Posts tagged ‘Cisco’
Cisco buys ScanSafe
I was surprised to read this evening that Cisco is buying ScanSafe.
I have been evaluating web SaaS vendors and looked at ScanSafe in September. To me ScanSafe has always been the market leader in web security as a service. I just had some issues that prevented us from going with them. According to a TechTarget article, this purchase brings Cisco into the web SaaS market and should play well with their IronPort line. I hope this purchase improves both companies.
As was stated when Barracuda bought Purewire, this validates the web SaaS market. It seems to repeat the recent acquisition phase of email SaaS vendors. Is Zscaler now the odd man out, not yet having found a dance partner? I think not. There are still plenty of companies that think they need to buy into a SaaS presence.
Sophos Endpoint Security Eval Thoughts
This week I began an evaluation of Sophos Endpoint Security. (Why do I get the feeling that all over the country sales guys just perked up and began repeating “sales lead” to themselves?) Currently we’re using Symantec Antivirus 10. I’m looking to consolidate antivirus, antispyware and the personal firewall into one product. We also want more protection than signature-based solutions can provide. For years I’ve wanted to go with Cisco Security Agent (although now I don’t want to add yet another agent), and I’ve also considered McAfee Total Protection because it has the McAfee HIPS technology.
Sophos recently made big sales to Northrop Grumman and GE. This shatters the notion that they are only a small European AV vendor. Sophos sales tells a pretty good story, and they are nothing if not tenacious.
When I set up their enterprise console, I found, as they stated, that it’s a lot simpler to manage than McAfee TPS and Symantec Endpoint Protection. When I got to installing the client I found a couple of things that really bother me.
1. McAfee and Symantec both provide mechanisms for locking the client configuration. With Sophos they create local groups: Sophos Administrator, Sophos Power User and Sophos User. The install on the client added every member of local Administrators to the Sophos Administrators group. In our company employees have local admin rights, so this is kind of a problem.
Sophos’ answer to this is to use Restricted Groups in Group Policy to restrict membership in the Sophos Administrators group to whatever groups you specify. Additionally they use Group Policy to place NTFS file permissions on their XML configuration file.
This solution is simply not as granular as that provided by the competitors. With Symantec I can allow specific settings to be modifiable by the user. I can give the user the uninstall password if necessary. The Sophos solution doesn’t allow you to lock down settings on computers that are not members of your domain. It creates a dependency on Group Policy applying correctly. Informed local administrators may be able to add themselves to the group long enough to perform their rogue task.
2. Installing Sophos requires supplying a local administrator account for the machine where the installation is occurring. Since we generally deploy software through SMS, this means I’ll have to supply a password in the command line script. I believe that is specifically forbidden under NIST 800-53. It’s certainly bad practice. It also raises questions on how users outside the domain will install (home users, Windows computers in other domains).
I haven’t run across software with this requirement before. Either software runs as the user running the install (if they have admin rights) or you run the install as the SMS install account.
When installing on a non-domain computer, I had a lot of problems getting the install to work and then successfully check in for updates.
3. The Sophos install creates a local administrator account. Now I’m sure it has a very strong password, but I’m just not comfortable with my software creating a local admin account. Symantec didn’t do that. McAfee didn’t do that.
I’ve been accused of writing off these endpoint security vendors too quickly. The way I see it, it doesn’t matter if the rest of the eval is perfect; if Sophos can’t answer to my satisfaction why they are doing things this way and why it isn’t a problem, I can’t go with this product.
Sophos has already gotten me to change some of my thinking. Their defaults include scanning program files only, scanning on read/execute only, and not scanning compressed files. It’s no wonder they claim to be faster than the competition. In those cases, they had a good argument for their recommendations. (Although a sales engineer did recommend I scan on write too and ignore the manual on that point.) These three issues may be too much for me to accept.
My sales engineer is out most of next week. I’m out Monday. I’ll post a followup when I get some answers back.
Shmoocon 2008 Day 2
Here are some notes from Shmoocon day 2. Today was a return to the traditional Build It, Break It, and Bring It On tracks. These are summaries of the sessions I attended. It was another fun day.
Active 802.11 Fingerprinting, Bratus, Cornelius and Peebles
How can you identify if an access point is legitimate or rogue? Does two-way RSA crypto solve the problem of a rogue AP? The speakers would argue that if you are communicating with a rogue AP, the use of certificates could actually cause more information to be given away to the rogue. You could certainly be exploited in your communication as well if your wireless drivers have vulnerabilities.
Just as with OS fingerprinting through TCP, the wireless protocol can be abused to send unexpected traffic to the AP and fingerprint how it responds. They built a tool called Baffle using Ruby to perform this test. They were able to verify that the access point was using the driver that is expected.
If you’re expecting a Linksys AP and I set up a rogue Linksys AP, this isn’t going to help you, at least from my understanding of the talk. An audience member asked if this could be used with ad hoc (client-to-client) connections as well. It cannot be used for that because the APs are much more chatty and have more negotiation.
The remainder of the time was a presentation on access point hiding. I did not catch the presenter’s name. Basically anything that has some room inside and has sufficient power could be refashioned to contain an AP. This assumes that you need to be stealthy about placing a rogue AP in the first place. The take-home for me from this section of the talk was the question, “if an AP enabled itself at 2 am (either to let the hacker in, or to move some data out) would you catch that?”
Smarter Password Cracking; Weir, Glodek
Not a lot new here.
Password cracking is getting tougher. Sometimes users are forced to pick better passwords. Often developers are throwing in a salt or hashing multiple times. A salt makes a precalculated table attack difficult. Multiple hashes attempt to increase the calculation penalty when trying an offline password attack. For example, while Word’s password mechanism was once trivial to break, Word now uses 5000 SHA-1 iterations and a huge salt.
In the last year or two several password troves have become available to all. In the past researchers didn’t have a way to report on user password selection. After passwords collected by MySpace phishers leaked, researchers had a large collection of legitimate passwords. Many of the passwords were tremendously weak and thus not comparable to enterprise passwords.
When setting out to crack passwords, it is helpful to figure out how the users select their passwords. This gives the cracker a better chance at success.
I was hoping to take from this lecture a script to analyze a list of passwords and display the tendencies found. I would like to be able to easily run a report that says: 30% of users’ passwords were revealed in testing. Of those, 90 percent were in the format Aaaaaa11 (A=upper, a=lower, 1=any number). I don’t see that script on his website; I’m going to check back later.
They’re hacking Our Clients, Why are we focusing only on servers; Beale
This talk had two major sections. The need for patching clients, and a poor man’s way to find clients that need patching.
In the first section Beale said that in pentesting engagements they now attempt to get to the internal network through client side attack. Often they are limited by engagement rules to the computers belonging to IT staff or security folk. Even with this set of users they are consistently able to perform attacks on the browser, mail client, Office, Adobe Reader, etc. Core Impact and Metasploit are two tools mentioned.
The bad guys moved to client side attacks years ago. Their biggest problem is managing all their owned boxes.
The question was asked: isn’t this just social engineering? There are two responses to this. No, sometimes attacks autorun without user interaction. Yes, but the human firewall is imperfect. Even the most educated users get fooled. It’s still appropriate for a pentest.
Comment from the audience – Once it reaches the user, freakin game over.
The attackers only have to find one vulnerable human or one vulnerable software install.
Isn’t this a patch management problem, Beale asks rhetorically.
He says yes, but not every organization has patch management.
Also, patch management needs to know about every system to patch it. It needs rights. It often doesn’t patch every product. Most people don’t have that complete an inventory of what is on their network.
To address these issues, the speaker proposed using User-Agent strings to self-identify vulnerable systems. That information could be collected from HTTP proxy logs and mail servers. Vulnerable clients could be denied further access.
While you could do further things such as implement something like the Master Reconnaissance Tool to gather browser plug-ins, there is still vulnerable software that you don’t address in this way.
Another idea is to look at the metadata of recently created files on your file server, SharePoint, and in email. Apparently you can determine the version of the software used to create the document. A vulnerable version plus a recently created document equals a problem that needs to be addressed.
Since I do vuln scan all online systems, and I do have a patch management system, the second part of the talk wasn’t as interesting. It seemed like a lot of work just to catch the small number that missed patch management and vuln scanning. I do see the usefulness in a University or other similar environment.
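An added example, not from the talk, showing both of the inventory ideas above in one script: it parses constructed proxy log lines, pulls the browser and version out of the User-Agent string, and flags hosts below a baseline; it then reads the Application/AppVersion fields that OOXML writers record in docProps/app.xml, which is where the document-metadata check would look. The log lines, user names and the version baseline are all made up for the demo; the baseline numbers are placeholders for whatever your own patch level is.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed proxy log lines: client IP, user, request, status, user agent. Not real traffic.
PROXY_LOG = '''\
10.1.2.3 jdoe "GET http://example.com/ HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
10.1.2.4 asmith "GET http://example.com/a HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
10.1.2.5 bjones "GET http://example.com/b HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.2.6 ckim "GET http://example.com/c HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.1.2.3 jdoe "GET http://example.com/d HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
'''

# Hypothetical patch baseline (placeholder numbers): anything older gets flagged.
BASELINE = {"Firefox": (2, 0, 0, 12), "MSIE": (7, 0)}

UA_PATTERNS = {
    "Firefox": re.compile(r"Firefox/(\d+(?:\.\d+)*)"),
    "MSIE": re.compile(r"MSIE (\d+(?:\.\d+)*)"),
}
LOG_LINE = re.compile(r'^(\S+) (\S+) "[^"]*" (\d{3}) "([^"]*)"$')


def parse_version(text, width):
    """'2.0.0.6' -> (2, 0, 0, 6), zero-padded so '7' compares equal to '7.0'."""
    parts = [int(x) for x in text.split(".")]
    return tuple((parts + [0] * width)[:width])


def identify(ua):
    """Return (product, version tuple) from a User-Agent string, or (None, None)."""
    for product, pat in UA_PATTERNS.items():
        m = pat.search(ua)
        if m:
            return product, parse_version(m.group(1), len(BASELINE[product]))
    return None, None


def is_outdated(product, version):
    return product in BASELINE and version < BASELINE[product]


def scan_proxy_log(text):
    """Map client IP -> (user, product, version string) for hosts below the baseline."""
    flagged = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ip, user, _status, ua = m.groups()
        product, version = identify(ua)
        if product and is_outdated(product, version):
            flagged[ip] = (user, product, ".".join(map(str, version)))
    return flagged


# OOXML extended properties live in docProps/app.xml inside the zip container.
EXT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def build_docx(app, version):
    """Constructed minimal container carrying only app.xml, for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "docProps/app.xml",
            f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Properties xmlns="{EXT_NS}"><Application>{app}</Application>'
            f'<AppVersion>{version}</AppVersion></Properties>',
        )
    return buf.getvalue()


def document_app_version(data):
    """Return (Application, AppVersion) recorded by the program that saved the file."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("docProps/app.xml"))
    return root.findtext(f"{{{EXT_NS}}}Application"), root.findtext(f"{{{EXT_NS}}}AppVersion")


if __name__ == "__main__":
    for ip, info in scan_proxy_log(PROXY_LOG).items():
        print(ip, *info)
    print(document_app_version(build_docx("Microsoft Office Word", "12.0000")))
```

The User-Agent check only sees products that announce themselves in HTTP, and a client can lie in that header, so treat the output as a lead list for the patch system rather than proof of compliance; the document check has the same limit, since it only covers files whose writers record a version.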
VOIP Hopper; Ostrom and Kindervas
This was a strong talk demonstrating the new version of their voiphopper program. Most people outside that room think that a VLAN is a security separator. The talk showed how easy it is to get onto the voice VLAN. In IT there is also a low awareness of VoIP threats. People think, “you can’t access corporate data from an IP phone.”
voiphopper now includes a Cisco Discovery Protocol generator, making it really easy to pretend to be a VoIP phone.
Mitigation:
1. Use Cisco’s phone CDP security provided in 12.2.36 SE. This requires a phone to have power or it will shut down the port. (One wonders how that would work in my case, where a bad blade wasn’t providing power for some ports and I was given a brick for my phone instead of using Power over Ethernet.)
2. MAC address filtering.
3. Disable the PC port on the phone. (This is for lobby phones, which shouldn’t have a PC plugged into them.)
Got Citrix? Hack it!; Gupta
One audience member correctly asked for fewer IE vulnerabilities and more about Citrix. I agree. The vulnerabilities presented all existed because Windows was not secured for the role the system was playing.
Gupta has a good point that people think putting something behind Citrix is equal to securely serving it.
We did not get to see a couple of demos because the wireless network was down during this session. I’d recommend either not relying on an unreliable medium for a presentation or having a video backup. We were left with a session cut short and a feeling of disappointment.
Java 1.6 Update 4
SANS blogged about the latest Java 1.6 Update 4 release back on January 12th. Brian Krebs today wrote a piece in his Washington Post blog Security Fix.
I admit it. I have no idea whether or not this update is critical. SANS seemed to say ‘you might want to do this soon.’ Brian said ‘it contains some security fixes. You should update.’ I’m looking around to see how Sun categorizes this fix. Microsoft would be letting me know if it’s critical or important, if exploits are available and how an attack might occur. Cisco would use the CVSS standard, which is pretty cool. Even after reviewing Sun’s release notes I don’t have a clue.
I kind of want to say no news is good news. We need to keep the enterprise-wide reboots caused by software updates to a minimum. I just hope I don’t open my RSS reader one day and read about an exploit in the wild that would have been patched if I had deployed this. I’ll keep this one on the back burner and deploy it if Adobe, Flash and QuickTime slow their vulnerability circus for a while.
Tiger Team on CourtTV
I just saw that CourtTV (CourtTV is TruTV as of 1/1/2008) had a pen testing show called Tiger Team that aired a couple of times last week. GrumpySecurityGuy calls it “It Takes a Thief” with a security twist.
Don’t go in expecting this show to be about a Red Team in a dark room somewhere running zero-day attacks while the Symantec Security NOC is soiling themselves because green lights turn to red on a big board on the wall. It doesn’t look like we’re going to see Chloe say “it’s ok, we’ve got the Cisco Self-Defending Network”. The episodes I’ve seen have had the team attempt to penetrate small, very secure businesses. You don’t need to bust through a firewall or wait for a phishing reply when you can just hand someone a USB key and ask them to print out a document from it.
The team has a social engineer, a computer security guy and a physical security guy (if I remember the introductions correctly). In the first caper they take down security at a high-end car dealership. In the second episode they go after an elite, exclusive jewelry design shop. Both episodes were a heck of a lot of fun.
Hopefully we’ll be seeing more of these episodes. I don’t see any upcoming episodes in the program guide data. I also couldn’t find the episodes on the CourtTV website. I had to bittorrent them (kids don’t try that at work).
“I’ve got issues”
Ok, so the title is an inside joke.
On Monday I began having some issues on my Vista Tablet.
- The computer isn’t able to obtain an IP address from the DHCP server
- An error: “Error 56: The Cisco Systems, Inc. VPN Service has not been started”
- Unable to uninstall SEP11
- Unable to perform a rollback to a previous snapshot
- Unable to open tcp/ip properties because supposedly another dialog was already open
I’m blaming Symantec Endpoint Protection 11. That was the last change to the system.
Cisco VPN upgrade
I pushed the Cisco VPN client to the department test group. This means that the 5.0.2 beta client that I’ve been waiting on will be released on Monday.
Thus far I haven’t had the adoption rate I would have hoped for, but this is a Holiday weekend.
Only a few problems thus far:
1. The new profile is set to UDP; a user had an issue because of their D-Link router. We had to go in and set it to TCP for it to work.
2. A permissions error during the install when it tried to modify the MTU setting.
3. User not understanding the instructions while upgrading the vpn client while connected through the vpn.
4. User created shortcuts not being removed when old version is uninstalled. The old version went in a custom location, the new version is going to the default location.
No major disasters which is a good thing.
Packaging the Cisco VPN Client Part 2
Last week I wrote in a semi-literate fashion about my difficulties in packaging the Cisco VPN client. This week I continued trying to package the Cisco VPN client.
The problems continued this week. During the install of 5.0.01.0600 neither the profile nor the root cert was imported. I was able to fix the profile import issue. It turns out there is a bug article saying the install path should not have dashes in the folder names. TAC tells me the root cert import issue will not be fixed in 5.0.02 and possibly not for a couple of revisions after that.
This leaves me in a quandary. Can I deploy 5.0.00.0340 instead? The later version does solve a privilege escalation issue. However, that can be resolved by removing the permission for “Interactive” on cvpnd.exe. I don’t see any other pressing fixes in the release notes. Perhaps I’ll even be able to stick to the InstallShield version and not be forced into using the MSI.
Packaging the Cisco VPN Client
For some reason the Cisco VPN client was available in both an InstallShield package and an MSI package. It became time to upgrade recently, so I reluctantly re-entered the realm of Cisco software. This is something truly to be feared.
The InstallShield version is rather easy to install and brand, although it appears to be impossible to import two root certificates. The MSI version requires creating a transform file and has some really bad instructions about using Microsoft Orca to do this. I also found out that if you have an InstallShield version of the Cisco VPN client installed, you must remove it and reboot before attempting to install the MSI version (and then reboot again).
Unfortunately Cisco has pulled the InstallShield version of the latest release and they report that no further InstallShield versions will be released. I guess I’ll have to figure out how to package the MSI version, because I just don’t want to deploy an older, slightly vulnerable InstallShield version, particularly when no further InstallShield versions will be released.
nginx, Storm Worm and Cisco IDS
On August 21, the SANS Internet Storm Center noted that the Storm Worm was now being hosted on servers running nginx in the latest wave of attacks. They further noted that signatures based just on that server name were a bad idea because nginx is a legitimate web server.
I notice that my Cisco IDS is reporting instances of the Storm Worm. A lookup of that signature in the Cisco IPS signature database found that “the signature triggers on seeing the string “Server:nginx” in the return web traffic.” While it does note that this could be legitimate traffic, this really wastes my time.