Unless you’re paired up with Nick Nolte, 48 hours isn’t a very long time.   It seems to conflict a with later requirement: Critical patches must be evaluated in a test environment before being pushed into production on enterprise systems.    That is one quick eval cycle.

So what is critical?

In my vulnerability scan report vulnerabilities are listed 1 through 5.   Every month there are new level 5 vulnerabilities.

PCI says that things with a CVSS score greater than 7.2 (if I remember correctly) need to be patched.   Is that what critical is?

Does critical mean “was mentioned on the evening news”?

FISMA 800-53 rev 3 RA-5 leaves it up to the organization to define.

I think I should just update my vulnerability management doc to say that critical updates are defined as those accompanied by four horsemen.   Those must be patched within 48 hours.   If the server can be found in the smoking crater.   All other patches shall be deployed within 30 days unless otherwise instructed.

The phrase King of the Lab originated on the U.S television series “Bones” where the scientist who found the key evidence that week was king of the lab.

We’ve noted an odd issue at work where the event logs on multiple systems  would report:

Windows Installer reconfigured the product. Product Name: <ProductName>. Product Version: <VersionNumber>. Product Language: <languageID>. Reconfiguration success or error status: 0.

for every installed application.   This set of logs would show up repeatedly.  We were kind of hoping it would go away when systems were migrated from Windows XP to Windows 7 but it is still occuring

Our Bing-fu must be weak because I stumbled across a KB article tonight that explains it.

http://support.microsoft.com/kb/974524
Event log message indicates that the Windows Installer reconfigured all installed applications

This is caused by using group policy with WMI filters that use Win32_Product.  It can also be caused by applications that use that WMI class as well.   GuardianEdge documentation instructed me to use that WMI class in a filter to deploy GuardianEdge settings so they would only apply to clients with the specific product version.

The “Ask the Directory Services Team” blog at Microsoft recently had a post which linked that KB and reported that use of Win32_Product will (could?) result in slow boot times.  The reason this WMI Class is an issue is that it uses a DLL to actively query each installed application.   This trigger the reinstall.   Additionally if any of the installed apps are installed remotely this can really slow things down.

The Microsoft blog lists some workarounds.    I’m not sure any of them are perfect for me.   Until I implement a fix this case isn’t closed.   But it is enough for me to do a happy dance while yelling “king of the lab”.

Now where is my trophy?

What happens when you delete a virtual server in the course of its lifecycle?   At some point you’ll leave a provider, turn down a server, or just get moved to another server.

On the computers you have control over, hopefully you’re already running some sort of disk wiping.  What about the computers you don’t control?

As any forensicator will tell you, deleted files aren’t necessarily gone.   The table of contents telling you where the file is may be gone but the data is there until it is overwritten.    It turns out that due to some process problems, old servers weren’t overwritten and they were able to access data with a simple dd command on their newly provisioned virtual server.

When the data goes to the cloud you  give up a measure of control.   When you’re at least aware of what can go wrong, you can ask the right questions.

Do check out the article http://www.contextis.com/research/blog/dirtydisks/
Hat tip to Office of Inadequate Security

Passwords are dead.
“IDS is dead.” – Gartner
“Gartner is dead” – IDS
The firewall/perimeter is dead.
Antivirus is dead.
SSL is dead.
SIEM is dead.
Corporate IT security is dead.

It starts to look like if you put in any product, idea or compliance regime into google, add on “is dead” and you’ll find results.

Sometimes it is marketing (EIQ and SIEM).  Sometimes predictions.   Occasionally its exasperation at the continuing fail of a product type.  In each case, so one comes out looking like Kreskin.  But the pixels don’t write themselves and those stances generate traffic.

Plupload (version 1.5.4), which WordPress uses for uploading media.

• SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
• SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.

WordPress 3.3.2 also addresses:

• Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
• Cross-site scripting vulnerability when making URLs clickable.
• Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.

An entry to the Adobe Secure Software Engineering Team (ASSET) Blog discusses several aspects of this security bulletin.

First, Acrobat and Reader 9 will no longer be using a special version of Flash bundled with those products.   Instead they will look to use what I call the plugin version of Flash.   That is the version for non-Microsoft browsers other than Chrome (Firefox, Opera, etc).   Chrome bundles its own special version of Flash.

Adobe has written the Netscape Plugin Application Programming Interface (NPAPI) to allow Acrobat and Reader to access the plugin based Flash in your Operating System.

The good news is no longer will you have to install an update to Acrobat or Reader every time there is a Flash update.   The bad news is this is only applicable to version 9.   Version 10 is still being developed.  The other bad news is if you don’t have the plugin version of Flash installed, you will be prompted to install it if you open a PDF with Flash content.

In general having Reader and Acrobat X is much more secure than having 9.   But if you’re hanging on to 9 for some reason this is good news for you.

Adobe announced that no longer will they have quarterly patches by default.   Instead scheduled releases may occur on Microsoft patch Tuesdays.   They will preannounce three days ahead of time if a patch will occur that month.   So-called out-of-band updates will be released as necessary.   I read this at less frequent Adobe Acrobat and Reader patches.

Check the Adobe ASSET blog for information.

Webmasters are faced with two huge challenges.  The first is keeping the blog secure.   There were many examples recently of WordPress blogs, even security related ones, compromised.   While it is always easy to just blame the webhost, vulnerabilities in TimThumb proved to be many blogs undoing.  If you run a blog and you haven’t searched to see if you use timthumb unbeknownst to you in one of the many plugins you’ve added, you’re blog is probably already compromised.

The second major concern for webmasters is site speed.   All these plugins we install slow the site down.   Search engines penalize your page rank for slow loading.   Users are unlikely to return.   First time visitors may have their ADD kick in and just move on to the next site.

Cloud based mini Content Delivery Networks (CDNs) like Cloudflare and Incapsula provide answers to both problems.

With these types of services the webmaster changes the DNS to point to the cloud based service.   In the cloud, they block the bad and accelerate the good (to steal a phrase from BlueCoat).   You no longer have to mess around with complicated WordPress caching plugins (although some are designed to work hand in hand with CDNs).   If you were slack on security and had a vulnerable version of TimThumb, both of these solutions would block that attack and let you know about it.  The webmaster should still stay on top of all WordPress upgrades including the plugins.   Additionally the password should be strong.

One of the challenges with using these services at Dreamhost was they lock own the A (and AAAA) records for infosecblog and www.infosecblog.org.   Even to use Incapsula’s free service, I had to pay for a third party DNS provider so I could have full control over the DNS.  With Cloudflare at least, this problem is now solved.   Dreamhost has partnered with them to allow integration with just a checkbox.   I set it up one of my other domains in minutes.  I’ll continue to use Incapula on this domain and compare the two services.

When MS12-020 came out, it was the biggest patching frenzy I’ve seen in a while.   MS12-020 was a vulnerability in the Remote Desktop Protocol.   While not on by default, this protocol is often enabled on servers and by power users for remote manageability.   This vulnerability in a protocol frequently exposed on the network resulted in a “patch now” attitude.  Our clients were emailing demanding to know our percentage patch compliance.  People were watching on pins and needles to see if a remote code execution exploit became publicly available before patching was complete.

When a denial of service capable exploit for this vulnerability became available, we pushed up our patching timeline figuring the exploitation code couldn’t be far behind.   Systems not running RDP of course are not susceptible so I wanted to target my attention on systems that had RDP and were missing the patch.   Forescout CounterAct made this easy to do.   I set up a rule looking for systems missing MS12-020 and with 3389/TCP open.

From there Forescout allows many possible remediation and enforcement measures.

•  Send the user an email with instructions on how to patch (Hey Forescout, I’d love to be able to digitally sign those emails so I don’t undermine my antiphishing efforts)
• Sent HTTP notifications.   (I’ve purchased trusted SSL certificates so users could verify the source)
• Self-Remediation – HTTP notification with link to patch, forcing user to patch
• Initiate installing the patch through Microsoft Update/SCCM.

If the situation became dire, I could even use TCPresets or ACLs on the switch port to prevent RDP inbound on systems that haven been patched.

NAC is about so much more than controlling who is admitted to the network.   It is a critical part of endpoint security.

Microsoft posted on the 20th that they were seeing exploit code attacking the vulnerability in Java which Oracle patched in February.

Yesterday Brian Krebs posted that an exploit for this vulnerability is now in one of the more popular exploit kits.  Exploit packs are malware distribution for the script kiddie.  You purchase code that will try multiple exploits based on the type of computer that comes to a website.   This means it is far beyond targeted attacks, and into the general distribution.

The same advise as always, applies with Java.

1.  If you don’t need it, remove it.
2.  If you do need it, always run the most recent version.
3.  Watch for older versions hanging on.   Remove them.
4.  For safety only run Java in one browser, and use another browser for day-to-day browsing activities.   This lowers the attack surface area.
5.  In addition to antivirus, have some sort of URL filtering that blocks malicious sites such as the free consumer BlueCoat K-9.