General: July 2007 Archives

I'm reviewing our Site Security Plan in preparation for an audit. In the section for Physical and Environmental Protection Policy it says:

" has an active fire safety program with continuous training for all staff."

It's a wonder we get anything done if the fire safety training never ends.

Due to some over-enthusiastic checkbox checking by an SMS admin who was rolling out patches through ITMU, IE7 was deployed to our users this week. We had a package for IE7 created with the IEAK that had been deployed to test groups, but it wasn't yet the scheduled time for deployment. Because this went out early we didn't have a chance to educate users about differences in IE7, which led to a rather amusing complaint.

It seems if you go to http://www.us.army.mil it redirects you to an SSL version of the page. The site is using a DoD-issued certificate which of course is not in the trusted root store. As a result the user gets the new dire warning about the certificate and calls the help desk. As with most louts, this one was stridently anti-Microsoft, proclaiming if the Army security isn't good enough for Bill Gates, I don't know what would be. Rather than pointing out the many hacks of Army computers, we let him know that he saw a similar message when using IE6 and would see a similar message even if he used Firefox. This has nothing to do with Bill Gates not trusting the Army. It has everything to do with the Army not rooting to a commonly trusted CA. It's working exactly the way it should be. If he has reason to trust that certificate and trust its issuer he can certainly choose to trust it and not see that message again.

I imagine shortly the users will ignore the IE7 dire warning the way they blindly chose yes when prompted in the past.

Looks like another Firefox vulnerability is going to lead to another patch.

As Jesper says,

We recommend people use Internet Explorer in Protected Mode on Windows Vista and practice safe browsing habits to protect themselves against these vulnerabilities in Mozilla Firefox.

In George Ou's blog entry titled "Email Security Has been around forever, you just have to turn it on" George asserts

"My current DSL provider AT&T like most ISPs supports SSL encryption on POP3 and SMTP and it's as simple as a checkmark and using ports 995 for POP3 and 465 for SMTP instead of the usual ports 110 and 25"

I wasn't aware that my ISP, Cox Communications, offered POP over SSL so I decided to give it a try. It's actually listed on their support site. I just wasn't aware of it. It looks like they started this about a week or two ago.

I placed a check in the "this server requires a secure connection" box and changed the pop3 server name to spop.east.cox.net and I was set.

Now if only Cox would enable SSL for webmail communications like they said they would do 7 months ago. According to posts from Cox employees at Broadband Reports, webmail SSL will be coming soon.

Some users would like SMTP over SSL. Currently Cox does not use authentication for SMTP, so what is there to protect? If you argue the data of the message, I would suggest if the data is so important use S/MIME. Because Cox SMTP is used on-network only, you're less likely to be sending mail from an insecure location requiring client-to-server SMTP encryption.

How many times have I gone over to a friend's house and ended up working on their computer. Sometimes it's fixing something, but often it's making sure their third party applications are patched. Microsoft makes it really easy to deploy their patches, but every other application is often ignored. For a while now, I've used Secunia's software inspector, which is a web based tool to check for vulnerable software versions. Now Secunia has released a software version of this product. It's free for home use and includes a privacy notice that should make most people who aren't software pirates sleep easier about allowing this inventory.

Personal Software Inspector 0.1.0.0 Beta installed easily and quickly performed a software inventory. It didn't find anything on my system. I don't know of anything that is out of date right now so that is probably accurate.

It checks more than 4,200 applications. According to the website, if it had found something, I would have been prompted with a link to the update. That might be easy enough for the non-techies to follow.

Their web version does tend to complain about old versions of flash. The only way to fix this is to download and run a Flash uninstaller, then immediately install the latest version of Flash.

Normally, I wouldn't tell my friends to install a version 0.1 beta product but this seems like the benefits will outweigh the risks.


The initial scan actually hadn't completed before. It turns out that Secunia gives me a score of 74% on my home system!

Some of these things are old flash files in the i386 directory or an old version of SAV (not installed mind you) that I had extracted for packaging.

I wish the product would allow a user to export all this information so I could have a less knowledgeable user export this info and mail it to me for clarification.

Apparently the Apple fanboys are continuing with their mantra, "it's not a vulnerability until there is a public demonstration". Of course we know that's not true. Even after public demonstrations of a wireless vulnerability last year at Blackhat, Apple and its defenders mounted a smear campaign against the researchers. It also ignores that the reporters are associated with Johns Hopkins, which lends credence to the "researchers". It has also been demonstrated to the reporters at the New York Times.

This fanboy response reminds me of the head-in-the-sand response of Microsoft and its defenders until Slammer, Sasser and Blaster made it hard to mount a defense. There is a difference between denial and taking a wait and see attitude.

The bad guys I worry about don't wait for a public demonstration.

Securityfocus has an interview with DCT, a developer of MPack.

DCT says, "Well, I feel that we are just a factory producing ammunition." Ammunition can be used for multiple purposes. You can hunt game and provide food for your family. You can shoot targets and have hours of entertainment. You can defend yourself and others against bad guys. You can commit a 187. Mpack can't make that claim. Its sole use is criminal. Exploit as ammunition is an argument that Metasploit can make. That can be used for legitimate purposes. I don't see that with Mpack.

DCT also tries to push the idea that they are just a bunch of guys having fun in their spare time. He/she scoffs at the idea that Mpack is related to the Russian Mob.

One of the benefits of frequent Quicktime patching is that each time I do it becomes easier. The last couple of times, I think I copied the MSI, tested and I was done.

With 7.2, I ran into a bit of a snag. It seems that the first time each user uses the shortcut in the start menu, Quicktime does a brief mini-install. I'm not sure if this is by design or if I've done something to set it off. The result of that mini-install is the desktop and quick launch icons are recreated. I see a post from over at appdeploy commenting about this issue as well.

The only way to avoid this that I've found is to delete the start menu items for Quicktime and recreate new shortcuts without the MSI baggage.

Through reading comments over at Brian Krebs' Security Fix, I found out that Quicktime 7.2 is not supported on Windows 2000. Just to verify that for myself, I tried installing on Windows 2000 and found that only XP and Vista are supported.

Windows 2000 is slowly riding into the sunset, however Microsoft still supplies security patches for the OS. I'm not sure what extra cost Apple would incur by allowing the software on Windows 2000. At this point, I think I have no other choice but to uninstall Quicktime from the remaining Windows 2000 computers.

I've lost track of how many times I've updated Quicktime this year. Over on zdnet, I believe they said this is the 5th update. I recall at the last update, I questioned whether we really needed this software or not.

Apple Security Bulletin
Multiple arbitrary code execution vulnerabilities.

http://www.adobe.com/support/security/bulletins/apsb07-12.html

Critical vulnerabilities have been found in Adobe (Macromedia) Flash. These vulnerabilities would allow an attacker to run hostile code if you visit a site hosting the exploit.

All users of Flash need to upgrade to version 9.0.47.0.

All those people who installed Firefox and then don't use it at all have now opened themselves to a new vulnerability.

http://www.us-cert.gov/current/index.html#microsoft_internet_explorer_remote_code

US-CERT is aware of a public exploit code for a new vulnerability targeting Microsoft Internet Explorer. The public exploit code demonstrates the vulnerability using the Mozilla Firefox firefoxurl:// URL protocol. To trigger this vulnerability, an attacker must persuade a user who has Firefox installed to access a specially crafted web page with Internet Explorer.


US-CERT will provide additional information as it becomes available.

Google has purchased Postini for $625 million (US). The purchase is believed to be designed to shore up corporate confidence in Google products.

Does this validate the "in the cloud" model of scanning?

I wonder how long MessageLabs will remain separate. They recently spun off Star, their UK ISP for business.

I've been wondering for some time if old versions of Flash on a computer are a vulnerability or not.

Today while looking into the vulnerability of Flash for Mozilla, I found an article from Adobe which states:

"For Internet Explorer, only one version of Flash Player can be registered for use at any time. Older files can be removed, but this is not required as part of the update."

So that solves one mystery but I'm left with the one I was originally researching.

Flash uses a separate install for Mozilla and Opera. Those files get installed to the browser's plugins directory. Although I have the latest version of Flash for IE installed, when I run a version test from my Firefox browser, I find that it is running an old version.

This makes me worry that the Firefox users may remain vulnerable to any Flash vulnerabilities that are not IE specific.
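A small check for exactly that worry, added here as an example (not code from the original post or from Adobe): it normalises the version strings Flash reports in its various places and flags any browser whose copy is older than the 9.0.47.0 build from the APSB07-12 post above. The registry location used by the Windows-only helper is an assumption, not something the page states.

```python
"""Added example, not from the original post: compare the Flash Player each
browser actually loads against the build fixed by APSB07-12 (9.0.47.0). The
IE ActiveX control and the Mozilla/Opera plugin are separate files, so each
browser is checked on its own."""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "9.0.47.0"   # from the APSB07-12 post above

def parse_flash_version(raw: str) -> Tuple[int, ...]:
    """Accept '9.0.47.0' (file version), '9,0,47,0' (registry style) and
    'WIN 9,0,28,0' (what the player's GetVariable('$version') returns).
    A missing fourth field is treated as 0."""
    digits = [int(d) for d in re.findall(r"\d+", raw)][:4]
    if len(digits) < 3:
        raise ValueError(f"unrecognised Flash version string: {raw!r}")
    while len(digits) < 4:
        digits.append(0)
    return tuple(digits)

def outdated_players(found: Dict[str, str], fixed: str = FIXED_VERSION) -> List[str]:
    """Return the browsers (sorted) whose Flash build is older than `fixed`."""
    target = parse_flash_version(fixed)
    return sorted(b for b, v in found.items() if parse_flash_version(v) < target)

def ie_registered_version() -> str:
    """Windows-only helper. Assumption (not from the page): the registered
    ActiveX control records its build in the registry value
    HKLM\\SOFTWARE\\Macromedia\\FlashPlayer\\CurrentVersion as '9,0,47,0'.
    Returns '' when the key is absent or when not running on Windows."""
    try:
        import winreg  # only exists on Windows
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Macromedia\FlashPlayer") as key:
            return str(winreg.QueryValueEx(key, "CurrentVersion")[0])
    except (ImportError, OSError):
        return ""

# Constructed sample: a current IE control beside a stale plugin left in
# Firefox's plugins directory, the situation the post describes.
SAMPLE_INVENTORY = {
    "Internet Explorer (ActiveX)": "9,0,47,0",
    "Firefox (NPSWF32.dll plugin)": "WIN 9,0,28,0",
}

if __name__ == "__main__":
    for browser in outdated_players(SAMPLE_INVENTORY):
        print(f"{browser}: Flash {SAMPLE_INVENTORY[browser]} is below {FIXED_VERSION}")
```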

I was having some trouble with my home wireless network today. I hadn't looked into netstumbler on vista until this evening. I was hoping to use that to see what channels my neighbors were running on. A quick search found this article:

C:\netsh

netsh>wlan show networks mode=bssid (if you like all the geeky stuff [and who doesn't?] like rates supported, channel, signal strength)

or

netsh>wlan show network (an abbreviated version with just SSID, authentication and encryption types)

Yeah, it's really basic, but it was exactly what I wanted. Netstumbler says it works on XP or greater (no Linux jokes please). But it doesn't seem to actually work on Vista.
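To get the channel picture the post was after, here is an added example (not from the original post or from Microsoft) that parses the text `netsh wlan show networks mode=bssid` prints into one record per BSSID, tallies channels in use, and lists any networks that are open or still on WEP. The sample output is constructed in the shape of netsh's listing, not a real capture.

```python
# Added example (not from the original post): parse the output of
# `netsh wlan show networks mode=bssid` and summarise channels and weak SSIDs.
import re
from collections import Counter

# Constructed sample in the shape of the netsh listing, not a real capture.
SAMPLE_NETSH_OUTPUT = """\
There are 2 networks currently visible.

SSID 1 : HomeNet
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 80%
         Channel            : 6

SSID 2 : linksys
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 66:77:88:99:aa:bb
         Channel            : 6
    BSSID 2                 : 66:77:88:99:aa:bc
         Channel            : 11
"""

# "Key [n] : value" lines; the optional number covers "SSID 1" / "BSSID 2".
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)(?: \d+)?\s*:\s*(.*?)\s*$")

def parse_netsh_networks(text: str) -> list:
    """One dict per BSSID; SSID-level auth/encryption are copied onto each."""
    records, ssid_info, current = [], {}, None
    # Lines without a "key : value" shape (headers, blanks) are skipped.
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, value = m.group(1).strip().lower(), m.group(2)
        if key == "ssid":
            ssid_info = {"ssid": value}
        elif key in ("authentication", "encryption"):
            ssid_info[key] = value
        elif key == "bssid":
            current = dict(ssid_info, bssid=value)
            records.append(current)
        elif current is not None and key in ("signal", "channel"):
            current[key] = value
    return records

def channel_usage(records: list) -> dict:
    """Count of visible BSSIDs per channel, e.g. {'6': 2, '11': 1}."""
    return dict(Counter(r.get("channel", "?") for r in records))

def weakly_protected(records: list) -> list:
    """SSIDs that are open or on WEP, which no longer keeps an eavesdropper out."""
    return sorted({r["ssid"] for r in records
                   if r.get("encryption", "").upper() in ("NONE", "WEP")})
```

On Vista, pipe the real listing in with `netsh wlan show networks mode=bssid > networks.txt` and pass the file contents to `parse_netsh_networks`.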