General: March 2008 Archives
I was surprised to read that George Ou is out at ZDnet as a result of corporate restructuring. I've enjoyed his writing and have learned from it. I also got a big kick out of how angry he made the Mac people.
I'm assuming that corporate restructuring is the usual code words for layoffs. I can only hope that Mary Jo Foley made that list as well. Ok, so that's a bit mean.
I hope George lands on his feet.
I'm over at a SANS conference this week, learning about wireless security. One thing I found interesting is the instructor's comment that Netstumbler is the most useful tool for war-driving. He felt it handled multiple sessions and a lot of data better than the alternative. I think the GPS integration was better as well.
I hadn't considered Netstumbler since I upgraded to Vista and couldn't get it to work any longer. I wrote about that here. As a side note, it looks like I need to do some search engine optimizing. A search for 'vista Netstumbler' (not in quotes) shows a Security News Portal copy of my RSS feed on page one, but doesn't have my own entry. If I narrow that search to my website, Google finds an old version of the post. An upgrade changed all the underscores in URLs to dashes and removed the old style sheet. So even using Google to search only on my site results in a bad result. But back to the topic at hand...
When I got back from day 1 of the conference, I installed Netstumbler, and again no joy, even when I ran with admin rights. I think Netstumbler needs to stop Microsoft's wireless zero config, and I suspect that Vista isn't letting it do that. That is just a theory however. After that didn't work, I installed the drivers for a card using the Atheros chipset. I plugged that into the PCMCIA slot, and Netstumbler was able to use that no problem.
I haven't nailed down the exact cause of the onboard card not working, but at least I know that with the right card Netstumbler can work with Vista.
Last Friday, one of the guys in the department noticed that when he signed into Cox webmail he would access Cox mailboxes belonging to other employees. He was even able to open messages in those accounts.
I went back to my office and created a test account. There are an awful lot of potential confidentiality violations here. Although I never repeated the results I saw on my co-worker's screen, I did find I would see the Cox inbox for other employees when I selected logoff.
We use BlueCoat SG 810-B to provide HTTP/HTTPS security in web browsing. This additionally provides a proxy cache which in theory saves on bandwidth costs. We haven't had problems previously with Cox Webmail, nor have we had problems with any other webmail or logon based website.
To resolve the problem, I disabled proxy caching on the BlueCoat for webmail.east.cox.net. Immediately the problem went away.
Just to be on the safe side, I checked with my BlueCoat Sales Engineer. He says that cookie based webmail normally works fine as the cookies are non-cacheable by default. Otherwise the webmaster needs to do a better job marking things as non-cacheable. By marking the entire site as non-cacheable I resolved the problem quickly.
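To make the failure mode concrete, here is an added example (not from the post or from Blue Coat) that models how a shared forward proxy decides whether to store a webmail response and hand it to the next user. The header samples are constructed, not captured from Cox, and the "skip responses carrying Set-Cookie" default is my reading of what the Sales Engineer described.

```python
# Added example: would a shared proxy cache store this response and serve it
# to a different user? Sample headers below are constructed, not real Cox traffic.

def _get(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""

def cache_directives(headers):
    """Lower-cased set of Cache-Control directive names, with values dropped."""
    raw = _get(headers, "Cache-Control")
    return {d.strip().split("=", 1)[0].lower() for d in raw.split(",") if d.strip()}

def classify(headers, proxy_skips_set_cookie=True):
    """Return 'not-cached', 'cached-per-cookie' or 'cached-shared' (the leak).

    proxy_skips_set_cookie models the proxy default the SE described: a response
    that sets a cookie is treated as non-cacheable even without cache headers.
    A real proxy also parses Expires dates; only the literal 0/-1 is handled here.
    """
    if cache_directives(headers) & {"private", "no-store", "no-cache"}:
        return "not-cached"
    if "no-cache" in _get(headers, "Pragma").lower():
        return "not-cached"
    if _get(headers, "Expires").strip() in ("0", "-1"):
        return "not-cached"
    if proxy_skips_set_cookie and _get(headers, "Set-Cookie"):
        return "not-cached"
    vary = {v.strip().lower() for v in _get(headers, "Vary").split(",")}
    if vary & {"*", "cookie", "authorization"}:
        return "cached-per-cookie"   # stored, but keyed on each user's own cookie
    return "cached-shared"           # one user's inbox is served to the next user

# What the webmaster should send on every authenticated page (the fix the post
# applied proxy-side by marking the whole site non-cacheable).
NON_CACHEABLE = {
    "Cache-Control": "private, no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}

# Constructed samples: the login response sets the session cookie; the inbox
# page, requested with that cookie, sends neither a cookie nor cache headers.
LOGIN_RESPONSE = {"Content-Type": "text/html", "Set-Cookie": "SESSION=abc; path=/"}
INBOX_RESPONSE = {"Content-Type": "text/html", "Content-Length": "48213"}
```

The inbox page is the dangerous one: it carries nothing the proxy can use to tell it is per-user, so it is cached and shared until either the site or the proxy marks it private.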
Over the weekend I received a benefits summary from work. They mail it out to remind people of all the non-salary related benefits that we get. The company doesn't pay as well as others, but the retirement benefits are the golden shackles.
They provide retirement projections assuming x, y, or z rate of return and an inflation rate of a. In addition it assumes that my contributions remain proportionally the same, that the retirement program doesn't change, and I get a 4% raise (cost of living adjustment) each year. Looks like I may be working until I'm 65.
Can you imagine working for 30 more years? Look back at what has changed in the past ten, then think about what will change in the next 30. Fortunately you don't have to listen to my cracked crystal ball (how do you listen to a crystal ball). Bruce Schneier had some interesting comments in the latest Information Security mag.
In a fit of optimism Bruce says that security will become a requirement of the products. It will be baked in, instead of an add-on solution. One thing that will drive this is SaaS. "IT is infrastructure. Infrastructure is always outsourced. And the details of how the infrastructure works are left to the companies that provide it."
As that happens Bruce sees a consolidation in the security industry. Bad news for us Infosec guys. We'll be replaced by an Indian call center. Just kidding. It doesn't sound good though. Richard Bejtlich's blog entry on this subject predicts small companies will jettison their IT staff, and a lot of us may end up working for service providers. That sounds like a net loss of security jobs to me.
Will that happen? Have most companies outsourced their helpdesk? I don't think so. Many that have found that external helpdesks didn't provide the same level of service. Have most companies outsourced log review? I don't think so. The external company doesn't have the same interest or personal responsibility. Information security policy and implementation is still extremely important.
SC Magazine has a whitepaper from MessageLabs titled The Online Shadow Economy - A Billion Dollar Market. It reports on the research of MessageLabs Senior Architect of Development Maksym Schipka into the online criminal underworld, particularly Russian websites and forums.
You can buy custom-written malware for as little as $250. Support is available for an extra $25 a month to ensure your malware continues to evade detection. As others have also reported, malware writers test their products against anti-virus software before release to guarantee that existing signatures will not detect it. This is where MessageLabs has been so great. The combination of established antivirus scan engines and their own Skeptic engine, a heuristic scanner, prevents malicious email attachments from getting through.
Schipka's research suggests that malware authors can produce new, unique malware every 45 seconds in order to keep it undetected. Signature based protections are not going to stand up to that attack.
If you do go to that link to read the research paper, be aware that SCMag will force you to register (I didn't find a bugmenot account). Also they will email the password you input in clear text. SCMag, thanks for cleartexting my password. I almost forgot the password in the one second between registering and receiving the "welcome" email.
We just finished rolling out Java 1.5 update 14. As we've come to expect with all updates, that means another update is right around the corner. SUN has not disappointed.
Sun JDK and JRE 5.0 Update 15
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun JDK and JRE 6 Update 5
http://java.sun.com/javase/downloads/index.jsp
SUN SDK and JRE 1.4.2_17
http://java.sun.com/j2se/1.4.2/download.html
Multiple vulnerabilities have been disclosed:
- Two privilege-escalation vulnerabilities affect the Java Runtime Environment Virtual Machine. An untrusted application downloaded from a website may be able to elevate its privileges to read and write local files or execute local applications.
- A privilege-escalation vulnerability affects Java Runtime Environment (JRE) when processing XSLT transformations. An applet may be able to exploit this to read unauthorized URI, potentially execute arbitrary code, or cause denial-of-service conditions.
- Three buffer-overflow vulnerabilities affect Java Web Start. These issues may be exploited by a malicious Java Web Start application to elevate privileges and perform arbitrary actions as the currently logged-in user.
- A privilege-escalation vulnerability affects Java Web Start. An untrusted application may be able to grant read and write permission to local files, or execute local applications in the context of the currently logged-in user.
- An unauthorized-access vulnerability affects Java Web Start. A malicious Java Web Start application can exploit this issue to create files on the vulnerable system. It may then be able to execute those files to run arbitrary code in the context of the currently logged-in user.
- A same-origin bypass vulnerability affects the Java Plug-in. An applet may be able to exploit this issue to execute local applications that are accessible to the user running the plugin.
- A privilege-escalation vulnerability affects Java Runtime Environment in the image-parsing library. A malicious applet may be able to exploit this to read and write to local scripts and execute local applications in the context of the currently logged-in user.
- Two denial-of-service vulnerabilities affect the color management library that may cause the Java Runtime Environment to crash.
- An unauthorized-access vulnerability affects the Java Runtime Environment that may allow JavaScript code to make connections to network services. This may aid in further attacks.
- A buffer-overflow vulnerability affects Java Web Start. A Java Web Start application may be able to exploit this issue to elevate privileges, read/write arbitrary files, and execute arbitrary local applications in the context of the currently logged-in user.
(Symantec Deepsight Alert Service)
Does your business have policies about forwarding email to external servers? You may think you have policies but will you catch users who create their own server side forwarding rules in Outlook/Exchange?
One of our VPs decided that he wanted to get work email onto his shiny iPhone whether it was supported/allowed or not. He created a rule to forward his email to Google Mail. With Google Mail, nothing is ever really deleted, and you really don't have any control over what Google does with the content. That's not the place to be sending information the customer intends that you keep private.
There is a website Gmail is Too Creepy that covers some of the concerns of Google Mail. Strangely enough while googling for that URL, Google wouldn't give me the result. They said I must have a virus on my computer if I'm trying to go to that website. Too creepy indeed!
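Catching rules like the VP's means auditing the server side, not asking users. As an added example (not from the post, and not an Exchange feature of 2008), the script below flags forwarding to external domains in a CSV export of inbox rules; it assumes the export came from Exchange's Get-InboxRule cmdlet (Exchange 2010 and later) with its "Display Name" [SMTP:address] recipient rendering, and the rows and the example.com domain are constructed.

```python
# Added example: flag server-side inbox rules that forward or redirect mail to
# domains we do not own. Input is assumed to be a Get-InboxRule CSV export
# (Exchange 2010+, not the Exchange of the original post). Rows are constructed.
import csv
import io
import re

INTERNAL_DOMAINS = {"example.com"}   # constructed: the company's own mail domains

# Exchange renders rule recipients as: "Display Name" [SMTP:user@domain] (assumed).
ADDR_RE = re.compile(r'(?:SMTP:)?([^\s"\[\]<>:]+@[^\s"\[\]<>]+)', re.I)

def addresses(field):
    """Return lower-cased SMTP addresses found in one recipient cell."""
    return [a.lower() for a in ADDR_RE.findall(field or "")]

def external_forwards(csv_text, internal=INTERNAL_DOMAINS):
    """Return (mailbox, rule name, address) for every recipient outside `internal`.

    All three rule actions that move mail off the server are checked; a disabled
    rule is still reported, since it can be re-enabled without anyone noticing.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            for addr in addresses(row.get(col)):
                domain = addr.rsplit("@", 1)[1]
                if domain not in internal:
                    hits.append((row["MailboxOwnerId"], row["Name"], addr))
    return hits

# Constructed export: one VP forwarding to Gmail, one legitimate internal copy,
# one redirect to a personal Yahoo account.
SAMPLE_EXPORT = '''MailboxOwnerId,Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo
vp@example.com,iPhone,True,"""VP Home"" [SMTP:vp.home@gmail.com]",,
jane@example.com,Assistant copy,True,"""Bob"" [SMTP:bob@example.com]",,
sam@example.com,Out of office,False,,,"[SMTP:sam@yahoo.com]"
'''

if __name__ == "__main__":
    for mailbox, rule, addr in external_forwards(SAMPLE_EXPORT):
        print(f"{mailbox}: rule '{rule}' sends mail to {addr}")
```

Mailbox-level forwarding (the ForwardingSmtpAddress attribute on the mailbox itself) is a separate export and is not covered by inbox rules, so an audit needs both.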
In February, Postmaster General John Potter sent a letter presumably to all addresses and enclosed an Identity Theft brochure from the Federal Trade Commission (FTC).
The Postmaster General's letter reported that according to an FTC survey only 2% of all identity theft victims believed the theft of their identity was related to mail. Even so they sent this letter to educate consumers.
So many times when dealing with users the response is "I've got nothing to hide" or "I won't be a victim" or "I've got nothing worth protecting". The Postmaster General's letter points out that if someone steals your identity, it can affect your credit standing, your ability to buy a car or home, get a job or obtain medical care. Once victimized it is not easy to clean up.
The FTC brochure has a link to the FTC's Identity Theft Site.
The brochure has three key sections.
Deter
- Shred financial documents and paperwork before you discard them
- Protect your social security number. Do not carry it in your wallet or write it on a check. Give it out only where necessary, or ask to use another identifier.
- Don't give out personal information on the phone, through the mail or over the Internet unless you know who you are dealing with.
- Never click on links in unsolicited emails. Instead type in a web address you know. Use firewalls, anti-spyware and anti-virus software to protect your home computer; keep them up to date. Visit onguardonline.gov for more information
- Don't use an obvious password like your birth date, your mother's maiden name or the last four digits of your social security number
- Keep your personal information in a secure place at home, especially if you have roommates, employ outside help or are having work done in your home.
Detect
Be alert to signs that require immediate attention:
- Bills that do not arrive as expected
- Unexpected credit cards or account statements
- Denials of credit for no apparent reason
- Calls or letters about purchases you did not make
Inspect your credit report (www.annualcreditreport.com) and your financial statements.
Defend
Defend against ID theft as soon as you suspect it.
- Place a "fraud alert" on your credit reports.
- Close any account that has been tampered with or established fraudulently.
- File a police report
- Report the theft to the FTC
Common Ways ID Theft Happens:
- Dumpster Diving.
- Skimming - skimmers are special devices that steal your credit/debit card numbers.
- Phishing
- Changing your address
- Theft of wallet/purse, mail, records