Security Adviser | Roger A. Grimes » April 2006

April 19, 2006 | Comments: (0)

Microsoft releases new SQL 2005 Service Pack

What's interesting is that it doesn't seem to contain any security fixes.

http://support.microsoft.com/kb/916940

Microsoft's security track record on IIS and SQL over the last couple of years is nothing short of amazing. They haven't had a SQL security bug since Slammer.

Here's hoping they can do the same thing with IE 7, the most complex challenge.

Posted by Roger Grimes on April 19, 2006 05:27 PM


April 19, 2006 | Comments: (0)

Using Metasploit Framework-A Step-by-Step Example

Document shows you how to use Metasploit Framework.

An upcoming column (4/21/06) will discuss using the Metasploit (www.metasploit.org) Framework to test vulnerabilities. This accompanying blog entry has a document (Download file) that is referenced in the column. It demonstrates the Framework's syntax using a common Windows example.

Posted by Roger Grimes on April 19, 2006 05:22 AM


April 18, 2006 | Comments: (0)

Italian mob boss done in by Caesar Cipher

Some Italian mob bosses apparently don't know good encryption.

Passed on to me by my good friend Eric Heitzman:
http://dsc.discovery.com/news/briefs/20060417/mafiaboss_tec.html?source=rss

My favorite quote from the article has this background context:
"each number corresponds to a letter of the alphabet. "A" is 4, "B" is 5, "C" is 6 and so on until the letter Z, which corresponds to number 24,"

And here is the "mathematics expert" they interviewed:
"According to Martignago, the Provenzano code might have been made more secure by changing the +3 key with other shift characters (+5, +7, +8, etc.) from time to time."

This is one of those stories that make you laugh out loud if you're a crypto geek. My wife is just shaking her head at me.
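An added example, not from the article or this blog, of the scheme as the article describes it. One assumption: A=4 and Z=24 only line up over the 21-letter Italian alphabet (no J, K, W, X, Y), so that is the alphabet used here. It also shows why the expert's advice to rotate the shift buys nothing: there are only 21 shifts to try, and one expected word in the note picks out the right one.

```python
# 21-letter Italian alphabet (no J, K, W, X, Y): the only alphabet on
# which the article's table, A=4 ... Z=24, actually adds up.
ITALIAN = "ABCDEFGHILMNOPQRSTUVZ"
N = len(ITALIAN)


def encode(text, shift=3):
    """Letter -> number: 1-based alphabet position plus the shift.
    shift=3 reproduces the article's table; other characters are dropped."""
    return [ITALIAN.index(ch) + 1 + shift
            for ch in text.upper() if ch in ITALIAN]


def decode(nums, shift=3):
    """Number -> letter, reduced modulo 21 so any shift in 0..20 works."""
    return "".join(ITALIAN[(n - 1 - shift) % N] for n in nums)


def all_candidates(nums):
    """Brute force: one trial decryption per possible shift. There are
    only 21, so rotating the key 'from time to time' (the expert's
    advice) costs an attacker at most 21 tries per note."""
    return {s: decode(nums, s) for s in range(N)}


def recover_shift(nums, crib):
    """Return the shift whose decryption contains a word the reader
    expects to see (a crib); None if no shift produces it."""
    for s, cand in all_candidates(nums).items():
        if crib in cand:
            return s
    return None


if __name__ == "__main__":
    note = encode("SALUTI A PROVENZANO", shift=7)   # constructed message
    print("ciphertext:", note)
    for s, cand in all_candidates(note).items():
        print(f"shift {s:2}: {cand}")
    print("crib 'PROVENZANO' recovers shift", recover_shift(note, "PROVENZANO"))
```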

Posted by Roger Grimes on April 18, 2006 04:51 PM


April 17, 2006 | Comments: (0)

Feedback on Honeyclient Article

Here's some interesting feedback concerning my InfoWorld column on honeyclients.

My honeyclient article is located at http://www.infoworld.com/article/06/04/14/77378_16OPsecadvise_1.html.

-------------

The following item in your article has potential impact on persons with disabilities, and persons using pre-fetching to speed up browsing:

"Honeyclients are becoming prevalent enough that malicious attackers are trying to identify them and take them down. Several honeyclients have been DDoS attacked in recent months. Honeyclient proponents are even proactively thinking up ways malicious hackers could identify honeyclients, such as the use of transparent URLs.

In this method, a malicious phisher could include an invisible URL -- a color link on the same color background -- that would not be noticed and followed by the typical Web surfer. Invisible URLs would be readily swallowed up by an automated honeyclient, and in turn identify the Web surfer as a mechanized honeyclient. It seems that a war I didn’t even know about two weeks ago is already being fought in its second stages."

Persons using screen-reading software would not be able to tell that a link is not visible. Mobility-impaired persons tabbing through links may inadvertently activate a transparent URL. Persons using pre-fetching features (probably not a good idea due to the increased risk of following a malicious link) may also follow invisible links. So these folks are now at increased risk of being the target of a DDoS attack because some of their behavior mimics that of a honeyclient.

Of course, such a victim would likely not know what's going on. Talk about unintended consequences.

Hope this helps,
Charles "Chas" Belov
Muni Webmaster

Posted by Roger Grimes on April 17, 2006 02:19 PM


April 15, 2006 | Comments: (0)

Levity for the day

Nigerian Scam Conference

http://j-walk.com/other/conf/index.htm

(I've always loved this link; reminded by Schneier's recent Crypto-gram newsletter)

Posted by Roger Grimes on April 15, 2006 02:07 PM


April 15, 2006 | Comments: (0)

Microsoft HOSTS file bypass issue

Microsoft bypasses HOSTS file in certain circumstances

There is a lot of talk on various security mailing lists regarding Microsoft's HOSTS file bypass. It appears that, starting in XP Pro SP2 and W2K3 SP1, various Microsoft-related host names cannot be redirected by placing alternate IP addresses in the Windows hosts file. It appears to be a strategy by Microsoft to prevent malicious hosts file changes from stopping Microsoft patch updates, plus hardcoding a few other Microsoft URLs.

The following host file exclusions were documented on the Full Disclosure and Bugtraq mailing lists:
---------------------
From: Derek Soeder
To:

Dave, great find! Those lists you dug up are named DomainScreenList and HostsScreenList in the symbols for DNSAPI; here they are for reference...

DomainScreenList:

windowsupdate.microsoft.com
windowsupdate.com
microsoftupdate.com
download.microsoft.com
update.microsoft.com

HostsScreenList:

microsoft.com
www.microsoft.com
support.microsoft.com
wustats.microsoft.com
microsoftupdate.microsoft.com
office.microsoft.com
msdn.microsoft.com
go.microsoft.com
msn.com
www.msn.com
msdn.com
www.msdn.com
-------------------

People are hot and fired up about this on both sides of the issue, with lots of the arguments on both sides being valid.

My take? In most instances, the instituted changes help make Windows more secure by making it less likely that malware can manipulate Microsoft software update services. Yes, it should have been documented. And yes, to a hundred other statements...but out of all the things we have to complain about in Windows security that could really use fixing to make Windows more secure, this issue concerns me only very slightly.

To paraphrase a popular Bruce Schneier statement (the original quote was regarding an SSH or SSL bug), if host file bypass is your biggest Windows security issue, then you're more secure than most folks.

On an interesting side note: Four of the "protected" URLs are not currently pointing to valid web pages.
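An added check script, not from the blog or the mailing-list posts it quotes, that audits a hosts file against the two lists above: it flags entries for screened names (an entry redirecting an update host is the classic update-blocking trick, worth an alert even though Windows ignores it) and compares each entry against what the resolver actually returns. It assumes DomainScreenList entries cover a domain and all its subdomains while HostsScreenList entries match only the exact name (the list names suggest this; the posts do not say), and it uses Python's socket resolver by default, swappable through the resolve parameter. The sample hosts text is constructed.

```python
import socket

# The two lists quoted from the mailing-list post above.
DOMAIN_SCREEN_LIST = {
    "windowsupdate.microsoft.com", "windowsupdate.com", "microsoftupdate.com",
    "download.microsoft.com", "update.microsoft.com",
}
HOSTS_SCREEN_LIST = {
    "microsoft.com", "www.microsoft.com", "support.microsoft.com",
    "wustats.microsoft.com", "microsoftupdate.microsoft.com",
    "office.microsoft.com", "msdn.microsoft.com", "go.microsoft.com",
    "msn.com", "www.msn.com", "msdn.com", "www.msdn.com",
}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text; '#' starts a comment
    and one line may carry several names for the same address."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries[name.lower()] = ip
    return entries


def is_screened(name):
    """True if, on XP SP2 / 2003 SP1 and later, a hosts entry for this
    name is expected to be ignored. Assumption: DomainScreenList covers
    a domain and its subdomains, HostsScreenList only the exact name."""
    name = name.lower().rstrip(".")
    if name in HOSTS_SCREEN_LIST:
        return True
    return any(name == d or name.endswith("." + d) for d in DOMAIN_SCREEN_LIST)


def audit_hosts(text, resolve=socket.gethostbyname):
    """For each hosts entry record whether the name is on a screen list
    and whether the resolver actually returned the hosts-file address.
    `resolve` is injectable so the check can run offline."""
    report = {}
    for name, ip in parse_hosts(text).items():
        try:
            actual = resolve(name)
        except OSError:
            actual = None
        report[name] = {
            "hosts_ip": ip,
            "resolved": actual,
            "screened": is_screened(name),
            "bypassed": actual != ip,
        }
    return report


SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com   # update-blocking entry
127.0.0.1       download.microsoft.com v4.windowsupdate.com
10.0.0.5        intranet.example.test
"""

if __name__ == "__main__":
    for name, r in audit_hosts(SAMPLE_HOSTS).items():
        flags = ("SCREENED " if r["screened"] else "") + \
                ("BYPASSED" if r["bypassed"] else "honoured")
        print(f"{name:32} {r['hosts_ip']:>12} -> {r['resolved']}  {flags}")
```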

Posted by Roger Grimes on April 15, 2006 09:05 AM


April 13, 2006 | Comments: (0)

It's raining confidential information

Florida County Posts Residents' Sensitive Data On Public Web Site

http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,110389,00.html

APRIL 11, 2006 (COMPUTERWORLD) -

A Florida state statute that requires county officials to post images of certain official documents online has led to the public exposure of sensitive data on potentially millions of current and former residents in Broward County.

The Social Security numbers, driver's license information and bank account details belonging to potentially millions of current and former residents of Florida are available to anyone on the Internet because sensitive information has not been redacted from public records being posted on county Web sites.
--------------
There has to be some common sense applied here.

Posted by Roger Grimes on April 13, 2006 10:56 AM


April 13, 2006 | Comments: (0)

And the confidential, top secret leaks continue...

Here's yet another high-security, high-risk leak:

Web site exposes Air Force One defenses
Source: San Francisco Chronicle / San Francisco Gate
Date Written: 2006-04-08

Andrews Air Force Base has inadvertently posted security details and procedures for Air Force One to its website, complete with a map of the interior, locations of Secret Service agents' positions throughout the plane, and a target that could detonate on-board oxygen tanks if shot with a high calibre rifle. The documents also contained details about Air Force One's missile defense systems. The disclosure raises questions about the Air Force's operational security and could prompt the Secret Service to cancel future presidential travel. The Secret Service has refused to comment on the documents or their release.

Added: 4-15-06: Apparently, I, like lots of other people, overreacted to this story. Here's a good recap of the "non-issue": http://www.defensetech.org/archives/002315.html

Posted by Roger Grimes on April 13, 2006 10:51 AM


April 13, 2006 | Comments: (0)

Free Windows Intrusion Detection System

Free Windows IDS tool taken from the Securiteam mail list (I have not tested it. -Roger):

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - - - - - - - -
GeSWall - Free Intrusion Prevention System for Windows
----------------------------------------------------------------------
DETAILS

GeSWall is an intrusion prevention system for Windows. It applies a security policy that effectively precludes damage from various attacks and malicious software.

Instead of blocking particular attack techniques, GeSWall focuses on attack objectives such as taking control of a PC, stealing data, breaking system integrity, etc. This approach allows blocking unknown attacks based on zero-day vectors; e.g., GeSWall has stopped Windows Metafile exploits.

GeSWall policy isolates web browsers, e-mail, chat, p2p, irc clients and other applications that may serve as entry points for malicious software or intrusions. Viruses, trojans, spyware, keyloggers and exploits cannot pass through an isolation policy and so cannot cause damage.

In contrast with similar solutions, GeSWall is not limited by using sandboxing or virtualization, because this leads to usability problems.

GeSWall is designed to be as non-intrusive as possible and does not restrict network access, files or process creation. Instead, it tracks a potential threat (e.g. a file, process) down, isolates this threat and prevents damage.

Additional information and the free GeSWall download are available on the web site:
http://www.gentlesecurity.com/personal.html

Note: Only the personal GeSWall is a free product, and it is not open source.

ADDITIONAL INFORMATION

The information has been provided by GentleSecurity.

Posted by Roger Grimes on April 13, 2006 10:36 AM


April 13, 2006 | Comments: (0)

Microsoft Virus Mitigation Techniques

Virus mitigation techniques after the virus is in!

* TechNet Webcast: Virus Mitigation Techniques: After the Virus Is Inside (Part 1) (Level 200)
http://go.microsoft.com/fwlink/?LinkId=32516

* TechNet Webcast: Virus Mitigation Techniques: After the Virus Is Inside (Part 2) (Level 200)
http://go.microsoft.com/fwlink/?LinkId=32518

Posted by Roger Grimes on April 13, 2006 10:25 AM


April 13, 2006 | Comments: (0)

U.S. spy data for sale for cheap

USB drives contain top secret information

This story is too bizarre to believe at first. You'll have to read the article.
http://www.msnbc.msn.com/id/12289823/

Apparently, USB drives with top secret spy information are available for sale in an Afghanistan marketplace.

Somebody will be in trouble for this one.

Posted by Roger Grimes on April 13, 2006 08:41 AM


April 12, 2006 | Comments: (0)

More feedback on my hard disk encryption column

More information, and questions, from readers regarding my encryption column:

Encryption for All http://www.infoworld.com/article/06/03/31/76920_14OPsecadvise_1.html

--------------
From: Albert

Roger,

I heard a year or two ago about one hard disk manufacturer, Seagate http://www.pcworld.com/news/article/0,aid,121522,00.asp, that was incorporating hardware encryption capabilities into its notebook hard disks. I assumed at the time that other manufacturers would follow and government customers especially would be enthusiastic buyers (including me).

About the same time NSA was demonstrating its classified solution for USB hard disk enclosures and desktop full disk encryption products (encrypts in-line on the IDE bus - transparent to the operation of the disk from the motherboard).

I assumed that the NSA capability would be incorporated in the hard disk controller electronics on the drive. I haven't heard any more about it.

We are now in the market for some drives. Any idea where I can get some encryption capable disks?
--------------
Readers??
--------------

From: Victor Roberts

Your column is directed toward computer professionals. Therefore, I do wonder about your suggestion that the free version of PGP is an option for your readers. You state:

"If you need commercial support, PGP Corp. provides products for Windows, Mac, and BlackBerrys."

However, support is not the only issue. The free versions of PGP are licensed only for use in non-commercial environments. It would be a violation of the license agreement for Free PGP to use these products in any commercial business. Since most of your readers probably work for a commercial business, this limitation should have been mentioned.

Victor Roberts, Ph.D.
Roberts Research & Consulting, Inc.
-----------------

From: Dooley, Patrick M

There are federal guidelines for the use of Federal Data. I would at least advise folks to use encryption that is compliant with NIST 140-2.
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
Patrick M. Dooley
Wisconsin Department of Revenue

---------------------

From: Calkin, Warwick

Roger,

I agree with everything in your article; however, archiving of encrypted email actually causes complications in the compliance equation.

A problem which we are currently grappling with is that if an email is encrypted at the desktop (encrypting away from the desktop is not an option) and then archived, indexing becomes a lot less meaningful.
Using the smime header we are able to index the to, from, and subject.
However, in the event of a "discovery event" where we need to recover large volumes of mail (usually based on something in the content which we can't see), this lack of indexing becomes a real overhead and almost forces us into a position where we need to recover all encrypted emails, de-encrypt all, and index all. Obviously this creates several compromises.

Your views on how others are tackling this problem would be appreciated.

---------
This has got to be a common issue. Readers??

Posted by Roger Grimes on April 12, 2006 10:44 AM


April 12, 2006 | Comments: (0)

City Manager gets overly excited over non-existent hack problem

City Manager thinks his city's web site has been hacked, and goes ballistic trying to convince "the hackers" that he means business.

First published in IW by Robert X. Cringely:
http://www.tuttletimes.com/siteSearch/apstorysection/local_story_088201244.html

I don't know whether to say that we've all probably done something as well-meaningly stupid, or to say this guy went off the deep end and didn't want to listen to anyone who tried to help him. Either way, it's a lesson in what not to do. His language and threats in the email show a lack of professionalism on the part of a city manager.

Here are some other links on the subject:

Ashlee Vance was the first person I saw report this, and his story http://www.theregister.co.uk/2006/03/24/tuttle_centos/ was pretty funny.

Great local TV report http://geek.j2solutions.net/stuff/centos.wmv as well...

Posted by Roger Grimes on April 12, 2006 09:37 AM


April 12, 2006 | Comments: (0)

Buy this book on Passwords!

Mark Burnett's 'Perfect Passwords' is a must read for system administrators.

Mark has made a great, quick, must-read book on passwords. I had read a few chapters of it before it was published (my quote is on the back cover), and liked it, but the overall book should be read by all system administrators. It contains commonsense, practical advice, just more of it than most of us have thought about alone, all in one place.

I think every system administrator will see one or two of their own personal passwords in the book...which is a wake-up call.

I was able to quickly read/skim the entire book and pull out all the useful tips in under an hour while my daughter was getting her braces tightened. A complete slow read would probably take a day. I think all system administrators should buy and understand this book.

Posted by Roger Grimes on April 12, 2006 09:09 AM


April 12, 2006 | Comments: (0)

Reporting Child Pornography in the U.S

Here's a link to report child pornography in the U.S.

If you know about online child pornography, report it here: http://www.ncmec.org/

Some people hate the Internet because they think it leads to more child pornography. I love the Internet for the same reason. It used to be that we could only catch pedophiles when they committed a physical crime or if the postmaster general noticed child pornography in their snail mail. Now, the authorities pose online as 14-year-old girls and put up bogus child pornography sites and catch these creeps by the tens of thousands a year. Before the Internet, we'd catch a few of these criminals a day; now we catch them a hundred at a time. And that's more of these sick people off the street and away from my children.

Posted by Roger Grimes on April 12, 2006 04:48 AM


April 11, 2006 | Comments: (0)

Feedback on Hacker Takedown Article

Feedback to my Hacker Takedown Article

My latest article http://www.infoworld.com/article/06/04/07/77154_15OPsecadvise_1.html is generating feedback.

----------------
It was nice to see the dynamic DNS services getting some press in your security adviser newsletter. I've run DtDNS for seven years, providing dynamic DNS on free hosts as well as full domain names. While I'm one of the smaller services, I participate in DNSBL, one of the "informal groups" that you mentioned, to share information with many of the other players in the dynamic DNS market, as well as a handful of security firms. We receive daily reports and lists of confirmed malware, phishing, and other nasty sites that are quickly taken down after investigation. We also share domain names that are known to be "bad" and collectively deny service to them. It is an ongoing battle to keep the services clean and useful, but we will keep fighting the good fight.

Justin D. Scott
DtDNS Administrator
www.dtdns.com
----------------
From Robert:

Great article! I just joined the Anti-Phishing Working Group and participate in MWP, DA, Botnets, etc. lists. And I can vouch for how hard Paul/Castlecops has been working. They've been posting PIRT alerts like crazy. And their integrated approach to reporting is an inspiration for a lot of what I'm working on. Their reports aggregate all the information that might be useful in getting the site taken down (WHOIS, DNS, headers, etc). I'm hoping to get an incident responders portal up that ties together with my malware registration server and malicious URLs workflow site. I've also been working with what I'm calling malware analysis frameworks.

The dynamic DNS stuff is definitely an issue. I've been seeing some of the botnet operators start running their own DNS servers. And they are using rackspace they pay for instead of hacked boxes. I also might have identified a dynamic DNS provider that is part of a criminal organization. Crazy stuff and it's getting more out of hand every day. Also I see you mentioned how proactive MS was on the last 0day. I hadn't realized they had done all that takedown work. Very cool. Their slew of lawsuits against phishers worldwide is pretty cool too. A good cause to use all those boatloads of money for and could have a bigger impact on their users than a new firewall or some such. I'm attaching the 0day we were working at the ISC yesterday. We submitted it for takedown as well. It handed out a different exploit based on useragent string.

--------------

From: Carol Anne Ogdin

Dear Roger:

The problem with rampant phishing is apathy. If more people would take the step of responding to the ISPs of phishers, the practice would stop.

Here's what I have been doing for a few months when I receive an obvious "phishing" message:

1. I look at the HTML code behind the message and find the bogus URL that the phisher is using. I go to that site; if it's not there, then it's been removed and I take no further action.
2. I use the Windows "tracert" command to trace the route to the entire bogus URL. The last several lines will usually identify the routers of vendors supplying access to that site. If the site is in countries I know to be uncooperative (e.g., China, Russia, Romania), I stop at this point.
3. I forward the message to the last two vendors on the list before the final line. I address the message to "abuse@.", "postmaster@.", and to "info@.", and change the subject line to "Your Customer is PHISHING," giving them four pieces of information:
   a. The bogus URL in the message (so they don't have to search for it),
   b. The IP address to which it resolves,
   c. The last five lines of the tracert text, so they can see for themselves the route to the site, and
   d. The original (forwarded) message I received.
4. I conclude my message with a polite request that they investigate and stop the phisher from preying on Internet users.

In about 75% of cases, when I look back in a day or so, the site is gone. In about 25% of cases, I get cordial "Thank you" notes from one or both of the ISPs I've notified.

If more of us would take the five minutes it takes to forward the message with diagnostic information to the people whose reputations could be harmed, these sites would get shut down within minutes of the first phishing eMail being sent.

As for the temporal nature of phishing sites: Yes, they move. And, often move to other domains. But, they tend to stick with the same IAP/ISP, because changing that usually incurs cost (save for Yahoo, and their ilk, who both make it easy to remain anonymous, and don't seem particularly interested in policing their membership).

Phishers can build a set of bogus pages and reuse them. They can have DNS access to dozens of domain names. But they have to have an account with some hosting service, and that (usually) costs money to set up, so it remains constant.

What's interesting to me is how many of these phishers create absolutely broken HTML (often in Word!), and end up sending the victim to the "real" site anyway! Phishing seems to be the mark of the "get rich quick" mindset, without much appreciation of proper or idiomatic English, or good design.

I install SpoofStick on all my clients' browsers, and teach them how to use it. When I see it turned off, it's a sign I need to engage in a little educational persuasion; it's seldom off a second time.

Carol Anne Ogdin
Deep Woods Technology, Inc
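An added example, not Carol Anne Ogdin's own tooling, that does the bookkeeping in her steps above: pull the link out of the message HTML, resolve it, keep the tail of the tracert listing, derive the abuse@, postmaster@ and info@ addresses of the last two providers before the final hop, and assemble the four-part report. The message and tracert text are constructed, the resolve parameter is injectable so it runs offline, and it does not visit the site (her step 1) or send anything.

```python
import re
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Step 1: collect href targets. Phishers' HTML is often broken
    (the letter mentions Word output); html.parser tolerates that."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, val in attrs:
                if key == "href" and val:
                    self.links.append(val)


def bogus_urls(html):
    """Return the http(s) links in the message body, in document order."""
    parser = LinkExtractor()
    parser.feed(html)
    return [u for u in parser.links
            if u.lower().startswith(("http://", "https://"))]


# A Windows tracert hop line starts with the hop number and ends with
# "reverse-name [a.b.c.d]".
HOP_LINE = re.compile(r"^\s*\d+\s")
HOP_NAME = re.compile(r"([\w.-]+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\s*$")


def last_hops(tracert_text, count=5):
    """Step 3c: the last `count` hop lines of the tracert output."""
    hops = [ln for ln in tracert_text.splitlines() if HOP_LINE.match(ln)]
    return hops[-count:]


def provider_domains(hop_lines):
    """Step 3: the last two distinct provider domains before the final
    hop, taken naively as the last two labels of each hop's reverse name."""
    domains = []
    for ln in hop_lines[:-1]:            # the final hop is the site itself
        m = HOP_NAME.search(ln)
        if m:
            dom = ".".join(m.group(1).lower().split(".")[-2:])
            if dom not in domains:
                domains.append(dom)
    return domains[-2:]


def build_report(html, tracert_text, original_msg,
                 resolve=socket.gethostbyname):
    """Assemble the abuse report (recipients, subject, body), or return
    None when the message carries no link worth reporting."""
    urls = bogus_urls(html)
    if not urls:
        return None
    url = urls[0]
    hops = last_hops(tracert_text)
    recipients = [f"{box}@{dom}" for dom in provider_domains(hops)
                  for box in ("abuse", "postmaster", "info")]
    body = (
        f"a. Bogus URL in the message: {url}\n"
        f"b. Resolves to: {resolve(urlparse(url).hostname)}\n"
        "c. Last five lines of tracert:\n" + "\n".join(hops) + "\n"
        "d. Original message (forwarded) follows.\n\n" + original_msg +
        "\n\nPlease investigate and stop your customer from preying on "
        "Internet users.\n"
    )
    return {"to": recipients, "subject": "Your Customer is PHISHING",
            "body": body}


# Constructed sample input (reserved .test names and documentation IPs).
SAMPLE_HTML = """<html><body><p>Dear customer, please
<a href="http://phish.example.test/login">verify</a> your account.</p>
<a href="mailto:help@example.test">contact</a></body></html>"""

SAMPLE_TRACERT = """Tracing route to phish.example.test [203.0.113.9]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  router.home.test [192.0.2.1]
  2    10 ms    10 ms    11 ms  gw1.isp-one.test [198.51.100.1]
  3    12 ms    12 ms    12 ms  core2.isp-one.test [198.51.100.2]
  4    20 ms    21 ms    20 ms  bb1.transit-two.test [198.51.100.30]
  5    25 ms    24 ms    25 ms  edge.hoster-three.test [203.0.113.1]
  6    26 ms    26 ms    26 ms  phish.example.test [203.0.113.9]

Trace complete."""

if __name__ == "__main__":
    rep = build_report(SAMPLE_HTML, SAMPLE_TRACERT, "<raw message here>",
                       resolve=lambda host: "203.0.113.9")
    print("To:", ", ".join(rep["to"]))
    print("Subject:", rep["subject"])
    print(rep["body"])
```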

Posted by Roger Grimes on April 11, 2006 08:52 AM


April 10, 2006 | Comments: (0)

Popular Malware Scan sites

Two sites for scanning for malware

Both allow the uploading of potential malware for analysis against multiple anti-virus scanners.

Jotti http://virusscan.jotti.org/

VirusTotal http://www.virustotal.com/
VirusTotal tends to be up and down.

Posted by Roger Grimes on April 10, 2006 04:04 PM


April 10, 2006 | Comments: (0)

Oracle's Mary Ann Davidson's blog

Mary Ann Davidson's blog

Mary Ann Davidson's Oracle blog http://blogs.oracle.com/maryanndavidson/ Interesting blog...the most interesting I've seen by a corporate CSO, and she waxes on about more topics than Oracle...surfing, World War II, etc.

Posted by Roger Grimes on April 10, 2006 03:38 PM


April 10, 2006 | Comments: (0)

Security Podcast sites

Security podcasts for your listening pleasure.

My February 2006 column http://www.infoworld.com/article/06/02/17/75431_08OPsecadvise_1.html listed several cool security podcasts. I download them and listen to them in the gym, on the road, or while flying or waiting in airports. Here's the most current list I have:

Security Now http://www.grc.com/securitynow.htm - One of my favorite weekly podcasts is by Steve Gibson and Leo Laporte. Each episode is 20 to 30 minutes long, ranging from current topics to deep technology to long opinions.

SABAG Security http://www.sabagsecurity.com/
This is my second-favorite computer security podcast. Recorded by two McAfee employees (I must disclose that I work for Foundstone, a division of McAfee), Brett and Jim keep up on the latest malware and exploits, plus cover issues from an industry perspective. They lightly plug McAfee from time to time, but you’ll be hard pressed to find two more even-handed reviewers. Plus as a bonus, the SABAG podcast gets you CISSP credits. I hope more podcasts follow suit.

PaulDotCom http://pauldotcom.com/
Good security podcast by Paul Asadoorian and Larry Pesce

Blue Box: The VoIP Security Podcast http://www.blueboxpodcast.com/ The next big worm may also take down our IP-telephone networks instead of just our computers. If VoIP security is your interest, Dan York and Jonathan Zar’s podcast has you covered.

CSO Magazine Podcast http://www.csoonline.com/podcasts If you like your computer security news at a higher level than the bits and bytes, this podcast is for you. CSO Magazine provides a weekly security roundup, with a focus on industry events, products, and news useful to any computer security professional.

Martin McKeay’s Network Security Blog http://www.mckeay.net/
Nice mix of topics.

Symantec Podcasts
http://www.symantec.com/podcast/index.jsp
Symantec offers several different flavors of podcasts. One for home users, one for enterprise users, one for small businesses, etc.

Update (8-12-07):
Sun Microsystems podcasts on Identity Management solutions
http://www.sun.com/software/products/identity/podcasts.jsp.

Posted by Roger Grimes on April 10, 2006 02:54 PM


April 10, 2006 | Comments: (0)

Windows/Linux worm

Virus capable of infecting both Windows and Linux executables.

Article http://www.techworld.com/security/news/index.cfm?newsID=5752&pagtype=all

No big surprise, but interesting. Cross-platform viruses appear from time to time and are to be expected. The idea that an anti-monoculture distribution of PCs will somehow defeat or minimize malware or hackers is shown as short-sighted in light of cross-platform threats. An anti-monoculture use of computers may help in the short run, but in the long run, malware and hackers will rise to the challenge and overcome the obstacles.

Posted by Roger Grimes on April 10, 2006 02:08 PM


April 03, 2006 | Comments: (0)

Hard drive encryption update

Truecrypt is another hard disk encryption program.

My column on hard drive encryption programs http://www.infoworld.com/article/06/03/31/76920_14OPsecadvise_1.html failed to mention another excellent alternative for encrypting hard drives, Truecrypt.

Thanks to two readers who wrote me about something I should have already known about.

Open source Truecrypt http://www.truecrypt.com or http://sourceforge.net/projects/truecrypt works with Windows and Linux, and encrypts more than hard drives (e.g. USB keys, etc.). Among its encryption algorithms are 3DES, Twofish, and Blowfish.

If you're interested in Truecrypt's bumpy open source history, read Answers.com's excellent recap http://www.answers.com/main/ntquery;jsessionid=1jajh7v4zinyh?

Posted by Roger Grimes on April 3, 2006 04:06 AM


April 01, 2006 | Comments: (0)

Mobile Phone spyware

Software to spy on mobile phone messages

http://www.infoworld.com/article/06/03/31/77003_HNspycompanyargues_1.html?source=NLC-TB2006-03-31

Posted by Roger Grimes on April 1, 2006 03:27 PM

