General: January 2008 Archives

One of the things I've been doing this week is learning about the Federal Desktop Core Configuration (FDCC).

You've probably read about it this past week. The short version is that it is a Federal-government-wide configuration standard for Windows XP and Vista.

Under FISMA, you just had to have a standard and apply it. With FDCC, every agency is supposed to apply the same standard. The FDCC falls prey to a number of fallacies. Its developers seem to be tweakers, that is to say they appear to believe that the more settings you change, the more secure the computer is. That is just never a good idea. They appear to have started from something stricter than Microsoft's SSLF (Specialized Security - Limited Functionality) baseline, the template for standalone, high-security, limited-functionality systems, and only relaxed settings where they absolutely had to.

The mistake I wanted to write about in this blog entry is the setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". This setting is required for both XP and Vista under the FDCC. This policy should never be used.

The policy refers to FIPS 140-1, which is kind of funny since the government requires FIPS 140-2. What isn't so funny is what it does to Schannel: SSL 2.0 and 3.0 are disabled, and the only thing left is TLS 1.0 with the single cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA, so any site or server that does not offer that suite becomes unreachable. EFS on XP is dropped from AES-256 to 3DES. .NET applications that use the non-validated managed crypto classes (RijndaelManaged, SHA256Managed and friends) start throwing InvalidOperationException as well.

When applying a security hardening policy, understand what each setting will do. Test first in a non-production environment. Document the justification for every deviation from the standard you are following.

SANS blogged about the latest Java 1.6 Update 4 release back on January 12th. Brian Krebs today wrote a piece in his Washington Post blog Security Fix.

I admit it. I have no idea whether or not this update is critical. SANS seemed to say 'you might want to do this soon.' Brian said 'it contains some security fixes. You should update.' I'm looking around to see how Sun categorizes this fix. Microsoft would be letting me know if it's critical or important, if exploits are available and how an attack might occur. Cisco would use the CVSS standard, which is pretty cool. Even after reviewing Sun's release notes I don't have a clue.

I kind of want to say no news is good news. We need to keep the enterprise-wide reboots caused by software updates to a minimum. I just hope I don't open my RSS reader one day and read about an exploit in the wild that would have been patched if I had deployed this. I'll keep this one on the back burner and deploy it if Adobe, Flash and QuickTime slow their vulnerability circus for a while.

I'm staying up way too late tonight reading some NAC literature. I thought this quote was pretty funny.

"By year-end 2007, 80 percent of enterprises will have implemented network access control policies and procedures." John Pescatore, Gartner Inc.
J. Pescatore et al., Protect Your Resources With a Network Access Control Process. Gartner Inc., 2004

That quote was in the Sophos literature.

How's that one turning out?

Perhaps the following explains the trouble I had with SEP 11 and Vista.
From an email sent to Platinum customers:

Update: Eraser Engine update - 01/18/07

Symantec has released an Eraser Engine update today, January 18th US Pacific Time. This update replaces a planned AV Engine update that was announced in a previous Platinum Bulletin. It addresses an issue seen by some customers using Symantec Endpoint Protection 11 on Windows Vista which in rare circumstances could cause the system to become unstable. Following this update, the AV Engine and Eraser will have the following versions:

naveng32.dll: 71.4.0.23
ccEraser.dll: 107.4.1.2

At a SANS SCADA conference in New Orleans, CIA senior analyst Tom Donohue reported that cyberattacks have caused multi-city power outages outside the United States.

Rob Rosenberger writes a good article about this here.

It is pretty scary to know that there are forces out there plotting to keep us in the dark with no heat or AC. But why am I getting sidetracked with what some people want to require in California?

This reminds me of another time SANS reported that hackers had threatened the lives of scientists at the South Pole. They purportedly hacked an environmental control system and attempted to extort payment, or all the scientists would freeze to death. According to this Kevin Poulsen article, a FOIA request uncovered a memo about that incident which said it was minor. "Given the fact that no financial records or systems were compromised, no safety or loss of life was threatened, and no critical system corrupted" by the Romanian hackers, "we need to balance legitimate security needs with the legitimate needs of our scientists at the Pole."

It sounds to me as if, in both the South Pole case and this new report of blackouts, the threat of cyberterrorism is being promoted in order to advance an agenda. Without details it's just FUD.

Of course utilities should be taking precautions, but if the past decade is any indication the public has more to worry about from hurricanes (New Orleans) and general screwups (the Northeast blackout).

David LeBlanc takes the occasion of an Excel zero-day to say "see, I told you so." Excel 2003 SP3 is not vulnerable.

I'd like to know if SP3 is not vulnerable because of the disabling of support for old file formats, or if it's not vulnerable due to the other assorted fixes in the service pack. David implies it's the latter, saying "We did a _lot_ of work fuzzing our apps and fixing bugs. While I'll never claim that SP3 is unbreakable, it's a lot more robust than Office 2003 was previously, and this probably won't be the last time we see an advisory over something that affects SP2 but not SP3."

I was just thinking that if it's not vulnerable because obsolete file formats are disabled (security over backwards compatibility), then people who follow the information in this KB to re-enable those file types are still vulnerable. I guess we'll find out when the patch is released and more information is available. Until then I'm going to go put a bug in someone's ear at work about upgrading to SP3. We can't afford to wait until all of our other apps support Office 2007.

QuickTime 7.4 is out

For detailed information on the security content of this update, visit http://docs.info.apple.com/article.html?artnum=307301

You are insecure. I'm not talking about your need to own an SUV even though, if you ever had to move something, you'd need to rent a truck to avoid damaging the leather seats. It's your computer that is insecure.

According to statistics gathered from Secunia Personal Software Inspector users, pretty much every computer running Secunia PSI has at least one vulnerable application installed. Secunia defines a vulnerable application as one for which an update is available.

I would comment that Secunia reports on old versions of Flash installed. Adobe reports that those old installs are not vulnerable. I bet that trips up the most conscientious user. Others haven't taken the time to exclude archive directories. When I first installed Secunia PSI it complained about old versions of files in system archives.

Even with that minor quirk, these numbers are amazing. If you've installed Secunia PSI, you probably care about keeping your non-Microsoft applications patched. Yet it still isn't happening. I think Secunia could help by scanning more often and getting more in your face about it. Currently they seem to scan once a week and pop up a balloon immediately after the scan.

I would still recommend Secunia PSI for all home machines. It is really important to keep these applications patched, and Secunia helps out a lot with that.

Join the many Secunia PSI users - download the PSI and secure your computer today:
https://psi.secunia.com/

I have a whole bunch of Windows XP SP2 systems that give me an error when I attempt to connect to their c$ or admin$ shares: "Not enough server storage is available to process this command."

The remote system's event log records: "Event ID: 2011 Source: Srv Description: The server's configuration parameter "IRPStackSize" is too small for the server to use a local device. Please increase the value of this parameter."

I checked a couple of Microsoft Knowledge Base articles and did a lot of searching on the Internet. It seems that a lot of people have latched onto http://support.microsoft.com/kb/177078 as the only cause and concluded that if you have the error message "Not enough server storage is available to process this command" then it must be Symantec's fault. As I searched, I found person after person with this error message being told they needed to uninstall Symantec. The person with the issue would respond that they had another antivirus product, had never had Symantec installed, and still had the issue. The Symantec blame had specifically to do with NAV 7.6 and 8, which hardcoded the IRP stack size to 8, roughly half of its default value in Windows XP. That doesn't have a lot to do with the issues I'm having. I don't have that registry value at all.

http://support.microsoft.com/kb/285089 is a more helpful article. It describes what the IRP stack is and why you might have a problem with it. The problem is, you're left guessing at what an "appropriate value for your network" is. I also wondered if I could configure this setting globally instead of having to manually configure it on systems exhibiting issues.

I spoke with a Microsoft contact and decided that we were having the problems because of the high number of file-system filter drivers (AV, AS, encryption, backup, etc.) on these systems, and concluded it is safe to adjust this globally. Currently we're using SMS to change the IRPStackSize to 18 (decimal).

This error is really a big problem. It's not very noticeable by itself, but on the systems with the error SMS seemed to not be working, which affects software update distribution. It also hurts the vulnerability scanner's ability to check file versions. Hopefully we are on our way to fixing this problem on a permanent basis.
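Added example, not from the original post: a PowerShell script that audits the two registry settings discussed on this page across a list of machines, the IRPStackSize value and Srv Event ID 2011 from this entry and the FIPS algorithm policy from the FDCC entry above, and raises IRPStackSize where the symptom is present. It assumes the Remote Registry service is running on the targets and that the caller is a local administrator there; the machine names are placeholders. The 11-50 range and the default of 15 come from KB 285089. The loop only changes machines that show the symptom or carry an explicit low value; drop that condition to apply the value fleet-wide the way the post does with SMS.

```powershell
# Added example (not from the original post). Audits and repairs the settings
# discussed on this page over a list of remote machines:
#   - LanmanServer\Parameters\IRPStackSize (REG_DWORD, default 15 on XP, valid
#     range 11-50 per KB 285089; Event ID 2011 from source Srv means too small)
#   - the FIPS algorithm policy behind "System cryptography: Use FIPS compliant
#     algorithms..." (XP: Lsa\FipsAlgorithmPolicy DWORD; Vista: Lsa\FipsAlgorithmPolicy\Enabled)
# Assumes Remote Registry is running on the targets and the caller is a local admin.

$Computers = @('WKS-001', 'WKS-002')   # constructed sample list, not real hosts
$TargetIrpStackSize = 18                # the value the post settled on (decimal)

function Get-RemoteDword {
    param([string]$Computer, [string]$SubKey, [string]$Name)
    # Returns the value, or $null when the key or value is absent.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hive.OpenSubKey($SubKey)
        if ($key -eq $null) { return $null }
        return $key.GetValue($Name)
    } finally { $hive.Close() }
}

function Set-RemoteIrpStackSize {
    param([string]$Computer, [int]$Value)
    # KB 285089: IRPStackSize is a DWORD in the range 11-50 (decimal). Refuse anything else.
    if ($Value -lt 11 -or $Value -gt 50) {
        throw "IRPStackSize $Value is outside the documented 11-50 range"
    }
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', $true)
        $key.SetValue('IRPStackSize', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $hive.Close() }
}

function Get-FipsPolicy {
    param([string]$Computer)
    # Vista stores the flag as Lsa\FipsAlgorithmPolicy\Enabled; XP as a DWORD named
    # FipsAlgorithmPolicy directly under Lsa. Check the Vista location first, then XP.
    $v = Get-RemoteDword $Computer 'SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
    if ($v -eq $null) {
        $v = Get-RemoteDword $Computer 'SYSTEM\CurrentControlSet\Control\Lsa' 'FipsAlgorithmPolicy'
    }
    return ($v -eq 1)
}

foreach ($c in $Computers) {
    # Event ID 2011 from source Srv in the System log is the symptom the post describes.
    $events = Get-WmiObject -ComputerName $c -Class Win32_NTLogEvent `
        -Filter "Logfile='System' AND SourceName='Srv' AND EventCode=2011"
    $irp = Get-RemoteDword $c 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'IRPStackSize'
    $irpText = if ($irp -eq $null) { 'absent (default 15)' } else { $irp }
    $adminShare = Test-Path ('\\' + $c + '\admin$')

    '{0}: IRPStackSize={1}; Srv 2011 events={2}; admin$ reachable={3}; FIPS policy on={4}' -f `
        $c, $irpText, @($events).Count, $adminShare, (Get-FipsPolicy $c)

    # Raise IRPStackSize only where the symptom is present or an explicit value is below target.
    if (@($events).Count -gt 0 -or (($irp -ne $null) -and ($irp -lt $TargetIrpStackSize))) {
        Set-RemoteIrpStackSize $c $TargetIrpStackSize
        "  -> set IRPStackSize to $TargetIrpStackSize on $c"
    }
}
```

The Server service reads IRPStackSize when it starts, so restart that service (or reboot) before re-testing the admin$ share on a machine the script changed. Querying Win32_NTLogEvent over WMI is slow on machines with large System logs; on a big fleet, run the loop in batches.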