but their examples of metrics were very similar to what I already do.

Flash forward a few weeks, and we have a CEO who is very interested in number... in metrics.

I spend a lot of time on putting together the Infosec report, but I have to question whether some of the numbers prove anything other than that the products in question are still collecting data.

So to meet these two demands for metrics, I'm searching high and low. This will have to be an off-hours project. At work, my top two tasks right now are writing an incident response plan and selecting an FDE product. That doesn't leave a lot of spare time.

So I've spent some time over at securitymetrics.org. I've read the reviews of "Security Metrics: Replacing Fear, Uncertainty, and Doubt" over at Amazon. I've looked at A Few Good Metrics over at CSOonline.

I'm wondering if it's worth getting the book or if I should just read NIST 800-80, "Guide for Developing Performance Metrics for Information Security" and 800-55, "Security Metrics for Information Technology Systems".

I do believe the right Metric can provide insight, and be a true measuring stick for the infosec program. I'm just afraid that Metrics done poorly will lead to spending a lot of time gathering arcane correlations that no one will read and will mean nothing.

I received the "Life is Beautiful" virus hoax email from a relative today.

At the bottom of the email it stated:

PLEASE SEND A COPY OF THIS E-MAIL TO ALL YOUR FRIENDS and ask them to
PASS IT ON IMMEDIATELY! THIS HAS BEEN CONFIRMED BY SNOPES.

http://www.snopes.com/computer/virus/life.asp

If you go to that link, it says that the Life is Beautiful email is a hoax. The forwarder(s) didn't actually check Snopes, they just believed what the email said.

You'd think it would be easier to spend a lot of money. I'm trying to evaluate Full Disk Encryption software, and the sales people I'm dealing with are frustratingly unresponsive.

I've heard from other companies that often they find that FDE companies just aren't interested. Apparently so many companies are under an encryption mandate that they only want to spend resources on a guaranteed sale.

The most annoying example is the product I'm currently evaluating. Safeboot has not provided me with a pre-sales support direct contact. They also forbid contacting tech support. Instead I must contact the sales guy. The sales guy, instead of getting me in touch with an engineer, wants to set up a meeting "sometime this week or next."

I was very upfront in my need to do this eval quickly. I learned what I wanted about Pointsec in two or three days. I can't even get a response from Safeboot in that time period.

In a recent NetworkWorld article, Michael Osterman asks "How secure is a hosted environment". Specifically, he's talking about external hosting of mail stores in cases where the entire mail operation is outsourced or where mail is archived externally.

The article reports on his trip to ZANTAZ and how impressed he was with their physical security. The article would have been better if it had covered other areas of information security. How are these servers protected against attack? Is the operation audited? How do you know those security doors aren't propped open every other day of the week?

I read an Infoworld article today that says that "Hackers are using Windows Updates' file transfer component to sneak malicious code downloads past firewalls". After trying to figure out what the writer was talking about, I went to the source, a Symantec blog entry. This made a BIT more sense.

The Infoworld article left me thinking this was a corporate firewall bypass. That didn't make a lot of sense because many enterprises aren't scanning HTTP and FTP anyway, so the use of BITS doesn't change that. The Symantec blog was a bit clearer that this is a personal firewall bypass.

Parlor trick or serious problem? I guess I'd be more worried about how the computer got infected initially. Flashy article titles make this problem seem worse than it is.

As we roll through May, it's time for an annual rite of late spring: the arrival of the summer intern. Generally these are high school or college students with morally questionable opinions about copyright and movie downloads. It may be a good time to put out a reminder if you have a company policy respecting such.

Brian Krebs' Security Fix is reporting AOL is truncating passwords at 8 characters. I think our Solaris servers were doing the same thing until we upgraded to version 10. In fact, here's a blog entry from the SUN Security Coordinator's blog claiming that password truncation is a security feature. In other words, it's a feature, not a bug.

I was working on creating an Adobe Reader 7.0.9 package this weekend. Adobe says that they aren't providing an upgrade version of 7.0.9, only a full version. That is rather disappointing.

As part of the upgrade, I checked to see how many computers needed it. I searched for systems with acrord32.exe and sorted by version number. No computers had version 7.0.9 of that product. I knew that Reader 7.0.9 was installed on my own computer, so I knew that couldn't be right. Was this caused by a bad install or by Adobe? I checked for installed versions of Adobe Reader 7.0.9 via Add/Remove Programs and found that I had a couple hundred computers with 7.0.9. So it's not just my computer. Apparently Adobe didn't update the version number correctly on the main exe. I found a thread asking this question in the Adobe forum, but no answers yet.
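An inventory check that reports both sources side by side, as an added example that is not part of the original post: it reads the Add/Remove Programs entry (the Uninstall registry key) and the file version of AcroRd32.exe on each machine and flags where the two disagree. Computer names are placeholders; it assumes WinRM access with admin rights and the default Adobe install locations.

```powershell
# Added example (not from the original post): compare the Adobe Reader version
# shown in Add/Remove Programs with the file version of AcroRd32.exe, so a
# file-version-only inventory can't hide an already-patched machine.
# Computer names are placeholders; assumes WinRM access with admin rights.

$computers = @('WS001', 'WS002')

$results = Invoke-Command -ComputerName $computers -ScriptBlock {
    # Add/Remove Programs data lives under the Uninstall keys (both views on 64-bit hosts)
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $arp = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Reader*' } |
        Select-Object -First 1

    # Locate the main executable under the Program Files trees (default install
    # location is an assumption); skip the empty x86 path on 32-bit hosts
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $exe = Get-ChildItem -Path $roots -Filter AcroRd32.exe -Recurse -ErrorAction SilentlyContinue |
        Select-Object -First 1

    $arpVer = if ($arp) { $arp.DisplayVersion } else { 'not installed' }
    $exeVer = if ($exe) { $exe.VersionInfo.FileVersion } else { 'exe not found' }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        ArpVersion = $arpVer
        ExeVersion = $exeVer
        # True when both were found and the installer bumped one but not the other
        Mismatch   = [bool]($arp -and $exe -and ($arpVer -ne $exeVer))
    }
}

$results | Sort-Object ArpVersion | Format-Table Computer, ArpVersion, ExeVersion, Mismatch -AutoSize
```

Sorting on ArpVersion rather than ExeVersion gives the count the post was after; the Mismatch column shows how many machines would have been missed by the exe-version search alone.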

I'm not sure how new this is, but some of my users are being sent suspicious messages. They are being blocked by my IM filter, so no worries here.

Message - Images shot in Iraq _ The war will never end http://quicknews[x]info/Iraqwar.jpg
Message 2 - :D who is beside you in this pic http://quicknews[x]info/friendpic1.jpg (obviously [x] = "." I'm trying to keep you all from unintentionally getting infected).

When I checked it looked like there was a redirect on that site that took you to a page with some porn ads, and also some obfuscated java.

http://www.networkworld.com/news/2007/050207-internet2-fire.html
Cables on the Longfellow Bridge connecting Boston and Cambridge were damaged by a fire Tuesday night. Authorities report that a fire was started when a homeless man carelessly discarded a cigarette. The damage is expected to disrupt Internet2 service for several days.

I found this linked through the CERIAS weblog: Important Follow-up Re: The New Password Complexity Policy.

Hilarious