General: December 2007 Archives

I just saw that CourtTV (CourtTV is TruTV as of 1/1/2008) had a pen testing show called Tiger Team that aired a couple of times last week. GrumpySecurityGuy calls it "It Takes a Thief" with a security twist.

Don't go in expecting this show to be about a Red Team in a dark room somewhere running zero-day attacks while the Symantec Security NOC is soiling themselves because green lights turn to red on a big board on the wall. It doesn't look like we're going to see Chloe say "it's ok, we've got the Cisco Self-Defending Network". The episodes I've seen have had the team attempt to penetrate small, very secure businesses. You don't need to bust through a firewall or wait for a phishing reply when you can just hand someone a USB key and ask them to print out a document from it.

The team has a social engineer, a computer security guy and a physical security guy (if I remember the introductions correctly). In the first caper they take down security at a high-end car dealership. In the second episode they go after an elite, exclusive jewelry design shop. Both episodes were a heck of a lot of fun.

Hopefully we'll be seeing more of these episodes. I don't see any upcoming episodes in the program guide data. I also couldn't find the episodes on the CourtTV website. I had to bittorrent them (kids, don't try that at work).

Overindulging in alcohol can have tragic consequences if you get behind the wheel. Calling your company's tech support at 3am while drunk won't kill anyone, but it can't be a great career move.

Link (warning NSFW language)

A FISMA audit found that having a sign at the building entrance warning that all bags are subject to search is not enough. Physical security must actually search bags occasionally. Since then, on a periodic basis, security has set up a table by the entrance most employees use.

I ran into that mess on Friday afternoon. The timing of this security checkpoint says it all. If they were trying to find something, they wouldn't run a checkpoint on the Friday before New Year's. They were just trying to check off a box, not increase security. I got "lucky". They were stopping one person in five. They had me take out my laptop, verified that the portable property pass was valid for it, and had me hold open another zippered compartment in the bag.

Did it annoy me? Heck yeah it did. I'm trying to figure out why. Is my annoyance based more on the intrusion of it, or on the meaninglessness of it? I could have exited the building through three other doors without that hassle. I could carry out anything on a weekend without challenge; the doors are unmanned on the weekend. The check was so cursory it didn't have much chance of finding anything.

The New York subway bag checks can be refused if you turn around and walk away. The bag/receipt checkers at Wal-Mart can be ignored. Work bag checks are more problematic. Not following company policy can get you fired. If you have a security clearance, that could be revoked for not following security procedure.

It would help if I felt like the package inspection was more than security theatre. I'd like to at least know who the theatre is for. The employees don't feel safer because of it. I think it's theatre for the auditors and for the DoD.

Employees always feel that our computer security policies are too restrictive. Unlike this package inspection, most of the time we explain the need for them. It's only with the employees who try to debate the issue to death that we then point to external requirements such as FISMA.

My desktop is coming off lease at the end of the month, so I was wiping it before returning it to the help desk. I decided to give Secure Erase another shot.

Secure Erase uses the drive's built-in ATA security commands to purge the data from the hard drive. This is supposed to be both more secure and faster than overwriting the data with 1s and 0s to the DoD standard. Also, its operation has been verified, unlike the many overwrite utilities that can be downloaded from the Internet.

In order to wipe a SATA drive with Secure Erase, the FAQ says I need to go into the BIOS and change the SATA settings to compatibility mode. Once I did this, Secure Erase was able to see my hard drive. After selecting that drive to wipe, I received a prompt that the system BIOS prevents this operation and I must reboot for HDDerase to attempt to override the BIOS. Rebooting didn't help. It seems some BIOSes lock the drive against ATA security commands at boot, so they are rejected after an OS has been loaded. The promise of a faster and more secure disk sanitization was nice, but in practice I couldn't get it to work on my computer. Even if I had found a way to unlock the drive, it is more complicated than what the help desk is doing now. The overwrite may take a while, but it is non-interactive; it can be left running overnight. Secure Erase would require too many steps before the program could run.

As I wrote about last week, there is a critical vulnerability in Flash that needs to be patched. For the past couple of years, I've been updating the Flash IE plugin and ignoring the Flash plugin for other browsers. In our environment IE7 is currently the supported browser. My feeling is that if you know enough to install non-sanctioned browsers, you know enough to maintain them. (When the vulnerability scanner finds out-of-date software that we didn't supply, we notify the user to patch it.)

This time around, I was thinking of patching the Flash plugin for Mozilla/Opera/Netscape as well. The last Flash update I pushed disabled the Flash update checker through an mms.cfg file. If an IT department is managing the Flash install, as we are for the Flash plugin for IE, then we don't want users updating on their own. I've also found that the update message causes calls to the helpdesk. It's easier if users only get update messages from us. The problem with this plan is I suspect the mms.cfg I dropped on the client is preventing the user from receiving Flash update messages for the Mozilla/Opera plugin. Because of this concern I decided to take a look at installing the Flash plugin for Mozilla/Opera browsers.

As you have probably gathered from this post, Adobe Flash has one install for IE and another for "plugin based browsers" (Mozilla/Opera). As all companies should, we use Adobe's free license for distributing internally. This provides us with access to MSI builds that aren't funkified with nasty added toolbars.

The best practice for installing Flash is to close all programs that use Flash prior to installation. In addition to web browsers this includes IM programs like AIM that use Flash in the advertisements. In my experience, with the IE Flash install you can get away without doing this. You can run the install silently. Flash will automatically update whenever the browser is closed.

When updating Flash for Firefox, I tried this same technique. Unfortunately it did not work. After installing Flash for Mozilla with no errors, I went to http://www.adobe.com/go/tn_15507 to test what version I'm running. It says I'm running 9.0.47.0 instead of 9.0.115.0. I closed Firefox and reopened it: no change. I rebooted: no change.

Add/Remove Programs indicates "Adobe Flash Player 9 Plugin" is at version 9.0.115.0. Every copy of NPSWF32_FlashUtil.exe on the system is at 9.0.115.0. NPSWF32.dll in %windir%\system32\macromed\flash is at 9.0.115.0. It's only NPSWF32.dll in c:\program files\mozilla firefox\plugins that isn't at the new version. This is a serious problem because if you didn't go to the version test website, you would believe you are patched, and most vulnerability scanners will believe you are patched.

Even if you later figure out what has happened, you are in a pickle. Once you have installed the Flash 9 Plugin and gotten into this situation, you can't run the patch again. It's already installed. A repair didn't seem to work for me either. You really should have closed Firefox before performing the Flash update to avoid this issue.

If you find yourself in this situation, you'll need to follow the instructions at http://www.adobe.com/go/tn_14157 (make sure you close everything that uses Flash). Then run the Flash test using the appropriate browser to verify that it's really gone. Then reinstall (make sure you close Firefox this time).

If I'm going to package this for an enterprise, I'm going to need to check for Firefox being open and either prompt the user to close it or kill the process prior to installing this update. Another possibility mentioned by my brother is to deploy the msi package via AD so it installs at boot.
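The two checks described above, written up as one added PowerShell script (example code, not the post's own and not Adobe's): it inventories the NPSWF32.dll copies in the two locations the post names and compares their file versions numerically against the expected build, refuses to run the installer while firefox.exe is running, and re-checks afterwards so a silent install that left the Firefox plugins copy at the old version is reported instead of trusted. The expected version, the installer path and the log path are assumed parameters.

```powershell
# Added example (not from the original post): check Flash NPAPI plugin copies,
# make sure Firefox is closed, install silently, then verify the result.
param(
    [string]$ExpectedVersion = "9.0.115.0",                                      # version from the post
    [string]$InstallerPath   = "\\server\share\install_flash_player_9_plugin.msi" # assumed path
)

# Locations named in the post; both must end up at the expected version.
$pluginPaths = @(
    "$env:windir\system32\macromed\flash\NPSWF32.dll",
    "${env:ProgramFiles}\Mozilla Firefox\plugins\NPSWF32.dll"
)

function Get-FlashPluginVersions {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (Test-Path $p) {
            # Build a [version] from the numeric parts rather than parsing the
            # FileVersion string, which Adobe formats with commas ("9,0,115,0").
            $vi = (Get-Item $p).VersionInfo
            $v  = New-Object Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            New-Object PSObject -Property @{ Path = $p; Version = $v; Present = $true }
        } else {
            New-Object PSObject -Property @{ Path = $p; Version = $null; Present = $false }
        }
    }
}

# Compare as [version] objects, never as strings: "9.0.47.0" sorts after "9.0.115.0" as text.
function Get-StaleFlashPlugins {
    param([string[]]$Paths, [string]$Expected)
    Get-FlashPluginVersions -Paths $Paths | Where-Object {
        $_.Present -and ($_.Version -lt [version]$Expected)
    }
}

$stale = @(Get-StaleFlashPlugins -Paths $pluginPaths -Expected $ExpectedVersion)
if ($stale.Count -eq 0) {
    Write-Host "All Flash plugin copies are at $ExpectedVersion or newer; nothing to do."
    exit 0
}
$stale | ForEach-Object { Write-Warning "Stale plugin: $($_.Path) is $($_.Version)" }

# The root cause in the post: the installer ran while Firefox held NPSWF32.dll open.
$ff = @(Get-Process -Name firefox -ErrorAction SilentlyContinue)
if ($ff.Count -gt 0) {
    Write-Warning "Firefox is running (PID $($ff.Id -join ', ')). Close it before installing, or the plugins copy will not be replaced."
    exit 1
}

# Silent MSI install with a verbose log (log path assumed).
$log = "$env:TEMP\flash_plugin_install.log"
Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$InstallerPath`" /qn /L*v `"$log`"" -Wait

# Re-check: Add/Remove Programs reporting the new version is not proof the DLLs were swapped.
$stillStale = @(Get-StaleFlashPlugins -Paths $pluginPaths -Expected $ExpectedVersion)
if ($stillStale.Count -gt 0) {
    $stillStale | ForEach-Object { Write-Warning "Still stale after install: $($_.Path) is $($_.Version)" }
    Write-Error "Install finished but plugin copies remain stale; see $log"
    exit 2
}
Write-Host "Flash plugin updated to $ExpectedVersion in all locations."
```

Exiting non-zero when Firefox is open lets a deployment tool retry later (or at boot, as suggested above) instead of recording a success that the version test page would contradict.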

It looks like I'm not the only one who has problems with Flash and Firefox. Michael Horowitz, in his CNET blog "Defensive Computing", wrote about it here.

He also comments about all the old versions of Flash. Frequent readers may recall that I've been wondering about those myself. I found this Adobe FAQ that indicates it is not necessary to remove the older versions of the IE ActiveX plugin. But this fails to answer the question about the Mozilla-type plugins. I'm fine leaving the old versions.

What a pain.

Just when you thought you were done patching for the year, Adobe releases a security bulletin for Flash.

Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier need to be patched.
Don't forget this needs to be verified for each browser you're running.

I wrote last week how my Vista tablet cratered shortly after I installed Symantec Endpoint Protection 11. I've rebuilt that computer, and decided not to do any more testing with SEP for a while. If I didn't have Symantec coming in sometime soon for a NAC demo, I'd be evaluating McAfee Total Protection for Enterprise.

Today I came in after a few days off and found that my desktop is out of hard drive space. After looking around I found 18.6 GB of files in c:\program files\common files\Symantec shared\. Most of these files were in directories named *.tmp. Now I know this sort of thing happened in previous versions of Symantec as well, but it hadn't happened to me, and it hadn't happened within weeks of installation.


eWeek has an interesting article on phishing drills. As the article points out, this isn't a new concept, but providing the drill as a service makes it a lot easier to implement. phishme.com is a new service (not yet available) from Intrepidus. It's a paid service that allows you to set up a mock phishing exercise to evaluate your employees' response to phishing and educate them if they fail.

It looks good; a Flash demo on the site shows reports of how many recipients clicked the link and how many actually attempted to input information at the "phishing" site.

I find myself wondering a couple of things. Will they differentiate people who followed the link using a text browser from those who used a regular browser? That would indicate that they are investigating the link rather than falling for it. I'm also wondering if this test would run into problems with existing defenses. If I have to whitelist their sending IP, that will show up in the mail headers. The users would then have an affirmative defense that they checked the source of the email and saw it was whitelisted.

It's been several years since I've seen this, but I ran across it again while reading some of JD's posts on his old blog.

I am posting this as a reference for myself. "How to Ask Questions the Smart Way" is a must read. It's not only good for asking questions on the Internet, but for life in general. For all of the Microsoft die-hards, check out the KB article. It is a good summary. http://support.microsoft.com/kb/555375

http://www.us-cert.gov/current/index.html#microsoft_access_database_file_attachment

US-CERT is aware of a stack buffer overflow vulnerability in the way that Microsoft Access handles specially crafted database files. Opening a specially crafted Microsoft Access Database (e.g., .MDB) can cause arbitrary code execution without requiring any additional user interaction. Microsoft Access files are considered to be high-risk, so it may be possible to execute arbitrary code without using a vulnerability in Microsoft Access.

US-CERT is aware of active exploitation using malicious Microsoft Access databases.

To help protect against this type of attack, US-CERT recommends the following:

Do not open attachments from unsolicited email messages
Block high-risk file attachments at email gateways

I noticed today that LiveUpdate on my home computer wasn't working. The definitions were at November 21, 2007. When I attempted to run LiveUpdate manually I received an error "LU1825: LiveUpdate could not understand how to install this update. You may need to get the latest version of LiveUpdate before you can install this update."

I'd previously been following threads about this problem over at Broadband Reports and at the Symantec Forums.

I followed the advice here to either reboot or restart the Symantec AntiVirus service. I restarted the SAV service and immediately LiveUpdate worked. I've had this problem on SAVCE 10.1.6 and 10.0.1, but I've seen postings from users of Symantec AV consumer products as well.


http://www.fcw.com/online/news/151014-1.html?CMP=OTC-RSS

The Air Force is establishing a professional force of cyber operators and developing cyber career paths for officers, enlisted personnel and civilians. The new Air Force Cyber Command and the Air National Guard are among the focal points of the plan.

I wonder what sort of boot camp these cyber warriors will go through.

Google has added AIM to Google Talk. For companies like mine, I'm not sure this is a good thing. We implemented IM security after one too many people got infected and the helpdesk was flooded with calls as their computer sent IMs to everyone in their buddy list. For other companies it is a compliance issue rather than a security issue: they need to have IM logs.

It's pretty easy to protect the public IM clients using business solutions from Symantec, Akonix or FaceTime. IM over HTTP is another matter. Google has always made it tough to block GTalk over HTTP by integrating it with Google Mail. I haven't yet heard of a way to block Google Talk without blocking Google Mail. Now they've added AIM to the mix.