Does Anybody Really Know What Time it is

Does anybody really care (about time)?

This Chicago song came to mind for today’s blog post about NTP.

I was walking down the street one day... OK, I’ll stop. I was reviewing my firewall logs and noticed systems going to external services for NTP.

It is best practice (and company policy) for all systems to be using the same time source.  It is very difficult to match up logs from different systems when they may have different times.

It turns out there were two problems at play. The first is default configurations. People setting up specific equipment didn’t update the NTP settings, or assumed that because it was set on one system it would replicate to the other appliances that were part of that “group”. The other was that an issue with the internal NTP server caused the Unix admin to point his servers elsewhere for time.

Your internal NTP server needs to be rock solid.

Another item that still needs to be addressed here is secondary NTP. People are pointing everything at the same primary NTP server and then leaving whatever the device shipped with as the backup NTP server. Yeah, not such a good idea: the moment the primary is unreachable, the device quietly syncs to some vendor default on the internet, which is exactly the traffic that showed up in the firewall logs.
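As an added illustration (this is not code from the original post), here is the kind of check that turns that log review into something repeatable. It parses a few constructed firewall log lines in an assumed key=value format, groups the UDP/123 flows per client, flags any client talking to a time source outside an assumed approved list (separating internal strays from external vendor defaults), and lists clients that lack an approved backup server. The field names, addresses and log lines are all made up for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Approved internal time sources. These addresses are assumed for the example.
APPROVED_NTP = {"10.0.0.10", "10.0.0.11"}

# RFC 1918 space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log lines in a generic key=value format.
# The field names are assumed, not those of any particular firewall product.
SAMPLE_LOGS = """\
2012-01-05T10:01:12 action=allow proto=udp src=10.0.5.21 dst=10.0.0.10 dport=123
2012-01-05T10:01:13 action=allow proto=udp src=10.0.5.22 dst=198.51.100.7 dport=123
2012-01-05T10:01:14 action=allow proto=udp src=10.0.5.22 dst=10.0.0.10 dport=123
2012-01-05T10:01:15 action=allow proto=udp src=10.0.7.3 dst=192.0.2.50 dport=123
2012-01-05T10:01:16 action=allow proto=tcp src=10.0.5.21 dst=192.0.2.50 dport=443
2012-01-05T10:01:17 action=allow proto=udp src=10.0.7.3 dst=192.0.2.50 dport=123
2012-01-05T10:01:18 action=allow proto=udp src=10.0.9.4 dst=10.0.0.12 dport=123
2012-01-05T10:01:19 action=allow proto=udp src=10.0.5.30 dst=10.0.0.10 dport=123
2012-01-05T10:01:20 action=allow proto=udp src=10.0.5.30 dst=10.0.0.11 dport=123
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_ntp_flows(log_text):
    """Yield (client, server) pairs for every UDP/123 flow in the log text."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["proto"].lower() == "udp" and m["dport"] == "123":
            yield m["src"], m["dst"]


def summarize(log_text, approved=APPROVED_NTP):
    """Per client, split the NTP servers it used into approved, unapproved,
    and (a subset of unapproved) external destinations."""
    servers = defaultdict(set)
    for client, server in parse_ntp_flows(log_text):
        servers[client].add(server)
    summary = {}
    for client, seen in servers.items():
        unapproved = sorted(s for s in seen if s not in approved)
        summary[client] = {
            "approved": sorted(s for s in seen if s in approved),
            "unapproved": unapproved,
            "external": [s for s in unapproved if not is_internal(s)],
        }
    return summary


def violations(summary):
    """Clients that talked to any time source outside the approved set
    (vendor defaults left in place, or an admin pointing servers elsewhere)."""
    return sorted(c for c, s in summary.items() if s["unapproved"])


def no_approved_backup(summary):
    """Clients not using at least two approved servers, so a primary outage
    leaves them with whatever secondary the device shipped with."""
    return sorted(c for c, s in summary.items() if len(s["approved"]) < 2)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    for client in violations(s):
        print(f"{client}: unapproved={s[client]['unapproved']} external={s[client]['external']}")
    print("no approved backup:", no_approved_backup(s))
```

Run against real exports, the external list is the one to chase first (those devices are already syncing to someone else’s clock); the internal stray (10.0.0.12 in the sample) is the “set it on one appliance and assumed it replicated” case.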

Symantec Source Code Stolen

Source code for Symantec Endpoint Protection 11 and Symantec Antivirus 10 has been stolen. According to speculation in news reports, the source code had been provided to the Indian government and was compromised from their servers. Security companies often provide source code in order to be allowed to sell software in a country; I suppose the governments are worried about NSA backdoors. This hack highlights the problems with loaning out your source code.

Symantec downplayed the severity of the report, saying SAV 10 is no longer sold (end of support in July 2012) and SEP 11 is 4-5 years old.

Even if the source code was from an earlier version, I am confident the source code doesn’t change that much within a major version. Symantec Endpoint Protection 11 may have initially been released 4 or 5 years ago (can that be right?) but it is still the main version in use today. Its successor, SEP 12.1, was only released in July and most people would wait before deploying it.

I was a bit surprised by some of the reactions to this disclosure. Rob Rachwald of Imperva says there is “not much hackers could learn from it” because they already analyze antimalware products. The Atlantic Wire quotes Bruce Schneier as saying it isn’t a big deal.

I think it is a big deal.   Antivirus products do have vulnerabilities.   Antivirus products are widely deployed and often it is possible to find out what a particular company is using.   Isn’t code analysis easier than trying to blackbox test or trying to reverse engineer the code?  Depending on how diligent Symantec has been, I think this could lead to more security updates for Endpoint Protection.

Chris Parden, Symantec spokesman, says they are developing a remediation process for enterprise customers still using affected products.

Scanning External Drives on Connection

Over on Symantec Connect (the Symantec support forum), I frequently see people ask about the ability to automatically scan a removable drive when it is connected to a system.   They also submit it as an “idea”.   The Idea section is where you can make product suggestions that users can discuss and vote up or down.

I often wonder where this idea comes from because it seems like a particularly bad idea.   It seems like someone decided that was the only way to solve the problem of USB based malware like conficker.   That isn’t the case and it can be very inconvenient.

If I connect a 1 GB drive to the system, do I really want to wait while Symantec Endpoint Protection scans the whole drive? I don’t think so. Endpoint Protection can disable autorun, which solves 80% of the malware problem, and real-time scanning will still scan files as they are actually used.

Like most bad ideas, this requirement comes from hardening guides and auditors. I was reading the Critical Security Controls and found the following:

Quick wins: Organizations should configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.

As I said, I think a full drive scan is completely unwarranted.   Do any other antimalware products have this capability?

WordPress 3.3.1 Released

If you haven’t logged into your WordPress today, this is news to you. Version 3.3.1 has been released to fix an XSS vulnerability.

According to ThreatPost, this is only a vulnerability if you installed WordPress by browsing to the IP.   Most installs are hosted and you would browse to the site FQDN to install.   These systems aren’t vulnerable.

The update also fixed 15 bugs.   So review the release notes and determine if you need to update.   Or just do it.

Wi-Fi Protected Setup

Wi-Fi Protected Setup (WPS) is a method common on home access points for users to connect without having to type in a long encryption key. Instead, a PIN is printed on the access point, so anyone with physical access to it can add themselves to the wireless network. This has always seemed kind of hinky to me, so I disable WPS after all my devices are set up.

Research posted earlier this week by Stefan Viehböck reports WPS design flaws and implementation flaws that can result in an attacker accessing your network.

Flaw #1 – WPS PIN authentication is vulnerable to brute force attacks: the PIN is only eight digits, and many access points never lock an attacker out no matter how many wrong PINs are tried.

Flaw #2 – The access point sends an authentication failure as soon as the first half of the PIN is incorrect, so the two halves can be guessed independently. Uh huh.

A brute force tool has been written but had not been released at the time of this posting.

Where possible, users should disable WPS on their home access point when they are not actively adding new wireless clients.
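To make the two flaws concrete, here is a small simulation added for this post; it is not Viehböck’s tool or any code from the research, and nothing in it touches a network. A Python stand-in for a non-locking access point acknowledges each half of the PIN separately, the way the flawed firmware does after the M4 and M6 messages, and a search exploits that. The PIN checksum rule is the one from the WPS specification; the class and function names are assumptions for the example.

```python
# Simulation of the WPS PIN brute-force weakness. The "access point" is a
# Python object; no real WPS traffic is generated.

PIN_SPACE_WITH_CHECKSUM = 10**7    # 8 digits, but digit 8 is derived from 1-7
SPLIT_SEARCH_MAX = 10**4 + 10**3   # first half, then second half, worst case


def wps_checksum(first7):
    """Checksum digit (digit 8) of a WPS PIN from digits 1-7, per the WPS spec:
    three times the digits in odd positions plus the digits in even positions,
    then whatever brings the total to a multiple of ten."""
    d = [int(c) for c in first7]
    total = 3 * sum(d[0::2]) + sum(d[1::2])
    return (10 - total % 10) % 10


def make_pin(first7):
    return first7 + str(wps_checksum(first7))


class LeakyAccessPoint:
    """Registrar that behaves like the flawed APs: it confirms or rejects the
    first half of the PIN (after M4) and the second half (after M6) as separate
    steps, and never locks out. A stand-in for the protocol, not a WPS stack."""

    def __init__(self, pin):
        if len(pin) != 8 or not pin.isdigit() or make_pin(pin[:7]) != pin:
            raise ValueError("not a valid WPS PIN")
        self._pin = pin
        self.attempts = 0

    def check_first_half(self, half):
        self.attempts += 1
        return half == self._pin[:4]   # a NACK here leaks that digits 1-4 are wrong

    def check_second_half(self, half):
        self.attempts += 1
        return half == self._pin[4:]   # a NACK here leaks that digits 5-8 are wrong


def recover_pin(ap):
    """Guess the halves independently; digit 8 is computed, never guessed."""
    first = None
    for i in range(10**4):
        cand = f"{i:04d}"
        if ap.check_first_half(cand):
            first = cand
            break
    if first is None:
        return None
    for i in range(10**3):
        second = f"{i:03d}"
        second += str(wps_checksum(first + second))
        if ap.check_second_half(second):
            return first + second
    return None


if __name__ == "__main__":
    # "12345670" is just a valid sample PIN for the demonstration.
    ap = LeakyAccessPoint(make_pin("1234567"))
    print(recover_pin(ap), "found in", ap.attempts, "attempts;",
          "worst case", SPLIT_SEARCH_MAX, "vs", PIN_SPACE_WITH_CHECKSUM)
```

The point is the arithmetic: because each half is confirmed on its own and the eighth digit follows from the checksum, an attacker needs at most 10^4 + 10^3 = 11,000 guesses instead of 10^7, and without a lockout nothing stops them from making all of them.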

Microsoft on disabling wireless cards

I think it is important to disable wireless cards in laptops when a wired connection is present. Microsoft doesn’t. Steve Riley wrote about this back in October 2008. I blogged about that then. Now, in a post signed by David Pracht but posted under MichaelPlatts’ userid, the Microsoft Enterprise Networking Team argues that it is no big deal to be connected to the internal corporate network over a wire while you are also connected to the EVILROGUE hotspot in the parking lot. They say this because Windows 7 has “strong host” routing. Also, you could disable the ability to connect to unapproved wireless. They don’t really spell out how “strong host” routing helps. (In the strong host model an interface only accepts packets addressed to its own IP and only sends packets sourced from it, so an attacker on the wireless side cannot reach the wired-side address through the laptop; it does nothing about software already running on the laptop that can talk on both networks.)

Disabling the ability to connect to unapproved wireless is not something I see happening in most organizations.   “To improve mobility, here is your laptop.   To improve security, you may not connect this to any wireless network except the one here at work.   And maybe Starbucks”.   Sounds like a recent Dilbert strip.

There is no valid reason for users to have multihomed computers. While personal firewalls, when configured correctly, should prevent intrusion by a parking lot pentest access point, why take the risk? It looks like you have a bad security posture.

Actually, the Microsoft article left me wondering what happens if my wired connection is 100 Mb but the wireless is 802.11n and is identified as 300 Mb. If both interfaces have default gateways, does the wireless connection then “win”? As I understand that article, fastest speed wins. Worth testing.

Merry Christmas

F-Secure on Java

F-Secure generated a lot of traffic in the blogosphere with their post declaring Java harmful and better left uninstalled. To me the only surprising part is the discussion this generated. Isn’t this old news? The principle of least privilege says to remove it if you don’t need it. And when you’re regularly updating an application for security fixes, it may be time to consider alternatives.

F-Secure links to Larry Seltzer’s month without Java from 2010. Brian Krebs posted a blog article around the same time recommending Java be removed. I couldn’t find an earlier article, but I thought Krebs had been banging this drum for much longer.

Removing software you don’t need certainly lowers the attack surface. At work, I’d caution that you’re likely to find groups of users using Java for internal applications. If you don’t put Java on your system image, they are going to install the ancient version of Java supplied by their application developer. I found a couple of users with Java 1.6.0 update zero. When I removed that and installed the latest Java 1.6, the application still worked fine. If you’re actively patching your environment, having Java installed may not be that bad.

The articles linked mention alternatives such as only allowing Java to run on specific sites. Sometimes I install Java only for use in my non-day-to-day browser. I’m not sure either solution scales to the enterprise, where you have to account for all sorts of computer literacy.

Santa Gets Hacked (video)

Android Malware

Android malware has certainly been in the news a lot this week.

First, I read an AV-Test report that found the free antivirus for Android is garbage. In an on-demand scan, “the best free app was Zoner AntiVirus Free with 32% detected malicious apps. All other scanners detected at best 10% of the apps, some didn’t detect anything at all.” Yikes. F-Secure and Kaspersky were included for comparison. The commercial apps detected 50% of the malware in an on-demand scan and blocked all malware on attempted install.

Then we had Chris DiBona’s blog post (or should I say Google+ post) in which he lets his zeal for open source completely whitewash any security concern on any phone (besides Windows of course).

He ignores issues with trojaned apps because they will eventually be found and removed from the app store.   By that time you’ve already fallen prey to the malicious app stealing the login credentials you use on the banking app.   But that’s ok.   The Operating System wasn’t infected so it must not have been a virus (huh?).

I think the article would have been better with less venom and open source bluster. 

Then we hear from Fortinet that Android malware surged in 2011. It makes sense that malware would see an uptick as adoption increases.

While the numbers aren’t huge, the uptick is interesting. The type of attacks may be limited by the mobile phone security model, but that doesn’t mean the phones are malware free.

  • Geinimi – Android’s first botnet
  • Hongtoutou – trojaned wallpaper app; steals IMEI and IMSI
  • DroidKungFu – information stealer, botnet
  • JiFake – fake IM app, toll fraud
  • BaseBridge – toll fraud

As we discuss corporate security policies for mobile phones, we need to consider the applicability of antivirus requirements. While it is important to look out for marketing FUD, we don’t need to take the Baghdad Bob position and claim there is no malware on mobile operating systems either.

While today’s Android malware consists of applications that are trojaned or installed by the user through social engineering, that doesn’t mean it will always be the case. The question I have is whether the antivirus operates at a level where it could detect OS-level infections, or whether it is really only a “malicious app” checker.

Paid antivirus for Android generally comes with other features, such as a phone locator and toll fraud prevention, that may make it desirable.

Update – Bruce Schneier weighs in with a post on Android malware. He links to a Juniper blog post about the ongoing issue of Android malware rooting phones because they don’t get patched.