Posts tagged ‘Google’

Erin Andrews Malware

Erin Andrews apparently is a sideline reporter for ESPN. I hadn’t heard of her before tonight. The story is that some tool used a peephole reverse viewer (a device that allows a person outside a door to use the peephole to look in) and a camera to record her in a hotel room without her knowledge. This is obviously both illegal and not cool. The video was posted to YouTube before lawyer letters were sent demanding the takedown.
The news of this has ignited a mad search of the Internet for copies of the video that may have been downloaded and reposted in other places before Google was able to comply with the removal request.
As with most big-name events, malware is involved. Searching for “Erin Andrews keyhole” will likely lead you to attempts to install malware. Just a reminder: it’s not cool to make or watch upskirt videos, and this is on that level. Another reminder: when you go to watch a video, be very suspicious if you are prompted to install software. Get your media players and codecs from known sources!

Alternatives to Desktop Lockdown

This is another post based on notes from the Gartner Information Security Summit. Neil MacDonald gave a talk titled Five Alternatives to Desktop Lockdown: Balancing Control and Creativity.
Desktop Lockdown has failed.
But so has complete freedom.
So what do you do?
From an operational perspective, desktop lockdown was performed to reduce the number of disk images the helpdesk had to maintain. It reduced application conflicts and visits by the helpdesk. From a security perspective, lockdown was performed to prevent malware and to prevent users from disabling security applications.
Lockdown has failed for a number of reasons. In XP, the locked-down experience is lacking. You can’t change the time zone or install a printer driver. It’s not workable for the traveling user.
Locking down computers failed because new technologies bypass local controls. For example, it doesn’t prevent the user from using Google Apps and other forms of cloud computing in an insecure manner. Being a standard user doesn’t even prevent all software installs. Google Chrome installs as a standard user. Microsoft was pressured to make Silverlight install without administrative rights. As long as the software only writes to your user profile and your portion of the registry (HKEY_CURRENT_USER), it can install as a standard user. Malware writers will not be deterred by lack of admin rights.
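The per-user install path described above can be audited from the standard user’s own session. The following PowerShell is an added example, not from the talk or the original post: it reads the standard per-user Uninstall and Run registry keys and flags entries whose binaries live under the user profile. The helper function name and the output layout are this example’s own choices.

```powershell
# Added example (not from the original post): audit software that installed without
# admin rights by writing only to the user's profile and HKCU. The registry paths are
# the standard Windows locations; nothing here is specific to any one product.

$profileRoot = $env:USERPROFILE

# Per-user installers register themselves here instead of under HKLM.
$uninstallKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
# Per-user autostart entries; no admin rights are needed to write these.
$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-ExePathFromCommand {
    param([string]$Command)
    # Pull the executable out of a command line such as: "C:\x\y.exe" --flag
    if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command
}

$findings = @()

if (Test-Path $uninstallKey) {
    Get-ChildItem $uninstallKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # InstallLocation is often blank; fall back to the uninstaller's own path.
        $path = if ($p.InstallLocation) { $p.InstallLocation }
                else { Get-ExePathFromCommand $p.UninstallString }
        $findings += [pscustomobject]@{
            Source    = 'Uninstall'
            Name      = $p.DisplayName
            Path      = $path
            Publisher = $p.Publisher
        }
    }
}

if (Test-Path $runKey) {
    $run = Get-ItemProperty $runKey
    # Get-ItemProperty adds PS* metadata properties; everything else is a Run value.
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Source    = 'Run'
                Name      = $_.Name
                Path      = Get-ExePathFromCommand $_.Value
                Publisher = $null
            }
        }
}

# Anything whose binary lives inside the profile was installed, and will run, without
# admin rights. That is the population an admin-rights lockdown does not cover.
$inProfile = $findings | Where-Object { $_.Path -and $_.Path -like "$profileRoot*" }

$inProfile | Sort-Object Source, Name | Format-Table -AutoSize

# Check Authenticode on the flagged autostart binaries so unsigned ones stand out.
$inProfile | Where-Object { $_.Source -eq 'Run' -and (Test-Path $_.Path) } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    '{0,-30} {1,-12} {2}' -f $_.Name, $sig.Status, $_.Path
}
```

Run it as the standard user whose profile you want to check; HKCU is per user, so another account will show different results. Everything it lists installed and runs without ever raising a UAC prompt, which is exactly why removing admin rights alone does not stop this class of software, malicious or otherwise.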
It’s almost a cliché at this point, but the consumerization of IT has led to a new workforce: Generation Y digital natives. They may not be any better at not falling for fake AntivirusXP, but they expect full access all the time.
Does IT really know what people need to do their jobs? Locking down was supposed to be a means to an end, not an end itself. Protecting the data is the primary goal.
Saying that lockdown has failed, does not mean that complete freedom has succeeded.
The cost of managing end-user computers is far greater for unmanaged computers. The risk of virus infection is much greater with administrative rights.
So what do you do? The talk reviewed multiple alternatives.
Alternative 1: De-Privilege Admins – UAC
UAC prompts to elevate rights when admin rights are needed.
As you already know, that can be annoying if you have a lot of poorly written applications that need admin rights. Also, depending on the user, this can be barely a speed bump in stopping malware.
Alternative 2: Whitelist
While basic whitelisting is currently available in Windows XP and later, as well as in most Endpoint Protection (AV) applications, newer offerings from companies like Bit9 make it easier to whitelist. They maintain the lists so you don’t have to manually update each time a new version is released. They also can use reputation services that make a judgment about any new or unknown files.
One user when told we were considering this technology stated as an engineer they install all sorts of software and really important work would stop if he couldn’t install every random file he found on the Internet.
Host-based Intrusion Prevention Systems (HIPS) also fall into this category. They are much more complex, and can cause instability depending on how they are integrated.
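As an added illustration of the built-in whitelisting mentioned above (example code, not from the talk, from Bit9 or from the original post): AppLocker, which shipped in Windows 7 Enterprise and Server 2008 R2 as the successor to XP’s Software Restriction Policies, can generate a starter allow-list from the directories a standard user cannot write to. The directory list, output path and test binary below are this example’s assumptions.

```powershell
# Added example (not from the original talk or post): build a starter application
# whitelist with AppLocker. Assumes Windows 7 Enterprise / Server 2008 R2 or later
# with the AppLocker module; the directory list and output path are this example's.

Import-Module AppLocker

# Trusted install roots: locations a standard user cannot write to. Windows itself
# MUST be included, or default-deny will block the OS's own binaries.
$trustedRoots = @(
    "$env:SystemRoot",
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}"
) | Where-Object { $_ -and (Test-Path $_) }

# Collect publisher and hash information for executables under the trusted roots.
# (Recursing through %SystemRoot% is slow; run this once per image, not per login.)
$fileInfo = foreach ($root in $trustedRoots) {
    Get-AppLockerFileInformation -Directory $root -Recurse -FileType Exe
}

# Prefer publisher rules: they key on the signer and product rather than a file hash,
# so a signed update does not need a new rule. Unsigned binaries get hash rules.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
                                 -RuleType Publisher, Hash `
                                 -User Everyone `
                                 -Xml

$policyPath = 'C:\Temp\whitelist.xml'
$policyXml | Out-File -FilePath $policyPath -Encoding utf8

# Dry run: would a per-user install living under the profile be allowed?
$candidate = Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application\chrome.exe'
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Apply only after reviewing the XML and setting the Exe collection to AuditOnly:
# Set-AppLockerPolicy -XmlPolicy $policyPath
```

Two caveats a practitioner would want: the Application Identity service must be running for AppLocker to enforce anything, and the generated XML’s rule collections default to EnforcementMode="NotConfigured". Set the Exe collection to "AuditOnly" first and watch the AppLocker event log for a few weeks before switching to "Enabled", because under default-deny a missing rule blocks the binary outright. This is also where the engineer quoted below gets an answer: software under Program Files keeps working, while the random download into the profile does not.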
Alternative 3: Remote Presentation
In this scenario users log into a remote server such as VMware or a terminal server. The local computer and the remote session are split: one is managed (locked down) and the other is unmanaged.
This scenario requires solid network connectivity. It also isn’t clear how the network is protected from the unmanaged computer.
Alternative 4: Multiple Virtual Machines Running Locally
Unlike the previous example, the user can work without network connectivity, because the virtual machines run on the local computer.
The major drawbacks to this approach are licensing cost, patching, and extra hardware cost.
In the future a bare-metal (client) hypervisor may make it to the desktop for better performance, but we are not there yet.

Alternative 5: Workspace Virtualization
In this alternative the risky applications are put into their own sandbox.
Ringcube, Creedo, and InstallFree are three vendors in this space.
Alternative 6: Hybrid
A few from column A and a few from column B.
Alternative 7: Employee-Owned PCs
I’ve read the articles on companies that are providing dollars for people to buy and support their own computer. I also read about a smaller company where the owner considered the computer like a toolbox: the craftsman provides his own tools. Not a great analogy, because a craftsman’s power saw isn’t going to get infected and DDoS the network. (Although cheap worker-provided power tools could break spectacularly in a particularly liable fashion.)
The analogy provided during the presentation was a road. A trucker provides the truck. He can buy the truck he wants, but it must meet certain requirements. Then while used on the road he must obey traffic laws. Officer Friendly is waiting to write a speeding ticket.
Those are seven alternatives to desktop lockdown. I think that application whitelisting will become the most mainstream the fastest. Although virtualization is moving fast. XP mode within Windows 7 is virtualization. I believe Macs have a virtual MS Windows. The question I would have is what gets virtualized. Every Internet facing application?
For the longest time, vendors made me feel like I was at the only company in America to allow Administrator rights to users. (Neil MacDonald, if you head this way I’d love to know what percentage of companies in general, and Federal contractors in particular, lock down their computers by restricting admin rights as required by the FDCC.) It is very interesting to hear about some other solutions. Obviously antivirus is not working, but we still need to provide protections.

Debra Wheatman on How to Sell Yourself to Management

The second talk I attended on Sunday at the Gartner Information Security Summit was Debra Wheatman on How to Sell Yourself to Management. Debra is the Chief Career Strategist with ResumesDoneWrite.
At work one of our stated goals is “to grow and live the $company brand.” In this talk Debra reminds us “You’re always selling something.” I should be worrying about my brand. Do I have PR agents who are repeating the news of my success? Am I consistently putting forward a good image?
The concept of a career map was new to me. Basically it’s determining where I am and establishing short-term goals. Since finishing a Masters in Computer Science in 2006, I’ve been coasting a bit. My progress at work seems to have been side-tracked. Creating a career map sounds like the sort of thing that would help me think some things through. I am going to Google to get more on that.
You may find, upon creating a career map, that your dream job or desired role doesn’t exist in your organization. When this happens there are two possibilities: build a case for creating the post, or get out. Changing the status quo is not easy.
The bulk of the time was spent discussing the resume, the cover letter, and interviews. In spite of all I’ve read on resumes, I got some new ideas. I have enough trouble writing a few sentences for the ‘about me’ on this blog or on LinkedIn.
Probably the thing I’ll remember most from this talk was the suggestion that it’s OK to ask what their budget is. It’s funny: they would essentially ask you the same question, yet it will be awkward when the applicant asks.

MessageLabs Adds Public IM Security Service

This is interesting. After I wondered yesterday about the applicability of IM security products that ignore social networks, MessageLabs announced the launch of a new public IM security service. The solution does not address any of the problems I mentioned.
The press release mentions AOL’s AIM, Yahoo! Mail and Microsoft MSN, but does not mention Google Talk. This service protects public IM protocols, whereas the existing Enterprise Instant Messaging product (from the purchase of Omnipod) is an enterprise product competing with OCS/LCS.

Instant Messaging Security

As I upgraded my Symantec IM Security server last week, I thought about the state of Instant Messaging security.
These thoughts are based on my experience with Symantec’s products. I only briefly looked at the websites of Akonix and Facetime to see what they could do. I’m not up on their current releases.
When we implemented IMLogic, which was later purchased by Symantec, we were looking to protect ourselves from malware spread via IM. Users were getting infected by each new IM worm and it needed to stop. Typically one person would get a message and a link via IM. The user would click on the link, and install the malware. The user’s IM contacts would receive a message with a link to the same virus. Even if all the other recipients recognize the message as malicious, many would then call the helpdesk, leading to more wasted time. That’s a long way of saying that we implemented IMLogic to provide IM security protection. We aren’t under any logging requirement. Logging is a big driver for implementing IM security solutions at Financial institutions.
There are limitations in using an IM security product. Each time a new version of the IM client is released there is a great likelihood that the public IM vendor will change their protocol in a way that prevents the new client from being used until the IM security vendor updates their own product. AIM 6.8 for example used a new SSL based login that provided a lot of trouble for all IM security vendors.
As time went by, people’s habits changed. Do you still have three IM clients installed on your desktop? Probably not. Most people found them to be pretty bloated pieces of drek. When online web IM offerings became feature comparable, most real people switched to using that. Meebo works great from what I’ve been told. How did the IM security vendors deal with that? They put out a list of URLs to block so that users could not use web IM.
Now public IM systems are bundling their chat with their webmail. That made it difficult to block web IM. For a while, to block Google Talk, you had to block Google Mail. There are now ways to do that. You can also block Yahoo Messenger within Yahoo Mail. I haven’t yet found a way to block Live Messenger within Hotmail.
Users are doing more chatting on Facebook, Myspace and Twitter. These are also outside the security environment provided by an IM security solution. Even if I could block just the chat component of Facebook, there would still be quasi-real-time communication via the wall.
Symantec IM Manager is ignoring all of these problems. Facetime has a press release from more than a year ago that speaks of controlling 20,000 Facebook applications. That might be interesting to look at.
All the IM security problems seen today are HTTP links. If an adequate HTTP security solution were in place, would it even be necessary to run an IM security product anymore? IM security is not a big software maintenance bill, but it is man-hours to update and maintain. Perhaps it is no longer necessary. Then again, if a computer gets infected with a virus that can worm through LCS/OCS, I’d hate to be the one that said it’s OK for the corporate IM server to go bareback.

Follow me on Twitter

I’ve used Twitter as a follower for a while now. I’ve decided to create a Twitter account for infosec-related stuff. Mark Cuban says more people find his blog via Twitter or Facebook than Google. That is generally going to be people sharing links. Let’s face it, his controversial posts are designed to create a link-storm. My posts, not so much. However, it is true that Twitter is used as a search engine by people looking for up-to-the-minute information. Also, while it’s kind of a no-no in my opinion to ask for link sharing on a website, asking for follows on Twitter is routinely done.
It seems a bit foolish to open another account to update when my updates to the blog have been less frequent. Fortunately the Twitter lifestyle doesn’t require a spell-check. Please shoot me if I ever spell “you” as “u”, however.
Follow me on Twitter @InfosecTweet

His Name is Johnny, He Hacks Stuff

Alex over at the Sunbelt Blog shared a cool link to a video of Johnny Long.
Johnny is famous for Google Hacking, using Google to discover insecure servers or unsecured information. This video is an hour long presentation on his past, how he got into security and what led him to start Hackers for Charity.
The Long family is trying to raise support for a one year move to Africa. Check out the Hackers for Charity website as well.

ISA 2006 and Forms Based Authentication

I’ve been working on upgrading ISA 2004 to ISA 2006 (on new hardware as well). We use SecurID authentication at ISA, and then Forms Based Authentication on the Front End OWA server. While this had worked fine with ISA 2004, it didn’t work at all under 2006.
A quick Google found one post on a Microsoft forum with the same problem. Their conclusion was that this was not possible. The poster cited an ISA 2006 book as saying it was an either/or situation: “You can’t do Forms Based Authentication on both ISA and OWA.”
Fortunately, I searched a bit more and found a solution. http://support.microsoft.com/kb/935206
I found I already had files newer than those in the referenced patch. By running the script and configuring OWA publishing as a regular web publishing object, I was able to get it to work.

Google’s Continued Denial of Service Attacks

It’s bad enough when Google can’t keep their Gmail servers up. It’s worse when they screw up, causing all search results to carry a security warning. It’s worse again when they force you to fill out a CAPTCHA to perform a search because some algorithm has decided that you’ve searched too much, or searched for a suspicious term.
Now, for the second time in two months, I’ve been banned from Gmail for up to 24 hours.

This account has been locked down due to unusual account activity. It may take up to 24 hours for you to regain access.
Unusual account activity includes, but is not limited to:
Receiving, deleting, or downloading large amounts of mail via POP in a short period of time.
Sending a large number of undeliverable messages (messages that bounce back).
Using file-sharing or file-storage software, browser extensions, or third party software that automatically logs in to your account.
Leaving multiple instances of your Gmail account open.
Browser-related issues. Please note that if you find your browser continually reloading while attempting to access your Inbox, it’s probably a browser issue, and it may be necessary to clear your browser’s cache and cookies.
If you feel that you have been using your Gmail account according to the Gmail Terms of Use, you can troubleshoot your problem by clicking here.

As near as I can tell, the only activity I have performed is leaving Gmail open on two or three computers. This 24 hour lockout is bull.

Link: So you think you want a job in computer security

I saw this linked from Lenny Zeltser’s Twitter. Securology’s So you think you want a job in computer security.
The part on security operations is all too true. Here’s part of it:

The worst part about SecOps is that you’ll either realize you’ve hit your Peter Principle with that job, in which case it’s time to spend all of your free time on backyard barbecues and retirement planning (nothing necessarily wrong with that — ignorance is bliss), OR, you’ll want out immediately because everyone around you has hit their Peter Principle highest job and you want more.

The post should be read in its entirety.