General: June 2007 Archives
I had a user ask me today about an unusual issue with EFS on Windows XPsp2 when Mozilla browsers are used.
With EFS, normally you enable it for a folder, and you expect that any file that you place in that folder will be encrypted.
1. create a folder called c:\encrypt and set the EFS attribute on that folder
2. Download a file using Internet Explorer and save it to c:\encrypt. The file is created in an encrypted manner.
3. Download a file using Firefox or Netscape. (You must select Tools, Options, Download and specify c:\encrypt as the location to save downloaded files). The file is NOT encrypted.
4. Download a file using Firefox or Netscape using right-click "Save Link As", and it is encrypted.
Turning on auditing, I see that when the file is saved with Windows Explorer involved, 9 events are actually recorded. When I save through the download manager only two events are recorded.
My next step was to use Sysinternals Process Monitor to look closer at what happens. That killed my theory that the download manager was somehow not running as me. I'm kind of at a dead end now. I've googled, but didn't find anything. I'll update this post if I find an answer.
Updated: My Microsoft TAM suggests that the Firefox Download Manager may download the file to a temporary location and then move it to the final location. A move on the same partition would preserve the old attributes and the permissions.
Internet Explorer, on the other hand, performs a copy so it inherits those things.
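To reproduce the move-versus-copy explanation without a browser, here is an added PowerShell example (not from the original post). It assumes an NTFS drive, that %TEMP% is on the same volume as C:\encrypt (a cross-volume move is really a copy and would inherit encryption), and that the account already has, or can auto-generate, an EFS certificate.

```powershell
# Added example: show that a same-volume move keeps a file unencrypted inside an EFS folder
# while a copy inherits the folder's Encrypted attribute.
$enc = 'C:\encrypt'
$tmp = Join-Path $env:TEMP 'efs-test'
New-Item -ItemType Directory -Force -Path $enc, $tmp | Out-Null
cipher /e $enc | Out-Null    # set the Encrypted attribute on the folder; new files created here inherit it

# Constructed sample files in a plain (unencrypted) temp folder, as a download manager would stage them
'copy me' | Set-Content (Join-Path $tmp 'copied.txt')
'move me' | Set-Content (Join-Path $tmp 'moved.txt')

Copy-Item (Join-Path $tmp 'copied.txt') $enc    # creates a new file under C:\encrypt -> inherits encryption
Move-Item (Join-Path $tmp 'moved.txt')  $enc    # same-volume rename -> keeps the source file's attributes

function Test-EfsEncrypted([string]$Path) {
    # The Encrypted attribute bit is the quickest check; "cipher /c <path>" shows the same plus the key holders.
    ((Get-Item -LiteralPath $Path).Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
}

Get-ChildItem -LiteralPath $enc -File | ForEach-Object {
    [pscustomobject]@{ File = $_.Name; Encrypted = Test-EfsEncrypted $_.FullName }
} | Format-Table -AutoSize

# Remediation for files that slipped in unencrypted: encrypt everything already in the folder in place.
# cipher /e /a /s:$enc
```

Scheduling the `cipher /e /a /s:` line, or running it after each download session, closes the gap regardless of which browser or download manager created the file.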
The commercials have been all over radio; "protect yourself from identity theft with lifelock". The CEO even gives out his social security number in the commercial in an expression of confidence in his product. But what service does Lifelock actually provide and who is behind that?
A while back I was trying to figure out what lifelock did and didn't have any luck. Today, I see they have a four step process.
1. Place a fraud alert on your credit report. You can do this yourself for free. It expires every 90 days so they are saving you a bit of a hassle in renewing the fraud alert. The benefit of this is questionable since this does not actually stop new credit accounts from being opened in your name.
2. Adds your name and address to the Direct Mail Associations do not junk-mail list. This is something again that you can do for free, but you'll have to renew every 5 years or so if I remember correctly.
3. Sends you your credit report once per year. This is something you can order cheaply, and you may be eligible for a free yearly copy anyway.
4. Pay for the associated costs if your identity is stolen and help you clean up the mess.
As I read some sites about Lifelock a couple of things became clear.
1. Lifelock uses an affiliate program so any positive reviews may be somewhat disingenuous.
2. You must give Lifelock limited power of attorney to file fraud alerts with the credit bureaus.
Since you're giving Lifelock all your important info, they better be trustworthy people. According to the Phoenix New Times, Lifelock founder Robert Maynard may be a bit of a grifter. The article is quite enlightening.
Apparently, I'm a few weeks behind on news, because I just saw that the Arizona Republic reported on June 13th that Maynard has resigned.
Techcrunch puts on the tinfoil hat to worry that this organized hit was brokered by the credit bureaus. Really? That sounds like spin to me. Does it matter who the source is when the story used to sell Lifelock is a lie? It's pretty ironic that a possible identity thief opens up a business on protecting people from identity theft. (Or is that just like the grayhats in the infosec business?)
It's pretty funny to watch the shills in the comments on each of these articles. Some people really believe in Lifelock. Others are money-making affiliates.
Kevin Mitnick once said something like, "a mother's maiden name is not a password. A Social Security Number is not a PIN." That is the basic problem. The credit system, and even ACH transfers from your bank account, act like it's still safe to leave the doors unlocked at night. Lifelock really just puts a note on the door. You could put the note there for free. And there are still other windows and doors that need to be protected.
When I heard the commercials, I bought into the danger and the urgency. Now that I've looked into it, I think they are selling fear. When that happens, hold onto your wallet.
Mark Russinovich of Microsoft blogs today about Security Software and bad default permissions leading to privilege escalation. Regular readers know that this is one of my ways of entertaining myself. Members of my JMU cohort are probably sick of me retelling stories of my past glory. ;)
I hope that with Mark's name behind this, default permissions will receive the attention they are due. It is far too easy to perform a local privilege escalation thanks to some poorly written security software.
When Firefox was first introduced, it was widely promoted as the safer browser. Some writers went as far as to leave off the "er"; to them it was the "safe browser". It's now June 2007 and Mozilla now has a security blog. Interesting.
Time to parse their post from 6/18.
I find it interesting that the writer attempts to dismiss 'number of vulnerabilities' as meaningless. I also think it is freaking hilarious that they are bragging about their software update system. If we go to the archives, we'll find that was one item that was extremely lacking in earlier releases. There was no prompting for upgrades.
The current system still isn't exactly enterprise ready. Rather than creating patches, they require full installs. Instead of occurring in an enterprise-approved manner as with patching software, it occurs in an ad hoc, untested manner as users open Firefox after the patch is released. If users don't use the product, it doesn't get upgraded. That is fine as long as the vulnerability can't be called from outside of Firefox.
I'm still wondering what is going to happen with Firefox 1.5 at the next patch release. They said it was done after mid-May, but then they patched it anyway. The 1.5 upgrade monitor doesn't prompt you to upgrade to 2 or warn that 1.5 is end of life.
I learned something new from Brian Krebs' Security Fix found at WashingtonPost.com. In today's entry he writes that OpenDNS has added a voluntary feature to block porn.
OpenDNS is a free DNS service that purports to be faster and more reliable than the ISP DNS you are probably using by default. Also they add in some anti-phishing and anti-typo features to protect their users. They make money by hijacking the result if you type in a non-existing webpage such as www.asdfasfdasdfasfasdfasfd.com.
Anyway, if you register your IP address with OpenDNS, you can sign up to have those DNS requests checked by their St Bernard implementation.
I set it up this afternoon. It was easy to add their DNS servers into my Linksys Router (sveasoft talisman firmware), but I didn't see a way to set up DDNS updating without putting a DDNS updater on my desktop. I would have preferred to do that on the router.
This is a good free setup to stop unintentional access. If you've got people trying to get around it, you're better off having a filtered ISP or running a proxy server that is physically protected (along with the cable modem) to prevent bypassing.
I got a cold call from a Sophos sales guy recently. As I tend to do when I have the time, I talked to him for a bit about their products. Unfortunately that just encourages sales guys because they think they've found a "mark". When he called back later, I didn't have as much time. I also saw no reason to include their NAC product in our NAC eval.
Once he saw I had no interest in further discussions, he tried to get other names out of me. He pulled the name of a Vice President off our company website and called him about his great solution for our NAC initiative. Don't sales people realize that when you try to go over someone's head, the VP is just going to pass the message back downstream until it ultimately arrives at my door?
This tool called back today. I should have just told him to leave me alone. Instead I tried to explain to him that he burned a bridge with me by going over my head. He didn't understand that I'm not a tech drone peon. My recommendation is fairly key in any security purchase.
I suspect he is now planning to call the VP again to complain that I won't be buying the Sophos product no matter how much better and cheaper it is. Every Tom, Dick and Harry has a NAC product. Some cold call alone isn't going to encourage me to try one out or even commit an hour of my time to a sales presentation.
I would expect that the type of person looking for a browser other than IE is satisfied by Firefox or Opera. In spite of this, AppleCorp announced a Safari for Windows beta this week.
Shortly after that, Bugtraq number 24433 was posted regarding Unspecified Remote Code Execution and Denial of Service Vulnerabilities.
Here's a link to the securityfocus article.
I installed the Cisco VPN version 5 on my laptop today, and I noticed what looks like a privilege escalation vulnerability. This doesn't seem to be the vulnerability Cisco discusses here relating to the dialer portion of the program. This is a much more trivial thing.
The first thing I did was check another system. On an XPsp2 system with version 4.6 installed, the Interactive user has Modify permissions. As we all know, the Interactive user is a special account representing any user who is logged on interactively. In other words, this is someone who has the Log on Locally privilege and has logged on locally. So basically anyone who can log onto my computer (e.g. any other employee). At that point they have two choices: do they want to wait for a system reboot and get LocalSystem rights, or do they want to wait for someone with local admin rights to try to use the VPN?
Surely this was fixed in version 5, I thought. No, in version 5, Interactive has full control rights.
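The Cisco VPN client above and the Russinovich post earlier on this page describe the same condition: a service binary or install folder that a low-privilege principal can modify. Here is an added PowerShell audit (not from the original post, and not Cisco's or Sysinternals' tooling) that enumerates installed services and reports any executable or parent directory where INTERACTIVE, Users, Authenticated Users or Everyone hold a write-class right. The list of principals and the set of "write-class" bits are my assumptions.

```powershell
# Added example: find services whose binary or install folder a non-admin user can modify.
$lowPriv = @('NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')
# Any of these bits lets the holder replace the file or change who can; Modify and FullControl include them all.
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

function Get-WeakAce([string]$Path) {
    # Return Allow ACEs on $Path that grant a write-class right to a low-privilege principal.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeBits) -ne 0
    }
}

Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $raw = $svc.PathName            # raw command line: quoted or unquoted path, possibly with arguments
    if (-not $raw) { return }
    $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
    foreach ($target in @($exe, (Split-Path $exe -Parent))) {
        foreach ($ace in Get-WeakAce $target) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName   # LocalSystem here is the escalation path described above
                Path      = $target
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
} | Format-Table -AutoSize
```

Anything reported should be fixed by removing the offending ACE (icacls, or the vendor's corrected installer) and re-running the audit after every software install, since installers are where these permissions come from.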
I performed some tests by removing SAV and deleting capicom.dll, and then installing SAV 10. In spite of what I'd read online and reported here, SAV doesn't seem to be installing a version of capicom.dll.
It appears in my case that the file is just left there, as Microsoft reported in the bulletin. Microsoft reports that this is not a vulnerability. Unfortunately, my vulnerability scanner still doesn't see it that way. So I need to remove or update this DLL file. I'm concerned that this may cause problems with unknown applications using this DLL.
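Before removing or replacing the DLL, it helps to know every copy on the box and which running processes have it loaded. This is an added PowerShell inventory (not from the original post); the minimum version is a placeholder to be filled in from the Microsoft bulletin, and the recursive search of the system drive is an assumption about where stray copies live.

```powershell
# Added example: list every capicom.dll on the system drive with its version, then show which
# running processes currently have one loaded (the "unknown applications" worry above).
$MinimumVersion = [version]'0.0.0.0'   # PLACEHOLDER: the patched CAPICOM file version from the bulletin

$copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter capicom.dll -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        # Build a comparable version from the numeric parts; FileVersion strings are not always clean.
        $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path     = $_.FullName
            Version  = $ver
            Outdated = $ver -lt $MinimumVersion
        }
    }
$copies | Format-Table -AutoSize

function Get-ProcessUsingModule([string]$ModuleName) {
    # Module lists of protected or other users' processes are not readable without elevation;
    # skip those instead of aborting the scan.
    Get-Process | ForEach-Object {
        $p = $_
        try { $mods = $p.Modules } catch { return }
        $mods | Where-Object { $_.ModuleName -ieq $ModuleName } | ForEach-Object {
            [pscustomobject]@{ Process = $p.ProcessName; PID = $p.Id; Loaded = $_.FileName }
        }
    }
}
Get-ProcessUsingModule 'capicom.dll' | Format-Table -AutoSize
```

Run it elevated to see services as well as your own session; a process that appears in the second table is the one that will break if the file is simply deleted, so update that copy rather than remove it.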